Re: [Freeipa-users] fine-grained permissions for DNS tasks
On 12/12/2013 04:26 PM, Stephen Ingram wrote:

Is it possible to restrict a user to, say, a DNS Administrator role for only one domain in the system?

Steve

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Yes. Read up here:
http://adam.younglogic.com/2012/02/dns-managers-in-freeipa/
Re: [Freeipa-users] Roles and permissions
On 02/07/2012 03:54 PM, Steven Jones wrote:

Users in group A can manage the membership of group B
Users in group A can manage this small set of attributes of members of group B

Yes, I can see that delegating is going to be very hard to do securely / properly, at least with [my] limited knowledge. My problem is that I have a central IT department but many schools who want to be as autonomous as possible (totally if they can achieve it). I also have managers who only understand AD somewhat, and they think this can all be done without themselves understanding what is to be done, so they make/have requirements that might seem reasonable but really are not, but I don't know enough to say so. So it could well be on a case by case basis I have to design such a delegation. Looks like I will need a good level of understanding which I obviously lack. I mean I can't even get across to you what I mean!!! doh.

Having briefly chatted to an AD guy this problem isn't just faced by IPA... :(

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Tuesday, 7 February 2012 4:32 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Roles and permissions

Steven Jones wrote:
Hi, Trying to get my head around these. Is it possible to create a group administrator, say engineering team administrator, and have that role only able to add specific users (how to specify?) to specific user groups (say)? I.e. I want to be able to delegate responsibility for limited groups and users to others and limit their functionality...?

Need a little more to go on. It is that "how to specify" question that really matters. How DO you distinguish between users? You can add extra attributes to break them into groups, or you can literally put them into extra groups and manage them that way (easiest). But you definitely need a way to distinguish them.

Creating this type of permission would require a bit of LDAP knowledge, mostly just knowing which attributes to use. It all depends on what responsibility you are delegating. I'm not entirely sure what you're after so I don't want to guess and end up down a deep rabbit hole, but it is probably going to be easiest to break the permissions into smaller components like:

Users in group A can manage the membership of group B
Users in group A can manage this small set of attributes of members of group B

Both of these are relatively straightforward. I can provide examples if you can give me some more guidance on what you're looking for.

I don't find that section of the manual very easy to understand. I'd like examples or more explanation.

Also if such a, say, (bad) engineering team administrator could add anyone, say THE admin, to a group that the (bad) admin had password changes in/on, then this allows the bad admin to change that admin user's password; the user then effectively owns the IPA system...?

Yes, it would be a problem if you granted password change permission to a bad admin. That is true in any system. Given that we've got a ticket open to limit those who can change the password of those in the admins group to those in the admins group, so helpdesk can change user's passwords but not admins. That is currently possible.

regards
rob

Does this answer your question: http://adam.younglogic.com/2012/02/group-managers-in-freeipa/
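The "users in group A can manage the membership of group B" delegation Rob sketches, written out as an added shell example that is not from the thread: it assumes the FreeIPA 2.x CLI commands permission-add, privilege-add, privilege-add-permission, role-add, role-add-privilege and role-add-member with the options shown, and the group names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): delegate management of ONE group's
# membership to the members of another group, following the FreeIPA chain
# permission -> privilege -> role. Group names are placeholders.
# Assumed CLI: FreeIPA 2.x 'ipa permission-add --targetgroup/--attrs/
# --permissions', privilege-add(-permission), role-add(-privilege/-member).
IPA="${IPA:-ipa}"   # set IPA=true to dry-run the sequence without a server

# delegate_group_membership MANAGER_GROUP TARGET_GROUP
# Members of MANAGER_GROUP get write access to the 'member' attribute of the
# single entry TARGET_GROUP and nothing else: no other groups, no other
# attributes of that group, and no user entries (so no password changes,
# which is the "bad admin" concern raised in the thread).
delegate_group_membership() {
    mgr="$1"; target="$2"
    [ -n "$mgr" ] && [ -n "$target" ] || {
        echo "usage: delegate_group_membership MANAGER_GROUP TARGET_GROUP" >&2
        return 2
    }
    perm="Manage $target membership"
    priv="$target membership managers"
    role="$target Membership Manager"

    # 1. Permission (the ACI). --targetgroup pins it to one group entry,
    #    --attrs=member to one attribute, --permissions=write to one right.
    "$IPA" permission-add "$perm" \
        --targetgroup="$target" --permissions=write --attrs=member || return 1

    # 2. Privilege: a named bundle of permissions (here exactly one).
    "$IPA" privilege-add "$priv" \
        --desc="Can add and remove members of $target" || return 1
    "$IPA" privilege-add-permission "$priv" --permissions="$perm" || return 1

    # 3. Role: what people are granted; handed to the whole manager group
    #    rather than to individual users, so membership of MANAGER_GROUP
    #    is the single thing to audit.
    "$IPA" role-add "$role" \
        --desc="Delegated membership admin for $target" || return 1
    "$IPA" role-add-privilege "$role" --privileges="$priv" || return 1
    "$IPA" role-add-member "$role" --groups="$mgr" || return 1
}

# review_delegation TARGET_GROUP
# Shows the permission and role created above so a reviewer can confirm the
# scope stayed narrow (one target group, attribute 'member', right 'write').
review_delegation() {
    target="$1"
    "$IPA" permission-show "Manage $target membership" && \
    "$IPA" role-show "$target Membership Manager"
}
```

Run as `delegate_group_membership engineering-leads engineering` on a host with an admin Kerberos ticket; `review_delegation engineering` then prints what was granted.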
Re: [Freeipa-users] WebUI With Windows, Firefox, and MIT Kerberos
On 01/28/2012 01:53 PM, Erinn Looney-Triggs wrote:
On 1/27/2012 4:53 PM, JR Aquino wrote:
On Jan 27, 2012, at 5:31 PM, Jr Aquino wrote:

Has anyone successfully gotten firefox in windows with firefox and mit kerberos? I've followed several how-tos, but I can't get firefox to take/pass my tgt.

The key to success:

    network.negotiate-auth.gsslib: C:\Program Files\MIT\Kerberos\bin\gssapi32.dll

I had been previously using lib\i386/gssapi32.lib and that's what was breaking it. The rest of the documentation on the FreeIPA site is sound. We could probably stand to add that 1 line to the doc at http://freeipa.com/page/ClientConfigurationGuide

The only other thing I would add here, at least for me, was on an x86_64 install of windows I needed to use:

    C:\Program Files (x86)\MIT\Kerberos\bin\gssapi32.dll

-Erinn

Done. Thanks to both of you for contributing.
Re: [Freeipa-users] Multi-tennancy and Freeipa
On 12/16/2011 03:41 PM, Dmitri Pal wrote:
On 12/16/2011 02:37 PM, Alan Evans wrote:

Adam, This is great news. The feedback I have after a quick read through (I will try to put a bit more time on it later) would be to make the 'tenant' separation more flexible, and why not use existing ldap schema? Instead of forcing the user into cn={TENANT},cn=tenants,$suffix why not create a 'tenant' aux class that would allow the end user to design a DIT however they would like. We for example use o=company|organization,$suffix. Then any schema maintenance instead of being:

    For each tennant in (cn=tenants,$suffix)

It would be:

    For each tennant in (ldapsearch (objectclass=tennant))

Then the end provider could design a DIT that fit their needs with replication in mind. Consider the flexibility of:

    o=Tennant1,C=US,$suffix
    o=Tennant2,C=UK,$suffix
    o=Tennant3,OU=North America,$suffix
    o=Tennant4,OU=Europe,$suffix

That's my 2¢ at the moment. I'd be glad to banter back and forth about this with you. :)

Regards,
-Alan

This is very flexible but I am not sure IPA would be able to be that flexible. One of the design goals from the beginning was: static schema and flat DIT. The whole project is built around it. Such an approach would really come as a system shock. I am not against it, just saying it would be harder as it goes even further than Adam's proposal in changing the fundamental principles. Also, it is not just the user table that we need to segregate but the entire DIT. Roles, Groups, SUDO, HBAC, and so forth all need to be segregated into a separate subtree, not just the user lists. So putting users in an aux class doesn't really support sufficient segregation.

The assumption for us is that the IPA base scheme would be for administrative machines, and then each of the tenant subtrees would be for a subset of the machines in the system.

But that is really only one view of it, and I think I can see where you are coming from: you want to be able to manage, say, customers, but use the same rules for them as you do for employees?

On Fri, Dec 16, 2011 at 5:35 AM, Adam Young <ayo...@redhat.com> wrote:

I opened a ticket for multitenancy https://fedorahosted.org/freeipa/ticket/2201

Here is a detailed write up of the issues. http://freeipa.org/page/Multitenancy

Please provide any feedback that you have and I will update.
Re: [Freeipa-users] User Administrator role member doesn't see User Groups under identity tab
On 12/13/2011 02:09 PM, Rob Crittenden wrote:
Ian Levesque wrote:

Hello, I'm running version 2.0.0-23 under Scientific 6.1. I've noticed that users in the User Administrator role don't have access via the web UI to actually manage groups. The only link under Identity is Users. CLI management works as expected. Is this a known bug with the relatively old version of FreeIPA I'm running?

    $ ipa role-show User Administrator
      Role name: User Administrator
      Description: Responsible for creating Users and Groups
      Member users: levesque
      Privileges: user administrators, group administrators

    $ ipa privilege-show group administrators
      Privilege name: Group Administrators
      Description: Group Administrators
      Permissions: add groups, remove groups, modify groups, modify group membership
      Granting privilege to roles: User Administrator

Best,
Ian

A similar issue was fixed in 2.1.3 but it affected all UI screens IIRC (e.g. non-admins never saw anything extra).

rob

Yes, that is the same issue.
Re: [Freeipa-users] Some feature requests
On 11/28/2011 04:16 PM, Steven Jones wrote:

Hi,

a) Auto setup in RH satellite to allow auto joining to freeIPA from a baremetal kickstart.

That is a Satellite, not FreeIPA, request.

b) Setup/config (info etc) to allow a gluster system to join to IPA.

What would a gluster system require that we do not already provide?

Since these are all RH...shouldn't be too hard. ;]

regards
Steven Jones
Re: [Freeipa-users] Delete host: Unable to communicate with CMS (Not Found)
On 11/17/2011 10:58 AM, Dan Scott wrote:
On Wed, Nov 16, 2011 at 14:01, Rob Crittenden <rcrit...@redhat.com> wrote:
Dan Scott wrote:
On Wed, Nov 16, 2011 at 10:39, Rob Crittenden <rcrit...@redhat.com> wrote:
Dan Scott wrote:
On Wed, Nov 16, 2011 at 09:23, Rob Crittenden <rcrit...@redhat.com> wrote:
Dan Scott wrote:

Hi, I receive the following error when I try to remove a host from IPA:

    djscott@pc35:~$ ipa host-del pc60
    ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

I'm running a Fedora 16 (freeipa-server-2.1.3-5.fc16.x86_64) server replicated with a Fedora 15 (freeipa-server-2.1.3-2.fc15.i686) server. I've looked at this: https://fedorahosted.org/freeipa/ticket/1889 But it looks like it was fixed in 2.1.2 or 2.1.3. Any ideas for what I need to do?

Thanks, Dan

This would suggest that dogtag isn't running. Is dogtag and its LDAP instance up?

It seems to be, there are 2 entries 'loaded active running' for the dirsrv@ instances. I don't see any errors in the /var/log/dirsrv/slapd-PKI-IPA/errors file. Tomcat is running too.

Dan

Hmm, ok, let's see if we can talk to the cert system at all.

    $ ipa cert-show 1

fileserver1 is the IPA server with PKI-IPA running:

    [root@fileserver1 ~]# ipa cert-show 1
    ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

SELinux is my normal culprit when things don't work.

It may be so in this case. My /var/log/audit/audit.log hasn't changed since 11th November. Unfortunately, temporarily disabling it doesn't seem to help:

    [root@fileserver1 ~]# setenforce Permissive
    [root@fileserver1 ~]# ipa cert-show 1
    ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

What processes should be running for the certificate server? I have the ns-slapd process and tomcat6 running. The tomcat logs are empty.

Dan

It sounds like you have the right processes running. The dogtag logs are in /var/log/pki-ca. debug is rather verbose and where I usually start looking for issues.

The /var/log/pki-ca/debug file hasn't been updated since the 11th November. I've attached an extract from catalina.out which contains some pretty severe errors. To summarise, the errors are:

    SEVERE: Error initializing socket factory
    java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
    SEVERE: Failed to initialize connector [Connector[HTTP/1.1-9443]]
    java.io.IOException: Failed to access resource /WEB-INF/lib/osutil.jar

I'd guess that this means I'm missing a package? I'm having trouble figuring out which one contains the code I'm missing. Maybe I need to reinstall one?

Thanks, Dan

Is this on F16? It might be that the package is there but not being picked up. JSS and osutil are JNI packages, and you should find them in /usr/lib64/java/jss4.jar and osutil.jar, but they might end up in /usr/lib/java/jss4.jar and osutil.jar
Re: [Freeipa-users] Kerberos authentication setup
On 11/11/2011 03:52 PM, Boris Epstein wrote:

Hello all, I've got my FreeIPA seemingly running on a Fedora 16 machine but I can not log into it from a browser as I get the "Your kerberos ticket is no longer valid." message. So the question is: is there a good guide on how to set up the Kerberos components involved?

You will get this error for numerous reasons. If any of the security mechanisms are not in place, that is the only error message that will get through.

1. You need to accept the CA cert
2. You need to accept the server cert...this will be automatic if you have the CA cert.
3. You need to configure your browser and accept the config options that allow ticket forwarding

All this is done by clicking through the options from the link in the same window as the Kerberos error message you mention. If you've been through all this, then the problem is likely that you do not have Kerberos set up on the machine running the browser, or you do not have a ticket. Assuming the browser is running on the IPA server, running kinit will be sufficient. If you installed IPA on a machine that has no X server, and you need to run the browser on a remote machine to talk to it, please follow the steps to set up the remote machine as an ipa-client. That will get the Kerberos ticket set up for you.

Thanks.
Boris.
Re: [Freeipa-users] FreeIPA on CentOS 5.6
On 11/09/2011 02:27 PM, Stephen Gallagher wrote:
On Wed, 2011-11-09 at 14:23 -0500, Boris Epstein wrote:

So what OS would not be too old to run FreeIPA on? Would we be talking CentOS 6?

Boris.

Well, RHEL 6.2 (due out before the end of the year) will include a fully-supported version of FreeIPA as Red Hat Identity Management. Presumably, whenever CentOS 6.2 is released, it will also carry this package. It's likely to be possible to get it to run on CentOS 6.0, but it will require some elbow grease. I also agree with the earlier comments that 512MB is not enough to run the OS + FreeIPA.

If you are looking for a means to evaluate it, look at a really stripped down Fedora 15 Install. People have also had better success with Scientific Linux for RHEL6 parity than they have had with Centos6, but no guarantees there: both have been significantly behind the RHEL 6 efforts.
Re: [Freeipa-users] ipa-client-install error
CentOS is far behind RHEL. Many of the issues you will find have been fixed in released versions of IPA. This one is due, I think, to an earlier issue with directory server that has since been upgraded. You might want to see if the versions shipped with Scientific Linux work better for you, but it is going to be quite a few packages. Aside from freeipa* it will be xmlrpc, 389-ds-base and DNS dyndb and possibly others.

On 11/04/2011 03:04 PM, Jimmy wrote:

I'm running the ipa-client-install on a CentOS 6 client and get this error:

    [root@kudzu ~]# ipa-client-install
    Discovery was successful!
      Realm: PDH.CSP
      DNS Domain: pdh.csp
      IPA Server: csp-idm.pdh.csp
      BaseDN: dc=pdh,dc=csp

    Continue to configure the system with these values? [no]: yes
    Principal: admin
    Password for ad...@pdh.csp:
    Joining realm failed: Operation failed! unsupported extended operation
    child exited with 9
    Certificate subject base is: O=PDH.CSP

The only logs I see on the server are here:

    Nov 04 18:52:55 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.201.199: NEEDED_PREAUTH: ad...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
    Nov 04 18:53:20 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for krbtgt/pdh@pdh.csp
    Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for HTTP/csp-idm.pdh@pdh.csp
    Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (1 etypes {18}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for krbtgt/pdh@pdh.csp
    Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.201.102: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for ldap/csp-idm.pdh@pdh.csp
    Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for ldap/csp-idm.pdh@pdh.csp
Re: [Freeipa-users] ipa-client-install error
On 11/04/2011 07:07 PM, Dmitri Pal wrote:
On 11/04/2011 04:23 PM, Jimmy wrote:

I see. I have ipa-client-2.0-9.el6.x86_64 on the CentOS 6 client. I guess the proper fix is to use the SL packages Adam referenced?

Correct.

It looks like Scientific Linux is behind as well: The packages on http://ftp.scientificlinux.org/linux/scientific/ are all 2.0.0, for example http://ftp.scientificlinux.org/linux/scientific/6rolling/x86_64/updates/fastbugs/ipa-client-2.0.0-23.el6_1.1.x86_64.rpm Not sure how they are doing their naming scheme, as they have 6/ 6.1/ 6x/ and 6rolling but they all look pretty much the same.

Jimmy

You need a newer ipa-client package. The extended operation we used for enrollment changed. This was fixed in ipa-client-2.0-9.1 in RHEL 6.0.

rob

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.
Re: [Freeipa-users] Freeipa-users] Overall Design of Policy Related Components
On 11/01/2011 01:04 PM, Rodney Mercer wrote:
On Tue, 2011-11-01 at 12:00 -0400, freeipa-users-requ...@redhat.com wrote:
On 10/31/2011 05:20 PM, Rodney Mercer wrote:

We have previously developed Solaris RBAC authorization within our application to validate users and roles to our application's internal commanding capability using the definitions that populate the name service switch maps. I have been searching for a method for implementing similar capability using RHEL and had found promise with the following proposed documentation for IPAv2:

We decided to back away from trying to provide central RBAC. Our experience with multiple projects revealed that there is no one size fits all solution regarding RBAC. But we were talking about a general Role based access control model, not specific RBAC as Solaris implemented it. The Solaris RBAC is similar to sudo and HBAC combined together. Both features are managed by IPA. We also have SELinux policies on Linux that can constrain the root access. The user SELinux roles management is on the roadmap but HBAC + SUDO should give you the equivalent if not more functionality than Solaris RBAC. http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/index.html Or you can use RHEL6.2 beta and see the docs about SUDO and HBAC there.

The RBAC structure that I speak of is contained within our application. Being able to have IPA clients request the XML blob of role mappings to internal application commanding authorizations is what I was looking for. Is it possible to create IPA Roles that mean nothing to IPA yet our independent application could query and use them with its internal security mechanisms?

Yes it is possible. The role mechanism does not have to have any permissions or privileges assigned to it, and they will show up as member of relations in an LDAP query.

Could extending the dirsrv schema to include attributes to be accessed for the security of the independent application be created to work in conjunction with these custom defined roles? Having the IPA Server available to all hosts that run the application is what we desire. We use *_attr Name Service Switch maps to access these roles and attributes from our Solaris implementation. Unless I am mistaken, HBAC might give us options as to whom may run our applications on particular hosts, but it would not help in defining who could run the internal application directives that we seek to map to users roles. Sudo doesn't help for the internal commanding our application desires to control. Thanks for any ideas you can lend.

Regards,
Rodney.
Re: [Freeipa-users] Unique world wide UIDS
On 10/26/2011 08:49 PM, Steven Jones wrote:

Hi, Reading the docs on the 32bit UIDs it says it makes an attempt to give out a unique range. Would it be possible / practical if RH (would want to) ran some sort of database or registration function to try and ensure that?

regards
Steven Jones

No. It would not be. Fragmentation of the 32 Bit space means that you are going to have clashes. Just look at IPv4 addresses and you can see an analogue. 32 bits really means 32 bits, as you have to deal with sometimes things being stored in signed values (Java for instance) so you have 2^31 or 2,147,483,648. Which is not quite a quarter of the world's population. Now, assuming that any organization is going to be smaller than that, you have to figure out how much to give them...they are going to make it a financial decision, so the US government buys up enough to be future proof, let's say 1 Billion, leaving a little over 1 Billion for the Rest of the world...then China comes in. Then India. You get the idea.
Re: [Freeipa-users] No hosts showing as enrolled
On 10/21/2011 07:05 PM, Sigbjorn Lie wrote:
On 10/21/2011 10:02 PM, Adam Young wrote:
On 10/21/2011 02:29 PM, Sigbjorn Lie wrote:
On 10/21/2011 08:15 PM, Adam Young wrote:
On 10/21/2011 02:04 PM, Sigbjorn Lie wrote:

Hi, I've updated to freeipa-server-2.1.3-2.fc15.x86_64. There are no hosts showing as enrolled in the webui. In the CLI hosts are reported to have a keytab. Is this a known issue?

Rgds, Siggi

PS. KUDOS on the speed of lookups! MASSIVE improvement both in the CLI and in the WEBUI!!!

They use exactly the same API. The only difference between the webUI and the CLI is that the WebUI is marshalled via JSON, and the CLI uses XML RPC. So you should see exactly the same results in both. Have you typed something into your filter field that is hiding the hosts?

No search filter, that I know of. I assume you're referring to the top right hand corner field? That field is empty, I'm displaying all hosts. Still nothing in the Enrolled? field.

Just realized that you are referring to the Enrolled? column. I think that is a bug. I just opened this ticket: https://fedorahosted.org/freeipa/ticket/2020 The field that populates that column is actually krblastpwdchange, which should show when the password for the host principal was last changed. The intention is that this column should show when the host was enrolled, but is defaulting to blank.

Thanks. I got several hosts joined to IPA, and they have a krbLastPwdChange value if I look for them using ldapsearch and ipa host-show fqdn --all. Please let me know if I can assist in further troubleshooting of the issue.

There is no problem with your hosts, just a UI disconnect. The column is bogus and we are going to remove it. Please ignore it for now.

Rgds, Siggi
Re: [Freeipa-users] Complaint web browsers
On 10/17/2011 10:36 PM, Steven Jones wrote:

Hi, I have only used Firefox 3.x as shipped with RHEL to admin IPA, what are others using? ie what are compliant/suitable?

We are only claiming to support Firefox, 3 on forward should all work, but we only test the versions with Fedora and RHEL. Chrome will work, but you need to set up Kerberos Ticket Forwarding, which means setting an ENV VAR prior to running. Have not tested on IE recently. Have reason to think it might be broke, but the Kerberos requirement makes it a non-starter for real deployments. Safari has been fairly well tested. Again, Kerberos setup is a little bit of effort.

regards
Steven Jones
Re: [Freeipa-users] Complaint web browsers
Let's distinguish between Supported browsers for the Kerberos case and the Supported browser for the Basic auth enabled case:

For Kerberos, it is as I said previously: it will work on the others, but you have to know how to configure. You are not going to get IE Kerberos support without a significant headache, but even that is theoretically possible. Kerberos is going to be an issue from Windows no matter what.

For Basic Auth, things are much easier, but the setup is just not that secure. So that would be fine for a proof of concept, we just don't recommend it in the wild.

As far as the Javascript web app goes, we try to stick to features that work in all browsers. For example, you'll notice that we don't do any file uploads, as that is something that, in an AJAX application, is done with browser specific code. I can't promise that we will avoid browser specific solutions in the future, but if we do, it will be that you can do everything with either browser, but the user experience will be smoother on Firefox.

If something is broken on a browser other than Firefox, please file a ticket, and be prepared to test it for us. https://fedorahosted.org/freeipa/report/12 . Make sure the component is Web UI.
Re: [Freeipa-users] Install problem with --setup-dns
On 09/30/2011 01:10 PM, Mark A Cinense wrote: Hi, new to the list. I have been pounding away at this for the past month or so, and I am stumped as to why when installing IPA, it keeps wanting to setup DNS with a domain name of ipaserver.test.mark.cinense.org http://ipaserver.test.mark.cinense.org. During the interaction part of the install, I defined the domain as mark.cinense.org http://mark.cinense.org. The message I get is: Do you want to configure the reverse zone? [yes]: Configuring named: [1/9]: adding DNS container [2/9]: setting up our zone Unexpected error - see ipaserver-install.log for details: test.mark.cinense.org http://test.mark.cinense.org: DNS zone not found Here is how I answer the interactive questions: Server host name [ipaserver.test.mark.cinense.org http://ipaserver.test.mark.cinense.org]: I think the problem is the you are adding to an invalid zone here. I am guessing siomething is silently failing. You are stating that your domain is mark.cinense.org http://mark.cinense.org but I think you want it do be test.mark.cinense.org http://mark.cinense.org And then your server ipaserver.test.mark.cinense.org http://ipaserver.test.mark.cinense.org makes sense. The zone is the zone you are going to control by default, not the zone you are joiningif that makes sense Warning: skipping DNS resolution of host ipaserver.test.mark.cinense.org http://ipaserver.test.mark.cinense.org The domain name has been calculated based on the host name. Please confirm the domain name [test.mark.cinense.org http://test.mark.cinense.org]: mark.cinense.org http://mark.cinense.org The IPA Master Server will be configured with Hostname: ipaserver.test.mark.cinense.org http://ipaserver.test.mark.cinense.org IP address: 156.119.45.254 Domain name: mark.cinense.org http://mark.cinense.org When I do a hostname I get: [root@ipaserver log]# hostname ipaserver.test.mark.cinense.org http://ipaserver.test.mark.cinense.org Any ideas? Is there something I am missing? 
-- Mark Cinense CNA A+ MCP CVE RHCSA 6, MACDAV Productions, a Cinense Consulting Service Company
___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Certificate error when modifying/deleting a host
On 09/28/2011 05:03 PM, Sigbjorn Lie wrote:

On 09/28/2011 03:33 AM, Adam Young wrote:

After talking with the PKI developer that is fixing this, I found out that one other file needs to be modified: /var/lib/pki-ca/conf/CS.cfg

http.port=8080
https.port=8443

On 09/27/2011 07:55 PM, Adam Young wrote:

Siggi,

This is my comment in the ticket: https://fedorahosted.org/freeipa/ticket/1889

We are working on a tool in the PKI project that will perform these steps in an automated fashion. There are three files that need to be addressed. On the Tomcat side, the files are in the Tomcat instance managed by IPA in /var/lib/pki-ca.

The first is /var/lib/pki-ca/conf/server.xml. It needs the addition:

+ <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />

You can place it around line 281, above the comment for the line <Engine name="Catalina" defaultHost="localhost">

Second is /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml. For each of the filter entries it needs the code addition below:

    <init-param>
      <param-name>proxy_port</param-name>
      <param-value>443</param-value>
    </init-param>
+   <init-param>
+     <param-name>proxy_port</param-name>
+     <param-value>443</param-value>
+   </init-param>
    <init-param>
      <param-name>active</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>

The third change is creating a symlink to /etc/pki-ca/proxy.conf in the directory /etc/httpd/conf.d.

Sorry for the late reply. I have performed the modifications you've suggested to /var/lib/pki-ca/conf/server.xml and /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml. In the file /var/lib/pki-ca/conf/CS.cfg, the settings were already http.port=8080 and https.port=8443. I could not find the file /etc/pki-ca/proxy.conf. I did find /usr/share/pki/ca/conf/proxy.conf; I copied this into /etc/httpd/conf.d and replaced [PKI_MACHINE_NAME]:[PKI_AJP_PORT] with localhost:9447.
Then I restarted ipa:

$ ipactl restart

I get a different error now, same error msg both in webui and cli:

ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An I/O error occurred during security authorization.

What do you suggest doing next? :)

/etc/httpd/conf.d/nss.conf:

[root@vm-077 conf.d]# diff nss.conf.orig nss.conf
74c74
< NSSRenegotiation off
---
> NSSRenegotiation on
78c78
< NSSRequireSafeNegotiation off
---
> NSSRequireSafeNegotiation on

As I said, we are scripting this. I should have had you hold out for the script.
Re: [Freeipa-users] Certificate error when modifying/deleting a host
On 09/28/2011 05:59 PM, Sigbjorn Lie wrote:

On 09/28/2011 11:35 PM, Adam Young wrote:

On 09/28/2011 05:03 PM, Sigbjorn Lie wrote:

On 09/28/2011 03:33 AM, Adam Young wrote:

After talking with the PKI developer that is fixing this, I found out that one other file needs to be modified: /var/lib/pki-ca/conf/CS.cfg

http.port=8080
https.port=8443

On 09/27/2011 07:55 PM, Adam Young wrote:

Siggi,

This is my comment in the ticket: https://fedorahosted.org/freeipa/ticket/1889

We are working on a tool in the PKI project that will perform these steps in an automated fashion. There are three files that need to be addressed. On the Tomcat side, the files are in the Tomcat instance managed by IPA in /var/lib/pki-ca.

The first is /var/lib/pki-ca/conf/server.xml. It needs the addition:

+ <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />

You can place it around line 281, above the comment for the line <Engine name="Catalina" defaultHost="localhost">

Second is /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml. For each of the filter entries it needs the code addition below:

    <init-param>
      <param-name>proxy_port</param-name>
      <param-value>443</param-value>
    </init-param>
+   <init-param>
+     <param-name>proxy_port</param-name>
+     <param-value>443</param-value>
+   </init-param>
    <init-param>
      <param-name>active</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>

The third change is creating a symlink to /etc/pki-ca/proxy.conf in the directory /etc/httpd/conf.d.

Sorry for the late reply. I have performed the modifications you've suggested to /var/lib/pki-ca/conf/server.xml and /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml. In the file /var/lib/pki-ca/conf/CS.cfg, the settings were already http.port=8080 and https.port=8443. I could not find the file /etc/pki-ca/proxy.conf. I did find /usr/share/pki/ca/conf/proxy.conf; I copied this into /etc/httpd/conf.d and replaced [PKI_MACHINE_NAME]:[PKI_AJP_PORT] with localhost:9447.
Then I restarted ipa:

$ ipactl restart

I get a different error now, same error msg both in webui and cli:

ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An I/O error occurred during security authorization.

What do you suggest doing next? :)

/etc/httpd/conf.d/nss.conf:

[root@vm-077 conf.d]# diff nss.conf.orig nss.conf
74c74
< NSSRenegotiation off
---
> NSSRenegotiation on
78c78
< NSSRequireSafeNegotiation off
---
> NSSRequireSafeNegotiation on

As I said, we are scripting this. I should have had you hold out for the script.

:) I see Ade Lee has posted the script now. I'll have a go at the script tomorrow.

Rgds,
Siggi

Well, that script assumes the machine is in a certain state. I am not sure if your machine now qualifies. You should only need the nss.conf change, as that seems to match the error you are seeing.

Before you make any changes, try pointing a browser at https://hostname/ca/ee/ca/getCertChain and you should get a valid response: XML with a tag ChainBase64. This shows that Dogtag is being proxied correctly. The error you are seeing is due to the need to renegotiate the SSL handshake for the authed sections of the PKI-CA.
Re: [Freeipa-users] user login exposes all users in UI
On 09/28/2011 01:13 PM, Stephen Ingram wrote:

When logging into the FreeIPA UI as a user, most everything is removed with the exception of the Identity tab and the Users list. Although I'm guessing that LDAP needs to expose the users list to all users, just as anyone can view the passwd file on any one system, is there a technical need to expose all of the users to any user logging into the UI?

Steve

The UI does not remove any privs. That same user can run the command line ipa user-find and get the same results. Additionally, the user has the ability to query the LDAP server directly. Thus, we decided to leave the ability to enumerate all users, but not to advertise it. We did remove tabs for other things that the user can do, mainly because some of them pointed at operations that the user was not allowed to see (Roles, for example, and Sudo commands for another). We had to draw the line somewhere, and that is where we decided. It has the added benefit of letting IPA work as a company directory.
Re: [Freeipa-users] Certificate error when modifying/deleting a host
On 09/27/2011 04:22 PM, Sigbjorn Lie wrote:

On 09/27/2011 09:54 PM, Sigbjorn Lie wrote:

On 09/27/2011 12:34 AM, Dmitri Pal wrote:

On 09/25/2011 05:49 PM, Sigbjorn Lie wrote:

Hi, I have a host that refuses to be modified or deleted. I get the same error from the webui and the cli. I am using F15, FreeIPA 2.1.1 + all updates from the updates repository. I cannot find any error in any log. I have tried to reboot my ipa servers. All services seem to be running and have no issues. The error message I receive is:

* Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

I have looked in the Dogtag Certificate Manager, and I can see the certificate. It's still valid, and holds the same serial number as what is displayed using ipa host-show hostname. Any suggestions?

Can you please send the sanitized apache logs?

These are the apache log lines that correspond to # ipa host-disable hostname and # ipa cert-show serialno. I have no config files in my /etc/httpd/conf.d/ directory that contain any reference to the /ca directory. Also /var/www/html/ca does not exist. I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a file /etc/httpd/conf.d/ipa-pki-proxy.conf. However, this file does not exist on any of my 3 IPA servers. Should that file contain an alias and proxy rules for /ca/ ?
error_log:

[Tue Sep 27 21:44:01 2011] [error] ipa: INFO: ad...@ix.test.com: ping(): SUCCESS
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: ad...@ix.test.com: host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
[Tue Sep 27 21:44:08 2011] [error] ipa: INFO: ad...@ix.test.com: ping(): SUCCESS
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: ad...@ix.test.com: cert_show(u'268369923'): CertificateOperationError

access_log:

192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:00 +0200] POST /ipa/xml HTTP/1.1 200 259
192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] POST /ca/agent/ca/displayBySerial HTTP/1.1 404 314
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:01 +0200] POST /ipa/xml HTTP/1.1 200 360
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:07 +0200] POST /ipa/xml HTTP/1.1 200 259
192.168.210.20 - - [27/Sep/2011:21:44:09 +0200] POST /ca/agent/ca/displayBySerial HTTP/1.1 404 314
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:08 +0200] POST /ipa/xml HTTP/1.1 200 360

I found the missing file in /usr/share/ipa/ipa-pki-proxy.conf. I copied this file into /etc/httpd/conf.d/ipa-pki-proxy.conf. The port numbers seemed incorrect. They were pointing at ajp://localhost:9447/, which is a port that's not responding to anything. netstat -nat agrees... nothing there. /etc/init.d/pki-cad status seems to indicate that the correct port is 9443? I changed the port number to 9443 in the ipa-pki-proxy.conf file, and restarted httpd.
And attempted to disable the host:

# ipa host-disable bck01.ix.test.com
ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An I/O error occurred during security authorization.

Using Firefox to access https://ipasrv01.ix.test.com:9443/ca/agent/ca yields:

Secure Connection Failed
An error occurred during a connection to ipasrv01.ix.test.com:9443.
SSL peer cannot verify your certificate.
(Error code: ssl_error_bad_cert_alert)

Am I heading in the incorrect direction here? Or does the pki-cad service have some cert issues?

9447 was likely the right value. I think the problem is with the Proxy configuration. We are working on a script to upgrade a non-proxied PKI (Dogtag) to a proxied version, but the ports set in the config file need to match the ports that the pki-ca web app is using. I'm assuming from what you said above that you can talk to Dogtag directly on port 9443, but that the proxy is not set correctly for the HTTPD to AJP communication.

Have your server.xml and web.xml files in the PKI configuration been modified to listen to AJP? It should be something like:

<Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" />

in the server.xml file. The AJP port has to match what the file in /etc/httpd/conf.d/proxy.conf says. 9443 is, I think, the HTTPS port in your case, not the AJP port. AJP should be 9447.

We (Ade Lee) is working in a script to upgrade an existing Dogtag instance to use
Re: [Freeipa-users] Certificate error when modifying/deleting a host
Siggi,

This is my comment in the ticket: https://fedorahosted.org/freeipa/ticket/1889

We are working on a tool in the PKI project that will perform these steps in an automated fashion. There are three files that need to be addressed. On the Tomcat side, the files are in the Tomcat instance managed by IPA in /var/lib/pki-ca.

The first is /var/lib/pki-ca/conf/server.xml. It needs the addition:

+ <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />

You can place it around line 281, above the comment for the line <Engine name="Catalina" defaultHost="localhost">

Second is /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml. For each of the filter entries it needs the code addition below:

    <init-param>
      <param-name>proxy_port</param-name>
      <param-value>443</param-value>
    </init-param>
+   <init-param>
+     <param-name>proxy_port</param-name>
+     <param-value>443</param-value>
+   </init-param>
    <init-param>
      <param-name>active</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>

The third change is creating a symlink to /etc/pki-ca/proxy.conf in the directory /etc/httpd/conf.d.
Re: [Freeipa-users] Certificate error when modifying/deleting a host
After talking with the PKI developer that is fixing this, I found out that one other file needs to be modified: /var/lib/pki-ca/conf/CS.cfg

http.port=8080
https.port=8443

On 09/27/2011 07:55 PM, Adam Young wrote:

Siggi,

This is my comment in the ticket: https://fedorahosted.org/freeipa/ticket/1889

We are working on a tool in the PKI project that will perform these steps in an automated fashion. There are three files that need to be addressed. On the Tomcat side, the files are in the Tomcat instance managed by IPA in /var/lib/pki-ca.

The first is /var/lib/pki-ca/conf/server.xml. It needs the addition:

+ <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />

You can place it around line 281, above the comment for the line <Engine name="Catalina" defaultHost="localhost">

Second is /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml. For each of the filter entries it needs the code addition below:

    <init-param>
      <param-name>proxy_port</param-name>
      <param-value>443</param-value>
    </init-param>
+   <init-param>
+     <param-name>proxy_port</param-name>
+     <param-value>443</param-value>
+   </init-param>
    <init-param>
      <param-name>active</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>

The third change is creating a symlink to /etc/pki-ca/proxy.conf in the directory /etc/httpd/conf.d.
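The 9447/9443 confusion diagnosed earlier in this thread (9447 is the AJP connector, 9443 the HTTPS port) and the three-file edit in Adam's ticket comment are exactly the kind of wiring a short consistency check catches before restarting httpd. The script below is an added example, not FreeIPA or Dogtag code; its sample server.xml, httpd proxy fragment and web.xml are constructed, and the filter names and the ProxyPassMatch line are assumptions.

```python
"""Consistency check for the Dogtag AJP proxy wiring debugged in this thread.

Added example, not FreeIPA/Dogtag code. It inspects the three files the thread
edits: the pki-ca Tomcat server.xml (AJP/1.3 Connector port), the httpd fragment
copied into /etc/httpd/conf.d (ajp://host:port target) and web.xml (proxy_port
init-param on every filter), and reports mismatches such as pointing the proxy at
the HTTPS port instead of the AJP port. All sample contents are constructed.
"""
import re
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip an XML namespace prefix: '{http://...}filter' -> 'filter'."""
    return tag.rsplit("}", 1)[-1]


def ajp_connector_ports(server_xml: str) -> list[int]:
    """Ports of every <Connector protocol="AJP/..."> in Tomcat's server.xml."""
    root = ET.fromstring(server_xml)
    return [int(c.get("port")) for c in root.iter("Connector")
            if c.get("protocol", "").startswith("AJP/")]


def proxy_ajp_targets(proxy_conf: str) -> list[tuple[str, int]]:
    """(host, port) of each ajp://host:port target in the httpd proxy fragment."""
    return [(m.group(1), int(m.group(2)))
            for m in re.finditer(r"ajp://([^:/\s]+):(\d+)", proxy_conf)]


def filters_missing_proxy_port(web_xml: str) -> list[str]:
    """Names of <filter> entries in web.xml that lack a proxy_port init-param."""
    missing = []
    for flt in ET.fromstring(web_xml).iter():
        if _local(flt.tag) != "filter":
            continue
        name = next((c.text or "" for c in flt if _local(c.tag) == "filter-name"), "?")
        params = {(c.text or "").strip()
                  for ip in flt if _local(ip.tag) == "init-param"
                  for c in ip if _local(c.tag) == "param-name"}
        if "proxy_port" not in params:
            missing.append(name.strip())
    return missing


def check_wiring(server_xml: str, proxy_conf: str, web_xml: str) -> list[str]:
    """Return human-readable problems; an empty list means the wiring agrees."""
    problems = []
    ports = ajp_connector_ports(server_xml)
    if not ports:
        problems.append("server.xml: no AJP/1.3 Connector, httpd cannot reach Dogtag over AJP")
    if "[PKI_MACHINE_NAME]" in proxy_conf or "[PKI_AJP_PORT]" in proxy_conf:
        problems.append("proxy.conf: [PKI_MACHINE_NAME]:[PKI_AJP_PORT] placeholders not replaced")
    else:
        targets = proxy_ajp_targets(proxy_conf)
        if not targets:
            problems.append("proxy.conf: no ajp:// target, /ca/ requests fall through to /var/www/html/ca")
        for host, port in targets:
            if ports and port not in ports:
                problems.append(f"proxy.conf targets ajp://{host}:{port} but server.xml "
                                f"AJP connectors listen on {ports}")
    for name in filters_missing_proxy_port(web_xml):
        problems.append(f"web.xml: filter {name} has no proxy_port init-param")
    return problems


# Constructed /var/lib/pki-ca/conf/server.xml after the AJP connector was added.
SERVER_XML = """<Server port="9701" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>
    <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>"""

# Constructed httpd fragments: correct AJP target, the HTTPS-port mistake, unedited template.
PROXY_OK = "ProxyPassMatch ^/ca/(ee|agent)/(.*)$ ajp://localhost:9447/ca/$1/$2\n"
PROXY_BAD = PROXY_OK.replace("9447", "9443")
PROXY_TEMPLATE = PROXY_OK.replace("localhost:9447", "[PKI_MACHINE_NAME]:[PKI_AJP_PORT]")

# Constructed web.xml with both filters patched; WEB_XML_MISSED skips the first one.
PROXY_PARAM = "<init-param><param-name>proxy_port</param-name><param-value>443</param-value></init-param>"
WEB_XML = f"""<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <filter>
    <filter-name>ee-filter</filter-name><filter-class>example.Filter</filter-class>
    {PROXY_PARAM}
    <init-param><param-name>active</param-name><param-value>true</param-value></init-param>
  </filter>
  <filter>
    <filter-name>agent-filter</filter-name><filter-class>example.Filter</filter-class>
    {PROXY_PARAM}
    <init-param><param-name>active</param-name><param-value>true</param-value></init-param>
  </filter>
</web-app>"""
WEB_XML_MISSED = WEB_XML.replace(PROXY_PARAM, "", 1)

if __name__ == "__main__":
    for label, conf in (("ok", PROXY_OK), ("https-port", PROXY_BAD), ("template", PROXY_TEMPLATE)):
        print(label, check_wiring(SERVER_XML, conf, WEB_XML) or "wiring consistent")
    print("missed filter", check_wiring(SERVER_XML, PROXY_OK, WEB_XML_MISSED))
```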
Re: [Freeipa-users] Using FreeIPA web interface from a windows client(IE)
On 09/23/2011 03:31 PM, Rob Crittenden wrote:

Jimmy wrote:

I have been using the interface from a Linux client on Firefox just fine, but now I need to configure a Windows client to access the web interface. I have the Win7 client logged in using a FreeIPA user, authenticated against the realm, and when I browse to the web page I still get another login box, but no matter what I do not get access, or the browser cannot access the ticket the system has. I enabled the Enable Integrated Windows Authentication option in IE. After that wasn't working I even installed the MIT KFW to make sure I was really getting a ticket (not really expecting that it would fix the problem). I am searching for this fix actively, but figured I'd ask here in case someone had the answer at hand.

Firefox in Windows will work with the MIT client but not IE. For IE to work you need to enable fake basic auth fallback, http://freeipa.org/page/UIPasswordAuth . This isn't really ideal but the only workaround we know of.

rob

Chrome will work as well, just not IE.
Re: [Freeipa-users] extending FreeIPA
On 08/06/2011 03:18 PM, Stephen Ingram wrote:

On Fri, May 6, 2011 at 1:11 PM, Adam Young <ayo...@redhat.com> wrote:

On 05/06/2011 08:49 AM, Simo Sorce wrote:

On Wed, 2011-05-04 at 17:41 -0700, Stephen Ingram wrote:

I currently maintain a directory with MTA configuration data in it (among other items). I'm wondering what is the best way to add to the FreeIPA schema without stepping on current and future schema additions that might conflict with what I add. I know at one time you were expecting to add information for Postfix and other common server programs. Was this schema ever prepared and agreed upon, or is it best to use some special branch to put this all under?

OK, it seems we are confusing two things here: on one side schema extensions (new attributes and objectclasses) and on the other side DIT structure (subtrees within the tree where to put your information). If you use standard schema, or schema you made yourself after you got assigned a base OID, there should be no issue at all. If you do your own schema, please be careful in trying to use a prefix for attribute and objectclass names so that you do not risk future name conflicts. For the DIT part it really depends on what you need to do. If you just need to add attributes to users then you have no other option but to attach them to the users, and that's fine, it shouldn't cause any issue. If you need to add entirely new objects I can suggest to create a cn=custom container as a top level subtree (i.e. at the same level as cn=accounts and cn=etc, ... and within it do what you need to do. This way it will not conflict with anything we may add in future.

Also, although I read Adam Young's blog article about how to extend the WebUI, I'm having difficulty adding attributes within the existing structure. For example, on the user page, is there a prescribed way of adding, say, the mailAlternateAddress attribute such that it shows as a field in the WebUI?
The rule is that you need to be able to do it in the CLI first, and then attempt it in the WebUI. The attribute you are attempting to access needs to be added to the user object in freeipa/ipalib/plugins/user.py first. Once you have that, you can add it to the UI just like email address:

{factory: IPA.multivalued_text_widget, name: 'mail'},

However, mail is already a multivalued attribute. You can store multiple email addresses there if you want, and that is the intention. If you want to make these both single value fields, change it to:

fields: [
    'mail',
    'mailalternateaddress',
    {factory: IPA.multivalued_text_widget, name: 'telephonenumber'},
    ...

Off on another project for a while, but I finally had a chance to attack this. Yes, I did have to make mailalternateaddress a separate attribute as I need to be able to search the directory for this and treat it differently than an email address (or multiple email addresses). After a nasty browser caching problem, I got everything to work. This is great! I'm a little weak in the JavaScript department, but with your instructions above and here (https://www.redhat.com/archives/freeipa-users/2011-June/msg00192.html) I was able to edit everything and make it work! The CLI worked great too. I could not believe it when I saw the command line options change (even in help) to reflect the added attribute. This is so unbelievably cool.

The only problem I'm having is that if there is no attribute entry to begin with (I added the first mailalternateaddress with the command line after the changes), there is no Add link in the UI next to the attribute like on the Email address. Is there something that has to be done to get this to appear? Note that the Delete link and Add link do appear if there is already a value for the attribute.

Sounds like a bug, but to be honest, it is a code path I haven't gone down. Please file it in trac and we'll investigate.
https://fedorahosted.org/freeipa/report/12

Steve
Re: [Freeipa-users] extending FreeIPA
On 08/06/2011 04:29 PM, Stephen Ingram wrote:

On Sat, Aug 6, 2011 at 12:18 PM, Stephen Ingram <sbing...@gmail.com> wrote:

On Fri, May 6, 2011 at 1:11 PM, Adam Young <ayo...@redhat.com> wrote:

On 05/06/2011 08:49 AM, Simo Sorce wrote:

On Wed, 2011-05-04 at 17:41 -0700, Stephen Ingram wrote:

I currently maintain a directory with MTA configuration data in it (among other items). I'm wondering what is the best way to add to the FreeIPA schema without stepping on current and future schema additions that might conflict with what I add. I know at one time you were expecting to add information for Postfix and other common server programs. Was this schema ever prepared and agreed upon, or is it best to use some special branch to put this all under?

OK, it seems we are confusing two things here: on one side schema extensions (new attributes and objectclasses) and on the other side DIT structure (subtrees within the tree where to put your information). If you use standard schema, or schema you made yourself after you got assigned a base OID, there should be no issue at all. If you do your own schema, please be careful in trying to use a prefix for attribute and objectclass names so that you do not risk future name conflicts. For the DIT part it really depends on what you need to do. If you just need to add attributes to users then you have no other option but to attach them to the users, and that's fine, it shouldn't cause any issue. If you need to add entirely new objects I can suggest to create a cn=custom container as a top level subtree (i.e. at the same level as cn=accounts and cn=etc, ... and within it do what you need to do. This way it will not conflict with anything we may add in future.

Also, although I read Adam Young's blog article about how to extend the WebUI, I'm having difficulty adding attributes within the existing structure. For example, on the user page, is there a prescribed way of adding, say, the mailAlternateAddress attribute such that it shows as a field in the WebUI?
The rule is that you need to be able to do it in the CLI first, and then attempt it in the WebUI. The attribute you are attempting to access needs to be added to the user object in freeipa/ipalib/plugins/user.py first. Once you have that, you can add it to the UI just like email address:

{factory: IPA.multivalued_text_widget, name: 'mail'},

However, mail is already a multivalued attribute. You can store multiple email addresses there if you want, and that is the intention. If you want to make these both single value fields, change it to:

fields: [
    'mail',
    'mailalternateaddress',
    {factory: IPA.multivalued_text_widget, name: 'telephonenumber'},
    ...

Off on another project for a while, but I finally had a chance to attack this. Yes, I did have to make mailalternateaddress a separate attribute as I need to be able to search the directory for this and treat it differently than an email address (or multiple email addresses). After a nasty browser caching problem, I got everything to work. This is great! I'm a little weak in the JavaScript department, but with your instructions above and here (https://www.redhat.com/archives/freeipa-users/2011-June/msg00192.html) I was able to edit everything and make it work! The CLI worked great too. I could not believe it when I saw the command line options change (even in help) to reflect the added attribute. This is so unbelievably cool.

The only problem I'm having is that if there is no attribute entry to begin with (I added the first mailalternateaddress with the command line after the changes), there is no Add link in the UI next to the attribute like on the Email address. Is there something that has to be done to get this to appear? Note that the Delete link and Add link do appear if there is already a value for the attribute.

Please just disregard this last problem. The correct objectclass was missing from the directory entry. It works perfectly now.

Steve

Glad to hear it. Interesting failure case.
Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys
DRM is the way to go. However, it does not support symmetric keys now. This is the part that we need for volume keys. Maybe it is the vault to store all sorts of keys. This is something that needs to be designed and looked at from a broader perspective. Adam likes to repeat a phrase about dreaming big, so I do. I want IPA to be a vault for all sorts of keys and passwords and what else. If DRM is the answer - great. I can start listing the use cases that such a key store should satisfy and we can design something that would ultimately fit the bill but build gradually, knocking use cases one by one. I will take an action item to come up with the use cases. Give me a couple of weeks as I am under water now...

Specifically: the phrase is Dream big, implement small.

There are four things here, I'd guess, that should play into the design.

1. User certificates in IPA. Discussed already, and probably the first thing to implement on the IPA side.
2. DRM/KRA talking to an external CA. Not sure if this makes sense, has been discussed etc.
3. DRM/KRA integration into IPA. Regardless of 2, we should talk through the use cases for integration.
4. DRM/KRA support for symmetric keys etc.
Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys
On 08/03/2011 12:21 PM, Ian Stokes-Rees wrote:

On Wed Aug 3 10:37:45 2011, Stephen Gallagher wrote:

As a general rule, I would think that having your private key stored somewhere that an admin other than yourself can reset the password and have access to would be really dangerous. Most especially if this private key was being used to access sites in other administrative domains. That really sounds like an accident waiting to happen...

If you are concerned about that, then don't make use of a centralized keystore. You may be a security expert and have a deeper understanding of this than I do, but from my limited experience and knowledge of security audits and risk assessment, if you don't trust your system administrators then you have a whole heap of other issues you need to contend with. Consider that the FreeIPA server is probably *more* secure than the user-accessible systems and file servers. If someone with administrative (root) privs for the part of the system where I store my passphrase-encrypted private key would be the kind of person who would take the private key from a central keystore, if it existed, then do you not think they could get my passphrase and/or cleartext private key from the system *without* a central keystore?

I think that it is a case of Just because I am paranoid doesn't mean they are not out to get me. It's not that we don't trust sysadmins, it is that we don't trust anyone. Typically, instead of trusting anyone, sysadmin or no, with long term access to keys, you might provide a window in which they know the shared secret in order to reset the key, but not make that a permanent relationship.

I think what you are interested in is the Data Recovery Manager (DRM... hey, we had the acronym first, but we also call it Key Recovery) aspect of Certificate Server.
Here are the Red Hat docs on it: http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/7.1/html/Administrators_Guide/kra.html#22604

That is not integrated into FreeIPA, but the packages are in Fedora as pki-kra. And from the RPM:

The Data Recovery Manager (DRM) is an optional PKI subsystem that can act as a Key Recovery Authority (KRA). When configured in conjunction with the Certificate Authority (CA), the DRM stores private encryption keys as part of the certificate enrollment process. The key archival mechanism is triggered when a user enrolls in the PKI and creates the certificate request. Using the Certificate Request Message Format (CRMF) request format, a request is generated for the user's private encryption key. This key is then stored in the DRM which is configured to store keys in an encrypted format that can only be decrypted by several agents requesting the key at one time, providing for protection of the public encryption keys for the users in the PKI deployment.

This is not to say there aren't arguments against it: a policy mix-up or a bug in the central keystore could lead to *all* users having their private keys compromised, and an admin who can dip in and grab private keys without any evidence would also be bad, but hopefully the Audit part of IPA means that any access to private keys will be securely logged, and flagged if they are by users other than the owner of the private key. This is a topic that is very important to me, so I'm quite interested to hear how my reasoning may be flawed, or to hear opinions from others.

Regards, Ian
Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys
On 08/03/2011 01:16 PM, Ian Stokes-Rees wrote:

On 8/3/11 12:38 PM, Adam Young wrote:

I think what you are interested in is the Data Recovery Manager (DRM... hey, we had the acronym first, but we also call it Key Recovery) aspect of Certificate Server.

That is awesome. That is exactly what I want. Do you have experience with this? If so, does it work if the certificate requests are being handled by an external entity? We use a Department of Energy CA located in California, but the users in our community are from across the US (and international), and we're looking to improve the process of them acquiring a usable identity in a federated environment. We're using FreeIPA internally, but if we can link it in to the cert request process and cert mgmt process (from the user end, not the CA end) that would be great.

Ian

Experience? I've been on the Dogtag project for over a week now. I'm learning about it as we speak. The place to ask about Dogtag and the pki products is pki-us...@redhat.com (http://www.redhat.com/mailman/listinfo/pki-users) and the IRC channel on freenode is #dogtag-pki. Integrating KRA into IPA is on the map, although I am not sure of the timeframe. However, I suspect that our approach would be assuming you wanted your own CA. Not sure if you can do KRA with an external CA.
Re: [Freeipa-users] Unable to start IPA server after server reboot
On 08/02/2011 09:42 AM, Ondrej Valousek wrote:

Hi Rob, It was just polaris - so I tried:

[root@polaris etc]# hostname polaris.example.com

and it started working - Magic! That means that we rely on the fact that hostname is set to FQDN, right? Isn't it too strong a requirement? Maybe we should guess FQDN using reverse lookups, I do not know. The bottom line is that at least the IPA installation script should warn about the incorrect hostname.

This actually brought a chuckle; we've been through a few iterations of how to deal with this. The approach did do Reverse at one point, but that brought in a few other issues. Needless to say, we've felt your pain on numerous occasions. Kerberos depends on the hostname being right, and none of the auth works without Kerberos. This is an issue that seems to mess people up in testing and evaluation mode, but people want and need it to resolve correctly in live environments.

And the error message was a bit confusing as well, because from that one no one can even guess what went wrong. I even tried 'ipactl -d start' to print more debugging, but it did not help either. Just trying to bring some ideas, otherwise I am happy that it is working again for me :-) Thanks! Ondrej

On 02.08.2011 15:18, Rob Crittenden wrote:

Is your hostname set to polaris.example.com or polaris (check /etc/sysconfig/network)? What we search for is cn=$FQDN,cn=masters,cn=etc. That explains the matched part. It matched everything except the hostname.

rob
Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18 ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
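The thread above boils down to one check: the kernel hostname must be the fully qualified name, because the server looks itself up as cn=$FQDN under cn=masters and Kerberos principals are built from the same name. The script below is an added example (not part of the thread or of FreeIPA) of the pre-flight warning Ondrej asks for. It assumes the full container is cn=masters,cn=ipa,cn=etc under the directory suffix (the thread abbreviates it), and the `preflight()` helper uses the system resolver; everything else is pure string checking and runs offline.

```python
import re
import socket

# RFC 1123 label: letters, digits and hyphens, no leading/trailing hyphen, at most 63 chars
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def masters_dn(fqdn, suffix):
    """DN of the server's own entry that IPA looks up at start.

    The thread abbreviates it as cn=$FQDN,cn=masters,cn=etc; the full container
    in FreeIPA is cn=masters,cn=ipa,cn=etc under the directory suffix (assumption
    stated in the lead-in).
    """
    return "cn=%s,cn=masters,cn=ipa,cn=etc,%s" % (fqdn.rstrip(".").lower(), suffix)


def check_hostname(hostname, resolved_fqdn=None):
    """Return a list of findings explaining why `hostname` is not usable as an
    IPA master name. An empty list means the name looks fine.

    `resolved_fqdn` is whatever the resolver returns for the host (see preflight);
    it is optional so that this function itself never touches the network.
    """
    findings = []
    name = hostname.rstrip(".")
    if "." not in name:
        findings.append("'%s' is a short name, not an FQDN; the entry "
                        "cn=%s,cn=masters,... will not match" % (hostname, hostname))
    if name != name.lower():
        findings.append("'%s' contains upper-case characters; Kerberos principal "
                        "names are case-sensitive" % hostname)
    for label in name.split("."):
        if not _LABEL.match(label.lower()):
            findings.append("label '%s' is not a valid DNS label" % label)
    if resolved_fqdn is not None and resolved_fqdn.rstrip(".").lower() != name.lower():
        findings.append("hostname '%s' does not match the resolver's FQDN '%s'"
                        % (hostname, resolved_fqdn))
    return findings


def preflight(hostname=None):
    """Run the check against the running system: the kernel hostname and what the
    resolver (hosts file or DNS) turns it into."""
    if hostname is None:
        hostname = socket.gethostname()
    return check_hostname(hostname, socket.getfqdn(hostname))


if __name__ == "__main__":
    for finding in preflight() or ["hostname looks usable for an IPA master"]:
        print(finding)
```

Run it before ipa-server-install; a short name such as `polaris` is reported immediately, and a mismatch between the kernel hostname and what the resolver returns is reported as well, which is the case the reverse-lookup approach in the thread was meant to catch.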
Re: [Freeipa-users] Is it possible FreeIPA for Web Apps SingleSignOn like CAS?
In order to authenticate through the firewall you have to allow kinit and Kerberos web traffic through, which means opening port 88. If you are unwilling to do that, you need to come up with an authentication solution that will pass through firewalls, which means either basic auth, digest, or certificates. IPA has an embedded CA in it (Dogtag) but does not yet manage user certificates. http://pki.fedoraproject.org/wiki/PKI_Main_Page

The approaches for web-only single sign-on (OpenID, OAuth, SAML and so forth) still require the initial authentication. Since IPA doesn't currently have a solution for that piece, we do not yet support one of the HTTP SSO mechanisms, but it is under discussion.

On 07/29/2011 02:30 AM, Rapid Noreapeat wrote:
> Thank you for your quick reply Rob, I'll try it.
>
> On Fri, Jul 29, 2011 at 11:50 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> Rapid Noreapeat wrote:
>>> Is it possible to integrate my web applications like portal website, helpdesk website, and other web apps login using FreeIPA's login accounts (SSO) like CAS?
>>
>> It depends. The FreeIPA SSO is Kerberos-based so you'd need to provide access to your KDC for this to work. If we're talking external portal then you may not want to expose your KDC.
>>
>> It also requires some configuration. Your browser has to be configured to do Negotiate auth against a given domain. It will also need to trust the IPA CA (and since CAS seems at least partially SSL-based you already handle this).
>>
>> I don't know much about CAS other than what I just read on their web site but it looks like they handle redirecting when you aren't authenticated, seemingly allowing a nice way to mix protected and unprotected data. I think you'd have to do much of this configuration yourself in Apache. Probably not a huge amount of work though. So it is basically whatever mod_auth_kerb provides.
>>
>> rob
Re: [Freeipa-users] Automounter maps
On 07/01/2011 03:48 AM, Ondrej Valousek wrote:
> Hi,
> On 30.06.2011 17:29, Dmitri Pal wrote:
>> Can you please rephrase? Do you mean that instead of documenting what we already have, or in addition to it, we should also document how to configure automount with DNS? Does DNS allow specifying the search base? Can you please point to any doc/man page that describes how to configure DNS for automount. We might add it as a reference into the doc. Is this what you are looking for?
>
> First of all, I believe you guys in Red Hat did a great job with IPA. Why? Because with all the install scripts and the framework around it, you managed to integrate all services (DNS, Kerberos, LDAP) into simply manageable identity management for Linux. A normal IT admin no longer has to dig through various howtos on the Internet. Just run the install script and you get something very similar to Active Directory - a robust and standards-based system. The key thing for me is the simplicity and the scripts around it. One should no longer be afraid of setting up all the services separately.
>
> From the client's perspective, you already covered Kerberos configuration and NSS, that's fine. Because of the reasons I outlined above I also believe that the *ipa-client-install* script should take care of the automounter, too (or at least offer the autofs configuration) - and this includes everything. As a helping hand I offer my additions to your existing howtos (I have already checked their functionality).
>
>     [root@draco etc]# cat /etc/sysconfig/autofs
>     ...
>     LDAP_URI=ldap:///dc=example,dc=com; # let the automounter discover LDAP server on its own
>
>     [root@draco etc]# cat /etc/autofs_ldap_auth.conf
>     <autofs_ldap_sasl_conf usetls="no" tlsrequired="no" authrequired="yes" authtype="GSSAPI"
>         clientprinc="host/draco.prague.s3group@example.com" />   # taken from klist -k
>
> This is I believe the best configuration you can get for autofs. It is not difficult (as you can see) so the ipa-client-install script should be able to take care of it automatically.
>
> And finally, regarding your question - see man auto.master. The DNS SRV lookup ability was added there because I asked the autofs maintainer Ian Kent from Red Hat to do it and he was kind enough to implement it for us (he actually grabbed a piece of Samba code to make it work). If you feel there should be something more (like you mentioned getting the search base from DNS as well), talk to him, I am sure he will help you.

Very nice. I'm with you in the philosophy of "make it easy, make it work together, and provide a good basic approach that makes sense for most people". With IPA, the user and group stuff is pretty close to how you'd expect everyone to do things, but we have had to make minor divergences: notice the ipausers group for example.

With automount, what we found is that there is a wide array of implementation approaches. Based on talking with people that are interested in IPA, we found that people can't even agree on whether the users' home directories should be automatically created when the user is added to the system. Often, people have multiple locations, and the user does not get a home directory for a location until they need it. Thus, we've taken the blank slate approach to automount policy.

What I suspect we'll find moving forward is that automount strategies will fall into one of two or three buckets, and we can work with the automount team and so on to make a clean unified strategy. Partially, I think we will need to assign a host to a Location and then it will be able to work with the maps and keys nested under there. We also will want to be able to trap a new user event and create the home directory on the file server, but we don't yet have an abstraction for a file server in IPA.

There is the opportunity to write helper tools for configuration that exist outside of the ipa-client and ipa-server execution paths. I scripted up the Sudo test cases earlier in the year.

> The ldap server SRV lookup has been there for quite some time so it is in RHEL5/6 already.
> Thanks!
> Ondrej
Re: [Freeipa-users] Automounter maps
Good point. Take a look at the test day instructions, I found them very useful for setting up both SUDO and automount.
https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount

On 06/30/2011 11:08 AM, Ondrej Valousek wrote:
> On 30.06.2011 16:55, Rob Crittenden wrote:
>> Look at the output of this for details:
>>
>>     ipa help automount
>
> I see, thanks!
> It would be nice to update man pages like:
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/configuring-automount.html
> to say something like:
>
>     LDAP_URI=ldap:///dc=example,dc=com;
>     SEARCH_BASE=cn=location,cn=automount,dc=example,dc=com
>
> So people know more about the automounter's ability to locate the ldap server via DNS SRV.
> Thanks!
> Ondrej
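Both automount threads above describe the same client-side setup: a host-less LDAP_URI (ldap:///base) so autofs finds the directory server through DNS SRV records, plus a GSSAPI host principal in /etc/autofs_ldap_auth.conf. The following is an added example, not code from the thread or from autofs, of a small audit that reads both files and reports settings that would weaken the setup (anonymous map lookups, simple binds in the clear, a malformed principal). The two inline samples are constructed, and the helper that detects SRV discovery simply keys on the empty host part of the URI, which is what auto.master(5) documents.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the settings shown in the thread; not copied from any real host.
SAMPLE_SYSCONFIG = """# /etc/sysconfig/autofs (constructed fragment)
TIMEOUT=300
LDAP_URI="ldap:///dc=example,dc=com"
SEARCH_BASE="cn=default,cn=automount,dc=example,dc=com"
"""

SAMPLE_AUTH_CONF = """<?xml version="1.0" ?>
<autofs_ldap_sasl_conf
    usetls="no"
    tlsrequired="no"
    authrequired="yes"
    authtype="GSSAPI"
    clientprinc="host/draco.example.com@EXAMPLE.COM"
/>
"""


def parse_sysconfig(text):
    """Parse KEY=value lines of a sysconfig-style file into a dict (comments and quotes stripped)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip('"').strip("'")
    return conf


def parse_auth_conf(text):
    """Parse /etc/autofs_ldap_auth.conf: one XML element whose attributes are the settings."""
    root = ET.fromstring(text)
    if root.tag != "autofs_ldap_sasl_conf":
        raise ValueError("unexpected root element %r" % root.tag)
    return dict(root.attrib)


def uses_srv_discovery(uri):
    """True for a host-less URI such as ldap:///dc=example,dc=com: autofs then finds
    the directory server through DNS SRV records for the domain named by the base DN."""
    return uri.startswith("ldap:///") or uri.startswith("ldaps:///")


def audit(sysconfig, auth):
    """Return findings about weak or inconsistent settings; an empty list means no complaints."""
    findings = []
    uri = sysconfig.get("LDAP_URI", "")
    if not uri:
        findings.append("LDAP_URI is not set")
    elif not uses_srv_discovery(uri):
        # one hard-coded server: no failover, and a stale name when the server moves
        findings.append("LDAP_URI names one server explicitly; ldap:///<base> lets autofs use DNS SRV")

    authtype = auth.get("authtype", "")
    if auth.get("authrequired", "no") != "yes":
        findings.append("authrequired is not 'yes': map lookups may fall back to anonymous binds")
    if authtype != "GSSAPI" and auth.get("usetls") != "yes":
        findings.append("authtype %r without TLS sends credentials in the clear" % authtype)
    if authtype == "GSSAPI":
        princ = auth.get("clientprinc", "")
        if not princ.startswith("host/") or "@" not in princ:
            findings.append("clientprinc %r is not of the form host/<fqdn>@<REALM>" % princ)
    return findings


if __name__ == "__main__":
    for f in audit(parse_sysconfig(SAMPLE_SYSCONFIG), parse_auth_conf(SAMPLE_AUTH_CONF)) or ["OK"]:
        print(f)
```

Point `parse_sysconfig` and `parse_auth_conf` at the real files on an enrolled client to check what ipa-client-install (or a hand-written howto) left behind; a configuration like Ondrej's passes cleanly, while a simple bind over a plain ldap:// host is reported twice.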
Re: [Freeipa-users] ipa-client-install errors via kickstart
On 06/26/2011 08:35 AM, Charlie Derwent wrote:
> On Thu, Jun 23, 2011 at 6:54 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> Charlie Derwent wrote:
>>> On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>> Charlie Derwent wrote:
>>>>> Hi
>>>>> I'm running FreeIPA server on F14 and connecting to a F14 client. When I run ipa-client-install (via kickstart or after the client has installed) I'm getting the following error message.
>>>>>
>>>>>     root: DEBUG root: ERRORLDAP Error: Connect error: Start TLS request accepted. Server willing to negotiate SSL
>>>>>     Failed to verify that ipa.test.net is an IPA server
>>>>>     This may mean that the remote server is not up or is not reachable due to network or firewall settings
>>>>
>>>> What version of IPA are you running on the client and server?
>>>
>>> Server is running 2.0.0.rc3-0
>>> F14 Client is running 2.0.0.rc3-0
>>> RHEL 5.6 Clients are running 2.0-10.el5_6.1
>>> All the boxes are 64-bit
>>>
>>>> How are you invoking ipa-client-install? The error message looks a bit odd and I'm not sure if it is a mail client mucking it up or something else (the addition of http://ipa.test.net)
>>>> rob
>>
>> Can you check the 389-ds access log to see if you can see the connection and any errors reported with it?
>
> Nothing in the access.log on the server. The ipa server is definitely up and running, it's still authenticating other servers in the network and when I rebuild the client with rhel or centos it can enroll (almost) without issue (see below).
>
>>> The second issue was this certmonger related bug where certmonger fails to start on new install (https://bugzilla.redhat.com/show_bug.cgi?id=636894) - was it resolved in Red Hat 5 as I think I'm experiencing the issue with my RH5u6 clients?
>>
>> Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to restart messagebus after installing certmonger. Should be easy to do in a kickstart.
>
> Yeah, got the killall -HUP dbus-daemon in there now.
> Cheers
> Charlie
>
>> rob
>
> Figured it out! Well partly... it's a dependency issue. I installed pretty much everything onto the box and it started to work but on my cut down server no joy. Finding the missing RPM might be a little bit trickier unless someone could deduce what RPM's absence could cause that error? It's hard because it may be a dependency for the ipa-client or a dependency of a dependency and so forth!
> Cheers
> Charlie

If you are doing a DNS install for the server, you need bind-dyndb-ldap, which is the LDAP backend for the DNS server.
Re: [Freeipa-users] ipa-client-install errors via kickstart
On 06/27/2011 11:01 AM, Rob Crittenden wrote:
> Charlie Derwent wrote:
>> On Mon, Jun 27, 2011 at 2:07 PM, Adam Young <ayo...@redhat.com> wrote:
>>> On 06/26/2011 08:35 AM, Charlie Derwent wrote:
>>>> [...]
>>>
>>> If you are doing a DNS install for the server, you need bind-dyndb-ldap, which is the LDAP backend for the DNS server.
>>
>> This was a client side issue (apologies for saying cut down server, I meant server in a hardware sense rather than the server/client model). But yeah, bind-dyndb-ldap is installed on my server.
>
> A brute force way would be to do an rpm -qa list on both installs so we can compare the two and try to find some important difference.
>
> rob

> Would the client install log report an error if something was missing?

/var/log/ipaclient-install.log
Re: [Freeipa-users] Custom Fields on UI
On 06/23/2011 08:35 AM, Attila Bogár wrote:
> Hi,
> When I apply the following ldif, the custom fields are not appearing on the web interface (ipa restart doesn't help).
>
> -- 8< --
> dn: cn=ipaConfig,cn=etc,dc=linguamatics,dc=com
> changetype: modify
> replace: ipaCustomFields
> ipaCustomFields: Employee Type,employeeType,false$Employee Number,employeeNumber,false
> -- 8< --
>
> I'm wondering if this is the correct behaviour and I have to modify some web ui related distro files a'la https://www.redhat.com/archives/freeipa-users/2009-June/msg00049.html
> Thanks,
> Attila

There are a lot of things in the Directory Server schema that we don't show in the UI. This is a deliberate decision, and comparable to what we've done with explicit attributes in the CLI. If you want custom fields in the UI, there are three steps.

1. Add it to the schema. You've done that.
2. Add it to the CLI. For this one, you want to modify /usr/lib64/python2.7/site-packages/ipalib/plugins/user.py.
3. Add an entry into the Javascript for the webui: /usr/share/ipa/ui/user.js

For employee number, you probably want to make it an integer data type in user.py. For employee type, you probably want to use IPA.select_widget to constrain the potential values.
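The ipaCustomFields value in Attila's LDIF packs several fields into one attribute: entries separated by `$`, each one `Label,attributeName,required`. Whatever front end ends up reading it (the thread says the WebUI does not), it pays to validate that string before writing it, since a stray comma or a space in an attribute name is silently wrong in LDAP. The code below is an added example, not from the thread or from FreeIPA; the field layout is read off the posted value, and the attribute-name pattern is the usual LDAP descriptor syntax.

```python
import re

# LDAP attribute type names: a letter followed by letters, digits or hyphens
_ATTR = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

# The value from the thread, used here as the sample input.
SAMPLE = "Employee Type,employeeType,false$Employee Number,employeeNumber,false"


def parse_custom_fields(value):
    """Split an ipaCustomFields value into a list of dicts.

    Entries are separated by '$'; each entry is 'Label,attributeName,required'
    where required is 'true' or 'false'. Malformed entries raise ValueError
    rather than being silently dropped.
    """
    fields = []
    for entry in value.split("$"):
        parts = [p.strip() for p in entry.split(",")]
        if len(parts) != 3:
            raise ValueError("entry %r is not 'label,attribute,required'" % entry)
        label, attr, required = parts
        if not label:
            raise ValueError("entry %r has an empty label" % entry)
        if not _ATTR.match(attr):
            raise ValueError("entry %r: %r is not an LDAP attribute name" % (entry, attr))
        if required.lower() not in ("true", "false"):
            raise ValueError("entry %r: required flag must be true or false" % entry)
        fields.append({"label": label, "attr": attr, "required": required.lower() == "true"})
    return fields


def format_custom_fields(fields):
    """Inverse of parse_custom_fields, for writing the attribute back."""
    return "$".join("%s,%s,%s" % (f["label"], f["attr"], "true" if f["required"] else "false")
                    for f in fields)


def modify_ldif(config_dn, fields):
    """Render the LDIF that replaces ipaCustomFields on the config entry, as in the thread."""
    return "\n".join([
        "dn: %s" % config_dn,
        "changetype: modify",
        "replace: ipaCustomFields",
        "ipaCustomFields: %s" % format_custom_fields(fields),
        "",
    ])


if __name__ == "__main__":
    print(modify_ldif("cn=ipaConfig,cn=etc,dc=example,dc=com", parse_custom_fields(SAMPLE)))
```

Round-tripping through `parse_custom_fields` and `format_custom_fields` is a cheap way to catch a hand-edited value before ldapmodify accepts it; the directory itself enforces nothing about the string's internal layout.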
Re: [Freeipa-users] extracting info and injecting info
On 06/14/2011 04:33 PM, Steven Jones wrote:
> Hi,
> That's excellent... it won't be me but our IdM developers... who will want to look, since it's Oracle IdM I suspect Java type stuff but I'm clueless on programming... I can hand this to them when they ask.

JSON is much friendlier, and it is what the webUI uses: I do it all the time. Here's my write up.
http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/

> thanks
> regards
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Stephen Gallagher [sgall...@redhat.com]
> Sent: Tuesday, 14 June 2011 11:48 p.m.
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] extracting info and injecting info
>
> On Tue, 2011-06-14 at 04:18 +, Steven Jones wrote:
>> At a high level, I just need an idea how this will/could work. We have a centralised provisioning system that (eventually) we need to talk to IPA. So the sort of things I need to extract are the available user groups and hosts and that then would be displayed in the IdM system. At that point the user admin would create the user and select the groups and hosts the user can interact with... how does the external program query IPA? language? etc.? and then inject user info?
>
> An external program can use the XML-RPC interface to perform IPA queries and updates. This is what the 'ipa' command-line tool does behind the scenes. It's not very readable, but you can take a look at
> http://git.fedorahosted.org/git/?p=freeipa.git;a=blob_plain;f=API.txt;hb=HEAD
> to see the API specification.
>
> There's a python API included with FreeIPA as well. See
> http://git.fedorahosted.org/git/?p=freeipa.git;a=blob;f=doc/examples/python-api.py;h=60578e805fb5f2b440ba204c5adbac62e8415c2b;hb=HEAD
> for an example of how to start using this API.
Re: [Freeipa-users] Multiple host records in the GUI
On 06/13/2011 12:20 PM, Sigbjorn Lie wrote:
> Hi,
> How come I cannot see multiple records for the same host in the WEB GUI? I can see the records when I'm using the CLI.
> This goes for multiple A records for the same hostname, but also if a hostname has an A record and a record. Only the A record will show up in the WEB GUI.
> All records are found using a ipa dnsrecord-find domain.com hostname on the CLI.
> Rgds,
> Siggi

This is an issue that comes about based on the way that ipa dnsrecord-find returns data. We are currently only reading the first value for each record, but this command packs the data in such a way that is different from other find commands. Thus, the subsequent A and records are ignored. I've opened up a ticket for this issue: https://fedorahosted.org/freeipa/ticket/1319
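The "extracting info and injecting info" thread points at the JSON-RPC interface the WebUI uses, and the dnsrecord-find thread shows the kind of result it returns: every attribute comes back as a list of values, and the WebUI bug was reading only the first one. The block below is an added example (not the thread's code, not FreeIPA's) that builds the request body, checks the reply for a server-reported error, and collects all record values. The two replies are constructed to match the shape of the server's JSON; the NotFound error code is the one FreeIPA uses, but the message text and the DNS data are illustrative. Transport and Negotiate authentication are left out; the endpoint path is given for orientation only.

```python
import json

# Where the JSON-RPC endpoint lives on an IPA server (https://<server>/ipa/json);
# authentication (Negotiate or a session cookie) is outside this example.
IPA_JSON_PATH = "/ipa/json"


def build_request(method, args=(), options=None, req_id=0):
    """Build one FreeIPA JSON-RPC call. `params` is a two-element list: the
    positional arguments and a dict of options, the same split the CLI makes
    between "ipa dnsrecord-find example.com www" and "--all"."""
    return {"method": method, "params": [list(args), dict(options or {})], "id": req_id}


def encode_request(req):
    """Serialise the request body for an HTTP POST with Content-Type: application/json."""
    return json.dumps(req)


def parse_response(text, req_id=0):
    """Decode a reply; raise on a server-reported error or an id that does not match ours."""
    reply = json.loads(text)
    if reply.get("id") != req_id:
        raise ValueError("reply id %r does not match request id %r" % (reply.get("id"), req_id))
    err = reply.get("error")
    if err:
        raise RuntimeError("%s (code %s): %s" % (err.get("name"), err.get("code"), err.get("message")))
    return reply["result"]


def records_by_type(entry):
    """Return {"A": [...], "AAAA": [...], ...} holding every value of every *record attribute.
    Taking only element [0] of each list is exactly the WebUI bug described in the thread."""
    out = {}
    for attr, values in entry.items():
        if attr.endswith("record"):
            out[attr[:-len("record")].upper()] = list(values)
    return out


# Constructed replies shaped like the server's JSON (values are illustrative, not real data).
SAMPLE_REPLY = json.dumps({
    "result": {
        "count": 1,
        "truncated": False,
        "result": [{
            "idnsname": ["www"],
            "arecord": ["192.0.2.10", "192.0.2.11"],
            "aaaarecord": ["2001:db8::10"],
        }],
        "summary": "1 DNS record matched",
    },
    "error": None,
    "id": 0,
    "principal": "admin@EXAMPLE.COM",
    "version": "2.x (constructed)",
})

SAMPLE_ERROR_REPLY = json.dumps({
    "result": None,
    "error": {"code": 4001, "name": "NotFound", "message": "www: DNS resource record not found"},
    "id": 0,
})


if __name__ == "__main__":
    print(encode_request(build_request("dnsrecord_find", ["example.com", "www"], {"all": True})))
    for rtype, values in records_by_type(parse_response(SAMPLE_REPLY)["result"][0]).items():
        print(rtype, values)
```

Note that JSON-RPC method names use underscores (dnsrecord_find) where the CLI uses hyphens, and that checking `id` and `error` before touching `result` is what keeps a client from treating a NotFound as an empty answer.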
Re: [Freeipa-users] FreeIPA 2, adding Samba attributes
On 06/09/2011 03:37 PM, John S. Skogtvedt wrote:
> On 09 June 2011 14:31, Simo Sorce wrote:
>> You probably want to use the DNA plugin to generate the sambaSid for you once you have a domain SID, it's not too difficult and will be much less error prone.
>> Simo.
>
> Thanks. The solution outlined at http://www.mail-archive.com/freeipa-users@redhat.com/msg00111.html works for me, at least for user objects (didn't try the group part yet).

It should be relatively trivial to add support in the WebUI for Samba, but nothing would be broken without it. All that would happen is that the WebUI would lack fields for the Samba specific attributes.

Assuming that ipa user-add works, you would want to add the field as an attribute in user.py. To add it after groupID:

    Int('gidnumber?',
        label=_('GID'),
        doc=_('Group ID Number'),
        default_from=lambda uid: uid,
    ),
    Int('sambasid?',
        label=_('SAMBA SID'),
        doc=_('Samba SID Number'),
    ),

I have to admit I'm not sure what the rules would be for default values for sambaSID.

Once you have ipa user-add working, if you want to extend the web UI, the file to modify is /usr/share/ipa/ui/user.js. What you would want to do is to add in a field sambaSID. I'd be prone to put it under the section with the name: 'account'. It should be a text field, so you just need to add an entry for sambasid. I'd put it under 'gidnumber'. That looks like this:

    {
        name: 'account',
        fields: [
            { factory: IPA.user_status_widget, name: 'nsaccountlock' },
            'uid',
            { factory: IPA.user_password_widget, name: 'userpassword' },
            'uidnumber',
            'gidnumber',
            'sambasid',
            'loginshell',
            'homedirectory'
        ]
    },
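One thing the thread leaves open is what a correct sambaSID value looks like and how to default it. A SID is a text string of the form S-1-5-21-<domain parts>-<RID>, not an integer, and Samba's classic algorithmic mapping derives the RID from the POSIX id (user RID = 2*uid + rid base, group RID = 2*gid + rid base + 1, rid base defaulting to 1000). The following is an added example, not code from the thread, from FreeIPA or from the linked DNA configuration, that validates SID syntax, derives SIDs under that mapping, and checks a user entry's sambaSID against its uidNumber. Whether a given deployment uses the algorithmic mapping or DNA-assigned RIDs is an assumption the caller makes by choosing `rid_base`.

```python
import re

# S-<revision>-<authority>-<subauthority>[-<subauthority>...]
_SID = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid):
    """Split a textual SID into (revision, authority, [sub-authorities]); raise on bad syntax."""
    if not _SID.match(sid):
        raise ValueError("not a SID: %r" % sid)
    parts = sid.split("-")
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]


def user_sid(domain_sid, uidnumber, rid_base=1000):
    """Samba's classic algorithmic mapping: user RID = 2*uid + rid base (default 1000)."""
    parse_sid(domain_sid)
    if uidnumber < 0:
        raise ValueError("uidNumber must be non-negative")
    return "%s-%d" % (domain_sid, 2 * uidnumber + rid_base)


def group_sid(domain_sid, gidnumber, rid_base=1000):
    """Group RID = 2*gid + rid base + 1; odd RIDs are groups in the same scheme."""
    parse_sid(domain_sid)
    if gidnumber < 0:
        raise ValueError("gidNumber must be non-negative")
    return "%s-%d" % (domain_sid, 2 * gidnumber + rid_base + 1)


def check_user_sid(entry, domain_sid, rid_base=1000):
    """Validate the sambaSID on a user entry given as {attribute: [values]} (the shape
    of raw LDAP or JSON-RPC output): present, single-valued, well-formed, inside our
    domain, and consistent with uidNumber under the algorithmic mapping."""
    sids = entry.get("sambasid", [])
    if len(sids) != 1:
        return ["sambaSID must be single-valued (found %d)" % len(sids)]
    sid = sids[0]
    try:
        parse_sid(sid)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if not sid.startswith(domain_sid + "-"):
        findings.append("sambaSID %s is not in domain %s" % (sid, domain_sid))
    uids = entry.get("uidnumber", [])
    if uids and sid != user_sid(domain_sid, int(uids[0]), rid_base):
        findings.append("sambaSID %s does not match uidNumber %s under the 2*uid+%d rule"
                        % (sid, uids[0], rid_base))
    return findings


if __name__ == "__main__":
    dom = "S-1-5-21-111-222-333"   # constructed domain SID
    print(user_sid(dom, 1000), group_sid(dom, 1000))
    print(check_user_sid({"uidnumber": ["1000"], "sambasid": [dom + "-3000"]}, dom))
```

Because the value is a string, a CLI parameter for it would be a Str rather than the Int shown in the post; the validation above is the kind of rule such a parameter could enforce on user-add.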
Re: [Freeipa-users] FreeIPA for Linux desktop deployment
On 05/17/2011 02:03 AM, nasir nasir wrote:
> Further to my previous mail, let us try to isolate it even more by comparing the login attempts to the NFS server (hugayat.cohort.org) and another IPA client (rhel.cohort.org). This is the relevant /var/log/messages in the two cases.
>
> 1. ssh -l nasir hugayat.cohort.org
>
>     May 17 07:45:14 hugayat automount[15767]: get_query_dn: lookup(ldap): found search base under cn=automount,dc=cohort,dc=org
>     May 17 07:45:14 hugayat automount[15767]: get_query_dn: lookup(ldap): found query dn automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org
>     May 17 07:45:14 hugayat automount[15767]: connected to uri ldap://192.168.1.240
>     May 17 07:45:14 hugayat automount[15767]: lookup_one: lookup(ldap): searching for ((objectclass=automount)(|(automountKey=nasir)(automountKey=/)(automountKey=\2A))) under automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org
>     May 17 07:45:14 hugayat automount[15767]: lookup_one: lookup(ldap): getting first entry for automountKey=nasir
>     May 17 07:45:14 hugayat automount[15767]: lookup_one: lookup(ldap): examining first entry
>     May 17 07:45:14 hugayat automount[15767]: lookup_mount: lookup(ldap): nasir - -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/
>     May 17 07:45:14 hugayat automount[15767]: parse_mount: parse(sun): expanded entry: -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/nasir
>     May 17 07:45:14 hugayat automount[15767]: parse_mount: parse(sun): gathered options: fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192
>     May 17 07:45:14 hugayat automount[15767]: parse_mount: parse(sun): dequote(hugayat.cohort.org:/xtra/home/nasir) - hugayat.cohort.org:/xtra/home/nasir
>     May 17 07:45:14 hugayat automount[15767]: parse_mount: parse(sun): core of entry: options=fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192, loc=hugayat.cohort.org:/xtra/home/nasir
>     May 17 07:45:14 hugayat automount[15767]: sun_mount: parse(sun): mounting root /home, mountpoint nasir, what hugayat.cohort.org:/xtra/home/nasir, fstype nfs4, options rw,sec=krb5,soft,rsize=8192,wsize=8192
>     May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(nfs): root=/home name=nasir what=hugayat.cohort.org:/xtra/home/nasir, fstype=nfs4, options=rw,sec=krb5,soft,rsize=8192,wsize=8192
>     May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(nfs): nfs options=rw,sec=krb5,soft,rsize=8192,wsize=8192, nosymlink=0, ro=0
>     May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(nfs): calling mkdir_path /home/nasir
>     May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(nfs): nasir is local, attempt bind mount

I'm guessing that there is some policy enforced by the NFS server here that lets you do something like this. ...and here's the source code
http://autofs5.sourcearchive.com/documentation/5.0.4-2/mount__nfs_8c-source.html

Here's the comment right above the line that generates that message.

    * If the port option is specified, then we don't want
    * a bind mount. Use the port option if you want to
    * avoid attempting a local bind mount, such as when
    * tunneling NFS via localhost.

So no surprise that the behavior is different on the NFS server than the rest of the cluster.

>     May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(bind): calling mkdir_path /home/nasir
>     May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(bind): calling mount --bind -s -o defaults /xtra/home/nasir /home/nasir
>     May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(bind): mounted /xtra/home/nasir type bind on /home/nasir
>
> 2. ssh -l rhel.cohort.org
>
>     May 17 07:46:06 rhel automount[15387]: find_server: trying server uri ldap://192.168.1.240
>     May 17 07:46:06 rhel automount[15387]: do_bind: lookup(ldap): auth_required: 1, sasl_mech (null)
>     May 17 07:46:06 rhel automount[15387]: do_bind: lookup(ldap): ldap simple bind returned 0
>     May 17 07:46:06 rhel automount[15387]: get_query_dn: lookup(ldap): check search base list
>     May 17 07:46:06 rhel automount[15387]: get_query_dn: lookup(ldap): found search base under cn=automount,dc=cohort,dc=org
>     May 17 07:46:06 rhel automount[15387]: get_query_dn: lookup(ldap): found query dn automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org
>     May 17 07:46:06 rhel automount[15387]: connected to uri ldap://192.168.1.240
>     May 17 07:46:06 rhel automount[15387]: lookup_one: lookup(ldap): searching for ((objectclass=automount)(|(automountKey=nasir)(automountKey=/)(automountKey=\2A))) under automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org
>     May 17 07:46:06 rhel automount[15387]: lookup_one: lookup(ldap): getting first entry for automountKey=nasir
>     May 17 07:46:06 rhel automount[15387]: lookup_one: lookup(ldap): examining first entry
>     May 17
Re: [Freeipa-users] FreeIPA for Linux desktop deployment
I'm guessing that the user you are trying to create is test1? And the directory /xtra/home/test1 does not yet exist? Does a precreated directory automount?

On 05/16/2011 08:08 AM, nasir nasir wrote:
> Thanks indeed for the reply!
> I updated the autofs package with version 5.0.5-30.el6.i686 and that error is gone now. But still automounting is not happening. Following is the relevant portion of /var/log/messages on one of the IPA client machines (RHEL 6.1 beta) configured with the --mkhomedir switch.
>
>     May 16 14:14:13 rhel automount[1787]: lookup_mount: lookup(ldap): looking up test1
>     May 16 14:14:13 rhel automount[1787]: find_server: trying server uri ldap://192.168.1.240
>     May 16 14:14:13 rhel automount[1787]: do_bind: lookup(ldap): auth_required: 1, sasl_mech (null)
>     May 16 14:14:13 rhel automount[1787]: do_bind: lookup(ldap): ldap simple bind returned 0
>     May 16 14:14:13 rhel automount[1787]: get_query_dn: lookup(ldap): check search base list
>     May 16 14:14:13 rhel automount[1787]: get_query_dn: lookup(ldap): found search base under cn=automount,dc=cohort,dc=org
>     May 16 14:14:13 rhel automount[1787]: get_query_dn: lookup(ldap): found query dn automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org
>     May 16 14:14:13 rhel automount[1787]: connected to uri ldap://192.168.1.240
>     May 16 14:14:13 rhel automount[1787]: lookup_one: lookup(ldap): searching for ((objectclass=automount)(|(automountKey=test1)(automountKey=/)(automountKey=\2A))) under automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org
>     May 16 14:14:13 rhel automount[1787]: lookup_one: lookup(ldap): getting first entry for automountKey=test1
>     May 16 14:14:13 rhel automount[1787]: lookup_one: lookup(ldap): examining first entry
>     May 16 14:14:13 rhel automount[1787]: lookup_mount: lookup(ldap): test1 - -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/
>     May 16 14:14:13 rhel automount[1787]: parse_mount: parse(sun): expanded entry: -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/test1
>     May 16 14:14:13 rhel automount[1787]: parse_mount: parse(sun): gathered options: fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192
>     May 16 14:14:13 rhel automount[1787]: parse_mount: parse(sun): dequote(hugayat.cohort.org:/xtra/home/test1) - hugayat.cohort.org:/xtra/home/test1
>     May 16 14:14:13 rhel automount[1787]: parse_mount: parse(sun): core of entry: options=fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192, loc=hugayat.cohort.org:/xtra/home/test1
>     May 16 14:14:13 rhel automount[1787]: sun_mount: parse(sun): mounting root /home, mountpoint test1, what hugayat.cohort.org:/xtra/home/test1, fstype nfs4, options rw,sec=krb5,soft,rsize=8192,wsize=8192
>     May 16 14:14:13 rhel automount[1787]: mount_mount: mount(nfs): root=/home name=test1 what=hugayat.cohort.org:/xtra/home/test1, fstype=nfs4, options=rw,sec=krb5,soft,rsize=8192,wsize=8192
>     May 16 14:14:13 rhel automount[1787]: mount_mount: mount(nfs): nfs options=rw,sec=krb5,soft,rsize=8192,wsize=8192, nosymlink=0, ro=0
>     May 16 14:14:13 rhel automount[1787]: mount_mount: mount(nfs): calling mkdir_path /home/test1
>     May 16 14:14:13 rhel automount[1787]: mount_mount: mount(nfs): calling mount -t nfs4 -s -o rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/test1 /home/test1
>     May 16 14:14:13 rhel automount[1787]: mount.nfs4: mounting hugayat.cohort.org:/xtra/home/test1 failed, reason given by server:
>     May 16 14:14:13 rhel automount[1787]:No such file or directory
>     May 16 14:14:13 rhel automount[1787]: mount(nfs): nfs: mount failure hugayat.cohort.org:/xtra/home/test1 on /home/test1
>     May 16 14:14:13 rhel automount[1787]: dev_ioctl_send_fail: token = 47
>     May 16 14:14:13 rhel automount[1787]: failed to mount /home/test1
>
> Please note the following points,
> -- All the configuration you had suggested for autofs nsswitch had already been done
> -- My NFS server is another IPA client machine with RHEL 6.1 (hugayat.cohort.org)
> -- This NFS server has /xtra/home/ as the NFS partition and /etc/exports file as follows
>
>     /xtra/home *(rw,fsid=0,insecure,no_subtree_check)
>     /xtra/home gss/krb5(rw,fsid=0,insecure,no_subtree_check)
>     /xtra/home gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
>     /xtra/home gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
>
> -- Output of the command ipa automountlocation-tofiles default
>
>     /etc/auto.master:
>     /-	/etc/auto.direct
>     /home	/etc/auto.home
>     /share	/etc/auto.share
>     ---
>     /etc/auto.direct:
>     ---
>     /etc/auto.home:
>     *	-fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/
>     ---
>     /etc/auto.share:
>
> I have played with various entries corresponding to /etc/auto.home (like /home instead of *) but with no success.
> Any idea?
> Regards,
> Nidal
>
> --- On Mon, 5/16/11, Jakub Hrozek <jhro...@redhat.com> wrote:
> From: Jakub Hrozek
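The two automount logs in this thread (the NFS server hugayat and the ordinary client rhel) tell the story once the noise is stripped: on hugayat the map points at the host itself, so autofs does a local bind mount instead of NFS; on rhel the NFS mount is attempted and the server answers "No such file or directory", i.e. the exported subdirectory for that user does not exist yet, which is what Adam's question about a pre-created directory is getting at. The parser below is an added example, not code from the thread or from autofs, that reduces such debug output to one summary per host. The sample lines are abridged copies of the lines posted above; the regexes assume the default syslog timestamp format and the automount[pid]: prefix shown there.

```python
import re

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"automount\[(?P<pid>\d+)\]: ?(?P<msg>.*)$")
MOUNTING_RE = re.compile(
    r"mounting root (?P<root>\S+), mountpoint (?P<key>\S+), what (?P<what>\S+), fstype (?P<fstype>\S+)")

# Abridged lines from the two logs posted in this thread (NFS server hugayat, client rhel).
SAMPLE_LOG = """\
May 17 07:45:14 hugayat automount[15767]: lookup_mount: lookup(ldap): nasir - -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/
May 17 07:45:14 hugayat automount[15767]: sun_mount: parse(sun): mounting root /home, mountpoint nasir, what hugayat.cohort.org:/xtra/home/nasir, fstype nfs4, options rw,sec=krb5,soft,rsize=8192,wsize=8192
May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(nfs): nasir is local, attempt bind mount
May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(bind): calling mount --bind -s -o defaults /xtra/home/nasir /home/nasir
May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(bind): mounted /xtra/home/nasir type bind on /home/nasir
May 16 14:14:13 rhel automount[1787]: sun_mount: parse(sun): mounting root /home, mountpoint test1, what hugayat.cohort.org:/xtra/home/test1, fstype nfs4, options rw,sec=krb5,soft,rsize=8192,wsize=8192
May 16 14:14:13 rhel automount[1787]: mount_mount: mount(nfs): calling mount -t nfs4 -s -o rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/test1 /home/test1
May 16 14:14:13 rhel automount[1787]: mount.nfs4: mounting hugayat.cohort.org:/xtra/home/test1 failed, reason given by server:
May 16 14:14:13 rhel automount[1787]:No such file or directory
May 16 14:14:13 rhel automount[1787]: mount(nfs): nfs: mount failure hugayat.cohort.org:/xtra/home/test1 on /home/test1
May 16 14:14:13 rhel automount[1787]: failed to mount /home/test1
"""


def parse_line(line):
    """Split one syslog line into timestamp, host, pid and the automount message, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec


def summarize(lines):
    """Reduce automount debug output to one dict per host: the key looked up, the
    server:path it resolved to, whether it was served by a bind mount (the map points
    at the host itself) or an NFS mount, whether it succeeded, and the server's reason
    if it did not."""
    hosts = {}
    pending_reason = None   # host whose "reason given by server:" continues on the next line
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = hosts.setdefault(rec["host"], {"key": None, "what": None, "method": None,
                                          "mounted": False, "reason": None})
        msg = rec["msg"]
        if pending_reason == rec["host"]:
            s["reason"] = msg.strip()
            pending_reason = None
            continue
        m = MOUNTING_RE.search(msg)
        if m:
            s["key"], s["what"] = m.group("key"), m.group("what")
        if "attempt bind mount" in msg:
            s["method"] = "bind"
        elif "mount(nfs): calling mount" in msg:
            s["method"] = "nfs"
        if "mount(bind): mounted" in msg or "mount(nfs): mounted" in msg:
            s["mounted"] = True
        if msg.endswith("reason given by server:"):
            pending_reason = rec["host"]
        if "mount failure" in msg and s["reason"] is None:
            s["reason"] = "mount failure"
    return hosts


if __name__ == "__main__":
    for host, summary in summarize(SAMPLE_LOG.splitlines()).items():
        print(host, summary)
```

Feeding `summarize` the output of `grep automount /var/log/messages` from several clients gives a quick table of who bind-mounted, who mounted over NFS, and which server-side reason each failure carried, which is the comparison nasir was doing by hand.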
Re: [Freeipa-users] FreeIPA for Linux desktop deployment
On 05/12/2011 03:30 PM, nasir nasir wrote:
> Adam,
> I tried to follow your recommendations with RHEL 6.1 beta on server and client machine. Centralized login and such things work. I have NFS service too working. But automount is not working. For the time being I configured my server as NFS server and created a folder /export as a share for creating home folders. I have pam_oddjob_mkhomedir.so enabled in pam files for autocreation of home folders. Now I can manually mount the /export nfs share on the server and the client successfully. But when I do that on the server for testing and try to login as a new user (e.g. abc), it is not creating the home folder. It gives the following error,
>
>     oddjob-mkhomedir[16401]: error setting permissions on /home/abc: Operation not permitted

It might be a root squash issue. My guess is that the order of operations for creating a root directory, which is done by root, is:

1. mkdir /home/userid
2. chown uid:gid /home/userid

It sounds from the error message that the first stage happened, but NFS is not allowing the second stage. To confirm, as a root (and kinit admin) user on the client machine, just try these two steps in order and see if they still fail. chown is a different system call from mkdir, and might have different NFS enforced permissions. You probably need rwx permissions in /etc/export.

> I have given 777 for my /export and rw permission in /etc/export.
> Output of the command ipa automountlocation-tofiles default:
>
>     /etc/auto.master:
>     /-	/etc/auto.direct
>     /share	/etc/auto.share
>     /home	/etc/auto.home
>     ---
>     /etc/auto.direct:
>     ---
>     /etc/auto.share:
>     ---
>     /etc/auto.home:
>     *	-rw,nfs4,sec=krb5,soft,rsize=8192,wsize=8192 openipa.cohort.org:/export/home/
>
> I tried reading many docs (RHEL deployment guide, google, FreeIPA doc etc). The problem is that they are confusing and conflicting in many cases.

There is a lot of old information on the site that needs to be updated to 2.0, and we are working on that. The more input (tickets logged into Trac) we can get for that the better.

> Please advise me how to proceed.
> Thanks and Regards,
> Nidal
>
>> Nidal,
>> OK, I'd probably do something like this: After installing IPA, add one host as an IPA client with the following switch: --mkhomedir, something like
>>
>>     ipa-client-install --mkhomedir -p admin
>>
>> Then, mount the directory that you are going to use as /home on that machine. Once you create users in IPA, the first time you log in as that user, do so from that client, and it will attempt to create the home directory for you. This should be the only machine that has permissions to create directories under /home.
>> Now, create an automount location and map, and create a key for /home. The instructions from our test day should get you started:
>> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount
Re: [Freeipa-users] FreeIPA for Linux desktop deployment
On 05/13/2011 12:13 PM, nasir nasir wrote:

Adam,

Thanks indeed! I tried your suggestions.
-- I can mkdir
-- When I try to chown, I get the following error:

    chown: changing ownership of `nasir': Operation not permitted

Could you please explain to me what you mean by 'You probably need rwx permissions in /etc/export'? This is my /etc/export file:

See the '(rw' in those lines? That indicates read and write privs, but not execute. I'm not an nfs guru, so I might be wrong. This post suggests that I am wrong: http://jackhammer.org/node/7

Since IPA is managing the IDs, they should be in sync across the NFS and automounted client machines, but there might be something not right in the setup. If the IPA server isn't managing the machine that serves as your NFS server, then the IDs are certainly going to be out of sync.

    /xtra *(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
    /xtra gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
    /xtra gss/krb5i(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
    /xtra gss/krb5p(rw,fsid=0,insecure,no_root_squash,no_subtree_check)

Also, I have configured a separate client machine (RHEL 6.1) and configured it as NFS server (previously my NFS server was the IPA server itself) and the result is the same. All the above commands are from this client machine only.

Thanks indeed again!
Regards,
Nidal
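The mkdir-then-chown sequence and the root-squash suspicion discussed in this thread can be checked mechanically. The script below is an added diagnostic, not code from the thread or from FreeIPA: exports_root_squash reports the effective root-squash setting for each client entry of an /etc/exports line, and probe_homedir_create repeats the two steps oddjob-mkhomedir performs against a directory you name; the sample export lines embedded in it are constructed.

```shell
#!/bin/sh
# Added diagnostic for the "mkdir succeeds, chown fails" symptom in the thread.
# Not code from the thread; the sample /etc/exports lines at the bottom are
# constructed to match the shape of the lines quoted by Nidal.

# Print "client setting" for every client entry on one /etc/exports line.
# exportfs applies root_squash unless no_root_squash is given, so an entry
# with no options at all still maps root to nobody. Trailing comments are
# not handled; pass one export line at a time.
exports_root_squash() {
    set -f                       # "*" is a client wildcard here, never a glob
    set -- $1                    # $1 is the export path, the rest are client(opts)
    set +f
    shift                        # drop the export path
    for entry in "$@"; do
        case $entry in
            *\(*) client=${entry%%\(*}; opts=${entry#*\(}; opts=${opts%\)} ;;
            *)    client=$entry; opts= ;;
        esac
        case ",$opts," in
            *,no_root_squash,*) setting=no_root_squash ;;
            *)                  setting=root_squash ;;
        esac
        printf '%s %s\n' "$client" "$setting"
    done
}

# Repeat the sequence oddjob-mkhomedir performs: create the directory, then
# hand it to the user. Run as root on the NFS client to reproduce the thread's
# case; as an ordinary user it only tests that user's own rights.
# Return codes: 0 = both steps worked, 1 = mkdir refused,
#               2 = mkdir worked but chown refused (the root_squash signature).
probe_homedir_create() {
    parent=$1                    # directory that holds home dirs, e.g. the NFS mount
    owner=$2                     # uid:gid the new directory should end up with
    dir=$parent/.homedir-probe.$$
    mkdir "$dir" 2>/dev/null || return 1
    if ! chown "$owner" "$dir" 2>/dev/null; then
        rmdir "$dir"
        return 2
    fi
    rmdir "$dir"
    return 0
}

# Constructed samples: the first mirrors the /xtra lines in the thread, the
# second has no squash option and therefore falls back to root_squash.
SAMPLE_KRB='/xtra gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check)'
SAMPLE_DEFAULT='/export *(rw,sync)'

exports_root_squash "$SAMPLE_KRB"        # gss/krb5 no_root_squash
exports_root_squash "$SAMPLE_DEFAULT"    # * root_squash
# On a real client: probe_homedir_create /home "$(id -u someuser):$(id -g someuser)"; echo "rc=$?"
```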
Re: [Freeipa-users] fatal error for ipa with dns.
On 05/11/2011 11:00 AM, Rob Crittenden wrote:
Steven Jones wrote:

Hi,

Nope, looks like DNS is barfed big time...

    ==
    [root@vuwunicoipamt01 ~]# host vuwunicoipamt01.unix.vuw.ac.nz
    vuwunicoipamt01.unix.vuw.ac.nz has address 130.195.81.236
    [root@vuwunicoipamt01 ~]# ipa dns-resolve vuwunicoipamt01.unix.vuw.ac.nz
    ipa: ERROR: Kerberos error: No credentials cache found/
    [root@vuwunicoipamt01 ~]# ipa host-show vuwunicoipamt01.unix.vuw.ac.nz
    ipa: ERROR: Kerberos error: No credentials cache found/
    [root@vuwunicoipamt01 ~]#

You have to kinit to get a TGT in order to run the ipa command.

rob

Yeah, we went on IRC shortly after this. He did kinit as one user, but ran the command as another, and realized it later.
Re: [Freeipa-users] failure to un-install FreeIPA
On 05/10/2011 04:32 AM, Martin Kosek wrote:
On Tue, 2011-05-10 at 03:58 +, Steven Jones wrote:

I am trying to un-install freeipa with ipa-server-install --uninstall and it's saying not installed, but when I try to install it's saying already installed! oops. Is there a way to force the script to check and remove everything? Or somewhere there is a lock file or something that needs removing?

regards

Steven, can you please send a full output of `ipa-server-install --uninstall` and then the `ipa-server-install` command? (and freeipa-server package version) There was a that could cause this behavior.

Anyway, the installer files you are looking for are there:

    /var/lib/ipa/sysrestore/          # server backup files
    /var/lib/ipa-client/sysrestore/   # client backup files

If you remove them, the installation will continue. However, I wouldn't recommend removing them manually as ipa-[server|client]-install --uninstall won't be able to return the machine to its original configuration then. I would rather suggest using the server/client uninstaller again.

A couple of hacks:
1. run the uninstaller multiple times
2. I have a sterilize script: http://adam.younglogic.com/2011/02/sterilizing-for-ipa-uninstall/

Martin
Re: [Freeipa-users] failure to un-install FreeIPA
On 05/10/2011 05:02 PM, Steven Jones wrote:

VMware local console. I can't cut and paste outputs or scroll back when it's a KDE rdp to a windows 7 vmware guest and then into the vmware thick client and then to a local console; it simply doesn't work... Bit messy but I get a Linux desktop.

Yeah, I had to deal with that in my last job. I had a hack where I converted the MAC address to the IPv6 link local in order to be able to get an SSH session without firing up the vSphere GUI. :D

regards

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 11 May 2011 8:52 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] failure to un-install FreeIPA

Steven Jones wrote:
I logged in via ssh instead so I could get an output and the install worked without a hitch...

ssh instead of what?

rob

:/ weird...

regards
Steven

From: Martin Kosek [mko...@redhat.com]
Sent: Tuesday, 10 May 2011 8:32 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] failure to un-install FreeIPA
Re: [Freeipa-users] fatal error for ipa with dns.
Can you attach the file /var/log/ipa-server-install.log?

On 05/10/2011 10:14 PM, Steven Jones wrote:

I have installed ipa but I'm getting this error, named won't run as won't kinit admin.

    =
    May 11 14:11:40 vuwunicoipamt01 named[3132]: starting BIND 9.7.3-RedHat-9.7.3-1.el6 -u named
    May 11 14:11:40 vuwunicoipamt01 named[3132]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
    May 11 14:11:40 vuwunicoipamt01 named[3132]: adjusted limit on open files from 1024 to 1048576
    May 11 14:11:40 vuwunicoipamt01 named[3132]: found 1 CPU, using 1 worker thread
    May 11 14:11:40 vuwunicoipamt01 named[3132]: using up to 4096 sockets
    May 11 14:11:40 vuwunicoipamt01 named[3132]: loading configuration from '/etc/named.conf'
    May 11 14:11:40 vuwunicoipamt01 named[3132]: using default UDP/IPv4 port range: [1024, 65535]
    May 11 14:11:40 vuwunicoipamt01 named[3132]: using default UDP/IPv6 port range: [1024, 65535]
    May 11 14:11:40 vuwunicoipamt01 named[3132]: listening on IPv6 interfaces, port 53
    May 11 14:11:40 vuwunicoipamt01 named[3132]: listening on IPv4 interface lo, 127.0.0.1#53
    May 11 14:11:40 vuwunicoipamt01 named[3132]: listening on IPv4 interface eth0, 130.195.81.236#53
    May 11 14:11:40 vuwunicoipamt01 named[3132]: generating session key for dynamic DNS
    May 11 14:11:40 vuwunicoipamt01 named[3132]: Failed to init credentials (Cannot contact any KDC for realm 'UNIX.VUW.AC.NZ')
    May 11 14:11:40 vuwunicoipamt01 named[3132]: loading configuration: failure
    May 11 14:11:40 vuwunicoipamt01 named[3132]: exiting (due to fatal error)
    May 11 14:12:36 vuwunicoipamt01 ntpd[1771]: synchronized to LOCAL(0), stratum 10
    =

there appears to be no named.log?

regards
Re: [Freeipa-users] fatal error for ipa with dns.
Very cool. I've had a slew of DNS related issues when trying to set things up in a small virtual environment using DNSMasq, so I feel your pain. Please send a quick write up of your set up if you get everything working.

On 05/10/2011 11:02 PM, Steven Jones wrote:

Hi,

Fixed I think, forgot to disable networkmanager. So did that, uninstalled and re-installed and it's fine... so far...

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Wednesday, 11 May 2011 2:14 p.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] fatal error for ipa with dns.

I have installed ipa but I'm getting this error, named won't run as won't kinit admin.

there appears to be no named.log?

regards
Re: [Freeipa-users] fatal error for ipa with dns.
OK, I'll take a look. BTW, what is your DNS set up outside of the IPA Server: does your IPA server have a FQDN in a different server?

On 05/10/2011 11:28 PM, Steven Jones wrote:

all the logs

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Adam Young [ayo...@redhat.com]
Sent: Wednesday, 11 May 2011 3:16 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] fatal error for ipa with dns.

Very cool. I've had a slew of DNS related issues when trying to set things up in a small virtual environment using DNSMasq, so I feel your pain. Please send a quick write up of your set up if you get everything working.

On 05/10/2011 11:02 PM, Steven Jones wrote:

Hi,

Fixed I think, forgot to disable networkmanager. So did that, uninstalled and re-installed and it's fine... so far...

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Wednesday, 11 May 2011 2:14 p.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] fatal error for ipa with dns.

I have installed ipa but I'm getting this error, named won't run as won't kinit admin.

there appears to be no named.log?

regards
Re: [Freeipa-users] FreeIPA for Linux desktop deployment
On 05/09/2011 10:43 AM, nasir nasir wrote:

Dimitri/Adam/Stephen,

Thanks a lot for all the replies! This is a 64 bit machine. So I will try to install 32 bit and let you know the result.

Also, I was trying to configure NFS service on the FreeIPA machine. I followed exactly as given in the deployment guide and tested with another RHEL 6.1 client machine with ipa-client installed on it. When I try to mount the nfs export I am getting the following error:

    [root@abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
    mount.nfs4: timeout set for Mon May 9 17:36:14 2011
    mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
    mount.nfs4: mount(2): Permission denied
    mount.nfs4: access denied by server while mounting openipa.cohort.org:/
    [root@abc Packages]#

But when I try to remove the kerberos authentication (i.e. without -o sec=krb5) it gets mounted without any problem. I googled a lot for this error and tried all the suggestions like adding the allow_weak_crypto parameter in the krb5.conf file, checking host/DNS/Keytab entries etc. Still it does not work. When I give a weak crypto entry and add some weak crypto like des-cbc-md5, the server rejects it and says that it is not supported. My /etc/export file and all the necessary commands are copy pasted from the deployment guide with only the necessary modifications to suit my values. Please suggest me what to do.

Start off by checking the kerberos logs on both the server and client machines, in /var/log/: krb5kdc.log, kadmind.log, secure. I'm not a Kerberos Guru... bear that in mind.

Make sure the clocks are in sync. Always worth doing. Kind of the Kerberos equivalent of "make sure the network cable is actually plugged in".

The KDC needs to know about the NFS service in order to grant a ticket. Confirm that you can request an nfs ticket for your user and client for the given server. On the IPA server side, you have to create a service entry for your NFS server.

Your NFS server needs to know to talk to the IPA Kerberos instance. This is a likely suspect, based on the error message.

Make sure you can kinit and do simple IPA type things on the machine you are doing a NFS mount on. Being able to use the IPA Kerberos ticket to ssh from the nfs client machine to the NFS server machine would be a good validation that the entire problem is just in the NFS configuration.

Thanks indeed in advance and regards,
Nidal

--- On Mon, 5/9/11, Adam Young ayo...@redhat.com wrote:

From: Adam Young ayo...@redhat.com
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: nasir nasir kollath...@yahoo.com
Cc: freeipa-users@redhat.com
Date: Monday, May 9, 2011, 6:17 AM

On 05/08/2011 11:57 PM, nasir nasir wrote:

Adam,

I truly appreciate your persistence! I tried using alien and it generated the .deb file successfully and even installed the ipa client package without any error on the client machine (Kubuntu 11.04). But when I run the ipa-client-install command, it gave the following error:

    openway@dl-360:~/rpm$ sudo ipa-client-install
    There was a problem importing one of the required Python modules. The
    error was:

    No module named ipaclient.ipadiscovery

I'm guessing that this is a 64 bit system? It might be an arch issue. I know that Debian and RH made different choices for 32 on 64. RH/Fedora puts the Python code into /usr/lib64/python2.7/site-packages/. Debian might be looking under /usr/lib/ for Python. Try a 32bit RPM.

    openway@dl-360:~/rpm$

I even created the deb file out of the ipa-python package and installed it on the kubuntu machine (without any error). Still, it's the same. Any idea?

Thanks and regards,
Nidal

--- On Sun, 5/8/11, Adam Young ayo...@redhat.com wrote:

From: Adam Young ayo...@redhat.com
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: nasir nasir kollath...@yahoo.com
Cc: freeipa-users@redhat.com
Date: Sunday, May 8, 2011, 4:39 PM

On 05/08/2011 06:20 AM, nasir nasir wrote:

Thanks indeed again for the reply. I went through the deployment guide and installed and configured FreeIPA 2.0 on a RHEL 6.1 beta machine for testing. I also configured the browsers on this server and a client Kubuntu machine as per the guide. But I can't find any doc which explains how to configure a client (kubuntu in my case) for single sign on or even accessing a service like nfs using the browser when the native ipa-client package is not available. All the docs are focused
Re: [Freeipa-users] FreeIPA for Linux desktop deployment
On 05/08/2011 06:20 AM, nasir nasir wrote:

Thanks indeed again for the reply. I went through the deployment guide and installed and configured FreeIPA 2.0 on a RHEL 6.1 beta machine for testing. I also configured the browsers on this server and a client Kubuntu machine as per the guide. But I can't find any doc which explains how to configure a client (kubuntu in my case) for single sign on or even accessing a service like nfs using the browser when the native ipa-client package is not available. All the docs are focused on configuring client machines using the ipa-client package. Is this possible? If so could anyone suggest me some guidelines or docs for the same?

Did you try installing the ipa-client rpms with Alien?

Thanks and Regards,
Nidal

--- On Mon, 5/2/11, Adam Young ayo...@redhat.com wrote:

From: Adam Young ayo...@redhat.com
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: nasir nasir kollath...@yahoo.com
Cc: freeipa-users@redhat.com
Date: Monday, May 2, 2011, 8:03 AM

On 05/01/2011 08:49 AM, nasir nasir wrote:

Thanks for all the replies and great suggestions! I do appreciate it a lot. Apologies for being a bit confusing about the centralized /home folder in my previous mail. What I want is that all the users should have their /home folder stored in the storage. This entire partition (or LUN) can be attached to my Authentication server (i.e. FreeIPA) by using iSCSI. From the Authentication server, I am NOT looking for iSCSI to get it mounted to the individual users' machine. I think NFS/automount would do that (appreciate any suggestion on this!). And whenever a new user is created, /home should be allocated out of this partition so that whichever machine the user is using to login later, she should be able to access the same /home specific to her regardless of the machine.

I hope it is clear to all :-)

Thanks and regards,
Nidal

-- Centralized storage with iSCSI for /home folder for each user by means of a dedicated storage

IPA manages Automount, which is possibly what you want. Are you going to give each user their own partition that follows them around, or are you going to give them a home directory on a NAS server? I have to admit, the iSCSI home mount sounds interesting. You could probably get automount to help you out there, but at this point I think that you would need a separate key line for each user. Note that iSCSI won't help you if you want to mount the same partition on multiple clients. For this, you either need a distributed file system, or stick to NFS.
Re: [Freeipa-users] extending FreeIPA
On 05/06/2011 08:49 AM, Simo Sorce wrote:
On Wed, 2011-05-04 at 17:41 -0700, Stephen Ingram wrote:

I currently maintain a directory with MTA configuration data in it (among other items). I'm wondering what is the best way to add to the FreeIPA schema without stepping on current and future schema additions that might conflict with what I add. I know at one time you were expecting to add information for Postfix and other common server programs. Was this schema ever prepared and agreed upon, or is it best to use some special branch to put this all under?

Ok, it seems we are confusing 2 things here: on one side schema extensions (new attributes and objectclasses) and on the other side DIT structure (subtrees within the tree where to put your information).

If you use standard schema or schema you made yourself after you got assigned a base OID there should be no issue at all. If you do your own schema please be careful in trying to use a prefix for attribute and objectclass names so that you do not risk future name conflicts.

For the DIT part it really depends on what you need to do. If you just need to add attributes to users then you have no other option but to attach them to the users, and that's fine, it shouldn't cause any issue. If you need to add entirely new objects I can suggest to create a cn=custom container as a top level subtree (i.e. at the same level as cn=accounts and cn=etc, ...) and within it do what you need to do. This way it will not conflict with anything we may add in future.

Also, although I read Adam Young's blog article about how to extend the WebUI, I'm having difficulty adding attributes within the existing structure. For example, on the user page, is there a prescribed way of adding, say, the mailAlternateAddress attribute such that it shows as a field in the WebUI?

The rule is that you need to be able to do it in the CLI first, and then attempt it in the WebUI. The attribute you are attempting to access needs to be added to the user object in freeipa/ipalib/plugins/user.py first. Once you have that, you can add it to the UI just like email address:

    {factory: IPA.multivalued_text_widget, name:'mail'},

However, mail is already a multivalued attribute. You can store multiple email addresses there if you want, and that is the intention. If you want to make these both single value fields, change it to:

    fields: [
        'mail', 'mailalternateaddress',
        {factory: IPA.multivalued_text_widget, name:'telephonenumber'},
        ...

I will let Adam reply to this one.

HTH,
Simo.
Re: [Freeipa-users] FreeIPA for Linux desktop deployment
On 05/01/2011 08:49 AM, nasir nasir wrote:

Thanks for all the replies and great suggestions! I do appreciate it a lot. Apologies for being a bit confusing about the centralized /home folder in my previous mail. What I want is that all the users should have their /home folder stored in the storage. This entire partition (or LUN) can be attached to my Authentication server (i.e. FreeIPA) by using iSCSI. From the Authentication server, I am NOT looking for iSCSI to get it mounted to the individual users' machine. I think NFS/automount would do that (appreciate any suggestion on this!). And whenever a new user is created, /home should be allocated out of this partition so that whichever machine the user is using to login later, she should be able to access the same /home specific to her regardless of the machine.

I hope it is clear to all :-)

Thanks and regards,
Nidal

-- Centralized storage with iSCSI for /home folder for each user by means of a dedicated storage

IPA manages Automount, which is possibly what you want. Are you going to give each user their own partition that follows them around, or are you going to give them a home directory on a NAS server? I have to admit, the iSCSI home mount sounds interesting. You could probably get automount to help you out there, but at this point I think that you would need a separate key line for each user. Note that iSCSI won't help you if you want to mount the same partition on multiple clients. For this, you either need a distributed file system, or stick to NFS.

Nidal, OK, I'd probably do something like this:

After installing IPA, add one host as an IPA client with the following switch: --mkhomedir, something like

    ipa-client-install --mkhomedir -p admin

Then, mount the directory that you are going to use as /home on that machine. Once you create users in IPA, the first time you log in as that user, do so from that client, and it will attempt to create the home directory for you. This should be the only machine that has permissions to create directories under /home.

Now, create an automount location and map, and create a key for /home. The instructions from our test day should get you started: https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount
Re: [Freeipa-users] FreeIPA for Linux desktop deployment
On 04/30/2011 12:10 PM, JR Aquino wrote:
On Apr 29, 2011, at 11:45 PM, nasir nasir <kollath...@yahoo.com> wrote:

Hi All,

First of all, many thanks indeed to the developers and community for making some great strides in the open source IPA world! I am planning for a Linux deployment with the following requirements.

-- About 50 Linux clients running Kubuntu (can change this to ubuntu if necessary)

No need. The client side of IPA is completely agnostic of the XWindows system or anything running in it. The GUI is completely Web technologies, and so you can hit it from the Mozilla browser just fine from Kubuntu.

-- Centralized authentication

Yes

-- Centralized storage with iSCSI for /home folder for each user by means of a dedicated storage

IPA manages Automount, which is possibly what you want. Are you going to give each user their own partition that follows them around, or are you going to give them a home directory on a NAS server? I have to admit, the iSCSI home mount sounds interesting. You could probably get automount to help you out there, but at this point I think that you would need a separate key line for each user. Note that iSCSI won't help you if you want to mount the same partition on multiple clients. For this, you either need a distributed file system, or stick to NFS.

-- NO Windows or other users

Dare I say Hooray?

-- Admin should be able to create and modify the accounts of all the users

Yes

-- Admin should be able to set password policies

-- Allocate /home folder for each user from the storage through iSCSI

Outside the realm of IPA, but possible to do from a central server... see above comments. But if you mount the home directory on the FreeIPA server via NFS, you should be able to create directories upon adding a user.

-- Server can be CentOS/RHEL (or even Fedora if absolutely required)

Agree with JR: go with Fedora 15 as that is where the most focused development is happening. F15 will ship with the 2.0 version of IPA. It is in Beta now, and should be stable enough for you to start setting up your environment. CentOS hasn't released a version compatible with RHEL6, and the supported version of IPA is going to ship in the RHEL 6 series.

-- Any other administration of users if possible!

Centralized SUDO and Host Based Access controls are two features you probably want to at least look over. Plus, IPA comes with good DNS integration, and you'll want to make each managed host reachable on your network; DNS support is pretty important. The ability to delegate authority for tasks, nested groups, and netgroup/hostgroup support all help in centralizing administration.

I was wondering whether FreeIPA makes sense to me in this scenario? Can it satisfy all these or at least some of these? If not, can anyone suggest me some alternative solutions which are open source? I am flexible on the requirements and can make modifications if that is required.

I think FreeIPA is the perfect starting point for you.

I would really appreciate any feedback on this.

Thanks in advance and regards,
Nidal

__

Yes Nidal, you will find that FreeIPA satisfies almost all of these requirements. iSCSI management is not a feature of FreeIPA. If you are looking to begin now, I would recommend that you start with Fedora as your base server distro. IPA will be available for RHEL as a Feature preview in 6.1 with plans to be fully supported and integrated by 6.2.

-JR