Re: [Freeipa-users] Certs.
Search the list for a post by me and certs... Basically there is an install flag that will do all the work for you once you have the cert in the right format.

On Sep 10, 2014 5:53 PM, William Graboyes wgrabo...@cenic.org wrote:
> Hello list,
>
> I have been fruitlessly searching for some information, especially related to certs, namely how to replace the self-signed certs with certs from a trusted CA. As we are moving forward into productionizing our FreeIPA install, I am finding information on the net to be a bit lacking. There is also the possibility that I am not looking in the right places, or using the correct search terms.
>
> Any help on this front would be greatly appreciated.
>
> Thanks,
> Bill

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Search Base issues
Thanks Martin, can you do SSSD on Macs?

On Thu, Sep 4, 2014 at 4:45 AM, Martin Kosek mko...@redhat.com wrote:
> Ok, thanks. Good to see it is working for you. I see you actually do authorization decisions based on the Schema Compatibility plugin :) Note that an alternate, preferred way of doing authorization in FreeIPA is HBAC, where you would configure which group of users can login to which machines. But this is only being enforced when SSSD is on the client machine, so it may not be working for all your machines.
>
> Martin
>
> On 09/03/2014 10:45 PM, Chris Whittle wrote:
>> Success! Here is my LDIF if anyone needs to do this with a Mac:
>>
>> dn: cn=Mac Users, cn=Schema Compatibility, cn=plugins, cn=config
>> objectClass: top
>> objectClass: extensibleObject
>> cn: Mac Users
>> schema-compat-search-base: cn=users,cn=accounts,dc=DOMAIN,dc=com
>> # only posixAccount entries that are members of cn=canlogin end up in the view
>> schema-compat-search-filter: (&(objectClass=posixaccount)(memberOf=cn=canlogin,cn=groups,cn=accounts,dc=DOMAIN,dc=com))
>> schema-compat-container-group: cn=compat,dc=DOMAIN,dc=com
>> schema-compat-container-rdn: cn=canlogin
>> schema-compat-entry-rdn: cn=%{cn}
>> schema-compat-entry-attribute: objectclass=inetOrgPerson
>> schema-compat-entry-attribute: objectclass=posixAccount
>> schema-compat-entry-attribute: gecos=%{cn}
>> schema-compat-entry-attribute: cn=%{cn}
>> schema-compat-entry-attribute: uid=%{uid}
>> schema-compat-entry-attribute: uidNumber=%{uidNumber}
>> schema-compat-entry-attribute: gidNumber=%{gidNumber}
>> schema-compat-entry-attribute: loginShell=%{loginShell}
>> schema-compat-entry-attribute: homeDirectory=%{homeDirectory}
>>
>> On Wed, Sep 3, 2014 at 1:04 PM, Chris Whittle cwhi...@gmail.com wrote:
>>> Thanks Rob for the explanation! I think I have it working, I just have to test a machine and verify.
>>>
>>> On Wed, Sep 3, 2014 at 12:47 PM, Rob Crittenden rcrit...@redhat.com wrote:
>>>> Chris Whittle wrote:
>>>>> That worked, but I'm having issues getting it to work with the OSX Directory Utility. I'm wondering if it's because when you go against the OU normally it's returning more info about the user versus what's being returned from the compat view. I'm going to experiment with the attributes it's returning and see if that's it.
>>>>>
>>>>> I'm also wondering why FreeIPA doesn't support multiple OUs natively; this would be so much easier with multiple OUs (one for my non-users and one for my users).
>>>>
>>>> Because they are so very often used really, really poorly, resulting in having to move entries around a lot with no real technical reason behind it. Think about the number of times an IT department gets renamed: oops, today they are called Global Support Services, oh no, didn't you hear, now they are ... Each one requiring an entire subtree move. Where the users exist in LDAP does not generally need to reflect the organizational structure.
>>>>
>>>> Your case is a bit different from most, where you want to host two completely separate kinds of users.
>>>>
>>>> rob
>>>>
>>>>> On Wed, Sep 3, 2014 at 9:10 AM, Martin Kosek mko...@redhat.com wrote:
>>>>>> On 09/03/2014 03:08 PM, Rob Crittenden wrote:
>>>>>>> Martin Kosek wrote:
>>>>>>>> On 09/03/2014 09:02 AM, Martin Kosek wrote:
>>>>>>>>> In the meantime, you can use the workaround that Rob sent, you would just need to delete it again when the fix is in, so that the permissions do not step on each other.
>>>>>>>>
>>>>>>>> Actually, wait a minute. I think Rob's ACI example may be too wide, it may expose any attribute in the compat tree, including a potential userPassword.
>>>>>>>
>>>>>>> The ACI was on his custom cn=canlogin subtree, not all of cn=compat.
>>>>>>>
>>>>>>>> As I see, it seems that the slapi-nis plugin fortunately does not expose that, but it is safer to just list the attributes that one wants to display (this is also what we did in FreeIPA 4.0, no global wildcard-allowing ACIs any more). I added a respective permission via Web UI (one part of it cannot be added via CLI, see https://fedorahosted.org/freeipa/ticket/4522) and the compat tree now works for me. See attached example.
>>>>>>>>
>>>>>>>> Resulting permission shown in CLI:
>>>>>>>>
>>>>>>>> # ipa permission-show TEMPORARY - Read compat tree
>>>>>>>>   Permission name: TEMPORARY - Read compat tree
>>>>>>>>   Granted rights: read, search, compare
>>>>>>>>   Effective attributes: cn, description, gecos, gidnumber, homedirectory, loginshell, memberuid, objectclass, uid, uidnumber
>>>>>>>>   Bind rule type: all
>>>>>>>>   Subtree: dc=mkosek-fedora20,dc=test
>>>>>>>>   ACI target DN: cn=compat,dc=mkosek-fedora20,dc=test
>>>>>>>>
>>>>>>>> It is much easier to manipulate than an ACI added via ldapmodify.
>>>>>>>
>>>>>>> I see you filed a bug on the missing CLI option. That's why I did the ACI, because I couldn't demonstrate how to add this ACI
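Martin's point above, that a read permission on the compat tree should list the attributes it exposes rather than allow everything, can be turned into a quick check over the `ipa permission-show` listing. The following is an added example, not code from the thread or from FreeIPA; the field names are the ones visible in Martin's mail, while the sensitive-attribute list and the second, over-wide listing are constructed for the example.

```python
"""Audit the listing printed by `ipa permission-show` for an over-wide grant.

Added example, not code from the thread or from FreeIPA. It parses the
field lines visible in Martin's mail (Permission name, Granted rights,
Effective attributes, Bind rule type, Subtree, ACI target DN) and flags
what the thread warns about: a read permission on the compat tree that
exposes every attribute (wildcard) or a sensitive one such as userPassword,
an anonymous bind rule, rights beyond read, or a target outside the subtree.
"""

# Attributes a read grant on the compat tree should never hand out. This list
# is an assumption made for the example, not a list FreeIPA maintains.
SENSITIVE_ATTRS = {"userpassword", "krbprincipalkey", "krbmkey", "ipasshpubkey"}

# Rights a pure read permission is expected to carry.
READ_RIGHTS = {"read", "search", "compare"}

# Fields whose value is a comma-separated list.
LIST_FIELDS = {"Granted rights", "Effective attributes"}


def parse_permission_show(text):
    """Turn `  Field: value` lines into a dict; list fields become lower-cased sets.

    The shell prompt line (`# ipa permission-show ...`) and blank lines are skipped.
    """
    perm = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        field, sep, value = line.partition(":")
        if not sep:
            continue  # not a field line; ignore it
        field, value = field.strip(), value.strip()
        if field in LIST_FIELDS:
            perm[field] = {v.strip().lower() for v in value.split(",") if v.strip()}
        else:
            perm[field] = value
    return perm


def audit_permission(perm):
    """Return a list of findings; an empty list means the grant looks tight."""
    findings = []
    attrs = perm.get("Effective attributes", set())
    rights = perm.get("Granted rights", set())

    # A wildcard target attribute exposes whatever the view contains now or later.
    if "*" in attrs:
        findings.append("wildcard attribute list: every attribute in the target is readable")
    for attr in sorted(attrs & SENSITIVE_ATTRS):
        findings.append("sensitive attribute exposed: " + attr)
    # "all" means any authenticated bind; "anonymous" would include unauthenticated clients.
    if perm.get("Bind rule type", "").lower() == "anonymous":
        findings.append("anonymous bind rule: unauthenticated clients can read the target")
    extra = rights - READ_RIGHTS
    if extra:
        findings.append("rights beyond read/search/compare: " + ", ".join(sorted(extra)))
    # The target DN should sit inside the declared subtree.
    target = perm.get("ACI target DN", "").replace(" ", "").lower()
    subtree = perm.get("Subtree", "").replace(" ", "").lower()
    if target and subtree and not target.endswith(subtree):
        findings.append("ACI target DN lies outside the declared subtree")
    return findings


# The listing from Martin's mail, embedded here as sample input.
PAGE_OUTPUT = """\
# ipa permission-show TEMPORARY - Read compat tree
  Permission name: TEMPORARY - Read compat tree
  Granted rights: read, search, compare
  Effective attributes: cn, description, gecos, gidnumber, homedirectory, loginshell, memberuid, objectclass, uid, uidnumber
  Bind rule type: all
  Subtree: dc=mkosek-fedora20,dc=test
  ACI target DN: cn=compat,dc=mkosek-fedora20,dc=test
"""

# A constructed listing of the kind Martin warned about: wildcard attributes
# and an anonymous bind rule on the same target.
WIDE_OUTPUT = """\
  Permission name: CONSTRUCTED - Read compat tree (too wide)
  Granted rights: read, search, compare
  Effective attributes: *
  Bind rule type: anonymous
  Subtree: dc=example,dc=test
  ACI target DN: cn=compat,dc=example,dc=test
"""


if __name__ == "__main__":
    for label, listing in (("page", PAGE_OUTPUT), ("constructed", WIDE_OUTPUT)):
        print(label, audit_permission(parse_permission_show(listing)) or ["ok"])
```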
Re: [Freeipa-users] Filters in bind-dyndb-ldap
Look at nsaccountlock; if it's TRUE then they are disabled.

On Thu, Sep 4, 2014 at 7:20 AM, Sebastian Leitz sebastian.le...@etes.de wrote:
> Hello,
>
> I am trying to use bind-dyndb-ldap to connect my BIND to an LDAP server for zones. I have a tiny question regarding this and both the project website and the kind people on #freeipa IRC directed me to this list. I hope someone is here who can answer my question. Sorry for intruding if I'm not asking in the correct place.
>
> For technical reasons we need to be able to filter zones in LDAP according to some flags, e.g. 'enabled'. Other services usually provide a config option to include LDAP search filters in every query, like
>
> ldap_search_filter = (enabled=1)
>
> Unfortunately, I can't find anything like this in the README file of bind-dyndb-ldap. Does anybody know of a way to pass a search filter to LDAP?
>
> Thanks in advance,
> Sebastian
>
> --
> Sebastian Leitz
> Mail: sebastian.le...@etes.de
> ETES GmbH
> Gablenberger Hauptstrasse 32
> D-70186 Stuttgart
> Fon: +49 (7 11) 48 90 83 - 14
> Fax: +49 (7 11) 48 90 83 - 50
> Web: http://www.etes.de/
> Commercial register: Amtsgericht Stuttgart HRB 721182
> Managing partner: Markus Espenhain
> Registered office: Stuttgart
> VAT ID: DE814767446
Re: [Freeipa-users] Search Base issues
That worked, but I'm having issues getting it to work with the OSX Directory Utility. I'm wondering if it's because when you go against the OU normally it's returning more info about the user versus what's being returned from the compat view. I'm going to experiment with the attributes it's returning and see if that's it.

I'm also wondering why FreeIPA doesn't support multiple OUs natively; this would be so much easier with multiple OUs (one for my non-users and one for my users).

On Wed, Sep 3, 2014 at 9:10 AM, Martin Kosek mko...@redhat.com wrote:
> On 09/03/2014 03:08 PM, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 09/03/2014 09:02 AM, Martin Kosek wrote:
>>>> In the meantime, you can use the workaround that Rob sent, you would just need to delete it again when the fix is in, so that the permissions do not step on each other.
>>>
>>> Actually, wait a minute. I think Rob's ACI example may be too wide, it may expose any attribute in the compat tree, including a potential userPassword.
>>
>> The ACI was on his custom cn=canlogin subtree, not all of cn=compat.
>>
>>> As I see, it seems that the slapi-nis plugin fortunately does not expose that, but it is safer to just list the attributes that one wants to display (this is also what we did in FreeIPA 4.0, no global wildcard-allowing ACIs any more). I added a respective permission via Web UI (one part of it cannot be added via CLI, see https://fedorahosted.org/freeipa/ticket/4522) and the compat tree now works for me. See attached example.
>>>
>>> Resulting permission shown in CLI:
>>>
>>> # ipa permission-show TEMPORARY - Read compat tree
>>>   Permission name: TEMPORARY - Read compat tree
>>>   Granted rights: read, search, compare
>>>   Effective attributes: cn, description, gecos, gidnumber, homedirectory, loginshell, memberuid, objectclass, uid, uidnumber
>>>   Bind rule type: all
>>>   Subtree: dc=mkosek-fedora20,dc=test
>>>   ACI target DN: cn=compat,dc=mkosek-fedora20,dc=test
>>>
>>> It is much easier to manipulate than an ACI added via ldapmodify.
>>
>> I see you filed a bug on the missing CLI option. That's why I did the ACI, because I couldn't demonstrate how to add this ACI on the CLI. I hadn't gotten around to doing that last night.
>>
>> rob
>
> Right. Surprisingly, the option was available in the Web UI, thus the Web UI screenshot I attached to the thread :) But we have the CLI option fixed already, it will be part of FreeIPA 4.0.2 which will be released very soon.
>
> Martin
Re: [Freeipa-users] Search Base issues
Thanks Rob for the explanation! I think I have it working, I just have to test a machine and verify.

On Wed, Sep 3, 2014 at 12:47 PM, Rob Crittenden rcrit...@redhat.com wrote:
> Chris Whittle wrote:
>> That worked, but I'm having issues getting it to work with the OSX Directory Utility. I'm wondering if it's because when you go against the OU normally it's returning more info about the user versus what's being returned from the compat view. I'm going to experiment with the attributes it's returning and see if that's it.
>>
>> I'm also wondering why FreeIPA doesn't support multiple OUs natively; this would be so much easier with multiple OUs (one for my non-users and one for my users).
>
> Because they are so very often used really, really poorly, resulting in having to move entries around a lot with no real technical reason behind it. Think about the number of times an IT department gets renamed: oops, today they are called Global Support Services, oh no, didn't you hear, now they are ... Each one requiring an entire subtree move. Where the users exist in LDAP does not generally need to reflect the organizational structure.
>
> Your case is a bit different from most, where you want to host two completely separate kinds of users.
>
> rob
>
>> On Wed, Sep 3, 2014 at 9:10 AM, Martin Kosek mko...@redhat.com wrote:
>>> On 09/03/2014 03:08 PM, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> On 09/03/2014 09:02 AM, Martin Kosek wrote:
>>>>>> In the meantime, you can use the workaround that Rob sent, you would just need to delete it again when the fix is in, so that the permissions do not step on each other.
>>>>>
>>>>> Actually, wait a minute. I think Rob's ACI example may be too wide, it may expose any attribute in the compat tree, including a potential userPassword.
>>>>
>>>> The ACI was on his custom cn=canlogin subtree, not all of cn=compat.
>>>>
>>>>> As I see, it seems that the slapi-nis plugin fortunately does not expose that, but it is safer to just list the attributes that one wants to display (this is also what we did in FreeIPA 4.0, no global wildcard-allowing ACIs any more). I added a respective permission via Web UI (one part of it cannot be added via CLI, see https://fedorahosted.org/freeipa/ticket/4522) and the compat tree now works for me. See attached example.
>>>>>
>>>>> Resulting permission shown in CLI:
>>>>>
>>>>> # ipa permission-show TEMPORARY - Read compat tree
>>>>>   Permission name: TEMPORARY - Read compat tree
>>>>>   Granted rights: read, search, compare
>>>>>   Effective attributes: cn, description, gecos, gidnumber, homedirectory, loginshell, memberuid, objectclass, uid, uidnumber
>>>>>   Bind rule type: all
>>>>>   Subtree: dc=mkosek-fedora20,dc=test
>>>>>   ACI target DN: cn=compat,dc=mkosek-fedora20,dc=test
>>>>>
>>>>> It is much easier to manipulate than an ACI added via ldapmodify.
>>>>
>>>> I see you filed a bug on the missing CLI option. That's why I did the ACI, because I couldn't demonstrate how to add this ACI on the CLI. I hadn't gotten around to doing that last night.
>>>>
>>>> rob
>>>
>>> Right. Surprisingly, the option was available in the Web UI, thus the Web UI screenshot I attached to the thread :) But we have the CLI option fixed already, it will be part of FreeIPA 4.0.2 which will be released very soon.
>>>
>>> Martin
Re: [Freeipa-users] Search Base issues
Success! Here is my LDIF if anyone needs to do this with a Mac:

dn: cn=Mac Users, cn=Schema Compatibility, cn=plugins, cn=config
objectClass: top
objectClass: extensibleObject
cn: Mac Users
schema-compat-search-base: cn=users,cn=accounts,dc=DOMAIN,dc=com
# only posixAccount entries that are members of cn=canlogin end up in the view
schema-compat-search-filter: (&(objectClass=posixaccount)(memberOf=cn=canlogin,cn=groups,cn=accounts,dc=DOMAIN,dc=com))
schema-compat-container-group: cn=compat,dc=DOMAIN,dc=com
schema-compat-container-rdn: cn=canlogin
schema-compat-entry-rdn: cn=%{cn}
schema-compat-entry-attribute: objectclass=inetOrgPerson
schema-compat-entry-attribute: objectclass=posixAccount
schema-compat-entry-attribute: gecos=%{cn}
schema-compat-entry-attribute: cn=%{cn}
schema-compat-entry-attribute: uid=%{uid}
schema-compat-entry-attribute: uidNumber=%{uidNumber}
schema-compat-entry-attribute: gidNumber=%{gidNumber}
schema-compat-entry-attribute: loginShell=%{loginShell}
schema-compat-entry-attribute: homeDirectory=%{homeDirectory}

On Wed, Sep 3, 2014 at 1:04 PM, Chris Whittle cwhi...@gmail.com wrote:
> Thanks Rob for the explanation! I think I have it working, I just have to test a machine and verify.
>
> On Wed, Sep 3, 2014 at 12:47 PM, Rob Crittenden rcrit...@redhat.com wrote:
>> Chris Whittle wrote:
>>> That worked, but I'm having issues getting it to work with the OSX Directory Utility. I'm wondering if it's because when you go against the OU normally it's returning more info about the user versus what's being returned from the compat view. I'm going to experiment with the attributes it's returning and see if that's it.
>>>
>>> I'm also wondering why FreeIPA doesn't support multiple OUs natively; this would be so much easier with multiple OUs (one for my non-users and one for my users).
>>
>> Because they are so very often used really, really poorly, resulting in having to move entries around a lot with no real technical reason behind it. Think about the number of times an IT department gets renamed: oops, today they are called Global Support Services, oh no, didn't you hear, now they are ... Each one requiring an entire subtree move. Where the users exist in LDAP does not generally need to reflect the organizational structure.
>>
>> Your case is a bit different from most, where you want to host two completely separate kinds of users.
>>
>> rob
>>
>>> On Wed, Sep 3, 2014 at 9:10 AM, Martin Kosek mko...@redhat.com wrote:
>>>> On 09/03/2014 03:08 PM, Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> On 09/03/2014 09:02 AM, Martin Kosek wrote:
>>>>>>> In the meantime, you can use the workaround that Rob sent, you would just need to delete it again when the fix is in, so that the permissions do not step on each other.
>>>>>>
>>>>>> Actually, wait a minute. I think Rob's ACI example may be too wide, it may expose any attribute in the compat tree, including a potential userPassword.
>>>>>
>>>>> The ACI was on his custom cn=canlogin subtree, not all of cn=compat.
>>>>>
>>>>>> As I see, it seems that the slapi-nis plugin fortunately does not expose that, but it is safer to just list the attributes that one wants to display (this is also what we did in FreeIPA 4.0, no global wildcard-allowing ACIs any more). I added a respective permission via Web UI (one part of it cannot be added via CLI, see https://fedorahosted.org/freeipa/ticket/4522) and the compat tree now works for me. See attached example.
>>>>>>
>>>>>> Resulting permission shown in CLI:
>>>>>>
>>>>>> # ipa permission-show TEMPORARY - Read compat tree
>>>>>>   Permission name: TEMPORARY - Read compat tree
>>>>>>   Granted rights: read, search, compare
>>>>>>   Effective attributes: cn, description, gecos, gidnumber, homedirectory, loginshell, memberuid, objectclass, uid, uidnumber
>>>>>>   Bind rule type: all
>>>>>>   Subtree: dc=mkosek-fedora20,dc=test
>>>>>>   ACI target DN: cn=compat,dc=mkosek-fedora20,dc=test
>>>>>>
>>>>>> It is much easier to manipulate than an ACI added via ldapmodify.
>>>>>
>>>>> I see you filed a bug on the missing CLI option. That's why I did the ACI, because I couldn't demonstrate how to add this ACI on the CLI. I hadn't gotten around to doing that last night.
>>>>>
>>>>> rob
>>>>
>>>> Right. Surprisingly, the option was available in the Web UI, thus the Web UI screenshot I attached to the thread :) But we have the CLI option fixed already, it will be part of FreeIPA 4.0.2 which will be released very soon.
>>>>
>>>> Martin
Re: [Freeipa-users] Search Base issues
Ok Dmitri, I got it added using what you sent and the following links:
https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc/sch-getting-started.txt
https://www.redhat.com/archives/freeipa-users/2009-August/msg00013.html

I think I'm 90% there, with the caveat that I can't seem to see what permissions I need to give a user to view my NIS view. Right now Directory Manager can see it but that is it. Any ideas?

On Tue, Sep 2, 2014 at 9:00 AM, Chris Whittle cwhi...@gmail.com wrote:
> Thanks Dmitri, before I get too far down this rabbit hole (cause it looks a little scary) let me make sure I get it. So using slapi-nis I should be able to create a view into FreeIPA that would show only a subset of users based on something like a group or an attribute? Then using the built-in Mac Directory Utility (or any LDAP client) I should be able to use that slapi-nis view as a searchbase and it would return just the people I wanted. This could be used to keep anyone outside that view from logging in?
>
> I'm sorry for the noob questions but there isn't a lot of good documentation on slapi-nis at first glance and I don't want to spend 2 days figuring it out if it's not going to work.
>
> As always, extremely appreciated!
>
> Whitt
>
> On Tue, Sep 2, 2014 at 3:54 AM, Dmitri Pal d...@redhat.com wrote:
>> On 09/02/2014 03:04 AM, Chris Whittle wrote:
>>> I am trying to limit who can login to my Macs and I'm having to stick to what OSX will let me do. Currently I can only limit users using the searchbase, and right now it's cn=users,cn=accounts,dc=DOMAIN,dc=com. This works fine unless I wanted to create a user that I wanted in LDAP for other purposes but not to login.
>>>
>>> So my questions are,
>>> A) Can we create different OUs in FreeIPA like most LDAP servers?
>>
>> You can use slapi-nis to create an alternative view of the tree or trees and point your special client to that tree. There you might be able to expose a small subset of users that match your special criteria. The slapi-nis and compat docs are in the doc folder in the corresponding git repo. IPA uses the compat tree for its own purposes but you can tweak it if you need or create a different view.
>>
>> HTH
>>
>>> B) If not, anyone have any idea on how I could do this with OSX's Directory Utility?
>>> Thanks!
>>
>> --
>> Thank you,
>> Dmitri Pal
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
Re: [Freeipa-users] Search Base issues
hmmm... Is there not a permission or role in FreeIPA that I could give a group or role just to see everything in my CN cn=canlogin,cn=compat,dc=DOMAIN,dc=com?

On Tue, Sep 2, 2014 at 3:06 PM, Dmitri Pal d...@redhat.com wrote:
> On 09/02/2014 09:34 PM, Chris Whittle wrote:
>> Ok Dmitri, I got it added using what you sent and the following links:
>> https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc/sch-getting-started.txt
>> https://www.redhat.com/archives/freeipa-users/2009-August/msg00013.html
>>
>> I think I'm 90% there, with the caveat that I can't seem to see what permissions I need to give a user to view my NIS view. Right now Directory Manager can see it but that is it. Any ideas?
>
> You got me :-) I would defer to a specialist in this area to solve this problem.
>
>> On Tue, Sep 2, 2014 at 9:00 AM, Chris Whittle cwhi...@gmail.com wrote:
>>> Thanks Dmitri, before I get too far down this rabbit hole (cause it looks a little scary) let me make sure I get it. So using slapi-nis I should be able to create a view into FreeIPA that would show only a subset of users based on something like a group or an attribute? Then using the built-in Mac Directory Utility (or any LDAP client) I should be able to use that slapi-nis view as a searchbase and it would return just the people I wanted. This could be used to keep anyone outside that view from logging in?
>>>
>>> I'm sorry for the noob questions but there isn't a lot of good documentation on slapi-nis at first glance and I don't want to spend 2 days figuring it out if it's not going to work.
>>>
>>> As always, extremely appreciated!
>>>
>>> Whitt
>>>
>>> On Tue, Sep 2, 2014 at 3:54 AM, Dmitri Pal d...@redhat.com wrote:
>>>> On 09/02/2014 03:04 AM, Chris Whittle wrote:
>>>>> I am trying to limit who can login to my Macs and I'm having to stick to what OSX will let me do. Currently I can only limit users using the searchbase, and right now it's cn=users,cn=accounts,dc=DOMAIN,dc=com. This works fine unless I wanted to create a user that I wanted in LDAP for other purposes but not to login.
>>>>>
>>>>> So my questions are,
>>>>> A) Can we create different OUs in FreeIPA like most LDAP servers?
>>>>
>>>> You can use slapi-nis to create an alternative view of the tree or trees and point your special client to that tree. There you might be able to expose a small subset of users that match your special criteria. The slapi-nis and compat docs are in the doc folder in the corresponding git repo. IPA uses the compat tree for its own purposes but you can tweak it if you need or create a different view.
>>>>
>>>> HTH
>>>>
>>>>> B) If not, anyone have any idea on how I could do this with OSX's Directory Utility?
>>>>> Thanks!
>>>>
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>> Sr. Engineering Manager IdM portfolio
>>>> Red Hat, Inc.
>
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
Re: [Freeipa-users] Search Base issues
Thanks Dmitri, I'm so close I can almost see the end!

On Tue, Sep 2, 2014 at 3:24 PM, Dmitri Pal d...@redhat.com wrote:
> On 09/02/2014 10:08 PM, Chris Whittle wrote:
>> hmmm... Is there not a permission or role in FreeIPA that I could give a group or role just to see everything in my CN cn=canlogin,cn=compat,dc=DOMAIN,dc=com?
>
> I think it might be related to the new permission system that was released in 4.0. Stay tuned, the chivalry is on the way...
>
>> On Tue, Sep 2, 2014 at 3:06 PM, Dmitri Pal d...@redhat.com wrote:
>>> On 09/02/2014 09:34 PM, Chris Whittle wrote:
>>>> Ok Dmitri, I got it added using what you sent and the following links:
>>>> https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc/sch-getting-started.txt
>>>> https://www.redhat.com/archives/freeipa-users/2009-August/msg00013.html
>>>>
>>>> I think I'm 90% there, with the caveat that I can't seem to see what permissions I need to give a user to view my NIS view. Right now Directory Manager can see it but that is it. Any ideas?
>>>
>>> You got me :-) I would defer to a specialist in this area to solve this problem.
>>>
>>>> On Tue, Sep 2, 2014 at 9:00 AM, Chris Whittle cwhi...@gmail.com wrote:
>>>>> Thanks Dmitri, before I get too far down this rabbit hole (cause it looks a little scary) let me make sure I get it. So using slapi-nis I should be able to create a view into FreeIPA that would show only a subset of users based on something like a group or an attribute? Then using the built-in Mac Directory Utility (or any LDAP client) I should be able to use that slapi-nis view as a searchbase and it would return just the people I wanted. This could be used to keep anyone outside that view from logging in?
>>>>>
>>>>> I'm sorry for the noob questions but there isn't a lot of good documentation on slapi-nis at first glance and I don't want to spend 2 days figuring it out if it's not going to work.
>>>>>
>>>>> As always, extremely appreciated!
>>>>>
>>>>> Whitt
>>>>>
>>>>> On Tue, Sep 2, 2014 at 3:54 AM, Dmitri Pal d...@redhat.com wrote:
>>>>>> On 09/02/2014 03:04 AM, Chris Whittle wrote:
>>>>>>> I am trying to limit who can login to my Macs and I'm having to stick to what OSX will let me do. Currently I can only limit users using the searchbase, and right now it's cn=users,cn=accounts,dc=DOMAIN,dc=com. This works fine unless I wanted to create a user that I wanted in LDAP for other purposes but not to login.
>>>>>>>
>>>>>>> So my questions are,
>>>>>>> A) Can we create different OUs in FreeIPA like most LDAP servers?
>>>>>>
>>>>>> You can use slapi-nis to create an alternative view of the tree or trees and point your special client to that tree. There you might be able to expose a small subset of users that match your special criteria. The slapi-nis and compat docs are in the doc folder in the corresponding git repo. IPA uses the compat tree for its own purposes but you can tweak it if you need or create a different view.
>>>>>>
>>>>>> HTH
>>>>>>
>>>>>>> B) If not, anyone have any idea on how I could do this with OSX's Directory Utility?
>>>>>>> Thanks!
>>>>>>
>>>>>> --
>>>>>> Thank you,
>>>>>> Dmitri Pal
>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>> Red Hat, Inc.
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
Re: [Freeipa-users] Search Base issues
For testing I'm using

ldapsearch -LLL -H ldaps://DOMAIN:636 -x -D "cn=directory manager" -w 'nachopassword' -b cn=canlogin,cn=compat,dc=domain,dc=com

If I do it with directory manager it works fine; if I use my automation user (just a generic user with no extra permissions) it returns nothing, no error, just empty space. If I add -v (verbose) I get

ldap_initialize( ldaps://domain.com:636/??base )
filter: (objectclass=*)
requesting: All userApplication attributes

Thanks everyone!

On Tue, Sep 2, 2014 at 3:31 PM, Rob Crittenden rcrit...@redhat.com wrote:
> Chris Whittle wrote:
>> hmmm... Is there not a permission or role in FreeIPA that I could give a group or role just to see everything in my CN cn=canlogin,cn=compat,dc=DOMAIN,dc=com?
>
> Can you provide more details on what you're doing, and how you are binding? Can you search the cn=users,cn=compat,dc=DOMAIN,dc=com tree?
>
> AFAICT you should be able to read cn=compat as long as you bind as a user.
>
> rob
>
>> On Tue, Sep 2, 2014 at 3:06 PM, Dmitri Pal d...@redhat.com wrote:
>>> On 09/02/2014 09:34 PM, Chris Whittle wrote:
>>>> Ok Dmitri, I got it added using what you sent and the following links:
>>>> https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc/sch-getting-started.txt
>>>> https://www.redhat.com/archives/freeipa-users/2009-August/msg00013.html
>>>>
>>>> I think I'm 90% there, with the caveat that I can't seem to see what permissions I need to give a user to view my NIS view. Right now Directory Manager can see it but that is it. Any ideas?
>>>
>>> You got me :-) I would defer to a specialist in this area to solve this problem.
>>>
>>>> On Tue, Sep 2, 2014 at 9:00 AM, Chris Whittle cwhi...@gmail.com wrote:
>>>>> Thanks Dmitri, before I get too far down this rabbit hole (cause it looks a little scary) let me make sure I get it. So using slapi-nis I should be able to create a view into FreeIPA that would show only a subset of users based on something like a group or an attribute? Then using the built-in Mac Directory Utility (or any LDAP client) I should be able to use that slapi-nis view as a searchbase and it would return just the people I wanted. This could be used to keep anyone outside that view from logging in?
>>>>>
>>>>> I'm sorry for the noob questions but there isn't a lot of good documentation on slapi-nis at first glance and I don't want to spend 2 days figuring it out if it's not going to work.
>>>>>
>>>>> As always, extremely appreciated!
>>>>>
>>>>> Whitt
>>>>>
>>>>> On Tue, Sep 2, 2014 at 3:54 AM, Dmitri Pal d...@redhat.com wrote:
>>>>>> On 09/02/2014 03:04 AM, Chris Whittle wrote:
>>>>>>> I am trying to limit who can login to my Macs and I'm having to stick to what OSX will let me do. Currently I can only limit users using the searchbase, and right now it's cn=users,cn=accounts,dc=DOMAIN,dc=com. This works fine unless I wanted to create a user that I wanted in LDAP for other purposes but not to login.
>>>>>>>
>>>>>>> So my questions are,
>>>>>>> A) Can we create different OUs in FreeIPA like most LDAP servers?
>>>>>>
>>>>>> You can use slapi-nis to create an alternative view of the tree or trees and point your special client to that tree. There you might be able to expose a small subset of users that match your special criteria. The slapi-nis and compat docs are in the doc folder in the corresponding git repo. IPA uses the compat tree for its own purposes but you can tweak it if you need or create a different view.
>>>>>>
>>>>>> HTH
>>>>>>
>>>>>>> B) If not, anyone have any idea on how I could do this with OSX's Directory Utility?
>>>>>>> Thanks!
>>>>>>
>>>>>> --
>>>>>> Thank you,
>>>>>> Dmitri Pal
>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>> Red Hat, Inc.
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
Re: [Freeipa-users] Search Base issues
If I do this

ldapsearch -LLL -H ldaps://DOMAIN:636 -x -D uid=mac_slave,cn=users,cn=accounts,dc=domain,dc=com -w 'nachopassword' -b uid=awesomeuser,cn=users,cn=accounts,dc=domain,dc=com

it works fine. **Mac_Slave is my automation user.

On Tue, Sep 2, 2014 at 3:40 PM, Chris Whittle cwhi...@gmail.com wrote:
For testing I'm using

ldapsearch -LLL -H ldaps://DOMAIN:636 -x -D "cn=directory manager" -w 'nachopassword' -b cn=canlogin,cn=compat,dc=domain,dc=com

If I do it with directory manager it works fine; if I use my automation user (just a generic user with no extra permissions) it returns nothing, no error, just empty space. If I add -v (verbose) I get

ldap_initialize( ldaps://domain.com:636/??base )
filter: (objectclass=*)
requesting: All userApplication attributes

Thanks everyone!

On Tue, Sep 2, 2014 at 3:31 PM, Rob Crittenden rcrit...@redhat.com wrote:
Chris Whittle wrote:
hmmm... Is there not a permission or role in freeIPA that I could give a group or role just to see everything in my CN cn=canlogin,cn=compat,dc=DOMAIN,dc=com

Can you provide more details on what you're doing, and how you are binding? Can you search the cn=users,cn=compat,dc=DOMAIN,dc=com tree? AFAICT you should be able to read cn=compat as long as you bind as a user.

rob

On Tue, Sep 2, 2014 at 3:06 PM, Dmitri Pal d...@redhat.com wrote:
On 09/02/2014 09:34 PM, Chris Whittle wrote:
Ok Dmitri, I got it added using what you sent and the following links
https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc/sch-getting-started.txt
and
https://www.redhat.com/archives/freeipa-users/2009-August/msg00013.html
I think I'm 90% there with the caveat that I can't seem to see what permissions I need to give a user to view my NIS view. Right now Directory Manager can see it but that is it. Any ideas?

You got me :-) I would defer to a specialist in this area to solve this problem.

On Tue, Sep 2, 2014 at 9:00 AM, Chris Whittle cwhi...@gmail.com wrote:
Thanks Dimitri, before I get too far down this rabbit hole (cause it looks a little scary) let me make sure I get it. So using Slap-NIS I should be able to create a view into FreeIPA that would show only a subset of users based on something like a group or an attribute? Then using the built in MAC Directory Utility (or any LDAP client) I should be able to use that Slap-NIS view as a searchbase and it would return just the people I wanted. This could be used to keep anyone outside that view from logging in?

I'm sorry for the noob questions but there isn't a lot of good documentation on SlapNIS from first glance and I don't want to spend 2 days figuring it out if it's not going to work.

As always extremely appreciated!
Whitt

On Tue, Sep 2, 2014 at 3:54 AM, Dmitri Pal d...@redhat.com wrote:
On 09/02/2014 03:04 AM, Chris Whittle wrote:
I am trying to limit who can login to my macs and I'm having to stick to what OSX will let me do. Currently I can only limit users using the searchbase and right now it's cn=users,cn=accounts,dc=DOMAIN,dc=com. This works fine unless I wanted to create a user that I wanted in LDAP for other purposes but not to login.

So my questions are,
A) Can we create different OUs in FreeIPA like most LDAP servers?

You can use slapi-nis to create an alternative view of the tree or trees and point your special client to that tree. There you might be able to expose a small subset of users that match your special criteria. The slapi-nis and compat docs are in the doc folder in the corresponding git repo. IPA uses the compat tree for its own purposes but you can tweak it if you need or create a different view.
HTH

B) If not, anyone have any idea on how I could do this with OSX's Directory Utility?

Thanks!

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
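The symptom in this thread (Directory Manager sees the compat view, a plain bind gets an empty result with no error) is a read-ACI question, not a slapi-nis one, and it is easier to reason about once you have two numbers side by side. The following POSIX shell script is an added example and not code from the thread or from the FreeIPA project; the server URI, the cn=canlogin base, the bind DNs and the password files are placeholders to adjust for your domain.

```sh
#!/bin/sh
# Added example (not from the thread): compare what Directory Manager and a
# plain user can see under a slapi-nis/compat view.  The URI, search base,
# bind DNs and password files are placeholders; adjust them for your domain.

IPA_URI=${IPA_URI:-ldaps://ipa.example.com:636}
COMPAT_BASE=${COMPAT_BASE:-cn=canlogin,cn=compat,dc=example,dc=com}
DM_DN="cn=Directory Manager"
USER_DN="uid=mac_slave,cn=users,cn=accounts,dc=example,dc=com"

# Count entries in LDIF read from stdin; ldapsearch -LLL prints exactly one
# "dn:" line per returned entry, so this is the number of visible entries.
count_entries() {
    grep -c '^dn:' || true
}

# Search $3 (base) bound as $1 with the password in file $2 (-y keeps the
# password out of `ps`, unlike -w) and print how many entries come back.
# -s one lists only the direct children, which is what a login client does.
visible_entries() {
    ldapsearch -LLL -x -H "$IPA_URI" -D "$1" -y "$2" -b "$3" -s one \
        '(objectClass=*)' dn 2>/dev/null | count_entries
}

# Turn the two counts (privileged bind, unprivileged bind) into a verdict.
diagnose() {
    dm=$1; user=$2
    if [ "$dm" -eq 0 ]; then
        echo "empty-view"          # slapi-nis config problem, not an ACI problem
    elif [ "$user" -eq 0 ]; then
        echo "hidden-from-user"    # view exists but the user lacks a read ACI on it
    elif [ "$user" -lt "$dm" ]; then
        echo "partial-for-user"    # some entries are ACI-filtered for the user
    else
        echo "ok"
    fi
}

# Live comparison against the real server (needs the two password files).
compare_visibility() {
    dm_count=$(visible_entries "$DM_DN" "${DM_PASSFILE:-/root/.dm-pass}" "$COMPAT_BASE")
    user_count=$(visible_entries "$USER_DN" "${USER_PASSFILE:-/root/.mac_slave-pass}" "$COMPAT_BASE")
    echo "directory manager sees $dm_count, $USER_DN sees $user_count: $(diagnose "$dm_count" "$user_count")"
}

if [ "${1:-}" = --live ]; then compare_visibility; fi
```

Run it with `--live` on a host that can reach the server; "hidden-from-user" is the state described above and means the fix belongs in the ACIs on the compat subtree, whereas "empty-view" means the slapi-nis view itself is not producing entries and no permission change will help.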
[Freeipa-users] Search Base issues
I am trying to limit who can login to my macs and I'm having to stick to what OSX will let me do. Currently I can only limit users using the searchbase and right now it's cn=users,cn=accounts,dc=DOMAIN,dc=com. This works fine unless I wanted to create a user that I wanted in LDAP for other purposes but not to login.

So my questions are,
A) Can we create different OUs in FreeIPA like most LDAP servers?
B) If not, anyone have any idea on how I could do this with OSX's Directory Utility?

Thanks!
[Freeipa-users] Disable Password Policy?
We are going to use a SSO provider like OneLogin to enforce a password policy; how can we disable FreeIPA from doing it also?
Re: [Freeipa-users] Fedora Core IPTables or FirewallID?
Here is what I found that seems to work, from http://adam.younglogic.com/2013/04/firewall-d-for-freeipa/
It only has to be run once...

cat << EOD > /etc/firewalld/services/kerberos.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>kerberos</short>
  <description>Kerberos</description>
  <port protocol="tcp" port="88"/>
  <port protocol="udp" port="88"/>
</service>
EOD

cat << EOD > /etc/firewalld/services/kpasswd.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>kpasswd</short>
  <description>kpasswd</description>
  <port protocol="tcp" port="464"/>
  <port protocol="udp" port="464"/>
</service>
EOD

cat << EOD > /etc/firewalld/services/ldap.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>ldap</short>
  <description>Lightweight Directory Access Protocol</description>
  <port protocol="tcp" port="389"/>
</service>
EOD

cat << EOD > /etc/firewalld/services/ldaps.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>ldaps</short>
  <description>Lightweight Directory Access Protocol over SSL</description>
  <port protocol="tcp" port="636"/>
</service>
EOD

firewall-cmd --permanent --zone=public --add-service=dns
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --permanent --zone=public --add-service=kerberos
firewall-cmd --permanent --zone=public --add-service=kpasswd
firewall-cmd --permanent --zone=public --add-service=ldap
firewall-cmd --permanent --zone=public --add-service=ldaps
firewall-cmd --permanent --zone=public --add-service=ntp
firewall-cmd --reload

On Tue, Aug 26, 2014 at 9:22 AM, Mark Heslin mhes...@redhat.com wrote:
Hi Chris,

Take a look at the attached snippet - it will walk you through configuring firewalld with named chains on RHEL 7. You don't have to use named chains but it makes managing multiple chains cleaner. Do make sure you 'mask' iptables - only using 'disable' can still cause conflicts in some circumstances.

This is extracted from the recently published reference architecture "Integrating OpenShift Enterprise with IdM in RHEL 7": https://access.redhat.com/articles/1155603 (The redhat.com links are not yet in place). The context here was for an IdM server but I also used the same approach for the IdM replica and RHEL 7 clients.

hth,
-m

On 08/25/2014 10:22 PM, Chris Whittle wrote:
I've got my server up and running great with one exception: every time I reboot I have to login and flush the iptables or nothing can connect. I've found a ton of fixes and none seem to work. I'm on FC20, does anyone have experience with it and wouldn't mind helping?

--
Red Hat Reference Architectures
Follow Us: https://twitter.com/RedHatRefArch
Plus Us: https://plus.google.com/u/0/b/114152126783830728030/
Like Us: https://www.facebook.com/rhrefarch
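Two things go wrong in practice after the setup above: a service is missing from the zone, or iptables is still able to start after a reboot and clobbers the firewalld rules (Mark's "mask, don't just disable" point). The following POSIX shell script is an added example, not code from the thread, the blog post or the FreeIPA project; the service list mirrors the firewall-cmd calls above and the live check assumes root on a host running firewalld.

```sh
#!/bin/sh
# Added example (not from the thread): check that the firewalld public zone
# exposes every service an IPA server needs and that the iptables unit is
# masked, per Mark's advice that "disable" alone can still conflict.
# The service set mirrors the firewall-cmd --add-service calls above.

IPA_SERVICES="dns http https kerberos kpasswd ldap ldaps ntp"

# Read the output of `firewall-cmd --zone=public --list-services` (one
# space-separated line) from stdin and print each IPA service not in it.
missing_services() {
    enabled=$(cat)
    for svc in $IPA_SERVICES; do
        case " $enabled " in
            *" $svc "*) ;;                 # present
            *) printf '%s\n' "$svc" ;;     # missing
        esac
    done
}

# Read the output of `systemctl is-enabled iptables` from stdin and report
# "ok" only when the unit is masked (or does not exist at all, in which case
# systemctl prints nothing on stdout).  Any other state can be started again
# later and would clobber the firewalld rule set.
iptables_state() {
    state=$(cat)
    case "$state" in
        ''|masked|masked-runtime) echo ok ;;
        *) echo conflict ;;
    esac
}

# Live check against the running host (root + firewalld required).
check_firewall() {
    rc=0
    missing=$(firewall-cmd --zone=public --list-services | missing_services)
    if [ -n "$missing" ]; then
        echo "firewalld public zone is missing:" $missing
        rc=1
    fi
    if [ "$(systemctl is-enabled iptables 2>/dev/null | iptables_state)" != ok ]; then
        echo "iptables is not masked; run: systemctl mask iptables"
        rc=1
    fi
    return $rc
}

if [ "${1:-}" = --live ]; then check_firewall; fi
```

Run it with `--live` after the `firewall-cmd --reload`; a non-zero exit means the host will lose its IPA ports on the next reboot for one of the two reasons printed.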
[Freeipa-users] Create a non-user
So I have a user called mac_slave that is used to verify whether a user is active or not and also used to bind a mac laptop to freeipa's ldap. What I want to do is limit what that user can do and see; for example I want to keep them from logging in to my macs (I think I can do that by moving them outside the users group but don't know how to do that in freeipa). I also want to limit what they can see... basically all I want them to see is the uid and the nsaccountlock attribute. Any ideas on these?
Re: [Freeipa-users] Installing a new Cert
This actually died after restart so I ended up starting over... So here is the process I did that looks like it works and also survives restart.

Step 1 - Before install: http://stackoverflow.com/questions/23374894/mod-nss-with-apache-public-certificate-issue?noredirect=1#comment36504881_23374894 -- start at "Convert crt file in PEM format" and do that whole section completely.

Step 2 - Install IPA server using the p12 file from before and also the intermediate.crt from your provider (I'm not sure why this isn't documented anywhere but I found it in my searches):

ipa-server-install --http_pkcs12 DOMAIN.COM.p12 --dirsrv_pkcs12 collectivebias.com.p12 --root-ca-file intermediate.crt

Step 3 - re-add certs (for some reason I don't know but it's needed) (from http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP):

ipa-server-certinstall -w --http_pin=PKPASSWORD DOMAIN.COM.p12
ipa-server-certinstall -d --dirsrv_pin=PKPASSWORD DOMAIN.COM.p12

Step 4 - reboot

Step 5 - You can dance if you wanna...

On Mon, Aug 25, 2014 at 2:02 PM, Chris Whittle cwhi...@gmail.com wrote:
I spoke a little too soon... It's working fine (browser is using new cert and also ldaps is using the new cert) except when you go to the certs page on the ui: https://DOMAIN/ipa/ui/#/e/cert/search

An error has occurred (IPA Error 4301: CertificateOperationError)
Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)

On Mon, Aug 25, 2014 at 1:34 PM, Chris Whittle cwhi...@gmail.com wrote:
ok I think I got it again... If anyone is looking for this here is the answer that worked for me. Here are the steps:
1. http://stackoverflow.com/questions/23374894/mod-nss-with-apache-public-certificate-issue?noredirect=1#comment36504881_23374894 -- start at "Convert crt file in PEM format" and do that whole section completely
2. Then with the p12 from above you can do this (skip the line about generating a new one): http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
   If you run across the error "/etc/ipa/ca.crt contains more than one certificate" you will need to go into /etc/ipa/ca.crt, back it up and then try removing one of the certs and try ipa-server-certinstall from above again (if it doesn't work revert ca.crt to the original and then remove the other)
3. Then restart both instances (bottom of the freeipa link) and you should be good to go.

On Mon, Aug 25, 2014 at 8:45 AM, Chris Whittle cwhi...@gmail.com wrote:
I found this but I think it's just IPA certs? http://www.freeipa.org/page/V4/CA_certificate_renewal
Basically I want to use my existing wildcard cert for https and ldaps... I did this on my 3.3 install on CentOS but now I'm on a 4 install on Fedora Core. Any help would be more than appreciated! Thanks!

On Mon, Aug 25, 2014 at 6:24 AM, Chris Whittle cwhi...@gmail.com wrote:
I have 4 installed and I get it when I try to generate the pk12

On Aug 25, 2014 3:50 AM, Jan Cholasta jchol...@redhat.com wrote:
Hi,

On 25.8.2014 at 03:04, Chris Whittle wrote:
Trying to do this http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
And I keep getting "Error unable to get local issuer certificate getting chain."

Where are you getting this error? ipa-server-certinstall, or httpd, or somewhere else? What version of ipa do you have installed?

I'm wondering if it's because of this from the doc "The certificate in mysite.crt must be signed by the CA used when installing FreeIPA." but it might not either...

In this case you should get a "file.p12 is not signed by /etc/ipa/ca.crt, or the full certificate chain is not present in the PKCS#12 file" error in ipa-server-certinstall.

Any ideas?

Honza

--
Jan Cholasta
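Both failures in this thread are detectable before touching the server: Jan's "not signed by /etc/ipa/ca.crt, or the full certificate chain is not present in the PKCS#12 file" comes from a p12 that carries only the leaf, and the "/etc/ipa/ca.crt contains more than one certificate" error comes from a CA file with extra entries. The following POSIX shell script is an added example, not code from the thread or from the FreeIPA project; the p12 name, the password file and the CA bundle path are placeholders, and `openssl verify -partial_chain` assumes OpenSSL 1.0.2 or newer.

```sh
#!/bin/sh
# Added example (not from the thread): pre-flight checks before running
# ipa-server-certinstall, aimed at the two failures discussed above: a
# PKCS#12 file without the full chain and /etc/ipa/ca.crt holding more than
# one certificate.  File names and the password file are placeholders.

# Count PEM certificate blocks in text read from stdin.
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' || true
}

# Number of certificates (leaf plus any intermediates) bundled in a PKCS#12
# file ($1).  The password comes from file $2 so it never appears in `ps`.
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "file:$2" 2>/dev/null | count_pem_certs
}

# Does the leaf in PKCS#12 file $1 (password file $2) chain up to the CA
# bundle $3?  -partial_chain (OpenSSL >= 1.0.2) lets the bundle be an
# intermediate rather than a self-signed root, as in the thread.
p12_chain_verifies() {
    leaf=$(mktemp) || return 1
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "file:$2" 2>/dev/null > "$leaf"
    openssl verify -partial_chain -CAfile "$3" "$leaf" > /dev/null 2>&1
    rc=$?
    rm -f "$leaf"
    return $rc
}

# Verdict from two counts: $1 certificates in the p12, $2 certificates in
# /etc/ipa/ca.crt.  certinstall wants the chain inside the p12 and exactly
# one certificate in ca.crt.
preflight_verdict() {
    if [ "$1" -lt 2 ]; then
        echo "missing-chain"        # re-export: openssl pkcs12 -export ... -certfile intermediate.crt
    elif [ "$2" -ne 1 ]; then
        echo "ca-crt-not-single"    # back up /etc/ipa/ca.crt before trimming it
    else
        echo "ok"
    fi
}

# Live run: preflight DOMAIN.p12 passfile [/etc/ipa/ca.crt]
preflight() {
    p12=$1; passfile=$2; ca_crt=${3:-/etc/ipa/ca.crt}
    verdict=$(preflight_verdict "$(p12_cert_count "$p12" "$passfile")" \
                                "$(count_pem_certs < "$ca_crt")")
    if [ "$verdict" = ok ] && ! p12_chain_verifies "$p12" "$passfile" "$ca_crt"; then
        verdict="leaf-not-signed-by-ca"
    fi
    echo "$verdict"
}

if [ "${1:-}" = --live ]; then shift; preflight "$@"; fi
```

Run it as `sh preflight.sh --live DOMAIN.COM.p12 /root/.pkcs12-pass` before step 3 above; anything other than "ok" names the input to fix, which is cheaper than iterating on certinstall and restarts.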
Re: [Freeipa-users] Installing a new Cert
I have 4 installed and I get it when I try to generate the pk12

On Aug 25, 2014 3:50 AM, Jan Cholasta jchol...@redhat.com wrote:
Hi,

On 25.8.2014 at 03:04, Chris Whittle wrote:
Trying to do this http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
And I keep getting "Error unable to get local issuer certificate getting chain."

Where are you getting this error? ipa-server-certinstall, or httpd, or somewhere else? What version of ipa do you have installed?

I'm wondering if it's because of this from the doc "The certificate in mysite.crt must be signed by the CA used when installing FreeIPA." but it might not either...

In this case you should get a "file.p12 is not signed by /etc/ipa/ca.crt, or the full certificate chain is not present in the PKCS#12 file" error in ipa-server-certinstall.

Any ideas?

Honza

--
Jan Cholasta
Re: [Freeipa-users] Installing a new Cert
I found this but I think it's just IPA certs? http://www.freeipa.org/page/V4/CA_certificate_renewal
Basically I want to use my existing wildcard cert for https and ldaps... I did this on my 3.3 install on CentOS but now I'm on a 4 install on Fedora Core. Any help would be more than appreciated! Thanks!

On Mon, Aug 25, 2014 at 6:24 AM, Chris Whittle cwhi...@gmail.com wrote:
I have 4 installed and I get it when I try to generate the pk12

On Aug 25, 2014 3:50 AM, Jan Cholasta jchol...@redhat.com wrote:
Hi,

On 25.8.2014 at 03:04, Chris Whittle wrote:
Trying to do this http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
And I keep getting "Error unable to get local issuer certificate getting chain."

Where are you getting this error? ipa-server-certinstall, or httpd, or somewhere else? What version of ipa do you have installed?

I'm wondering if it's because of this from the doc "The certificate in mysite.crt must be signed by the CA used when installing FreeIPA." but it might not either...

In this case you should get a "file.p12 is not signed by /etc/ipa/ca.crt, or the full certificate chain is not present in the PKCS#12 file" error in ipa-server-certinstall.

Any ideas?

Honza

--
Jan Cholasta
Re: [Freeipa-users] Installing a new Cert
ok I think I got it again... If anyone is looking for this here is the answer that worked for me. Here are the steps:
1. http://stackoverflow.com/questions/23374894/mod-nss-with-apache-public-certificate-issue?noredirect=1#comment36504881_23374894 -- start at "Convert crt file in PEM format" and do that whole section completely
2. Then with the p12 from above you can do this (skip the line about generating a new one): http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
   If you run across the error "/etc/ipa/ca.crt contains more than one certificate" you will need to go into /etc/ipa/ca.crt, back it up and then try removing one of the certs and try ipa-server-certinstall from above again (if it doesn't work revert ca.crt to the original and then remove the other)
3. Then restart both instances (bottom of the freeipa link) and you should be good to go.

On Mon, Aug 25, 2014 at 8:45 AM, Chris Whittle cwhi...@gmail.com wrote:
I found this but I think it's just IPA certs? http://www.freeipa.org/page/V4/CA_certificate_renewal
Basically I want to use my existing wildcard cert for https and ldaps... I did this on my 3.3 install on CentOS but now I'm on a 4 install on Fedora Core. Any help would be more than appreciated! Thanks!

On Mon, Aug 25, 2014 at 6:24 AM, Chris Whittle cwhi...@gmail.com wrote:
I have 4 installed and I get it when I try to generate the pk12

On Aug 25, 2014 3:50 AM, Jan Cholasta jchol...@redhat.com wrote:
Hi,

On 25.8.2014 at 03:04, Chris Whittle wrote:
Trying to do this http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
And I keep getting "Error unable to get local issuer certificate getting chain."

Where are you getting this error? ipa-server-certinstall, or httpd, or somewhere else? What version of ipa do you have installed?

I'm wondering if it's because of this from the doc "The certificate in mysite.crt must be signed by the CA used when installing FreeIPA." but it might not either...

In this case you should get a "file.p12 is not signed by /etc/ipa/ca.crt, or the full certificate chain is not present in the PKCS#12 file" error in ipa-server-certinstall.

Any ideas?

Honza

--
Jan Cholasta
Re: [Freeipa-users] Installing a new Cert
I spoke a little too soon... It's working fine (browser is using new cert and also ldaps is using the new cert) except when you go to the certs page on the ui: https://DOMAIN/ipa/ui/#/e/cert/search

An error has occurred (IPA Error 4301: CertificateOperationError)
Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)

On Mon, Aug 25, 2014 at 1:34 PM, Chris Whittle cwhi...@gmail.com wrote:
ok I think I got it again... If anyone is looking for this here is the answer that worked for me. Here are the steps:
1. http://stackoverflow.com/questions/23374894/mod-nss-with-apache-public-certificate-issue?noredirect=1#comment36504881_23374894 -- start at "Convert crt file in PEM format" and do that whole section completely
2. Then with the p12 from above you can do this (skip the line about generating a new one): http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
   If you run across the error "/etc/ipa/ca.crt contains more than one certificate" you will need to go into /etc/ipa/ca.crt, back it up and then try removing one of the certs and try ipa-server-certinstall from above again (if it doesn't work revert ca.crt to the original and then remove the other)
3. Then restart both instances (bottom of the freeipa link) and you should be good to go.

On Mon, Aug 25, 2014 at 8:45 AM, Chris Whittle cwhi...@gmail.com wrote:
I found this but I think it's just IPA certs? http://www.freeipa.org/page/V4/CA_certificate_renewal
Basically I want to use my existing wildcard cert for https and ldaps... I did this on my 3.3 install on CentOS but now I'm on a 4 install on Fedora Core. Any help would be more than appreciated! Thanks!

On Mon, Aug 25, 2014 at 6:24 AM, Chris Whittle cwhi...@gmail.com wrote:
I have 4 installed and I get it when I try to generate the pk12

On Aug 25, 2014 3:50 AM, Jan Cholasta jchol...@redhat.com wrote:
Hi,

On 25.8.2014 at 03:04, Chris Whittle wrote:
Trying to do this http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
And I keep getting "Error unable to get local issuer certificate getting chain."

Where are you getting this error? ipa-server-certinstall, or httpd, or somewhere else? What version of ipa do you have installed?

I'm wondering if it's because of this from the doc "The certificate in mysite.crt must be signed by the CA used when installing FreeIPA." but it might not either...

In this case you should get a "file.p12 is not signed by /etc/ipa/ca.crt, or the full certificate chain is not present in the PKCS#12 file" error in ipa-server-certinstall.

Any ideas?

Honza

--
Jan Cholasta
[Freeipa-users] Fedora Core IPTables or FirewallID?
I've got my server up and running great with one exception: every time I reboot I have to login and flush the iptables or nothing can connect. I've found a ton of fixes and none seem to work. I'm on FC20, does anyone have experience with it and wouldn't mind helping?
[Freeipa-users] Installing a new Cert
Trying to do this http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
And I keep getting "Error unable to get local issuer certificate getting chain."

I'm wondering if it's because of this from the doc "The certificate in mysite.crt must be signed by the CA used when installing FreeIPA." but it might not either...

Any ideas?
Re: [Freeipa-users] Centos 7 and 4.0
Thanks, I was following the instructions

On Aug 22, 2014 11:18 PM, James purplei...@gmail.com wrote:
On Sat, Aug 23, 2014 at 12:13 AM, Chris Whittle cwhi...@gmail.com wrote:
I'm trying to install the repo from https://copr.fedoraproject.org/coprs/pviktori/freeipa/ and when I go to install I get

yum install freeipa-server
Loaded plugins: fastestmirror, langpacks
Repository pviktori-freeipa is listed more than once in the configuration
http://copr-be.cloud.fedoraproject.org/results/pviktori/freeipa/fedora-7-x86_64/repodata/repomd.xml : [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
Loading mirror speeds from cached hostfile
 * base: mirror-centos.hostingswift.com
 * extras: centos.host-engine.com
 * updates: centos.arvixe.com
No package freeipa-server available.
Error: Nothing to do

Am I missing something? I remember that there was a thread about Centos 7 and FreeIPA 4 but for the life of me I can't find it.
Thanks

Just a guess but it's probably called ipa-server. You can use yum search too. Eg: 'yum search freeipa' to find it.

Cheers,
James
Re: [Freeipa-users] Centos 7 and 4.0
ipa-server does work but only for 3.3.3; I'm wanting 4

On Sat, Aug 23, 2014 at 7:16 AM, Chris Whittle cwhi...@gmail.com wrote:
Thanks, I was following the instructions

On Aug 22, 2014 11:18 PM, James purplei...@gmail.com wrote:
On Sat, Aug 23, 2014 at 12:13 AM, Chris Whittle cwhi...@gmail.com wrote:
I'm trying to install the repo from https://copr.fedoraproject.org/coprs/pviktori/freeipa/ and when I go to install I get

yum install freeipa-server
Loaded plugins: fastestmirror, langpacks
Repository pviktori-freeipa is listed more than once in the configuration
http://copr-be.cloud.fedoraproject.org/results/pviktori/freeipa/fedora-7-x86_64/repodata/repomd.xml : [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
Loading mirror speeds from cached hostfile
 * base: mirror-centos.hostingswift.com
 * extras: centos.host-engine.com
 * updates: centos.arvixe.com
No package freeipa-server available.
Error: Nothing to do

Am I missing something? I remember that there was a thread about Centos 7 and FreeIPA 4 but for the life of me I can't find it.
Thanks

Just a guess but it's probably called ipa-server. You can use yum search too. Eg: 'yum search freeipa' to find it.

Cheers,
James
Re: [Freeipa-users] Centos 7 and 4.0
Thanks Dmitri, I'm going to sound like a noob for a second but how do I add that repo? I added a repo called pviktori-epel-7 to /etc/yum.repos.d with the following info:

[pviktori-epel-7]
name=pviktori for RHEL/ CentOS $releasever - $basearch
baseurl=http://copr-be.cloud.fedoraproject.org/results/pviktori/freeipa/epel-7-x86_64/
enabled=1

And then ran:

[root@xavier yum.repos.d]# yum install freeipa-server
Loaded plugins: fastestmirror, langpacks
base | 3.6 kB 00:00
extras | 3.3 kB 00:00
pviktori-epel-7 | 3.0 kB 00:00
updates | 3.4 kB 00:00
pviktori-epel-7/primary_db | 1.4 kB 00:00
Loading mirror speeds from cached hostfile
 * base: mirror-centos.hostingswift.com
 * extras: centos.host-engine.com
 * updates: centos.arvixe.com
No package freeipa-server available.
Error: Nothing to do

I then tried

[root@xavier yum.repos.d]# yum install ipa-server

and just got the 3.3 stuff... I'm so close, I can taste it. Thanks for all your help

On Sat, Aug 23, 2014 at 8:23 AM, Dmitri Pal d...@redhat.com wrote:
On 08/23/2014 02:22 PM, Chris Whittle wrote:
ipa-server does work but only for 3.3.3; I'm wanting 4

Try the epel repo http://copr-be.cloud.fedoraproject.org/results/pviktori/freeipa/epel-7-x86_64/

On Sat, Aug 23, 2014 at 7:16 AM, Chris Whittle cwhi...@gmail.com wrote:
Thanks, I was following the instructions

On Aug 22, 2014 11:18 PM, James purplei...@gmail.com wrote:
On Sat, Aug 23, 2014 at 12:13 AM, Chris Whittle cwhi...@gmail.com wrote:
I'm trying to install the repo from https://copr.fedoraproject.org/coprs/pviktori/freeipa/ and when I go to install I get

yum install freeipa-server
Loaded plugins: fastestmirror, langpacks
Repository pviktori-freeipa is listed more than once in the configuration
http://copr-be.cloud.fedoraproject.org/results/pviktori/freeipa/fedora-7-x86_64/repodata/repomd.xml : [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
Loading mirror speeds from cached hostfile
 * base: mirror-centos.hostingswift.com
 * extras: centos.host-engine.com
 * updates: centos.arvixe.com
No package freeipa-server available.
Error: Nothing to do

Am I missing something? I remember that there was a thread about Centos 7 and FreeIPA 4 but for the life of me I can't find it.
Thanks

Just a guess but it's probably called ipa-server. You can use yum search too. Eg: 'yum search freeipa' to find it.

Cheers,
James

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Centos 7 and 4.0
Thanks Kat, so what do I need to do? I have a brand new Centos 7 Server and I am itchy to install FreeIPA 4... Thanks!

On Aug 23, 2014 2:44 PM, Kat uncommon...@gmail.com wrote:
If you look closely, the epel-7 repo is actually empty. There are no packages there. So there are no packages to actually install. Only the fedora repos in that same tree have packages.

~K

On 8/23/14 12:29 PM, Dmitri Pal wrote:
On 08/23/2014 08:33 PM, Chris Whittle wrote:
Thanks Dmitri, I'm going to sound like a noob for a second but how do I add that repo? I added a repo called pviktori-epel-7 to /etc/yum.repos.d with the following info:

Sorry this is beyond my skill set. I would leave it for some more experienced people to answer. Lukas mentioned in other mail that epel might not work. May be best would be to wait till Monday and ping people on #freeipa on freenode.net

[pviktori-epel-7]
name=pviktori for RHEL/ CentOS $releasever - $basearch
baseurl=http://copr-be.cloud.fedoraproject.org/results/pviktori/freeipa/epel-7-x86_64/
enabled=1

And then ran:

[root@xavier yum.repos.d]# yum install freeipa-server
Loaded plugins: fastestmirror, langpacks
base | 3.6 kB 00:00
extras | 3.3 kB 00:00
pviktori-epel-7 | 3.0 kB 00:00
updates | 3.4 kB 00:00
pviktori-epel-7/primary_db | 1.4 kB 00:00
Loading mirror speeds from cached hostfile
 * base: mirror-centos.hostingswift.com
 * extras: centos.host-engine.com
 * updates: centos.arvixe.com
No package freeipa-server available.
Error: Nothing to do

I then tried

[root@xavier yum.repos.d]# yum install ipa-server

and just got the 3.3 stuff... I'm so close, I can taste it. Thanks for all your help

On Sat, Aug 23, 2014 at 8:23 AM, Dmitri Pal d...@redhat.com wrote:
On 08/23/2014 02:22 PM, Chris Whittle wrote:
ipa-server does work but only for 3.3.3; I'm wanting 4

Try the epel repo http://copr-be.cloud.fedoraproject.org/results/pviktori/freeipa/epel-7-x86_64/

On Sat, Aug 23, 2014 at 7:16 AM, Chris Whittle cwhi...@gmail.com wrote:
Thanks, I was following the instructions

On Aug 22, 2014 11:18 PM, James purplei...@gmail.com wrote:
On Sat, Aug 23, 2014 at 12:13 AM, Chris Whittle cwhi...@gmail.com wrote:
I'm trying to install the repo from https://copr.fedoraproject.org/coprs/pviktori/freeipa/ and when I go to install I get

yum install freeipa-server
Loaded plugins: fastestmirror, langpacks
Repository pviktori-freeipa is listed more than once in the configuration
http://copr-be.cloud.fedoraproject.org/results/pviktori/freeipa/fedora-7-x86_64/repodata/repomd.xml : [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
Loading mirror speeds from cached hostfile
 * base: mirror-centos.hostingswift.com
 * extras: centos.host-engine.com
 * updates: centos.arvixe.com
No package freeipa-server available.
Error: Nothing to do

Am I missing something? I remember that there was a thread about Centos 7 and FreeIPA 4 but for the life of me I can't find it.
Thanks

Just a guess but it's probably called ipa-server. You can use yum search too. Eg: 'yum search freeipa' to find it.

Cheers,
James

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Centos 7 and 4.0
Thanks Kat

On Aug 23, 2014 3:36 PM, Kat uncommon...@gmail.com wrote:
I am working on the same thing - specifically I have found the libnl dependencies to be the biggest headache. If I get anywhere over the weekend, I will let you all know.

~K

On 8/23/14 12:51 PM, Dmitri Pal wrote:
On 08/23/2014 09:46 PM, Chris Whittle wrote:
Thanks Kat, so what do I need to do? I have a brand new Centos 7 Server and I am itchy to install FreeIPA 4...

I suspect there are only two options:
1. Wait for project developers to produce a build for CentOS 7
2. Try to do it yourself by building all packages needed. That would include a lot of dependencies that would need to be built.
We will see what can we do on 1) on Monday but it would not be instantaneous.

Thanks!

On Aug 23, 2014 2:44 PM, Kat uncommon...@gmail.com wrote:
If you look closely, the epel-7 repo is actually empty. There are no packages there. So there are no packages to actually install. Only the fedora repos in that same tree have packages.

~K

On 8/23/14 12:29 PM, Dmitri Pal wrote:
On 08/23/2014 08:33 PM, Chris Whittle wrote:
Thanks Dmitri, I'm going to sound like a noob for a second but how do I add that repo? I added a repo called pviktori-epel-7 to /etc/yum.repos.d with the following info:

Sorry this is beyond my skill set. I would leave it for some more experienced people to answer. Lukas mentioned in other mail that epel might not work. May be best would be to wait till Monday and ping people on #freeipa on freenode.net

[pviktori-epel-7]
name=pviktori for RHEL/ CentOS $releasever - $basearch
baseurl=http://copr-be.cloud.fedoraproject.org/results/pviktori/freeipa/epel-7-x86_64/
enabled=1

And then ran:

[root@xavier yum.repos.d]# yum install freeipa-server
Loaded plugins: fastestmirror, langpacks
base | 3.6 kB 00:00
extras | 3.3 kB 00:00
pviktori-epel-7 | 3.0 kB 00:00
updates | 3.4 kB 00:00
pviktori-epel-7/primary_db | 1.4 kB 00:00
Loading mirror speeds from cached hostfile
 * base: mirror-centos.hostingswift.com
 * extras: centos.host-engine.com
 * updates: centos.arvixe.com
No package freeipa-server available.
Error: Nothing to do

I then tried

[root@xavier yum.repos.d]# yum install ipa-server

and just got the 3.3 stuff... I'm so close, I can taste it. Thanks for all your help

On Sat, Aug 23, 2014 at 8:23 AM, Dmitri Pal d...@redhat.com wrote:
On 08/23/2014 02:22 PM, Chris Whittle wrote:
ipa-server does work but only for 3.3.3; I'm wanting 4

Try the epel repo http://copr-be.cloud.fedoraproject.org/results/pviktori/freeipa/epel-7-x86_64/

On Sat, Aug 23, 2014 at 7:16 AM, Chris Whittle cwhi...@gmail.com wrote:
Thanks, I was following the instructions

On Aug 22, 2014 11:18 PM, James purplei...@gmail.com wrote:
On Sat, Aug 23, 2014 at 12:13 AM, Chris Whittle cwhi...@gmail.com wrote:
I'm trying to install the repo from https://copr.fedoraproject.org/coprs/pviktori/freeipa/ and when I go to install I get

yum install freeipa-server
Loaded plugins: fastestmirror, langpacks
Repository pviktori-freeipa is listed more than once in the configuration
http://copr-be.cloud.fedoraproject.org/results/pviktori/freeipa/fedora-7-x86_64/repodata/repomd.xml : [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
Loading mirror speeds from cached hostfile
 * base: mirror-centos.hostingswift.com
 * extras: centos.host-engine.com
 * updates: centos.arvixe.com
No package freeipa-server available.
Error: Nothing to do

Am I missing something? I remember that there was a thread about Centos 7 and FreeIPA 4 but for the life of me I can't find it.
Thanks

Just a guess but it's probably called ipa-server. You can use yum search too. Eg: 'yum search freeipa' to find it.

Cheers,
James

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Centos 7 and 4.0
I gave up and just installed Fedora... Looks like once my provider opens my ports I'm going to be good... One last question: is the UI url the same from 3.3 to 4?

On Sat, Aug 23, 2014 at 3:48 PM, Dmitri Pal d...@redhat.com wrote:

On 08/23/2014 10:32 PM, Kat wrote:

I am working on the same thing - specifically I have found the libnl dependencies to be the biggest headache. If I get anywhere over the weekend, I will let you all know.

do not forget about sssd, samba, certmonger, ding-libs; not all dependencies are yet polished in all distros.

~K

On 8/23/14 12:51 PM, Dmitri Pal wrote:

[...]

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Install FreeIPA 4 on ubuntu
Thanks Timo, so Fedora is really the only one it's supported on for now?

On Wed, Aug 20, 2014 at 11:55 PM, Timo Aaltonen tjaal...@ubuntu.com wrote:

On 21.08.2014 04:27, Chris Whittle wrote:

Are there instructions anywhere? My FreeIPA 3 on CentOS died so I'm starting over

there is no server for ubuntu/debian yet

--
t
Re: [Freeipa-users] Install FreeIPA 4 on ubuntu
But just Centos 7 right?

On Fri, Aug 22, 2014 at 10:19 AM, Timo Aaltonen tjaal...@ubuntu.com wrote:

On 22.08.2014 18:16, Chris Whittle wrote:

Thanks Timo, so Fedora is really the only one it's supported on for now?

Fedora/RHEL/Centos etc, yes. Maybe by x-mas we'll have something in Debian unstable working.

--
t
[Freeipa-users] Centos 7 and 4.0
I'm trying to install the repo from https://copr.fedoraproject.org/coprs/pviktori/freeipa/ and when I go to install I get

yum install freeipa-server
Loaded plugins: fastestmirror, langpacks
Repository pviktori-freeipa is listed more than once in the configuration
http://copr-be.cloud.fedoraproject.org/results/pviktori/freeipa/fedora-7-x86_64/repodata/repomd.xml: [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
Loading mirror speeds from cached hostfile
 * base: mirror-centos.hostingswift.com
 * extras: centos.host-engine.com
 * updates: centos.arvixe.com
No package freeipa-server available.
Error: Nothing to do

Am I missing something? I remember that there was a thread about Centos 7 and FreeIPA 4 but for the life of me I can't find it.

Thanks
Re: [Freeipa-users] FreeIP just stopped starting
What is the best way to determine the version?

On Wed, Aug 20, 2014 at 2:29 AM, Martin Kosek mko...@redhat.com wrote:

On 08/19/2014 11:08 PM, Chris Whittle wrote:

Here is what I get if I try to start it manually... Any ideas?

[root@itservices /]# /usr/sbin/ipactl start
[...]
Starting CA Service
Starting pki-ca: [ OK ]
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
[...]
Failed to start CA Service
Shutting down
Stopping Kerberos 5 KDC: [ OK ]
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping ipa_memcached: [ OK ]
Stopping httpd: [ OK ]
Stopping pki-ca: [FAILED]
Shutting down dirsrv:
COLLECTIVEBIAS-COM... [ OK ]
PKI-IPA... [ OK ]
Aborting ipactl

This error is new to me. PKI service start script apparently calls grep function with wrong arguments. CCing Ade and Endi from PKI team to help.

What version of PKI/IPA are we talking about?

Martin
Re: [Freeipa-users] FreeIP just stopped starting
ipa-server-3.0.0-37.el6.x86_64

I also found this with no solution https://www.redhat.com/archives/freeipa-users/2013-July/msg00133.html

On Wed, Aug 20, 2014 at 8:04 AM, Martin Kosek mko...@redhat.com wrote:

$ rpm -q freeipa-server
if you are running on Fedora.

$ rpm -q ipa-server
if you are running on RHEL/CentOS.

FreeIPA 4.0 and later also show the version with

$ ipa --version

or in the Web UI.

Martin

On 08/20/2014 02:54 PM, Chris Whittle wrote:

What is the best way to determine the version?

On Wed, Aug 20, 2014 at 2:29 AM, Martin Kosek mko...@redhat.com wrote:

[...]
[Freeipa-users] Install FreeIPA 4 on ubuntu
Are there instructions anywhere? My FreeIPA 3 on CentOS died so I'm starting over
[Freeipa-users] FreeIP just stopped starting
Here is what I get if I try to start it manually... Any ideas?

[root@itservices /]# /usr/sbin/ipactl start
Starting Directory Service
Starting dirsrv:
COLLECTIVEBIAS-COM... [ OK ]
PKI-IPA... [ OK ]
Starting KDC Service
Starting Kerberos 5 KDC: [ OK ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server: [ OK ]
Starting MEMCACHE Service
Starting ipa_memcached: [ OK ]
Starting HTTP Service
Starting httpd: [ OK ]
Starting CA Service
Starting pki-ca: [ OK ]
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Failed to start CA Service
Shutting down
Stopping Kerberos 5 KDC: [ OK ]
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping ipa_memcached: [ OK ]
Stopping httpd: [ OK ]
Stopping pki-ca: [FAILED]
Shutting down dirsrv:
COLLECTIVEBIAS-COM... [ OK ]
PKI-IPA... [ OK ]
Aborting ipactl
[Freeipa-users] Does FreeIPA support SHA or SSHA for password encryption
We are looking at ONELogin as well as OKTA for our SSO to work with FreeIPA. The way they integrate with LDAP is a little different. The question I have is: how does FreeIPA support SHA or SSHA for password encryption?

From One Login's help doc on LDAP:

--password-crypt: Defines the cryptographic method used to store new passwords to your Ldap Server when a user changes his password on the OneLogin Web UI. Currently only SHA and SSHA are supported, SHA is the default value
Re: [Freeipa-users] Trying To Connect FreeIPA with OKTA/OneLogin/Bitium
Thanks Martin!

On Tue, Aug 12, 2014 at 9:50 AM, Martin Kosek mko...@redhat.com wrote:

Thank you! I linked this page to http://www.freeipa.org/page/HowTos#Authentication and also improved formatting of the page.

I am not sure about the role section though, we do not use role objectclass, so Okta's search probably returns no results anyway. It may be better to keep that blank IMO.

Martin

On 08/12/2014 03:46 PM, Chris Whittle wrote:

http://www.freeipa.org/page/HowTo/Integrate_With_Okta

On Sat, Aug 9, 2014 at 11:31 PM, Dmitri Pal d...@redhat.com wrote:

On 08/08/2014 04:26 PM, Chris Whittle wrote:

Hey Dimitri, what do you mean? Both of them gave me the same answer and it worked.

Right, now you have the knowledge which is buried in a mail thread and would be hard to find for others that might want to follow your steps. I was hoping you would find some time to summarize your setup and experience and share with others via a HOWTO page on the FreeIPA site [1].

[1] http://www.freeipa.org/page/HowTos

Thanks
Dmitri

On Aug 8, 2014 3:25 PM, Dmitri Pal d...@redhat.com wrote:

On 08/07/2014 02:21 PM, Chris Whittle wrote:

Thanks guys, that works!

And what about HOWTO? ;-)

On Thu, Aug 7, 2014 at 12:22 PM, Lucas Yamanishi lyamani...@sesda3.com wrote:

On 08/07/2014 12:18 PM, Chris Whittle wrote:

I'm currently working on a trial with OKTA and have installed their server agent with no issues. Now I'm trying to map FreeIPA attributes with OKTA's. I'm getting no entries found, which leads me to think I'm missing something

[image: Inline image 1] [image: Inline image 2] [image: Inline image 3]

Thanks!

The objectClass values look incorrect. Try posixAccount and posixGroup for users and groups. Roles are groupOfNames, but that's a little less specific and will match non-role entries without a search base.

You can easily look up raw entries to check your mappings with commands like these (the --all and --raw options are available for all *-show commands, afaik):

ipa user-show --all --raw $USER_NAME
ipa group-show --all --raw $GROUP
ipa role-show --all --raw $ROLE

Or pure ldaputils:

ldapsearch -LLL -YGSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com' 'uid=$USER_NAME'

--
- *question everything*learn something*answer nothing*
Lucas Yamanishi
-- Systems Administrator, ADNET Systems, Inc.
NASA Space and Earth Science Data Analysis (606.9)
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xD354B2CB

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Have existing wildcard SSL from RapidSSL how to implement?
If anyone is looking for this check out http://stackoverflow.com/questions/23374894/mod-nss-with-apache-public-certificate-issue?noredirect=1#comment36504881_23374894

It worked great with the caveat of needing the NSS Database Password which was in /etc/httpd/alias/pwdfile.txt (per http://www.freeipa.org/page/V3/Drop_selfsign_functionality)

Thanks

On Mon, May 19, 2014 at 7:15 AM, Simo Sorce s...@redhat.com wrote:

On Sun, 2014-05-18 at 20:58 -0500, Chris Whittle wrote:

Actually is this it? http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

I think so, yeah.

Simo.

On Sun, May 18, 2014 at 8:31 PM, Chris Whittle cwhi...@gmail.com wrote:

Thanks Simo, I'm finding a lot of posts on certs but none that really tell me what I need to do... Any more help would be extremely appreciated.

On Sun, May 18, 2014 at 11:31 AM, Simo Sorce s...@redhat.com wrote:

On Sat, 2014-05-17 at 13:26 -0500, Chris Whittle wrote:

Let me be more specific... I just want to use my wildcard ssl for the UI so that it doesn't give an error when you access it, anyone done this before?

I think this has been posted on the list already, however all you need to do is to replace the apache certs, they are in a nss database located in /etc/httpd/alias, you can use certutil to deal with the database.

HTH,
Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Free IPA and Google Apps
Awesome... Can ipsilon be installed on the same server as FreeIPA?

On Mon, May 19, 2014 at 7:16 AM, Simo Sorce s...@redhat.com wrote:

On Sun, 2014-05-18 at 20:40 -0500, Chris Whittle wrote:

Anything new on ipsilon?

I released 0.2.3: https://fedorahosted.org/ipsilon/

It is still a bit rough on the edges, but can be used.

Simo.

On Fri, Apr 25, 2014 at 9:18 AM, Simo Sorce s...@redhat.com wrote:

On Fri, 2014-04-25 at 10:00 -0400, Dmitri Pal wrote:

On 04/25/2014 09:51 AM, Simo Sorce wrote:

On Fri, 2014-04-25 at 09:29 -0400, Dmitri Pal wrote:

On 04/25/2014 08:39 AM, Simo Sorce wrote:

On Fri, 2014-04-25 at 07:27 -0500, Chris Whittle wrote:

Thanks Martin, I found a few notes on FreeIPA and GADS but most were people saying not to do it on principle but nothing saying if it's possible or not. I like the SAML option, including the mysterious ipsilon (Is there anything more than the git repo yet?), but wonder how much control it has.

At the moment no control at all.

Does it just allow them to SSO using their LDAP credentials?

Yes.

If I disable a user in LDAP does it only recognize that during login or is it smart enough to kill their Google Apps sessions and make them login again?

At the moment no, in future, perhaps we can develop a plugin that will call a SSO logout to the remote applications the user logged into, but this will require the server to be more stateful. This feature is not available in the current code.

Simo.

Simo, how ready is Ipsilon for a POC like this? I understand it is probably somewhere between alpha and beta quality but it might be a good exercise to try to set it up for a real use case. What do you think?

It can be tried, but I need to write some documentation on how to set it up first :-)

Simo.

Hint-hint, nudge-nudge :-)

I know, I know. I got done with lasso and mod_auth_mellon patches, now I can go back to Ipsilon. If Jan gives me the go, I will cut a first release and start writing instructions, file for Fedora packages and all that

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Have existing wildcard SSL from RapidSSL how to implement?
All I am trying to fix right now is so when the user comes to the web ui they have a valid cert.

On May 19, 2014 2:01 AM, Martin Kosek mko...@redhat.com wrote:

On 05/17/2014 04:22 AM, Chris Whittle wrote:

I have an existing key and crt that have been successfully installed on other subdomain servers... Where is the best place to start?

To start what? :-)

Without knowing what you want to achieve, I would like to point you to our training presentation describing different FreeIPA Certificate infrastructure integration procedures:

http://www.freeipa.org/images/b/b3/FreeIPA33-blending-in-a-certificate-infrastructure.pdf

I would like to especially point you to the CA-less integration type.

HTH,
Martin
Re: [Freeipa-users] Theming FreeIPA
I'm mostly interested in making it responsive and logos, colors and such. So it sounds like I'll be covered in 4

On May 19, 2014 6:30 AM, Petr Vobornik pvobo...@redhat.com wrote:

On 19.5.2014 09:05, Martin Kosek wrote:

On 05/17/2014 04:27 PM, Christopher Swingler wrote:

Short and to the point, but I have the same question. :)

On May 16, 2014, at 9:08 PM, Chris Whittle cwhi...@gmail.com wrote:

Is there a doc anywhere?

CC-ing Petr Vobornik to help with that. You can already achieve some theming with overriding the CSS + utilizing Web UI plugins we already have in FreeIPA Web UI. Note that Web UI in FreeIPA 4.0 will change extensively as it migrated to Patternfly project, I wonder if there are more theming options then.

Martin

FreeIPA doesn't have official theming support. But, as Martin mentioned, you can do some theming.

Up to version 3.2 the only option was to change css files and images in /usr/share/ipa/ui. Obviously this method is not ideal since it won't survive rpm update.

Since version 3.2 it's possible to create a UI plugin [1] which would load additional css with override rules. This method is suitable only for minor theming - it's not very comfortable to create override rules for half of the application.

PatternFly [2] will be used in FreeIPA 4.1, example of current development version: [3]. PatternFly is based on Bootstrap 3 which is probably the most used frontend framework - people are familiar with Bootstrap theming.

To speed up (start) development of proper theming support I suggest you create a new [RFE] ticket [4]. It would also help us to know what parts of the application you want to theme, i.e., just logos and background?

[1] http://pvoborni.fedorapeople.org/doc/#!/guide/Plugins
[2] https://www.patternfly.org/
[3] http://pvoborni.fedorapeople.org/ui/
[4] https://fedorahosted.org/freeipa/newticket

--
Petr Vobornik
Re: [Freeipa-users] Have existing wildcard SSL from RapidSSL how to implement?
Thanks Simo, I'm finding a lot of posts on certs but none that really tell me what I need to do... Any more help would be extremely appreciated.

On Sun, May 18, 2014 at 11:31 AM, Simo Sorce s...@redhat.com wrote:

On Sat, 2014-05-17 at 13:26 -0500, Chris Whittle wrote:

Let me be more specific... I just want to use my wildcard ssl for the UI so that it doesn't give an error when you access it, anyone done this before?

I think this has been posted on the list already, however all you need to do is to replace the apache certs, they are in a nss database located in /etc/httpd/alias, you can use certutil to deal with the database.

HTH,
Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Free IPA and Google Apps
Anything new on ipsilon?

On Fri, Apr 25, 2014 at 9:18 AM, Simo Sorce s...@redhat.com wrote:

[...]

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Have existing wildcard SSL from RapidSSL how to implement?
Actually, is this it? http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

On Sun, May 18, 2014 at 8:31 PM, Chris Whittle cwhi...@gmail.com wrote:
> Thanks Simo, I'm finding a lot of posts on certs but none that really tell me what I need to do... Any more help would be extremely appreciated.
>
> On Sun, May 18, 2014 at 11:31 AM, Simo Sorce s...@redhat.com wrote:
> > On Sat, 2014-05-17 at 13:26 -0500, Chris Whittle wrote:
> > > Let me be more specific... I just want to use my wildcard SSL for the UI so that it doesn't give an error when you access it. Anyone done this before?
> >
> > I think this has been posted on the list already, however all you need to do is to replace the Apache certs; they are in an NSS database located in /etc/httpd/alias. You can use certutil to deal with the database.
> >
> > HTH,
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
[Freeipa-users] Have existing wildcard SSL from RapidSSL how to implement?
Let me be more specific... I just want to use my wildcard SSL for the UI so that it doesn't give an error when you access it. Anyone done this before?
[Freeipa-users] Theming FreeIPA
Is there a doc anywhere?
Re: [Freeipa-users] Bash script to see if user is enabled or disabled?
Thanks everyone... Between what you guys said and some research I ended up doing this: http://serverfault.com/questions/594443/how-can-i-force-a-mac-mobile-account-user-to-be-logged-out-or-locked-out-when-th/594773#594773

On Mon, May 12, 2014 at 4:31 PM, Michael ORourke mrorou...@earthlink.net wrote:
> I wrote a script to query IPA for accounts with passwords that are about to expire (so I can nag them with an email to reset their password), and I also added logic in my script to ignore accounts that are disabled. So I needed a way to query my IPA server for this info. I came up with 2 solutions for checking if the account is disabled.
>
> 1. Do an LDAP query on the user and check for an attribute called nsAccountLock. If it is TRUE, then the account is disabled. If it is FALSE or not defined, then the account is enabled.
>
> 2. On a box with the IPA CLI tools installed, run the following command: ipa user-status username. However, if you have several replicated IPA servers, you will see the status of the account on each IPA server along with the account status.
>
> I hope this helps.
>
> -Mike
>
> -Original Message-
> From: Chris Whittle
> Sent: May 12, 2014 10:31 AM
> To: freeipa-users
> Subject: [Freeipa-users] Bash script to see if user is enabled or disabled?
>
> I am working on my Mac setups and am wanting to ping the server every so often and check to see if their user is enabled or disabled. If disabled then I will show them the login screen, log them out or something else.. What I need is how to check to see if they are enabled or not through bash... Anyone done something similar?
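Mike's first option above (read nsAccountLock over LDAP, TRUE means disabled, FALSE or absent means enabled), written up as a bash check. This is an added example, not a script from the thread; the server URI, the users base DN and the use of the caller's Kerberos ticket for the bind are placeholders and assumptions, and the LDIF fed to the parser at the end is constructed so it can be run without an IPA server.

```bash
#!/bin/bash
# Added example (not from the thread): Mike's option 1 as a bash check.
# nsAccountLock: TRUE means the account is disabled; FALSE or absent
# means enabled. A user that returns no entry at all is reported as
# "unknown" so a typo or an unreachable server does not read as "enabled".
#
# Placeholders/assumptions: server URI, users base DN, and use of the
# caller's Kerberos ticket (-Y GSSAPI) instead of a bind password.
IPA_LDAP_URI="ldaps://ipa.example.com"                   # placeholder
IPA_USERS_BASE="cn=users,cn=accounts,dc=example,dc=com"  # placeholder

# Accept only plain usernames; anything else could alter the LDAP filter.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read LDIF on stdin, print one of: disabled / enabled / unknown.
account_state_from_ldif() {
    seen_entry=0
    locked=0
    while IFS= read -r line || [ -n "$line" ]; do
        # lower-case and trim trailing whitespace/CR before matching
        lower=$(printf '%s' "$line" | tr '[:upper:]' '[:lower:]' | sed 's/[[:space:]]*$//')
        case "$lower" in
            dn:*)                  seen_entry=1 ;;
            "nsaccountlock: true") locked=1 ;;
        esac
    done
    if [ "$seen_entry" -eq 0 ]; then
        echo unknown
    elif [ "$locked" -eq 1 ]; then
        echo disabled
    else
        echo enabled
    fi
}

# Query the server for one user's lock flag. -LLL gives bare LDIF.
ipa_user_state() {
    valid_username "$1" || { echo unknown; return 1; }
    ldapsearch -LLL -Q -Y GSSAPI -H "$IPA_LDAP_URI" -b "$IPA_USERS_BASE" \
        "(uid=$1)" nsAccountLock 2>/dev/null | account_state_from_ldif
}

# Constructed sample LDIF (not captured from a real server) so the
# parser can be exercised offline.
SAMPLE_LOCKED='dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
nsAccountLock: TRUE
'
SAMPLE_UNLOCKED='dn: uid=asmith,cn=users,cn=accounts,dc=example,dc=com
'

printf '%s' "$SAMPLE_LOCKED"   | account_state_from_ldif   # disabled
printf '%s' "$SAMPLE_UNLOCKED" | account_state_from_ldif   # enabled
```

For the polling use case in the original question, treat only a literal "disabled" as the trigger to lock the screen; "unknown" usually means the lookup itself failed.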
[Freeipa-users] Bash script to see if user is enabled or disabled?
I am working on my Mac setups and am wanting to ping the server every so often and check to see if their user is enabled or disabled. If disabled then I will show them the login screen, log them out or something else.. What I need is how to check to see if they are enabled or not through bash... Anyone done something similar?
[Freeipa-users] Google Apps Directory Sync and Free-IPA
I've seen a lot of people have issues with making GADS work with FreeIPA. Does anyone have it working and care to share how?
Re: [Freeipa-users] Google Apps Directory Sync and Free-IPA
Ha! That was my thread about SAML vs GADS, but there ended up not being any info on how to actually use GADS with Free IPA. It dropped after Simo saying he was going to work on getting docs for ipsilon (which from the conversation and what I can gather is basically SAML), and I asked for someone who had experience with GADS, so I started a new one for simplification.

On Mon, Apr 28, 2014 at 7:17 AM, Dmitri Pal d...@redhat.com wrote:
> On 04/28/2014 08:11 AM, Chris Whittle wrote:
> > I've seen a lot of people have issues with making GADS work with FreeIPA. Does anyone have it working and care to share how?
>
> There was a thread last week. It had some hints. Also it ended up with Simo needing to put documentation about Ipsilon IdP so that we can show how to federate FreeIPA and Google but this is not done yet.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
Re: [Freeipa-users] Google Apps Directory Sync and Free-IPA
Thanks Simon. I'm not sure it'll work for what I need. I really wish someone had Google Apps Directory Sync either working or not working so I can either research more or strike it off my list.

On Mon, Apr 28, 2014 at 11:34 AM, Simon Williams simon.willi...@thehelpfulcat.com wrote:
> I do have it working, but I have Atlassian Crowd sitting between FreeIPA and the Google Apps log in.
>
> On 28 Apr 2014 15:44, Simo Sorce s...@redhat.com wrote:
> > On Mon, 2014-04-28 at 08:24 -0400, Dmitri Pal wrote:
> > > On 04/28/2014 08:22 AM, Chris Whittle wrote:
> > > > Ha! That was my thread about SAML vs GADS, but there ended up not being any info on how to actually use GADS with Free IPA. It dropped after Simo saying he was going to work on getting docs for ipsilon (which from the conversation and what I can gather is basically SAML), and I asked for someone who had experience with GADS, so I started a new one for simplification.
> > >
> > > I do not think we have a better answer for you other than what Martin mentioned and SAML IdP Simo is working on.
> >
> > Note that any other SAML IdP that has support for LDAP may work, for example http://picketlink.org/ may work for you if you have experience in setting up JBoss based applications and know how to make your way in configuring such software. (I can't help here really).
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Free IPA and Google Apps
Thanks Martin, I found a few notes on FreeIPA and GADS but most were people saying not to do it on principle but nothing saying if it's possible or not. I like the SAML option, including the mysterious ipsilon (Is there anything more than the git repo yet?), but wonder how much control it has. Does it just allow them to SSO using their LDAP credentials? If I disable a user in LDAP does it only recognize that during login or is it smart enough to kill their Google Apps sessions and make them login again?

On Fri, Apr 25, 2014 at 3:03 AM, Martin Kosek mko...@redhat.com wrote:
> On 04/25/2014 01:59 AM, Chris Whittle wrote:
> > I am wanting to use Free IPA as the authentication source for Google Apps. I can't seem to find any documentation on how to accomplish this. Anyone have any experience they would be willing to share? Our install is on CentOS 6.5 fyi.
>
> I did a brief googling and it seems to me that Google Apps should be capable of LDAP based auth/synchronization:
> http://www.google.com/support/enterprise/static/gapps/docs/admin/en/gads/admin/config_ldap_auth.html
>
> An even better solution would probably be to use SAML:
> https://developers.google.com/google-apps/sso/saml_reference_implementation
> by utilizing a project Ipsilon that Simo (CCed) is working on.
>
> Martin
Re: [Freeipa-users] Free IPA and Google Apps
Thank you Simo! Does anyone have any more info/experience on using GADS and FreeIPA that they would be willing to share?

On Fri, Apr 25, 2014 at 7:39 AM, Simo Sorce sso...@redhat.com wrote:
> On Fri, 2014-04-25 at 07:27 -0500, Chris Whittle wrote:
> > Thanks Martin, I found a few notes on FreeIPA and GADS but most were people saying not to do it on principle but nothing saying if it's possible or not. I like the SAML option, including the mysterious ipsilon (Is there anything more than the git repo yet?), but wonder how much control it has.
>
> At the moment no control at all.
>
> > Does it just allow them to SSO using their LDAP credentials?
>
> Yes.
>
> > If I disable a user in LDAP does it only recognize that during login or is it smart enough to kill their Google Apps sessions and make them login again?
>
> At the moment no, in future, perhaps we can develop a plugin that will call a SSO logout to the remote applications the user logged into, but this will require the server to be more stateful. This feature is not available in the current code.
>
> Simo.
[Freeipa-users] Free IPA and Google Apps
I am wanting to use Free IPA as the authentication source for Google Apps. I can't seem to find any documentation on how to accomplish this. Anyone have any experience they would be willing to share? Our install is on CentOS 6.5 fyi.
[Freeipa-users] Questions about Logs
One of the big rocks I am trying to accomplish is the ability to audit access information and password resets. I know the audit capabilities are on the road map for the future so I'm trying to make do with what I have.

1) Is all the above information in the access log?
2) Do you know of any 3rd party online tools to view those logs in a more readable format than the /var/log/dirsrv/slapd- access file?
3) Any idea on a rough time period for the full audit capabilities?
Re: [Freeipa-users] FreeIPA backend. Mavericks server shows UIDs instead of usernames in File Sharing.
I was able to take that script and with some customizing get it to work with Mavericks. This should work; I tried to do a find and replace to make it work like the GitHub one.

On Wed, Apr 16, 2014 at 5:40 PM, Fredy Sanchez fredy.sanc...@modmed.com wrote:
> Sure Rob, we'll put something together and send it to you for publishing. Give us a few days. We'll also sanitize our enrollment package and share it w/ you too. This is what we use to enroll our Macs, a one time install that does what ipa-client-install does for Linux, including these LDAP mappings. We love FreeIPA and will be really happy if this helps any other users with Mac fleets.
>
> On Wed, Apr 16, 2014 at 6:12 PM, Rob Crittenden rcrit...@redhat.com wrote:
> > Fredy Sanchez wrote:
> > > Hi Simo,
> > >
> > > Thanks for your reply. Good old Google pointed me to https://github.com/rtrouton/rtrouton_scripts/blob/master/rtrouton_scripts/open-ldap_bind_script/Mac_OpenLDAP_bind_script.sh, which gave me the idea of updating the RealName mapping to displayName. This solved the problem. I'll have to recreate the permissions for every share, but the user names now show up, and stick. No more UIDs.
> >
> > Great. Any chance you can write something and post a howto on our wiki? Or send the details to me and I'll write something up?
> >
> > thanks
> >
> > rob
> >
> > > On Tue, Apr 15, 2014 at 9:30 AM, Simo Sorce s...@redhat.com wrote:
> > > > On Fri, 2014-04-11 at 10:37 -0400, Fredy Sanchez wrote:
> > > > > Hi all,
> > > > >
> > > > > We asked this same question at discussions.apple.com, but figured we'd have better luck here. I apologize in advance if this is the wrong forum.
> > > > >
> > > > > We are switching from Synology (DSM 5) to Mavericks server (v3.1.1. running in Mavericks 10.9.2) for File Sharing. We use a FreeIPA (ipa-server.x86_64 3.0.0-37.el6) backend for SSO, and the Mac server seems correctly bound to it. Unfortunately, although we can add usernames to the shares for the initial config, the usernames transform to UIDs after (only for SSO accounts; local accounts are not affected). That is, when we go to edit the permissions for a share, all we see are UIDs. We can always figure out the username from the UID, but this is an extra step we don't want to have. We've tried reinstalling the Mac server app from scratch, re-binding to the FreeIPA backend, changing mappings in Directory Utility (for example, mapping GeneratedUID to uid, which is the username), recreating the shares and permissions, etc.
> > > > >
> > > > > Here are more details about the binding:
> > > > >
> > > > > * The binding happens thru a custom package we created based primarily on http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
> > > > > * Sys Prefs, Users & Groups, Login Options show the server bound to the FreeIPA backend with the green dot
> > > > > * The following mappings are in place in Directory Utility, Services, LDAPv3, FreeIPA backend
> > > > >
> > > > >   Users: inetOrgPerson
> > > > >     AuthenticationAuthority: uid
> > > > >     GeneratedUID: random number in uppercase
> > > > >     HomeDirectory: #/Users/$uid$
> > > > >     NFSHomeDirectory: #/Users/$uid$
> > > > >     OriginalHomeDirectory: #/Users/$uid$
> > > > >     PrimaryGroupID: gidNumber
> > > > >     RealName: cn
> > > > >     RecordName: uid
> > > > >     UniqueID: uidNumber
> > > > >     UserShell: loginShell
> > > > >
> > > > >   Groups: posixgroup
> > > > >     PrimaryGroupID: gidNumber
> > > > >     RecordName: cn
> > > > >
> > > > >   The search bases are correct
> > > > >
> > > > > * Directory Utility, Directory Editor shows the right info for the users.
> > > > > * $ id $USERNAME shows the right information for the user
> > > > >
> > > > > FreeIPA is working beautifully for our Mac / Linux environment. We provide directory services to about 300 hosts, and 200 employees using it; and haven't had any problems LDAP wise until now. So we think we are missing a mapping here. Any ideas?
> > > >
> > > > Fredy, I quickly tried to check for some documentation on how to configure this stuff, but found only useless superficial guides on how to find the pointy/clicky buttons to push to enable the service.
> > > >
> > > > I am not a Mac expert by a long shot so I cannot help you much here. Is there any guide available on how to use this service with other LDAP servers, like OpenLDAP or Active Directory? We can probably draw some conclusions from there.
> > > >
> > > > Simo.
> > > >
> > > > --
> > > > Simo Sorce * Red Hat, Inc * New York
> > >
> > > --
> > > Cheers,
> > > Fredy Sanchez
> > > IT Manager @ Modernizing Medicine
> > > (561) 880-2998 x237
> > > fredy.sanc...@modmed.com
> > > *Need IT support?* Visit https://mmit.zendesk.com
[Freeipa-users] Updated Mavericks (MAC) Client setup or am I doing something wrong?
So I am a partial noob to this so I appreciate any leeway / help ahead of time. We found http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8 and we're just wanting to use the directory functions of Free IPA for now. Walking through the directory works until we try to login. When we try to login using the "other" option we put in the username (ie tomjones not tomjo...@heytherepussycat.com) and password and it just shakes the password field like it is invalid but gives no error. When looking at the console nothing shows as an error.

So my questions are:
1) Should we be using the username or usern...@domain.com to login through the Mac?
2) Is there something not documented I am missing?
3) Do I have to have all the services listed under Mac (Kerberos and IPA) before we can use the directory service?

Thanks
Whitt