[Freeipa-users] Apache group authentication stopped working

2017-04-26 Thread Ian Pilcher

Did something change re Apache LDAP group authentication?  The following
configuration directive was working for me until recently.

 Require ldap-group cn=sprinklers,cn=groups,cn=accounts,dc=penurio,dc=us

Today, this is causing authentication failures, even though the users
are still in the "sprinklers" user group.  "Require valid-user" still
works, so it definitely seems to be something to do with the group.

--
========
Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] Apache group authentication stopped working

2017-04-26 Thread Ian Pilcher

Apologies if this is a duplicate.  Not sure if posting via Gmane works
these days ...

Did something change re Apache LDAP group authentication?  The following
configuration directive was working for me until recently.

 Require ldap-group cn=sprinklers,cn=groups,cn=accounts,dc=penurio,dc=us

Today, this is causing authentication failures, even though the users
are still in the "sprinklers" user group.  "Require valid-user" still
works, so it definitely seems to be something to do with the group.

--
========
Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 


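An added diagnostic for a failing `Require ldap-group`, not from the original thread, from FreeIPA or from mod_authnz_ldap: the module decides `ldap-group` by reading the group entry and comparing the values of its group attribute (`member`, holding DNs, with `AuthLDAPGroupAttributeIsDN on`, or `memberUid`, holding bare uids, with it off) against the authenticated user, so the first thing to check is what the directory actually returns for that entry. The function below reads the LDIF that `ldapsearch` prints for the group entry on stdin and reports whether the expected value is present; it unfolds LDIF continuation lines (long DNs are folded at 76 columns, which is easy to miss when eyeballing output) and compares case-insensitively, as LDAP DN matching does. The group DN, user DN and the `ldapsearch` invocation in the comment are assumptions for the example; FreeIPA user DNs have the form `uid=NAME,cn=users,cn=accounts,<base>`.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or mod_authnz_ldap): check what
# an Apache "Require ldap-group GROUP_DN" would see in the group entry.
#
# Usage: ldif_group_contains GROUP_DN ATTR VALUE  < ldif
#   ATTR/VALUE is "member" and the user DN for AuthLDAPGroupAttributeIsDN on,
#   or "memberUid" and the bare uid for AuthLDAPGroupAttributeIsDN off.
# Returns 0 if the entry for GROUP_DN carries ATTR with VALUE, 1 otherwise.
# LDIF folds long lines (continuation lines begin with one space), so every
# line is unfolded before it is compared. Base64 values ("attr:: ...") are
# not decoded; they do not occur for plain ASCII DNs.
ldif_group_contains() {
    awk -v want_group="$1" -v want_attr="$2" -v want_value="$3" '
        # Normalize for comparison: DNs match case-insensitively and
        # whitespace after the comma separators is not significant.
        function norm(s) { s = tolower(s); gsub(/, +/, ",", s); return s }

        # Handle one unfolded "attr: value" line.
        function handle(l,    i, attr, val) {
            if (l == "" || l ~ /^#/) return
            i = index(l, ":")
            if (i == 0) return
            attr = tolower(substr(l, 1, i - 1))
            val = substr(l, i + 1)
            sub(/^:? */, "", val)            # strip the separator and padding
            if (attr == "dn")
                in_group = (norm(val) == norm(want_group))
            else if (in_group && attr == tolower(want_attr) &&
                     norm(val) == norm(want_value))
                found = 1
        }
        /^ / { buf = buf substr($0, 2); next }   # continuation line: unfold
        { handle(buf); buf = $0 }
        END { handle(buf); exit (found ? 0 : 1) }
    '
}

# Live use (assumed invocation; needs a Kerberos ticket for the IPA directory):
#   GROUP_DN='cn=sprinklers,cn=groups,cn=accounts,dc=penurio,dc=us'
#   USER_DN='uid=ian,cn=users,cn=accounts,dc=penurio,dc=us'
#   ldapsearch -LLL -Y GSSAPI -s base -b "$GROUP_DN" member memberUid \
#     | ldif_group_contains "$GROUP_DN" member "$USER_DN" && echo "would pass"
```

If the live query succeeds but the value is missing, the group really does not list the user in the attribute Apache is configured to read; if the value is present, the failure is on the Apache side (bind account, search base, or the `AuthLDAPGroupAttribute*` directives) rather than in the directory data.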


Re: [Freeipa-users] Use SQLite format NSS database?

2017-03-21 Thread Ian Pilcher

On 03/21/2017 02:26 PM, Rob Crittenden wrote:

> Um, this _might_ work. Each httpd worker will have an fd open to the NSS
> database files so you'd want to do this rather carefully.


I'm no expert on this stuff, but my understanding is that any file
descriptors will continue to point to the older database files until a
worker is restarted or it closes and reopens a file for some reason
(which I have no reason to believe mod_nss does).

Even if a worker does do this for some reason, the /etc/httpd/alias
symlink can be changed atomically, so it will only be an issue if a
worker reopens an NSS database at the same time that the symlink is
being updated -- thus getting inconsistent versions of secmod.db,
cert8.db, or key3.db.  If this happens, NSS will presumably return
SEC_ERROR_ALIENS_ATTACKING, or something similarly inaccurate and non-
useful.

(Even this wouldn't be an issue if NSS used openat() like a library that
actually cares about ... security, but I digress.)


> In order for NSS to see a newly added certificate it will need to reopen
> the database. I'm fairly certain a SIGHUP will cause all the children to
> be respawned so except for those actually serving a request at the time
> the new certs should be available.


I'll check on SIGHUP.  Even if it doesn't work, a complete restart is
much easier to coordinate than shutting down Apache, updating the
database, and restarting it.

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 




Re: [Freeipa-users] Use SQLite format NSS database?

2017-03-21 Thread Ian Pilcher

On 03/20/2017 11:02 AM, Rob Crittenden wrote:

> I think his concern may be around warnings that the NSS BDB databases
> should only be updated when quiet. In the case of mod_nss it explicitly
> opens the database read-only so I think you'd be safe updating the
> certificate.


You are correct about my concern.  I should have noticed that mod_nss
is opening the database read-only, based on the file permissions if
nothing else.

Based on this, I should be able to do something with symlinks to make a
copy of the database, do my updates, rename the symlink to make the
updated database "live", and SIGHUP (or restart if necessary) Apache.

Thanks!

--
========
Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 


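The copy, update, rename-the-symlink procedure described above, and the fd/atomicity caveats raised in the later reply, written out as an added shell example (not from the thread, FreeIPA or mod_nss). It assumes the layout from the discussion: `/etc/httpd/alias` is a symlink to the directory that currently holds `cert8.db`, `key3.db` and `secmod.db`, and mod_nss has those files open read-only. The function copies the live directory, runs a caller-supplied update command against the copy (in real use this is where `certutil -d <copy> -A ...` or `pk12util -d <copy> -i ...` would import the renewed certificate), and then swaps the symlink with a single `rename(2)` via `mv -T`, so a worker that happens to reopen the database during the swap sees either the old set of files or the new set, never a mix. A failed update leaves the live symlink untouched. The directory name, the update command and the reload command in the comments are assumptions; which reload is actually sufficient is what the thread is working out.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or mod_nss): replace an NSS
# database directory behind a symlink without touching the live files.
#
# Usage: nss_db_swap LIVE_LINK UPDATE_CMD [ARGS...]
#   LIVE_LINK  symlink to the directory holding cert8.db/key3.db/secmod.db,
#              e.g. /etc/httpd/alias -> /etc/httpd/alias.20170321 (assumed)
#   UPDATE_CMD run as "UPDATE_CMD ARGS... NEWDIR"; it edits the copy only,
#              e.g. a function running:
#              certutil -d "$newdir" -A -n Server-Cert -t ,, -i cert.pem
# Returns 0 when the symlink now points at the updated copy. On any failure
# the copy is discarded, the symlink is left as it was, and 1 is returned.
nss_db_swap() {
    link=$1; shift
    [ -L "$link" ] || { echo "nss_db_swap: $link is not a symlink" >&2; return 1; }
    old=$(readlink -f "$link") || return 1

    # Fresh sibling directory with a unique name, so two runs never collide.
    new=$(mktemp -d "${link}.XXXXXX") || return 1
    # mktemp creates mode 0700; give the copy the live directory's mode so
    # the httpd workers can still read it. cp -a keeps file modes and times.
    chmod --reference="$old" "$new" && cp -a "$old/." "$new/" || {
        rm -rf "$new"; return 1
    }

    # Apply the change to the copy only; the live database is never written.
    if ! "$@" "$new"; then
        echo "nss_db_swap: update failed, keeping $old live" >&2
        rm -rf "$new"
        return 1
    fi

    # Atomic switch: create the new symlink under a temporary name and
    # rename(2) it over the old one. -T makes mv replace the symlink itself
    # instead of moving the temporary link into the directory it points to.
    tmp_link="${link}.tmp.$$"
    ln -s "$new" "$tmp_link" && mv -T "$tmp_link" "$link" || {
        rm -f "$tmp_link"; rm -rf "$new"; return 1
    }
    echo "$link -> $new (previous: $old)"
}

# Workers keep their descriptors on the old files until they reopen the
# database, so the swap must be followed by a reload or restart of httpd
# (assumed command; whether SIGHUP alone is enough is the open question):
#   nss_db_swap /etc/httpd/alias import_new_cert && systemctl restart httpd
```

Because the old directory is never modified or removed by the swap, a bad certificate can be backed out by pointing the symlink at the previous directory with the same `ln -s` / `mv -T` pair; old copies can be pruned once no httpd process still has them open.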


Re: [Freeipa-users] Use SQLite format NSS database?

2017-03-20 Thread Ian Pilcher

On 03/20/2017 04:00 AM, David Kupka wrote:

> Generally I would not recommend touching this on a production system.
> Why do you want to change the database format?


My FreeIPA server also acts as a reverse proxy/TLS endpoint for my
home sprinkler system (https://opensprinkler.com/), allowing me to
securely connect to the sprinkler controller from my cell phone when
I'm out in the yard (out of WiFi range).

Since free 1-year TLS certificates seem to be a thing of the past, I'm
working on automating the retrieval of 90-day certificates from Let's
Encrypt.

My current update script has to stop Apache before updating the
certificate in the NSS database.  It's hardly the end of the world, but
it would have been nice to be able to load the new certificate into the
database and just send a SIGHUP to the daemon.

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 




[Freeipa-users] Use SQLite format NSS database?

2017-03-18 Thread Ian Pilcher

Can IPA 4.4 (on CentOS 7) use a SQLite format NSS database in
/etc/httpd/alias?

I would presumably have to prepend "sql:" to the NSSCertificateDatabase
setting in nss.conf.

Anything else?

--
========
Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 




Re: [Freeipa-users] ipa-replica-conncheck wants listener on port 7389

2017-02-28 Thread Ian Pilcher

On 02/28/2017 03:37 AM, Standa Laznicka wrote:

> Please, rather check what the problem is. Port 7389 is not required for
> the newer system, but the old 6.x system has to be listening on it so
> that we can replicate against the older Dogtag database. From the
> previous mail I believe you were following the right documentation,
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc,
> correct?


Yes, but I hit this issue when setting up replication from a (temporary)
CentOS 7 system back to the newly re-installed system.

I believe that I understand the issue.

The ipa-replica-conncheck man page at
https://linux.die.net/man/1/ipa-replica-conncheck says this:

  -c, --check-ca
  Include in a check also a set of dogtag connection requirements.
  When a replica is self-sign this option is not needed.

But the man page in CentOS 7 says:

  -c, --check-ca
  Include in a check also a set of dogtag connection requirements.
  Only needed when the master was installed with Dogtag 9 or lower.

As a system administrator who is unfamiliar with the inner workings of
FreeIPA, neither version really helped me to figure out if I should be
passing that option.  (The answer appears to be "yes" when the existing
server was CentOS 6, but "no" when the existing server is CentOS 7.)

--
========
Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 




Re: [Freeipa-users] CentOS 6 -> 7 migration

2017-02-28 Thread Ian Pilcher

On 02/28/2017 03:49 AM, Petr Vobornik wrote:

> On 02/26/2017 04:58 PM, Rob Verduijn wrote:
>
>> Sounds feasible, however I'm not sure which solution entails the most
>> work.
>
> +1
>
> Just in case, I'll mention migration documentation:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc
>
> There are some manual steps regarding CA which should not be skipped.



Thanks for mentioning that.  I thought that I was done, but I had missed
that part.

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 




[Freeipa-users] ipa-replica-conncheck wants listener on port 7389

2017-02-27 Thread Ian Pilcher

I'm part way through my CentOS 6 to 7 "upgrade".  I've reached the
point of trying to set up my new IPA server as a replica of a temporary
VM.

ipa-replica-conncheck is complaining, because nothing on the temporary
server is listening on port 7389.

The documentation here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prepping-replica.html

Says:

  In a purely Red Hat Enterprise Linux 7 environment, port 7389 is not
  required.

Which seems to indicate that nothing *should* be listening on that port
on a CentOS 7 IPA server.

So who's right?  And if something (pki-tomcatd?) should be listening on
that port, how do I make it do so?

Thanks!

--
========
Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 




Re: [Freeipa-users] CentOS 6 -> 7 migration

2017-02-26 Thread Ian Pilcher

On 02/26/2017 05:08 AM, Rob Verduijn wrote:

> You should consider setting up a temporary vm to migrate from.
> On one of your client systems, I assume you got at least 1 ipa client
>
> Try looking at http://libguestfs.org/virt-p2v.1.html to migrate your
> current system to a vm  (side effect : instant full backup)
>
> When you got the vm up and running you can reinstall your main system
> with the new os and ipa.
> Then replicate the old ipa to the new one.


Hmm.  The system that runs IPA is the "network server" in my home
network.  It runs various services -- DNS, NTP, CUPS, squid, etc. -- as
well as routing between various VLANs.  So simply P2V'ing it would be
a major project in its own right.

What about this, though ...

1.  Set up a new CentOS 7 VM running IPA

2.  Replicate the IPA data from the old CentOS 6 system to the VM.

3.  Install CentOS 7 on the original system

4.  Replicate the IPA data back from the VM

Will this work?

--
========
Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 




[Freeipa-users] CentOS 6 -> 7 migration

2017-02-25 Thread Ian Pilcher

Is there any way to migrate an IPA server from 6 -> 7 without losing all
of the IPA configuration and data?  All of the documentation I can find
involves setting up a replica, replicating the data over, and then
decommissioning the old system; not exactly an option with a single
system.

--
====
Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 




[Freeipa-users] How to clear DNS cache

2016-11-02 Thread Ian Pilcher

I am running FreeIPA 3.0.0 on CentOS 6.  I appear to have stale records
for smtp.gmail.com in my cache, which are preventing me from sending
email.

I've been unable to figure out how to delete these records, which seem
to be stored in LDAP.

Any assistance/pointers appreciated.

Thanks!

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 




Re: [Freeipa-users] Traceback starting pki-cad - ca.subsystem.certreq missing?

2016-02-23 Thread Ian Pilcher

> This looks like something PKI specific (given it is in /usr/sbin/pki-server),
> CCing Endi from Dogtag team.


From doing some additional Googling, it seems like the request should be
in the PKI-CA dirsrv instance.  Thus far, I haven't been able to figure
out the incantation necessary to get ldapsearch to connect, though.

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 




[Freeipa-users] Traceback starting pki-cad - ca.subsystem.certreq missing?

2016-02-20 Thread Ian Pilcher

I am running IPA 3.0.0 on CentOS 6 (32-bit x86), and I am getting a
traceback every time pki-cad starts:

  Traceback (most recent call last):
    File "/usr/sbin/pki-server", line 89, in <module>
      cli.execute(sys.argv)
    File "/usr/sbin/pki-server", line 84, in execute
      super(PKIServerCLI, self).execute(args)
    File "/usr/lib/python2.6/site-packages/pki/cli.py", line 195, in execute
      module.execute(module_args)
    File "/usr/lib/python2.6/site-packages/pki/server/cli/upgrade.py", line 103, in execute
      scriptlet.execute()
    File "/usr/lib/python2.6/site-packages/pki/server/upgrade/__init__.py", line 50, in execute
      cert = self.subsystem.get_system_cert('subsystem')
    File "/usr/lib/python2.6/site-packages/pki/server/__init__.py", line 93, in get_system_cert
      cert['request'] = base64.b64decode(self.config['%s.%s.certreq' % (self.prefix, tag)])
  KeyError: 'ca.subsystem.certreq'
  Starting pki-ca:   [  OK  ]

As you can see, the daemon does still start successfully, and the
traceback doesn't appear in any of the pki-cad logs.

It seems that it is looking for a ca.subsystem.certreq entry in
/etc/pki-ca/CS.cfg, and sure enough it isn't there.  Nor is it present
in CS.cfg.bak.

How can I create this entry (or otherwise fix this)?

Thanks!
--
========
Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 




[Freeipa-users] Vector/hi-res logo

2015-09-08 Thread Ian Pilcher

Now that I'm actually using IPA authentication for a few services within
my house, I'm going to set up a simple "start page" with a few links,
including a link to IPA web UI for password changes.  I'd like to use
the FreeIPA logo, but I've only been able to find very small and/or
fuzzy versions.

Does anyone know where I can find a high-resolution or vector version of
the logo?

Thanks!

--
========
Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 




Re: [Freeipa-users] Using IPA CA to sign SSL client certificates

2015-08-28 Thread Ian Pilcher

On 08/28/2015 10:41 AM, Jan Pazdziora wrote:

> That's new feature in FreeIPA 4.2:
>
> http://www.freeipa.org/page/V4/User_Certificates



I'm glad to see that's being added.

I have IPA 3.0 on CentOS 6 (on a 32-bit system), so I won't be able to
use that feature.

I'm basically asking if there's a way to manually use the CA within my
existing IPA install to manually create a certificate, in a way that is
non-disruptive to IPA itself.  I hope that makes sense.

Thanks!

--

Ian Pilcher arequip...@gmail.com
 I grew up before Mark Zuckerberg invented friendship 




Re: [Freeipa-users] Using IPA CA to sign SSL client certificates

2015-08-28 Thread Ian Pilcher

On 08/28/2015 10:35 AM, Alexander Bokovoy wrote:

> This is all explained in the official guide:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/service-certificates.html


I guess I should have been more clear.  I need to create certificates
for users, not services.

--

Ian Pilcher arequip...@gmail.com
 I grew up before Mark Zuckerberg invented friendship 




[Freeipa-users] Using IPA CA to sign SSL client certificates

2015-08-28 Thread Ian Pilcher

I need to create a few client certificates, and I'd like to use my pre-
existing IPA CA.

Is there a simple way to do this?

Thanks!

--

Ian Pilcher arequip...@gmail.com
 I grew up before Mark Zuckerberg invented friendship 




Re: [Freeipa-users] Adding virtual servers to IPA httpd

2015-08-24 Thread Ian Pilcher

On 08/24/2015 08:30 PM, Rob Crittenden wrote:

> Ian Pilcher wrote:
>
>> How can I test the CA proxy and RPC URIs?  Is there anything else I
>> should check before I declare victory and start drinking?
>>
>> Thanks!
>
> This will exercise the basics:
>
> ipa cert-show 1
>
> As long as /ca is opened by IPA you should be ok.



Seems to be working.  Thanks!

--

Ian Pilcher arequip...@gmail.com
 I grew up before Mark Zuckerberg invented friendship 




[Freeipa-users] Adding virtual servers to IPA httpd

2015-08-23 Thread Ian Pilcher

Is it possible to add name- or port-based virtual servers to IPA's
Apache server (without interfering with any of the IPA functions)?

If so, is it documented anywhere?

Thanks!

--

Ian Pilcher arequip...@gmail.com
 I grew up before Mark Zuckerberg invented friendship 

