Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

2017-05-12 Thread Iulian Roman
On Fri, May 12, 2017 at 4:03 PM, <wouter.hummel...@kpn.com> wrote:

> Yes, kinit works with IPA users. GSSAPI authentication is not keeping it
> simple, since we want passwords to work before trying TGS based logins over
> GSSAPI.
>
> The keytab works since lsuser is still able to get user data.
> (Documentation specifies that enabling krb5 in ldap.cfg makes the bind user
> and password moot, secldapclntd uses krb5 to identify itself to IPA)
>
> Also we are able to kinit host/aixlpar.example@example.org -kt
> /etc/krb5/krb5.keytab
>
If your Kerberos client works (and it looks like it works, as long as you
can properly kinit), the only option you have is to check
/var/log/krb5kdc.log on the IPA server and /var/log/messages, or whatever you
have configured in syslog for auth, on the AIX client.

>
> We can try using su from an unprivileged user, but su has some different
> issues altogether, it doesn't like @ in usernames which we need at the next
> stage (integrating AD Trust)
>
> *From:* Iulian Roman [mailto:iulian.ro...@gmail.com]
> *Sent:* Friday 12 May 2017 15:56
> *To:* Hummelink, Wouter
> *Cc:* luiz.via...@tivit.com.br; freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
>
> On Fri, May 12, 2017 at 3:31 PM, <wouter.hummel...@kpn.com> wrote:
>
> The shell is shown correctly as ksh in lsuser, so that doesn't appear to be
> an issue for the ID view.
>
> My advice would be to start simple, prove that your authentication works
> and you can develop a more elaborate setup afterwards. If you combine them
> all together it will be trial and error which eventually will work at
> some point.
>
> Do you have the correct keytabs in /etc/krb5/krb5.keytab? Can you run
> kinit (with password and with the keytab) from AIX and get a ticket from
> Kerberos? Can you su to an IPA account? Do you have GSSAPIAuthentication
> enabled in sshd_config?
>
> From what you've described I would suspect that your keytab is not correct,
> but that should be confirmed only by answering the questions above.
>
> Sent from my Samsung device
>
>  Original message 
> From: Luiz Fernando Vianna da Silva <luiz.via...@tivit.com.br>
> Date: 12-05-17 15:03 (GMT+01:00)
> To: "Hummelink, Wouter" <wouter.hummel...@kpn.com>,
> freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
>
> Hello Wouter.
>
> It may seem silly, but try installing bash on one AIX server and test
> authenticating against that one.
>
> It's a single rpm with no dependencies. For me it did the trick and I ended
> up doing that on all my AIX servers.
>
> Let me know how it goes or if you have any issues.
>
> Best Regards
>
> *Luiz Fernando Vianna da Silva*
>
> On 12-05-2017 09:47, wouter.hummel...@kpn.com wrote:
>
> Hi All,
>
> We're running a POC to integrate IPA and AIX using the AIX KRB5LDAP compound
> module.
>
> All the moving parts seem to be working on their own, however logging in
> doesn't work, with SSH on AIX reporting Failed password for user
>
> We're using ID views to overwrite the user shell and home dirs (since AIX
> will refuse a login with a non-existent shell, like bash).
>
> AIX's lsuser command is able to find all of the users it's supposed to and
> su to IPA users works.
>
> Also when a user tries to log in I can see a successful Kerberos
> conversation to our IPA server.
>
> Tips for troubleshooting would be much appreciated; increasing the SSH log
> level did not produce any meaningful logging.
>
> === Configuration Excerpt ===
>
> /etc/security/ldap/ldap.cfg:
>
> ldapservers:ipaserver.example.org
>
> binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
>
> bindpwd:{DESv2}
>
> authtype:ldap_auth
>
> useSSL:TLS
>
> ldapsslkeyf:/etc/security/ldap/example.kdb
>
> ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8
> 932F219867AA7C2C552A12BEEC0CC67
>
> useKRB5:yes
>
> krbprincipal:host/aixlpar.example.org
>
> krbkeypath:/etc/krb5/krb5.keytab
>
> userattrmappath:/etc/security/ldap/2307user.map
>
> groupattrmappath:/etc/security/ldap/2307group.map
>
> userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
>
> groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
>
> netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
>

Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

2017-05-12 Thread Iulian Roman
On Fri, May 12, 2017 at 3:31 PM,  wrote:

> The shell is shown correctly as ksh in lsuser, so that doesn't appear to be
> an issue for the ID view.
>

My advice would be to start simple, prove that your authentication works
and you can develop a more elaborate setup afterwards. If you combine them
all together it will be trial and error which eventually will work at
some point.
Do you have the correct keytabs in /etc/krb5/krb5.keytab? Can you run
kinit (with password and with the keytab) from AIX and get a ticket from
Kerberos? Can you su to an IPA account? Do you have GSSAPIAuthentication
enabled in sshd_config?

From what you've described I would suspect that your keytab is not correct,
but that should be confirmed only by answering the questions above.

>
> Sent from my Samsung device
>
>  Original message 
> From: Luiz Fernando Vianna da Silva 
> Date: 12-05-17 15:03 (GMT+01:00)
> To: "Hummelink, Wouter" ,
> freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
>
> Hello Wouter.
>
> It may seem silly, but try installing bash on one AIX server and test
> authenticating against that one.
>
> It's a single rpm with no dependencies. For me it did the trick and I ended
> up doing that on all my AIX servers.
>
> Let me know how it goes or if you have any issues.
>
> Best Regards
>
> *Luiz Fernando Vianna da Silva*
>
> On 12-05-2017 09:47, wouter.hummel...@kpn.com wrote:
>
> Hi All,
>
> We're running a POC to integrate IPA and AIX using the AIX KRB5LDAP compound
> module.
>
> All the moving parts seem to be working on their own, however logging in
> doesn't work, with SSH on AIX reporting Failed password for user
>
> We're using ID views to overwrite the user shell and home dirs (since AIX
> will refuse a login with a non-existent shell, like bash).
>
> AIX's lsuser command is able to find all of the users it's supposed to and
> su to IPA users works.
>
> Also when a user tries to log in I can see a successful Kerberos
> conversation to our IPA server.
>
> Tips for troubleshooting would be much appreciated; increasing the SSH log
> level did not produce any meaningful logging.
>
> === Configuration Excerpt ===
>
> /etc/security/ldap/ldap.cfg:
>
> ldapservers:ipaserver.example.org
>
> binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
>
> bindpwd:{DESv2}
>
> authtype:ldap_auth
>
> useSSL:TLS
>
> ldapsslkeyf:/etc/security/ldap/example.kdb
>
> ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8
> 932F219867AA7C2C552A12BEEC0CC67
>
> useKRB5:yes
>
> krbprincipal:host/aixlpar.example.org
>
> krbkeypath:/etc/krb5/krb5.keytab
>
> userattrmappath:/etc/security/ldap/2307user.map
>
> groupattrmappath:/etc/security/ldap/2307group.map
>
> userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
>
> groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
>
> netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
>
> automountbasedn:cn=default,cn=automount,dc=example,dc=org
>
> etherbasedn:cn=computers,cn=accounts,dc=example,dc=org
>
> userclasses:posixaccount,account,shadowaccount
>
> groupclasses:posixgroup
>
> ldapport:389
>
> searchmode:ALL
>
> defaultentrylocation:LDAP
>
>
>
> /etc/security/user default:
>
> SYSTEM = KRB5LDAP or compat
>
> */etc/methods.cfg*
>
> LDAP:
>         program = /usr/lib/security/LDAP
>         program_64 = /usr/lib/security/LDAP64
>
> NIS:
>         program = /usr/lib/security/NIS
>         program_64 = /usr/lib/security/NIS_64
>
> DCE:
>         program = /usr/lib/security/DCE
>
> KRB5:
>         program = /usr/lib/security/KRB5
>         program_64 = /usr/lib/security/KRB5_64
>         options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no
>
> KRB5LDAP:
>         options = auth=KRB5,db=LDAP
>
>
> Kind regards,
>
> Wouter Hummelink
>
> Technical Consultant - Enterprise Webhosting / Tooling & Automation
>
> T: +31-6-12882447
>
> E: wouter.hummel...@kpn.com
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

2017-05-12 Thread Iulian Roman
On Fri, May 12, 2017 at 2:32 PM,  wrote:

> Hi All,
>
> We're running a POC to integrate IPA and AIX using the AIX KRB5LDAP compound
> module.
>
> All the moving parts seem to be working on their own, however logging in
> doesn't work, with SSH on AIX reporting Failed password for user
>
> We're using ID views to overwrite the user shell and home dirs (since AIX
> will refuse a login with a non-existent shell, like bash).
>
>

Why don't you just use /bin/sh as the default shell in IPA? In AIX
/bin/sh is the same as /bin/ksh and in Linux it is a symlink to /bin/bash.

> AIX's lsuser command is able to find all of the users it's supposed to and
> su to IPA users works.
>
> Also when a user tries to log in I can see a successful Kerberos
> conversation to our IPA server.
>
> Tips for troubleshooting would be much appreciated; increasing the SSH log
> level did not produce any meaningful logging.
>
> === Configuration Excerpt ===
>
> /etc/security/ldap/ldap.cfg:
>
> ldapservers:ipaserver.example.org
>
> binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
>
> bindpwd:{DESv2}
>
> authtype:ldap_auth
>
> useSSL:TLS
>
> ldapsslkeyf:/etc/security/ldap/example.kdb
>
> ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8
> 932F219867AA7C2C552A12BEEC0CC67
>
> useKRB5:yes
>
> krbprincipal:host/aixlpar.example.org
>
> krbkeypath:/etc/krb5/krb5.keytab
>
> userattrmappath:/etc/security/ldap/2307user.map
>
> groupattrmappath:/etc/security/ldap/2307group.map
>
> userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
>
> groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
>
> netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
>
> automountbasedn:cn=default,cn=automount,dc=example,dc=org
>
> etherbasedn:cn=computers,cn=accounts,dc=example,dc=org
>
> userclasses:posixaccount,account,shadowaccount
>
> groupclasses:posixgroup
>
> ldapport:389
>
> searchmode:ALL
>
> defaultentrylocation:LDAP
>
>
>
> /etc/security/user default:
>
> SYSTEM = KRB5LDAP or compat
>

I am using the following settings in /etc/security/user:
SYSTEM = KRB5LDAP
registry = KRB5LDAP
It works for AIX 5, 6 and 7 in my setup.


> */etc/methods.cfg*
>
> LDAP:
>         program = /usr/lib/security/LDAP
>         program_64 = /usr/lib/security/LDAP64
>
> NIS:
>         program = /usr/lib/security/NIS
>         program_64 = /usr/lib/security/NIS_64
>
> DCE:
>         program = /usr/lib/security/DCE
>
> KRB5:
>         program = /usr/lib/security/KRB5
>         program_64 = /usr/lib/security/KRB5_64
>         options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no
>
> KRB5LDAP:
>         options = auth=KRB5,db=LDAP
>
>
> Kind regards,
>
> Wouter Hummelink
>
> Technical Consultant - Enterprise Webhosting / Tooling & Automation
>
> T: +31-6-12882447
>
> E: wouter.hummel...@kpn.com
>
>
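As an added example (not from the thread, and not part of FreeIPA or AIX), a small Python checker for the two AIX files quoted in this thread; it applies the points the replies make: the keytab settings that useKRB5:yes needs, the bindpwd that the documentation cited above says is unused once Kerberos binding is on, keeping userbasedn and groupbasedn in the same FreeIPA tree, and the SYSTEM/registry pair reported as working. The sample file contents are constructed from the quoted excerpt with the secrets replaced by placeholders.

```python
"""Consistency checks for an AIX KRB5LDAP client pointed at FreeIPA (added example)."""

# Constructed sample mirroring the ldap.cfg quoted in the thread (shortened,
# secrets replaced by placeholders).
SAMPLE_LDAP_CFG = """\
# AIX secldapclntd configuration
ldapservers:ipaserver.example.org
binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
bindpwd:{DESv2}PLACEHOLDER
authtype:ldap_auth
useSSL:TLS
ldapsslkeyf:/etc/security/ldap/example.kdb
useKRB5:yes
krbprincipal:host/aixlpar.example.org
krbkeypath:/etc/krb5/krb5.keytab
userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
ldapport:389
"""

# Constructed sample of the /etc/security/user default stanza from the thread.
SAMPLE_USER_STANZAS = """\
default:
        SYSTEM = "KRB5LDAP or compat"
"""


def parse_ldap_cfg(text):
    """ldap.cfg holds one 'key:value' per line; '#' starts a comment."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            cfg[key.strip().lower()] = value.strip()
    return cfg


def parse_user_stanza(text, stanza="default"):
    """Return the attributes of one stanza of /etc/security/user."""
    attrs, current = {}, None
    for raw in text.splitlines():
        if raw.startswith("*") or not raw.strip():  # '*' lines are comments
            continue
        if not raw[0].isspace() and raw.rstrip().endswith(":"):
            current = raw.strip()[:-1]
        elif current == stanza and "=" in raw:
            key, value = raw.split("=", 1)
            attrs[key.strip()] = value.strip().strip('"')
    return attrs


def tree_of(dn):
    """Classify a FreeIPA base DN: compat (RFC2307) or accounts (RFC2307bis)."""
    rdns = {r.strip().lower() for r in dn.split(",")}
    if "cn=compat" in rdns:
        return "compat"
    return "accounts" if "cn=accounts" in rdns else "other"


def check_client_config(ldap_cfg, user_default):
    """Return (severity, message) findings for the parsed configuration."""
    findings = []
    use_ssl = ldap_cfg.get("usessl", "no").lower()
    if ldap_cfg.get("usekrb5", "no").lower() == "yes":
        for key in ("krbprincipal", "krbkeypath"):
            if not ldap_cfg.get(key):
                findings.append(("error", f"useKRB5:yes but {key} is not set"))
        if ldap_cfg.get("bindpwd"):
            # Per the AIX documentation cited in the thread, secldapclntd binds
            # with the keytab once useKRB5 is on; the static secret is dead weight.
            findings.append(("info", "bindpwd is unused with useKRB5:yes; remove it"))
    elif ldap_cfg.get("bindpwd") and use_ssl == "no":
        findings.append(("error", "simple bind password would cross the wire without TLS"))
    if use_ssl in ("yes", "tls") and not ldap_cfg.get("ldapsslkeyf"):
        findings.append(("error", "useSSL is on but ldapsslkeyf (CA key database) is not set"))
    # Both base DNs must live in the same tree.  AIX cannot dereference the
    # RFC2307bis 'member' attribute of cn=accounts, so the compat tree is the
    # designed choice for it; mixing the two trees is what the replies warn against.
    trees = {k: tree_of(ldap_cfg.get(k, "")) for k in ("userbasedn", "groupbasedn")}
    if len(set(trees.values())) > 1:
        findings.append(("error", f"userbasedn/groupbasedn point at different trees: {trees}"))
    elif trees["groupbasedn"] == "accounts":
        findings.append(("warn", "groupbasedn is in cn=accounts; nested groups will not resolve"))
    system = user_default.get("SYSTEM", "")
    if "KRB5LDAP" not in system.split():
        findings.append(("error", f"SYSTEM = {system!r} never tries the KRB5LDAP module"))
    if user_default.get("registry") != "KRB5LDAP":
        # The combination reported as working in the thread sets both attributes.
        findings.append(("warn", "registry is not KRB5LDAP; set it alongside SYSTEM"))
    return findings


if __name__ == "__main__":
    cfg = parse_ldap_cfg(SAMPLE_LDAP_CFG)
    for severity, message in check_client_config(cfg, parse_user_stanza(SAMPLE_USER_STANZAS)):
        print(f"[{severity}] {message}")
```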

[Freeipa-users] ipa replica between different environments

2017-05-01 Thread Iulian Roman
Hello,

Is it possible/supported to _clone_ an IPA setup between different
environments, disconnect the replicas and use them independently (e.g.
clone ST to ET and use them as separate IPA servers for ST and ET clients
respectively), or does the disconnect remove the data?

[Freeipa-users] ipa-getkeytab client equivalent for Unix

2017-04-06 Thread Iulian Roman
Hello,

Can anybody explain briefly what ipa-getkeytab runs under the hood, in order
to use similar logic for Unix clients (it will help in automating the
registration to the IPA server)?

Thank You !

[Freeipa-users] staging area and group membership

2017-03-28 Thread Iulian Roman
Hello,

Is it possible to directly add a user to certain groups when the user is
defined in the staging area?

[Freeipa-users] ldap connector from IIQ to ipa

2017-03-20 Thread Iulian Roman
Hello,

We plan to integrate IPA with IdentityIQ (SailPoint) for user
provisioning. Because IPA abstracts all the ldap commands via a new set
of commands and APIs, I am not sure if the standard ldap connector is the
right option and if it is supported (taking into consideration that a
simple user creation does update/create more ldap containers).

Could you please clarify if updating IPA via standard ldap commands is
supported but not necessarily a best practice, or if it is an absolute NO?

Thank You !

Re: [Freeipa-users] compat and nested groups for Unix system

2017-03-20 Thread Iulian Roman
On Mon, Mar 20, 2017 at 4:24 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Mon, 20 Mar 2017, Iulian Roman wrote:
>
>> On Mon, Mar 20, 2017 at 4:00 PM, Alexander Bokovoy <aboko...@redhat.com>
>> wrote:
>>
>>> On Mon, 20 Mar 2017, Iulian Roman wrote:
>>>
>>>> Hello,
>>>>
>>>> I noticed that the nested group feature does not work with the unix ldap
>>>> clients (AIX) if the default groupbasedn (cn=groups,cn=accounts,dc=...)
>>>> is used. If I use the cn=compat and change the mapping the nested groups
>>>> are listed properly.
>>>>
>>> Compat tree implements RFC2307 schema which doesn't have nested groups.
>>>
>> Correct, but although the groups under the compat tree do not have the
>> nestedgroup object class attribute, whenever I change the group membership
>> via the WEB UI, the compat tree group membership is automatically updated
>> (a new memberUid is added). What I've done was a sort of workaround and map
>> the AIX groups attribute to the memberUid, which seems to work properly.
>>
> memberUid is uidNumber of corresponding user, not a group identifier.
> Perhaps, you are trying to explain something else?
>
Ok, maybe I have to explain it more clearly as it was confusing:
in order to get the user list attribute for an ldap group in AIX, you use
some .map files, which map the ldap attributes to the AIX attributes. For
the 2307 schema, to get the user list of a group you have to map the
AIX _users_ attribute to the _memberuid_ ldap attribute. For the compat
tree, in the file ipagroup.map I've mapped the AIX _users_ attribute to the
_memberuid_ ipa/ldap attribute and therefore I have the list of the users
for that particular group. Having the list of users which are members of a
group translates to having the group list of the users (if we invert the
logic). Does that make more sense now?

>
>>> Main tree in FreeIPA uses RFC2307bis schema which supports nested
>>> groups.
>>>
>> Any plans to support RFC2307AIX schema ?
>>
> No.
>
>
>>> On AIX, IBM officially supports only AIX, RFC2307, and RFC2307AIX
>>> schemas. AIX's automounter does support RFC2307bis automount maps but
>>> the rest of the system does not support RFC2307bis. In particular, AIX
>>> does not understand member attribute dereference.
>>>
>>>
>>>> My question is if it is allowed to mix the compat and accounts cn for the
>>>> userbasedn and groupbasedn on the same unix ldap client ?
>>>>
>>> No, not really. You are messing it up something that your client
>>> does not understand.
>>>
>> As I explained above, I could use the basic attributes in the compat tree
>> for groups in order to update the AIX "groups" attribute (based on the
>> memberuid list). Is there anything which can break the functionality if
>> the compat tree is used instead of the main/accounts tree, or is it a
>> fortunate coincidence that this setup works?
>>
> Why don't you use the compat tree for both users and groups in AIX? This is
> how it was designed to be used.
>
Actually the compat tree was the default one configured by the ldap client,
but checking the ldap structure it seemed more logical to use the default IPA
ldap tree which is used as well for Linux. Moreover I did not understand
what exactly the purpose of the compat tree is and I was quite confused.
Apart from that I missed some krb* related attributes for the user, but
probably I have to re-evaluate that and use the compat tree for both users
and groups, if that's what it was designed for.


>
> --
> / Alexander Bokovoy
>
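To make the mechanism discussed in this thread concrete (the compat tree flattens RFC2307bis `member` references into RFC2307 memberUid values, an AIX map then reads memberUid into the `users` attribute, and inverting those lists gives each user's group list), here is an added Python example; it is not code from the thread, from FreeIPA or from AIX. All directory entries are constructed, and the group map line is written in the AIX *.map format as an assumption.

```python
"""Why AIX lists nested groups from cn=compat but not from cn=accounts (added example)."""

BASE = "dc=example,dc=org"
USERS = f"cn=users,cn=accounts,{BASE}"
GROUPS = f"cn=groups,cn=accounts,{BASE}"

# Constructed RFC2307bis main tree: membership is a 'member' attribute of DNs,
# which may point at users or at other groups (nesting).  No memberUid here.
MAIN_TREE = {
    f"uid=alice,{USERS}": {"objectClass": ["posixAccount"], "uid": "alice"},
    f"uid=bob,{USERS}": {"objectClass": ["posixAccount"], "uid": "bob"},
    f"uid=carol,{USERS}": {"objectClass": ["posixAccount"], "uid": "carol"},
    f"cn=dbadmins,{GROUPS}": {
        "objectClass": ["posixGroup", "groupOfNames"], "cn": "dbadmins",
        "member": [f"uid=alice,{USERS}"]},
    f"cn=unixadmins,{GROUPS}": {
        "objectClass": ["posixGroup", "groupOfNames"], "cn": "unixadmins",
        "member": [f"uid=bob,{USERS}", f"cn=dbadmins,{GROUPS}"]},      # nested
    f"cn=aixops,{GROUPS}": {
        "objectClass": ["posixGroup", "groupOfNames"], "cn": "aixops",
        "member": [f"uid=carol,{USERS}", f"cn=unixadmins,{GROUPS}"]},  # two levels
}


def flatten_members(tree, group_dn, _seen=None):
    """Resolve 'member' DNs transitively to the uid of every user member.
    This is the flattening the compat tree exposes as RFC2307 memberUid."""
    seen = _seen if _seen is not None else set()
    uids = []
    for dn in tree.get(group_dn, {}).get("member", []):
        if dn in seen:          # guards against membership cycles
            continue
        seen.add(dn)
        entry = tree.get(dn, {})
        if "uid" in entry:
            uids.append(entry["uid"])
        elif "member" in entry:
            uids.extend(flatten_members(tree, dn, seen))
    return sorted(set(uids))


def build_compat_groups(tree):
    """Emit the RFC2307 view of every group, as cn=compat presents it."""
    compat = {}
    for dn, entry in tree.items():
        if "posixGroup" in entry["objectClass"]:
            compat[f"cn={entry['cn']},cn=groups,cn=compat,{BASE}"] = {
                "objectClass": ["posixGroup"], "cn": entry["cn"],
                "memberUid": flatten_members(tree, dn)}
    return compat


# Assumed group map line in the AIX *.map format (AIX attribute, type, LDAP
# attribute, single/multi): the AIX 'users' list is read from memberuid,
# which is the mapping the thread describes.
GROUP_MAP_LINE = "users  SEC_LIST  memberuid  m"


def aix_users_attribute(group_entry, map_line=GROUP_MAP_LINE):
    """Apply the map line to one LDAP group entry, as an RFC2307 client would:
    no dereferencing of 'member', only a plain attribute lookup."""
    aix_attr, _type, ldap_attr, _multi = map_line.split()
    values = next((v for k, v in group_entry.items() if k.lower() == ldap_attr), [])
    return {aix_attr: list(values)}


def groups_of_user(compat, uid):
    """Invert the memberUid lists: the group list AIX ends up with for one user."""
    return sorted(e["cn"] for e in compat.values() if uid in e["memberUid"])


if __name__ == "__main__":
    compat = build_compat_groups(MAIN_TREE)
    for dn in (f"cn=aixops,{GROUPS}", f"cn=aixops,cn=groups,cn=compat,{BASE}"):
        source = MAIN_TREE.get(dn) or compat[dn]
        print(dn, "->", aix_users_attribute(source))
    print("groups of alice:", groups_of_user(compat, "alice"))
```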

Re: [Freeipa-users] compat and nested groups for Unix system

2017-03-20 Thread Iulian Roman
On Mon, Mar 20, 2017 at 4:00 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Mon, 20 Mar 2017, Iulian Roman wrote:
>
>> Hello,
>>
>> I noticed that the nested group feature does not work with the unix ldap
>> clients (AIX) if the default groupbasedn (cn=groups,cn=accounts,dc=...)
>> is used. If I use the cn=compat and change the mapping the nested groups
>> are listed properly.
>>
> Compat tree implements RFC2307 schema which doesn't have nested groups.
>
>
Correct, but although the groups under the compat tree do not have the
nestedgroup object class attribute, whenever I change the group membership
via the WEB UI, the compat tree group membership is automatically updated (a
new memberUid is added). What I've done was a sort of workaround and map the
AIX groups attribute to the memberUid, which seems to work properly.


> Main tree in FreeIPA uses RFC2307bis schema which supports nested
> groups.
>
Any plans to support RFC2307AIX schema ?

> On AIX, IBM officially supports only AIX, RFC2307, and RFC2307AIX
> schemas. AIX's automounter does support RFC2307bis automount maps but
> the rest of the system does not support RFC2307bis. In particular, AIX
> does not understand member attribute dereference.
>
>
>> My question is if it is allowed to mix the compat and accounts cn for the
>> userbasedn and groupbasedn on the same unix ldap client ?
>>
> No, not really. You are messing it up something that your client
> does not understand.
>
As I explained above, I could use the basic attributes in the compat tree
for groups in order to update the AIX "groups" attribute (based on the
memberuid list). Is there anything which can break the functionality if the
compat tree is used instead of the main/accounts tree, or is it a fortunate
coincidence that this setup works?

>
>
> --
> / Alexander Bokovoy
>

[Freeipa-users] compat and nested groups for Unix system

2017-03-20 Thread Iulian Roman
Hello,

I noticed that the nested group feature does not work with the unix ldap
clients (AIX) if the default groupbasedn (cn=groups,cn=accounts,dc=...) is
used. If I use the cn=compat and change the mapping the nested groups are
listed properly.

My question is if it is allowed to mix the compat and accounts cn for the
userbasedn and groupbasedn on the same unix ldap client ?

Re: [Freeipa-users] pam_hbac for aix

2017-03-06 Thread Iulian Roman
On Mon, Mar 6, 2017 at 12:20 PM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Mon, Mar 06, 2017 at 10:59:12AM +0100, Iulian Roman wrote:
> > Hello,
> >
> > Does anyone know what the status is of the support for AIX in the
> > pam_hbac tool? I've heard from a RH presentation that it is available,
> > although on the project site it does not seem to be supported yet.
> >
> > I would like to know if there are any plans in that direction, because
> > our migration of thousands of AIX machines to IPA is conditioned by the
> > availability of pam_hbac. The HBAC rules/policy design depends as well
> > on the method you use to parse the rules.
>
> It's in progress, but delayed due to the current work we are doing for
> RHEL-7.4. I've merged HP-UX support a couple of weeks ago and AIX
> support is next on the list.
>
Any chance we can prioritize that by creating an RFE? We have quite a
big environment and it would simplify the access control a lot if we can
make use of pam_hbac.

> If you'd like to help with the port, any help is appreciated :-)
>
I am willing to, at least with testing it on different OS versions. If
there is anything else I can do, please let me know.


[Freeipa-users] pam_hbac for aix

2017-03-06 Thread Iulian Roman
Hello,

Does anyone know what the status is of the support for AIX in the
pam_hbac tool? I've heard from a RH presentation that it is available,
although on the project site it does not seem to be supported yet.

I would like to know if there are any plans in that direction, because
our migration of thousands of AIX machines to IPA is conditioned by the
availability of pam_hbac. The HBAC rules/policy design depends as well on
the method you use to parse the rules.

Re: [Freeipa-users] WEB UI - wrong fonts or incomplete page loaded

2017-02-24 Thread Iulian Roman
On Fri, Feb 24, 2017 at 5:41 PM, Petr Vobornik <pvobo...@redhat.com> wrote:

> On 02/24/2017 05:13 PM, Iulian Roman wrote:
>
>> On Fri, Feb 24, 2017 at 4:55 PM, Petr Vobornik <pvobo...@redhat.com> wrote:
>>
>>> On 02/24/2017 12:15 PM, Iulian Roman wrote:
>>>
>>>> Hello,
>>>>
>>>> After a successful installation of the ipa-server when I try to login
>>>> via WEB UI I've noticed that the web page looks strange (wrong fonts and
>>>> page seems not completely/correctly loaded).
>>>>
>>>> The network debugger in chrome/firefox does
>>>
>>> So it won't be browser or extension related. The only possibility is to
>>> have the same extension on both browsers.
>>>
>>>> display 2 errors :
>>>>
>>>> - json /ipa/session/ 401 Unauthorized
>>>
>>> This is expected.
>>>
>>>> - login _kerberos?=...  net::ERR_ACCESS_DENIED
>>>
>>> This one should return also "401 Unauthorized" if you don't have SSO
>>> configured on browser or SSO(kerberos) ticket.
>>>
>>> net::ERR_ACCESS_DENIED indicates something wrong. Maybe some other
>>> software interferes in the communication with server.
>>>
>>> What OS it is? Could there be an overzealous antivirus (the web check
>>> part). Or maybe a custom proxy setting?
>>
>> It behaves the same from all browsers (firefox, chrome) and from both
>> Linux and windows. I do use a proxy, but trying with firefox directly from
>> the ipa server - therefore without proxy - does have the same result.
>>
>>>> I do not intend to use SSO for login into WEBUI (although it is the
>>>> default in the ipa version I am using) but apparently a supported method
>>>> to disable it is not known.
>>>
>>> Right, it is not currently possible. I've opened RFE ticket.
>>> https://fedorahosted.org/freeipa/ticket/6709 Please comment if your use
>>> case is different than the proposed user story.
>>>
>>>> I can login with user and password but the WEB UI is almost unusable
>>>> because of wrongly loaded page .
>>>
>>> I wonder if something did not tamper in the loaded files. If all files
>>> are loaded correctly and if it is fresh install (to mitigate possibility
>>> of old cache) then it is weird. Maybe it is the antivirus.
>>
>> I wonder too. The strange thing is that from the same browser I can access
>> properly a different ipa server (which I've configured some time ago).
>>
>>> Do you have some Web UI plugin installed on IPA server?
>>
>> It is a default installation. How can I check which plugins are installed?
>>
>
> Plugins are in /usr/share/ipa/ui/js/plugins/ if the directory is empty
> then there is no plugin.
>
I've just checked and there are no plugins installed.

> But plugin would not cause:
>   login _kerberos?=...  net::ERR_ACCESS_DENIED

Indeed, but what would cause that? It is quite strange and I am almost
clueless. I try to narrow it down and in my opinion the issue is most
probably on the server side, but I have no evidence for that so far.

>
>>>> Did anyone experience the same issue and is there any fix/solution for
>>>> that ?
>>>>
>>>
>>> --
>>> Petr Vobornik
>>>
>>> Associate Manager, Engineering, Identity Management
>>> Red Hat, Inc.
>>
>
> --
> Petr Vobornik
>
> Associate Manager, Engineering, Identity Management
> Red Hat, Inc.
>

Re: [Freeipa-users] WEB UI - wrong fonts or incomplete page loaded

2017-02-24 Thread Iulian Roman
On Fri, Feb 24, 2017 at 4:55 PM, Petr Vobornik <pvobo...@redhat.com> wrote:

> On 02/24/2017 12:15 PM, Iulian Roman wrote:
>
>> Hello,
>>
>> After a successful installation of the ipa-server when i try to login via
>> WEB UI
>> i've noticed that the web page looks strange (wrong fonts and page seems
>> not
>> completely/correctly loaded).
>>
>
>
> The network debugger in chrome/firefox does
>>
>
> So it won't be browser or extension related. The only possibility is to
> have same extension on both browsers.
>
> display 2 errors :
>>
>> - json /ipa/session/ 401 Unauthorized
>>
>
> This is expected.
>
> - login _kerberos?=...  net::ERR_ACCESS_DENIED
>>
>
> This one should return also "401 Unauthorized" if you don't have SSO
> configured on browser or SSO(kerberos) ticket.
>
> net::ERR_ACCESS_DENIED indicates something wrong. Maybe some other
> software interferes in the communication with server.
>
> What OS it is? Could there be an overzealous antivirus (the web check
> part).  Or maybe a custom proxy setting?
>

It behaves the same from all browsers (firefox, chrome) and from both Linux
and windows. I do use a proxy, but trying with firefox directly from the
ipa server - therefore without proxy - does have the same result.

>
>
>> I do not intend to use SSO for login into WEBUI (although it is the
>> default in
>> the ipa version i am using)  but apparently a supported method to
>> disable  it is
>> not known.
>>
>
> Right, it is not currently possible. I've opened RFE ticket.
> https://fedorahosted.org/freeipa/ticket/6709 Please comment if your use
> case is different than the proposed user story.
>
> I can login with user and password but the WEB UI is almost unusable
>> because of wrongly loaded page .
>>
>
> I wonder if something did not tamper in the loaded files. If all files are
> loaded correctly and if it is fresh install (to mitigate possibility of old
> cache) then it is weird. Maybe it is the antivirus.
>
I wonder too. The strange thing is that from the same browser I can access
properly a different ipa server (which I've configured some time ago).

>
> Do you have some Web UI plugin installed on IPA server?


It is a default installation. How can I check which plugins are installed?

>
>
>
>>
>> Did anyone experience the same issue and is there any fix/solution for
>> that ?
>>
>>
>
> --
> Petr Vobornik
>
> Associate Manager, Engineering, Identity Management
> Red Hat, Inc.
>

[Freeipa-users] WEB UI - wrong fonts or incomplete page loaded

2017-02-24 Thread Iulian Roman
Hello,

After a successful installation of the ipa-server, when I try to login via
the WEB UI I've noticed that the web page looks strange (wrong fonts and the
page seems not completely/correctly loaded). The network debugger in
chrome/firefox does display 2 errors:

- json /ipa/session/ 401 Unauthorized
- login _kerberos?=...  net::ERR_ACCESS_DENIED

I do not intend to use SSO for login into the WEBUI (although it is the
default in the ipa version I am using) but apparently a supported method to
disable it is not known. I can login with user and password but the WEB UI
is almost unusable because of the wrongly loaded page.

Did anyone experience the same issue and is there any fix/solution for
that?

[Freeipa-users] integrated DNS vs external DNS

2017-02-23 Thread Iulian Roman
Despite reading the FreeIPA and Red Hat IdM documentation regarding DNS,
it is still unclear to me if and when integrated DNS is mandatory. We
do have an environment with a pretty complex DNS setup, which has been in
place for years and there are no plans to change it.

If I understood correctly from the documentation, integrated DNS is
mandatory for configuring AD trust. Is that correct?

Can the integrated DNS be configured as forward only? Do the clients need
to have IPA DNS as a resolver or can they just use the existing DNS server?

Re: [Freeipa-users] support for rfc2307AIX schema in IPA server

2017-02-23 Thread Iulian Roman
On Wed, Feb 22, 2017 at 9:02 PM, Michael Ströder <mich...@stroeder.com>
wrote:

> Iulian Roman wrote:
> > On Wed, Feb 22, 2017 at 6:03 PM, Michael Ströder <mich...@stroeder.com
> > <mailto:mich...@stroeder.com>> wrote:
> >
> > Iulian Roman wrote:
> > > On Tue, Feb 21, 2017 at 4:31 PM, Rob Crittenden <
> rcrit...@redhat.com <mailto:rcrit...@redhat.com>
> > > <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>>> wrote:
> > >
> > > Iulian Roman wrote:
> > > > Does anybody know if the rfc2307aix schema is supported in
> IPA server
> > >
> > > No, it isn't supported (it's the first I've ever heard of it).
> Looking
> > > at the schema I doubt it is something that would ever be fully
> supported.
> > >
> > > is there any possibility to extend the existing schema with
> additional
> > > attributes/object
> >
> > Do you really use this specific AIX schema?
> > If yes, which attributes for which purpose?
> >
> > I do need the aixAuxAccount and aixAuxGroup object classes. They
> > implement some password restrictions needed for security/compliance
>
> Password policy is something best enforced centrally in the authentication
> server and
> password management system. So IMHO this serves as perfect example for
> proprietary
> attributes you won't need.
>
> How is authentication done? SSH keys, Kerberos, LDAP simple bind?
>

Kerberos


> > +  some other security related attributes.
> > Personally i do not consider them a must - they are rather some nice to
> have features  -
> > but i have to migrate an environment which does use them. And i would
> like as well to
> > make the migration as transparent as possible (therefore without
> "missing features").
>
> Is the existing environment also an LDAP server with this particular AIX
> schema?
>

No, it is a custom/legacy solution which does not use LDAP but local
accounts which are centrally managed.

> Or are you trying to follow a migration path to LDAP suggested by IBM docs?
>
>
No, I've adapted a FreeIPA document which describes the client setup for
AIX (in its original form it does not work and needed some modifications),
but I have to admit that the documentation for integrating Unix clients is
poor and incomplete. IBM does recommend TDS, which integrates seamlessly
with both AIX and Linux clients, plus other features which should help in
integrating in a heterogeneous environment, but I am not evaluating that
solution currently (I may look into it only if I cannot integrate it with
IPA in the way I want).


> Being in your position I'd first compile a list of functional and security
> requirements
> and ask then whether these requirements can be implemented with FreeIPA.
> I'm curious to
> learn whether "some other security related attributes" are still needed
> after all.
>
All the password restriction policies (minage, maxage, number of
characters in the password, history of the old passwords, number of
characters, password dictionaries, etc.), loginretries, which "locks" the
account after a number of unsuccessful logins, hostsallow/deny login, and
all the ulimit related parameters (which can probably be ignored). It is
not a matter of whether they increase the security or not, or whether they are really
needed, but a matter of complying with some security standards agreed between
two parties. It would be easier to keep them in the same format than to
change the security standard, tooling and processes behind it (the bureaucracy,
overhead and complexity of the enterprise environment make me try to avoid
that as much as possible, especially when there are many people and
departments involved, with their own mindsets and playing different
politics).



> Ciao, Michael.
>
>
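A practitioner's first check on Michael's suggestion above (list the requirements, then ask whether FreeIPA covers them): an added Python example, not from this thread and not FreeIPA's own tooling, that maps an AIX /etc/security/user stanza onto the options of FreeIPA's native `ipa pwpolicy-mod` and flags the restrictions that are not password policy at all. Assumptions: AIX minage/maxage are in weeks while IPA's --minlife is in hours and --maxlife in days; the sample stanza and the group name are constructed.

```python
from typing import Dict, List, Optional, Tuple

# AIX /etc/security/user attribute -> (ipa pwpolicy-mod option, unit conversion).
# Assumed units: AIX minage/maxage are weeks; IPA --minlife is hours, --maxlife days.
AIX_TO_IPA = {
    "minage": ("--minlife", lambda weeks: weeks * 7 * 24),
    "maxage": ("--maxlife", lambda weeks: weeks * 7),
    "minlen": ("--minlength", lambda n: n),
    "histsize": ("--history", lambda n: n),
    "loginretries": ("--maxfail", lambda n: n),
}
# Restrictions from the thread that are not password policy in IPA at all:
# host-based login control belongs in an HBAC rule, ulimits stay on the client.
NOT_PWPOLICY = {
    "hostsallowedlogin": "use an IPA HBAC rule",
    "hostsdeniedlogin": "use an IPA HBAC rule",
}

def parse_aix_stanza(text: str) -> Dict[str, str]:
    """Parse one 'name:' stanza with 'attr = value' lines into a dict."""
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith(":") or line.startswith("*"):
            continue  # blank, stanza header, or AIX comment line
        key, _, value = line.partition("=")
        attrs[key.strip()] = value.strip()
    return attrs

def to_ipa_pwpolicy(attrs: Dict[str, str], group: Optional[str] = None) -> Tuple[List[str], Dict[str, str]]:
    """Return (argv for ipa pwpolicy-mod, {attr: note} for what pwpolicy cannot hold)."""
    argv = ["ipa", "pwpolicy-mod"] + ([group] if group else [])
    unmapped: Dict[str, str] = {}
    for key, value in attrs.items():
        if key in AIX_TO_IPA:
            opt, conv = AIX_TO_IPA[key]
            argv.append(f"{opt}={conv(int(value))}")
        else:
            unmapped[key] = NOT_PWPOLICY.get(key, "no automatic mapping, review manually")
    return argv, unmapped

# Constructed sample stanza, not taken from any real system.
SAMPLE_STANZA = """default:
        minage = 1
        maxage = 12
        minlen = 8
        histsize = 5
        loginretries = 5
        hostsallowedlogin = aixlpar1,aixlpar2
"""
```

Running `to_ipa_pwpolicy(parse_aix_stanza(SAMPLE_STANZA), "aix_users")` yields the argv for the group policy plus the attributes that still need an HBAC rule or a manual decision.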

Re: [Freeipa-users] support for rfc2307AIX schema in IPA server

2017-02-22 Thread Iulian Roman
On Wed, Feb 22, 2017 at 6:03 PM, Michael Ströder <mich...@stroeder.com>
wrote:

> Iulian Roman wrote:
> > On Tue, Feb 21, 2017 at 4:31 PM, Rob Crittenden <rcrit...@redhat.com
> > <mailto:rcrit...@redhat.com>> wrote:
> >
> > Iulian Roman wrote:
> > > Hello,
> > >
> > > Does anybody know if the rfc2307aix schema is supported in IPA
> server (i
> > > use red hat IDM version) ? If yes, is there any documentation
> available
> > > ? Was it tested ?
> >
> > No, it isn't supported (it's the first I've ever heard of it).
> Looking
> > at the schema I doubt it is something that would ever be fully
> supported.
> >
> > is there any possibility to extend the existing schema with additional
> > attributes/object
>
> Do you really use this specific AIX schema?
> If yes, which attributes for which purpose?
>
I do need the aixAuxAccount and aixAuxGroup object classes. They
implement some password restrictions needed for security/compliance, plus some
other security related attributes.
Personally I do not consider them a must (they are rather some nice to
have features), but I have to migrate an environment which does use them.
And I would like as well to make the migration as transparent as possible
(therefore without "missing features").


> Last time I've checked this schema when integrating AIX clients my
> conclusion was that
> this schema is rather useless and proprietary bloat.
>
> Ciao, Michael.
>
>

Re: [Freeipa-users] support for rfc2307AIX schema in IPA server

2017-02-21 Thread Iulian Roman
On Tue, Feb 21, 2017 at 4:31 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Iulian Roman wrote:
> > Hello,
> >
> > Does anybody know if the rfc2307aix schema is supported in IPA server (i
> > use red hat IDM version) ? If yes, is there any documentation available
> > ? Was it tested ?
>
> No, it isn't supported (it's the first I've ever heard of it). Looking
> at the schema I doubt it is something that would ever be fully supported.
>
Is there any possibility to extend the existing schema with additional
attributes/object classes? IPA integrates seamlessly in the Linux
environment and it would be nice to make that possible also for the Unix
environment.
The enterprise environment is quite heterogeneous, and a solution which would
facilitate the consolidation of authentication and authorization methods
is still something many companies are looking for. There are different
solutions for different platforms, with different features, but none which
can be used cross-platform. I hope IPA will try to bridge this gap in the
near future.

> rob
>
> >
> > I plan for a big migration and full support of the AIX user attributes
> > is one of the prerequisites.
>
>
>

[Freeipa-users] support for rfc2307AIX schema in IPA server

2017-02-21 Thread Iulian Roman
Hello,

Does anybody know if the rfc2307aix schema is supported in IPA server (I
use the Red Hat IdM version)? If yes, is there any documentation available?
Was it tested?

I am planning a big migration, and full support of the AIX user attributes is
one of the prerequisites.