Re: [Freeipa-users] FreeIPA server in Docker container
On Mon, Jul 21, 2014 at 04:17:44PM +0200, Jan Pazdziora wrote:
>
> if you need a way to quickly run FreeIPA server on your machine while
> keeping the machine open to installation and configuration of other
> software which would otherwise clash with the FreeIPA server, you can
> try FreeIPA in a Docker container. We currently see it as a proof of
> concept, for testing or demo purposes.
>
> The Dockerfiles with other content are available at
>
> https://github.com/adelton/docker-freeipa
>
> with branches for Fedora 20, rawhide, and RHEL 7. Automated built
> images are available in Docker index:
>
> https://hub.docker.com/u/adelton/
>
> with Fedora 20 and rawhide content. Also available are client
> repositories and images, to quickly start another container and let it
> IPA-enroll to the server in a container.
>
> At this point, the containers need to be run as --privileged.

If you do not like the idea of running privileged containers, good news for you: the latest code at

https://github.com/adelton/docker-freeipa

as well as the new images at

https://hub.docker.com/u/adelton/

allow the FreeIPA server containers to be run unprivileged.

Also newly available is branch rhel-6 with Identity Management server configured on RHEL 6.

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
[Freeipa-users] FreeIPA server in Docker container
Hello,

if you need a way to quickly run FreeIPA server on your machine while keeping the machine open to installation and configuration of other software which would otherwise clash with the FreeIPA server, you can try FreeIPA in a Docker container. We currently see it as a proof of concept, for testing or demo purposes.

The Dockerfiles with other content are available at

https://github.com/adelton/docker-freeipa

with branches for Fedora 20, rawhide, and RHEL 7. Automated built images are available in Docker index:

https://hub.docker.com/u/adelton/

with Fedora 20 and rawhide content. Also available are client repositories and images, to quickly start another container and let it IPA-enroll to the server in a container.

At this point, the containers need to be run as --privileged.

We plan to track the progress of the effort at

http://www.freeipa.org/page/Docker

Any comments or improvements are welcome,

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] PatternFly questions
On Fri, Jul 18, 2014 at 12:23:35PM +0200, Petr Vobornik wrote:
>
> > 2. Browsing the screen on a large monitor still leaves the user page (at
> > least) limited to around 22 rows. This leaves the bottom third of my
> > browser empty. The table uses the full width of the browser, can it not
> > use the full height too?
>
> I have an idea/plan to make it configurable - to specify the number of
> items and also to allow disabling of paging.

The ideal paging is paging which does not force the user to do much manual configuration to deliver the information unobtrusively.

To me, it's paging which does not force me to scroll if I don't want to, and which minimizes the wasted space by maximizing the number of rows to fit into the screen. IOW, fill in exactly one full screen of data without introducing scrollbars, and then let me choose -- "load more" to extend the list on the current page, or go to the next page.

Thus, on each screen the number of rows of the default ideal view can be different, if the content above and below the table is of different height, or if the height of the rows is different among pages/tables.

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] Announcing FreeIPA 4.0.0
On Mon, Jul 14, 2014 at 07:56:18AM +0200, Lukas Slebodnik wrote:
>
> > Other packages can be in epel7.
>
> python-polib is already in epel5 and epel6 but *NOT IN* epel7
> https://admin.fedoraproject.org/pkgdb/package/python-polib/
>
> python-qrcode is already in epel6 but *NOT IN* epel7
> https://admin.fedoraproject.org/pkgdb/package/python-qrcode/
>
> python-yubico is already in epel6 but *NOT IN* epel7
> https://admin.fedoraproject.org/pkgdb/package/python-yubico/

https://fedoraproject.org/wiki/EPEL/epel7/Requests

should help us get the process started.

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] IPA-server and containers
On Wed, Jun 11, 2014 at 07:41:11AM +0600, Arthur Fayzullin wrote:
> Running IPA as a bunch of containers can reduce size of each one. Of

Possibly. But FreeIPA is currently configured using ipa-server-install and there is no support in the installer for having / assuming the individual components on different hosts (be it containers or true hosts). That's why the initial effort goes into moving what we have with ipa-server-install to a container as one block.

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA-server and containers
On Tue, Jun 10, 2014 at 05:27:40PM +0600, Arthur Fayzullin wrote:
> HI!
> Alexandr, I've seen Your presentation at RedHat forum. Very good
> presentation! :)
> I've got a question about FreeIPA from that presentation. Of course
> question is not only for You.
> So, the question:
> Are there any plans for integration freeipa-server with containers?
> * working freeipa as a single container;

We have a testing FreeIPA in a Fedora 20 container at

https://registry.hub.docker.com/u/adelton/fedora20-freeipa-server/

However, at this point the size of that image is over 1.2 GB so we were not announcing it yet as we try to find ways to make the image smaller and thus more easily consumable.

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] Enrolling client to second IPA server
On Tue, Jan 07, 2014 at 08:11:12AM +0200, Alexander Bokovoy wrote:
>
> The problem here is that you would have the same host name assigned to
> two different realms which means there would be a single principal but
> two different keys associated with it from different realms. A single
> keytab could contain only principals from the single realm.
>
> Thus, you need to use different keytabs and make sure that access to
> a non-default KDC is always using non-default keytab.

Understood.

> You'd also need to fetch IPA2's CA certificate and trust it. Here might
> be a problem since it will have the same nickname, 'IPA CA' and thus
> cannot be placed in the same /etc/pki/nssdb database. You can, however,
> put the cert file in a separate file somewhere, for example,
> /etc/ipa/ipa2-ca.crt.

Understood.

> Now, suppose you have a non-default keytab set at /etc/krb5.keytab.IPA2.
>
> # kinit admin@IPA2
> # ipa-getkeytab -s ipaserver.example.com -p host/foo.example.com -k
> /etc/krb5.keytab.IPA2
>
> would fetch the host keytab there.
>
> Then SSSD would need to be configured to use a different location for
> the keytab for this realm and a different TLS cert.
>
> [domain/example.com]
> ...
> krb5_keytab = /etc/krb5.keytab.IPA2
> ldap_tls_cacert = /etc/ipa/ipa2-ca.crt
> ...
>
> So, off my head (not tested):
> 1. Set up krb5.conf to have realm and domain_realm mappings for the
> second realm. You can only have one of the realms as default one.
> 2. Set up sssd.conf to have a second domain which points krb5_keytab to
> a different keytab, /etc/krb5.keytab.IPA2, and a different TLS CA
> certificate.
> 3. kinit as a principal from the second realm
> 4. Use ipa-getkeytab to fetch the keytab to /etc/krb5.keytab.IPA2

I have this set up and Kerberos works -- I can do

kinit user...@realm1.net

and

kinit user...@realm2.net

and they pass and klist will show respective principals.

> Finally, for LDAP operations you can't have profiles in ldap.conf, so
> defaults will only point to the original one. You can create another one
> in /etc/openldap and then use LDAPCONF environmental variable to point
> to the second config file for the defaults.

Here is where I got stuck -- when I run

getent passwd user...@realm1.net

I can see the record but

getent passwd user...@realm2.net

will not return anything.

Is that because of the LDAP operations still using whatever is in /etc/openldap/ldap.conf? When I put IPA2's data to /etc/openldap/ldap.conf.IPA2 and run

LDAPCONF=/etc/openldap/ldap.conf.IPA2 getent passwd user...@realm2.net

I still don't get anything. I assume that it's because it's actually sssd which does the calls ... but how would I set LDAPCONF for sssd?

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
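A consistency check for the two-realm sssd.conf layout Alexander describes, added here as an example and not taken from the thread: it lists the realm, keytab and CA file of every [domain/...] section and fails when two domains share one keytab, since a keytab holds keys of a single realm. The option names are standard sssd.conf ones; the sample file is constructed and the domain names in it are assumed.

```shell
# Report krb5_realm / krb5_keytab / ldap_tls_cacert per sssd domain and
# flag domains that would have to share one keytab file.
sssd_keytab_report() {
    awk '
        /^\[domain\// { sect = substr($0, 9); sub(/\].*$/, "", sect); order[++n] = sect; next }
        /^\[/         { sect = ""; next }
        sect != "" && /^[[:space:]]*(krb5_realm|krb5_keytab|ldap_tls_cacert)[[:space:]]*=/ {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1); gsub(/[[:space:]]/, "", key)
            val = substr($0, eq + 1);    gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            conf[sect, key] = val
        }
        END {
            rc = 0
            for (i = 1; i <= n; i++) {
                d  = order[i]
                kt = conf[d, "krb5_keytab"]
                if (kt == "") kt = "/etc/krb5.keytab"   # sssd default when unset
                printf "%-20s realm=%s keytab=%s cacert=%s\n", d, conf[d, "krb5_realm"], kt, conf[d, "ldap_tls_cacert"]
                if (kt in seen) {
                    printf "WARNING: %s and %s share keytab %s; each realm needs its own\n", seen[kt], d, kt
                    rc = 1
                } else {
                    seen[kt] = d
                }
            }
            exit rc
        }' "$1"
}

# Constructed sample (assumed names): the default-realm domain plus an IPA2
# domain wired to its own keytab and CA file, as in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[sssd]
domains = example.com, ipa2.test

[domain/example.com]
id_provider = ipa
krb5_realm = EXAMPLE.COM

[domain/ipa2.test]
id_provider = ipa
krb5_realm = IPA2.TEST
krb5_keytab = /etc/krb5.keytab.IPA2
ldap_tls_cacert = /etc/ipa/ipa2-ca.crt
EOF
sssd_keytab_report "$sample"
rm -f "$sample"
```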
[Freeipa-users] HBAC for mod_auth_kerb (and give karma to Fedora 20 package)
Hello,

so you've read about the web application authentication and host-based access control but never tried it and now you wonder how the HBAC with Kerberos actually works in the web context ... Why not try to set it up and see for yourself?

... And give karma to

https://admin.fedoraproject.org/updates/mod_authnz_pam-0.9-1.fc20

to get

http://fedorapeople.org/cgit/adelton/public_git/mod_authnz_pam.git/commit/?id=3ddf467cbadba121e878699da74b26351a31e547

in if you find it satisfactory.

You can use

http://www.freeipa.org/page/Web_App_Authentication

as the guidelines but you can also try to set things up completely without the guides, just using mod_authnz_pam's documentation at

http://www.adelton.com/apache/mod_authnz_pam/

And comments and help with the karma would be appreciated.

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] About Windows client
On Wed, Feb 19, 2014 at 05:23:15PM -0500, Dmitri Pal wrote:
>
> I want to summarize our position regarding joining Windows systems into IPA.
>
> 1) If you already have AD we recommend using this system with AD and
> using trusts between AD and IPA.
> 2) If you do not have AD then use Samba 4 instead of it. It would be
> great when Samba 4 grows capability to establish trusts. Right now
> it can't but there is an effort going on. If you are interested -
> please contribute.
> 3) If neither of the two options work for you you can configure
> Windows system to work directly with IPA as described on the wiki.
> It is an option of last resort because IPA does not provide the
> services windows client expects. If this is good enough for you,
> fine by us.
> 4) Build a native Windows client (cred provider) for IPA using
> latest Kerberos. IMO this would be really useful if someone does
> that because we will not build this ourselves. With the native OTP
> support in IPA it becomes a real business opportunity to provide a
> native 2FA inside enterprise across multiple platforms. But please
> do it open source way otherwise we would not recommend you ;-)

Would it make sense to make this into a freeipa.org wiki page?

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] Allow freeipa send password to user
On Tue, Feb 18, 2014 at 04:44:30PM -0500, Dmitri Pal wrote:
> On 02/17/2014 10:51 PM, barry...@gmail.com wrote:
> > Is it possible to set allow password to send to user after user request.
> >
> > I used one of the self password service pwm but it seem it is not
> > compatible to retriveal of password
> > using cert request / Answer and questions retrieval
>
> Passwords can't be sent to the user. You can using administrative
> account set a new password (i.e. do an admin reset) and send it to
> the user but then user will be asked to change it on the first
> authentication.

Since I've heard the requirement for no password change forced on user upon their first login from multiple sides, I wonder if the current behaviour stems from some technical reason or if it's just a security approach which the FreeIPA admins should be able to override.

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] Free-IPA in an AWS Base Image
On Mon, Feb 10, 2014 at 10:02:53PM -0800, Steve Severance wrote:
> I want to create an AWS AMI that when it starts up will register itself
> with a Free-IPA instance. The issue I have run into so far is every
> instance when it starts up uses the original instances hostname. What do I
> need to do to have free-ipa work in a DHCP environment like this?

Is the AMI supposed to be internal to some organization / domain or is it supposed to be completely public? I slightly assume the first because you probably have some particular FreeIPA server instance hardcoded in the AMI.

Is it acceptable to change the hostname of the instance to be in the domain managed by the FreeIPA server?

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] HBAC - expected behaviour?
On Tue, Feb 04, 2014 at 04:11:12AM +, Les Stott wrote:
>
> If I access the host "host1" and remove allow_all from its defined HBAC rules
> in the web ui, jane can still access host1 via ssh (actually tested login).

I can see you've found the solution already but I'd like to go back to this part.

You say that you have removed allow_all from its defined HBAC rules in the WebUI. However, when I try this on my FreeIPA server, I don't see allow_all listed for any of my hosts (neither in the Direct nor Indirect Membership listing).

Is it possible that you've added that host to allow_all on top of its "Any Host" (aka Host category: all) manually and then removed it?

--
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat
[Freeipa-users] Enrolling client to second IPA server
For testing purposes, I'd like to enroll my already IPA-enrolled client to another IPA server, with different domain. My goal is to then use Kerberos authentication in applications to use the second realm and PAM authentication in applications to go to the second domain in sssd while leaving the first realm/domain solely for OS-level authentication.

I was able to copy and tweak /etc/sssd/sssd.conf, add a realm to /etc/krb5.conf, but I'm not sure where my second keytab is supposed to go. Reading

http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/enrolling-machines.html

suggests having the keytab from the IPA server is essential ... but where do I specify its location?

Ideally I'd like to just run ipa-client-install with proper parameters but I always get

IPA client is already configured on this system.

While that is technically correct, it does not move me forward enrolling the system to another IPA server.

Does anyone have example steps that need to be done to have my system enrolled to two IPA servers?

Thank you,

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] freeipa client won't install on host where an ipa server guest is already installed.
On Tue, Dec 17, 2013 at 08:23:36PM -0500, Joshua Nager wrote:
>
> I am running freeipa as a guest KVM virtual machine. I have found myself
> running into a problem when trying to install ipa-client on the host which
> the guest resides.
>
> Upon trying to install the ipa-client I am given the msg that I must first
> uninstall the ipa server.

What is the OS version and the exact message that you get?

> Has anyone experienced this and how might I get around this problem?

Are you sure you don't have the IPA server installed on both the KVM guest *and* on the host?

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
[Freeipa-users] Starting with host based access control and your existing users and hosts
In FreeIPA installations that already have some users and hosts in them, the setup might be using host based access control (HBAC) without admins realizing it because by default there is a catchall allow_all rule there. When you then want to start tweaking the setup, the allow_all rule needs to be disabled or it would still allow all accesses. That might break existing users.

Check

http://www.freeipa.org/page/Howto/HBAC_and_allow_all

about possible solution to that problem.

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] Incorrect user information
On Sat, Sep 14, 2013 at 01:11:36PM -0400, Brian Lindblom wrote:
> Of course, I would imagine that since the GECOS field is set upon account
> creation based on the values provided for first and last name, and since
> GECOS is not a provided field in the UI for user attributes, that GECOS
> should be updated automatically to reflect those changes. Bug perhaps?

The ticket

https://fedorahosted.org/freeipa/ticket/3569

tracks addition of the WebUI GECOS field. It's been added in upstream FreeIPA and it should find its way to the next RHEL releases as well.

--
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] [freeipa-users] errors when trying to add public SSH key to user
On Mon, Jul 15, 2013 at 02:40:19PM +, Armstrong, Kenneth Lawrence wrote:
> I'm trying to add an SSH public key to a user, and I keep getting IPA Error
> 3009 or IPA Error 3008 when I try to update the page. I have copied over the
> exact contents of the .ssh/id_rsa.pub file. Even if I take the username
> portion out at the end of the file, I still get the same error messages.
>
> When I try to add it from the command line, I get:
>
> ipa: ERROR: invalid 'sshpubkey': invalid SSH public key
>
> And yes, I verified that ssh-rsa is at the beginning of the key output.
>
> This is on a RHEL 6 server.
>
> Any thoughts?

Does it fail even if you do not copy-n-paste the key but let shell expand it as

ipa user-mod demo --sshpubkey "$( cat /tmp/demo.pub )"

?

--
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat
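A pre-flight check, added here as an example (it is not FreeIPA's own sshpubkey validator), for the kind of copy-and-paste damage behind an "invalid SSH public key" rejection: a wrapped line, a stray space inside the base64 blob, or a type prefix that does not match the key material. The sample key below is a constructed toy with a genuine ssh-rsa prefix and an unusably short body.

```shell
# Check that a file holds one well-formed OpenSSH public key line
# ("type base64 [comment]") before passing it to ipa user-mod --sshpubkey.
check_sshpubkey() {
    # $1: path to the public key file; only the first line is considered
    line=$(head -n 1 "$1")
    type=${line%% *}
    rest=${line#* }
    body=${rest%% *}

    case "$type" in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unknown key type '$type'" >&2; return 1 ;;
    esac

    # The blob must be one unbroken run of base64 with valid padding;
    # a wrapped line or an inserted space shows up here first.
    if [ -z "$body" ] || ! printf '%s' "$body" | grep -Eq '^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$'; then
        echo "key body is not clean base64 (line wrapped or stray whitespace?)" >&2
        return 1
    fi

    # The decoded blob starts with a 4-byte length followed by the key type
    # string again; it must agree with the textual type in front.
    decoded=$(printf '%s' "$body" | base64 -d 2>/dev/null | head -c $((4 + ${#type})) | tail -c ${#type} | tr -d '\000')
    if [ "$decoded" != "$type" ]; then
        echo "blob does not start with '$type' (mixed-up key material?)" >&2
        return 1
    fi
    return 0
}

# Constructed toy key (not a real key): correct ssh-rsa blob prefix, fake body.
sample=$(mktemp)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAQU= demo@example.test\n' > "$sample"
if check_sshpubkey "$sample"; then
    echo "well-formed; safe to try: ipa user-mod demo --sshpubkey \"\$( cat $sample )\""
fi
rm -f "$sample"
```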