[Freeipa-users] free-ipa 2.2 - login fails on some hosts but not others
Hi:

I am using free-ipa 2.2 to manage LDAP/DNS for about a dozen CentOS 6.3 servers on a small network. I am having a problem where a user cannot log into a host even though ipa hbactest says that he is authorized. This user can log into other hosts where ipa hbactest says he is authorized.

Here is the problem in a nutshell:

    # Works for host1
    $ ssh user1@host1
    user1@host1's password: top-secret
    Last login ...
    [user1@host1 ~] echo SUCCESS
    SUCCESS

    # Fails for host2
    $ ssh user1@host2
    Password: top-secret
    Permission denied (publickey, gssapi-keyex, gssapi-with-mic, keyboard-interactive).

    # hbactest
    $ ipa hbactest --user=user1 --host=host1 --service==sshd
    Access granted: True
    output snipped

    # hbactest
    $ ipa hbactest --user=user1 --host=host2 --service==sshd
    Access granted: True
    output snipped

It seems that free-ipa thinks that everything is copacetic so there must be something different on the hosts. I looked at /etc/ssh/sshd.conf, /etc/nsswitch.conf and /etc/sssd/sssd.conf on both hosts but didn't see anything that looked out of whack. I also tried ssh -vvv but wasn't sure how to interpret the results. I am using an NFS automount /home setup so both are using the same ~/.ssh.

I am not sure how to debug this. Do you know why the password prompt is different? That may be a clue. Can you suggest some other things that I can try?

Any help would be greatly appreciated.

Thank you.

Regards,

Joe

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] User can't login via ssh from external
> As Rob says, I think we should take a look at SSSD and system logs. Can
> you paste or attach the couple of lines that are appended to
> /var/log/secure during the login attempt? That should give us a clue on
> whether the SSSD PAM modules are contacted.
>
> Can you also add debug_level = 8 to the [pam] and [domain/$name] sections
> of the SSSD, restart the SSSD and paste or attach
> /var/log/sssd/sssd_pam.log and /var/log/sssd/sssd_$name.log? Feel free to
> sanitize the logs before sending them out.
>
> Thank you.

Unfortunately I am unable to reproduce the problem so I am not sure that this is a good use of your time. If I find that I can reproduce it, I will capture the logs and send them on. Does that make sense?

Thank you for your suggestions and help.

Regards,

Joe
Re: [Freeipa-users] User can't login via ssh from external
Hi Stephen and Dmitri:

Thank you for the sshd GSSAPI configuration suggestion. I tried it this morning but it didn't work. That particular user is still not able to login.

What is even more interesting is that I created a user with the identical setup and the new user worked (i.e., they were able to ssh in remotely). I am really confused by this because it does not appear to be a global setup issue like ssh. It may be some sort of HBAC rule violation or something else equally strange. I just can't figure it out.

Can you suggest any other ways to troubleshoot this?

Thanks,

Joe
Re: [Freeipa-users] User can't login via ssh from external
Hi Folks:

I managed to get the user working doing the following (all from the CLI):

1. Deleted the user (ipa user-del new-user)
2. Re-added the user
3. Add the user to administrator groups.
4. Changed/set the password.
5. Removed the administrator privileges.
6. Attempt remote ssh login.

Steps 3 and 5 are a hack but I can demonstrate that /not/ doing them causes the strange login problem. I can also show that the HBAC rules are enforced properly after step 5 is run so this works for me. I just don't understand why it is necessary.

Thank you for all of your help and suggestions.

Regards,

Joe

From: Joe Linoff
Sent: Monday, July 23, 2012 1:51 PM
To: sgall...@redhat.com; d...@redhat.com
Cc: freeipa-users@redhat.com; Joe Linoff
Subject: Re: [Freeipa-users] User can't login via ssh from external

Hi Stephen and Dmitri:

Thank you for the sshd GSSAPI configuration suggestion. I tried it this morning but it didn't work. That particular user is still not able to login.

What is even more interesting is that I created a user with the identical setup and the new user worked (i.e., they were able to ssh in remotely). I am really confused by this because it does not appear to be a global setup issue like ssh. It may be some sort of HBAC rule violation or something else equally strange. I just can't figure it out.

Can you suggest any other ways to troubleshoot this?

Thanks,

Joe
Re: [Freeipa-users] User can't login via ssh from external
Hi Steve:

Thank you for your suggestions.

> In the gui you can do a hbac test of the rule.

I ran the hbactest rule testing from the command line using ipa hbactest. It showed that the rules were correct. Do you think that the GUI might provide a different result?

> Also what are the UIDS? IPA provided 32bit ones? or your own?

The UID's were provided by IPA. Actually during testing I also provided my own at one point but reverted back when that didn't seem to make a difference. Can you explain why that might cause the problem? For example, would duplicates break the system or are there ranges of UIDs that are not legal?

> I'd suggest re-setting that user's password and get them to login and
> reset the password, that works for me, it was a sign of bad/failed
> replication in my system I think (now fixed).

I tried that using kpasswd and ipa passwd to change the password but neither solved the problem. In both cases I was able to run kinit new-user and set the credentials using the new password but new-user could not ssh in.

It was a really strange problem. It looks like something got out of sync but I could not (and cannot) figure out where. It is doubly difficult because removing and re-adding the user worked. In addition, adding other users worked.

Regards,

Joe
Re: [Freeipa-users] User can't login via ssh from external
Hi Rob:

Thank you for helping.

> Are you performing a login between steps 3 and 5? Otherwise all that does
> is add a member/memberof and then remove it. I don't see how this would
> affect anything.

Hmmm, good point. I think that I was probably doing a kinit between steps 3 and 5 which would amount to the same thing, right?

Regards,

Joe

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Monday, July 23, 2012 3:21 PM
To: Joe Linoff
Cc: sgall...@redhat.com; d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] User can't login via ssh from external

Joe Linoff wrote:
> Hi Folks:
>
> I managed to get the user working doing the following (all from the CLI):
>
> 1. Deleted the user (ipa user-del new-user)
> 2. Re-added the user
> 3. Add the user to administrator groups.
> 4. Changed/set the password.
> 5. Removed the administrator privileges.
> 6. Attempt remote ssh login.
>
> Steps 3 and 5 are a hack but I can demonstrate that /not/ doing them
> causes the strange login problem. I can also show that the HBAC rules are
> enforced properly after step 5 is run so this works for me. I just don't
> understand why it is necessary.

Are you performing a login between steps 3 and 5? Otherwise all that does is add a member/memberof and then remove it. I don't see how this would affect anything.

rob

> Thank you for all of your help and suggestions.
>
> Regards,
>
> Joe
>
> *From:* Joe Linoff
> *Sent:* Monday, July 23, 2012 1:51 PM
> *To:* sgall...@redhat.com; d...@redhat.com
> *Cc:* freeipa-users@redhat.com; Joe Linoff
> *Subject:* Re: [Freeipa-users] User can't login via ssh from external
>
> Hi Stephen and Dmitri:
>
> Thank you for the sshd GSSAPI configuration suggestion. I tried it this
> morning but it didn't work. That particular user is still not able to
> login.
>
> What is even more interesting is that I created a user with the identical
> setup and the new user worked (i.e., they were able to ssh in remotely).
> I am really confused by this because it does not appear to be a global
> setup issue like ssh. It may be some sort of HBAC rule violation or
> something else equally strange. I just can't figure it out.
>
> Can you suggest any other ways to troubleshoot this?
>
> Thanks,
>
> Joe
Re: [Freeipa-users] User can't login via ssh from external
Hi Rob:

> The issue is if the UIDS are < 1000 they are treated as local in sssd.

Ahh, of course, thanks. I never assigned any UIDs < 1000 (or less than 1 for that matter).

> It could be that sssd cached something and wouldn't let it go, too. If
> you can reproduce this it is probably worthwhile to bump up the log level
> and add pam debug logging to see what is happening.

That is a great idea and it makes sense given what I was seeing. I will give it a try. I just wasn't sure which service I should be analyzing.

Regards,

Joe

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Monday, July 23, 2012 3:23 PM
To: Joe Linoff
Cc: steven.jo...@vuw.ac.nz; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] User can't login via ssh from external

Joe Linoff wrote:
> Hi Steve:
>
> Thank you for your suggestions.
>
>> In the gui you can do a hbac test of the rule.
>
> I ran the hbactest rule testing from the command line using ipa hbactest.
> It showed that the rules were correct. Do you think that the GUI might
> provide a different result?

No, the GUI and CLI share exactly the same backend code.

>> Also what are the UIDS? IPA provided 32bit ones? or your own?
>
> The UID's were provided by IPA. Actually during testing I also provided
> my own at one point but reverted back when that didn't seem to make a
> difference. Can you explain why that might cause the problem? For
> example, would duplicates break the system or are there ranges of UIDs
> that are not legal?

The issue is if the UIDS are < 1000 they are treated as local in sssd.

>> I'd suggest re-setting that user's password and get them to login and
>> reset the password, that works for me, it was a sign of bad/failed
>> replication in my system I think (now fixed).
>
> I tried that using kpasswd and ipa passwd to change the password but
> neither solved the problem. In both cases I was able to run kinit
> new-user and set the credentials using the new password but new-user
> could not ssh in.
>
> It was a really strange problem. It looks like something got out of sync
> but I could not (and cannot) figure out where. It is doubly difficult
> because removing and re-adding the user worked. In addition, adding other
> users worked.

It could be that sssd cached something and wouldn't let it go, too. If you can reproduce this it is probably worthwhile to bump up the log level and add pam debug logging to see what is happening.

regards

rob
Re: [Freeipa-users] How can I change my password from a python script?
Hi Martin:

Thank you. This is very helpful. I am going to try the group functions tomorrow morning (PST).

Regards,

Joe

-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Friday, June 29, 2012 12:07 AM
To: Joe Linoff
Cc: Petr Vobornik; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] How can I change my password from a python script?

On Thu, 2012-06-28 at 16:42 -0700, Joe Linoff wrote:
> Hi Petr:
>
> I implemented what you suggested and everything worked pretty well but I
> ran into three issues that you might be able to help me with.
>
> ISSUE #1
>
> The first issue (and the most important) is that the password is only
> temporary. I am prompted to reset it the first time that I login. My goal
> is to setup a working system quickly to test different configurations in
> a batch fashion but having to reset the password for each user makes that
> challenging. How can I disable the reset requirement for my test
> environment?
>
>     ssh user5@cuthbert
>     user5@cuthbert's password:
>     Password expired. Change your password now.
>     Last login: Thu Jun 28 16:29:32 2012 from cuthbert.example.com
>     WARNING: Your password has expired.
>     You must change your password now and login again!
>     Changing password for user user5.
>     Current Password:
>     New password:
>     Retype new password:
>     passwd: all authentication tokens updated successfully.
>     Connection to cuthbert closed.

Hi Joe,

This is a security measure, somebody else may correct me, but I don't think this can be turned off. You can use an attached Python function which can be used to change (reset) user password via web interface. Normally, this backend is used by Web UI users with expired password to be able to reset it. You could use it for the same purpose from the script (function) I attached.

> ISSUE #2
>
> The second issue is really more of a question. I need to add these users
> to groups. My guess is that I need to setup a similar call using the
> 'group_add' command. Is that right? If so, do you have an example that I
> could follow?

You can try this one:

    >>> pprint(api.Command['group_add'](u'foogroup', description=u'foo group'))
    {'result': {'cn': (u'foogroup',),
                'description': (u'foo group',),
                'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
                'gidnumber': (u'4800015',),
                'ipauniqueid': (u'54ac6eba-c1b8-11e1-9695-001a4a104e23',),
                'objectclass': (u'top', u'groupofnames', u'nestedgroup', u'ipausergroup', u'ipaobject', u'posixgroup')},
     'summary': u'Added group foogroup',
     'value': u'foogroup'}

    >>> pprint(api.Command['group_add_member'](u'foogroup', user=[u'admin']))
    {'completed': 1,
     'failed': {'member': {'group': (), 'user': ()}},
     'result': {'cn': (u'foogroup',),
                'description': (u'foo group',),
                'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
                'gidnumber': (u'4800015',),
                'member_user': (u'admin',)}}

    >>> pprint(api.Command['group_show'](u'foogroup'))
    {'result': {'cn': (u'foogroup',),
                'description': (u'foo group',),
                'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
                'gidnumber': (u'4800015',),
                'member_user': (u'admin',)},
     'summary': None,
     'value': u'foogroup'}

> ISSUE #3
>
> The third and final issue is that I get a traceback from what appears to
> be the validation in the batch command. How can I correct that?
>
>     Traceback (most recent call last):
>       File "./u1.py", line 35, in <module>
>         result = api.Command['batch'](*add_cmds)
>       File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 443, in __call__
>         self.validate_output(ret)
>       File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 903, in validate_output
>         nice, o.name, o.type, type(value), value)
>     TypeError: batch.validate_output(): output['results']: need type 'list'; got type 'tuple': ({'summary': u'Added user user5', 'result': {'dn': u'uid=user5,cn=users,cn=accounts,dc=example,dc=com', 'has_keytab': True, 'displayname': (u'first last',), 'uid': (u'user5',), 'objectclass': (u'top', u'person', u'organizationalperson', u'inetorgperson', u'inetuser', u'posixaccount', u'krbprincipalaux', u'krbticketpolicyaux', u'ipaobject'), 'loginshell': (u'/bin/bash',), 'uidnumber': (u'785400029',), 'initials': (u'fl',), 'gidnumber': (u'785400029',), 'has_password': True, 'sn': (u'last',), 'homedirectory': (u'/home/user5',), 'mail': (u'us...@example.com',), 'krbprincipalname': (u'us...@example.com',), 'givenname': (u'first',), 'cn': (u'first last',), 'gecos': (u'first last',), 'ipauniqueid': (u'dcc8845e-c178-11e1-b46e-5254006a7e38',)}, 'value': u'user5', 'error': None},)

You may
Re: [Freeipa-users] How can I change my password from a python script?
Hi Rob:

> This is so only the end-user knows the password.

That makes good sense. Your suggestions will help me in my test environment.

Thanks,

Joe

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Friday, June 29, 2012 8:07 AM
To: Joe Linoff
Cc: Petr Vobornik; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] How can I change my password from a python script?

Joe Linoff wrote:
> Hi Petr:
>
> I implemented what you suggested and everything worked pretty well but I
> ran into three issues that you might be able to help me with.
>
> ISSUE #1
>
> The first issue (and the most important) is that the password is only
> temporary. I am prompted to reset it the first time that I login. My goal
> is to setup a working system quickly to test different configurations in
> a batch fashion but having to reset the password for each user makes that
> challenging. How can I disable the reset requirement for my test
> environment?

This is so only the end-user knows the password.

You can add the DN of the user you are changing passwords with to a list of users who are exempt from password policy. Think carefully about what user you add to this list, you may not want to use the admin user.

Add the DN to the passSyncManagersDNs attribute in the entry cn=ipa_pwd_extop,cn=plugins,cn=config

rob
[Freeipa-users] Authentication failure when I reset the password
Hi Everybody.

I ran into a strange problem today: I reset a user password in the GUI to Test1234 for testing but when I tried to login as that user and enter the password, I got an authentication error. Does anyone know why this might be occurring or how I can debug it?

Here are some additional details:

* OS: CentOS 6.2
* FreeIPA: 2.1.3

Here are the steps I went through:

1. I log into the server as A.
2. I run kinit admin
3. I add a user B with password: F00bar5pam!
4. I verify that the user exists https://localhost
5. I reset the password in the web interface to Test1234 (yeah, I know, completely lame)
6. The GUI tells me that it reset.
7. I then try ssh B@some-host using the Test1234 and get permission denied. That is odd, it may indicate an HBAC error.
8. So I try su - B with password Test1234 and get su: incorrect password
9. Now I am stumped so I look in /var/log/secure and see these entries:

       Jun 29 17:53:11 cuthbert su: pam_sss(su-l:auth): authentication failure; logname=A uid=500 euid=0 tty=pts/1 ruser=A rhost= user=B
       Jun 29 17:53:11 cuthbert su: pam_sss(su-l:auth): received for B: 4 (System error)

10. I didn't see anything strange in /var/log/dirsrv/slapd-EXAMPLE-COM/access
11. I didn't see anything strange in /var/log/dirsrv/slapd-PKI-API/access
12. I didn't see any SELinux errors in /var/log/audit/audit.log
13. I didn't see anything suspicious in /var/log/krb5kdc.log
14. In /var/log/pki-ca/debug there was some stuff about no sessions have been created but I am not sure whether that has anything to do with this

What is system error 4 (step #9)? Is that the source of the problem?

Any help would be greatly appreciated.

Thanks,

Joe
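The "received for B: 4 (System error)" line in step 9, and the /var/log/secure lines asked for earlier in the ssh thread, are the quickest way to tell a credential failure apart from an SSSD backend problem: the number pam_sss prints after "received for <user>:" is the Linux-PAM return code of the request. The script below is an added example written for this page, not code from the thread or from the SSSD project. It assumes only the pam_sss line format shown above; the sample log lines are constructed, and the PAM code table is the standard Linux-PAM numbering.

```python
"""Classify pam_sss outcomes in /var/log/secure-style lines.

Added example for this mailing-list page (not from the thread). Assumes
pam_sss lines of the shape shown in the thread, e.g.

  ... su: pam_sss(su-l:auth): received for B: 4 (System error)

The integer after "received for <user>:" is a Linux-PAM return code.
"""
import re
from collections import Counter

# Standard Linux-PAM return codes that pam_sss reports back.
PAM_CODES = {
    0: "PAM_SUCCESS",
    4: "PAM_SYSTEM_ERR",        # backend/transport failure, not a bad password
    6: "PAM_PERM_DENIED",       # e.g. HBAC refused this user/host/service
    7: "PAM_AUTH_ERR",          # credentials rejected
    9: "PAM_AUTHINFO_UNAVAIL",  # identity provider unreachable / offline
    10: "PAM_USER_UNKNOWN",     # user not resolvable through sssd on this host
    12: "PAM_NEW_AUTHTOK_REQD", # password expired, must be changed
    13: "PAM_ACCT_EXPIRED",
}

# Defender's triage hint: where to look next for each outcome.
NEXT_STEP = {
    "PAM_SYSTEM_ERR": "sssd_pam.log / sssd_<domain>.log with debug_level raised",
    "PAM_PERM_DENIED": "ipa hbactest and the HBAC rules for this host and service",
    "PAM_AUTH_ERR": "krb5kdc.log on the server, password and lockout state",
    "PAM_AUTHINFO_UNAVAIL": "network, DNS and LDAP reachability from the client",
    "PAM_USER_UNKNOWN": "id <user> on the client, sssd id ranges, sssd cache",
    "PAM_NEW_AUTHTOK_REQD": "password expiry (admin-reset passwords expire at once)",
}

RECEIVED_RE = re.compile(
    r"pam_sss\((?P<service>[^:]+):(?P<type>\w+)\): received for (?P<user>\S+): (?P<code>\d+)"
)


def classify_line(line):
    """Return (service, user, code_name, next_step) for a 'received for' line, else None."""
    m = RECEIVED_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    name = PAM_CODES.get(code, "PAM_UNKNOWN_%d" % code)
    return (m.group("service"), m.group("user"), name,
            NEXT_STEP.get(name, "see pam_sss(8) and the sssd logs"))


def summarize(lines):
    """Count outcomes per (user, code_name) over many log lines."""
    counts = Counter()
    for line in lines:
        hit = classify_line(line)
        if hit:
            counts[(hit[1], hit[2])] += 1
    return counts


# Constructed sample lines in the format seen in the thread (not real logs).
SAMPLE_LOG = """\
Jun 29 17:53:11 cuthbert su: pam_sss(su-l:auth): authentication failure; logname=A uid=500 euid=0 tty=pts/1 ruser=A rhost= user=B
Jun 29 17:53:11 cuthbert su: pam_sss(su-l:auth): received for B: 4 (System error)
Jun 29 17:55:02 cuthbert sshd[2101]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=B
Jun 29 17:55:02 cuthbert sshd[2101]: pam_sss(sshd:auth): received for B: 7 (Authentication failure)
Jun 29 17:57:10 cuthbert sshd[2150]: pam_sss(sshd:auth): received for C: 0 (Success)
""".splitlines()

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        hit = classify_line(line)
        if hit:
            print("%-6s %-4s %-20s next: %s" % hit)
    print(summarize(SAMPLE_LOG))
```

The "authentication failure" line that precedes each "received for" line carries no code and is deliberately ignored; the code line is the one that distinguishes a rejected password (7) from a backend fault (4), which is the distinction the question in step 9 turns on.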
Re: [Freeipa-users] How can I change my password from a python script?
Hi Martin:

Thank you once again for your excellent insights. I really appreciate your help. FreeIPA is really impressive.

Regards,

Joe

-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Thursday, June 28, 2012 1:46 AM
To: Joe Linoff
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] How can I change my password from a python script?

On 06/28/2012 03:34 AM, Joe Linoff wrote:
> Hi Everybody:
>
> I need to add a lot of users to an LDAP system for testing and I would
> like to do it in batch mode. For my small tests I have been doing
> something like this:
>
>     #!/bin/bash
>     # Script to create a new user.
>     ipa user-add bigbob \
>         --email=b...@bigbobsemporium.com \
>         --first=Bob \
>         --last=Bigg \
>         --password \
>         --setattr=description='The sales guy.' <<-EOF
>     b1gB0bsTmpPwd
>     b1gB0bsTmpPwd
>     EOF
>
> However, I am a python guy and would like to use it instead. I am sure
> that I can do a similar thing using pexpect in python. Probably something
> like this:
>
>     # This code has not been tested. It is only for a thought experiment.
>     # Add a user and enter the password using pexpect.
>     import sys
>     import pexpect
>
>     cmd = "ipa user-add bigbob --email='bbob@BigBobsEmporium.com' "
>     cmd += "--first=Bob --last=Bigg --password "
>     cmd += "--setattr=description='The sales guy.'"
>     rets = ['Password', 'Enter Password again to verify', pexpect.EOF, pexpect.TIMEOUT]
>     c = pexpect.spawn(cmd, timeout=None)
>     i = c.expect(rets)
>     if i == 0:  # Password
>         c.sendline('b1gB0bsTmpPwd')
>         i = c.expect(rets)
>         if i == 1:  # Enter Password again to verify
>             c.sendline('b1gB0bsTmpPwd')
>             i = c.expect(rets)
>             if i == 2:
>                 print 'SUCCESS'
>             else:
>                 sys.exit('ERROR: something bad happened #1')
>         else:
>             sys.exit('ERROR: something bad happened #2')
>     else:
>         sys.exit('ERROR: something bad happened #3')
>
> But I was wondering whether there was a better way using the IPA API. Is
> there a way for me to do that?
>
> Any help or insights would be greatly appreciated.
>
> Thanks,
>
> Joe

Hello Joe,

if you don't want to use batch command as Petr suggested you can try the following example. It also uses --random option available in recent FreeIPA version to let FreeIPA handle the password generation:

    # cat add-users.py
    #!/usr/bin/env python
    from ipalib import api

    api.bootstrap_with_global_options(context='cli')
    api.finalize()
    api.Backend.xmlclient.connect()

    for i in xrange(5):
        login = u'user%d' % i
        result = api.Command['user_add'](login, givenname=u'Test', \
                                         sn=u'User #%d' % i, random=True)
        password = result['result']['randompassword']
        print "Created user '%s' with password '%s'" % (login, password)

When I execute it:

    # ./add-users.py
    Created user 'user0' with password 'EvzY+Of5pk@+'
    Created user 'user1' with password 'kyRHb9RMFzBO'
    Created user 'user2' with password 'u2mt_oGU_UIX'
    Created user 'user3' with password 'Lm6ONeErNFgz'
    Created user 'user4' with password 'AS=EeFozvbE-'

HTH,
Martin
Re: [Freeipa-users] How can I change my password from a python script?
Hi Petr:

I implemented what you suggested and everything worked pretty well but I ran into three issues that you might be able to help me with.

ISSUE #1

The first issue (and the most important) is that the password is only temporary. I am prompted to reset it the first time that I login. My goal is to setup a working system quickly to test different configurations in a batch fashion but having to reset the password for each user makes that challenging. How can I disable the reset requirement for my test environment?

    ssh user5@cuthbert
    user5@cuthbert's password:
    Password expired. Change your password now.
    Last login: Thu Jun 28 16:29:32 2012 from cuthbert.example.com
    WARNING: Your password has expired.
    You must change your password now and login again!
    Changing password for user user5.
    Current Password:
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    Connection to cuthbert closed.

ISSUE #2

The second issue is really more of a question. I need to add these users to groups. My guess is that I need to setup a similar call using the 'group_add' command. Is that right? If so, do you have an example that I could follow?

ISSUE #3

The third and final issue is that I get a traceback from what appears to be the validation in the batch command. How can I correct that?

    Traceback (most recent call last):
      File "./u1.py", line 35, in <module>
        result = api.Command['batch'](*add_cmds)
      File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 443, in __call__
        self.validate_output(ret)
      File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 903, in validate_output
        nice, o.name, o.type, type(value), value)
    TypeError: batch.validate_output(): output['results']: need type 'list'; got type 'tuple': ({'summary': u'Added user user5', 'result': {'dn': u'uid=user5,cn=users,cn=accounts,dc=example,dc=com', 'has_keytab': True, 'displayname': (u'first last',), 'uid': (u'user5',), 'objectclass': (u'top', u'person', u'organizationalperson', u'inetorgperson', u'inetuser', u'posixaccount', u'krbprincipalaux', u'krbticketpolicyaux', u'ipaobject'), 'loginshell': (u'/bin/bash',), 'uidnumber': (u'785400029',), 'initials': (u'fl',), 'gidnumber': (u'785400029',), 'has_password': True, 'sn': (u'last',), 'homedirectory': (u'/home/user5',), 'mail': (u'us...@example.com',), 'krbprincipalname': (u'us...@example.com',), 'givenname': (u'first',), 'cn': (u'first last',), 'gecos': (u'first last',), 'ipauniqueid': (u'dcc8845e-c178-11e1-b46e-5254006a7e38',)}, 'value': u'user5', 'error': None},)

Regards,

Joe

-----Original Message-----
From: Petr Vobornik [mailto:pvobo...@redhat.com]
Sent: Thursday, June 28, 2012 1:32 AM
To: Joe Linoff
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] How can I change my password from a python script?

On 06/28/2012 03:34 AM, Joe Linoff wrote:
> Hi Everybody:
>
> I need to add a lot of users to an LDAP system for testing and I would
> like to do it in batch mode. For my small tests I have been doing
> something like this:

A batch command might be useful for this case. Example (note that I'm not a python guy):

    #!/usr/bin/env python
    import pprint
    from ipalib import api

    # Bootstrap
    api.bootstrap_with_global_options(context='cli')
    api.finalize()
    api.Backend.xmlclient.connect()

    # Prepare request
    users = [
        (u'Foo', u'Bar', u'f...@foo.baz', u'psw1', u'Sales guy'),
        (u'John', u'Doe', u'j...@foo.baz', u'psw2', u'Tech guy'),
    ]

    add_commands = []
    for user in users:
        (firstname, surname, email, psw, desc) = user
        add_commands.append({
            'method': 'user_add',
            'params': [
                [],
                {
                    'givenname': firstname,
                    'sn': surname,
                    'mail': email,
                    'userpassword': psw,
                    'setattr': "description='" + desc + "'",
                },
            ],
        })

    # Execute as batch
    result = api.Command['batch'](*add_commands)

    # Print
    pp = pprint.PrettyPrinter()
    pp.pprint(result)

>     #!/bin/bash
>     # Script to create a new user.
>     ipa user-add bigbob \
>         --email=b...@bigbobsemporium.com \
>         --first=Bob \
>         --last=Bigg \
>         --password \
>         --setattr=description='The sales guy.' <<-EOF
>     b1gB0bsTmpPwd
>     b1gB0bsTmpPwd
>     EOF
>
> However, I am a python guy and would like to use it instead. I am sure
> that I can do a similar thing using pexpect in python. Probably something
> like this:
>
>     # This code has not been tested. It is only for a thought experiment.
>     # Add a user and enter the password using pexpect.
>     cmd = "ipa user-add bigbob --email='bbob@BigBobsEmporium.com' "
>     cmd += "--first=Bob --last=Bigg --password "
>     cmd += "--setattr=description='The sales guy.'"
>     rets = ['Password', 'Enter Password again to verify', pexpect.EOF, pexpect.TIMEOUT]
>     c = pexpect.spawn(cmd, timeout=None)
>     i = c.expect(rets)
>     if i == 0:  # Password
>         child.sendline
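Petr's batch example and the traceback above show the two halves of the batch interface: each request element is a dict with 'method' and 'params' (a positional-argument list and an options dict), and the reply's 'results' is a sequence of per-command dicts carrying 'summary', 'result', 'value' and 'error'. The code below is an added example written for this page, not code from the thread or from FreeIPA. It builds the same user_add batch but asks the server for a generated password with random=True (the option Martin's add-users.py uses) instead of embedding cleartext passwords in the script, and it digests a reply whether 'results' arrives as a list or a tuple. The reply it parses is constructed by hand from the shapes shown in the thread, so it runs without ipalib.

```python
"""Build a FreeIPA 'batch' request of user_add calls and digest its reply.

Added example for this page (not the thread's code). Assumes the request
and reply shapes visible in the thread; the sample reply is constructed.
"""


def build_user_add_batch(users):
    """users: iterable of (login, givenname, sn, mail) tuples.

    Returns the list that would be passed as api.Command['batch'](*cmds).
    No password is sent: random=True asks the server to generate one.
    """
    cmds = []
    for login, givenname, sn, mail in users:
        cmds.append({
            "method": "user_add",
            "params": [
                [login],  # positional arguments: the uid
                {"givenname": givenname, "sn": sn, "mail": mail, "random": True},
            ],
        })
    return cmds


def digest_batch_reply(reply):
    """Split a batch reply into (created, failed).

    created maps login -> generated password; failed maps login -> error text.
    'results' is accepted as list or tuple: the traceback in the thread shows
    the client library being strict about the type, a consumer need not be.
    """
    created, failed = {}, {}
    for item in reply["results"]:
        login = item.get("value")
        if item.get("error"):
            failed[login] = str(item["error"])
            continue
        result = item.get("result") or {}
        if login is None:
            login = result.get("uid", (None,))[0]
        created[login] = result.get("randompassword")
    return created, failed


# Constructed sample reply in the shape of the thread's batch output
# (one success carrying a server-generated password, one failure).
SAMPLE_REPLY = {
    "count": 2,
    "results": (
        {"summary": u"Added user user5",
         "result": {"uid": (u"user5",), "randompassword": u"EvzY+Of5pk@+",
                    "has_password": True},
         "value": u"user5", "error": None},
        {"summary": None, "result": None,
         "value": u"user6", "error": u'user with name "user6" already exists'},
    ),
}

if __name__ == "__main__":
    cmds = build_user_add_batch([(u"user5", u"first", u"last", u"user5@example.com")])
    print(cmds[0]["method"], cmds[0]["params"])
    # The live call would be: result = api.Command['batch'](*cmds)
    created, failed = digest_batch_reply(SAMPLE_REPLY)
    print("created:", sorted(created))
    print("failed:", failed)
```

Generated passwords come back once, in result['randompassword'], so a script that uses them has to hand each one to its user out of band and not log it; the built request itself never contains a secret, which is the point of preferring random=True over userpassword in batch scripts.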
Re: [Freeipa-users] What is the best way to make batch changes to the LDAP?
Hi Martin:

Excellent! Thank you.

Regards,

Joe

-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Tuesday, June 26, 2012 11:34 PM
To: Joe Linoff
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] What is the best way to make batch changes to the LDAP?

On 06/27/2012 01:56 AM, Joe Linoff wrote:
> Hi Everybody:
>
> Here is a python approach that I am experimenting with based on reading
> the source code. It seems to work but is it re-entrant? Does this make
> sense? Is there a better way (like ldapmodify)?
>
>     #!/usr/bin/env python
>     #
>     # Emulate the ipa command line interface in a script so that
>     # to batch some updates.
>     #
>     import sys
>     import shlex
>     from ipalib import api, cli
>
>     #
>     # bootstrap
>     #
>     def bootstrap():
>         """Bootstrap the script.
>
>         I hope that all of this stuff is re-entrant.
>         Also, api is defined in __init__.py.
>         """
>         api.bootstrap_with_global_options(context='cli')
>         for klass in cli.cli_plugins:
>             api.register(klass)
>         api.load_plugins()
>         api.finalize()
>         if not 'config_loaded' in api.env:
>             raise NotConfiguredError()
>
>     #
>     # cmd
>     #
>     def cmd(cmd):
>         """Execute an IPA command.
>
>         The command is entered as a string. I use shlex.split to
>         break it into an args list.
>
>         @param cmd The command to execute (as a string).
>         """
>         print
>         print '# %s' % ('='*64)
>         print '# CMD: %s' % (cmd)
>         print '# %s' % ('='*64)
>         args = shlex.split(cmd)
>         api.Backend.cli.run(args)
>
>     if __name__ == '__main__':
>         bootstrap()
>
>         # Some test calls.
>         cmd('help')
>         cmd('help user')
>         cmd('help user-mod')
>
>         # Update the fields.
>         users = ['bob', 'carol', 'ted', 'alice']
>         mod = '--street="123 Main Street" --city=Anytown --state=AK --postalcode=12345'
>         for user in users:
>             cmd('user-mod %s %s' % (user, mod))
>
> Regards,
>
> Joe
>
> *From:* Joe Linoff
> *Sent:* Tuesday, June 26, 2012 3:04 PM
> *To:* freeipa-users@redhat.com
> *Cc:* Joe Linoff
> *Subject:* What is the best way to make batch changes to the LDAP?
>
> Hi Everybody:
>
> I need to change the mailing address information for a group of employees
> in the FreeIPA LDAP and would like to do it in a script. I know that I can
> do it using ipa user-mod in a shell script but I was wondering whether I
> could use python. Does using python make sense? If so, are there any
> examples that I can look at? It seems that I could import ipalib and go
> from there but I am not sure if there is a simple interface for doing user
> modifications.
>
> Any help would be greatly appreciated.
>
> Thanks,
>
> Joe

Hello Joe,

This is a very good start. But it can be made even easier, without any command line option parsing. Please see the following example to simply modify users in Python:

    # kinit admin
    Password for ad...@idm.lab.bos.redhat.com:
    # python
    >>> from ipalib import api
    >>> api.bootstrap_with_global_options(context='cli')
    >>> api.finalize()
    >>> api.Backend.xmlclient.connect()
    >>> # Lets see custom user fbar
    >>> api.Command['user_show'](u'admin')
    {'result': {'dn': u'uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com', 'has_keytab': True, 'uid': (u'admin',), 'loginshell': (u'/bin/bash',), 'uidnumber': (u'6520',), 'gidnumber': (u'6520',), 'memberof_group': (u'admins', u'trust admins'), 'has_password': True, 'sn': (u'Administrator',), 'homedirectory': (u'/home/admin',), 'nsaccountlock': False}, 'value': u'admin', 'summary': None}
    >>> # See that result is a native Python dictionary, i.e. very easy to manipulate later
    >>> # Now lets try to modify user's address:
    >>> api.Command['user_mod'](u'fbar', street=u'221B Baker Street', l=u'London', st=u'UK', postalcode=u'NW1 6XE')
    {'result': {'has_keytab': True, 'street': (u'221B Baker Street',), 'uid': (u'fbar',), 'loginshell': (u'/bin/sh',), 'uidnumber': (u'6521',), 'l': (u'London',), 'st': (u'UK',), 'gidnumber': (u'6521',), 'memberof_group': (u'ipausers',), 'has_password': True, 'sn': (u'Bar',), 'homedirectory': (u'/home/fbar',), 'postalcode': (u'NW1 6XE',), 'memberof_role': (u'foo',), 'givenname': (u'Foo',), 'nsaccountlock': False}, 'value': u'fbar', 'summary': u'Modified user fbar'}

The user is now modified, I can verify it with standard CLI command:

    # ipa user-show fbar --all
    dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
    User login: fbar
    ...
    Street address: 221B Baker Street
    City: London
    State/Province: UK
    ZIP: NW1 6XE
    ...

Our source code is a good source of information (I used it to find out exact names of the command
Re: [Freeipa-users] What is the best way to make batch changes to the LDAP?
Hi Martin:

Just a quick follow up: your suggestion worked great. Here is a little code fragment that emulates the ipa user-find --all operation. I am including it in the hopes that it will help someone else.

START
#!/usr/bin/env python
#
# Demonstrate how to get the contents of the command
# ipa user-find --all in python data structures based on the
# insights provided by Martin Kosek on the freeipa-users@redhat.com
# mailing list.
#
# It also demonstrates how to iterate over the list and grab
# individual fields.
#
import pprint
from ipalib import api

# Bootstrap.
api.bootstrap_with_global_options(context='cli')
api.finalize()
api.Backend.xmlclient.connect()

# Load the records.
recs = api.Command['user_find'](all=True)

# Dump the whole data structure -- with nice formatting.
pprint.PrettyPrinter(indent=4).pprint(recs)

# Print out the uid and email information.
# Note that the gratuitous conversion from unicode to UTF8 and the use
# of a lambda function instead of an if/then were only for fun.
print '---'
for i in range(recs['count']):
    result = recs['result'][i]
    uid = result['uid'][0].encode('utf8')
    # Email can be NULL: the 'mail' attribute is simply absent from the entry.
    email = (lambda f: result[f][0].encode('utf8') if f in result else 'None')('mail')
    print '%-20s %s' % (uid, email)
END

Thanks,

Joe

-Original Message-
From: Joe Linoff
Sent: Wednesday, June 27, 2012 11:02 AM
To: Martin Kosek
Cc: freeipa-users@redhat.com; Joe Linoff
Subject: RE: [Freeipa-users] What is the best way to make batch changes to the LDAP?

Hi Martin:

Excellent! Thank you.

Regards,

Joe

-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Tuesday, June 26, 2012 11:34 PM
To: Joe Linoff
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] What is the best way to make batch changes to the LDAP?

On 06/27/2012 01:56 AM, Joe Linoff wrote:

Hi Everybody:

Here is a python approach that I am experimenting with based on reading the source code. It seems to work but is it re-entrant? Does this make sense? Is there a better way (like ldapmodify)?

#!/usr/bin/env python
#
# Emulate the ipa command line interface in a script so that
# I can batch some updates.
#
import sys
import shlex
from ipalib import api, cli
# The exception the ipa CLI itself raises when IPA is not configured.
from ipalib.errors import NotConfiguredError

#
# bootstrap
#
def bootstrap():
    """Bootstrap the script.

    I hope that all of this stuff is re-entrant.
    Also, api is defined in __init__.py.
    """
    api.bootstrap_with_global_options(context='cli')
    for klass in cli.cli_plugins:
        api.register(klass)
    api.load_plugins()
    api.finalize()
    if not 'config_loaded' in api.env:
        raise NotConfiguredError()

#
# cmd
#
def cmd(cmd):
    """Execute an IPA command.

    The command is entered as a string. I use shlex.split to break it
    into an args list.

    @param cmd The command to execute (as a string).
    """
    print
    print '# %s' % ('=' * 64)
    print '# CMD: %s' % (cmd)
    print '# %s' % ('=' * 64)
    args = shlex.split(cmd)
    api.Backend.cli.run(args)

if __name__ == '__main__':
    bootstrap()

    # Some test calls.
    cmd('help')
    cmd('help user')
    cmd('help user-mod')

    # Update the fields.  The street value contains spaces, so it must be
    # quoted or shlex.split will break it into three separate arguments.
    users = ['bob', 'carol', 'ted', 'alice']
    mod = '--street="123 Main Street" --city=Anytown --state=AK --postalcode=12345'
    for user in users:
        cmd('user-mod %s %s' % (user, mod))

Regards,

Joe

*From:* Joe Linoff
*Sent:* Tuesday, June 26, 2012 3:04 PM
*To:* freeipa-users@redhat.com
*Cc:* Joe Linoff
*Subject:* What is the best way to make batch changes to the LDAP?

Hi Everybody:

I need to change the mailing address information for a group of employees in the FreeIPA LDAP and would like to do it in a script. I know that I can do it using ipa user-mod in a shell script but I was wondering whether I could use python. Does using python make sense? If so, are there any examples that I can look at? It seems that I could import ipalib and go from there but I am not sure if there is a simple interface for doing user modifications. Any help would be greatly appreciated.

Thanks,

Joe

Hello Joe,

This is a very good start. But it can be made even easier, without any command line option parsing. Please see the following example to simply modify users in Python:

# kinit admin
Password for ad...@idm.lab.bos.redhat.com:
# python
from ipalib import api
api.bootstrap_with_global_options(context='cli')
api.finalize()
api.Backend.xmlclient.connect()
# Let's see custom user fbar
[Freeipa-users] How can I change my password from a python script?
Hi Everybody:

I need to add a lot of users to an LDAP system for testing and I would like to do it in batch mode. For my small tests I have been doing something like this:

#!/bin/bash
# Script to create a new user.
ipa user-add bigbob \
    --email=b...@bigbobsemporium.com \
    --first=Bob \
    --last=Bigg \
    --password \
    --setattr=description='The sales guy.' <<EOF
b1gB0bsTmpPwd
b1gB0bsTmpPwd
EOF

However, I am a python guy and would like to use it instead. I am sure that I can do a similar thing using pexpect in python. Probably something like this:

# This code has not been tested. It is only for a thought experiment.
# Add a user and enter the password using pexpect.
import sys
import pexpect

cmd = "ipa user-add bigbob --email='bbob@BigBobsEmporium.' "
cmd += "--first=Bob --last=Bigg --password "
cmd += "--setattr=description='The sales guy.'"
# Patterns to wait for; EOF and TIMEOUT are pexpect sentinels, not strings.
rets = ['Password', 'Enter Password again to verify', pexpect.EOF, pexpect.TIMEOUT]
c = pexpect.spawn(cmd, timeout=None)
i = c.expect(rets)
if i == 0:  # Password
    c.sendline('b1gB0bsTmpPwd')
    i = c.expect(rets)
    if i == 1:  # Enter Password again to verify
        c.sendline('b1gB0bsTmpPwd')
        i = c.expect(rets)
        if i == 2:  # EOF: the command finished
            print 'SUCCESS'
        else:
            sys.exit('ERROR: something bad happened #1')
    else:
        sys.exit('ERROR: something bad happened #2')
else:
    sys.exit('ERROR: something bad happened #3')

But I was wondering whether there was a better way using the IPA API. Is there a way for me to do that? Any help or insights would be greatly appreciated.

Thanks,

Joe

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] What is the best way to make batch changes to the LDAP?
Hi Everybody:

Here is a python approach that I am experimenting with based on reading the source code. It seems to work but is it re-entrant? Does this make sense? Is there a better way (like ldapmodify)?

#!/usr/bin/env python
#
# Emulate the ipa command line interface in a script so that
# I can batch some updates.
#
import sys
import shlex
from ipalib import api, cli
# The exception the ipa CLI itself raises when IPA is not configured.
from ipalib.errors import NotConfiguredError

#
# bootstrap
#
def bootstrap():
    """Bootstrap the script.

    I hope that all of this stuff is re-entrant.
    Also, api is defined in __init__.py.
    """
    api.bootstrap_with_global_options(context='cli')
    for klass in cli.cli_plugins:
        api.register(klass)
    api.load_plugins()
    api.finalize()
    if not 'config_loaded' in api.env:
        raise NotConfiguredError()

#
# cmd
#
def cmd(cmd):
    """Execute an IPA command.

    The command is entered as a string. I use shlex.split to break it
    into an args list.

    @param cmd The command to execute (as a string).
    """
    print
    print '# %s' % ('=' * 64)
    print '# CMD: %s' % (cmd)
    print '# %s' % ('=' * 64)
    args = shlex.split(cmd)
    api.Backend.cli.run(args)

if __name__ == '__main__':
    bootstrap()

    # Some test calls.
    cmd('help')
    cmd('help user')
    cmd('help user-mod')

    # Update the fields.  The street value contains spaces, so it must be
    # quoted or shlex.split will break it into three separate arguments.
    users = ['bob', 'carol', 'ted', 'alice']
    mod = '--street="123 Main Street" --city=Anytown --state=AK --postalcode=12345'
    for user in users:
        cmd('user-mod %s %s' % (user, mod))

Regards,

Joe

From: Joe Linoff
Sent: Tuesday, June 26, 2012 3:04 PM
To: freeipa-users@redhat.com
Cc: Joe Linoff
Subject: What is the best way to make batch changes to the LDAP?

Hi Everybody:

I need to change the mailing address information for a group of employees in the FreeIPA LDAP and would like to do it in a script. I know that I can do it using ipa user-mod in a shell script but I was wondering whether I could use python. Does using python make sense? If so, are there any examples that I can look at? It seems that I could import ipalib and go from there but I am not sure if there is a simple interface for doing user modifications. Any help would be greatly appreciated.
Thanks, Joe ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Transfer user database to FreeIPA LDAP
You do not need to populate the Kerberos password fields directly. Once you migrate your DB users to LDAP, if you enable IPA's migration mode (see the docs on how), the next time a user binds to LDAP using their existing password, a pre-bind plugin on FreeIPA will catch the plaintext password and use it to populate the Kerberos password fields automatically.

Thank you, that makes sense but my problem is doing the initial migration. How do I get the existing user data into LDAP using the hashed password from the old database?

Regards,

Joe

-Original Message-
From: Stephen Gallagher [mailto:sgall...@redhat.com]
Sent: Monday, June 25, 2012 4:20 AM
To: Joe Linoff
Cc: Mark Reynolds; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Transfer user database to FreeIPA LDAP

On Sun, 2012-06-24 at 15:10 -0700, Joe Linoff wrote:

Hi Mark:

I did not find any entries related to passwords in the LDAP record. There were some entries that looked as though they were related to Kerberos which might be useful.

% ldapsearch -LLL -x -b uid=bigbob,cn=users,cn=accounts,dc=example,dc=com | grep ^krb
krbPwdPolicyReference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=sw,dc=
krbPrincipalName: big...@example.com
krbLastPwdChange: 20120530170153Z
krbPasswordExpiration: 20120828170153Z
krbExtraData:: AAgBAA==
krbExtraData:: AAKBUsZPc3Nob3J0QFNXLlRBQlVMQS5DT00A
krbLastSuccessfulAuth: 20120621180658Z
krbLastFailedAuth: 20120620013218Z
krbLoginFailedCount: 0

Unfortunately, I am new to IPA so I don't yet understand the internals for password management. Can you suggest any documentation I can read? I am fairly familiar with LDAP and Kerberos.

You do not need to populate the Kerberos password fields directly. Once you migrate your DB users to LDAP, if you enable IPA's migration mode (see the docs on how), the next time a user binds to LDAP using their existing password, a pre-bind plugin on FreeIPA will catch the plaintext password and use it to populate the Kerberos password fields automatically.

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Transfer user database to FreeIPA LDAP
Hi Simo:

Normally this is not actually allowed, the reason is that kerberos needs keys generated, and can't work with the userPassword hash, so we prevent storing any hash in userPassword and reject any attempt that does not involve a clear text password.

That makes sense. Thank you for clearing that up.

However if you enable the migration mode we do allow to set the hash, what we expect then is to have either users or some application to authenticate via an ldap bind that sends a clear text password. While in migration mode, a bind will check if the password is valid, and if it is it will generate the kerberos keys out of it.

That also makes sense and it is a great way to transfer users from an existing LDAP to FreeIPA. Unfortunately, the problem I have is that I have the user data and the hashed password in a standalone database and I want to move it into FreeIPA without requiring the users to re-authenticate. I do not have a plaintext password and I do not have an LDAP DB. From what you and Mark have said, I need to find a way to emulate migration mode for my setup or, if possible, insert the existing hash directly in Kerberos. Does that make sense?

Regards,

Joe

-Original Message-
From: Simo Sorce [mailto:s...@redhat.com]
Sent: Monday, June 25, 2012 4:50 AM
To: Mark Reynolds
Cc: Joe Linoff; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Transfer user database to FreeIPA LDAP

On Sun, 2012-06-24 at 15:49 -0400, Mark Reynolds wrote:

Hi Joe,

I'm not really an IPA guy, but IPA uses 389 directory server as its backend. You would need to convert your DB entries to LDAP entries, but 389 supports your password type, so it should not be a problem if you copy paste the password hashes. LDAP expects the password to be something like:

userpassword: {SSHA}cchzM+LrPCvbZdthOC8e62d4h7a4CfoNvl6d/w==

Mark

Normally this is not actually allowed, the reason is that kerberos needs keys generated, and can't work with the userPassword hash, so we prevent storing any hash in userPassword and reject any attempt that does not involve a clear text password.

However if you enable the migration mode we do allow to set the hash, what we expect then is to have either users or some application to authenticate via an ldap bind that sends a clear text password. While in migration mode, a bind will check if the password is valid, and if it is it will generate the kerberos keys out of it.

Simo.

-- Simo Sorce * Red Hat, Inc * New York

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Transfer user database to FreeIPA LDAP
Hi Simo:

I really appreciate your help.

If users authenticate by passing in a username/password combo you have various options, in the sense you should be able to modify the cakePHP application to recalculate a valid SHA hash and dump it into a file.

That would be great.

If the app db already contains a good hash that is supported by 389ds then you can simply grab the hashes from there.

I believe that it does. I perused the CakePHP code and found that it used this algorithm to create the password:

// PHP (string concatenation is '.', not '+')
$salt = Configure::read('Security.salt');
$phpPasswd = sha1($salt . $plaintext);
// Same as Security::hash($plaintext, 'sha1', true);

Here is the same algorithm in python along with an LDAP encoding using SHA. They are embedding the salt along with the password so it is not SSHA.

# python
import hashlib
# Standard base64, not the URL-safe alphabet: LDAP {SHA} values use '+' and '/'.
from base64 import b64encode

salt = constantValueFromConfigFile()   # Security.salt from the CakePHP config
plaintext = 'the-users-password'       # placeholder

# SHA1 hash of the salt prepended to the plaintext, exactly as CakePHP does it.
h = hashlib.sha1(salt + plaintext)

# PHP password string (hex digest, as stored in the CakePHP DB).
phpPasswd = h.hexdigest()

# LDAP password - this won't work for the userPassword field.
ldapPasswd = '{SHA}' + b64encode(h.digest())  # OpenLDAP format

# LDAP userPassword attribute format is the base64 MIME encoded version of above.
# This is what you see when you run a command like:
#   ldapsearch -LLL -x -w passwd -D 'cn=Directory Manager' \
#       -b 'cn=user,cn=accounts,dc=example,dc=com' userpassword
userPasswd = b64encode(ldapPasswd)

Once you have hashes you can create a script that lists users in cakePHP and for each of them create a new freeipa users via ipa user-add

Ok. That sounds straightforward.

Then you switch to migration mode and you can use another script to store the hashes you collected in each user's userPassword field.

That would be perfect but how do I switch to migration mode? Can I simply bind as the Directory Manager and update the userPassword field using something like ldapmodify or is there a better way? Is there an example of a script like this that I can look at?

Finally change your cakePHP app to make an ldap bind to authenticate users instead of checking its own database.

Yup.

This procedure requires some advanced scripting ability, and minor segues into firing a few ldapmodify commands with a very simple template ldif and a couple substitutions. However this is a possible solution.

Yup, I really like it. I am going to give it a try. Should I use the ipalib/plugins/migration.py as a starting point or is there a more relevant module?

Thanks,

Joe

-Original Message-
From: Simo Sorce [mailto:s...@redhat.com]
Sent: Monday, June 25, 2012 6:07 AM
To: Joe Linoff
Cc: Mark Reynolds; freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Transfer user database to FreeIPA LDAP

On Mon, 2012-06-25 at 05:57 -0700, Joe Linoff wrote:

Unfortunately, the problem I have is that I have the user data and the hashed password in a standalone database and I want to move it into FreeIPA without requiring the users to re-authenticate. I do not have a plaintext password and I do not have an LDAP DB. From what you and Mark have said, I need to find a way to emulate migration mode for my setup or, if possible, insert the existing hash directly in Kerberos. Does that make sense?

Not really. A few questions:
- how do users authenticate to CakePHP at the moment ?
- how are passwords stored in your current DB ?

If users authenticate by passing in a username/password combo you have various options, in the sense you should be able to modify the cakePHP application to recalculate a valid SHA hash and dump it into a file.

If the app db already contains a good hash that is supported by 389ds then you can simply grab the hashes from there.

Once you have hashes you can create a script that lists users in cakePHP and for each of them create a new freeipa users via ipa user-add

Then you switch to migration mode and you can use another script to store the hashes you collected in each user's userPassword field.

Finally change your cakePHP app to make an ldap bind to authenticate users instead of checking its own database.

This procedure requires some advanced scripting ability, and minor segues into firing a few ldapmodify commands with a very simple template ldif and a couple substitutions. However this is a possible solution.

Simo.

-- Simo Sorce * Red Hat, Inc * New York

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
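Joe's hash conversion and Simo's procedure above (ipa user-add for each user, switch to migration mode, ldapmodify the collected hash into userPassword) both hinge on one thing the thread leaves open: whether a CakePHP sha1(salt . password) digest is "a good hash that is supported by 389ds", i.e. something the directory can verify when the user later binds with the bare password. The Python 3 example below is added here for that check; it is not code from the thread, from CakePHP or from FreeIPA. It implements the CakePHP hash, the {SHA} and {SSHA} storage schemes as 389 DS and OpenLDAP define them (base64 of sha1(password), and base64 of sha1(password || salt) || salt), the comparison a bind performs against them, and the LDIF for the ldapmodify step. The salt, the password, the uid and the base DN are constructed sample values.

```python
import base64
import hashlib
import os

# Constructed sample values (not from the thread): a CakePHP Security.salt and
# one user's plaintext password.
CAKE_SALT = b"DYhG93b0qyJfIxfs2guVoUubWwvniR2G0FgaC9mi"
PLAINTEXT = b"b1gB0bsTmpPwd"


def cakephp_hash(salt, plaintext):
    """CakePHP Security::hash($plaintext, 'sha1', true): hex of sha1(salt . password).
    The salt is prepended and is NOT stored alongside the digest."""
    return hashlib.sha1(salt + plaintext).hexdigest()


def ldap_sha(plaintext):
    """{SHA} scheme as 389 DS / OpenLDAP store it: base64 of an unsalted SHA-1 digest."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(plaintext).digest()).decode("ascii")


def ldap_ssha(plaintext, salt=None):
    """{SSHA} scheme: base64( sha1(password || salt) || salt ); salt appended, not prepended."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(plaintext + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ldap_verify(stored, candidate):
    """Compare a bind password with a {SHA}/{SSHA} userPassword value the way the
    directory server does; a migration-mode bind must pass this comparison
    before FreeIPA can derive Kerberos keys from the plaintext it just saw."""
    if stored.startswith("{SHA}"):
        return hashlib.sha1(candidate).digest() == base64.b64decode(stored[5:])
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]
        return hashlib.sha1(candidate + salt).digest() == digest
    raise ValueError("unsupported password scheme in %r" % stored[:8])


def cake_hash_as_ldap_sha(cake_hex):
    """Wrap the CakePHP hex digest in {SHA}: this is what copying the DB hash
    straight into userPassword amounts to."""
    return "{SHA}" + base64.b64encode(bytes.fromhex(cake_hex)).decode("ascii")


def migration_ldif(uid, basedn, user_password):
    """LDIF for the ldapmodify step that stores a collected hash in userPassword
    while FreeIPA is in migration mode.  The value is written base64 ('::') so
    the {SCHEME} prefix never needs escaping."""
    dn = "uid=%s,cn=users,cn=accounts,%s" % (uid, basedn)
    b64 = base64.b64encode(user_password.encode("ascii")).decode("ascii")
    return "dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword:: %s\n" % (dn, b64)


def migration_check(salt=CAKE_SALT, plaintext=PLAINTEXT):
    """Run the compatibility check for one user and return the outcomes."""
    copied = cake_hash_as_ldap_sha(cakephp_hash(salt, plaintext))
    recomputed = ldap_ssha(plaintext)  # produced by the app at the user's next login
    return {
        # The copied CakePHP digest never verifies for the password the user types...
        "copied_hash_verifies_password": ldap_verify(copied, plaintext),
        # ...because what it really encodes is sha1(salt || password).
        "copied_hash_verifies_salted_input": ldap_verify(copied, salt + plaintext),
        # A hash recomputed from the plaintext in a 389 DS scheme does verify.
        "recomputed_hash_verifies_password": ldap_verify(recomputed, plaintext),
        "recomputed_hash_rejects_wrong_password": ldap_verify(recomputed, b"wrong"),
        "ldif": migration_ldif("bigbob", "dc=example,dc=com", recomputed),
    }


if __name__ == "__main__":
    for key, value in migration_check().items():
        print("%s: %s" % (key, value))
```

The outcome is the caveat a migration plan needs: the copied digest only verifies against salt || password, which no user will ever type, so a migration-mode bind would fail for every account. The digests have to be recomputed in a scheme 389 DS understands from the plaintext the application sees at login (Simo's first option), and only then does the ldapmodify step, fed with LDIF like the one the last function emits, do what the thread intends.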
[Freeipa-users] Transfer user database to FreeIPA LDAP
Hi Everybody: We have a legacy web based application (CakePHP) that stores user data in a DB and I would like to transfer that information to a FreeIPA Identity Management Server without requiring the users to re-enter their passwords (if possible). How would I do that? I know that the DB stores the password as a SHA-1 hash with a salt. I was hoping that there was a way for the administrator to directly copy the SHA-1 password hash from the DB into the Free-IPA LDAP for the user but I don't even know if that is a reasonable expectation. Any help would be greatly appreciated. Thanks, Joe ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Transfer user database to FreeIPA LDAP
Hi Mark:

Thank you, that is really helpful.

Regards,

Joe

From: Mark Reynolds [mailto:marey...@redhat.com]
Sent: Sunday, June 24, 2012 12:49 PM
To: Joe Linoff
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Transfer user database to FreeIPA LDAP

Hi Joe,

I'm not really an IPA guy, but IPA uses 389 directory server as its backend. You would need to convert your DB entries to LDAP entries, but 389 supports your password type, so it should not be a problem if you copy paste the password hashes. LDAP expects the password to be something like:

userpassword: {SSHA}cchzM+LrPCvbZdthOC8e62d4h7a4CfoNvl6d/w==

Mark

On 06/24/2012 02:30 PM, Joe Linoff wrote:

Hi Everybody:

We have a legacy web based application (CakePHP) that stores user data in a DB and I would like to transfer that information to a FreeIPA Identity Management Server without requiring the users to re-enter their passwords (if possible). How would I do that? I know that the DB stores the password as a SHA-1 hash with a salt. I was hoping that there was a way for the administrator to directly copy the SHA-1 password hash from the DB into the Free-IPA LDAP for the user but I don't even know if that is a reasonable expectation. Any help would be greatly appreciated.

Thanks,

Joe

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users

-- Mark Reynolds Senior Software Engineer Red Hat, Inc mreyno...@redhat.com

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Transfer user database to FreeIPA LDAP
Hi Mark:

I did not find any entries related to passwords in the LDAP record. There were some entries that looked as though they were related to Kerberos which might be useful.

% ldapsearch -LLL -x -b uid=bigbob,cn=users,cn=accounts,dc=example,dc=com | grep ^krb
krbPwdPolicyReference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=sw,dc=
krbPrincipalName: big...@example.com
krbLastPwdChange: 20120530170153Z
krbPasswordExpiration: 20120828170153Z
krbExtraData:: AAgBAA==
krbExtraData:: AAKBUsZPc3Nob3J0QFNXLlRBQlVMQS5DT00A
krbLastSuccessfulAuth: 20120621180658Z
krbLastFailedAuth: 20120620013218Z
krbLoginFailedCount: 0

Unfortunately, I am new to IPA so I don't yet understand the internals for password management. Can you suggest any documentation I can read? I am fairly familiar with LDAP and Kerberos.

Thanks,

Joe

From: Joe Linoff
Sent: Sunday, June 24, 2012 2:43 PM
To: Mark Reynolds
Cc: freeipa-users@redhat.com; Joe Linoff
Subject: RE: [Freeipa-users] Transfer user database to FreeIPA LDAP

Hi Mark:

Thank you, that is really helpful.

Regards,

Joe

From: Mark Reynolds [mailto:marey...@redhat.com]
Sent: Sunday, June 24, 2012 12:49 PM
To: Joe Linoff
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Transfer user database to FreeIPA LDAP

Hi Joe,

I'm not really an IPA guy, but IPA uses 389 directory server as its backend. You would need to convert your DB entries to LDAP entries, but 389 supports your password type, so it should not be a problem if you copy paste the password hashes. LDAP expects the password to be something like:

userpassword: {SSHA}cchzM+LrPCvbZdthOC8e62d4h7a4CfoNvl6d/w==

Mark

On 06/24/2012 02:30 PM, Joe Linoff wrote:

Hi Everybody:

We have a legacy web based application (CakePHP) that stores user data in a DB and I would like to transfer that information to a FreeIPA Identity Management Server without requiring the users to re-enter their passwords (if possible). How would I do that? I know that the DB stores the password as a SHA-1 hash with a salt. I was hoping that there was a way for the administrator to directly copy the SHA-1 password hash from the DB into the Free-IPA LDAP for the user but I don't even know if that is a reasonable expectation. Any help would be greatly appreciated.

Thanks,

Joe

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users

-- Mark Reynolds Senior Software Engineer Red Hat, Inc mreyno...@redhat.com

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] IPA client ldapsearch
Hi: This is a best practices question. I am really impressed with FreeIPA and I want to make sure that I follow the recommended usage paradigms. What is the best way to do a ldapsearch operation on a FreeIPA client? One approach would be to install LDAP utilities on the client and run ldapsearch. Another approach might be to install the ipa-admintools package on the client. Since all I want to do is a simple query (like ipa user-find on the ipa-server), I wasn't sure whether the ipa-admintools made sense. Thanks, Joe ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA client ldapsearch
Hi Rob:

Your best bet is to use the ipa-admintools package.

Thank you, I appreciate the help. As you suggested, I will use the ipa-admintools package.

You probably don't want to install this on every client.

That makes sense.

Regards,

Joe

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Wednesday, June 20, 2012 11:26 AM
To: Joe Linoff
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA client ldapsearch

Joe Linoff wrote:

Hi:

This is a best practices question. I am really impressed with FreeIPA and I want to make sure that I follow the recommended usage paradigms. What is the best way to do a ldapsearch operation on a FreeIPA client? One approach would be to install LDAP utilities on the client and run ldapsearch. Another approach might be to install the ipa-admintools package on the client. Since all I want to do is a simple query (like ipa user-find on the ipa-server), I wasn't sure whether the ipa-admintools made sense.

Your best bet is to use the ipa-admintools package. This way you don't have to worry about the LDAP internals. If you have some need for something the tools can't provide you can always fall back to using ldapsearch.

You probably don't want to install this on every client.

rob

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] ipa client - turn off NetworkManager?
Hi: I read somewhere that I should turn off the NetworkManager service on the IPA server. Should I do same on the clients? Thanks, Joe ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Administration question: root user
Thank you. I really appreciate your help and for taking the time to answer so quickly. I will NOT manage root through FreeIPA. Regards, Joe -Original Message- From: Stephen Gallagher [mailto:sgall...@redhat.com] Sent: Wednesday, June 06, 2012 7:15 AM To: Joe Linoff Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Administration question: root user On Wed, 2012-06-06 at 06:59 -0700, Joe Linoff wrote: Hi Folks: I am a newbie so I apologize in advance if this is a silly set of questions. I am using FreeIPA 2.1.3 on CentOS 6.2 and am very happy with it but I have a couple of questions about root access. When I setup my systems, I configured root manually on each of them. Does it make sense to define the root user in FreeIPA? No, this is unsafe. You always want to be able to log in locally as root if something goes wrong. We specifically exclude 'root' from being managed by SSSD for this reason. Is it desirable from a security and administration perspective? Absolutely not. Your better bet would be to maintain SUDO rules on each of the systems instead. If it does make sense, is it as simple as adding the “root” user in “ipa user-add”? Please don't :) ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Setting up sudo clients
Hi Folks:

I am trying to configure sudo clients using FreeIPA 2.1.3 on CentOS 6.2 but I am running into a problem that I do not know how to debug. I used the instructions provided here: http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html. The server installation went fine and I even did a sudo client installation on the server which worked well. Unfortunately, when I did the same client setup on another host in the network I got the message "user not in sudoers files" when I tried to execute a command.

Here is the output from /var/log/secure on the client. I didn't see anything strange on the server. The user name is bigbob.

Jun 6 10:38:35 docs unix_chkpwd[8737]: password check failed for user (bigbob)
Jun 6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun 6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun 6 10:38:36 docs sudo: bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls
Jun 6 10:44:09 docs unix_chkpwd[8767]: password check failed for user (bigbob)
Jun 6 10:44:09 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun 6 10:44:10 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun 6 10:44:10 docs sudo: bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/pwd

The command /bin/pwd is in the sudo commands and in the sudo command group. Any help would be greatly appreciated.

Here are the setup steps that I performed on the client. The domain is foo.example.com.

# CITATION: http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html
#
# Update /etc/nsswitch.conf
#
cat >> /etc/nsswitch.conf <<EOF
#
# FreeIPA sudo support
#
sudoers: files ldap
sudoers_debug: 1
EOF

#
# Insert this just after the ipa_server line and restart sssd:
#   ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com
#
cat /etc/sssd/sssd.conf | \
    awk '{print $0; if ($1 == "ipa_server") {printf("ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com\n");}}' > /tmp/x
cp /tmp/x /etc/sssd/sssd.conf
rm -f /tmp/x
service sssd restart

#
# Create the /etc/nslcd.conf file
#
ls /etc/nslcd.conf
cat > /etc/nslcd.conf <<EOF
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=example,dc=com
bindpw pwd/sudo
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://cuthbert.foo.example.com
sudoers_base ou=SUDOers,dc=foo,dc=example,dc=com
EOF

#
# Set the NIS domain name (even though NIS is not used)
#
nisdomainname foo.example.com

Thank you,

Joe

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] FreeIPA 2.1 - restrict users to a set of hosts
Hi Mark:

Thank you for your suggestion. I will try it later today.

Regards,

Joe

-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Sunday, June 03, 2012 11:40 PM
To: Joe Linoff
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA 2.1 - restrict users to a set of hosts

On Sat, 2012-06-02 at 06:52 -0700, Joe Linoff wrote:

Hi:

I am a newbie that is trying out FreeIPA for the first time. So far I am extremely impressed with this system but I ran into a problem that I need some help with. I am trying to figure out how to use HBAC to restrict a set of users to a specific set of hosts but I am not having any success.

Here is the problem statement: I have 2 users: “user1” and “user2” that should only be able to access the host “foobar” on my network. There are many other possible hosts (like “wombat”) that they cannot access. They can login from anywhere using “ssh”. The goal is to restrict students to a specific set of machines.

What I tried to do was this:
1. Create a user group called “restricted-users” which I could add users to.
2. Create a HBAC rule named “restricted-users” that
   a. Defines the host I want to allow them access to (“restricted-host”).
   b. Defines the user group that is affected by this rule (“restricted-users”).
   c. Defines the services they are allowed to use on that host (including login).
3. Create a user named “user1” that is enrolled in the “restricted-users” group.

I then tried this experiment:
1. ssh –Y user1@foobar
   a. It worked like a charm. The login worked correctly.
2. ssh –Y user1@wombat
   a. It also worked like a charm but in this case it was undesired behavior.

I am sure that I am missing something really obvious. Any help would be greatly appreciated.

Errata:
1. OS: CentOS 6.2
2. FreeIPA: v2.1.3 (9el6)

Thank you,

Joe

Hello Joe,

did you disable the default allow_all HBAC rule?

# ipa hbacrule-show allow_all
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE

With this rule disabled, the policy you described should be properly enforced. When testing HBAC rules you may want to try the CLI and Web UI interface to the hbactest command, which can help you to test who can use what service on which machine and also which rules did match when the access was allowed.

HTH,
Martin

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] FreeIPA 2.1 - restrict users to a set of hosts
Thank you both. Turning off allow_all did the trick. Now everything works perfectly. This tool rocks!

Thanks,

Joe

-Original Message-
From: Stephen Gallagher [mailto:sgall...@redhat.com]
Sent: Monday, June 04, 2012 5:10 AM
To: Martin Kosek
Cc: Joe Linoff; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA 2.1 - restrict users to a set of hosts

On Mon, 2012-06-04 at 08:39 +0200, Martin Kosek wrote:

On Sat, 2012-06-02 at 06:52 -0700, Joe Linoff wrote:

Hi:

I am a newbie that is trying out FreeIPA for the first time. So far I am extremely impressed with this system but I ran into a problem that I need some help with. I am trying to figure out how to use HBAC to restrict a set of users to a specific set of hosts but I am not having any success.

Here is the problem statement: I have 2 users: “user1” and “user2” that should only be able to access the host “foobar” on my network. There are many other possible hosts (like “wombat”) that they cannot access. They can login from anywhere using “ssh”. The goal is to restrict students to a specific set of machines.

What I tried to do was this:
1. Create a user group called “restricted-users” which I could add users to.
2. Create a HBAC rule named “restricted-users” that
   a. Defines the host I want to allow them access to (“restricted-host”).
   b. Defines the user group that is affected by this rule (“restricted-users”).
   c. Defines the services they are allowed to use on that host (including login).
3. Create a user named “user1” that is enrolled in the “restricted-users” group.

I then tried this experiment:
1. ssh –Y user1@foobar
   a. It worked like a charm. The login worked correctly.
2. ssh –Y user1@wombat
   a. It also worked like a charm but in this case it was undesired behavior.

I am sure that I am missing something really obvious. Any help would be greatly appreciated.

Errata:
1. OS: CentOS 6.2
2. FreeIPA: v2.1.3 (9el6)

Thank you,

Joe

Hello Joe,

did you disable the default allow_all HBAC rule?

# ipa hbacrule-show allow_all
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE

With this rule disabled, the policy you described should be properly enforced. When testing HBAC rules you may want to try the CLI and Web UI interface to the hbactest command, which can help you to test who can use what service on which machine and also which rules did match when the access was allowed.

If you're still experiencing problems after disabling the default allow_all rule, please submit the relevant section of /var/log/secure so we can see if anything peculiar is occurring in the PAM authentication and authorization.

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
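The reason Martin's answer works is how HBAC rules combine: every enabled rule is evaluated independently, a category of "all" matches any user, host or service, and access is granted as soon as one rule matches. A rule like restricted-users can therefore never take anything away while allow_all is enabled. The Python 3 model below is added here to make that visible offline; it is not FreeIPA's or SSSD's code, and the data (group membership, two rules, the hosts foobar and wombat) is constructed after Joe's description. Field names loosely follow the LDAP attributes ipa hbacrule-show prints (ipaEnabledFlag, userCategory, memberUser, and so on), but the evaluator is a simplification: no host groups, no source hosts, and no SSSD-side caching.

```python
# Constructed directory data modelled on the thread (not exported from a real
# server): group membership plus the two HBAC rules that matter.
USER_GROUPS = {
    "user1": {"restricted-users"},
    "user2": {"restricted-users"},
    "alice": {"staff"},
}

# The default rule FreeIPA ships with: every category is "all".
ALLOW_ALL = {
    "cn": "allow_all",
    "ipaenabledflag": True,
    "usercategory": "all", "hostcategory": "all", "servicecategory": "all",
    "memberuser_user": set(), "memberuser_group": set(),
    "memberhost_host": set(),
    "memberservice_hbacsvc": set(),
}

# Joe's rule: the restricted-users group, one host, the login services.
RESTRICTED_USERS = {
    "cn": "restricted-users",
    "ipaenabledflag": True,
    "usercategory": None, "hostcategory": None, "servicecategory": None,
    "memberuser_user": set(), "memberuser_group": {"restricted-users"},
    "memberhost_host": {"foobar.example.com"},
    "memberservice_hbacsvc": {"sshd", "login"},
}


def rule_matches(rule, user, host, service):
    """A rule matches only if it is enabled and the user, host and service
    dimensions all match.  A category of 'all' matches anything, which is why
    allow_all matches every request regardless of what other rules say."""
    if not rule["ipaenabledflag"]:
        return False
    user_ok = (rule["usercategory"] == "all"
               or user in rule["memberuser_user"]
               or bool(USER_GROUPS.get(user, set()) & rule["memberuser_group"]))
    host_ok = rule["hostcategory"] == "all" or host in rule["memberhost_host"]
    service_ok = (rule["servicecategory"] == "all"
                  or service in rule["memberservice_hbacsvc"])
    return user_ok and host_ok and service_ok


def hbactest(rules, user, host, service):
    """Mimic what ipa hbactest reports: access is granted if at least one
    enabled rule matches, and the names of the matching rules are listed."""
    matched = [r["cn"] for r in rules if rule_matches(r, user, host, service)]
    return {"access_granted": bool(matched), "matched": matched}


def disabled(rule):
    """Return a copy of the rule with the enabled flag cleared, which is the
    effect of 'ipa hbacrule-disable <name>'."""
    copy = dict(rule)
    copy["ipaenabledflag"] = False
    return copy


def policy_outcomes():
    """Evaluate the thread's logins before and after allow_all is disabled."""
    before = [ALLOW_ALL, RESTRICTED_USERS]
    after = [disabled(ALLOW_ALL), RESTRICTED_USERS]
    return {
        "wombat_before": hbactest(before, "user1", "wombat.example.com", "sshd"),
        "wombat_after": hbactest(after, "user1", "wombat.example.com", "sshd"),
        "foobar_after": hbactest(after, "user1", "foobar.example.com", "sshd"),
        "alice_foobar_after": hbactest(after, "alice", "foobar.example.com", "sshd"),
    }


if __name__ == "__main__":
    for name, outcome in policy_outcomes().items():
        print("%-20s granted=%-5s matched=%s"
              % (name, outcome["access_granted"], outcome["matched"]))
```

Against a live server the same experiment is ipa hbacrule-disable allow_all followed by ipa hbactest --user=user1 --host=wombat.example.com --service=sshd, which prints the matched and not-matched rules just as the model's "matched" list does; the model's "alice" case shows the other half of the intent, a user outside the group who is now refused everywhere once the catch-all rule is gone.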
[Freeipa-users] FreeIPA 2.1 - restrict users to a set of hosts
Hi:

I am a newbie that is trying out FreeIPA for the first time. So far I am extremely impressed with this system but I ran into a problem that I need some help with. I am trying to figure out how to use HBAC to restrict a set of users to a specific set of hosts but I am not having any success.

Here is the problem statement: I have 2 users: user1 and user2 that should only be able to access the host foobar on my network. There are many other possible hosts (like wombat) that they cannot access. They can login from anywhere using ssh. The goal is to restrict students to a specific set of machines.

What I tried to do was this:
1. Create a user group called restricted-users which I could add users to.
2. Create a HBAC rule named restricted-users that
   a. Defines the host I want to allow them access to (restricted-host).
   b. Defines the user group that is affected by this rule (restricted-users).
   c. Defines the services they are allowed to use on that host (including login).
3. Create a user named user1 that is enrolled in the restricted-users group.

I then tried this experiment:
1. ssh -Y user1@foobar
   a. It worked like a charm. The login worked correctly.
2. ssh -Y user1@wombat
   a. It also worked like a charm but in this case it was undesired behavior.

I am sure that I am missing something really obvious. Any help would be greatly appreciated.

Errata:
1. OS: CentOS 6.2
2. FreeIPA: v2.1.3 (9el6)

Thank you,

Joe

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users