Re: [Freeipa-users] OS X Yosemite unable to authenticate
Hello, I tried 2 weeks ago from Mavericks (OSX 10.9), but I had the opposite problem: kinit works fine, while I'm unable to see users with Directory Admin ((it always says it cant' connect, either with or without SSL) I disabled anonymous searches in 389-ds, by the way. Nicola Il 21/12/15 07:50, John Obaterspok ha scritto: Hi Cal, Does a kinit work from a terminal? Does it work if you use "kinit user" or just if you use "kinit user@REALM.suffix" -- john 2015-12-20 15:09 GMT+01:00 Cal Sawyer <ca...@blue-bolt.com <mailto:ca...@blue-bolt.com>>: Hi, all I'm attempting to set up LDAP auth (against IPA server 4.10) from a OSX 10.10.5 (Yosemite) client Using the excellent instructions at http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8%20%22Linsec.ca%20tutorial%20for%20connecting%20Mac%20OS%2010.7%20to%20IPA%20Server, I've populated the specified files, d/l'd the cert, am able to configure Users and Groups objects/attribs and browse both from within OSX's Directory Utility.ldapsearch similarly returns the expected results. In spite of this, i'm unable to authenticate as any IPA-LDAP user on this system dirsrv log on the ipa master shows no apparent errors - remote auth attempts exit with "RESULT err=0 tag=101 nentries=1 etime=0", but tell the truth, there so much stuff there and being rather inexperienced with LDAP diags i might easily be missing something in the details The linsec.ca <http://linsec.ca> instructions were written in the 10.7-10.8 era so something may have changed since. Having said that, we've had no problems authenticating against our existing OpenLDAP server (which IPA is slated to replace) right up to 10.10.5 with no zero to our Directory Utility setup. Hoping someone here has some contemporary experience with OSX and IPA and for whom this issue rings a bell? many thanks Cal Sawyer | Systems Engineer | BlueBolt Ltd 15-16 Margaret Street | London W1W 8RW +44 (0)20 7637 5575 <tel:%2B44%20%280%2920%207637%205575> | www.blue-bolt.com <http://www.blue-bolt.com> -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- Nicola Canepa Tel: +39-0522-399-3474 canep...@mmfg.it --- Il contenuto della presente comunicazione è riservato e destinato esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona diversa dal destinatario sono proibite la diffusione, la distribuzione e la copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati contenuti. La presente comunicazione (comprensiva dei documenti allegati) non avrà valore di proposta contrattuale e/o accettazione di proposte provenienti dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a ns. carico, se la presente non sia seguita da contratto sottoscritto dalle parti. The content of the above communication is strictly confidential and reserved solely for the referred addressees. In the event of receipt by persons different from the addressee, copying, alteration and distribution are forbidden. If received by mistake we ask you to inform us and to destroy and/or delete from your computer without using the data herein contained. The present message (eventual annexes inclusive) shall not be considered a contractual proposal and/or acceptance of offer from the addressee, nor waiver recognizance of rights, debts and/or credits, nor shall it be binding when not executed as a subsequent agreement by persons who could lawfully represent us. No pre-contractual liability shall apply to us when the present communication is not followed by any binding agreement between the parties. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] OS X Yosemite unable to authenticate
I had to configure /etc/krb5.conf, and to avoid the requested reboot, I did a "dscacheutil -flushcache", both as the logged in user and as root. I tried enabling the anonymous bind and now also the directory browser (and all the login process) works as expected. Nicola Il 21/12/15 17:39, Cal Sawyer ha scritto: Thanks, John and Nicola Kerberos occurred to me as well late in the day yesterday. Happily (?), knit works fine simply specifying the user in question with no need to suffix with the kerberos realm I did find that my test user had an expired password, which i fixed on the IPA server. This was never flagged up under Linux, btw. It has not change anything, however, other than not prompting for password changes that never take effect. Funnily, it expired in the midst of testing - fun. I was mistaken when i said i was unable to log in - it turns out that it takes almost 10 minutes for a login from the frintend to complete - i just didn't wait long enough. 10 mins is of course unacceptable :) "su - user" and "login user" fail outright after rejecting accept any user's password DNS is fine and i can resolve ldap and kerberos SRV records from the Mac In line with Nicola's experience, i can browse groups and users in the Directory Editor and all attributes appear spot on. Besides modding /etc/pam.d/authorization, adding a corrected edu.mit.kerberos to /LibraryPreferences and setting up the directory per linsec.ca, can anyone think of something i may have missed? It's a real shame that the documentation on this stops around 5 years ago. IPA devs: is there anything i should be on the lookout for in the dirsrv or krb5 logs on the IPA master? I've disabled the secondary to prevent replication from clouding the log events thanks, everyone Cal Sawyer | Systems Engineer | BlueBolt Ltd 15-16 Margaret Street | London W1W 8RW +44 (0)20 7637 5575 |www.blue-bolt.com On 21/12/15 07:57, Nicola Canepa wrote: Hello, I tried 2 weeks ago from Mavericks (OSX 10.9), but I had the opposite problem: kinit works fine, while I'm unable to see users with Directory Admin ((it always says it cant' connect, either with or without SSL) I disabled anonymous searches in 389-ds, by the way. Nicola Il 21/12/15 07:50, John Obaterspok ha scritto: Hi Cal, Does a kinit work from a terminal? Does it work if you use "kinit user" or just if you use "kinit user@REALM.suffix" -- john 2015-12-20 15:09 GMT+01:00 Cal Sawyer <ca...@blue-bolt.com <mailto:ca...@blue-bolt.com>>: Hi, all I'm attempting to set up LDAP auth (against IPA server 4.10) from a OSX 10.10.5 (Yosemite) client Using the excellent instructions at http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8%20%22Linsec.ca%20tutorial%20for%20connecting%20Mac%20OS%2010.7%20to%20IPA%20Server, I've populated the specified files, d/l'd the cert, am able to configure Users and Groups objects/attribs and browse both from within OSX's Directory Utility. ldapsearch similarly returns the expected results. In spite of this, i'm unable to authenticate as any IPA-LDAP user on this system dirsrv log on the ipa master shows no apparent errors - remote auth attempts exit with "RESULT err=0 tag=101 nentries=1 etime=0", but tell the truth, there so much stuff there and being rather inexperienced with LDAP diags i might easily be missing something in the details The linsec.ca <http://linsec.ca> instructions were written in the 10.7-10.8 era so something may have changed since. Having said that, we've had no problems authenticating against our existing OpenLDAP server (which IPA is slated to replace) right up to 10.10.5 with no zero to our Directory Utility setup. Hoping someone here has some contemporary experience with OSX and IPA and for whom this issue rings a bell? many thanks Cal Sawyer | Systems Engineer | BlueBolt Ltd 15-16 Margaret Street | London W1W 8RW +44 (0)20 7637 5575 <tel:%2B44%20%280%2920%207637%205575> | www.blue-bolt.com <http://www.blue-bolt.com> -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- Nicola Canepa Tel: +39-0522-399-3474 canep...@mmfg.it --- Il contenuto della presente comunicazione è riservato e destinato esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona diversa dal destinatario sono proibite la diffusione, la distribuzione e la copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati contenuti. La presente comunicazione (comprensiva dei documenti allegati) non avrà valore di proposta contrattuale e/o accet
Re: [Freeipa-users] Service Accounts via IPA
Maybe you can use /usr/sbin/nologin as the shell? Nicola Il 10/12/15 19:24, Redmond, Stacy ha scritto: Generally I will lock a service account on linux so that the account cannot login, but users can sudo su – to that user. As I don’t have access to the password field in free ipa, what are my options to set this up as a default for service accounts, or how can I modify individual accounts that need access to a system, but should not be able to login to the system. Any help is appreciated. -- Nicola Canepa Tel: +39-0522-399-3474 canep...@mmfg.it --- Il contenuto della presente comunicazione è riservato e destinato esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona diversa dal destinatario sono proibite la diffusione, la distribuzione e la copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati contenuti. La presente comunicazione (comprensiva dei documenti allegati) non avrà valore di proposta contrattuale e/o accettazione di proposte provenienti dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a ns. carico, se la presente non sia seguita da contratto sottoscritto dalle parti. The content of the above communication is strictly confidential and reserved solely for the referred addressees. In the event of receipt by persons different from the addressee, copying, alteration and distribution are forbidden. If received by mistake we ask you to inform us and to destroy and/or delete from your computer without using the data herein contained. The present message (eventual annexes inclusive) shall not be considered a contractual proposal and/or acceptance of offer from the addressee, nor waiver recognizance of rights, debts and/or credits, nor shall it be binding when not executed as a subsequent agreement by persons who could lawfully represent us. No pre-contractual liability shall apply to us when the present communication is not followed by any binding agreement between the parties. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA and DHCP
I have a RADIUS which authenticates WPA2 via FreeIPA (LDAP) associating the MAC address to the client (by improperly using the "l" field), and I would delegate also DHCP IP management (which has to be fixed through the MAC address) via the same interface. If it is not possible, I will have to configure another LDAP server, and to find a management GUI. Nicola Il 19/10/15 00:35, Fraser Tweedale ha scritto: On Fri, Oct 16, 2015 at 03:01:19PM +0200, Nicola Canepa wrote: Hello. Is there a suggested way to have DHCP IP/MAC associations managed through the IPA web interface? Thank you for any pointer. Nicola Hi Nicola, There was an old design proposal[1] but it was not implemented. The discussion was revived in recent weeks but again the feeling is that there is not a great need. [1] http://www.freeipa.org/page/DHCP_Integration_Design Let us know more about your use case and expectations - more real-world requirements will help inform the discussion! Cheers, Fraser -- Nicola Canepa Tel: +39-0522-399-3474 canep...@mmfg.it --- Il contenuto della presente comunicazione è riservato e destinato esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona diversa dal destinatario sono proibite la diffusione, la distribuzione e la copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati contenuti. La presente comunicazione (comprensiva dei documenti allegati) non avrà valore di proposta contrattuale e/o accettazione di proposte provenienti dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a ns. carico, se la presente non sia seguita da contratto sottoscritto dalle parti. The content of the above communication is strictly confidential and reserved solely for the referred addressees. In the event of receipt by persons different from the addressee, copying, alteration and distribution are forbidden. If received by mistake we ask you to inform us and to destroy and/or delete from your computer without using the data herein contained. The present message (eventual annexes inclusive) shall not be considered a contractual proposal and/or acceptance of offer from the addressee, nor waiver recognizance of rights, debts and/or credits, nor shall it be binding when not executed as a subsequent agreement by persons who could lawfully represent us. No pre-contractual liability shall apply to us when the present communication is not followed by any binding agreement between the parties. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- Nicola Canepa Tel: +39-0522-399-3474 canep...@mmfg.it --- Il contenuto della presente comunicazione è riservato e destinato esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona diversa dal destinatario sono proibite la diffusione, la distribuzione e la copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati contenuti. La presente comunicazione (comprensiva dei documenti allegati) non avrà valore di proposta contrattuale e/o accettazione di proposte provenienti dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a ns. carico, se la presente non sia seguita da contratto sottoscritto dalle parti. The content of the above communication is strictly confidential and reserved solely for the referred addressees. In the event of receipt by persons different from the addressee, copying, alteration and distribution are forbidden. If received by mistake we ask you to inform us and to destroy and/or delete from your computer without using the data herein contained. The present message (eventual annexes inclusive) shall not be considered a contractual proposal and/or acceptance of offer from the addressee, nor waiver recognizance of rights, debts and/or credits, nor shall it be binding when not executed as a subsequent agreement by persons who could lawfully represent us. No pre-contractual liability shall apply to us when the present communication is not followed by any binding agreement between the parties. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] FreeIPA and DHCP
Hello. Is there a suggested way to have DHCP IP/MAC associations managed through the IPA web interface? Thank you for any pointer. Nicola -- Nicola Canepa Tel: +39-0522-399-3474 canep...@mmfg.it --- Il contenuto della presente comunicazione è riservato e destinato esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona diversa dal destinatario sono proibite la diffusione, la distribuzione e la copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati contenuti. La presente comunicazione (comprensiva dei documenti allegati) non avrà valore di proposta contrattuale e/o accettazione di proposte provenienti dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a ns. carico, se la presente non sia seguita da contratto sottoscritto dalle parti. The content of the above communication is strictly confidential and reserved solely for the referred addressees. In the event of receipt by persons different from the addressee, copying, alteration and distribution are forbidden. If received by mistake we ask you to inform us and to destroy and/or delete from your computer without using the data herein contained. The present message (eventual annexes inclusive) shall not be considered a contractual proposal and/or acceptance of offer from the addressee, nor waiver recognizance of rights, debts and/or credits, nor shall it be binding when not executed as a subsequent agreement by persons who could lawfully represent us. No pre-contractual liability shall apply to us when the present communication is not followed by any binding agreement between the parties. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] ACI for full replica
Hello, I'm trying to replicate a subtree of the data from FreeIPA to a "foreign" LDAP server, by using LSC (http://lsc-project.org). The replication seems to work correctly, but I was unable to create an user (maybe even not visible from the web GUI) which could read userPassword field. Which ACI/Role/Group should I use for this purpose? Thank you for any hint: I did not find such information inside the documentation. Nicola -- Nicola Canepa Tel: +39-0522-399-3474 canep...@mmfg.it --- Il contenuto della presente comunicazione è riservato e destinato esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona diversa dal destinatario sono proibite la diffusione, la distribuzione e la copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati contenuti. La presente comunicazione (comprensiva dei documenti allegati) non avrà valore di proposta contrattuale e/o accettazione di proposte provenienti dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a ns. carico, se la presente non sia seguita da contratto sottoscritto dalle parti. The content of the above communication is strictly confidential and reserved solely for the referred addressees. In the event of receipt by persons different from the addressee, copying, alteration and distribution are forbidden. If received by mistake we ask you to inform us and to destroy and/or delete from your computer without using the data herein contained. The present message (eventual annexes inclusive) shall not be considered a contractual proposal and/or acceptance of offer from the addressee, nor waiver recognizance of rights, debts and/or credits, nor shall it be binding when not executed as a subsequent agreement by persons who could lawfully represent us. No pre-contractual liability shall apply to us when the present communication is not followed by any binding agreement between the parties. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] Problem with replica
Hello, I'm trying to setup a partial replica of the LDAP tree stored in 389-ds by FreeIPA 4.1 (under CentOS 7), so that legacy systems have a local copy of the data needed to authenticate. Those systems have already OpenLDAP installed, so I 'm trying to enable syncrepl from DS to OL. I followed this ticket: https://fedorahosted.org/freeipa/ticket/3967 and I enabled the 2 plugins as indicated. When the slave starts and tries to sync, the ns-slapd process on FreeIPA server dies, with this in syslog: kernel: ns-slapd[4801]: segfault at 0 ip 7f0f041f2db6 sp 7f0ecc7f0f38 error 4 in libc-2.17.so[7f0f0416e000+1b6000] immediately (same second) followed by: named[1974]: LDAP error: Can't contact LDAP server: ldap_sync_poll() failed named[1974]: ldap_syncrepl will reconnect in 60 seconds systemd: dirsrv@XXX.service: main process exited, code=killed, status=11/SEGV There is nothing in access or error log (found in /var/log/dirsrv/INSTANCE) at that second (last log is 30 seconds before the problem). Even if replica doesn't work, I think it shoundn't kill the daemon. The ldif used on the slave: dn: olcDatabase={1}bdb,cn=config changetype: modify replace:olcSyncrepl olcSyncrepl: rid=0001 provider=ldap://AAA.TLD type=refreshOnly interval=00:1:00:00 retry="5 5 300 +" searchbase="YYY" attrs="*,+" bindmethod=simple binddn="uid=XXX,cn=users,cn=accounts,dc=YYY" credentials=ZZZ Nicola -- Nicola Canepa Tel: +39-0522-399-3474 canep...@mmfg.it --- Il contenuto della presente comunicazione è riservato e destinato esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona diversa dal destinatario sono proibite la diffusione, la distribuzione e la copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati contenuti. La presente comunicazione (comprensiva dei documenti allegati) non avrà valore di proposta contrattuale e/o accettazione di proposte provenienti dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a ns. carico, se la presente non sia seguita da contratto sottoscritto dalle parti. The content of the above communication is strictly confidential and reserved solely for the referred addressees. In the event of receipt by persons different from the addressee, copying, alteration and distribution are forbidden. If received by mistake we ask you to inform us and to destroy and/or delete from your computer without using the data herein contained. The present message (eventual annexes inclusive) shall not be considered a contractual proposal and/or acceptance of offer from the addressee, nor waiver recognizance of rights, debts and/or credits, nor shall it be binding when not executed as a subsequent agreement by persons who could lawfully represent us. No pre-contractual liability shall apply to us when the present communication is not followed by any binding agreement between the parties. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] Partial replica
Hello list. I'm trying to make a test deploy of FreeIPA, and I was wondering if it is possible to authenticate remote sites via LDAP by havong a partial replica based on saome filter (maybe a group, an attribute or similar). Sorry if this is a silly question, but I am trying to explore the possibilities that I could have to slowly replace local authentications spread in various sites by having a central store (backed by FreeIPA) and many partial replicas which would contain what now I have in RADIUS or other authentication sources. Thank you for any advice or pointer you can give to me. Nicola -- Nicola Canepa canep...@mmfg.it --- Il contenuto della presente comunicazione è riservato e destinato esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona diversa dal destinatario sono proibite la diffusione, la distribuzione e la copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati contenuti. La presente comunicazione (comprensiva dei documenti allegati) non avrà valore di proposta contrattuale e/o accettazione di proposte provenienti dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a ns. carico, se la presente non sia seguita da contratto sottoscritto dalle parti. The content of the above communication is strictly confidential and reserved solely for the referred addressees. In the event of receipt by persons different from the addressee, copying, alteration and distribution are forbidden. If received by mistake we ask you to inform us and to destroy and/or delete from your computer without using the data herein contained. The present message (eventual annexes inclusive) shall not be considered a contractual proposal and/or acceptance of offer from the addressee, nor waiver recognizance of rights, debts and/or credits, nor shall it be binding when not executed as a subsequent agreement by persons who could lawfully represent us. No pre-contractual liability shall apply to us when the present communication is not followed by any binding agreement between the parties. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Rename or not to rename (packages only)? freeipa-server - ipa-server?
Regarding this, I think the upgrade from freeipa to ipa should be looked into carefully, since I experienced problem o post-upgrade script not being run upon upgrade from freeipa-*-4.0 to ipa-*-4.1 Nicola Il 17/07/15 11:10, Christopher Lamb ha scritto: Consistency sounds good. How would the name change affect yum update? Chris From: Petr Spacek pspa...@redhat.com To: freeipa-users@redhat.com Date: 17.07.2015 10:49 Subject:[Freeipa-users] Rename or not to rename (packages only)? freeipa-server - ipa-server? Sent by:freeipa-users-boun...@redhat.com Hello users and developers, I wonder what do you think about naming inconsistency in FreeIPA packages. Packages in Fedora are prefixed with freeipa-* but in RHEL (and derivatives) the packages are named as ipa-*. Given that command line interface is in all cases 'ipa', it seems like a inconsistency. Are there any reasons not to rename freeipa-* *packages* to ipa-*? Naturally name of project would still be FreeIPA :-) This rename would remove the inconsistency which drives me crazy when I need to script something universally for RHEL and Fedora. Have a nice day! -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- Nicola Canepa Tel: +39-0522-399-3474 canep...@mmfg.it --- Il contenuto della presente comunicazione è riservato e destinato esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona diversa dal destinatario sono proibite la diffusione, la distribuzione e la copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati contenuti. La presente comunicazione (comprensiva dei documenti allegati) non avrà valore di proposta contrattuale e/o accettazione di proposte provenienti dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a ns. carico, se la presente non sia seguita da contratto sottoscritto dalle parti. The content of the above communication is strictly confidential and reserved solely for the referred addressees. In the event of receipt by persons different from the addressee, copying, alteration and distribution are forbidden. If received by mistake we ask you to inform us and to destroy and/or delete from your computer without using the data herein contained. The present message (eventual annexes inclusive) shall not be considered a contractual proposal and/or acceptance of offer from the addressee, nor waiver recognizance of rights, debts and/or credits, nor shall it be binding when not executed as a subsequent agreement by persons who could lawfully represent us. No pre-contractual liability shall apply to us when the present communication is not followed by any binding agreement between the parties. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] Problem in CLI after upgrade to 4.1.0
I upgraded from freeipa 4.0 to ipa-4.1.0 Users continue to be authenticated, and web GUI works, but from command line for every ipa command (after autheiticating with kinit), I get: [root@ldap-01 ~]# ipa config-show ipa: ERROR: cannot connect to 'https://ldap-01.mmfg.it/ipa/json': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format. Nicola -- Nicola Canepa Tel: +39-0522-399-3474 canep...@mmfg.it --- Il contenuto della presente comunicazione è riservato e destinato esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona diversa dal destinatario sono proibite la diffusione, la distribuzione e la copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati contenuti. La presente comunicazione (comprensiva dei documenti allegati) non avrà valore di proposta contrattuale e/o accettazione di proposte provenienti dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a ns. carico, se la presente non sia seguita da contratto sottoscritto dalle parti. The content of the above communication is strictly confidential and reserved solely for the referred addressees. In the event of receipt by persons different from the addressee, copying, alteration and distribution are forbidden. If received by mistake we ask you to inform us and to destroy and/or delete from your computer without using the data herein contained. The present message (eventual annexes inclusive) shall not be considered a contractual proposal and/or acceptance of offer from the addressee, nor waiver recognizance of rights, debts and/or credits, nor shall it be binding when not executed as a subsequent agreement by persons who could lawfully represent us. No pre-contractual liability shall apply to us when the present communication is not followed by any binding agreement between the parties. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Problem in CLI after upgrade to 4.1.0
I think the problem is the upgrade from freeipa-* to ipa-*, which does not run the scripts cortectly. Previously I had to run: /usr/sbin/ipa-ldap-updater --upgrade --quiet /dev/null || :/usr/sbin/ipa-upgradeconfig --quiet /dev/null || : /bin/systemctl enable ipa.service Noe I also needed: python2 -c 'from ipapython.certdb import create_ipa_nssdb; create_ipa_nssdb()' tempfile=$(mktemp) if certutil -L -d /etc/pki/nssdb -n 'IPA CA' -a $tempfile 2/var/log/ipaupgrade.log; then certutil -A -d /etc/ipa/nssdb -n 'IPA CA' -t CT,C,C -a -i $tempfile /var/log/ipaupgrade.log 21 elif certutil -L -d /etc/pki/nssdb -n 'External CA cert' -a $tempfile 2/var/log/ipaupgrade.log; then certutil -A -d /etc/ipa/nssdb -n 'External CA cert' -t C,, -a -i $tempfile /var/log/ipaupgrade.log 21 fi rm -f $tempfile And also the ipa commands work correctly. Nicola Il 16 Luglio 2015 14:01:47 CEST, Nicola Canepa canep...@mmfg.it ha scritto: I upgraded from freeipa 4.0 to ipa-4.1.0 Users continue to be authenticated, and web GUI works, but from command line for every ipa command (after autheiticating with kinit), I get: [root@ldap-01 ~]# ipa config-show ipa: ERROR: cannot connect to 'https://ldap-01.mmfg.it/ipa/json': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format. Nicola -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Migrating from custom auth system
If I enable the PAM plugin of 389-ds, I'm able to let users be authenticated by PAM, even if the user is not present il LDAP, hence the plain-text password is passed to PAM. The only missing step is: if PAM correctly authenticates a non-existing user, it should be created (using the just supplied password). Nicola Il 09/07/15 15:20, Alexander Bokovoy ha scritto: On Thu, 09 Jul 2015, Nicola Canepa wrote: Thank you Alexander. If the previous password is not used, I could set an impossible-hash password (such as {crypt}*) and let users login authenticating trhough PAM? How would you authenticate then? Remember that it is the hash in userPassword attribute that is used for actual authentication. If password-handling plugin cannot calculate to the same hash based on the plain-text password it was supplied via LDAP bind, how would user successfully authenticate? If you migrate this way, you need password hashes, at least. If you are going to issue users with new passwords, just create all of them in IPA with these new passwords and ask them to login, at least once, to IPA self-service. Or I could put the user-add in the pam_exec script (but only if the user does not already exists). I don't think is is sufficiently good, at least I wouldn't do it this way. -- Nicola Canepa Tel: +39-0522-399-3474 canep...@mmfg.it --- Il contenuto della presente comunicazione è riservato e destinato esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona diversa dal destinatario sono proibite la diffusione, la distribuzione e la copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati contenuti. La presente comunicazione (comprensiva dei documenti allegati) non avrà valore di proposta contrattuale e/o accettazione di proposte provenienti dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a ns. carico, se la presente non sia seguita da contratto sottoscritto dalle parti. The content of the above communication is strictly confidential and reserved solely for the referred addressees. In the event of receipt by persons different from the addressee, copying, alteration and distribution are forbidden. If received by mistake we ask you to inform us and to destroy and/or delete from your computer without using the data herein contained. The present message (eventual annexes inclusive) shall not be considered a contractual proposal and/or acceptance of offer from the addressee, nor waiver recognizance of rights, debts and/or credits, nor shall it be binding when not executed as a subsequent agreement by persons who could lawfully represent us. No pre-contractual liability shall apply to us when the present communication is not followed by any binding agreement between the parties. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Migrating from custom auth system
OK, I'm sorry for the little information provided: I can't do migrate-ds, since I'm not coming from a DS (which can only be another LDAP server, I guess). The only thing I can expect is that users will login to one of the applicazions which I put under FreeIPA authentication. So I mixed the NIS migration documentation (maintaining passwords) with the migration mode, hoping it was what I was looking for. Is there a way so that users are created in FreeIPA once they login in this way? From what you said, I need to use SSSD (I'm going to read the docs ASAP). Is migration mode only used when I also use ipa migrate-ds? Thank you very much. Nicola Il 09/07/15 14:08, Alexander Bokovoy ha scritto: Nicola, perhaps it would help if you explain what did you mean by saying below My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP users not created by IPA. When you enabled migration mode and actually migrated users with 'ipa migrate-ds' command, you will have those users in IPA and they will be able to authenticate via LDAP with their old passwords. If your server (where your web app would be running) is enrolled into IPA, then it would be already running SSSD and set up for using it via pam_sss. Then configuring your web app to authenticate via PAM stack (for example, like we explain on http://www.freeipa.org/page/Web_App_Authentication) takes care of properly logging in and updating passwords. SSSD knows about migration mode and has support for it. On Thu, 09 Jul 2015, Nicola Canepa wrote: I don't understand the question: aren't users created by IPA command line the same as if they are created via the web GUI? Nicola Il 09/07/15 13:05, Jan Pazdziora ha scritto: On Thu, Jul 09, 2015 at 11:33:23AM +0200, Nicola Canepa wrote: Hello. I was trying Freeipa as an addition and (maybe) future replacement for the current SSO solution (custom and only for web apps). I was able to authenticate (via pam_exec) LDAP users on the legacy system. My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP users not created by IPA. I enabled migration mode in Freeipa, so that authenticated users should get Kerberos hash created upon first login, but I don't know how to make users login without creating them in advance. Is there a (suggested) way to let users authenticate via Kerberos and create users authenticated by PAM upon first login? Create user where -- in the Web application or in FreeIPA? -- Nicola Canepa Tel: +39-0522-399-3474 canep...@mmfg.it --- Il contenuto della presente comunicazione è riservato e destinato esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona diversa dal destinatario sono proibite la diffusione, la distribuzione e la copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati contenuti. La presente comunicazione (comprensiva dei documenti allegati) non avrà valore di proposta contrattuale e/o accettazione di proposte provenienti dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a ns. carico, se la presente non sia seguita da contratto sottoscritto dalle parti. The content of the above communication is strictly confidential and reserved solely for the referred addressees. In the event of receipt by persons different from the addressee, copying, alteration and distribution are forbidden. If received by mistake we ask you to inform us and to destroy and/or delete from your computer without using the data herein contained. The present message (eventual annexes inclusive) shall not be considered a contractual proposal and/or acceptance of offer from the addressee, nor waiver recognizance of rights, debts and/or credits, nor shall it be binding when not executed as a subsequent agreement by persons who could lawfully represent us. No pre-contractual liability shall apply to us when the present communication is not followed by any binding agreement between the parties. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- Nicola Canepa Tel: +39-0522-399-3474 canep...@mmfg.it --- Il contenuto della presente comunicazione è riservato e destinato esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona diversa dal destinatario sono proibite la diffusione, la distribuzione e la copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati contenuti. La presente comunicazione (comprensiva dei documenti allegati) non avrà valore di proposta contrattuale e/o
[Freeipa-users] Migrating from custom auth system
Hello. I was trying Freeipa as an addition and (maybe) future replacement for the current SSO solution (custom and only for web apps). I was able to authenticate (via pam_exec) LDAP users on the legacy system. My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP users not created by IPA. I enabled migration mode in Freeipa, so that authenticated users should get Kerberos hash created upon first login, but I don't know how to make users login without creating them in advance. Is there a (suggested) way to let users authenticate via Kerberos and create users authenticated by PAM upon first login? My workaround is to create user in the pam_exec-uted script, but I don't think this is a clean way of doing it, and I have to use LDAP as first login method. Thank you in advance for any link, suggestion or solution. Nicola -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Migrating from custom auth system
Thank you Alexander. If the previous password is not used, I could set an impossible-hash password (such as {crypt}*) and let users login authenticating trhough PAM? Or I could put the user-add in the pam_exec script (but only if the user does not already exists). I'll test both ways. Nicola Il 09/07/15 14:44, Alexander Bokovoy ha scritto: On Thu, 09 Jul 2015, Nicola Canepa wrote: OK, I'm sorry for the little information provided: I can't do migrate-ds, since I'm not coming from a DS (which can only be another LDAP server, I guess). The only thing I can expect is that users will login to one of the applicazions which I put under FreeIPA authentication. So I mixed the NIS migration documentation (maintaining passwords) with the migration mode, hoping it was what I was looking for. If you did create your users the same way as proposed with NIS migration, then they wouldn't be different from what would have happened with 'ipa migrate-ds'. End result, you have user entries in LDAP with passwords set to their hashes in the previous system and no Kerberos attributes. Is there a way so that users are created in FreeIPA once they login in this way? *You* need to create them. http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords walks you through that: ---8---8---8---8---8---8---8---8---8---8---8---8---8---8---8 From your export file, import the users into IPA using the admin tools and set the original hashed password: # ipa user-add [username] --setattr userpassword={crypt}yourencryptedpass ---8---8---8---8---8---8---8---8---8---8---8---8---8---8--- -- Nicola Canepa Tel: +39-0522-399-3474 canep...@mmfg.it --- Il contenuto della presente comunicazione è riservato e destinato esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona diversa dal destinatario sono proibite la diffusione, la distribuzione e la copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati contenuti. La presente comunicazione (comprensiva dei documenti allegati) non avrà valore di proposta contrattuale e/o accettazione di proposte provenienti dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a ns. carico, se la presente non sia seguita da contratto sottoscritto dalle parti. The content of the above communication is strictly confidential and reserved solely for the referred addressees. In the event of receipt by persons different from the addressee, copying, alteration and distribution are forbidden. If received by mistake we ask you to inform us and to destroy and/or delete from your computer without using the data herein contained. The present message (eventual annexes inclusive) shall not be considered a contractual proposal and/or acceptance of offer from the addressee, nor waiver recognizance of rights, debts and/or credits, nor shall it be binding when not executed as a subsequent agreement by persons who could lawfully represent us. No pre-contractual liability shall apply to us when the present communication is not followed by any binding agreement between the parties. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project