Re: [Freeipa-users] exporting ldap certificate
On 7 May 2013 16:50, Martin Kosek mko...@redhat.com wrote:
> On 05/07/2013 04:51 AM, Peter Brown wrote:
>> On 6 May 2013 17:07, Martin Kosek mko...@redhat.com wrote:
>>> I am glad you made it working. Just for the record, CRL and OCSP revocation URIs in FreeIPA v3.1 were flawed, there are relevant fixes in FreeIPA 3.2 that will make it working again.
>>
>> Thanks for the heads up Martin.
>> I will likely upgrade to 3.2 once Fedora 19 is released. I am going to assume my 3.1 clients will be compatible?
>
> Yes, this is a correct assumption. BTW we are just in a process of testing and releasing FreeIPA 3.1.4 bugfixing release for Fedora 18 which will also contain the CRL/OCSP URI fixes (will happen this week). Any help with testing 3.1.4 when it is released is appreciated.

Awesome. I shall install them and let you know how I go.

> Martin
>
>>> More information can be found out in FreeIPA.org wiki: http://www.freeipa.org/page/V3/Single_OCSP_and_CRL_in_certs
>>> Relevant upstream ticket: https://fedorahosted.org/freeipa/ticket/3552
>>>
>>> Martin
>>>
>>> On 04/29/2013 06:59 AM, Peter Brown wrote:
>>>> I finally got this to work. I managed to get an error message that told me it couldn't check the revocation of the certificates against a crl. I tried to find out how to tell java where to find that crl but I discovered these options instead to tell java to not check a crl.
>>>>
>>>> -Dcom.sun.net.ssl.checkRevocation=false
>>>> -Dcom.sun.security.enableCRLDP=false
>>>>
>>>> On 26 April 2013 18:30, Petr Viktorin pvikt...@redhat.com wrote:
>>>>> Hello,
>>>>>
>>>>> On 04/26/2013 07:22 AM, Peter Brown wrote:
>>>>>> Hi everyone.
>>>>>> I am attempting to get Google Apps to sync with FreeIPA and I am having problems getting the sync utility to talk to freeipa. It complains about the ssl cert. I have it setup so it only accepts ssl or tls encrypted connections and I don't want to turn that off. I have imported the ca cert using the jre's keytool but it still refuses to connect. I am getting the impression I need to import the ssl cert for the ldap server into it as well.
>>>>>
>>>>> The CA cert (/etc/ipa/ca.crt) should be enough, it signs all the other certs. Make sure you import it with the right trust level (SSL certificate signing). Unfortunately I don't know about jre's keytool so I can't be more specific.
>>>>>
>>>>>> I have no idea which certificate that is and I have no idea how to export it.
>>>>>
>>>>> Do not do this. You should only explicitly trust the CA cert. For example, if you trust the certs explicitly you'd have to re-import them one by one when they are renewed.
>>>>>
>>>>>> Can someone please tell me how to do this?
>>>>>
>>>>> If you really want to: There are two certs, one for httpd (Web UI, XMLRPC, JSON APIs), and one for the LDAP server.
>>>>>
>>>>> To export the httpd server certificate (to PEM):
>>>>>
>>>>>     $ certutil -L -d /etc/httpd/alias -n Server-Cert -a
>>>>>
>>>>> To export the directory server certificate (to PEM):
>>>>>
>>>>>     $ certutil -L -d /etc/dirsrv/slapd-$INSTANCE_NAME/ -n Server-Cert -a
>>>>>
>>>>> But again, you don't need this for what you're trying to do.
>>>>>
>>>>> --
>>>>> Petr³

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] exporting ldap certificate
On 6 May 2013 17:07, Martin Kosek mko...@redhat.com wrote:
> I am glad you made it working. Just for the record, CRL and OCSP revocation URIs in FreeIPA v3.1 were flawed, there are relevant fixes in FreeIPA 3.2 that will make it working again.

Thanks for the heads up Martin.
I will likely upgrade to 3.2 once Fedora 19 is released. I am going to assume my 3.1 clients will be compatible?

> More information can be found out in FreeIPA.org wiki: http://www.freeipa.org/page/V3/Single_OCSP_and_CRL_in_certs
> Relevant upstream ticket: https://fedorahosted.org/freeipa/ticket/3552
>
> Martin
>
> On 04/29/2013 06:59 AM, Peter Brown wrote:
>> I finally got this to work. I managed to get an error message that told me it couldn't check the revocation of the certificates against a crl. I tried to find out how to tell java where to find that crl but I discovered these options instead to tell java to not check a crl.
>>
>> -Dcom.sun.net.ssl.checkRevocation=false
>> -Dcom.sun.security.enableCRLDP=false
>>
>> On 26 April 2013 18:30, Petr Viktorin pvikt...@redhat.com wrote:
>>> Hello,
>>>
>>> On 04/26/2013 07:22 AM, Peter Brown wrote:
>>>> Hi everyone.
>>>> I am attempting to get Google Apps to sync with FreeIPA and I am having problems getting the sync utility to talk to freeipa. It complains about the ssl cert. I have it setup so it only accepts ssl or tls encrypted connections and I don't want to turn that off. I have imported the ca cert using the jre's keytool but it still refuses to connect. I am getting the impression I need to import the ssl cert for the ldap server into it as well.
>>>
>>> The CA cert (/etc/ipa/ca.crt) should be enough, it signs all the other certs. Make sure you import it with the right trust level (SSL certificate signing). Unfortunately I don't know about jre's keytool so I can't be more specific.
>>>
>>>> I have no idea which certificate that is and I have no idea how to export it.
>>>
>>> Do not do this. You should only explicitly trust the CA cert. For example, if you trust the certs explicitly you'd have to re-import them one by one when they are renewed.
>>>
>>>> Can someone please tell me how to do this?
>>>
>>> If you really want to: There are two certs, one for httpd (Web UI, XMLRPC, JSON APIs), and one for the LDAP server.
>>>
>>> To export the httpd server certificate (to PEM):
>>>
>>>     $ certutil -L -d /etc/httpd/alias -n Server-Cert -a
>>>
>>> To export the directory server certificate (to PEM):
>>>
>>>     $ certutil -L -d /etc/dirsrv/slapd-$INSTANCE_NAME/ -n Server-Cert -a
>>>
>>> But again, you don't need this for what you're trying to do.
>>>
>>> --
>>> Petr³
Re: [Freeipa-users] exporting ldap certificate
I finally got this to work. I managed to get an error message that told me it couldn't check the revocation of the certificates against a crl. I tried to find out how to tell java where to find that crl but I discovered these options instead to tell java to not check a crl.

-Dcom.sun.net.ssl.checkRevocation=false
-Dcom.sun.security.enableCRLDP=false

On 26 April 2013 18:30, Petr Viktorin pvikt...@redhat.com wrote:
> Hello,
>
> On 04/26/2013 07:22 AM, Peter Brown wrote:
>> Hi everyone.
>> I am attempting to get Google Apps to sync with FreeIPA and I am having problems getting the sync utility to talk to freeipa. It complains about the ssl cert. I have it setup so it only accepts ssl or tls encrypted connections and I don't want to turn that off. I have imported the ca cert using the jre's keytool but it still refuses to connect. I am getting the impression I need to import the ssl cert for the ldap server into it as well.
>
> The CA cert (/etc/ipa/ca.crt) should be enough, it signs all the other certs. Make sure you import it with the right trust level (SSL certificate signing). Unfortunately I don't know about jre's keytool so I can't be more specific.
>
>> I have no idea which certificate that is and I have no idea how to export it.
>
> Do not do this. You should only explicitly trust the CA cert. For example, if you trust the certs explicitly you'd have to re-import them one by one when they are renewed.
>
>> Can someone please tell me how to do this?
>
> If you really want to: There are two certs, one for httpd (Web UI, XMLRPC, JSON APIs), and one for the LDAP server.
>
> To export the httpd server certificate (to PEM):
>
>     $ certutil -L -d /etc/httpd/alias -n Server-Cert -a
>
> To export the directory server certificate (to PEM):
>
>     $ certutil -L -d /etc/dirsrv/slapd-$INSTANCE_NAME/ -n Server-Cert -a
>
> But again, you don't need this for what you're trying to do.
>
> --
> Petr³
[Freeipa-users] exporting ldap certificate
Hi everyone.

I am attempting to get Google Apps to sync with FreeIPA and I am having problems getting the sync utility to talk to freeipa. It complains about the ssl cert. I have it setup so it only accepts ssl or tls encrypted connections and I don't want to turn that off. I have imported the ca cert using the jre's keytool but it still refuses to connect.

I am getting the impression I need to import the ssl cert for the ldap server into it as well. I have no idea which certificate that is and I have no idea how to export it.

Can someone please tell me how to do this?

Thanks in advance.

Pete.
Re: [Freeipa-users] LDAP authentication for 3rd party
On 12 April 2013 23:59, Rich Megginson rmegg...@redhat.com wrote:
> On 04/11/2013 11:58 PM, Peter Brown wrote:
>> On 12 April 2013 15:51, Simon Williams simon.willi...@thehelpfulcat.com wrote:
>>> I use Atlassian products, but use Crowd to provide single signon. This means that Crowd is the only application that needs to authenticate against LDAP. I found that I had to tell Crowd that the server was 389 DS. I could not get it to work set to OpenLDAP.
>>
>> I had a look at crowd but it seemed like overkill when I could just point everything at FreeIPA. We are a small shop so the extra queries weren't going to affect much.
>> I tried telling my Atlassian apps that freeipa was a 389 ds server but it refused to work properly.
>
> Not sure what that means, exactly. Check the 389 access logs to see what operations Atlassian is performing against 389.

I don't remember the exact error and they get used every day and they work as is so I will have to wait for an update to switch it over to see what errors it produces.

>> Slightly strange considering the ldap modules for all of them are the same as the one used in crowd.
>>
>>> Regards
>>> Simon
>>>
>>> On 11 Apr 2013 23:36, Peter Brown rendhal...@gmail.com wrote:
>>>> On 12 April 2013 05:04, John Dennis jden...@redhat.com wrote:
>>>>> On 04/11/2013 02:47 PM, Bartek Moczulski wrote:
>>>>>> hi,
>>>>>> I've got a problem with using IPA as authentication source over LDAP. Generally there are two approaches to LDAP authentication:
>>>>>> 1. bind using admin account and read passwords from user objects (but in ipa you cannot read passwords through ldap, right?)
>>>>>> 2. bind to authenticate - service tries to log in to ldap with user's credentials. If login is successful authentication is also successful - this approach does not work because you cannot login to IPA ldap using bare username, you need a full LDAP DN.
>>>>>
>>>>> Most applications I know of that do bind as user to authenticate also permit you to specify a format string into which the user name is inserted (i.e. the format string is the dn, e.g. uid=%u,cn=users,cn=accounts,dc=example,dc=com) -or- they do a search to discover the dn. If your application does not support either approach it's broken IMHO.
>>>>
>>>> I have used this method for Confluence, Jira, Stash, Icinga and Foreman. I will be adding more applications in the future as well. If the application doesn't support Kerberos it's the next best thing in my opinion. I have also used it to get email lists into dovecot and postfix.
>>>> One caveat I found is you need to tell Atlassian applications that FreeIPA is a plain OpenLDAP server to get it to work. Apart from that it works out of the box as they say.
>>>>
>>>>> Reading passwords and/or password hashes is not supported for security reasons.
>>>>>
>>>>>> Now, I've got a 3rd party application supporting both mentioned above approaches and the question is - how to make it work with ipa?
>>>>>>
>>>>>> thanks in advance,
>>>>>> Bartek.
>>>>>
>>>>> --
>>>>> John Dennis jden...@redhat.com
>>>>>
>>>>> Looking to carve out IT costs?
>>>>> www.redhat.com/carveoutcosts/
Re: [Freeipa-users] LDAP authentication for 3rd party
On 12 April 2013 15:51, Simon Williams simon.willi...@thehelpfulcat.com wrote:
> I use Atlassian products, but use Crowd to provide single signon. This means that Crowd is the only application that needs to authenticate against LDAP. I found that I had to tell Crowd that the server was 389 DS. I could not get it to work set to OpenLDAP.

I had a look at crowd but it seemed like overkill when I could just point everything at FreeIPA. We are a small shop so the extra queries weren't going to affect much.
I tried telling my Atlassian apps that freeipa was a 389 ds server but it refused to work properly. Slightly strange considering the ldap modules for all of them are the same as the one used in crowd.

> Regards
> Simon
>
> On 11 Apr 2013 23:36, Peter Brown rendhal...@gmail.com wrote:
>> On 12 April 2013 05:04, John Dennis jden...@redhat.com wrote:
>>> On 04/11/2013 02:47 PM, Bartek Moczulski wrote:
>>>> hi,
>>>> I've got a problem with using IPA as authentication source over LDAP. Generally there are two approaches to LDAP authentication:
>>>> 1. bind using admin account and read passwords from user objects (but in ipa you cannot read passwords through ldap, right?)
>>>> 2. bind to authenticate - service tries to log in to ldap with user's credentials. If login is successful authentication is also successful - this approach does not work because you cannot login to IPA ldap using bare username, you need a full LDAP DN.
>>>
>>> Most applications I know of that do bind as user to authenticate also permit you to specify a format string into which the user name is inserted (i.e. the format string is the dn, e.g. uid=%u,cn=users,cn=accounts,dc=example,dc=com) -or- they do a search to discover the dn. If your application does not support either approach it's broken IMHO.
>>
>> I have used this method for Confluence, Jira, Stash, Icinga and Foreman. I will be adding more applications in the future as well. If the application doesn't support Kerberos it's the next best thing in my opinion. I have also used it to get email lists into dovecot and postfix.
>> One caveat I found is you need to tell Atlassian applications that FreeIPA is a plain OpenLDAP server to get it to work. Apart from that it works out of the box as they say.
>>
>>> Reading passwords and/or password hashes is not supported for security reasons.
>>>
>>>> Now, I've got a 3rd party application supporting both mentioned above approaches and the question is - how to make it work with ipa?
>>>>
>>>> thanks in advance,
>>>> Bartek.
>>>
>>> --
>>> John Dennis jden...@redhat.com
>>>
>>> Looking to carve out IT costs?
>>> www.redhat.com/carveoutcosts/
Re: [Freeipa-users] LDAP authentication for 3rd party
On 12 April 2013 05:04, John Dennis jden...@redhat.com wrote:
> On 04/11/2013 02:47 PM, Bartek Moczulski wrote:
>> hi,
>> I've got a problem with using IPA as authentication source over LDAP. Generally there are two approaches to LDAP authentication:
>> 1. bind using admin account and read passwords from user objects (but in ipa you cannot read passwords through ldap, right?)
>> 2. bind to authenticate - service tries to log in to ldap with user's credentials. If login is successful authentication is also successful - this approach does not work because you cannot login to IPA ldap using bare username, you need a full LDAP DN.
>
> Most applications I know of that do bind as user to authenticate also permit you to specify a format string into which the user name is inserted (i.e. the format string is the dn, e.g. uid=%u,cn=users,cn=accounts,dc=example,dc=com) -or- they do a search to discover the dn. If your application does not support either approach it's broken IMHO.

I have used this method for Confluence, Jira, Stash, Icinga and Foreman. I will be adding more applications in the future as well. If the application doesn't support Kerberos it's the next best thing in my opinion. I have also used it to get email lists into dovecot and postfix.
One caveat I found is you need to tell Atlassian applications that FreeIPA is a plain OpenLDAP server to get it to work. Apart from that it works out of the box as they say.

> Reading passwords and/or password hashes is not supported for security reasons.
>
>> Now, I've got a 3rd party application supporting both mentioned above approaches and the question is - how to make it work with ipa?
>>
>> thanks in advance,
>> Bartek.
>
> --
> John Dennis jden...@redhat.com
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Realm distributed across data centers
I have no idea if this counts as best practice because I am not affiliated with the FreeIPA development team.
I personally think SRV records are probably the best idea in this situation. You would have to setup different zones to serve to each datacentre though if you know how to do that. It's not that tricky with views in bind.

On 13 March 2013 12:40, Michael ORourke mrorou...@earthlink.net wrote:
> We have a single realm distributed across 2 data centers and 2 offices with 4 replicated IPA servers (2 in each data center). We are running IPA server and client v2.2.0 on all servers and replication appears to be functioning correctly. What I have noticed is that some servers in DC1, have no connectivity to the IPA servers in DC2, and when you try connecting to them from Office1 you sometimes get a long authentication delay. I suspect this is caused by a timeout waiting for an IPA server in DC2 to respond (which it can't). So I guess my question is, is there a 'best practices' approach to this scenario?
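As an added illustration of the SRV-record suggestion above (not code from the thread or from FreeIPA), the records below are constructed zone data for a DC1-specific view: the DC1 servers carry the lower priority, the DC2 servers are present only as a fallback, and a DC2 view would swap the two. The Python implements the RFC 2782 ordering a client applies, so it shows why a DC1 host served this view only contacts DC2 after its local servers have failed rather than waiting on a timeout first. The zone names and host names are assumptions.

```python
import random
from dataclasses import dataclass

# Constructed zone data as served to DC1 clients (assumed names).
DC1_VIEW = [
    "_ldap._tcp.example.com. 86400 IN SRV 0 100 389 ipa1.dc1.example.com.",
    "_ldap._tcp.example.com. 86400 IN SRV 0 100 389 ipa2.dc1.example.com.",
    "_ldap._tcp.example.com. 86400 IN SRV 10 100 389 ipa1.dc2.example.com.",
    "_ldap._tcp.example.com. 86400 IN SRV 10 100 389 ipa2.dc2.example.com.",
]


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_line(line: str) -> SrvRecord:
    """Parse one SRV record in zone-file presentation format (TTL optional)."""
    fields = line.split()
    try:
        i = [f.upper() for f in fields].index("SRV")
        prio, weight, port, target = fields[i + 1:i + 5]
    except (ValueError, IndexError):
        raise ValueError(f"not an SRV record: {line!r}") from None
    return SrvRecord(int(prio), int(weight), int(port), target.rstrip("."))


def order_srv_targets(records, rng=None):
    """Order records as RFC 2782 prescribes: lowest priority first; within one
    priority, weighted random selection so equal servers share the load.
    Weight-0 entries are only reached once every weighted entry is used."""
    rng = rng or random.Random()
    by_priority = {}
    for r in records:
        by_priority.setdefault(r.priority, []).append(r)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:                      # only weight-0 entries remain
                pick = pool[rng.randrange(len(pool))]
            else:
                x = rng.randrange(total)        # 0 .. total-1
                acc = 0
                for r in pool:
                    acc += r.weight
                    if x < acc:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def preferred_targets(zone_lines, seed=None):
    """Return 'host:port' strings in the order a client should try them."""
    records = [parse_srv_line(line) for line in zone_lines]
    return [f"{r.target}:{r.port}" for r in order_srv_targets(records, random.Random(seed))]


if __name__ == "__main__":
    for target in preferred_targets(DC1_VIEW):
        print(target)
```

The same split applies to the other records FreeIPA clients consult (`_kerberos._udp`, `_kerberos._tcp`, `_kpasswd._udp`); each view carries its own copy with the local servers preferred. Priority (not weight) is what keeps a client away from the unreachable data centre: weight only balances among servers of equal priority.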
Re: [Freeipa-users] Cannot obtain CA Certificate
Hi John,

I ran into a similar issue with setting up a 2.2 client with a 3.1 server. It turned out to be that port 80 wasn't open on the freeipa server. I would check your ports and see if the right ones are open.
I also find that setting up the SRV and TXT records in your dns zone makes setting up clients a lot simpler.

On 19 February 2013 00:58, John Moyer john.mo...@digitalreasoning.com wrote:
> Hello all,
>
> I am having an issue using IPA 2.2.0. I am trying to put together a proof of concept set of systems. I've stood up 2 servers on AWS. One is the server one is the client. I am using CentOS 6 to do all this testing on, with the default IPA packages provided from CentOS. I had a fully operational proof of concept finished fully scripted to be built without issues. I shutdown and started these as needed to show to people to get approval for the project. The other day the client stopped enrolling to the IPA server, I have no idea why I assume a patch pushed out broke something since it is a fully scripted install. It does get the most recent patches each time I stand it up so it definitely would pull any new patches that came out. After investigating I am getting this error when I try to manually enroll the client. I haven't been able to find any reference to this error anywhere on the net. Any help would be greatly appreciated! Let me know if any additional details are needed.
>
> PLEASE NOTE: Everything below has been sanitized
>
> [root@client ~]# ipa-client-install --domain=example.com --server=ipa1.example.com --realm=EXAMPLE.COM --configure-ssh --configure-sshd -p ipa-bind -w blah -U
> DNS domain 'example.com' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
>
> Discovery was successful!
> Hostname: client.ec2.internal
> Realm: EXAMPLE.COM
> DNS Domain: digitalreasoning.com
> IPA Server: ipa1.example.com
> BaseDN: dc=example,dc=com
>
> Synchronizing time with KDC...
> ipa         : ERROR    Cannot obtain CA certificate
> 'ldap://ipa1.example.com' doesn't have a certificate.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> Thanks,
>
> John Moyer
Re: [Freeipa-users] Best OS to use with FreeIPA?
On 19 January 2013 05:25, Brian Topping topp...@codehaus.org wrote:
> Hi Peter and Dimitri,
>
> Thanks for your responses. I think I am going to bite the bullet and put F18 into production. One of the elements that made that easier was recognizing that RHEL 7 was going to be based on Fedora of some sort, and a stripped-down Fedora with SELinux will be plenty secure while I wait for that convergence.

It seems that Fedora 18 will be the template for RedHat 7 so it's almost like getting it early.

> Cheers! Brian
>
> On Jan 17, 2013, at 6:19 PM, Dmitri Pal d...@redhat.com wrote:
>> On 01/17/2013 05:45 PM, Brian Topping wrote:
>>> Apologies if this has been covered elsewhere, I looked through a few months of archives and the documentation and didn't find anything. What's the best OS to build a production FreeIPA instance on? It seems like Fedora has more recent versions in their repositories (CentOS is still at 2.2.0), but I'd prefer to run CentOS as a general rule. Any quick rules of thumb that I can work from?
>>>
>>> thanks! Brian
>>
>> It depends on what level of support you expect and what functionality you are looking for. The first distro that gets the bits is Fedora then RHEL, then CentOS with gap of several months each. It is up to you to choose what is best for you and what risks you are willing to take in your production environment.
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>> ---
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Allow IPA users to create SSH tunnel with no shell
Hi Albert,

Have you tried putting that command in the public key for the user in freeipa and setting the user shell to /sbin/nologin or the equivalent?

On 15 December 2012 02:09, Albert Adams bite...@gmail.com wrote:
> In our environment we have several systems where users require access to the system to setup an SSH tunnel but should not have a shell on the system. Prior to rolling out IPA we accomplished this with the authorized_keys file as follows:
>
>     command="/usr/bin/perl -e '$|=1; print \"Tunnel created, use your webbrowser to connect to the tool\n\"; while(1) { print localtime(time) . \"\n\"; sleep 60 }'",permitopen="localhost:8834",no-agent-forwarding,no-X11-forwarding
>
> Is there a way to accomplish this in IPA?
>
> Regards,
> Albert
Re: [Freeipa-users] One time passwords - 2 factor
On 30 November 2012 11:43, Rob Crittenden rcrit...@redhat.com wrote:
> Steven Jones wrote:
>> Hi,
>> Is it possible to use the freeipa API and an external program to do one time passwords? (password is sent by the external app, sms to smartphone).
>
> Not yet. The problem is lack of support in the KDC and this is being actively worked on. We did a proof-of-concept at the Red Hat Summit a couple of years ago using a Yubikey as the OTP source. It was, as they say in New England, wicked cool. It was very much hardcoded though. AFAIK they are working on a plugin interface to make this much easier to do. A lot of the work is being done here: https://fedorahosted.org/AuthHub/

Awesome! Looking forward to that. If I had some spare time I could contribute...

> rob
Re: [Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix
On 1 November 2012 15:07, Stephen Ingram sbing...@gmail.com wrote:
> On Wed, Oct 31, 2012 at 6:25 PM, Peter Brown rendhal...@gmail.com wrote:
>> On 1 November 2012 08:20, Stephen Ingram sbing...@gmail.com wrote:
>>> On Tue, Oct 30, 2012 at 6:34 PM, Peter Brown rendhal...@gmail.com wrote:
>>>> Hi everyone,
>>>> I have been trying to work out how to achieve this. I have freeipa 3.0.0 setup on a Fedora 18 server and I have postfix and dovecot on my new mail server authenticating against Freeipa. One last thing I would love to do is pull down the virtual users and aliases for the domains my mailserver will be serving from freeipa. Is this possible? Is this all automatic due to sssd looking up the user details in the ds? Does it do the same for domains and email aliases or will I need extra lookups to achieve this?
>>>
>>> I've recently built an entire mail system around FreeIPA and it works great. There are two parts to be concerned with:
>>>
>>> 1. Authentication - With Postfix, this is handled by saslauthd which can authenticate against Kerberos (using or not using sssd). I used Cyrus-IMAP for the mailstore which also uses saslauthd. Dovecot has its own sasl built in which can authenticate against Kerberos or LDAP, thus it should work with IPA.
>>
>> I have dovecot authing against freeipa (via pam) and I setup a sasl auth instance in dovecot and have postfix authing against that. I figured why setup another sasl auth daemon when dovecot can do it for me so they effectively use the same authentication source.
>>
>>> 2. Configuration - With Postfix, you can set all different areas (e.g. virtual, aliases, etc.) to use LDAP lookup of configuration information. You are typically searching for the email address (mail attribute in IPA) and your search will generally return the userid (uid attribute) of where the mail is to be stored. I don't believe that Dovecot or Cyrus-IMAP have any way of maintaining any configuration in LDAP so you generally have to setup mailboxes and authorization information by hand using their tools.
>>
>> I have most of that worked out but getting delivery addresses for domains that aren't the base is proving tricky. It's looking like I will need to add some extra schemas to the ds so I can add the delivery domain to each user and somehow use that to construct the delivery address. I am not sure I can do that though.
>
> I didn't really have to add anything except for one extra attribute. You can group your users into user groups representing the domains they belong to such that Postfix can query whether or not to accept for a domain or not. I added mailAlternateAddress for aliases rather than user multi-value attribute mail so I can have a master email address for each user. It was easy to do with the existing schema (mailRecipient objectclass).
>
> BTW if you haven't already figured it out, postmap -q is your friend when setting up your LDAP config in Postfix. Just keep adjusting everything until you get the answer you (and Postfix) expect.

I discovered that attribute when I was digging around in the ldif files and I was just wondering why they didn't use that for setting aliases. It would certainly make my ldap queries for postfix a lot simpler.
I added the mailRecipient class to the defaults for users and tried to use the ipa user-mod --setattr=mailAlternateAddress= and it is telling me

    ipa: ERROR: attribute mailAlternateAddress not allowed

I have also tried setting a few other non standard attributes that seem to be in the default schemas already and they all give me the same error. Am I missing something?
I am half tempted to add the extra components of 389-ds and see if that will let me do what I need.

>> On a side note the freeipa lads seem to be working out how to add multitenancy support so it will be capable of serving multiple separate Kerberos principals. That would help a lot but I need to cobble something together now.
>
> Yes, if you want unique uid's within each domain you'll have to wait for that. I gave up on that notion and simply require unique uids for every user regardless of domain and deliver to single domain style mail store setup.

yeah that's tempting but I need to have separate domains.

> Steve
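As an added example of the Postfix LDAP lookups Stephen describes (not configuration from the thread or from FreeIPA), two ldap_table files: the domain lookup that accepts a domain only when a user group named after it exists, and the mailbox lookup that matches either the primary mail attribute or a mailAlternateAddress alias and returns the uid to deliver to. The host name, the system-account bind DN, the group-naming convention and the file names are assumptions; bind_pw is a placeholder.

```ini
# /etc/postfix/ldap-virtual-domains.cf (assumed path)
# Accept mail for a domain only if a FreeIPA user group carrying the domain
# name exists (e.g. a group "example.net" for @example.net). %s is the
# domain Postfix is looking up. The connection is LDAPS, verified against
# the IPA CA, bound as a FreeIPA system account (assumed DN) so no user
# credentials sit in the Postfix config.
server_host = ldaps://ipa1.example.com
version = 3
tls_ca_cert_file = /etc/ipa/ca.crt
tls_require_cert = yes
bind = yes
bind_dn = uid=postfix,cn=sysaccounts,cn=etc,dc=example,dc=com
bind_pw = SYSTEM-ACCOUNT-PASSWORD-PLACEHOLDER
search_base = cn=groups,cn=accounts,dc=example,dc=com
scope = sub
query_filter = (&(objectClass=ipausergroup)(cn=%s))
result_attribute = cn

# /etc/postfix/ldap-virtual-mailboxes.cf (assumed path)
# Map a delivery address to the uid of the mailbox owner. %s is the whole
# address, %d its domain part. Requiring membership of the group named after
# the domain means a user cannot receive at an address in a domain they do
# not belong to, even if someone sets that address in their entry.
server_host = ldaps://ipa1.example.com
version = 3
tls_ca_cert_file = /etc/ipa/ca.crt
tls_require_cert = yes
bind = yes
bind_dn = uid=postfix,cn=sysaccounts,cn=etc,dc=example,dc=com
bind_pw = SYSTEM-ACCOUNT-PASSWORD-PLACEHOLDER
search_base = cn=users,cn=accounts,dc=example,dc=com
scope = sub
query_filter = (&(objectClass=posixaccount)(|(mail=%s)(mailAlternateAddress=%s))(memberOf=cn=%d,cn=groups,cn=accounts,dc=example,dc=com))
result_attribute = uid

# main.cf fragment wiring the two tables in
virtual_mailbox_domains = ldap:/etc/postfix/ldap-virtual-domains.cf
virtual_mailbox_maps = ldap:/etc/postfix/ldap-virtual-mailboxes.cf
```

Check each table the way Stephen suggests, with `postmap -q example.net ldap:/etc/postfix/ldap-virtual-domains.cf` and `postmap -q pete@example.net ldap:/etc/postfix/ldap-virtual-mailboxes.cf`; the second should print the uid, and an address whose domain group the user is not in should print nothing. The mailbox table assumes the mailAlternateAddress attribute can actually be set on the user entries, which is exactly what the thread leaves open.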
[Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix
Hi everyone,

I have been trying to work out how to achieve this. I have freeipa 3.0.0 setup on a Fedora 18 server and I have postfix and dovecot on my new mail server authenticating against Freeipa.

One last thing I would love to do is pull down the virtual users and aliases for the domains my mailserver will be serving from freeipa. Is this possible? Is this all automatic due to sssd looking up the user details in the ds? Does it do the same for domains and email aliases or will I need extra lookups to achieve this?

Thanks in advance.

Pete.