Re: [Freeipa-users] Proper configuration of service accounts
Rob,

> Try adding the inetUser objectclass to your system account. You're probably lacking memberOf.

Thanks, that worked. My last issue is to add read/search permission on the name attribute, as the vendor doesn't offer a way to not include it in a search filter to find user groups.

> I was in Code 500 many moons ago, Center Network Environment (CNE).

Small world :-) The NICS contract covers CNE at Goddard and at the Agency level. I'm setting up a new NMS system for the NASCOM mission network.

George Boyce, SAIC/NICS GCC Systems Support
NASA GSFC Code 762

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Proper configuration of service accounts
I forgot to describe the system account that I created. I followed the procedure at https://www.freeipa.org/page/HowTo/LDAP#System_Accounts

# LDAPsearch, sysaccounts, etc, ...
dn: uid=LDAPsearch,cn=sysaccounts,cn=etc,dc=...
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: LDAPsearch

What do I need to change to be able to add this account as a member to a given role? To avoid this:

modifying entry cn=A and A,cn=roles,cn=accounts,dc=...
ldap_modify: Object class violation (65)

George Boyce, SAIC/NICS GCC Systems Support
NASA GSFC Code 762
Re: [Freeipa-users] Proper configuration of service accounts
> If you want to add special ACIs using the new/updated permission API (ipa permission-add), I would suggest the following procedure:
>
> 1) Add the new system account in cn=sysaccounts,cn=etc,dc=rhel71
> 2) Add the new permissions you want to add, make them a member of a (new) privilege.
> 3) Create a new role, make the new/updated privileges members of that role
> 4) Use ldapmodify to make the system account DN member of that role (you just add a new member attribute value)
> 5) Profit - you should now be able to control permissions to your system account with FreeIPA CLI/UI

On step 4, to add the sysaccounts user to the role, I get an error:

# cat sysaccount-LDAPsearch-add-role-2.ldif
dn: cn=A and A,cn=roles,cn=accounts,dc=...
changetype: modify
add: member
member: uid=LDAPsearch,cn=sysaccounts,cn=etc,dc=...

# ldapmodify -Y GSSAPI -f sysaccount-LDAPsearch-add-role-2.ldif
SASL/GSSAPI authentication started
SASL username: admin@...
SASL SSF: 56
SASL data security layer installed.
modifying entry cn=A and A,cn=roles,cn=accounts,dc=...
ldap_modify: Object class violation (65)

Same thing if I use Directory Manager. I was able to add a normal user to the role, using both the GUI and ldapmodify.

# ipa --version
VERSION: 4.1.0, API_VERSION: 2.112
# cat /etc/centos-release
CentOS Linux release 7.1.1503 (Core)

George Boyce, SAIC/NICS GCC Systems Support
NASA GSFC Code 762
Re: [Freeipa-users] Proper configuration of service accounts
Boyce, George Robert. (GSFC-762.0)[NICS] wrote:
>> If you want to add special ACIs using the new/updated permission API (ipa permission-add), I would suggest the following procedure:
>>
>> 1) Add the new system account in cn=sysaccounts,cn=etc,dc=rhel71
>> 2) Add the new permissions you want to add, make them a member of a (new) privilege.
>> 3) Create a new role, make the new/updated privileges members of that role
>> 4) Use ldapmodify to make the system account DN member of that role (you just add a new member attribute value)
>> 5) Profit - you should now be able to control permissions to your system account with FreeIPA CLI/UI
>
> On step 4, to add the sysaccounts user to the role, I get an error:
>
> # cat sysaccount-LDAPsearch-add-role-2.ldif
> dn: cn=A and A,cn=roles,cn=accounts,dc=…
> changetype: modify
> add: member
> member: uid=LDAPsearch,cn=sysaccounts,cn=etc,dc=…
>
> # ldapmodify -Y GSSAPI -f sysaccount-LDAPsearch-add-role-2.ldif
> SASL/GSSAPI authentication started
> SASL username: admin@...
> SASL SSF: 56
> SASL data security layer installed.
> modifying entry cn=A and A,cn=roles,cn=accounts,dc=…
> ldap_modify: Object class violation (65)
>
> Same thing if I use Directory Manager. I was able to add a normal user to the role, using both the GUI and ldapmodify.

Try adding the inetUser objectclass to your system account. You're probably lacking memberOf.

> # ipa --version
> VERSION: 4.1.0, API_VERSION: 2.112
> # cat /etc/centos-release
> CentOS Linux release 7.1.1503 (Core)
>
> George Boyce, SAIC/NICS GCC Systems Support
> NASA GSFC Code 762

I was in Code 500 many moons ago, Center Network Environment (CNE).

rob
Re: [Freeipa-users] Proper configuration of service accounts
On 04/03/2015 03:36 PM, Brian Topping wrote:
> On Apr 3, 2015, at 6:17 AM, Dmitri Pal d...@redhat.com wrote:
>> On 04/03/2015 01:51 AM, Brian Topping wrote:
>>> Great work on 4.1.0! As a CentOS user, I am able to convey the 3.x - 4.1.0 upgrade went smoothly via the CentOS 7.0 - 7.1 upgrade on my replicated pair of IPA instances.
>>>
>>> Question about proper setup of service accounts: I see that the service accounts I set up under cn=etc, cn=sysaccounts are still able to log in, but the permission changes have left them unable to read anything. Previously, I hacked the ACLs on the domain root. I would like to believe that's not how it should be done.
>>>
>>> That said, I was surprised that service accounts are not supported in 4.x UI, so I wonder if service accounts (https://www.redhat.com/archives/freeipa-users/2012-June/msg00011.html) are the wrong way for services like Postfix to be doing LDAP queries.
>>
>> The ACIs changed because we tightened them for the read permissions. I hope you would be able to change them so that your service account works again. Here is the root page of the changes that we implemented: http://www.freeipa.org/page/V4/Permissions_V2
>>
>> System account is probably the right one for Postfix. It is not in the UI and CLI because other features take precedence. We acknowledge that it needs to be added, we just do not have enough time and resources to do it. When we looked at 4.2 we assessed it too and it was on the border line with a good chance of not happening, sorry.
>
> Thanks Dmitri. I had known in advance about the ACLs, but couldn't fully appreciate what was going to happen until doing the upgrade. Once it was done, I was kind of surprised that the ACL changes replicated to the 3.x server. As luck would have it, I didn't snapshot both servers at the same time before upgrading either, and eventually, the ACLs managed to work their way back to both the 3.x snapshots (one of them was obviously snapshotted after the other one had been installed with 4.1). I couldn't find upgrade notes with gotchas; this might be a good addition if there are any somewhere. It was kind of humorous in all.

Interesting, I sort of thought this is automatically implied, given that FreeIPA has a fully replicated environment. Based on your recommendation, I added a note to https://www.freeipa.org/page/Upgrade#Words_of_caution

> As for the service feature itself, please don't apologize. I think you guys did a spectacular job with this feature set. What I was concerned about is making sure I am doing things as closely as possible to future patterns to reduce upgrade costs. I don't know if it's possible to document the pattern without committing to the feature, but it might be helpful.
>
> The one thing I would like to discover at this point is whether roles and privileges built in the UI can be used by system accounts. If so, I could stop editing ACLs directly in LDIF, which is error prone and not the kind of thing I remember too well.

The FreeIPA 4.x permission system can now assign privileges and new permission ACIs to users, groups, hosts, host groups and services. System accounts are not covered; they should be covered when we have an API for them. I added this requirement to the respective RFE: https://fedorahosted.org/freeipa/ticket/2801

Brian, what exactly would you like to achieve? There were changes to the default permissions; some objects are only readable by authenticated users, which should apply also to system users.

If you want to add special ACIs using the new/updated permission API (ipa permission-add), I would suggest the following procedure:

1) Add the new system account in cn=sysaccounts,cn=etc,dc=rhel71
2) Add the new permissions you want to add, make them a member of a (new) privilege.
3) Create a new role, make the new/updated privileges members of that role
4) Use ldapmodify to make the system account DN member of that role (you just add a new member attribute value)
5) Profit - you should now be able to control permissions to your system account with FreeIPA CLI/UI
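The five-step procedure above written out as a script. This is an added example, not code from the thread or from the FreeIPA project. Step 1 creates the system account with the inetUser objectClass, the fix Rob suggests elsewhere in the thread for the "Object class violation (65)" hit on step 4, because role membership makes the server write memberOf on the member entry. The base DN, account, role, privilege and permission names, the attribute list and the exact ipa CLI flags are assumptions to adjust for your deployment.

```shell
#!/bin/sh
# Added example, not from the thread: the five-step procedure as a script.
# Step 1 creates the system account WITH the inetUser objectClass: role
# membership makes the memberOf plugin write memberOf on the member entry,
# and account + simpleSecurityObject alone do not allow that attribute,
# which is what "ldap_modify: Object class violation (65)" reports.
# Assumed values (placeholders): base DN, account, role, privilege and
# permission names, the attribute list, and the exact ipa CLI flags.

BASE_DN="${BASE_DN:-dc=example,dc=com}"          # placeholder base DN
ACCOUNT="${ACCOUNT:-LDAPsearch}"
ROLE="${ROLE:-LDAP Search Role}"
PRIV="${PRIV:-LDAP Search Privilege}"
PERM="${PERM:-Read group names for LDAPsearch}"

# Step 1: LDIF for the system account (password is a placeholder).
sysaccount_ldif() {
    cat <<EOF
dn: uid=$1,cn=sysaccounts,cn=etc,$2
changetype: add
objectClass: account
objectClass: simplesecurityobject
objectClass: inetUser
objectClass: top
uid: $1
userPassword: CHANGE-ME
EOF
}

# Step 4: LDIF that adds the system account DN as a member of the role.
role_member_ldif() {
    cat <<EOF
dn: cn=$1,cn=roles,cn=accounts,$3
changetype: modify
add: member
member: uid=$2,cn=sysaccounts,cn=etc,$3
EOF
}

# Steps 2 and 3: permission -> privilege -> role via the IPA CLI
# (flags assumed from the 4.x permission-add syntax; narrow the attribute
# list to what the consuming service really needs).
create_rbac_objects() {
    ipa permission-add "$PERM" --type=group \
        --right=read --right=search --right=compare \
        --attrs=cn --attrs=member
    ipa privilege-add "$PRIV"
    ipa privilege-add-permission "$PRIV" --permissions="$PERM"
    ipa role-add "$ROLE"
    ipa role-add-privilege "$ROLE" --privileges="$PRIV"
}

# Step 5 check: the account entry should now carry memberOf for the role.
apply_procedure() {
    sysaccount_ldif "$ACCOUNT" "$BASE_DN" | ldapmodify -Y GSSAPI
    create_rbac_objects
    role_member_ldif "$ROLE" "$ACCOUNT" "$BASE_DN" | ldapmodify -Y GSSAPI
    ldapsearch -Y GSSAPI -b "uid=$ACCOUNT,cn=sysaccounts,cn=etc,$BASE_DN" memberOf
}

# Only touch the directory when asked ("apply"); otherwise print the LDIF.
case "${1:-}" in
    apply) apply_procedure ;;
    *) sysaccount_ldif "$ACCOUNT" "$BASE_DN"; echo
       role_member_ldif "$ROLE" "$ACCOUNT" "$BASE_DN" ;;
esac
```

Run it without arguments to review the generated LDIF first; `./script.sh apply` needs a valid admin Kerberos ticket for the GSSAPI binds.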
[Freeipa-users] Proper configuration of service accounts
Great work on 4.1.0! As a CentOS user, I am able to convey the 3.x - 4.1.0 upgrade went smoothly via the CentOS 7.0 - 7.1 upgrade on my replicated pair of IPA instances.

Question about proper setup of service accounts: I see that the service accounts I set up under cn=etc, cn=sysaccounts are still able to log in, but the permission changes have left them unable to read anything. Previously, I hacked the ACLs on the domain root. I would like to believe that's not how it should be done.

That said, I was surprised that service accounts are not supported in 4.x UI, so I wonder if service accounts (https://www.redhat.com/archives/freeipa-users/2012-June/msg00011.html) are the wrong way for services like Postfix to be doing LDAP queries.

Thanks, Brian
Re: [Freeipa-users] Proper configuration of service accounts
On 04/03/2015 01:51 AM, Brian Topping wrote:
> Great work on 4.1.0! As a CentOS user, I am able to convey the 3.x - 4.1.0 upgrade went smoothly via the CentOS 7.0 - 7.1 upgrade on my replicated pair of IPA instances.
>
> Question about proper setup of service accounts: I see that the service accounts I set up under cn=etc, cn=sysaccounts are still able to log in, but the permission changes have left them unable to read anything. Previously, I hacked the ACLs on the domain root. I would like to believe that's not how it should be done.
>
> That said, I was surprised that service accounts are not supported in 4.x UI, so I wonder if service accounts (https://www.redhat.com/archives/freeipa-users/2012-June/msg00011.html) are the wrong way for services like Postfix to be doing LDAP queries.

The ACIs changed because we tightened them for the read permissions. I hope you would be able to change them so that your service account works again. Here is the root page of the changes that we implemented: http://www.freeipa.org/page/V4/Permissions_V2

System account is probably the right one for Postfix. It is not in the UI and CLI because other features take precedence. We acknowledge that it needs to be added, we just do not have enough time and resources to do it. When we looked at 4.2 we assessed it too and it was on the border line with a good chance of not happening, sorry.

Thanks
Dmitri

> Thanks, Brian

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Proper configuration of service accounts
On 04/03/2015 09:36 AM, Brian Topping wrote:
> On Apr 3, 2015, at 6:17 AM, Dmitri Pal d...@redhat.com wrote:
>> On 04/03/2015 01:51 AM, Brian Topping wrote:
>>> Great work on 4.1.0! As a CentOS user, I am able to convey the 3.x - 4.1.0 upgrade went smoothly via the CentOS 7.0 - 7.1 upgrade on my replicated pair of IPA instances.
>>>
>>> Question about proper setup of service accounts: I see that the service accounts I set up under cn=etc, cn=sysaccounts are still able to log in, but the permission changes have left them unable to read anything. Previously, I hacked the ACLs on the domain root. I would like to believe that's not how it should be done.
>>>
>>> That said, I was surprised that service accounts are not supported in 4.x UI, so I wonder if service accounts (https://www.redhat.com/archives/freeipa-users/2012-June/msg00011.html) are the wrong way for services like Postfix to be doing LDAP queries.
>>
>> The ACIs changed because we tightened them for the read permissions. I hope you would be able to change them so that your service account works again. Here is the root page of the changes that we implemented: http://www.freeipa.org/page/V4/Permissions_V2
>>
>> System account is probably the right one for Postfix. It is not in the UI and CLI because other features take precedence. We acknowledge that it needs to be added, we just do not have enough time and resources to do it. When we looked at 4.2 we assessed it too and it was on the border line with a good chance of not happening, sorry.
>
> Thanks Dmitri. I had known in advance about the ACLs, but couldn't fully appreciate what was going to happen until doing the upgrade. Once it was done, I was kind of surprised that the ACL changes replicated to the 3.x server. As luck would have it, I didn't snapshot both servers at the same time before upgrading either, and eventually, the ACLs managed to work their way back to both the 3.x snapshots (one of them was obviously snapshotted after the other one had been installed with 4.1). I couldn't find upgrade notes with gotchas; this might be a good addition if there are any somewhere. It was kind of humorous in all.
>
> As for the service feature itself, please don't apologize. I think you guys did a spectacular job with this feature set. What I was concerned about is making sure I am doing things as closely as possible to future patterns to reduce upgrade costs. I don't know if it's possible to document the pattern without committing to the feature, but it might be helpful.
>
> The one thing I would like to discover at this point is whether roles and privileges built in the UI can be used by system accounts.

I am eager to know that too, please do not hesitate to share your findings. :-)

> If so, I could stop editing ACLs directly in LDIF, which is error prone and not the kind of thing I remember too well.
>
> Kind regards, Brian
>
>> Thanks
>> Dmitri
>>
>>> Thanks, Brian
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Proper configuration of service accounts
On Fri, 03 Apr 2015, Dmitri Pal wrote:
> On 04/03/2015 09:36 AM, Brian Topping wrote:
>> On Apr 3, 2015, at 6:17 AM, Dmitri Pal d...@redhat.com wrote:
>>> On 04/03/2015 01:51 AM, Brian Topping wrote:
>>>> Great work on 4.1.0! As a CentOS user, I am able to convey the 3.x - 4.1.0 upgrade went smoothly via the CentOS 7.0 - 7.1 upgrade on my replicated pair of IPA instances.
>>>>
>>>> Question about proper setup of service accounts: I see that the service accounts I set up under cn=etc, cn=sysaccounts are still able to log in, but the permission changes have left them unable to read anything. Previously, I hacked the ACLs on the domain root. I would like to believe that's not how it should be done.
>>>>
>>>> That said, I was surprised that service accounts are not supported in 4.x UI, so I wonder if service accounts (https://www.redhat.com/archives/freeipa-users/2012-June/msg00011.html) are the wrong way for services like Postfix to be doing LDAP queries.
>>>
>>> The ACIs changed because we tightened them for the read permissions. I hope you would be able to change them so that your service account works again. Here is the root page of the changes that we implemented: http://www.freeipa.org/page/V4/Permissions_V2
>>>
>>> System account is probably the right one for Postfix. It is not in the UI and CLI because other features take precedence. We acknowledge that it needs to be added, we just do not have enough time and resources to do it. When we looked at 4.2 we assessed it too and it was on the border line with a good chance of not happening, sorry.
>>
>> Thanks Dmitri. I had known in advance about the ACLs, but couldn't fully appreciate what was going to happen until doing the upgrade. Once it was done, I was kind of surprised that the ACL changes replicated to the 3.x server. As luck would have it, I didn't snapshot both servers at the same time before upgrading either, and eventually, the ACLs managed to work their way back to both the 3.x snapshots (one of them was obviously snapshotted after the other one had been installed with 4.1). I couldn't find upgrade notes with gotchas; this might be a good addition if there are any somewhere. It was kind of humorous in all.
>>
>> As for the service feature itself, please don't apologize. I think you guys did a spectacular job with this feature set. What I was concerned about is making sure I am doing things as closely as possible to future patterns to reduce upgrade costs. I don't know if it's possible to document the pattern without committing to the feature, but it might be helpful.
>>
>> The one thing I would like to discover at this point is whether roles and privileges built in the UI can be used by system accounts.
>
> I am eager to know that too, please do not hesitate to share your findings. :-)

I don't think you can achieve that with the existing 'ipa permission-add' command because it limits the memberof filter to existing IPA groups. We have an update plugin that updates managed permissions and it could be used as a basis to add more permissions declarative-style, but right now it can't be used as it is. Definitely worth filing a ticket and fixing this ASAP.

--
/ Alexander Bokovoy
Re: [Freeipa-users] Proper configuration of service accounts
On Apr 3, 2015, at 6:17 AM, Dmitri Pal d...@redhat.com wrote:
> On 04/03/2015 01:51 AM, Brian Topping wrote:
>> Great work on 4.1.0! As a CentOS user, I am able to convey the 3.x - 4.1.0 upgrade went smoothly via the CentOS 7.0 - 7.1 upgrade on my replicated pair of IPA instances.
>>
>> Question about proper setup of service accounts: I see that the service accounts I set up under cn=etc, cn=sysaccounts are still able to log in, but the permission changes have left them unable to read anything. Previously, I hacked the ACLs on the domain root. I would like to believe that's not how it should be done.
>>
>> That said, I was surprised that service accounts are not supported in 4.x UI, so I wonder if service accounts (https://www.redhat.com/archives/freeipa-users/2012-June/msg00011.html) are the wrong way for services like Postfix to be doing LDAP queries.
>
> The ACIs changed because we tightened them for the read permissions. I hope you would be able to change them so that your service account works again. Here is the root page of the changes that we implemented: http://www.freeipa.org/page/V4/Permissions_V2
>
> System account is probably the right one for Postfix. It is not in the UI and CLI because other features take precedence. We acknowledge that it needs to be added, we just do not have enough time and resources to do it. When we looked at 4.2 we assessed it too and it was on the border line with a good chance of not happening, sorry.

Thanks Dmitri. I had known in advance about the ACLs, but couldn't fully appreciate what was going to happen until doing the upgrade. Once it was done, I was kind of surprised that the ACL changes replicated to the 3.x server. As luck would have it, I didn't snapshot both servers at the same time before upgrading either, and eventually, the ACLs managed to work their way back to both the 3.x snapshots (one of them was obviously snapshotted after the other one had been installed with 4.1). I couldn't find upgrade notes with gotchas; this might be a good addition if there are any somewhere. It was kind of humorous in all.

As for the service feature itself, please don't apologize. I think you guys did a spectacular job with this feature set. What I was concerned about is making sure I am doing things as closely as possible to future patterns to reduce upgrade costs. I don't know if it's possible to document the pattern without committing to the feature, but it might be helpful.

The one thing I would like to discover at this point is whether roles and privileges built in the UI can be used by system accounts. If so, I could stop editing ACLs directly in LDIF, which is error prone and not the kind of thing I remember too well.

Kind regards, Brian

> Thanks
> Dmitri
>
>> Thanks, Brian
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.