Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-12-01 Thread Simo Sorce
On Tue, 2015-12-01 at 11:34 -0500, Marc Boorshtein wrote:
> Simo & Team,
>
> After talking to the OpenJDK security list it turned out there is a
> bug in JDK8. The issue is fixed in JDK9 and after testing I'm running
> into a new issue. Same scenario described earlier in this email
> chain, but

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-12-01 Thread Simo Sorce
On Tue, 2015-12-01 at 11:55 -0500, Marc Boorshtein wrote:
> >
> > How do you acquire the user ticket ?
> >
>
> Using a keytab. Here's a link to the example code I'm using:
> https://github.com/ymartin59/java-kerberos-sfudemo I have Java set to
> use IPA as the DNS server and I'm passing in

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-12-01 Thread Marc Boorshtein
> How do you acquire the user ticket ?

Using a keytab. Here's a link to the example code I'm using: https://github.com/ymartin59/java-kerberos-sfudemo I have Java set to use IPA as the DNS server and I'm passing in mmosley as the user to impersonate and HTTP/freeipa.rhelent.lan as the

[Freeipa-users] Documentation on the JSON format for ipa-web?

2015-12-01 Thread Marc Boorshtein
FreeIPA Team, I've created a plugin for working with freeipa, but right now it's using reverse engineered JSON that I then turned into Java POJOs. It works but I'd like to have something a bit better managed. Is there any documentation or a place in the code base I can look for a more formal

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-12-01 Thread Simo Sorce
On Tue, 2015-12-01 at 12:55 -0500, Marc Boorshtein wrote:
> I can now get a ticket! This is how I originally created the user:
>
> $ kinit admin
> $ ipa service-add HTTP/s4u.rhelent@rhelent.lan --ok-as-delegate=true

ok-as-delegate != ok_to_auth_as_delegate ... I know, it is a little

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-12-01 Thread Marc Boorshtein
I can now get a ticket! This is how I originally created the user:

$ kinit admin
$ ipa service-add HTTP/s4u.rhelent@rhelent.lan --ok-as-delegate=true

Here's the object in the directory:

dn: krbprincipalname=HTTP/s4u.rhelent@rhelent.lan,cn=services,cn=accounts,dc=rhelent,dc=lan

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-12-01 Thread Marc Boorshtein
Got it. BTW, with that java 8 s4u2self works too. Thanks again for the help!

Marc Boorshtein
CTO, Tremolo Security, Inc.

On Dec 1, 2015 1:14 PM, "Simo Sorce" wrote:
> On Tue, 2015-12-01 at 12:55 -0500, Marc Boorshtein wrote:
> > I can now get a ticket! This is how I originally

Re: [Freeipa-users] Documentation on the JSON format for ipa-web?

2015-12-01 Thread Rob Crittenden
Marc Boorshtein wrote:
> FreeIPA Team,
>
> I've created a plugin for working with freeipa, but right now it's
> using reverse engineered JSON that I then turned into Java POJOs. It
> works but I'd like to have something a bit better managed. Is there
> any documentation or a place in the code

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-12-01 Thread Marc Boorshtein
What project (including my own) doesn't need better docs? :-) Once I publish the work I'm doing part of that will have a step-by-step on getting this set up. It was pretty easy really if you are comfortable with LDAP. Marc Boorshtein CTO Tremolo Security marc.boorsht...@tremolosecurity.com (703)

Re: [Freeipa-users] Documentation on the JSON format for ipa-web?

2015-12-01 Thread Marc Boorshtein
>
> IPA 4.2 has an experimental API browser in the GUI, IPA Server -> API
> browser.
>

has 4.2 made it into centos 7 yet? or only in fedora?

Re: [Freeipa-users] Documentation on the JSON format for ipa-web?

2015-12-01 Thread Marc Boorshtein
Great. Doesn't look like it's made it into CentOS yet (still at 7.1). OK, going to go ahead and get it running on Fedora 23. Thanks Marc Boorshtein CTO Tremolo Security marc.boorsht...@tremolosecurity.com (703) 828-4902 On Tue, Dec 1, 2015 at 1:42 PM, Rob Crittenden wrote:

Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question

2015-12-01 Thread Jeffrey Stormshak
Looks like I needed to try a couple of options for the /etc/ldap.conf file. Eventually, the original line of 'pam_password md5' seemed to be causing the error message. I commented it out and I'll assume by doing so, that it's using 'clear text' for the LDAP call. I'm using SSL/TLS so I'll try

Re: [Freeipa-users] FreeIPA AD password sync

2015-12-01 Thread Gašper Bregar
Thank you for the quick reply and a solution. I will try it in the next couple of days.

Regards,
Gašper

On Tue, Dec 1, 2015 at 2:51 PM, Martin Kosek wrote:
> On 12/01/2015 02:41 PM, Simo Sorce wrote:
> > On Tue, 2015-12-01 at 12:57 +0100, Martin Kosek wrote:
> >> On

Re: [Freeipa-users] FreeIPA AD password sync

2015-12-01 Thread Martin Kosek
On 11/30/2015 02:25 PM, Gašper Bregar wrote:
> I have been struggling with FreeIPA and AD password sync for a couple of
> days now. At first everything was working fine, but then all of a sudden
> the synchronization started to fail for me and another user.
>
> The error in passsync log was
>
>

Re: [Freeipa-users] FreeIPA AD password sync

2015-12-01 Thread Simo Sorce
On Tue, 2015-12-01 at 12:57 +0100, Martin Kosek wrote:
> On 11/30/2015 02:25 PM, Gašper Bregar wrote:
> > I have been struggling with FreeIPA and AD password sync for a couple of
> > days now. At first everything was working fine, but then all of a sudden
> > the synchronization started to fail for

Re: [Freeipa-users] FreeIPA AD password sync

2015-12-01 Thread Martin Kosek
On 12/01/2015 02:41 PM, Simo Sorce wrote:
> On Tue, 2015-12-01 at 12:57 +0100, Martin Kosek wrote:
>> On 11/30/2015 02:25 PM, Gašper Bregar wrote:
>>> I have been struggling with FreeIPA and AD password sync for a couple of
>>> days now. At first everything was working fine, but then all of a