cluster and LDAP service
by barrykfl@gmail.com
Hi:
I already configured a cluster of 2 servers using corosync and pacemaker.
But the Virtual ip is the resource only.
Is it possible to make ldap 389/639 as a detection of fail then switch?
Regards
Barry
6 years, 4 months
Slow FreeIPA UI
by Maciej Drobniuch
Hi All,
One of my IPA UIs is working very slowly.
I can observe the issue after moving the VM server onto another host.
The machine itself is not overloaded and the number of CPU cores and RAM
memory went up.
Other IPA UIs on other servers are working smoothly.
Any ideas how to troubleshoot that?
Thank You
--
Best regards
Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC
6 years, 5 months
FreeIPA & wireless
by Andrew Meyer
So I was wondering if anyone has FreeIPA setup to do authentication with wireless. We have an ArubaNetworks platform setup to do EAP-PEAP only communicating back to the current OpenLDAP system, but would like to migrate to FreeIPA.
I was able to set this up using Meraki MR18s but I have to use a WPA2-PSK (enterprise) with splash page in order to log into my FreeIPA system. I don't know if I will have to put the password in again I am waiting until tonight to test that.
All of our laptops are Mac OS X running El Capitan and a few running High Sierra (w/ all of them upgrading eventually). We have under 5 laptops running Windows 7-10 and are mostly hard wired.
The issue is that when I log into wireless using FreeIPA I get prompted for a password. It gets added to the keychain, but when I shut down for the night and come back the next day it asks for the password again.
While researching this issue I found that some people have put SSL certificates on the machines. I don't want to create and enroll an SSL cert for EACH user. I would like to get system-wide one deployed IF this is the correct way to go.
While this may sound like a ArubaNetworks wireless issue I wanted to pose this question to the mailing list just in case there was a step I missed or didn't do something that might have been documented somewhere and to see if anyone else has had this issue.
Thank you in advance!
6 years, 5 months
RADIUS and FreeIPA
by Andrew Meyer
After all the emails (thank you for your help) I have most of my Mac OS X clients authenticating to FreeIPA over wireless. Clients running on a 2014 or newer 10.12.5 and up won't work. I suspect this has to do with the TLS version.
Tell me if I'm approaching this the right way.
I am trying to apply a certificate FROM FreeIPA to FreeRADIUS. I am also trying to register the service within FreeIPA but struggling with some of the syntax.
I have been following this: FreeIPA: Giving permissions to service accounts. — Firstyear's blog-a-log
I'm having some trouble adding the privileges and roles:

[andrew.meyer@radius01 ~]$ ipa privilege-add-permission 'Radius service' --permission='Radius Service'
  Privilege name: Radius Service
  Description: Privileges needed to allow radiusd servers to operate
  Failed members:
    permission: Radius Service: permission not found
-----------------------------
Number of permissions added 0
-----------------------------
[andrew.meyer@radius01 ~]$ ipa privilege-add-permission 'Radius service' --permission='Radius service'
  Privilege name: Radius Service
  Description: Privileges needed to allow radiusd servers to operate
  Failed members:
    permission: Radius service: permission not found
-----------------------------
Number of permissions added 0
-----------------------------
[andrew.meyer@radius01 ~]$ ipa role-add 'Radius server' --desc="Radius server role"
--------------------------
Added role "Radius server"
--------------------------
  Role name: Radius server
  Description: Radius server role
[andrew.meyer@radius01 ~]$ ipa role-add-privilege --privileges="Radius services" 'Radius server'
  Role name: Radius server
  Description: Radius server role
  Failed members:
    privilege: Radius services: privilege not found
----------------------------
Number of privileges added 0
----------------------------
[andrew.meyer@radius01 ~]$
6 years, 5 months
FreeIPA wiki - emails and notifications working
by Martin Kosek
Hello all,
Related to our dear FreeIPA Wiki running on new platform now, I was able
to do several improvements to the wiki, including enabling email
infrastructure [1] and related support for *notifications*.
You can now Watch a page and you should receive an email when the page
is modified by someone. From the logs, I can see that some of you
already received such emails.
Just as a reminder, I keep the remaining list of issues or ideas for the
wiki in [2].
Enjoy!
[1] https://github.com/freeipa/freeipa-wiki/issues/2
[2] https://github.com/freeipa/freeipa-wiki/issues
--
Martin Kosek <mkosek(a)redhat.com>
Manager, Software Engineering - Identity Management Team
Red Hat, Inc.
6 years, 5 months
Is it possible to put all replicas in a LAN (use mesh VPN) and selectively expose some nodes to internet?
by James Swineson
Hi,
I'm planning a FreeIPA fresh installation across multiple datacenters and
offices. Concerned about the risk of DNS DDoS, I wanted to make most nodes
in a mesh VPN so they can replicate without exposing ports to internet.
However, I still need some services over internet. So can I set up every
node just using IP addresses defined in VPN, but leave some nodes open on
Internet? Will it work? Is there any hostname based check? And if it works,
do I need to set up 2 completely different sets of DNS records used in LAN
and WAN?
Thanks,
James Swineson
6 years, 5 months
Re: Expired passwords and generating an OTP token
by Aaron Hicks
Hello the List,
A couple of new things to this problem, when a user has an expired password
and a valid OTP token, the password reset process is broken on all machines
at the ssh prompt. Even the ones that do not require 2FA.
Feedback so far from Sumit indicates this is incorrect behaviour.
As an attempt to get around this, I've tried adding a permission to the
helpdesk role that would allow them to manage OTP tokens. I'll submit
another thread on that.
Regards,
Aaron
From: Aaron Hicks [mailto:aaron.hicks@nesi.org.nz]
Sent: Thursday, 23 November 2017 6:31 AM
To: Sumit Bose <sbose(a)redhat.com>
Cc: 'FreeIPA users list' <freeipa-users(a)lists.fedorahosted.org>; 'Sumit
Bose' <sbose(a)redhat.com>
Subject: Re: [Freeipa-users] Re: Expired passwords and generating an OTP
token
Hi Sumit,
I sent those to you directly as I wasn't comfortable posting them to the
list.
Regards,
Aaron
_____
From: Sumit Bose <sbose(a)redhat.com>
Sent: Wednesday, November 22, 2017 10:19:34 PM
To: Aaron Hicks
Cc: 'FreeIPA users list'; 'Sumit Bose'
Subject: Re: [Freeipa-users] Re: Expired passwords and generating an OTP
token
On Wed, Nov 22, 2017 at 09:21:52PM +1300, Aaron Hicks wrote:
> Hi Sumit,
>
> Here is /etc/pam.d/password-auth. I missed that it was an include, and that
you wanted it too, again it's as installed by CentOS 7.4 and
ipa-client-install
>
ok, the PAM configuration looks good. Can you send me the PAM related
messages from /var/log/secure or the journal which cover the failed
attempt? And additionally the SSSD logs with debug_level=9 from the same
time. Most important would be sssd_pam.log, sssd_domain.name.log and
krb5_child.log.
bye,
Sumit
6 years, 5 months
Re: Creating a permission to manage OTP Tokens
by Aaron Hicks
Sadly no, another person had been creating OTP tokens with the helpagent.
These were tokens owned by the helpagent, but with other user's names.
From: Aaron Hicks [mailto:aaron.hicks@nesi.org.nz]
Sent: Thursday, 23 November 2017 4:00 PM
To: 'freeipa-users(a)lists.fedorahosted.org'
<freeipa-users(a)lists.fedorahosted.org>
Subject: RE: Creating a permission to manage OTP Tokens
Hello the list,
After ignoring things, this now _works_
$ kinit helpagent
Password for helpagent(a)TEST.ORG:
$ ipa otptoken-find
--------------------
2 OTP tokens matched
--------------------
Unique ID: otpuser1
Type: TOTP
Owner: otpuser1
Unique ID: otpuser2
Type: TOTP
Owner: otpuser2
----------------------------
Number of entries returned 2
----------------------------
From: Aaron Hicks [mailto:aaron.hicks@nesi.org.nz]
Sent: Thursday, 23 November 2017 10:45 AM
To: 'freeipa-users(a)lists.fedorahosted.org'
<freeipa-users(a)lists.fedorahosted.org>
Subject: Creating a permission to manage OTP Tokens
Hello the list,
We'd like to grant users with the helpdesk role the ability to manipulate
other users' OTP tokens. The minimum would be to add them, delete them, and
enable/disable them.
This is currently possible if an admin sets a token's managedBy attribute
to the helpdesk user's DN. We don't want to grant our helpdesk agents admin
privileges.
So, this is the permission I created:
$ ipa permission-show 'Manage OTP Tokens' --all --raw
dn: cn=Manage OTP Tokens,cn=permissions,cn=pbac,dc=test,dc=org
cn: Manage OTP Tokens
ipapermright: all
ipapermincludedattr: ipatokenOwner
ipapermincludedattr: ipatokenUniqueID
ipapermincludedattr: ipatokenOTPdigits
ipapermincludedattr: ipatokenOTPkey
ipapermincludedattr: ipatokenTOTPclockOffset
ipapermincludedattr: ipatokenTOTPtimeStep
ipapermbindruletype: permission
ipapermlocation: cn=otp,dc=test,dc=org
ipapermtargetfilter: (objectclass=ipaToken)
ipapermissiontype: SYSTEM
ipapermissiontype: V2
aci: (targetattr = "ipatokenOTPdigits || ipatokenOTPkey || ipatokenOwner
|| ipatokenTOTPclockOffset || ipatokenTOTPtimeStep ||
ipatokenUniqueID")(targetfilter = "(objectclass=ipaToken)")(version 3.0;acl
"permission:Manage OTP Tokens";allow (all) groupdn = "ldap:///cn=Manage OTP
Tokens,cn=permissions,cn=pbac,dc=test,dc=org";)
member: cn=Manage OTP Token,cn=privileges,cn=pbac,dc=test,dc=org
memberindirect: cn=helpdesk,cn=roles,cn=accounts,dc=test,dc=org
memberindirect: uid=helpagent,cn=users,cn=accounts,dc=test,dc=org
objectclass: top
objectclass: groupofnames
objectclass: ipapermission
objectclass: ipapermissionv2
However this does not work:
$ kinit helpagent
Password for helpagent(a)TEST.ORG:
$ ipa otptoken-find
--------------------
0 OTP tokens matched
--------------------
----------------------------
Number of entries returned 0
Is there something happening in the back end preventing these permissions
from working?
Any suggestions?
Regards,
Aaron
6 years, 5 months
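As an added example, not code from FreeIPA or from anyone in the thread above, here is a small Python parser for the kind of aci value that `ipa permission-show --raw` prints, run over the "Manage OTP Tokens" ACI quoted in the post. It makes explicit what that permission grants: every right except proxy on six ipaToken attributes, including ipatokenOTPkey (the token seed), to any direct or indirect member of the permission group. The memberindirect lines in the same output show how FreeIPA chains role, privilege and permission by group membership, which is also why the privilege-add-permission and role-add-privilege calls in the RADIUS thread earlier on this page fail when the named permission or privilege does not exist yet. The ACI text and the helpagent's membership DNs are copied from the post; treating ipatokenOTPkey as the only secret attribute (SECRET_ATTRS) is an assumption of the example.

```python
"""Parse one 389 Directory Server ACI (the `aci:` value that
`ipa permission-show --raw` prints) and report what it grants."""
import re

# In 389-ds "all" means every right except proxy.
ALL_RIGHTS = frozenset(
    {"read", "write", "add", "delete", "search", "compare", "selfwrite"})

# Assumption for this example: the one attribute whose disclosure breaks a
# token is the seed, ipatokenOTPkey; whoever can read it can mint codes.
SECRET_ATTRS = frozenset({"ipatokenotpkey"})

_TARGET = re.compile(r'\((target(?:attr|filter)?)\s*(!?=)\s*"([^"]*)"\)')
_NAME = re.compile(r'acl\s+"([^"]*)"')
_RULE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)\s*([^;]*);')
_BIND = re.compile(r'(\w+)\s*(!?=)\s*"([^"]*)"')


def parse_aci(aci: str) -> dict:
    """Split an ACI into target clauses, its name and its permission rules."""
    targets = {kw: (op, val) for kw, op, val in _TARGET.findall(aci)}
    attr_op, attr_val = targets.get("targetattr", ("=", ""))
    attrs = [a.strip().lower() for a in attr_val.split("||") if a.strip()]
    rules = []
    for verb, rights, bind in _RULE.findall(aci):
        rset = {r.strip().lower() for r in rights.split(",") if r.strip()}
        if "all" in rset:
            rset = (rset - {"all"}) | ALL_RIGHTS
        m = _BIND.match(bind.strip())
        rules.append({
            "verb": verb,
            "rights": frozenset(rset),
            "bind_keyword": m.group(1) if m else None,
            "bind_negated": bool(m and m.group(2) == "!="),
            "bind_value": m.group(3) if m else bind.strip(),
        })
    name = _NAME.search(aci)
    return {
        "name": name.group(1) if name else None,
        "target_attrs": attrs,
        "target_attrs_negated": attr_op == "!=",
        "target_filter": targets.get("targetfilter", ("=", None))[1],
        "rules": rules,
    }


def readable_secrets(parsed: dict) -> set:
    """Secret attributes that an allow rule in this ACI lets the holder read."""
    listed = set(parsed["target_attrs"])
    # targetattr != "..." grants every attribute *except* the listed ones.
    exposed = (SECRET_ATTRS - listed if parsed["target_attrs_negated"]
               else SECRET_ATTRS & listed)
    if any(r["verb"] == "allow" and "read" in r["rights"]
           for r in parsed["rules"]):
        return set(exposed)
    return set()


def applies_to(parsed: dict, member_of: set) -> bool:
    """True if an allow groupdn rule is satisfied by these group memberships.

    FreeIPA chains role -> privilege -> permission by group membership, so an
    entry listed as memberindirect of the permission satisfies its groupdn.
    """
    groups = {g.lower() for g in member_of}
    for r in parsed["rules"]:
        if r["verb"] != "allow" or r["bind_keyword"] != "groupdn":
            continue
        dn = r["bind_value"].replace("ldap:///", "", 1).lower()
        if (dn in groups) != r["bind_negated"]:
            return True
    return False


# Constructed input: the aci and memberindirect values quoted in the post.
OTP_ACI = (
    '(targetattr = "ipatokenOTPdigits || ipatokenOTPkey || ipatokenOwner '
    '|| ipatokenTOTPclockOffset || ipatokenTOTPtimeStep || '
    'ipatokenUniqueID")(targetfilter = "(objectclass=ipaToken)")'
    '(version 3.0;acl "permission:Manage OTP Tokens";allow (all) groupdn = '
    '"ldap:///cn=Manage OTP Tokens,cn=permissions,cn=pbac,dc=test,dc=org";)'
)
HELPAGENT_GROUPS = {
    "cn=helpdesk,cn=roles,cn=accounts,dc=test,dc=org",
    "cn=Manage OTP Token,cn=privileges,cn=pbac,dc=test,dc=org",
    "cn=Manage OTP Tokens,cn=permissions,cn=pbac,dc=test,dc=org",
}

if __name__ == "__main__":
    p = parse_aci(OTP_ACI)
    print(p["name"], "on", p["target_filter"])
    for r in p["rules"]:
        print(" ", r["verb"], sorted(r["rights"]), r["bind_keyword"], r["bind_value"])
    print("  helpagent matches bind rule:", applies_to(p, HELPAGENT_GROUPS))
    print("  secrets readable by holder:", sorted(readable_secrets(p)))
```

Run it directly for a summary of the ACI. The point a reviewer would raise is the one readable_secrets() flags: because the permission grants all rights on ipatokenOTPkey, anyone holding the helpdesk role can read the seed of any token under cn=otp and generate valid codes for that user, so the read right on that attribute is worth separating from the add, delete and enable/disable rights the post actually asks for.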