Private PEN for OID not accepted
by Matt .
Hi guys.
I'm having an issue with my private PEN when I want to add an objectclass and an attribute with the following LDIF (99999 is a replacement for my private PEN registered at IANA).
The following output is what I get:
modifying entry "cn=schema"
ldap_modify: Invalid syntax (21)
additional info: attribute type myAttributeName: Unknown attribute syntax OID "1.3.6.1.4.1.99999.1.1.2.2.1"
modifying entry "cn=schema"
ldap_modify: Invalid syntax (21)
additional info: object class ( 1.1.2.1.1 NAME 'customPerson' SUP top SYNTAX 1.3.6.1.4.1.99999.1.1.2.1.1 AUXILIARY MAY ( myAttributeName ) X-ORIGIN 'Extending FreeIPA' ): Failed to parse objectclass, error(2) at ( 1.3.6.1.4.1.99999.1.1.2.1.1 AUXILIARY MAY ( myAttributeName ) X-ORIGIN 'Extending FreeIPA' ))
And this is the (as far as I know) good LDIF:
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.1.2.2.1
  NAME 'myAttributeName'
  EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.99999.1.1.2.2.1
  X-ORIGIN 'Extending FreeIPA' )

dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 1.1.2.1.1
  NAME 'customPerson' SUP top
  SYNTAX 1.3.6.1.4.1.99999.1.1.2.1.1
  AUXILIARY
  MAY ( myAttributeName )
  X-ORIGIN 'Extending FreeIPA' )
This should work as far as I know; it was discussed on IRC and I also read it here: https://www.redhat.com/archives/freeipa-users/2017-January/msg00222.html
I hope someone can explain what could be going wrong.
Thanks,
Matt
6 years, 2 months
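The two errors above come from the SYNTAX keyword: in a schema definition SYNTAX must name one of the attribute syntaxes the server implements (the RFC 4517 OIDs under 1.3.6.1.4.1.1466.115.121.1), not an OID you allocate under your own PEN, and an object class takes no SYNTAX at all. Your PEN arc belongs in the first position, as the OID of the attribute type or object class itself. The following script is an added example, not code from the post or from FreeIPA: it builds the two definitions under an assumed PEN of 99999 (the post's placeholder), runs the checks a 389-ds schema parser applies, plus a stricter "is the OID under your PEN arc" rule that is this example's own, and emits the cn=schema LDIF. The sub-arcs 1.1.2.2.1 and 1.1.2.1.1 are taken from the post; everything else is assumed.

```python
"""Build schema extensions under a private enterprise number (PEN) and check them
before handing them to ldapmodify against cn=schema."""
import re

# Assumption: 99999 stands in for a real IANA PEN, as in the post above.
PEN = 99999
PEN_ARC = f"1.3.6.1.4.1.{PEN}"

# Standard attribute syntaxes from RFC 4517 (subset). SYNTAX must name one of these;
# 389-ds only knows the syntaxes it implements, so an OID under your PEN is rejected
# with "Unknown attribute syntax OID".
LDAP_SYNTAXES = {
    "1.3.6.1.4.1.1466.115.121.1.7": "Boolean",
    "1.3.6.1.4.1.1466.115.121.1.12": "DN",
    "1.3.6.1.4.1.1466.115.121.1.15": "Directory String",
    "1.3.6.1.4.1.1466.115.121.1.26": "IA5 String",
    "1.3.6.1.4.1.1466.115.121.1.27": "INTEGER",
    "1.3.6.1.4.1.1466.115.121.1.40": "Octet String",
}
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"


def attribute_type(arc, name, syntax=DIRECTORY_STRING, origin="Extending FreeIPA"):
    """attributeTypes value; `arc` is the sub-arc you allocate below the PEN (e.g. '1.1.2.2.1')."""
    return (f"( {PEN_ARC}.{arc} NAME '{name}' "
            f"EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch "
            f"SYNTAX {syntax} X-ORIGIN '{origin}' )")


def object_class(arc, name, may, sup="top", kind="AUXILIARY", origin="Extending FreeIPA"):
    """objectClasses value. Object classes never carry SYNTAX; their attributes do."""
    return (f"( {PEN_ARC}.{arc} NAME '{name}' SUP {sup} {kind} "
            f"MAY ( {' $ '.join(may)} ) X-ORIGIN '{origin}' )")


def check(definition):
    """Problems 389-ds would reject a definition for, plus this example's own PEN-arc rule."""
    problems = []
    m = re.match(r"\(\s*([\d.]+)\s", definition)
    oid = m.group(1) if m else ""
    if not oid.startswith(PEN_ARC + "."):
        problems.append(f"OID {oid!r} is not under your PEN arc {PEN_ARC}")
    is_class = re.search(r"\b(STRUCTURAL|AUXILIARY|ABSTRACT)\b", definition) is not None
    syntax = re.search(r"\bSYNTAX\s+([\d.]+)", definition)
    if is_class:
        if syntax:
            problems.append("object classes do not take SYNTAX")
    elif syntax is None:
        if re.search(r"\bSUP\b", definition) is None:
            problems.append("attribute type needs SYNTAX (or SUP to inherit one)")
    elif syntax.group(1) not in LDAP_SYNTAXES:
        problems.append(f"unknown attribute syntax OID {syntax.group(1)!r}")
    return problems


def schema_ldif(attribute_types, object_classes):
    """cn=schema modify records, attribute types first so the class can reference them."""
    records = []
    for kind, defs in (("attributeTypes", attribute_types), ("objectClasses", object_classes)):
        if defs:
            records.append("dn: cn=schema\nchangetype: modify\nadd: " + kind + "\n"
                           + "".join(f"{kind}: {d}\n" for d in defs))
    return "\n".join(records)


if __name__ == "__main__":
    attr = attribute_type("1.1.2.2.1", "myAttributeName")
    cls = object_class("1.1.2.1.1", "customPerson", ["myAttributeName"])
    for d in (attr, cls):
        print(check(d) or "ok:", d)
    print(schema_ldif([attr], [cls]))
```

Feed the printed LDIF to `ldapmodify -x -D "cn=Directory Manager" -W -H ldaps://<ipa master>`; the cn=schema entry is replicated, so one master is enough. Keep a record of which sub-arcs you have handed out under the PEN: once an OID is in a replicated schema, reusing it for a different definition is painful to undo.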
Forwarders don't work when enabled but do work when disabled
by Matt .
Hi,
Happy and Healthy 2018 first of all!
I have something strange on:
# ipa --version
VERSION: 4.5.4, API_VERSION: 2.228
Forwarders are not working when they are enabled, but when I disable them they work perfectly fine. What kind of strange thing is this?
6 years, 2 months
New Graphic?
by Striker Leggette
I noticed there is a new logo design on freeipa.org. Is it possible to
get the scalable version of this for a printed banner?
6 years, 2 months
FOSDEM reminder: Identity and Access Management devroom, Feb 3rd 2018
by Alexander Bokovoy
Hi,
If you are in Europe during the first weekend of February 2018, we'll be
running an Identity and Access Management devroom at FOSDEM[1] on
Saturday, February 3rd, 2018. FreeIPA and other free/open source
identity and access management solutions will be presented there.
FOSDEM is a primary free software event in Europe, run by
volunteers for volunteers every year since 2001 at the Free University of
Brussels, Belgium. Each year thousands of people come to it to meet,
discuss, and collaborate in various areas around free software and
hardware.
I wrote about our experience in organizing Identity Management-related
events at FOSDEM in my blog some time ago[2]. It is now less than two
weeks until the devroom and the greater FOSDEM event happen, so I'd
like to invite those who might have missed all the signs: it is still
possible to attend. And if you are not at FOSDEM, there will be live
streaming of all devrooms (42 and the main track!) too.
See you in Brussels!
[1] https://fosdem.org/2018/schedule/track/identity_and_access_management/
[2] https://vda.li/en/posts/2017/12/21/FOSDEM-2018-IAM-devroom/
--
/ Alexander Bokovoy
6 years, 2 months
Vault best practices
by Fil Di Noto
I've been using Vaults, and I feel like I need some kind of version control or
historical log of values to recover from mistakenly overwriting vaults.
What do most people do?
I notice that some docs have vault-add commands with a --source-vault-id
option. My ipa version doesn't have these options. Are they upcoming or
were they removed?
Another option I don't have is --stdout, for vault-retrieve. I was looking
for ways to pipe or set variables without writing to disk.
6 years, 2 months
Here we go again, configuring Proxmox/Debian Stretch 9.3 as a FreeIPA client
by Alex Corcoles
Hi,
Now that I have my FreeIPA server working in my setup, I'd like to
configure my Proxmox server as an IPA client; both for UNIX users and its
web/API.
As you might be aware, ipa-client-install is only in sid, and it seems to
be problematic. I'm posting everything I'm doing to keep this documented.
$ apt install sudo
$ apt install bind9utils certmonger curl krb5-user libcurl3 libnss3-tools \
    libnss-sss libpam-sss libsasl2-modules-gssapi-mit libsss-sudo \
    libxmlrpc-core-c3 oddjob-mkhomedir python-dnspython python-gssapi \
    python-ldap sssd libbasicobjects0 libcollection4 libcurl3-nss \
    libini-config5 libref-array1 gnupg2 python-cffi python-cryptography \
    python-custodia python-dbus python-jwcrypto python-libipa-hbac python-lxml \
    python-memcache python-netaddr python-netifaces python-nss python-pyasn1 \
    python-qrcode python-setuptools python-usb python-yubico dnsutils keyutils \
    python-requests
$ wget \
    http://ftp.de.debian.org/debian/pool/main/f/freeipa/freeipa-client_4.4.4-... \
    http://ftp.de.debian.org/debian/pool/main/f/freeipa/freeipa-common_4.4.4-... \
    http://ftp.de.debian.org/debian/pool/main/f/freeipa/python-ipaclient_4.4.... \
    http://ftp.de.debian.org/debian/pool/main/f/freeipa/python-ipalib_4.4.4-4...
$ dpkg -i *.deb
$ ipa-client-install -N --mkhomedir
This all seems to work successfully: the server appears in the FreeIPA web
console and even
$ sss_ssh_authorizedkeys $MY_IPA_USER
works! But ssh and sudo don't work. However, if I patch /etc/sssd/sssd.conf and
add nss and pam to the [sssd] services, ssh, console login and sudo work!
Questions:
1) Is there anything problematic in my procedure?
2) To whom should I report a bug so that /etc/sssd/sssd.conf is generated
correctly? I'm guessing Debian...
3) Proxmox supposedly uses PAM for its web/API auth, but it ignores my
user. It supports LDAP for authentication, though... Would you recommend
using LDAP or trying to coerce PAM into working for IPA?
Cheers,
Álex
--
___
{~._.~}
( Y )
()~*~() mail: alex at corcoles dot net
(_)-(_) http://alex.corcoles.net/
6 years, 2 months
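The symptom Álex describes (key lookup via sss_ssh_authorizedkeys works, but NSS lookups and PAM authentication do not) matches an sssd.conf whose [sssd] section lists the ssh responder but not nss and pam. The following is an added example, not code from the post, from Debian or from the FreeIPA project: it loads an sssd.conf, reports which required responders are missing from the services line, and writes a corrected copy. It assumes an SSSD release that needs the responders listed explicitly (as on Stretch) and uses a constructed sssd.conf; the domain name and server in it are made up.

```python
"""Check and repair the [sssd] services list in an sssd.conf that was generated
without the nss and pam responders."""
import configparser
import io

REQUIRED = ("nss", "pam")

# Constructed sample modelled on the symptom: the ssh responder is up (so
# sss_ssh_authorizedkeys works) but nothing serves NSS lookups or PAM auth.
SAMPLE = """\
[sssd]
config_file_version = 2
domains = example.test
services = ssh

[domain/example.test]
id_provider = ipa
ipa_server = ipa.example.test
"""


def load(text):
    # sssd.conf is INI-like; keep key case and do not interpolate '%' sequences
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def services(cp):
    """The responders listed under [sssd], as a list (empty if the line is absent)."""
    value = cp.get("sssd", "services", fallback="")
    return [s.strip() for s in value.split(",") if s.strip()]


def missing_services(text):
    """Responders that must be listed under [sssd] for login and sudo but are not."""
    have = services(load(text))
    return [s for s in REQUIRED if s not in have]


def with_services(text):
    """Return the config with nss and pam appended to [sssd] services, all else untouched."""
    cp = load(text)
    have = services(cp)
    have += [s for s in REQUIRED if s not in have]
    if not cp.has_section("sssd"):
        cp.add_section("sssd")
    cp.set("sssd", "services", ", ".join(have))
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    print("missing:", missing_services(SAMPLE))
    print(with_services(SAMPLE))
```

When writing the result back to /etc/sssd/sssd.conf keep it root-owned with mode 0600 (sssd refuses to start otherwise) and restart sssd afterwards. Newer SSSD releases can socket-activate responders, so on those the services line may be optional; on a release that needs it, this is exactly the edit the post describes.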
ipa: ERROR: No valid Negotiate header in server response
by Matt .
Hello,
I'm facing an issue on my IPA server (currently 4.6.1, the same happened on 4.5.4) with Kerberos tickets. As I was investigating this and tried to add a server with an admin ticket, I got the following on the IPA server itself and on a client with freeipa-admintools as well:
$ kinit admin
$ klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@DOMAIN.TLD
Valid starting       Expires              Service principal
01/21/2018 22:52:35  01/22/2018 22:52:29  HTTP/ipa-01.domain.tld@DOMAIN.TLD
01/21/2018 22:52:30  01/22/2018 22:52:29  krbtgt/DOMAIN.TLD@DOMAIN.TLD
$ ipa service-add HTTP/client-01.domain.tld@DOMAIN.TLD
ipa: ERROR: No valid Negotiate header in server response
What is going wrong here? I cannot find much about it.
Thanks,
Matt
6 years, 2 months
Login failed due to unknown reason on the WebUI on new FreeIPA 4.5 installation
by Alexandre Pitre
Hi,
I recently deployed a new FreeIPA domain running on CentOS 7.4 and FreeIPA 4.5.
The installation went without hiccups but the WebUI isn't working as
expected. Logging in with admin failed with this error:
Login failed due to an unknown reason.
I've seen this issue with every FreeIPA 4.5 replica I've built. As you may
know this is a pretty common error with 4.5. I usually just chmod 444
/var/lib/ipa-client/pki/* as pointed out in
https://access.redhat.com/solutions/3178971 and logging starts working
again, but not this time with a brand new domain installation.
Permissions are correct for the PEM files:
ll /var/lib/pki/*
-r--r--r-- 1 root root 4406 Jan  9 14:49 ca-bundle.pem
-r--r--r-- 1 root root 4406 Jan  9 14:49 kdc-ca-bundle.pem
Here's the output of /var/log/httpd/error_log
[Thu Jan 18 01:14:40.543272 2018] [suexec:notice] [pid 12537] AH01232:
suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Jan 18 01:14:40.543348 2018] [:warn] [pid 12537]
NSSSessionCacheTimeout is deprecated. Ignoring.
[Thu Jan 18 01:14:40.766070 2018] [auth_digest:notice] [pid 12537] AH01757:
generating secret for digest authentication ...
[Thu Jan 18 01:14:40.766623 2018] [lbmethod_heartbeat:notice] [pid 12537]
AH02282: No slotmem from mod_heartmonitor
[Thu Jan 18 01:14:40.766640 2018] [:warn] [pid 12537]
NSSSessionCacheTimeout is deprecated. Ignoring.
[Thu Jan 18 01:14:40.843105 2018] [mpm_prefork:notice] [pid 12537] AH00163:
Apache/2.4.6 (CentOS) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4
mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
[Thu Jan 18 01:14:40.843134 2018] [core:notice] [pid 12537] AH00094:
Command line: '/usr/sbin/httpd -D FOREGROUND'
[Thu Jan 18 01:14:48.465191 2018] [:error] [pid 12545] ipa: INFO: ***
PROCESS START ***
[Thu Jan 18 01:14:48.470206 2018] [:error] [pid 12546] ipa: INFO: ***
PROCESS START ***
[Thu Jan 18 01:15:14.020600 2018] [:error] [pid 12545] ipa: INFO: 401
Unauthorized: [Errno 13] Permission denied
The output of /var/log/messages shows weird errors:
Jan 18 01:14:36 bo2-tnt-ipa-001 ipa-dnskeysyncd: ipa : ERROR
syncrepl_poll: LDAP error ({'desc': "Can't contact LDAP server"})
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.102629780
+0000] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree
scan in about 5 seconds after the server startup!
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.115268733
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=groups,cn=compat,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.116680963
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=computers,cn=compat,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.117878580
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=ng,cn=compat,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.119338367
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
ou=sudoers,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.120503775
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=users,cn=compat,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.122000132
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.123149308
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.124282277
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.125837472
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.126966928
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.128085824
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.129501796
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.130686657
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.132301267
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.134575956
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.135778559
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.142405173
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=domain,dc=com does not
exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.143655721
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=domain,dc=com does not
exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.233078350
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember
rebuild membership,cn=tasks,cn=config does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.238586332
+0000] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition
cn=Password Policy,cn=accounts,dc=ipa,dc=domain,dc=com--no CoS Templates
found, which should be added before the CoS Definition.
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.261575767
+0000] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will
start in about 5 seconds!
Jan 18 01:14:43 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:43.268319379
+0000] - ERR - schema-compat-plugin - warning: no entries set up under
ou=sudoers,dc=ipa,dc=domain,dc=com
Jan 18 01:14:43 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:43.272302862
+0000] - ERR - schema-compat-plugin - warning: no entries set up under
cn=ng, cn=compat,dc=ipa,dc=domain,dc=com
Jan 18 01:14:43 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:43.279547839
+0000] - ERR - schema-compat-plugin - warning: no entries set up under
cn=computers, cn=compat,dc=ipa,dc=domain,dc=com
Jan 18 01:14:43 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:43.285336505
+0000] - ERR - schema-compat-plugin - Finished plugin initialization.
Any ideas why?
Thanks
Alexandre Pitre
6 years, 3 months
hardening question
by Natxo Asenjo
hi,
in chapter 36 (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/pdf/linux_domain_identity_authentication_and_policy_guide/Red_Hat_Enterprise_Linux-7-Linux_Domain_Identity_Authentication_and_Policy_Guide-en-US.pdf)
we have instructions on disabling anonymous binds.
Can I set these settings in dse.ldif instead of using the ldapmodify
command? I think cn=config is not replicated.
So I could still set this in dse.ldif (both to disable anonymous binds and
to force encryption):
nsslapd-allow-anonymous-access: rootdse
nsslapd-minssf: 56
Thanks!
--
Groeten,
natxo
6 years, 3 months
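Because cn=config is per server and not replicated, a setting like the two above has to be applied, and verified, on every master. The script below is an added example, not code from the post, from Red Hat's guide or from 389-ds: it reads a dse.ldif, reports whether cn=config disables anonymous access and enforces a minimum SSF, and can emit a corrected copy. The sample dse.ldif fragment is constructed with 389-ds defaults (anonymous access on, minssf 0); the threshold of 56 is the post's value and is a parameter, since a practitioner may well want more.

```python
"""Audit (and rewrite) the cn=config entry of a 389-ds dse.ldif for the two
hardening settings discussed above: anonymous access and minimum SSF."""
import base64

# Constructed sample: a cn=config fragment with 389-ds defaults before hardening.
SAMPLE_DSE = """\
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-allow-anonymous-access: on
nsslapd-minssf: 0
nsslapd-port: 389

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
"""


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr.lower(): [values]}}; unfolds lines, decodes '::'."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]        # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, attrs = {}, {}
    for line in unfolded + [""]:
        if not line.strip():               # blank line ends an entry
            if "dn" in attrs:
                entries[attrs["dn"][0]] = attrs
            attrs = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):          # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def audit(text, min_ssf=56):
    """Findings for cn=config; min_ssf defaults to the value from the post (56)."""
    cfg = parse_ldif(text).get("cn=config", {})
    findings = []
    # 389-ds default is 'on'; 'rootdse' still lets clients read the root DSE anonymously
    anon = cfg.get("nsslapd-allow-anonymous-access", ["on"])[0].lower()
    if anon not in ("off", "rootdse"):
        findings.append(f"nsslapd-allow-anonymous-access is {anon!r}; expected 'rootdse' or 'off'")
    ssf = int(cfg.get("nsslapd-minssf", ["0"])[0])
    if ssf < min_ssf:
        findings.append(f"nsslapd-minssf is {ssf}; at least {min_ssf} is needed to refuse cleartext operations")
    return findings


def hardened(text, min_ssf=56):
    """Return dse.ldif text with the two settings applied to cn=config, keeping everything else."""
    wanted = {"nsslapd-allow-anonymous-access": "rootdse", "nsslapd-minssf": str(min_ssf)}
    out, in_config, done = [], False, set()
    for line in text.splitlines() + [""]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name == "dn":
            in_config = value.strip().lower() == "cn=config"
        if in_config and not line.strip():   # end of cn=config: add what was absent
            out.extend(f"{k}: {v}" for k, v in wanted.items() if k not in done)
            in_config = False
        elif in_config and name in wanted:
            line = f"{name}: {wanted[name]}"
            done.add(name)
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print(audit(SAMPLE_DSE))
    print(audit(hardened(SAMPLE_DSE)))
```

Two caveats when going the dse.ldif route: 389-ds rewrites dse.ldif when the instance shuts down, so edit it only with dirsrv stopped or the change is lost; and nsslapd-minssf applies to network connections only, local LDAPI connections are rated by nsslapd-localssf (default 71), so FreeIPA's own ldapi clients keep working.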
Contribute How-To: LDAP Authentication for Isilon OneFS using FreeIPA
by Aravindh Sampathkumar
Hello all.
I'm a new user having recently deployed a FreeIPA server to supply
authentication for a small-scale cluster. One of the first things I did
was to make our storage system (Isilon cluster running OneFS) use
FreeIPA as an authentication provider via LDAP.
Though straightforward, I wish this information was available directly
on the wiki and showed up on Google search for "How to configure
Isilon/OneFS to use FreeIPA".
I'd be happy to add this information into a wiki entry if someone could
give me access to it.
Log in to the FreeIPA server over SSH, and run the command:
[root@freeipa1 ~]# ldapsearch -x uid=admin | grep dn:
dn: uid=admin,cn=users,cn=compat,dc=nghpc,dc=dk
dn: uid=admin,cn=users,cn=accounts,dc=nghpc,dc=dk
Note down uid=admin,cn=users,cn=accounts,dc=nghpc,dc=dk
and head to Isilon OneFS, where you may configure LDAP using one of the
two methods:
(1) Using the web UI:
Access --> Authentication Providers --> LDAP
+ Add an LDAP provider
Enter an LDAP provider name of choice that is easy to understand.
Server URI: ldaps://<ip address or fqdn of FreeIPA server>
Note: If you are using the fqdn, make sure the DNS settings resolve the fqdn from the command line using nslookup <fqdn>
Base Distinguished Name: dc=nghpc,dc=dk (Enter the details as obtained from the search command earlier)
Bind to: uid=admin,cn=users,cn=accounts,dc=nghpc,dc=dk (Enter the details as obtained from the search command earlier)
Enter the password for the admin user and you will have successfully connected Isilon to FreeIPA via LDAP.
(2) Using the command line:
Get the status of auth providers before beginning the configuration:
isi auth status
Create a new LDAP provider using the command:
isi auth ldap create test-ldap \
  --base-dn="dc=nghpc,dc=dk" \
  --bind-dn="uid=admin,cn=users,cn=accounts,dc=nghpc,dc=dk" \
  --bind-password="mypasswd" \
  --server-uris="ldaps://<ip address or fqdn of FreeIPA server>" \
  --groupnet=<groupnet name>
Run the LDAP search from the Isilon node to test whether the LDAP connection works fine:
ldapsearch -x uid=admin
You can use the troubleshooting guide from EMC:
https://www.emc.com/collateral/TechnicalDocument/docu63147.pdf
Thanks,
--
Aravindh Sampathkumar
aravindh(a)fastmail.com
6 years, 3 months