January 2018 - FreeIPA-users - Fedora Mailing-Lists

by Matt .

HI guys. I'm having an issue with my private PEN when I want to add an objectclass and an attribute with the following ldif (99999 is a replacement for my private PEN registered at Iana) The following output is what I get: modifying entry "cn=schema" ldap_modify: Invalid syntax (21) additional info: attribute type myAttributeName: Unknown attribute syntax OID "1.3.6.1.4.1.99999.1.1.2.2.1" modifying entry "cn=schema" ldap_modify: Invalid syntax (21) additional info: object class ( 1.1.2.1.1 NAME 'customPerson' SUP top SYNTAX 1.3.6.1.4.1.99999.1.1.2.1.1 AUXILIARY MAY ( myAttributeName ) X-ORIGIN 'Extending FreeIPA' ): Failed to parse objectclass, error(2) at ( 1.3.6.1.4.1.99999.1.1.2.1.1 AUXILIARY MAY ( myAttributeName ) X-ORIGIN 'Extending FreeIPA' )) And this is the (as far as I know) good ldif: dn: cn=schema changetype: modify add: attributeTypes attributeTypes: ( 1.1.2.2.1 NAME 'myAttributeName' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.99999.1.1.2.2.1 X-ORIGIN 'Extending FreeIPA' ) dn: cn=schema changetype: modify add: objectClasses objectClasses: ( 1.1.2.1.1 NAME 'customPerson' SUP top SYNTAX 1.3.6.1.4.1.99999.1.1.2.1.1 AUXILIARY MAY ( myAttributeName ) X-ORIGIN 'Extending FreeIPA' ) This should work as far as I know and discussed on IRC and I also read it here: https://www.redhat.com/archives/freeipa-users/2017-January/msg00222.html I hope someone can explain what could be going wrong. Thanks, Matt

6 years, 2 months

2
2
0 / 0

Forwarders don't work when enabled but do work when disabled

by Matt .

Hi, Happy and Healty 2018 first of all! I have something strange on: # ipa --version VERSION: 4.5.4, API_VERSION: 2.228 Forwarders are not working when they are enabled but when I disable them they work perfectly fine. What kind of strange thing is this ?

6 years, 2 months

2
11
0 / 0

New Graphic?

by Striker Leggette

I noticed there is a new logo design on freeipa.org. Is it possible to get the scalable version of this for a printed banner?

6 years, 2 months

1
0
1 / 0

FOSDEM reminder: Identity and Access Management devroom, Feb 3rd 2018

by Alexander Bokovoy

Hi, If you are in Europe during first weekend of February 2018, we'll be running an Identity and Access Management devroom at FOSDEM[1] on Saturday, February 3rd, 2018. FreeIPA and other free/open source identity and access management solutions will be presented there. FOSDEM is a primary free software event in Europe that is done by volunteers to volunteers every year since 2001 in Free University of Brussels, Belgium. Each year thousands people come to it to meet, discuss, and collaborate in various areas around free software and hardware. I wrote about our experience in organizing Identity Management-related events at FOSDEM in my blog some time ago[2]. It is now less than two weeks until the devroom and the greater FOSDEM event will happen, so I'd like to invite those who might have missed all the signs: it is still possible to attend. And if you are not at FOSDEM, there will be live streaming of all devrooms (42 and the main track!) too. See you in Brussels! [1] https://fosdem.org/2018/schedule/track/identity_and_access_management/ [2] https://vda.li/en/posts/2017/12/21/FOSDEM-2018-IAM-devroom/ -- / Alexander Bokovoy

6 years, 2 months

1
0
0 / 0

Vault best practices

by Fil Di Noto

I've been using Vaults, I feel like I need some kind of version control, or historical log of values to recover from mistakenly overwriting vaults. What do most do? I notice that some docs have vault-add commands with a --source-vault-id option. My ipa version doesn't have these options. Are they upcoming or were they removed? Another option I don't have is --stdout, for vault-retrieve. I was looking for ways to pipe or set variables without writing to disk.

6 years, 2 months

2
1
0 / 0

Here we go again, configuring Proxmox/Debian Stretch 9.3 as a FreeIPA client

by Alex Corcoles

Hi, Now that I have my FreeIPA server working in my setup, I'd like to configure my Proxmox server as an IPA client; both for UNIX users and its web/API. As you might be aware, ipa-client-install is only in sid, and it seems to be problematic. I'm posting everything I'm doing to keep this documented. $ apt install sudo $ apt install bind9utils certmonger curl krb5-user libcurl3 libnss3-tools libnss-sss libpam-sss libsasl2-modules-gssapi-mit libsss-sudo libxmlrpc-core-c3 oddjob-mkhomedir python-dnspython python-gssapi python-ldap sssd libbasicobjects0 libcollection4 libcurl3-nss libini-config5 libref-array1 gnupg2 python-cffi python-cryptography python-custodia python-dbus python-jwcrypto python-libipa-hbac python-lxml python-memcache python-netaddr python-netifaces python-nss python-pyasn1 python-qrcode python-setuptools python-usb python-yubico dnsutils keyutils python-requests $ wget http://ftp.de.debian.org/debian/pool/main/f/freeipa/freeipa-client_4.4.4-... http://ftp.de.debian.org/debian/pool/main/f/freeipa/freeipa-common_4.4.4-... http://ftp.de.debian.org/debian/pool/main/f/freeipa/python-ipaclient_4.4.... http://ftp.de.debian.org/debian/pool/main/f/freeipa/python-ipalib_4.4.4-4... $ dpkg -i *.deb $ ipa-client-install -N --mkhomedir This all seems to work successfully, the server appears on the FreeIPA web console and even: $ sss_ssh_authorizedkeys $MY_IPA_USER works! But ssh, sudo don't work. However if I patch /etc/sssd/sssd.conf and add nss and pam to [sssd] services, ssh, console login and sudo work! Questions: 1) Is there anything problematic in my procedure? 2) Whom should I report a bug so /etc/sssd/sssd.conf is generated correctly? I'm guessing Debian... 3) Proxmox supposedly uses PAM for its web/API auth, but it ignores my user. It supports LDAP for authentication, though... Would you recommend using LDAP or trying to coerce PAM into working for IPA? Cheers, Álex -- ___ {~._.~} ( Y ) ()~*~() mail: alex at corcoles dot net (_)-(_) http://alex.corcoles.net/

6 years, 2 months

2
2
0 / 0

ipa: ERROR: No valid Negotiate header in server response

by Matt .

Hello, I'm facing an issue on my IPA server (currently 4.6.1, same happened on 4.5.4) with kerberos tickets. As was investigating this and tried to add a server with a admin ticket I get the following on and the IPA server itself and on a client with freeipa-admintools as well: $kinit admin $klist Ticket cache: KEYRING:persistent:0:0 Default principal: admin(a)DOMAIN.TLD Valid starting Expires Service principal 01/21/2018 22:52:35 01/22/2018 22:52:29 HTTP/ipa-01.domain.tld(a)DOMAIN.TLD 01/21/2018 22:52:30 01/22/2018 22:52:29 krbtgt/DOMAIN.TLD(a)DOMAIN.TLD $ipa service-add HTTP/client-01.domain.tld(a)DOMAIN.TLD ipa: ERROR: No valid Negotiate header in server response What is going wrong here ? I cannot find much about it. Thanks, Matt

6 years, 2 months

1
1
0 / 0

Login failed due to unknow reason on the WebUI on new FreeIPA 4.5 installation

by Alexandre Pitre

Hi, I recently deployed a new FreeIPA domain running on CentOS 7.4 and FreeIPA 4.5 The installation went without hiccups but the WebUI isn't working as expected. Logging in with admin failed with this error: Login failed due to an unknow reason. I've seen this issue with every FreeIPA 4.5 replica I've built. As you may know this is pretty common error with 4.5. I usually just chmod 444 /var/lib/ipa-client/pki/* as pointed out in https://access.redhat.com/solutions/3178971 and the logging start working again but not this time with a brand new domain installation. Permissions are correct for the PEM ll /var/lib/pki/* -r--r--r-- 1 root root 4406 Jan 9 14:49 ca-bundle.pem -r--r--r-- 1 root root 4406 Jan 9 14:49 kdc-ca-bundle.pem Here's the output of /var/log/httpd/error_log [Thu Jan 18 01:14:40.543272 2018] [suexec:notice] [pid 12537] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) [Thu Jan 18 01:14:40.543348 2018] [:warn] [pid 12537] NSSSessionCacheTimeout is deprecated. Ignoring. [Thu Jan 18 01:14:40.766070 2018] [auth_digest:notice] [pid 12537] AH01757: generating secret for digest authentication ... [Thu Jan 18 01:14:40.766623 2018] [lbmethod_heartbeat:notice] [pid 12537] AH02282: No slotmem from mod_heartmonitor [Thu Jan 18 01:14:40.766640 2018] [:warn] [pid 12537] NSSSessionCacheTimeout is deprecated. Ignoring. [Thu Jan 18 01:14:40.843105 2018] [mpm_prefork:notice] [pid 12537] AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations [Thu Jan 18 01:14:40.843134 2018] [core:notice] [pid 12537] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND' [Thu Jan 18 01:14:48.465191 2018] [:error] [pid 12545] ipa: INFO: *** PROCESS START *** [Thu Jan 18 01:14:48.470206 2018] [:error] [pid 12546] ipa: INFO: *** PROCESS START *** [Thu Jan 18 01:15:14.020600 2018] [:error] [pid 12545] ipa: INFO: 401 Unauthorized: [Errno 13] Permission denied Output of /var/log/messages show weird errors: Jan 18 01:14:36 bo2-tnt-ipa-001 ipa-dnskeysyncd: ipa : ERROR syncrepl_poll: LDAP error ({'desc': "Can't contact LDAP server"}) Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.102629780 +0000] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup! Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.115268733 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.116680963 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.117878580 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.119338367 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.120503775 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.122000132 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.123149308 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.124282277 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.125837472 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.126966928 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.128085824 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.129501796 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.130686657 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.132301267 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.134575956 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.135778559 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.142405173 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.143655721 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.233078350 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.238586332 +0000] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definitcomn cn=Password Policy,cn=accounts,dc=ipa,dc=domain,dc=com--no CoS Templates found, which should be added before the CoS Definitcomn. Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.261575767 +0000] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds! Jan 18 01:14:43 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:43.268319379 +0000] - ERR - schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=ipa,dc=domain,dc=com Jan 18 01:14:43 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:43.272302862 +0000] - ERR - schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=ipa,dc=domain,dc=com Jan 18 01:14:43 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:43.279547839 +0000] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=ipa,dc=domain,dc=com Jan 18 01:14:43 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:43.285336505 +0000] - ERR - schema-compat-plugin - Finished plugin initializatcomn. Any ideas why ? Thanks Alexandre Pitre

6 years, 3 months

4
6
0 / 0

hardening question

by Natxo Asenjo

hi, in chapter 36 (https://access.redhat.com/documentation/en-us/red_hat_ enterprise_linux/7/pdf/linux_domain_identity_authentication_and_policy_ guide/Red_Hat_Enterprise_Linux-7-Linux_Domain_Identity_ Authentication_and_Policy_Guide-en-US.pdf) we have instructions on disabling anonymous binds. Can I set these settings in dse.ldif instead of using the ldapmodify commando? I think cn=config is not replicated So I could still set this in dse.ldif (both to disable anonymous binds as to force using encryption): nsslapd-allow-anonymous-access: rootdse nsslapd-minssf: 56 Thanks! -- -- Groeten, natxo

6 years, 3 months

2
1
0 / 0

Contribute How-To: LDAP Authentication for Isilon OneFS using FreeIPA

by Aravindh Sampathkumar

Hello all. I'm a new user having recently deployed a FreeIPA server to supply authentication for a small scale cluster. One of the first things I did was to make our storage system (Isilon cluster running OneFS) use FreeIPA as a authentication provider via LDAP. Though straightforward, I wish this information was available directly on the wiki and showed up on Google search for "How to configure Isilon/OneFS to use FreeIPA". I'd be happy to add this information into a wiki entry if someone could give me access to it. Login to FreeIPA server over SSH, and run the command: [root@freeipa1 ~]# ldapsearch -x uid=admin | grep dn: dn: uid=admin,cn=users,cn=compat,dc=nghpc,dc=dk dn: uid=admin,cn=users,cn=accounts,dc=nghpc,dc=dk Note down uid=admin, cn=accounts,dc=nghpc,dc=dk and head to Isilon OneFS, where you may configure LDAP using one of the two methods: (1) Using the web UI: Access --> Authentication Providers --> LDAP + Add an LDAP provider Enter an LDAP provider name of choice that is easy to understand. Server URI: ldaps://<ip address or fqdn of FreeIPA server> Note: If you are using the fqdn, make sure the DNS settings resolve the fqdn from the command line using nslookup <fqdn> Base Distinguished Name: dc=nghpc,dc=dk (Enter the details as obtained from the search command earlier) Bind to: uid=admin,cn=users,cn=accounts,dc=nghpc,dc=dk (Enter the details as obtained from the search command earlier) Enter the password for Admin user and you would have successfully connected Isilon to FreeIPa via LDAP. (2) Using the commandline: Get the status of auth providers before beginning the configuration: isi auth status Create a new LDAP provider using the command, isi auth ldap create test-ldap \ --base-dn="dc=nghpc,dc=dk" \ --bind-dn="uid=admin,cn=users,cn=accounts,dc=nghpc,dc=dk" \ --bind-password="mypasswd" \ --server-uris="ldaps://<ip address or fqdn of FreeIPA server>" \ --groupnet=<groupnet name> Run the ldap search from the Isilon node to test whether the LDAP connection works fine:ldapsearch -x uid=admin You can use the troubleshooting guide from EMC : https://www.emc.com/collateral/TechnicalDocument/docu63147.pdf Thanks, -- Aravindh Sampathkumar aravindh(a)fastmail.com

6 years, 3 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users January 2018