Create Certificate for Load Balancer & end2end HTTPS traffic
by Peter Tselios
Hello,
I want to create an AWS Load Balancer that will use HTTPS end to end.
I want to use my FreeIPA to generate the certificates for the instances and for the ALB.
My questions:
1. Is it possible to issue a certificate from FreeIPA for the AWS ALB since the latter will not be a FreeIPA client?
If so, how?
2. If I cannot issue a certificate from the FreeIPA, what alternatives do I have?
Generate a CSR from any linux box and just sign it?
5 years, 5 months
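For the ALB case asked about above, here is an added example (not from the original post or from the FreeIPA project) of the "generate a CSR on any Linux box and have the IPA CA sign it" route. The ALB is never enrolled; it only gets a host entry and an HTTP service principal so that `ipa cert-request` has something to attach the certificate to. The hostname `alb.example.com`, the realm `EXAMPLE.COM`, the admin credentials and the `--certificate-out` option (present in recent FreeIPA releases) are assumptions.

```shell
#!/bin/sh
# Added example: key + CSR for a load-balancer hostname, signed by the IPA CA
# from any enrolled client. Hostnames, realm and paths are assumptions.
set -eu

# Write an OpenSSL request config carrying a DNS SAN. Using a config file
# instead of -addext keeps this working on OpenSSL releases before 1.1.1.
write_req_conf() {   # $1 = FQDN, $2 = output config path
  cat > "$2" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $1
[v3_req]
subjectAltName = DNS:$1
EOF
}

# Generate a private key and CSR for $1 into $2.key / $2.csr (key stays local).
make_csr() {   # $1 = FQDN, $2 = output basename
  write_req_conf "$1" "$2.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$2.key" -out "$2.csr" -config "$2.cnf" 2>/dev/null
  chmod 600 "$2.key"
}

# Check that the CSR really carries the expected DNS SAN (0 = yes). Browsers
# and the ALB's clients match on SAN, not on CN, so verify before signing.
csr_has_san() {   # $1 = CSR path, $2 = FQDN
  openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# Have the IPA CA sign it. Needs a Kerberos ticket with rights on the host
# entry (kinit admin). --force skips the "hostname must resolve in IPA DNS"
# check, because the ALB name lives in Route 53 / AWS DNS, not in IPA.
ipa_sign_csr() {   # $1 = FQDN, $2 = CSR path, $3 = REALM, $4 = output cert path
  ipa host-add "$1" --force >/dev/null 2>&1 || true          # idempotent
  ipa service-add "HTTP/$1@$3" --force >/dev/null 2>&1 || true
  ipa cert-request "$2" --principal="HTTP/$1@$3" --certificate-out="$4"
}
```

Usage (assumed names): `make_csr alb.example.com ./alb`, `csr_has_san ./alb.csr alb.example.com`, `kinit admin`, `ipa_sign_csr alb.example.com ./alb.csr EXAMPLE.COM ./alb.crt`, then import into ACM with `aws acm import-certificate --certificate fileb://alb.crt --private-key fileb://alb.key --certificate-chain fileb:///etc/ipa/ca.crt` and attach the imported certificate to the HTTPS listener. Two caveats: the IPA CA chain (`/etc/ipa/ca.crt` on any enrolled client) must be supplied as the chain or the ALB's clients will not trust it unless they already trust the IPA CA; and because the ALB is not an IPA client there is no certmonger to renew the certificate, so track its expiry yourself. Whether the ALB verifies the certificates presented by the backend instances is a separate question; check the current ALB documentation rather than assuming it does.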
ipa-server-install --uninstall damages all the cluster
by Andrey Bondarenko
Hello,
Just want to share that this is a known issue for our cluster:
1 - install new replica
2 - install of the replica fails for any reason (in my case it was because I
am unable to set the server which custodia uses on the ipa-server-install
command line)
3 - ipa-server-install --uninstall
4 - RUVs from 1970-00-00 and slapds eating all the CPU they have.
So the correct way is always to clean up the failed replica from the cluster
first, not to use --uninstall. It's CentOS 7.5.
--
With best regards,
Andrey Bondarenko
mail: me@andreybondarenko.com
https://andreybondarenko.com
skype: andrey.bondarenko
phone, Telegram, WhatsApp, etc: +420-773-591-443
7758 40AC 88CC 96C9 0C9A 9EE4 3B72 547B 7538 D41B
5 years, 5 months
Account creation via API not assigning uidNumber
by Callum Smith
Dear All,
When using the API to create an account, if I don't specify the uidnumber I get this error:
missing attribute "uidNumber" required by object class "posixAccount"
I was expecting the uidNumber to function thus: "system will assign one if not provided"
Am I missing something?
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum@well.ox.ac.uk
5 years, 5 months
Setting up Ubuntu client on free IPA
by Jatinder Kumar
Hi,
Actually, I had installed the FreeIPA server on my CentOS 7 machine. But in my
organization, we are using Ubuntu. Could you please give the steps so that
I can add my Ubuntu servers as clients in FreeIPA for SSH access
management.
Thank you
jatinder
5 years, 5 months
kpasswd: Client not found in Kerberos database getting initial ticket
by lune voo
Hello everyone.
I send you this mail because I encountered a strange problem trying to set
a password for a user I just created.
First, I created the user with ipa user-add, with the following result:
Added user <myuser>
Then I added this user into a password policy group and it worked fine.
Then I set a One Time Password for this account and it worked.
Finally I tried to set a complex password fitting the password policy with
the kpasswd command. And here, I encountered the following error message :
kpasswd: Client not found in Kerberos database getting initial ticket
My kpasswd command was like that :
printf "%s\n%s\n%s" '<one_time_password>' '<password>' '<password>' |
kpasswd <myuser>
It works fine usually, this is the first time I see this error message.
I wanted to ask you if you know what this error message means.
For me it means that the user does not exist, but I prefer to ask you guys.
The strange thing is that, after that, I tried to ipa user-unlock the
account, and it worked o_O.
I'm running 2 IPA masters 3.0.0 on RHEL 6.6.
Best regards.
Lune.
5 years, 5 months
can clients or servers be pinned to named Active Directory servers to bypass DNS auto-discovery?
by Chris Dagdigian
Is it possible to override the AD integration use of DNS queries to find
AD controllers and replace the auto-discovery with a named list of
domain controllers?
We've got a setup in an AWS VPC and we've found that, out of the 100 or
so domain controllers in DNS, a few of them refuse to talk to us or
answer ldaps:// queries. After a lot of nmap and DNS probe work we think
we've discovered a number of "bad" controllers that may be responsible
for random password check / login failures in the AWS environment.
Can the latest sssd/FreeIPA be configured to use a list of "known good"
domain controllers?
Thanks!
Chris
5 years, 5 months
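The question above is about replacing SRV-based discovery with a fixed list of controllers. As an added example (not from the original post or from the sssd project), the script below repeats the poster's probe in a scriptable form: it reads the same `_ldap._tcp.dc._msdcs` SRV record sssd uses, keeps only the controllers that complete a TLS handshake on 636, and prints the `ad_server =` line sssd expects, with `_srv_` kept as a last-resort fallback to DNS discovery. The AD domain name, the 5-second timeout and the availability of `dig`, `timeout` and `openssl` are assumptions.

```shell
#!/bin/sh
# Added example: build an sssd "ad_server" pin list from the DCs that actually
# answer LDAPS. Domain name and tool availability are assumptions.
set -eu

# Domain controllers advertised in DNS (the SRV record sssd itself consults).
# dig prints "prio weight port target."; we keep the target without its dot.
list_dcs() {   # $1 = AD domain
  dig +short SRV "_ldap._tcp.dc._msdcs.$1" | awk '{sub(/\.$/, "", $4); print $4}'
}

# 0 if a TLS handshake on 636 completes within 5 s, 1 otherwise. A DC that
# listens on 389 but never finishes the LDAPS handshake is exactly the kind
# of "bad" controller that produces random bind failures.
probe_ldaps() {   # $1 = DC FQDN
  timeout 5 openssl s_client -connect "$1:636" -servername "$1" \
    </dev/null >/dev/null 2>&1
}

# Format the comma-separated value sssd expects, with _srv_ appended so that
# DNS discovery remains a fallback if every pinned DC is down.
ad_server_line() {   # $@ = good DC FQDNs
  good=""
  for dc in "$@"; do
    good="${good:+$good, }$dc"
  done
  printf 'ad_server = %s\n' "${good:+$good, }_srv_"
}

# Probe every advertised DC and emit the pin line for the responsive ones.
pin_good_dcs() {   # $1 = AD domain
  good=""
  for dc in $(list_dcs "$1"); do
    if probe_ldaps "$dc"; then
      good="$good $dc"
    else
      echo "skipping $dc: no LDAPS handshake" >&2
    fi
  done
  ad_server_line $good   # unquoted on purpose: split into one arg per DC
}
```

Run `pin_good_dcs ad.example.com` and place the printed line in sssd.conf: in the `[domain/ad.example.com]` section on a host joined directly to AD, or, on an IPA server that resolves AD users through a trust, in the subdomain-specific section `[domain/ipa.example.com/ad.example.com]` that recent sssd versions accept for `ad_server`, `ad_backup_server` and `ad_site` (the exact section name for your deployment is an assumption to verify against `man sssd.conf`). Then `systemctl restart sssd` and `sss_cache -E`. Once `ad_server` is set, sssd stops consulting SRV records unless `_srv_` appears in the list, so re-run the probe when controllers are added or retired.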
Re: sss_ssh_authorizedkeys returns empty list
by Johannes Falke
For posterity, I had the same issue and fixed it by explicitly setting
ldap_user_ssh_public_key = ipaSshPubKey
in the domain portion of sssd.conf. Otherwise I assume it looks for the
attribute "sshPublicKey", since that's what it's called in the sssd cache
DB.
5 years, 5 months
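The Ubuntu enrolment question earlier on this page and the `sss_ssh_authorizedkeys` fix just above are two halves of the same setup: enrol the host, then make sure sshd actually asks sssd for the user's keys. The following is an added example (not from either post or from the FreeIPA/sssd projects) that runs the enrolment and then checks the sshd side. The domain, realm, server and admin principal are assumptions; the `freeipa-client` package name and `ipa-client-install` options are the standard ones on Ubuntu.

```shell
#!/bin/sh
# Added example: enrol an Ubuntu host in IPA and verify that sshd fetches
# authorized keys through sssd. Names are assumptions; adjust to your site.
set -eu

# Enrolment, run as root on the Ubuntu box. ipa-client-install configures
# sssd (id_provider = ipa) and rewrites sshd_config to use sss_ssh_authorizedkeys.
enrol_ubuntu_client() {   # $1 = IPA domain, $2 = realm, $3 = IPA server FQDN
  apt-get install -y freeipa-client
  ipa-client-install --mkhomedir --ssh-trust-dns \
    --domain="$1" --realm="$2" --server="$3" --principal=admin
}

# Return 0 when the sshd_config text on stdin has both required directives
# uncommented: the key lookup command and the unprivileged user it runs as.
sshd_keycmd_ok() {
  cfg=$(grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' || true)
  printf '%s\n' "$cfg" | grep -Eqi \
    '^[[:space:]]*AuthorizedKeysCommand[[:space:]]+/usr/bin/sss_ssh_authorizedkeys' &&
  printf '%s\n' "$cfg" | grep -Eqi \
    '^[[:space:]]*AuthorizedKeysCommandUser[[:space:]]+nobody'
}

# Does sssd return at least one key for the user? (0 = yes; prints nothing)
user_keys_present() {   # $1 = username
  [ -n "$(sss_ssh_authorizedkeys "$1" 2>/dev/null)" ]
}
```

After `enrol_ubuntu_client example.com EXAMPLE.COM ipa1.example.com`, run `sshd_keycmd_ok < /etc/ssh/sshd_config` and `user_keys_present alice` (the username is an assumption). If the first passes and the second fails for a user who has a key in IPA, look at the sssd domain section: with `id_provider = ipa`, which is what `ipa-client-install` writes, the `ipaSshPubKey` attribute is already the default, so the `ldap_user_ssh_public_key = ipaSshPubKey` line from the post above is only needed when the host was configured with the plain `ldap` provider, whose default attribute name is `sshPublicKey`.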
GSSAPI Error: Unspecified GSS
by mohammad sereshki
Hi,
I got the below error. Is there anyone who knows what this is and how I can sort it out?
slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_491' not found)) errno 0 (Success)
[22/Oct/2018:16:59:33 +031800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
NSMMReplicationPlugin - agmt="cn=meTosrv1.example.com" (drvl124:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_491' not found))
5 years, 5 months
Inconsistencies in account preserved status
by Roderick Johnstone
Hi
This is ipa-server-4.5.4-10.el7_5.4.4.x86_64 on RHEL7.5.
I've got four preserved accounts (out of a few hundred preserved accounts).
On two of the servers they are showing up correctly as preserved with
this command:
ipa user-show <username>.
On the third server the same command shows the users with the preserved
attribute set to false.
Based on a few tests changing (other) accounts it seems that replication
is generally working fine between all the servers.
But:
1) The ipa_check_consistency script is showing all three servers with
the same (correct) number of preserved and active users and is showing a
good replication status for all server replication agreements.
So it's not showing fewer preserved accounts on one server correctly.
2) I'm not seeing any replication conflicts on any of the servers
through commands like this:
# ldapsearch -x -D "cn=directory manager" -W -b "dc=example,dc=com"
"nsds5ReplConflict=*" \* nsds5ReplConflict
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: nsds5ReplConflict=*
# requesting: * nsds5ReplConflict
#
# search result
search: 2
result: 0 Success
# numResponses: 1
3) The dirsrv error log on the server with the users not showing as
preserved is showing the following entries from last May:
[11/May/2018:10:09:31.330807982 +0100] - ERR - managed-entries-plugin -
mep_mod_post_op - Unable to find config for origin entry
"uid=<user>,cn=deleted users,cn=accounts,cn=provisioning,dc=example,dc=com".
[11/May/2018:10:09:36.294657019 +0100] - ERR - NSMMReplicationPlugin -
write_changelog_and_ruv - Can't add a change for
uid=<user>,cn=users,cn=accounts,dc=example,dc=com (uniqid:
f132de25-54fa11e8-b4d6ec15-cd33af38, optype: 64) to changelog csn
5af55dc9000600040000
I'd appreciate any thoughts as to why there might be an inconsistency
between servers despite there apparently being no replication conflicts
and no indication in the ipa_check_consistency script output.
What might be the best way to resolve this inconsistency between servers?
Thanks
Roderick Johnstone
5 years, 5 months
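A preserved IPA user is one whose entry has been moved under `cn=deleted users,cn=accounts,cn=provisioning`, which is the container named in the managed-entries error quoted above. The report above compares `ipa user-show` output by hand across three masters; as an added example (not from the original post or from the FreeIPA project), the script below asks each master directly, over a GSSAPI bind, which uids it holds in that container and prints the uids that only one side has. The master names, the base DN `dc=example,dc=com` and a valid Kerberos ticket are assumptions.

```shell
#!/bin/sh
# Added example: compare the set of preserved users between two IPA masters
# by reading the "deleted users" container on each. Names are assumptions.
set -eu
export LC_ALL=C                     # stable sort order for comm(1)

BASE_DN="${BASE_DN:-dc=example,dc=com}"   # assumption: your suffix

# Extract sorted, de-duplicated uid values from LDIF on stdin, one per line.
uids_from_ldif() {
  sed -n 's/^uid: //p' | sort -u
}

# Preserved users as one master sees them. -s one keeps it to direct children
# of the container; -Q suppresses the SASL chatter so only LDIF reaches stdout.
preserved_on() {   # $1 = master FQDN
  ldapsearch -LLL -Q -Y GSSAPI -H "ldap://$1" \
    -b "cn=deleted users,cn=accounts,cn=provisioning,$BASE_DN" \
    -s one '(objectClass=posixAccount)' uid | uids_from_ldif
}

# Given two sorted uid files, print each uid that is missing from one side,
# labelled with the master that does have it. Empty output means the two
# containers agree, which is what a healthy replication topology should show.
label_diff() {   # $1 = file A, $2 = file B, $3 = name of A, $4 = name of B
  tab=$(printf '\t')
  comm -3 "$1" "$2" | sed "s/^$tab/only on $4: /; t; s/^/only on $3: /"
}

# Fetch from both masters and report the differences.
diff_preserved() {   # $1 = master A, $2 = master B
  a=$(mktemp); b=$(mktemp)
  preserved_on "$1" > "$a"
  preserved_on "$2" > "$b"
  label_diff "$a" "$b" "$1" "$2"
  rm -f "$a" "$b"
}
```

Run `kinit admin` and then `diff_preserved ipa1.example.com ipa3.example.com` (assumed names). A uid reported as "only on ipa1" is preserved there but not on ipa3; on ipa3 the same uid will usually still sit under `cn=users,cn=accounts`, which matches the `write_changelog_and_ruv` error above complaining about a change for exactly that DN. That pattern points at a change that never made it into the changelog rather than at a conflict entry, which is why the `nsds5ReplConflict` search comes back empty. Once you have confirmed from the two lists which master holds the correct state, the usual remedy is to re-initialise the divergent replica from a good one with `ipa-replica-manage re-initialize --from <good-master>` run on the divergent server, after taking a backup.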