PKI with IPA
by Maciej Drobniuch
Hey Guys,
I want to use the IPA CA for PKI on some of our web services (mostly off
premises - that's why).
What I do not know is:
1. How to add a profile id for certificate generation for the user so
he/she can paste a CSR and get a certificate.
2. How to turn on/off automatic signing. (I would like to review the
request before signing.)
3. How can I export the IPA revocation list so it's compliant with servers
(CRL format)
4. Is this a bad idea?
--
Best regards
Maciej Drobniuch
Network Security Engineer
Collective-Sense, LLC
Overall users experience with Free-IPA
by Duncan Colhoun
Hi All
I hope this is the appropriate forum for this question.
Can I get some feedback on the overall experience setting up and running Free-IPA. I am looking at implementing Free-IPA to enhance/replace an OpenLDAP environment.
So please share any horror/success stories.
Rgds
Duncan
Dir Mgr passwd won't change?
by Kat
Hi -
Have a replica I did not install CA on. Want to add it. I had lost the
Directory Manager password, so I followed procedure to change it by
editing dse.ldif and replacing the rootpw, but no matter what I do I
keep getting:
[root@ipa-rep2 ~]# ipa-ca-install
Directory Manager (existing master) password:
Directory Manager password is invalid
Scratching my head - has the procedure for changing the Dir Mgr password
changed? I used:
http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpass...
Any ideas?
-K
replication test
by ipa@tecnoaccion.com.ar
hi!
I'm new to FreeIPA, I inherited a FreeIPA infrastructure, and I'm trying
to have a Nagios check for the replication status (without indicating a
password). I found this article:
<https://danieljamesscott.org/11-articles/application-guides/26-freeipa-re...>.
It's exactly what I want to do
but, when I try to do the ldapmodify thing with
grant_anonymous_replication_view.ldif (only changing
cn="dc=example,dc=com" according to my installation), I get:
$ ldapmodify -x -D "cn=directory manager" -W -f grant_anonymous_replication_view.ldif -h ipa.mydomain.com.ar
Enter LDAP Password:
and it doesn't accept the admin or directory manager password (?)
Do I have to make other changes to the ldif?
Or, what is the password I need?
Or, is there another way of making this test without indicating passwords
in plaintext?
thanks in advance,
René
Re: Dir Mgr passwd won't change?
by SOLER SANGUESA Miguel
I changed it using this procedure:
Change DM password
You will have to edit the main server config file (dse.ldif). Before you do that, you must shut down the server. If the server is running and you edit dse.ldif, your changes will be lost:
# stop-dirsrv
Next, generate the new password using the pwdhash command.
# /usr/bin/pwdhash <NEWPASS>
This will print out the hashed password string using the default directory manager password hashing scheme for your instance (SSHA by default). Then
# cd /etc/dirsrv/slapd-<INSTANCE>
Edit dse.ldif (you should have already shut down the server - see above) - search for nsslapd-rootpw - you will see a line like this:
# nsslapd-rootpw: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXX==
Replace the value with the value printed out by pwdhash and save the file. Then restart the server:
# start-dirsrv
Then test your new password:
# ldapsearch -x -b "cn=accounts,dc=ipa,dc=example,dc=org" "(&(objectclass=ipaservice)(userCertificate=*))" krbPrincipalName -D "cn=directory manager" -w <NEWPASS> -h localhost -p 389
Finally, REPEAT IT FOR ALL THE SERVERS and REPLICAS
Thanks & Regards.
______________________________
Miguel Soler Sangüesa
Consultant - Linux Systems Administrator
OPPV - Linux Server Support
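An added example (not from the list post, and not 389-ds or FreeIPA code) that scripts the dse.ldif edit from the procedure above: it swaps the nsslapd-rootpw value for a hash of the kind pwdhash prints, refusing values without a {SCHEME} prefix or files where the attribute is missing or duplicated. The sample dse.ldif and the hash values are constructed; the instance path /etc/dirsrv/slapd-<INSTANCE> and the stop/start steps are assumed to be handled as the post describes.

```shell
#!/bin/sh
# Constructed example: rewrite nsslapd-rootpw in a dse.ldif copy.
# The server must already be stopped (stop-dirsrv), as the procedure says,
# or the edit is lost when dirsrv writes the file back.
set -eu

# replace_rootpw FILE HASH: rewrite the single nsslapd-rootpw line in FILE.
# Returns 1 if HASH lacks a {SCHEME} prefix or FILE does not hold exactly
# one nsslapd-rootpw attribute.
replace_rootpw() {
    file=$1
    newhash=$2
    case "$newhash" in
        {*}?*) ;;
        *) echo "refusing: hash must look like {SSHA}..." >&2; return 1 ;;
    esac
    if [ "$(grep -c '^nsslapd-rootpw: ' "$file")" -ne 1 ]; then
        echo "refusing: expected exactly one nsslapd-rootpw line" >&2; return 1
    fi
    # awk -v instead of sed: base64 hashes contain '/', '+' and '=' that
    # would need escaping in a sed substitution.
    awk -v h="$newhash" '
        /^nsslapd-rootpw: / { print "nsslapd-rootpw: " h; next }
        { print }' "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# current_rootpw FILE: print the stored hash so the edit can be verified.
current_rootpw() {
    sed -n 's/^nsslapd-rootpw: //p' "$1"
}

# Constructed stand-in for /etc/dirsrv/slapd-<INSTANCE>/dse.ldif
SAMPLE_DSE=$(mktemp)
trap 'rm -f "$SAMPLE_DSE" "$SAMPLE_DSE.tmp"' EXIT
cat > "$SAMPLE_DSE" <<'EOF'
dn: cn=config
cn: config
nsslapd-rootdn: cn=directory manager
nsslapd-rootpw: {SSHA}OLDOLDOLDOLDOLDOLDOLDOLDOLDOLDOLD==
nsslapd-port: 389
EOF

# Constructed value standing in for the output of: /usr/bin/pwdhash <NEWPASS>
NEW_HASH='{SSHA}newhash+with/base64=chars==='
replace_rootpw "$SAMPLE_DSE" "$NEW_HASH"
echo "rootpw now: $(current_rootpw "$SAMPLE_DSE")"
```

As the post says, the same edit has to be repeated on every server and replica, since each instance keeps its own dse.ldif.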
Setting up HBAC for external users
by Marc Boorshtein
I'm trying to setup an HBAC rule for allowing users from a trust to
access Linux servers in a FreeIPA domain. My setup:
1. rhelent.lan - FreeIPA 4.5.0-22
2. ent2k12.domain.com - AD on windows 2012r2
3. boz1 - centos7, member of rhelent.lan
4. External group ad_ext_users
5. POSIX group called hbac_access
6. HBAC group that has the POSIX group hbac_access as a member
7. IPA user dvader is a member of the hbac_access POSIX group
8. mmosley(a)ent2k12.domain.com is a member of ad_ext_users external group
When I login as dvader, everything works great. When I login as
mmosley(a)ent2k12.domain.com the connection is closed. This is in
/var/log/secure:
May 19 13:43:11 box1 sshd[1398]: pam_sss(sshd:auth): authentication
success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.8.0.2
user=mmosley(a)ent2k12.domain.com
May 19 13:43:11 box1 sshd[1398]: pam_sss(sshd:account): Access denied
for user mmosley(a)ent2k12.domain.com: 6 (Permission denied)
May 19 13:43:11 box1 sshd[1395]: error: PAM: User account has expired
for mmosley(a)ent2k12.domain.com from 10.8.0.2
May 19 13:43:12 box1 sshd[1395]: fatal: monitor_read: unpermitted request 104
So authentication is working, authorization is failing. Am I missing something?
Thanks
Marc
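An added example (not from the post, and not SSSD or FreeIPA code) that picks out the pattern the post's log shows: the pam_sss auth phase succeeds but the account phase denies access, which is what an HBAC rejection looks like on the host. The sample lines are constructed from the post, with the archive's "(a)" restored to "@" and a second, allowed login added for contrast.

```shell
#!/bin/sh
# Constructed example: correlate pam_sss auth and account phases by sshd pid
# over /var/log/secure-style lines and report logins that authenticated
# but were then denied by the account (HBAC) check.
set -eu

# hbac_denials: read log lines on stdin; print "host user rhost" for each
# sshd pid whose auth phase succeeded and whose account phase was denied.
hbac_denials() {
    awk '
    # Extract the pid from the "sshd[NNNN]" token of the current line
    function sshd_pid(   s) {
        if (match($0, /sshd\[[0-9]+\]/)) return substr($0, RSTART + 5, RLENGTH - 6)
        return ""
    }
    /pam_sss\(sshd:auth\): authentication success/ {
        pid = sshd_pid(); u = ""; r = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^user=/)  u = substr($i, 6)
            if ($i ~ /^rhost=/) r = substr($i, 7)
        }
        ok[pid] = u; from[pid] = r; host[pid] = $4   # $4 is the syslog hostname
    }
    /pam_sss\(sshd:account\): Access denied for user/ {
        pid = sshd_pid()
        # Only report denials that follow a successful auth for the same pid
        if (pid in ok) { print host[pid], ok[pid], from[pid]; delete ok[pid] }
    }'
}

# Constructed sample: the denied trust user from the post plus an allowed IPA user
SAMPLE_LOG='May 19 13:43:11 box1 sshd[1398]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.8.0.2 user=mmosley@ent2k12.domain.com
May 19 13:43:11 box1 sshd[1398]: pam_sss(sshd:account): Access denied for user mmosley@ent2k12.domain.com: 6 (Permission denied)
May 19 13:43:11 box1 sshd[1395]: error: PAM: User account has expired for mmosley@ent2k12.domain.com from 10.8.0.2
May 19 13:45:02 box1 sshd[1410]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.8.0.3 user=dvader
May 19 13:50:30 box1 sshd[1422]: pam_sss(sshd:account): Access denied for user nobody: 6 (Permission denied)'

printf '%s\n' "$SAMPLE_LOG" | hbac_denials
```

The "User account has expired" line sshd logs afterwards is only PAM's translation of the account-phase failure, so the pam_sss account line is the one to key on.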
How does FreeIPA assign gid and uid numbers to AD users in a trust?
by Marc Boorshtein
I'm working with the ipa web services to provision users across a one
way trust with IPA. I have looked at the id_view_* services and am
trying to wrap my head around a few details:
1. When I ssh into a Linux box that's a member of the IPA domain with
my AD user, IPA creates an object in LDAP and assigns a gid and uid to
it, but when I create the user in the ID View under the Default Trust
View the information from the object isn't there, BUT when I set the
shell it gets written to the directory object when I update the shell
attribute. Shouldn't the user's gid/uid be visible there as part of
the view?
2. When I add a user from AD to an external group should I specify
the userPrincipalName as the external member?
3. Is there a way to get IPA to trigger the creation of the LDAP
object that represents the AD user via a web service instead of
logging in or sudoing over to that user?
Thanks
ipa-client-install - sssd.conf
by Ronald Wimmer
Hi,
Is there a way to configure parameters in sssd.conf when calling
ipa-client-install? It would be very helpful to be able to specify these
parameters:
[sssd]
default_domain_suffix = SOMEDOMAIN
[nss]
homedir_substring = /home
default_shell = /bin/bash
default_shell is the most important one as AD users have /bin/sh as
their default shell.
Regards,
Ronald
authoritative name-server
by Andrew Meyer
In my current FreeIPA setup, when I go into the DNS zone I see the authoritative name server is incorrect. When I removed the server, shouldn't it have changed it?
Also, when I look at the bind config in /var/named/dyndb-ldap/master/example.net/raw, the SOA line shows the correct server. Where else would I look to see why the GUI is not showing the right information?
Thank you!
Integrations with non-linux environments
by Jeffrey Parker
Hello, we have a mixed environment with Windows, Linux, and Mac OSX systems. I was trying to test out FreeIPA for basic authentication in this environment, but so far nothing has worked. Currently for testing I have FreeIPA 4.6.90.pre1 installed. I tried the walkthrough for Mac OSX and Kerberos worked, but I could not get the OS login to do anything but local users. The Windows desktop system would not even see the Kerberos realm so could not do anything, and on the Windows domain controller, when I try to add a trust on FreeIPA, I get an error that says "ipa: ERROR: CIFS server communication error: code "3221225581", message "The attempted login is invalid. This is either duet to a bad username or authentication information." (both may be "None")". In every case I was just following what is shown on the web site in the how-tos on this. The Mac system is running High Sierra with the latest patches. The Windows desktop is Windows 10 with the latest patches and the Windows server is Windows Server 2016; I used domain functional level 2016, 2008, and 2012, and all did the same thing.