Translation of Web UI LoginScreen widget
by Levin Stanislav
Dear All,
Let me duplicate myself.
I expected to see messages in Russian at the freeipa web login page. File
LoginScreen.js contains '@i18n:' prefixes for messages and corresponding
translatable text is in mo file already.
That's good. My Accept-Language is 'ru'. But ... all (on this widget) is
still in default English.
As I understand it, JSON-RPC is not available without IPA authorization by
design, and therefore neither are i18n_messages.
Which approach can be applied to fix translations? Any ideas?
Your help is greatly appreciated.
Thank you.
5 years, 10 months
PKI with IPA
by Maciej Drobniuch
Hey Guys,
I want to use the IPA CA for PKI on some of our web services (mostly on
premises - that's why)
What I do not know is:
1. How to add a profile id for certificate generation for the user so
he/she can paste a CSR and get a certificate.
2. How to turn on/off automatic signing. ( I would like to review the
request before signing )
3. How can I export the IPA revocation list so it's compliant with servers
(CRL format)
4. Is this a bad idea?
--
Best regards
Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC
5 years, 10 months
Overall users experience with Free-IPA
by Duncan Colhoun
Hi All
I hope this is the appropriate forum for this question.
Can I get some feedback on the overall experience setting up and running Free-IPA. I am looking at implementing Free-IPA to enhance/replace an OpenLDAP environment.
So please share any horror/success stories.
Rgds
Duncan
5 years, 10 months
Dir Mgr passwd won't change?
by Kat
Hi -
Have a replica I did not install CA on. Want to add it. I had lost the
Directory Manager password, so I followed procedure to change it by
editing dse.ldif and replacing the rootpw, but no matter what I do I
keep getting:
[root@ipa-rep2 ~]# ipa-ca-install
Directory Manager (existing master) password:
Directory Manager password is invalid
Scratching my head - has the procedure for changing the Dir Mgr password
changed? I used:
http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpass...
Any ideas?
-K
5 years, 10 months
replication test
by ipa@tecnoaccion.com.ar
hi!
I'm new to FreeIPA, I inherited a FreeIPA infrastructure, and I'm trying
to have a Nagios check for the replication status (without indicating a
password). I found this article:
<https://danieljamesscott.org/11-articles/application-guides/26-freeipa-re...>.
It's exactly what I want to do
but, when I try to do the ldapmodify thing with
grant_anonymous_replication_view.ldif (only changing
cn="dc=example,dc=com" according to my installation), I get:
$ ldapmodify -x -D "cn=directory manager" -W -f
grant_anonymous_replication_view.ldif -h ipa.mydomain.com.ar
Enter LDAP Password:
and it doesn't accept admin or directory manager password (?)
do I have to make other changes to the ldif?
or, what is the password I need?
or, is it another way of making this test without indicating passwords
in plaintext?
thanks in advance,
René
5 years, 10 months
Re: Dir Mgr passwd won't change?
by SOLER SANGUESA Miguel
I changed using this procedure:
Change DM password
You will have to edit the main server config file (dse.ldif). Before you do that, you must shutdown the server. If the server is running and you edit dse.ldif, your changes will be lost:
# stop-dirsrv
Next, generate the new password using the pwdhash command.
# /usr/bin/pwdhash <NEWPASS>
This will print out the hashed password string using the default directory manager password hashing scheme for your instance (SSHA by default). Then
# cd /etc/dirsrv/slapd-<INSTANCE>
Edit dse.ldif (you should have already shutdown the server - see above) - search for nsslapd-rootpw - you will see a line like this:
# nsslapd-rootpw: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXX==
Replace the value with the value printed out by pwdhash and save the file. Then restart the server:
# start-dirsrv
Then test your new password:
# ldapsearch -x -b "cn=accounts,dc=ipa,dc=example,dc=org" "(&(objectclass=ipaservice)(userCertificate=*))" krbPrincipalName -D "cn=directory manager" -w <NEWPASS> -h localhost -p 389
Finally, REPEAT IT FOR ALL THE SERVERS and REPLICAS
Thanks & Regards.
______________________________
Miguel Soler Sangüesa
Consultant - Linux Systems Administrator
OPPV - Linux Server Support
+34 96 199 39 24 - EXT 3924
+41 22 929 19 13
https://www.unicc.org/Pages/Home.aspx
5 years, 10 months
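A script for the dse.ldif step of the procedure above, added here as an example and not taken from the thread or from 389-ds itself: it produces an {SSHA} value of the kind pwdhash prints (assuming 389-ds's default SSHA scheme, SHA-1 over password plus an 8-byte random salt), swaps it into the nsslapd-rootpw line while unfolding LDIF continuation lines, and verifies a password against the stored value. The dse.ldif fragment is constructed; run it only against a copy of the file with the server stopped, as the post says.

```python
"""Reset nsslapd-rootpw in dse.ldif text. Added example; assumes 389-ds SSHA:
base64(sha1(password + salt) + salt) with an 8-byte salt, as pwdhash emits."""
import base64
import hashlib
import os
import re

SALT_LEN = 8  # assumption: 389-ds default salt length for the SSHA scheme
ROOTPW_RE = re.compile(r"^nsslapd-rootpw:[ \t]*(.*(?:\n .*)*)$", re.MULTILINE)

def ssha_hash(password, salt=None):
    """Return a '{SSHA}...' value in the form pwdhash prints."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    """Check a password against a stored '{SSHA}' value; salt is the tail."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest

def current_rootpw(ldif):
    """Extract the rootpw value, unfolding LDIF continuation lines (' ' prefix)."""
    m = ROOTPW_RE.search(ldif)
    if not m:
        raise ValueError("no nsslapd-rootpw attribute in this LDIF")
    return m.group(1).replace("\n ", "").strip()

def replace_rootpw(ldif, new_hash):
    """Return the LDIF with the (possibly folded) rootpw attribute replaced."""
    if not ROOTPW_RE.search(ldif):
        raise ValueError("no nsslapd-rootpw attribute in this LDIF")
    return ROOTPW_RE.sub(lambda _m: "nsslapd-rootpw: " + new_hash, ldif, count=1)

# Constructed dse.ldif fragment; the rootpw value is a same-length placeholder.
SAMPLE_DSE = (
    "dn: cn=config\n"
    "cn: config\n"
    "nsslapd-rootdn: cn=directory manager\n"
    "nsslapd-rootpw: {SSHA}" + "A" * 38 + "==\n"
    "nsslapd-port: 389\n"
)

if __name__ == "__main__":
    updated = replace_rootpw(SAMPLE_DSE, ssha_hash("NewPass1"))
    print(updated, ssha_verify("NewPass1", current_rootpw(updated)))
```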
Setting up HBAC for external users
by Marc Boorshtein
I'm trying to set up an HBAC rule for allowing users from a trust to
access linux servers in a FreeIPA domain. My setup:
1. rhelent.lan - FreeIPA 4.5.0-22
2. ent2k12.domain.com - AD on windows 2012r2
3. boz1 - centos7, member of rhelent.lan
4. External group ad_ext_users
5. POSIX group called hbac_access
6. HBAC group that has the posix group hbac_access as a member
7. IPA user dvader is a member of hbac_access posix group
8. mmosley(a)ent2k12.domain.com is a member of ad_ext_users external group
When I login as dvader, everything works great. When I login as
mmosley(a)ent2k12.domain.com the connection is closed. This is in
/var/log/secure:
May 19 13:43:11 box1 sshd[1398]: pam_sss(sshd:auth): authentication
success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.8.0.2
user=mmosley(a)ent2k12.domain.com
May 19 13:43:11 box1 sshd[1398]: pam_sss(sshd:account): Access denied
for user mmosley(a)ent2k12.domain.com: 6 (Permission denied)
May 19 13:43:11 box1 sshd[1395]: error: PAM: User account has expired
for mmosley(a)ent2k12.domain.com from 10.8.0.2
May 19 13:43:12 box1 sshd[1395]: fatal: monitor_read: unpermitted request 104
So authentication is working, authorization is failing. Am I missing something?
Thanks
Marc
5 years, 10 months
How does FreeIPA assign gid and uid numbers to AD users in a trust?
by Marc Boorshtein
I'm working with the ipa web services to provision users across a one
way trust with IPA. I have looked at the id_view_* services and am
trying to wrap my head around a few details:
1. When I ssh into a linux box that's a member of the IPA domain with
my AD user IPA creates an object in LDAP and assigns a gid and uid to
it, but when I create the user in the ID View under the Default Trust
View the information from the object isn't there, BUT when I set the
shell it gets written to the directory object when I update the shell
attribute. Shouldn't the user's gid/uid be visible there as part of
the view?
2. When I add a user from AD to an external group should I specify
the userPrincipalName as the external member?
3. Is there a way to get IPA to trigger the creation of the ldap
object that represents the AD user via a web service instead of
logging in or sudoing over to that user?
Thanks
5 years, 10 months
ipa-client-install - sssd.conf
by Ronald Wimmer
Hi,
is there a way to configure parameters in sssd.conf when calling
ipa-client-install? It would be very helpful to be able to specify these
parameters:
[sssd]
default_domain_suffix = SOMEDOMAIN
[nss]
homedir_substring = /home
default_shell = /bin/bash
default_shell is the most important one as AD users have /bin/sh as
their default shell.
Regards,
Ronald
5 years, 10 months
authoritative name-server
by Andrew Meyer
In my current freeipa setup when I go in to the dns zone I see the authoritative name server is incorrect. When I removed the server shouldn't it have changed it?
Also when I go look at the bind config in /var/named/dyndb-ldap/master/example.net/raw the SOA line shows the correct server. Where else would I look to see why the GUI is not showing the right information?
Thank you!
5 years, 10 months