Re: freeIPA Host certs
by Florence Blanc-Renaud
On 3/19/19 7:07 PM, Azim Siddiqui wrote:
> Hi,
>
> I was wondering is there any way I can extract the private key and
> certificate from the nssdb directory? Because the one key I have is not
> matching the certificate.
>
Hi
I am insisting, but please keep freeipa-users in copy.
What do you mean by "extract"? Do you want to remove the key from the
nssdb? or transform it into another format?
To remove a private key from a nssdb, use the certutil command with -F
option. You can find the full format in the man page certutil(1).
If you want to create a PKCS12 file containing the private key and
certificate:
pk12util -o keys.p12 -n $alias -d $NSSDB
If you want a PEM file containing the private key:
pk12util -o keys.p12 -n $alias -d $NSSDB
openssl pkcs12 -in keys.p12 -out cert.key -nodes
If you want a PEM file containing the cert:
certutil -L -d $NSSDB -n $alias -a -o cert.pem
But first of all, which NSSDB directory are you working with? An NSSDB
can contain multiple keys and certificates, and also certificates
without matching private keys. Can you show the content of your NSSDB?
certutil -L -d $NSSDB
certutil -K -d $NSSDB
flo
> Thanks,
> Azeem
>
> On Tue, 19 Mar 2019 at 13:01, Florence Blanc-Renaud <flo(a)redhat.com> wrote:
>
> On 3/19/19 4:18 PM, Azim Siddiqui wrote:
> > Hi Florence,
> >
> > Thanks for the info. I will check for the ipa cert-find command
> and will
> > send you the output. Actually, when I am trying to do $ kinit
> admin it
> > is asking for a password. And I am not sure about the password, as I
> > said it was set by the previous system admin.
> >
> Hi
> (re-adding freeipa-users in cc)
>
> if you do kinit -kt /etc/krb5.keytab you should also have enough
> permissions to perform ipa cert-find.
>
> > And also I can see there is nssdb directory on the server. Do you
> by any
> > chance know, what is that for?
> There are many nssdb directories on a FreeIPA system. For instance
> /etc/ipa/nssdb is the NSS database used by the ipa * commands. It
> contains the certificates of the trusted certificate authorities. You
> can find more information re. NSS databases in the man page for
> certutil(1).
>
> >
> > If I have the private key on the server, how can I renew the
> certificate
> > signed by IPA. can you please provide me the steps.
> If you have the private key in $NSSDB database you just need to follow
> the steps provided in my first email
> (https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...).
>
> flo
> >
> > thanks & Regards,
> > Azeem
> >
> > On Tue, 19 Mar 2019 at 04:57, Florence Blanc-Renaud <flo(a)redhat.com> wrote:
> >
> > On 3/18/19 7:50 PM, Azim Siddiqui wrote:
> > > Hi Florence,
> > >
> > > Thanks for your reply.
> > > I am referring to the applications. For example, we have
> > > Apache,haproxy,jenkins,git which uses certs signed by IPA. And
> > now when
> > > I am browsing these applications urls. It is showing, this
> site
> > is not
> > > secured.
> > > And originally, This cert were created by a system admin,
> who is not
> > > working with us now. So its getting hard for me to figure out,
> > how can I
> > > create or renew the certs.
> > >
> > > And I don't see any files ssl.conf or nss.conf in the server.
> > > The output for getcert list command shows this :-
> > > getcert list
> > > Number of certificates and requests being tracked: 0.
> > >
> > >
> > > I just want to create a crt and key file signed by IPA. So
> that I
> > can
> > > use it for the browsers.
> > Hi,
> >
> > please keep the users mailing list in cc, so that everyone
> can get
> > involved/see the resolution.
> >
> > It is difficult to provide advice with so little information.
> Can you
> > start
> > by checking which certificates were already issued by
> FreeIPA, and
> > we'll
> > see if they are expired?
> >
> > $ kinit admin
> > $ ipa cert-find
> >
> > With the full output and based on the subject you'll be able to
> > identify
> > the host or service certs that you are using for your
> applications. For
> > each of these certs, run
> > $ kinit admin
> > $ ipa cert-show <serial number>
> > and the output will show if the cert is expired (check the
> Not After
> > field).
> >
> > For an expired cert, you will be able to renew the cert if
> you still
> > have the private key. The private key location can be found
> by checking
> > the configuration of your applications.
> > For instance apache on rhel or fedora stores its config in
> > /etc/httpd/conf/httpd.conf, which by default loads the modules in
> > conf.modules.d/*.conf and the config files in conf.d/*.conf.
> >
> > flo
> > >
> > > Thanks,
> > > Azeem
> > >
> > >
> > > On Mon, 18 Mar 2019 at 05:30, Florence Blanc-Renaud <flo(a)redhat.com> wrote:
> > >
> > > On 3/15/19 8:16 PM, Azim Siddiqui wrote:
> > > > Hi Florence,
> > > >
> > > > Hope you are doing good. I tried the way you said. But
> > still, it is
> > > > showing certificate is expired.
> > > >
> > > > Let me be more clear about it.
> > > >
> > > > We have apache running with an expired certificate
> which is
> > > signed by
> > > > FreeIPA. Now I want to renew or create a new
> certificate.
> > So can you
> > > > please tell me how can I renew or create a new
> certificate
> > signed by
> > > > Freeipa.
> > > > As whenever I am going to the Apache URL from the
> browser,
> > it is
> > > showing
> > > > site is not secured.
> > > >
> > > > Thanks & Regards,
> > > > Azeem
> > > >
> > > Hi,
> > >
> > > (re-adding freeipa-users in CC).
> > > Can you first confirm that you are referring to a cert for
> > the apache
> > > server *not running on one of the FreeIPA masters*?
> > >
> > > Then please explain how you originally obtained the
> > certificate. Also
> > > include the following information:
> > > - relevant apache configuration (if using mod_ssl, then
> > > /etc/httpd/conf.d/ssl.conf or if using mod_nss,
> > > /etc/httpd/conf.d/nss.conf).
> > > - output of getcert list on the host running apache
> > >
> > > flo
> > >
> > > > On Wed, 19 Dec 2018 at 14:04, Florence Blanc-Renaud <flo(a)redhat.com> wrote:
> > > >
> > > > On 12/13/18 4:04 PM, Azim Siddiqui via
> FreeIPA-users
> > wrote:
> > > > > Hello,
> > > > >
> > > > > Hope you are doing good. I have a question
> regarding
> > > freeIPA host
> > > > > certificates.
> > > > > We are using FreeIPA as our LDAP. We have some
> > > certificates for
> > > > hosts ex
> > > > > :- http/uat.com.
> > > > > And we deploying the certs in Haproxy in PEM
> format.
> > > > > But the certificates for this host has been
> expired.
> > > > > Can you please let me know in detail how to
> renew
> > my expired
> > > > > certificates for the hosts. Please provide
> me the
> > commands
> > > and steps.
> > > > >
> > > > Hi,
> > > >
> > > > from your description I understand that you are
> > referring to
> > > > certificates delivered by IPA CA for one of the
> > IPA-enrolled
> > > hosts, but
> > > > not the master's Server-Cert used for IPA Web GUI.
> > > >
> > > > In this case, how did you obtain the
> certificate? If
> > you used
> > > a method
> > > > similar to what is described in this wiki [1], the
> > certificate
> > > > should be
> > > > monitored by certmonger and automatically renewed.
> > > >
> > > > If you followed instead this wiki [2], the
> certificate
> > is not
> > > > tracked by
> > > > certmonger and needs to be manually renewed.
> You need
> > to do the
> > > > following, assuming that the cert is in a NSS
> database
> > $NSSDB
> > > on the
> > > > IPA
> > > > client:
> > > > - find the key nickname
> > > > # certutil -K -d $NSSDB
> > > > certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> > > > Enter Password or Pin for "NSS Certificate DB":
> > > > < 0> rsa      7c0646606b33ab683ee4d1790719ebc4154db0f6   NSS Certificate DB:Server-Cert
> > > > (note the key nickname for the next command)
> > > >
> > > > - create a new certificate request that will
> re-use the
> > > existing key
> > > > (replace DOMAIN.COM with your IPA domain, in uppercase):
> > > > # certutil -R -d $NSSDB -k "NSS Certificate DB:Server-Cert" -s "cn=`hostname`,O=DOMAIN.COM" -a -o /tmp/cert.csr
> > > > Enter Password or Pin for "NSS Certificate DB":
> > > >
> > > > - request a certificate using the new
> certificate request
> > > > # kinit admin
> > > > # ipa cert-request --principal=HTTP/`hostname` /tmp/cert.csr
> > > > (the output will display a Serial Number that
> needs to be
> > > noted for the
> > > > next command)
> > > >
> > > > - remove the previous cert from the NSS database:
> > > > # certutil -D -d $NSSDB -n Server-Cert
> > > >
> > > > - export the certificate to a file, then import the
> > > certificate in the
> > > > NSS database:
> > > > # ipa cert-show $SERIAL_NUMBER
> --out=/tmp/server.crt
> > > > # certutil -A -d $NSSDB -n Server-Cert -t u,u,u -i
> > > /tmp/server.crt
> > > >
> > > > HTH,
> > > > flo
> > > >
> > > > [1]
> > > >
> > >
> >
> https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Cert...
> > > > [2]
> > https://www.freeipa.org/page/PKI#Manual_certificate_requests
> > > >
> > > > > FreeIPA, version: 4.2.0
> > > > >
> > > > > Thanks & Regards,
> > > > > Azeem
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > > > > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > > > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > > > >
> > > >
> > >
> >
>
5 years, 1 month
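The diagnostic Florence asks for at the top of this thread ("which NSSDB, and does it actually hold a key for that cert?") can be made mechanical. The following is an added example by the editor, not code from the thread or from the FreeIPA project: it parses the text that `certutil -L` and `certutil -K` print and cross-references certificate nicknames with key nicknames, so that a cert without a key, or a key without a cert (the poster's "key does not match the certificate" situation), stands out. The two sample listings embedded at the bottom are constructed for the demo and modelled on the output quoted above; the nicknames `IPA.EXAMPLE.COM IPA CA`, `old-haproxy-cert` and `haproxy-2018` and the second key id are assumptions.

```python
"""Cross-check what an NSS database holds: which certificate nicknames have a
private key behind them, which are CA/peer certificates with no key, and which
keys have no certificate at all.

The parsers work on the text printed by `certutil -L -d $NSSDB` (certificate
listing) and `certutil -K -d $NSSDB` (key listing). The sample listings at the
bottom are constructed for the demo, not real output from anyone's machine.
"""
import re
import subprocess
from dataclasses import dataclass, field

# certutil -K prints one key per line: "< 0> rsa   <key id>   <token name>:<nickname>"
_KEY_LINE = re.compile(
    r"^<\s*\d+>\s+(?P<type>\w+)\s+(?P<id>[0-9a-fA-F]+)\s*(?P<name>.*?)\s*$"
)


@dataclass
class NssDbSummary:
    certs: dict = field(default_factory=dict)  # nickname -> trust flags (SSL,S/MIME,JAR/XPI)
    keys: dict = field(default_factory=dict)   # nickname -> (key type, key id)

    def certs_with_key(self):
        """Certificates that can be renewed in place (certutil -R -k reuses the key)."""
        return sorted(n for n in self.certs if n in self.keys)

    def certs_without_key(self):
        """CA and peer certificates: only trusted, nothing to renew here."""
        return sorted(n for n in self.certs if n not in self.keys)

    def orphan_keys(self):
        """Keys whose certificate was deleted or never imported: the usual
        reason a key 'does not match' any certificate in the database."""
        return sorted(n for n in self.keys if n not in self.certs)


def parse_cert_listing(text):
    """Parse `certutil -L` output: a two-line header, then '<nickname>   <trust flags>'."""
    certs = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line.strip():
            continue
        if line.startswith("Certificate Nickname") or line.lstrip().startswith("SSL,S/MIME"):
            continue  # header lines
        # nicknames may contain spaces; the trust flags are always the last token
        # (a certificate with no trust bits still prints ",,")
        nick, _, trust = line.rpartition(" ")
        certs[nick.strip()] = trust.strip()
    return certs


def parse_key_listing(text):
    """Parse `certutil -K` output; the token banner and password prompt are ignored."""
    keys = {}
    for line in text.splitlines():
        m = _KEY_LINE.match(line.strip())
        if not m:
            continue
        # softoken keys are reported as "NSS Certificate DB:<nickname>"; drop the token prefix
        _, _, nick = m.group("name").rpartition(":")
        nick = nick.strip() or f"(unnamed key {m.group('id')})"
        keys[nick] = (m.group("type"), m.group("id").lower())
    return keys


def summarize(cert_listing, key_listing):
    return NssDbSummary(certs=parse_cert_listing(cert_listing),
                        keys=parse_key_listing(key_listing))


def summarize_nssdb(nssdb, password_file=None):
    """Same check against a real database directory (needs nss-tools installed;
    not used by the offline demo below)."""
    pw = ["-f", password_file] if password_file else []
    out = {}
    for flag in ("-L", "-K"):
        out[flag] = subprocess.run(["certutil", flag, "-d", nssdb, *pw],
                                   capture_output=True, text=True, check=True).stdout
    return summarize(out["-L"], out["-K"])


def report(summary):
    lines = []
    for nick in summary.certs_with_key():
        lines.append(f"cert+key   {nick}  trust={summary.certs[nick]}  (renewable: certutil -R -k reuses this key)")
    for nick in summary.certs_without_key():
        lines.append(f"cert only  {nick}  trust={summary.certs[nick]}  (CA/peer cert, no private key)")
    for nick in summary.orphan_keys():
        ktype, kid = summary.keys[nick]
        lines.append(f"key only   {nick}  {ktype} id={kid}  (no certificate: this key cannot match anything)")
    return "\n".join(lines)


# --- constructed sample listings, modelled on the certutil output quoted in the thread ---
SAMPLE_CERT_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
IPA.EXAMPLE.COM IPA CA                                       CT,C,C
old-haproxy-cert                                             ,,
"""

SAMPLE_KEY_LISTING = """\
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      7c0646606b33ab683ee4d1790719ebc4154db0f6   NSS Certificate DB:Server-Cert
< 1> rsa      0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3   NSS Certificate DB:haproxy-2018
"""

if __name__ == "__main__":
    print(report(summarize(SAMPLE_CERT_LISTING, SAMPLE_KEY_LISTING)))
```

Run it against a live database with `summarize_nssdb("/etc/httpd/alias")` (or whatever directory the application's configuration points at); only nicknames in the "cert+key" group can be renewed with the `certutil -R -k ... / ipa cert-request` sequence quoted above, and a "key only" entry means the key you extracted with pk12util was never going to match the certificate you are comparing it with.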
change default freeipa settings for password change/expire and otp timeout
by Jelle de Jong
Hello everybody,
First thank you for the great software and this support list!
I got a few questions:
version that I am using: ipa-server-4.6.4-10.el7.centos.2.x86_64
1) I need to be able to set the initial password and not have it changed
or expired after I add the user. I need users to be able to login
straight away. What configuration file or policy option? And where can I
change this for all users?
2) I want to change the default timeout for the OTP token, when
generated from the GUI? (I am aware about the option with the CLI)
Thank you in advance,
Kind regards,
Jelle de Jong
5 years, 1 month
Re: change default freeipa settings for password change/expire and otp timeout
by Dmitry Perets
Hi,
I saw another solution for your problem - you can define a user as
"passSyncManager".
Then that particular user will be able to set passwords for other
users without having them immediately expired.
This is especially handy when you have periodic synchronization with
some external account management system, from which you get passwords.
This was described here, but I think it was removed from later
versions of RHEL documentation:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/...
Anyway, I tested it, and I think it worked... maybe one day it stopped
working (or will stop).
Example:
```
# ldapmodify -x -D "cn=Directory Manager" -W
Enter LDAP Password:
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=ext-provisioner,cn=users,cn=accounts,dc=ims,dc=telekom,dc=de
```
--
Regards,
Dmitry Perets.
"The more one knows, the less opinions he shares"
-- Wilhelm Schwebel
5 years, 1 month
Announcing SSSD 1.16.4
by Jakub Hrozek
SSSD 1.16.4
===========
The SSSD team is proud to announce the release of version 1.16.4 of the
System Security Services Daemon.
The tarball can be downloaded from https://releases.pagure.org/SSSD/sssd/
RPM packages will be made available for Fedora shortly.
Feedback
--------
Please provide comments, bugs and other feedback via the sssd-devel or
sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Highlights
----------
New Features
^^^^^^^^^^^^
* The list of PAM services which are allowed to authenticate using a
Smart Card is now configurable using a new option
``pam_p11_allowed_services``. (#2926)
* A new configuration option ``ad_gpo_implicit_deny`` was added. When set
to True it denies access to users for whom no applicable GPO exists; by
default users are allowed access in this situation. (#3701)
* The LDAP authentication provider can now change LDAP passwords with a
modify operation in addition to the default password-modify extended
operation. This is meant to support old LDAP servers that do not implement
the extended operation. The modify-based change is selected with
``ldap_pwmodify_mode = "ldap_modify"`` (#1314)
* The ``auto_private_groups`` configuration option now takes a new value
``hybrid``. This mode autogenerates private groups for user entries
where the UID and GID values have the same value and at the same time
the GID value does not correspond to a real group entry in LDAP (#3822)
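The four new options above, put together in an sssd.conf fragment. This is an added example by the editor, not a configuration shipped with the SSSD release or taken from its documentation; the domain names, the PAM service name my_pam_service, the LDAP URI and the chosen values are illustrative, and the section placement ([pam] for the responder option, [domain/...] for the provider options) is the one sssd.conf(5) prescribes.

```ini
[sssd]
domains = example.com, legacy.example.com
services = nss, pam

[pam]
# 1.16.4: the PAM services allowed to authenticate with a Smart Card are
# configurable. "+name" adds to the built-in list, "-name" removes from it
# (my_pam_service is an illustrative service name).
pam_p11_allowed_services = +my_pam_service

[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
# Default False: a user with no applicable GPO is allowed in. True turns
# that into a deny, so a missing or unreadable GPO fails closed.
ad_gpo_implicit_deny = True
# 1.16.4 default for the AD provider; set explicitly so an upgrade of an
# older config behaves the same for users without homeDirectory.
fallback_homedir = /home/%d/%u

[domain/legacy.example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.legacy.example.com
ldap_search_base = dc=legacy,dc=example,dc=com
# Directory without the RFC 3062 password-modify extended operation:
# change passwords with a plain LDAP modify of userPassword instead.
ldap_pwmodify_mode = ldap_modify
# hybrid: a private group is generated only for users whose uidNumber equals
# their gidNumber and whose gidNumber matches no real group in the directory;
# everyone else keeps the primary group the directory assigns.
auto_private_groups = hybrid
```

`ad_gpo_implicit_deny = True` is the setting to test carefully before rollout: with `access_provider = ad` every account on a host that has no GPO linked to it is locked out, including the one you are logged in with.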
Security issues fixed
^^^^^^^^^^^^^^^^^^^^^
* CVE-2019-3811: SSSD used to return "/" in case a user entry had no home
directory. This was deemed a security issue because this flaw could
impact services that restrict the user's filesystem access to within
their home directory. An empty home directory field would indicate
"no filesystem access", where sssd reporting it as "/" would grant full
access (though still confined by unix permissions, SELinux etc).
Notable bug fixes
^^^^^^^^^^^^^^^^^
* The IPA provider, in a setup with a trusted Active Directory domain,
did not remove cached entries that were no longer present on
the AD side (#3984)
* The Active Directory provider now fetches the user information from the
LDAP port and switches to the Global Catalog port, if available, only for
the group membership lookup. This fixes an issue where attributes which
are not available in the Global Catalog, typically the home directory,
would be removed from the user entry. (#2474)
* The IPA SELinux provider now sets the user login context even if it is the
same as the system default. This is important in case the user has
a non-standard home directory, because then only adding the user to
the SELinux database ensures the home directory will be labeled properly.
However, this fix causes a performance hit during the first login
as the context must be written into the semanage database.
* The sudo responder did not reflect the case_sensitive domain option
(#3820)
* A memory leak when requesting netgroups repeatedly was fixed (#3870)
* An issue that caused SSSD to sometimes switch to offline mode in case
not all domains in the forest ran the Global Catalog service was
fixed (#3902)
* The SSH responder no longer fails completely if the ``p11_child`` times out
when deriving SSH keys from a certificate (#3937)
* The negative cache was not reloaded after new sub domains were discovered which
could have led to a high SSSD load (#3683)
* The negative cache did not work properly in case a lookup fell back to trying
a UPN instead of a name (#3978)
* If an SSSD responder was too busy, it did not refresh the trusted domain
list (#3967)
* A potential crash due to a race condition between the fail over code refreshing
a SRV lookup and the back end using its results was fixed (#3976)
* Sudo's runAsUser and runAsGroup attributes did not match properly when used in
setups with domain_resolution_order (#3957)
* Processing of the values from the ``filter_users`` or ``filter_groups`` options
could trigger calls to blocking NSS API functions which could in turn
prevent the startup of SSSD services in case nsswitch.conf contained
modules other than ``sss`` or ``files`` (#3963)
Tickets Fixed
-------------
* `3967 <https://pagure.io/SSSD/sssd/issue/3967>`_ - NSS responder does no refresh domain list when busy
* `2926 <https://pagure.io/SSSD/sssd/issue/2926>`_ - Make list of local PAM services allowed for Smartcard authentication configurable
* `3819 <https://pagure.io/SSSD/sssd/issue/3819>`_ - sssd only sets the SELinux login context if it differs from the default
* `3820 <https://pagure.io/SSSD/sssd/issue/3820>`_ - sudo: search with lower cased name for case insensitive domains
* `3870 <https://pagure.io/SSSD/sssd/issue/3870>`_ - nss: memory leak in netgroups
* `3451 <https://pagure.io/SSSD/sssd/issue/3451>`_ - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.
* `3875 <https://pagure.io/SSSD/sssd/issue/3875>`_ - CURLE_SSL_CACERT is deprecated in recent curl versions
* `3902 <https://pagure.io/SSSD/sssd/issue/3902>`_ - SSSD must be cleared/restarted periodically in order to retrieve AD users through IPA Trust
* `3901 <https://pagure.io/SSSD/sssd/issue/3901>`_ - sssd returns '/' for emtpy home directories
* `3919 <https://pagure.io/SSSD/sssd/issue/3919>`_ - sss_cache prints spurious error messages when invoked from shadow-utils on package install
* `3845 <https://pagure.io/SSSD/sssd/issue/3845>`_ - The config file validator says that certmap options are not allowed
* `3937 <https://pagure.io/SSSD/sssd/issue/3937>`_ - If p11_child spawned from sssd_ssh times out, sssd_ssh fails completely
* `3961 <https://pagure.io/SSSD/sssd/issue/3961>`_ - sssd config-check reports an error for a valid configuration option
* `3701 <https://pagure.io/SSSD/sssd/issue/3701>`_ - [RFE] Allow changing default behavior of SSSD from an allow-any default to a deny-any default when it can't find any GPOs to apply to a user login.
* `2474 <https://pagure.io/SSSD/sssd/issue/2474>`_ - AD: do not override existing home-dir or shell if they are not available in the global catalog
* `3958 <https://pagure.io/SSSD/sssd/issue/3958>`_ - sssd_krb5_locator_plugin introduces delay in cifs.upcall krb5 calls
* `3890 <https://pagure.io/SSSD/sssd/issue/3890>`_ - SSSD changes the memory cache file ownership away from the SSSD user when running as root
* `3942 <https://pagure.io/SSSD/sssd/issue/3942>`_ - RemovedInPytest4Warning: Fixture "passwd_ops_setup" called directly
* `3276 <https://pagure.io/SSSD/sssd/issue/3276>`_ - Revert workaround in CI for bug in python-{request,urllib3}
* `3978 <https://pagure.io/SSSD/sssd/issue/3978>`_ - UPN negative cache does not use values from 'filter_users' config option
* `3983 <https://pagure.io/SSSD/sssd/issue/3983>`_ - filter_users option is not applied to sub-domains if SSSD starts offline
* `3947 <https://pagure.io/SSSD/sssd/issue/3947>`_ - SSSD netgroups do not honor entry_cache_nowait_percentage
* `3984 <https://pagure.io/SSSD/sssd/issue/3984>`_ - IPA: Deleted user from trusted domain is not removed properly from the cache on IPA clients
* `3976 <https://pagure.io/SSSD/sssd/issue/3976>`_ - crash in dp_failover_active_server
* `3957 <https://pagure.io/SSSD/sssd/issue/3957>`_ - sudo: runAsUser/Group does not work with domain_resolution_order
* `1314 <https://pagure.io/SSSD/sssd/issue/1314>`_ - RFE Request for allowing password changes using SSSD in DS which dont follow OID's from RFC 3062
* `3822 <https://pagure.io/SSSD/sssd/issue/3822>`_ - Enable generating user private groups only for users with no primary GID
* `3963 <https://pagure.io/SSSD/sssd/issue/3963>`_ - Responders: processing of `filter_users`/`filter_groups` should avoid calling blocking NSS API
Packaging Changes
-----------------
* Several files in the reference specfile changed permissions to avoid
issues with verifying the file integrity with ``rpm -V`` in case
SSSD runs as a different user than the default user it is configured
with (#3890)
Documentation Changes
---------------------
* The AD provider default value of ``fallback_homedir`` was changed
to ``fallback_homedir = /home/%d/%u`` to provide home directories for
users without the ``homeDirectory`` attribute.
* A new option ``ad_gpo_implicit_deny``, defaulting to False (#3701)
* A new option ``ldap_pwmodify_mode`` (#1314)
* A new option ``pam_p11_allowed_services`` (#2926)
* The ``auto_private_groups`` accepts a new option value ``hybrid`` (#3822)
* Improved documentation of the Kerberos locator plugin
Detailed Changelog
------------------
* Alexey Tikhonov (5):
* Fix error in hostname retrieval
* lib/cifs_idmap_sss: fixed unaligned mem access
* ci/sssd.supp: fixed c-ares-suppress-leak-from-init
* negcache: avoid "is_*_local" calls in some cases
* Monitor: changed provider startup timeout
* Fabiano Fidêncio (1):
* man/sss_ssh_knownhostsproxy: fix typo pubkeys -> pubkey
* Jakub Hrozek (54):
* Updating the version to track 1.16.4 development
* src/tests/python-test.py is GPLv3+
* src/tests/intg/util.py is licensed under GPLv3+
* src/tests/intg/test_ts_cache.py is licensed under GPLv3+
* src/tests/intg/test_sudo.py is licensed under GPLv3+
* src/tests/intg/test_sssctl.py is licensed under GPLv3+
* src/tests/intg/test_ssh_pubkey.py is licensed under GPLv3+
* src/tests/intg/test_session_recording.py is licensed under GPLv3+
* src/tests/intg/test_secrets.py is licensed under GPLv3+
* src/tests/intg/test_pysss_nss_idmap.py is licensed under GPLv3+
* src/tests/intg/test_pam_responder.py is licensed under GPLv3+
* src/tests/intg/test_pac_responder.py is licensed under GPLv3+
* src/tests/intg/test_netgroup.py is licensed under GPLv3+
* src/tests/intg/test_memory_cache.py is licensed under GPLv3+
* src/tests/intg/test_local_domain.py is licensed under GPLv3+
* src/tests/intg/test_ldap.py is licensed under GPLv3+
* src/tests/intg/test_kcm.py is licensed under GPLv3+
* src/tests/intg/test_infopipe.py is licensed under GPLv3+
* src/tests/intg/test_files_provider.py is licensed under GPLv3+
* src/tests/intg/test_files_ops.py is licensed under GPLv3+
* src/tests/intg/test_enumeration.py is licensed under GPLv3+
* src/tests/intg/sssd_passwd.py is licensed under GPLv3+
* src/tests/intg/sssd_nss.py is licensed under GPLv3+
* src/tests/intg/sssd_netgroup.py is licensed under GPLv3+
* src/tests/intg/sssd_ldb.py is licensed under GPLv3+
* src/tests/intg/sssd_id.py is licensed under GPLv3+
* src/tests/intg/sssd_group.py is licensed under GPLv3+
* src/tests/intg/secrets.py is licensed under GPLv3+
* src/tests/intg/ldap_local_override_test.py is licensed under GPLv3+
* src/tests/intg/ldap_ent.py is licensed under GPLv3+
* src/tests/intg/krb5utils.py is licensed under GPLv3+
* src/tests/intg/kdc.py is licensed under GPLv3+
* src/tests/intg/files_ops.py is licensed under GPLv3+
* src/tests/intg/ent_test.py is licensed under GPLv3+
* src/tests/intg/ent.py is licensed under GPLv3+
* src/tests/intg/ds_openldap.py is licensed under GPLv3+
* src/tests/intg/ds.py is licensed under GPLv3+
* src/config/setup.py.in is licensed under GPLv3+
* src/config/SSSDConfig/ipachangeconf.py is licensed under GPLv3+
* Explicitly add GPLv3+ license blob to several files
* SELINUX: Always add SELinux user to the semanage database if it doesn't exist
* pep8: Ignore W504 and W605 to silence warnings on Debian
* LDAP: minor refactoring in auth_send() to conform to our coding style
* LDAP: Only authenticate the auth connection if we need to look up user information
* NSS: Avoid changing the memory cache ownership away from the sssd user
* TESTS: Only use __wrap_sss_ncache_reset_repopulate_permanent to finish test if needed
* UTIL: Add a is_domain_mpg shorthand
* UTIL: Convert bool mpg to an enum mpg_mode
* CONFDB: Read auto_private_groups as string, not bool
* CONFDB/SYSDB: Add the hybrid MPG mode
* CACHE_REQ: Add cache_req_data_get_type()
* NSS: Add the hybrid-MPG mode
* TESTS: Add integration tests for auto_private_groups=hybrid
* Updating the translations for the 1.16.4 release
* Lukas Slebodnik (26):
* krb5_locator: Make debug function internal
* krb5_locator: Simplify usage of macro PLUGIN_DEBUG
* krb5_locator: Fix typo in debug message
* krb5_locator: Fix formatting of the variable port
* krb5_locator: Use format string checking for debug function
* PAM: Allow to configure pam services for Smartcards
* UTIL: Fix compilation with curl 7.62.0
* test_pac_responder: Skip test if pac responder is not installed
* INTG: Show extra test summary info with pytest
* CI: Modify suppression file for c-ares-1.15.0
* sss_cache: Do not fail for missing domains
* intg: Add test for sss_cache & shadow-utils use-case
* sss_cache: Do not fail if nothing was cached
* test_sss_cache: Add test case for invalidating missing entries
* pyhbac-test: Do not use assertEquals
* SSSDConfigTest: Do not use assertEquals
* SSSDConfig: Fix ResourceWarning unclosed file
* SSSDConfigTest: Remove usage of failUnless
* BUILD: Fix condition for building sssd-kcm man page
* NSS: Do not use deprecated header files
* sss_cache: Fail if unknown domain is passed in parameter
* test_sss_cache: Add test case for wrong domain in parameter
* test_files_provider: Do not use pytest fixtures as functions
* test_ldap: Do not use pytest fixtures as functions
* Revert "intg: Generate tmp dir with lowercase"
* ent_test: Update assertions for python 3.7.2
* Michal Židek (1):
* GPO: Add gpo_implicit_deny option
* Pavel Březina (9):
* sudo: respect case sensitivity in sudo responder
* nss: use enumeration context as talloc parent for cache req result
* netgroups: honor cache_refresh_percent
* sdap: add sdap_modify_passwd_send
* sdap: add ldap_pwmodify_mode option
* sdap: split password change to separate request
* sdap: use ldap_pwmodify_mode to change password
* sudo ipa: do not store rules without sudoHost attribute
* be: remember last good server's name instead of fo_server structure
* Sumit Bose (22):
* intg: flush the SSSD caches to sync with files
* LDAP: Log the encryption used during LDAP authentication
* BUILD: Accept krb5 1.17 for building the PAC plugin
* tests: fix mocking krb5_creds in test_copy_ccache
* tests: increase p11_child_timeout
* Revert "IPA: use forest name when looking up the Global Catalog"
* ipa: use only the global catalog service of the forest root
* utils: make N_ELEMENTS public
* ad: replace ARRAY_SIZE with N_ELEMENTS
* responder: fix domain lookup refresh timeout
* ldap: add get_ldap_conn_from_sdom_pvt
* ldap: prefer LDAP port during initgroups user lookup
* ldap: use get_ldap_conn_from_sdom_pvt() where possible
* krb5_locator: always use port 88 for master KDC
* NEGCACHE: initialize UPN negative cache as well
* NEGCACHE: fix typo in debug message
* NEGCACHE: repopulate negative cache after get_domains
* ldap: add users_get_handle_no_user()
* ldap: make groups_get_handle_no_group() public
* ipa s2n: fix typo
* ipa s2n: do not add UPG member
* ipa s2n: try to remove objects not found on the server
* Thorsten Scherf (1):
* CONFIG: add missing ldap attributes for validation
* Tomas Halman (4):
* nss: sssd returns '/' for emtpy home directories
* ssh: sssd_ssh fails completely on p11_child timeout
* ssh: p11_child error message is too generic
* krb5_locator: Allow hostname in kdcinfo files
* Victor Tapia (1):
* GPO: Allow customization of GPO_CROND per OS
* mateusz (1):
* Added note about default value of ad_gpo_map_batch parameter
5 years, 1 month
Need a howto for "Service Account done correctly"
by Will Kay
Hi,
I'm working on binding a Fortinet FW to FreeIPA LDAP for VPN authentication. I did quite a few Google searches and found only a few leads. I want to make sure I will do this correctly.
1. Setup a "system account" per this FreeIPA Howto https://www.freeipa.org/page/HowTo/LDAP
2. In the HowTo, "note: IPA 4.0 is going to change the default stance ... to nothing is readable".
I defined the system account per the HowTO with v4.6.4. I assume nothing is readable now.
A) How do I verify that the system account can't read the users or groups?
B) How do I grant permission for the "system account" to read user and groups which I need for FW auth?
3. I ran a test on the Fortigate admin GUI
I set Common Name Identifier to "uid", DN to "cn=account,dc=example,dc=com". I was able to test connectivity bind type Simple or Anonymous. I can't see a need for anonymous bind, at least for now. The correct way to disable anonymous bind is modifying nsslapd-allow-anonymous-access ?
Thanks
W
5 years, 1 month
Problem on second trust
by SOLER SANGUESA Miguel
hello,
I have 3 IDM clusters with RHEL 7.5 and ipa-server-4.5.4-10 (they are independent: 1 for my company and the other 2 for 2 clients), with domain names:
1) ipa.mydomain.com
2) ipa.client1_domain.com
3) ipa.client2_domain.com
All of them have a trust with an AD domain:
1) ad-domain.mydomain.com
2) client1_domain.com
3) addomain.client2_domain.com
The problem I have is when I try to create the second trust from clusters 2 and 3 to the same domain I have on cluster 1, "ad-domain.mydomain.com". I get the following answer:
# ipa trust-add --type=ad AD-domain.mydomain.com --range-type=ipa-ad-trust --server=AD_server.AD-domain.mydomain.com --all
Active Directory domain administrator: ad_admin
Active Directory domain administrator's password:
ipa: ERROR: CIFS server communication error: code "-1073741771", message "The object name already exists." (both may be "None")
Attached is the full sanitised log of /var/log/httpd/error_log with debug mode. There the error is:
out: struct lsa_CreateTrustedDomainEx2
result : NT_STATUS_OBJECT_NAME_COLLISION
I have also tried to do the trust on Windows side (the other method explained on the manual with shared password), but AD (Windows server 2008 R2) complains that the trust is already done:
Of course there is no trust between them, (checked on IDM side with "ipa trust-show ad-domain.mydomain.com") and checked also on Windows side
We think it might be because we have the same NETBIOS name "IPA" on both domains that we try to do a trust with "ad-domain.mydomain.com": ipa.mydomain.com (that is already trusted with ad-domain.mydomain.com) and ipa.clientX_domain.com
Is that possible? How can we fix that?
Thanks & Regards.
______________________________
Miguel
5 years, 1 month
urgent help needed, ipa unusable after short power cut
by Marisa Sandhoff
Dear all,
after a short power outage this morning the server hosting our virtual
machine ipa2 (running ipa-server-4.6.4-10) had lost its harddisks. After
a reboot the server and the virtual machine ipa2 are back, but the ipa
service cannot be started (it tries for a long time to start pki-tomcat and
then fails).
The attached error messages are the best I could find in the logs ...
any help is much appreciated!!!!
Thanks a lot in advance!
Best regards,
Marisa
[root@ipa2 slapd-PLEIADES-UNI-WUPPERTAL-DE]# tail -f errors
[18/Mar/2019:14:36:27.539686690 +0100] - ERR - NSMMReplicationPlugin -
ruv_compare_ruv - RUV [changelog max RUV] does not contain element
[{replica 97 ldap://ipa2.pleiades.uni-wuppertal.de:389}
5645e979000000610000 57ac3411000400610000] which is present in RUV
[database RUV]
[18/Mar/2019:14:36:27.545032725 +0100] - WARN - NSMMReplicationPlugin -
replica_check_for_data_reload - For replica o=ipaca there were some
differences between the changelog max RUV and the database RUV. If
there are obsolete elements in the database RUV, you should remove them
using the CLEANALLRUV task. If they are not obsolete, you should check
their status to see why there are no changes from those servers in the
changelog.
[18/Mar/2019:14:36:27.577557647 +0100] - ERR - set_krb5_creds - Could
not get initial credentials for principal
[ldap/ipa2.pleiades.uni-wuppertal.de(a)PLEIADES.UNI-WUPPERTAL.DE] in
keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see
e-text))
[18/Mar/2019:14:36:27.641236527 +0100] - INFO - slapd_daemon - slapd
started. Listening on All Interfaces port 389 for LDAP requests
[18/Mar/2019:14:36:27.663628433 +0100] - INFO - slapd_daemon - Listening
on All Interfaces port 636 for LDAPS requests
[18/Mar/2019:14:36:27.668455970 +0100] - INFO - slapd_daemon - Listening
on /var/run/slapd-PLEIADES-UNI-WUPPERTAL-DE.socket for LDAPI requests
[18/Mar/2019:14:36:28.168206235 +0100] - ERR - schema-compat-plugin -
schema-compat-plugin tree scan will start in about 5 seconds!
[18/Mar/2019:14:36:33.531027962 +0100] - ERR - schema-compat-plugin -
warning: no entries set up under
ou=sudoers,dc=pleiades,dc=uni-wuppertal,dc=de
[18/Mar/2019:14:36:33.969987161 +0100] - ERR - schema-compat-plugin -
warning: no entries set up under cn=computers,
cn=compat,dc=pleiades,dc=uni-wuppertal,dc=de
[18/Mar/2019:14:36:33.987009592 +0100] - ERR - schema-compat-plugin -
Finished plugin initialization.
[root@ipa2 slapd-PLEIADES-UNI-WUPPERTAL-DE]# ipa-replica-manage list-ruv
Directory Manager password:
Replica Update Vectors:
ipa2.pleiades.uni-wuppertal.de:389: 10
ipa.pleiades.uni-wuppertal.de:389: 11
Certificate Server Replica Update Vectors:
ipa2.pleiades.uni-wuppertal.de:389: 81
ipa.pleiades.uni-wuppertal.de:389: 1095
ipa.pleiades.uni-wuppertal.de:389: 96
ipacentos7.pleiades.uni-wuppertal.de:389: 86
ipacentos7.pleiades.uni-wuppertal.de:389: 91
ipa2.pleiades.uni-wuppertal.de:389: 97
[root@ipa2 slapd-PLEIADES-UNI-WUPPERTAL-DE]#
--
Dr. Marisa Sandhoff
Experimentelle Elementarteilchenphysik
Fakultät für Mathematik und Naturwissenschaften
Bergische Universitaet Wuppertal
Gaussstr. 20
D-42097 Wuppertal, Germany
-------
marisa.sandhoff(a)cern.ch
sandhoff(a)physik.uni-wuppertal.de
Raum D.09.03
Phone +49 202 439 3521
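The 389-ds warning in the log above says to check whether the database RUV carries obsolete elements, and the list-ruv output is where you see them: a host normally holds exactly one replica ID per suffix, so a host listed with several IDs (here ipa2 with 81 and 97 in the o=ipaca suffix) usually points at stale entries left behind by earlier reinstalls. The following parser is an added example, not part of Marisa's post or of FreeIPA itself; it assumes the `ipa-replica-manage list-ruv` text layout shown in the post, and the sample input is constructed in that style.

```python
"""Flag hosts that carry more than one replica ID in `ipa-replica-manage list-ruv` output.

Added example (not FreeIPA code). The input format is assumed from the
list-ruv output in the post: a section header ending in
"Replica Update Vectors:" followed by "host:port: replica_id" lines.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the list-ruv output in the post (hostnames invented).
SAMPLE_LIST_RUV = """\
Replica Update Vectors:
\tipa2.example.test:389: 10
\tipa.example.test:389: 11
Certificate Server Replica Update Vectors:
\tipa2.example.test:389: 81
\tipa.example.test:389: 1095
\tipa.example.test:389: 96
\tipacentos7.example.test:389: 86
\tipacentos7.example.test:389: 91
\tipa2.example.test:389: 97
"""

_HEADER_RE = re.compile(r"^(?P<name>.*Replica Update Vectors):\s*$")
_ENTRY_RE = re.compile(r"^\s*(?P<host>[^\s:]+):(?P<port>\d+):\s*(?P<rid>\d+)\s*$")


def parse_list_ruv(text):
    """Return {section_name: {host: [replica_id, ...]}} from list-ruv output."""
    sections = {}
    current = None
    for line in text.splitlines():
        header = _HEADER_RE.match(line)
        if header:
            current = header.group("name")
            sections[current] = defaultdict(list)
            continue
        entry = _ENTRY_RE.match(line)
        if entry and current is not None:
            sections[current][entry.group("host")].append(int(entry.group("rid")))
    return {name: dict(hosts) for name, hosts in sections.items()}


def find_duplicate_ruvs(text):
    """Return {section_name: {host: sorted_ids}} for hosts with more than one replica ID.

    Each suffix (section) should list a host exactly once; extra IDs are
    candidates for the CLEANALLRUV task mentioned in the 389-ds warning,
    after confirming which ID is the live one on that host.
    """
    duplicates = {}
    for section, hosts in parse_list_ruv(text).items():
        flagged = {host: sorted(ids) for host, ids in hosts.items() if len(ids) > 1}
        if flagged:
            duplicates[section] = flagged
    return duplicates


if __name__ == "__main__":
    for section, hosts in find_duplicate_ruvs(SAMPLE_LIST_RUV).items():
        print(section)
        for host, ids in hosts.items():
            print(f"  {host}: replica IDs {ids} (expected exactly one)")
```

Run it against the real output (`ipa-replica-manage list-ruv | python3 ruv_check.py` after swapping the sample for `sys.stdin.read()`); the script only reports duplicates and leaves the decision of which ID is obsolete to the administrator, since the live ID is whatever the replica currently advertises.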
5 years, 1 month
Announcing freeIPA 4.6.5
by Rob Crittenden
The FreeIPA team would like to announce FreeIPA 4.6.5 release!
It can be downloaded from http://www.freeipa.org/page/Downloads.
== Highlights in 4.6.5 ==
=== Enhancements ===
* Honor SRV record priority and weight
* Support for the IPAddr SAN type
* Added more indices to improve performance
=== Bug fixes ===
FreeIPA 4.6.5 is a stabilization release for the features delivered as a
part of 4.6.0.
There are more than 18 bug fixes, details of which can be seen in
the list of resolved tickets below.
== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...)
or #freeipa channel on Freenode.
== Resolved tickets ==
* 7883 Cannot install ipa-server on rhel7
* 7852 pki spawn fails for IPA replica install from RHEL6 IPA master
* 7803 Missing index on idnsName
* 7797 SSSD's getservby*() causes performance issues
* 7796 ipa-replica-install fails migrating CentOS 6 to 7
* 7792 Missing index on ipaconfigstring
* 7786 Index accessruletype, hostcategory, ipaenabledflag,
ipserviceport, and ipserviceprotocol by default
* 7777 new prci_definitions memory requirements
* 7775 IPA Upgrade failed with "unable to convert the attribute
u'cACertificate;binary'"
* 7770 searching for ipa users by certificate fails
* 7751 add ipaapi user to the list of allowed uids in [ifp] section in
sssd configuration
* 7731 ipa-advise command points to old URL's.
* 7706 Adding 3rd Party CAs to IPA results in SmartCard preparation
script failure
* 7684 Re-installing replica on the same system displays 'WARNING:
cannot check if port 443 is already configured'
* 7681 ipa server uninstall with -v option displays "IOError: [Errno 9]
Bad file descriptor Logged from file ipautil.py, line 442"
* 7666 ipa-server-install script is failing when using the
"--no-dnssec-validation" parameter combined with the "--forwarder"
* 7659 ipa trust-add fails in FIPS mode.
* 7644 ipa-server-upgrade displays 'DN: cn=Schema
Compatibility,cn=plugins,cn=config does not exists or haven't been updated'
* 7642 Installation fails: Replica Busy
== Detailed changelog since 4.6.4 ==
Aleksei Slaikovskii (1):
Prevent installation with single label domains
Alexander Bokovoy (10):
ipaserver/dcerpc.py: handle indirect topology conflicts
Allow anonymous access to parentID attribute
Move fips_enabled to a common library to share across different
plugins
ipasam: do not use RC4 in FIPS mode
ipa-kdb: reduce LDAP operations timeout to 30 seconds
ipa-sidgen: make internal fetch_attr helper really internal
ipaserver/dcerpc: fix exclusion entry with a forest trust domain
info returned
make sure IPA_CONFDIR is used to check that client is configured
Processing of server roles should ignore errors.EmptyResult
Update template directory with new variables when upgrading
ipa.conf.template
Anuja More (2):
Test for ipa-client-install should not use hardcoded admin principal
Test for ipa-replica-install fails with PIN error for CA-less env.
Armando Neto (11):
ipaserver config plugin: Increase search records minimum limit
Prevent the creation on users and groups with numeric characters only
ipa-client-install: Update how comments are added by ipachangeconf
ipa-server-install: fix zonemgr argument validator
Fix pylint 2.0 return-related violations
Fix pylint 2.0 conditional-related violations
Fix Pylint 2.0 violations
Disable Pylint 2.0 violations
Fix regression: Handle unicode where str is expected
ui_tests: fix test_config::test_size_limits
Fix certificate type error when exporting to file
Christian Heimes (67):
Sort and shuffle SRV record by priority and weight
Increase WSGI process count to 5 on 64bit
Always set ca_host when installing replica
Improve and fix timeout bug in wait_for_entry()
Use common replication wait timeout of 5min
Fix replication races in Dogtag admin code
Use 4 WSGI workers on 64bit systems
Add test case for allow-create-keytab
Require python-ldap with fix for ref counting bug
Use freeipa/ci-ipa-4-6-f27 for PR-CI
Ensure that public cert and CA bundle are readable
Always make ipa.p11-kit world-readable
Make /etc/httpd/alias world readable & executable
Fix permission of public files in upgrader
Catch ACIError instead of invalid credentials
Import ABCs from collections.abc
Query for server role IPA master
Only create DNS SRV records for ready server
Delay enabling services until end of installer
Fix CA topology warning
Fix race condition in get_locations_records()
Auto-retry failed certmonger requests
Wait for client certificates
Tune DS replication settings
Fix DNSSEC install regression
pylint 2.0: node.path is a list
Add tab completion and history to ipa console
Create helper function to upload to temp file
Fix ipa console filename
Handle races in replica config
Teach pylint how our api works
Add pylint ignore to magic config.Env attributes
Fix KRA replica installation from CA master
Rename pytest_plugins to ipatests.pytest_ipa
Fix ipadb_multires resource handling
Don't abuse strncpy() length limitation
has_krbprincipalkey: avoid double free
ipadb_mspac_get_trusted_domains: NULL ptr deref
ipapwd_pre_mod: NULL ptr deref
Allow ipaapi user to access SSSD's info pipe
Copy-paste error in permissions plugin, CID 323649
Fix pytest deprecation warning
pylint 2.2: Fix unnecessary pass statement
pylint: Fix duplicate-string-formatting-argument
pylint: also verify scripts
Address misc pylint issues in CLI scripts
Address pylint violations in lite-server
Address inconsistent-return-statements
Fix Module 'pytest' has no 'config' member
Silence comparison-with-itself in tests
Ignore W504 code style like in travis config
Ignore consider-using-enumerate for now
Address consider-using-in
Fix comparison-with-callable
Fix useless-import-alias
Resolve user/group names in idoverride*-find
Add integration tests for idviews
Add index and container for RFC 2307 IP services
LDAPUpdate: Batch index tasks
Add more LDAP indices
Create reindex task for ipaca DB
Add index on idnsName
Create systemd-user HBAC service and rule
Make conftest compatible with pytest 4.x
Fix systemd-user HBAC rule
Add workaround for slow host/service del
Optimize cert remove case
Felipe Barreto (1):
Fixing tests on TestReplicaManageDel
Florence Blanc-Renaud (43):
ipa client uninstall: clean the state store when restoring hostname
PRCI: extend timeouts
Tests: add integration test for password changes by dir mgr
ipa commands: print 'IPA is not configured' when ipa is not setup
Test: test ipa-* commands when IPA is not configured
DS replication settings: fix regression with <3.3 master
uninstall -v: remove Tracebacks
ipautil.run: add test for runas parameter
Fix ipa-replica-install when key not protected by PIN
ipa-server-install: do not perform forwarder validation with
--no-dnssec-validation
tests: add test for server install with --no-dnssec-validation
ipa-replica-install: fix pkinit setup
Tests: test successful PKINIT install on replica
ipa-replica-install: properly use the file store
Test: scenario replica install/uninstall should restore nss.conf
ipa-advise: fix script for smart card preparation
Bump requires for pki
Bump requires 389-ds-base
Adapt backport to ipa-4-6 branch
ipa-replica-install --setup-adtrust: check for package
ipa-server-trust-ad
ipa-backup: restart services before compressing the backup
ipatest: add functional test for ipa-backup
ipa user-add: add optional objectclass for radius-username
tests: add xmlrpc test for ipa user-add --radius-username
radiusproxy: add permission for reading radius proxy servers
ipatests: add integration test for "Read radius servers" perm
ipa-replica-install: password and admin-password options mutually
exclusive
ipatests: add test for ipa-replica-install options
ipatests: fix test_replica_uninstall_deletes_ruvs
ipaldap.py: fix method creating a ldap filter for IPACertificate
ipatests: add xmlrpc test for user|host-find --certificate
ipa upgrade: handle double-encoded certificates
ipatests: add upgrade test for double-encoded cacert
ipatests: fix TestUpgrade::test_double_encoded_cacert
ipatest: add test for ipa-pkinit-manage enable|disable
PKINIT: fix ipa-pkinit-manage enable|disable
replication: check remote ds version before editing attributes
replica installation: add master record only if in managed zone
ipatests: add test for replica in forward zone
tests: fix failure in
test_topology_TestTopologyOptions:test_add_remove_segment
CRL generation master: new utility to enable|disable
Test: add new tests for ipa-crlgen-manage
ipa server: prevent uninstallation if the server is CRL master
Francisco Trivino (1):
prci_definitions: update vagrant memory topology requirements
François Cami (5):
Add a shared-vault-retrieve test
Add a "Find enabled services" ACI in 20-aci.update so that all
users can find IPA servers and services. ACI suggested by Christian Heimes.
pylintrc: ignore R1720 no-else-raise errors
ipatests: add too-restrictive mask tests
ipa-{server,replica}-install: add too-restrictive mask detection
Fraser Tweedale (12):
Fix writing certificate chain to file
ipaldap: avoid invalid modlist when attribute encoding differs
rpc: always read response
certupdate: add commentary about certmonger behaviour
cert-request: restrict IPAddress SAN to host/service principals
cert-request: collect only qualified DNS names for IPAddress
validation
cert-request: generalise _san_dnsname_ips for arbitrary cname depth
cert-request: report all unmatched SAN IP addresses
Add tests for cert-request IP address SAN support
cert-request: more specific errors in IP address validation
cert-request: handle missing zone
cert-request: fix py2 unicode/str issues
Ganna Kaihorodova (1):
Add check for occurring traceback during uninstallation of ipa master
Ian Pilcher (1):
Allow issuing certificates with IP addresses in subjectAltName
Kaleemullah Siddiqui (1):
Test coverage for multiservers for radius proxy
Michal Reznik (7):
ui_tests: fixes for issues with sending key and focus on element
ui_tests: extend test_config.py suite
ipa_tests: test ssh keys login
test: client uninstall fails when installed using non-existing
hostname
tests: sssd_ssh fd leaks when user cert converted into SSH key
add strip_cert_header() to tasks.py
bump ci-ipa-4-6-f27 PRCI template
Mohammad Rizwan Yusuf (6):
Extended UI test for selfservice permission.
Extended UI test for Certificates
Check if issuer DN is updated after self-signed > external-ca
Check if user permissions and umask 0022 are set when executing
ipa-restore
Test if WSGI worker process count is set to 4
Test error when yubikey hardware not present
Nikhil Dehadrai (1):
Test for improved Custodia key distribution
Oleg Kozlov (1):
Remove stale kdc requests info files when upgrading IPA server
Petr Voborník (1):
ipa-advise: update url of cacerdir_rehash tool
Rob Crittenden (12):
VERSION.m4: Set back to git snapshot
zanata: update translations for ipa-4-6
Use replace instead of add to set new default ipaSELinuxUserMapOrder
Replace some test case adjectives
Rename test class for testing simple commands, add test
replicainstall: DS SSL replica install pick right certmonger host
Disable message about log in ipa-backup if IPA is not configured
Enable LDAP debug output in client to display TLS errors in join
Update mod_nss cipher list so there is overlap with a 4.x master
Add support for multiple certificates/formats to ipa-cacert-manage
Add tests for ipa-cacert-manage install
Send only the path and not the full URI to httplib.request
Robbie Harwood (2):
Clear next field when returning list elements in queue.c
Add cmocka unit tests for ipa otpd queue code
Sergey Orlov (1):
ipatests: add test for correct modlist when value encoding differs
Serhii Tsymbaliuk (15):
Fix hardcoded CSR in test_webui/test_cert.py
Use random IPs and domains in test_webui/test_host.py
Increase request timeout for WebUI tests
Fix test_realmdomains::test_add_single_labeled_domain (Web UI test)
Use random realmdomains in test_webui/test_realmdomains.py
Fix test_user::test_login_without_username (Web UI test)
Fix unpermitted user session in test_selfservice (Web UI test)
Add SAN extension for CSR generation in test_cert (Web UI tests)
Generate CSR for test_host::test_certificates (Web UI test)
Add cookies clearing for all Web UI tests
Remove unnecessary session clearing in some Web UI tests
Increase some timeouts in Web UI tests
Fix UI_driver.has_class exception. Handle situation when element
has no class attribute
Change Web UI tests setup flow
Fix "Configured size limit exceeded" warning on Web UI
Sumit Bose (1):
ipa-extdom-exop: add instance counter and limit
Thierry Bordaz (1):
In IPA 4.4 when updating userpassword with ldapmodify does not
update krbPasswordExpiration nor krbLastPwdChange
Thomas Woerner (4):
ipaserver/plugins/cert.py: Added reason to raise of errors.NotFound
Find orphan automember rules
Fix resource leak in client/config.c get_config_entry
Fix resource leak in
daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c ipa_cldap_netlogon
Tibor Dudlák (4):
Do not check deleted files with `make fastlint`
Re-open the ldif file to prevent error message
Add assert to check output of upgrade
Do not set ca_host when --setup-ca is used
5 years, 1 month
Re: freeIPA Host certs
by Florence Blanc-Renaud
On 3/19/19 4:18 PM, Azim Siddiqui wrote:
> Hi Florence,
>
> Thanks for the info. I will check for the ipa cert-find command and will
> send you the output. Actually, when I am trying to do $ kinit admin it
> is asking for a password. And I am not sure about the password, as I
> said it was set by the previous system admin.
>
Hi
(re-adding freeipa-users in cc)
if you do kinit -kt /etc/krb5.keytab you should also have enough
permissions to perform ipa cert-find.
> And also I can see there is nssdb directory on the server. Do you by any
> chance know, what is that for?
There are many nssdb directories on a FreeIPA system. For instance
/etc/ipa/nssdb is the NSS database used by the ipa * commands. It
contains the certificates of the trusted certificate authorities. You
can find more information re. NSS databases in the man page for certutil(1).
>
> If I have the private key on the server, how can I renew the certificate
> signed by IPA? Can you please provide me the steps.
If you have the private key in $NSSDB database you just need to follow
the steps provided in my first email
(https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...).
flo
>
> thanks & Regards,
> Azeem
>
> On Tue, 19 Mar 2019 at 04:57, Florence Blanc-Renaud <flo(a)redhat.com> wrote:
>
> On 3/18/19 7:50 PM, Azim Siddiqui wrote:
> > Hi Florence,
> >
> > Thanks for your reply.
> > I am referring to the applications. For example, we have
> > Apache, haproxy, jenkins and git, which use certs signed by IPA. And
> > now when I am browsing these application URLs, it is showing "this site
> > is not secured".
> > And originally, these certs were created by a system admin who is not
> > working with us now. So it's getting hard for me to figure out
> > how I can create or renew the certs.
> >
> > And I don't see any files ssl.conf or nss.conf on the server.
> > The output of the getcert list command shows this:
> > getcert list
> > Number of certificates and requests being tracked: 0.
> >
> > I just want to create a crt and key file signed by IPA, so that I
> > can use it for the browsers.
> Hi,
>
> please keep the users mailing list in cc, so that everyone can get
> involved/see the resolution.
>
> It is difficult to provide advice with so little information. Can you
> start by checking which certificates were already issued by FreeIPA, and
> we'll see if they are expired?
>
> $ kinit admin
> $ ipa cert-find
>
> With the full output and based on the subject you'll be able to identify
> the host or service certs that you are using for your applications. For
> each of these certs, run
> $ kinit admin
> $ ipa cert-show <serial number>
> and the output will show if the cert is expired (check the Not After
> field).
>
> For an expired cert, you will be able to renew the cert if you still
> have the private key. The private key location can be found by checking
> the configuration of your applications.
> For instance apache on rhel or fedora stores its config in
> /etc/httpd/conf/httpd.conf, which by default loads the modules in
> conf.modules.d/*.conf and the config files in conf.d/*.conf.
>
> flo
> >
> > Thanks,
> > Azeem
> >
> >
> > On Mon, 18 Mar 2019 at 05:30, Florence Blanc-Renaud <flo(a)redhat.com> wrote:
> >
> > On 3/15/19 8:16 PM, Azim Siddiqui wrote:
> > > Hi Florence,
> > >
> > > Hope you are doing good. I tried the way you said. But still, it is
> > > showing the certificate is expired.
> > >
> > > Let me be more clear about it.
> > >
> > > We have apache running with an expired certificate which is
> > > signed by FreeIPA. Now I want to renew or create a new certificate.
> > > So can you please tell me how I can renew or create a new certificate
> > > signed by FreeIPA.
> > > As whenever I am going to the Apache URL from the browser, it is
> > > showing "site is not secured".
> > >
> > > Thanks & Regards,
> > > Azeem
> > >
> > Hi,
> >
> > (re-adding freeipa-users in CC).
> > Can you first confirm that you are referring to a cert for the apache
> > server *not running on one of the FreeIPA masters*?
> >
> > Then please explain how you originally obtained the certificate. Also
> > include the following information:
> > - relevant apache configuration (if using mod_ssl, then
> > /etc/httpd/conf.d/ssl.conf or if using mod_nss,
> > /etc/httpd/conf.d/nss.conf).
> > - output of getcert list on the host running apache
> >
> > flo
> >
> > > On Wed, 19 Dec 2018 at 14:04, Florence Blanc-Renaud <flo(a)redhat.com> wrote:
> > >
> > > On 12/13/18 4:04 PM, Azim Siddiqui via FreeIPA-users wrote:
> > > > Hello,
> > > >
> > > > Hope you are doing good. I have a question regarding freeIPA host
> > > > certificates.
> > > > We are using FreeIPA as our LDAP. We have some certificates for
> > > > hosts, ex: http/uat.com.
> > > > And we are deploying the certs in Haproxy in PEM format.
> > > > But the certificates for this host have expired.
> > > > Can you please let me know in detail how to renew my expired
> > > > certificates for the hosts. Please provide me the commands and steps.
> > > >
> > > Hi,
> > >
> > > from your description I understand that you are referring to
> > > certificates delivered by IPA CA for one of the IPA-enrolled hosts, but
> > > not the master's Server-Cert used for IPA Web GUI.
> > >
> > > In this case, how did you obtain the certificate? If you used a method
> > > similar to what is described in this wiki [1], the certificate
> > > should be monitored by certmonger and automatically renewed.
> > >
> > > If you followed instead this wiki [2], the certificate is not
> > > tracked by certmonger and needs to be manually renewed. You need to do the
> > > following, assuming that the cert is in a NSS database $NSSDB on the IPA
> > > client:
> > > - find the key nickname
> > > # certutil -K -d $NSSDB
> > > certutil: Checking token "NSS Certificate DB" in slot "NSS User Private
> > > Key and Certificate Services"
> > > Enter Password or Pin for "NSS Certificate DB":
> > > < 0> rsa 7c0646606b33ab683ee4d1790719ebc4154db0f6 NSS Certificate DB:Server-Cert
> > > (note the key nickname for the next command)
> > >
> > > - create a new certificate request that will re-use the existing key
> > > (replace DOMAIN.COM with your IPA domain, in uppercase):
> > > # certutil -R -d $NSSDB -k "NSS Certificate DB:Server-Cert" -s "cn=`hostname`,O=DOMAIN.COM" -a -o /tmp/cert.csr
> > > Enter Password or Pin for "NSS Certificate DB":
> > >
> > > - request a certificate using the new certificate request
> > > # kinit admin
> > > # ipa cert-request --principal=HTTP/`hostname` /tmp/cert.csr
> > > (the output will display a Serial Number that needs to be noted for the
> > > next command)
> > >
> > > - remove the previous cert from the NSS database:
> > > # certutil -D -d $NSSDB -n Server-Cert
> > >
> > > - export the certificate to a file, then import the certificate in the
> > > NSS database:
> > > # ipa cert-show $SERIAL_NUMBER --out=/tmp/server.crt
> > > # certutil -A -d $NSSDB -n Server-Cert -t u,u,u -i /tmp/server.crt
> > >
> > > HTH,
> > > flo
> > >
> > > [1] https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Cert...
> > > [2] https://www.freeipa.org/page/PKI#Manual_certificate_requests
> > >
> > > > FreeIPA, version: 4.2.0
> > > >
> > > > Thanks & Regards,
> > > > Azeem
> > > >
> > > >
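Florence's advice in the thread above is to run `ipa cert-find`, then `ipa cert-show <serial>` per certificate, and look at the Not After field to see which ones have expired. The following script is an added example, not part of the thread or of FreeIPA itself: it parses the record blocks those commands print and reports, per serial number, whether a certificate is expired, about to expire, or fine. The field names follow FreeIPA 4.x output; the exact date layout ("Fri Mar 19 10:02:26 2021 UTC") is an assumption, and the sample input is constructed.

```python
"""Report expiry status of certificates listed by `ipa cert-find` / `ipa cert-show`.

Added example (not FreeIPA code). Assumes the "Field: value" block layout
of the ipa CLI and the date format "%a %b %d %H:%M:%S %Y UTC".
"""
from datetime import datetime, timezone

# Constructed sample in the style of `ipa cert-find` output (names invented).
SAMPLE_CERT_FIND = """\
---------------------
2 certificates matched
---------------------
  Issuing CA: ipa
  Subject: CN=web.example.test,O=EXAMPLE.TEST
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Not Before: Tue Mar 19 10:02:26 2019 UTC
  Not After: Fri Mar 19 10:02:26 2021 UTC
  Serial number: 12
  Serial number (hex): 0xC
  Revoked: False

  Issuing CA: ipa
  Subject: CN=proxy.example.test,O=EXAMPLE.TEST
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Not Before: Mon Mar 18 08:00:00 2019 UTC
  Not After: Mon Mar 18 08:00:00 2030 UTC
  Serial number: 13
  Serial number (hex): 0xD
  Revoked: False
----------------------------
Number of entries returned 2
----------------------------
"""

_DATE_FMT = "%a %b %d %H:%M:%S %Y UTC"  # assumed ipa CLI date layout


def parse_cert_find(text):
    """Split cert-find/cert-show output into a list of {field: value} dicts.

    Records are separated by blank lines; separator rules and summary
    lines carry no ':' and are skipped.
    """
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        if ":" not in line or line.startswith("-"):
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def check_expiry(text, now=None, warn_days=30):
    """Return {serial: {"subject", "days_left", "status"}} for every record.

    `now` may be a timezone-aware datetime, an ISO date string such as
    "2019-03-20" (interpreted as UTC), or None for the current time.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    report = {}
    for rec in parse_cert_find(text):
        not_after = datetime.strptime(rec["Not After"], _DATE_FMT).replace(tzinfo=timezone.utc)
        days_left = (not_after - now).days
        if days_left < 0:
            status = "expired"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        report[int(rec["Serial number"])] = {
            "subject": rec.get("Subject", ""),
            "days_left": days_left,
            "status": status,
        }
    return report


if __name__ == "__main__":
    for serial, info in check_expiry(SAMPLE_CERT_FIND, now="2021-03-01").items():
        print(f"serial {serial}: {info['status']:8} {info['days_left']:>5} days  {info['subject']}")
```

Feed it the real output (`kinit` first, then `ipa cert-find | python3 cert_expiry.py` with the sample swapped for `sys.stdin.read()`) and you get the list of serials to renew; the Subject column is what lets you map each serial back to the application, which is the step Florence describes.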
5 years, 1 month
timeout for IPA command
by Charles Hedrick
It appears that the IPA command uses a host hardwired in /etc/ipa/default.conf.
If that fails, it then gets a list from DNS. This works fine if there’s a connection refused, but if there is no response, it takes so long to time out that most users will give up.
Is there a way to change the timeout?
5 years, 1 month