March 2019 - FreeIPA-users - Fedora Mailing-Lists

by Florence Blanc-Renaud

On 3/19/19 7:07 PM, Azim Siddiqui wrote: > Hi, > > I was wondering is there any way, I can extract the private key and > certificate from nssdb directory? Bcoz the one key i have is not > matching to the certifficate. > Hi I am insisting, but please keep freeipa-users in copy. What do you mean by "extract"? Do you want to remove the key from the nssdb? or transform it into another format? To remove a private key from a nssdb, use the certutil command with -F option. You can find the full format in the man page certutil(1). If you want to create a PKCS12 file containing the private key and certificate: pk12util -o keys.p12 -n $alias -d $NSSDB If you want a PEM file containing the private key: pk12util -o keys.p12 -n $alias -d $NSSDB openssl pkcs12 -in keys.p12 -out cert.key -nodes If you want a PEM file containing the cert: certutil -L -d $NSSDB -n $alias -a -o cert.pem But first of all, which NSSDB directory are you working with? A NSSDB can contain multiple keys and certificates, and also certificates without matching private keys. Can you show the content of your NSSDB? certutil -L -d $NSSDB certutil -K -d $NSSDB flo > Thanks, > Azeem > > On Tue, 19 Mar 2019 at 13:01, Florence Blanc-Renaud <flo(a)redhat.com > <mailto:flo@redhat.com>> wrote: > > On 3/19/19 4:18 PM, Azim Siddiqui wrote: > > Hi Florence, > > > > Thanks for the info. I will check for the ipa cert-find command > and will > > send you the output. Actually, when I am trying to do $ kinit > admin it > > is asking for a password. And I am not sure about the password, as I > > said it was set by the previous system admin. > > > Hi > (re-adding freeipa-users in cc) > > if you do kinit -kt /etc/krb5.keytab you should also have enough > permissions to perform ipa cert-find. > > > And also I can see there is nssdb directory on the server. Do you > by any > > chance know, what is that for? > There are many nssdb directories on a FreeIPA system. For instance > /etc/ipa/nssdb is the NSS database used by the ipa * commands. It > contains the certificates of the trusted certificate authorities. You > can find more information re. NSS databases in the man page for > certutil(1). > > > > > If I have the private key on the server, how can I renew the > certificate > > signed by IPA. can you please provide me the steps. > If you have the private key in $NSSDB database you just need to follow > the steps provided in my first email > (https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...). > > flo > > > > thanks & Regards, > > Azeem > > > > On Tue, 19 Mar 2019 at 04:57, Florence Blanc-Renaud > <flo(a)redhat.com <mailto:flo@redhat.com> > > <mailto:flo@redhat.com <mailto:flo@redhat.com>>> wrote: > > > > On 3/18/19 7:50 PM, Azim Siddiqui wrote: > > > Hi Florence, > > > > > > Thanks for your reply. > > > I am referring to the applications. For example, we have > > > Apache,haproxy,jenkins,git which uses certs signed by IPA. And > > now when > > > I am browsing these applications urls. It is showing, this > site > > is not > > > secured. > > > And originally, This cert were created by a system admin, > who is not > > > working with us now. So its getting hard for me to figure out, > > how can I > > > create or renew the certs. > > > > > > And I don't see any files ssl.conf or nss.conf in the server. > > > The output for getcert list command shows this :- > > > getcert list > > > Number of certificates and requests being tracked: 0. > > > > > > > > > I just want to create a crt and key file signed by IPA. So > that I > > can > > > use it for the browsers. > > Hi, > > > > please keep the users mailing list in cc, so that everyone > can get > > involved/see the resolution. > > > > It is difficult to provide advice with so few information. > Can you > > start > > by checking which certificates were already issued by > FreeIPA, and > > we'll > > see if they are expired? > > > > $ kinit admin > > $ ipa cert-find > > > > With the full output and based on the subject you'll be able to > > identify > > the host or service certs that you are using for your > applications. For > > each of these certs, run > > $ kinit admin > > $ ipa cert-show <serial number> > > and the output will show if the cert is expired (check the > Not After > > field). > > > > For an expired cert, you will be able to renew the cert if > you still > > have the private key. The private key location can be found > by checking > > the configuration of your applications. > > For instance apache on rhel or fedora stores its config in > > /etc/httpd/conf/httpd.conf, which by default loads the modules in > > conf.modules.d/*.conf and the config files in conf.d/*.conf. > > > > flo > > > > > > Thanks, > > > Azeem > > > > > > > > > On Mon, 18 Mar 2019 at 05:30, Florence Blanc-Renaud > > <flo(a)redhat.com <mailto:flo@redhat.com> > <mailto:flo@redhat.com <mailto:flo@redhat.com>> > > > <mailto:flo@redhat.com <mailto:flo@redhat.com> > <mailto:flo@redhat.com <mailto:flo@redhat.com>>>> wrote: > > > > > > On 3/15/19 8:16 PM, Azim Siddiqui wrote: > > > > Hi Florence, > > > > > > > > Hope you are doing good. I tried the way you said. But > > still, it is > > > > showing certificate is expired. > > > > > > > > Let me be more clear about it. > > > > > > > > We have apache running with an expired certificate > which is > > > signed by > > > > FreeIPA. Now I want to renew or create a new > certificate. > > So can you > > > > please tell me how can I renew or create a new > certificate > > signed by > > > > Freeipa. > > > > As whenever I am going to the Apache URL from the > browser, > > it is > > > showing > > > > site is not secured. > > > > > > > > Thanks & Regards, > > > > Azeem > > > > > > > Hi, > > > > > > (re-adding freeipa-users in CC). > > > Can you first confirm that you are referring to a cert for > > the apache > > > server *not running on one of the FreeIPA masters*? > > > > > > Then please explain how you originally obtained the > > certificate. Also > > > include the following information: > > > - relevant apache configuration (if using mod_ssl, then > > > /etc/httpd/conf.d/ssl.conf or if using mod_nss, > > > /etc/httpd/conf.d/nss.conf). > > > - output of getcert list on the host running apache > > > > > > flo > > > > > > > On Wed, 19 Dec 2018 at 14:04, Florence Blanc-Renaud > > > <flo(a)redhat.com <mailto:flo@redhat.com> > <mailto:flo@redhat.com <mailto:flo@redhat.com>> > > <mailto:flo@redhat.com <mailto:flo@redhat.com> > <mailto:flo@redhat.com <mailto:flo@redhat.com>>> > > > > <mailto:flo@redhat.com <mailto:flo@redhat.com> > <mailto:flo@redhat.com <mailto:flo@redhat.com>> > > <mailto:flo@redhat.com <mailto:flo@redhat.com> > <mailto:flo@redhat.com <mailto:flo@redhat.com>>>>> wrote: > > > > > > > > On 12/13/18 4:04 PM, Azim Siddiqui via > FreeIPA-users > > wrote: > > > > > Hello, > > > > > > > > > > Hope you are doing good. I have a question > regarding > > > freeIPA host > > > > > certificates. > > > > > We are using FreeIPA as our LDAP. We have some > > > certificates for > > > > hosts ex > > > > > :- http/uat.com <http://uat.com> > <http://uat.com> <http://uat.com> > > <http://uat.com> > > > <http://uat.com>. > > > > > And we deploying the certs in Haproxy in PEM > format. > > > > > But the certificates for this host has been > expired. > > > > > Can you please let me know in detail how to > renew > > my expired > > > > > certificates for the hosts. Please provide > me the > > commands > > > and steps. > > > > > > > > > Hi, > > > > > > > > from your description I understand that you are > > referring to > > > > certificates delivered by IPA CA for one of the > > IPA-enrolled > > > hosts, but > > > > not the master's Server-Cert used for IPA Web GUI. > > > > > > > > In this case, how did you obtain the > certificate? If > > you used > > > a method > > > > similar to what is described in this wiki [1], the > > certificate > > > > should be > > > > monitored by certmonger and automatically renewed. > > > > > > > > If you followed instead this wiki [2], the > certificate > > is not > > > > tracked by > > > > certmonger and needs to be manually renewed. > You need > > to do the > > > > following, assuming that the cert is in a NSS > database > > $NSSDB > > > on the > > > > IPA > > > > client: > > > > - find the key nickname > > > > # certutil -K -d $NSSDB > > > > certutil: Checking token "NSS Certificate DB" > in slot "NSS > > > User Private > > > > Key and Certificate Services" > > > > Enter Password or Pin for "NSS Certificate DB": > > > > < 0> rsa > > 7c0646606b33ab683ee4d1790719ebc4154db0f6 NSS > > > > Certificate > > > > DB:Server-Cert > > > > (note the key nickname for the next command) > > > > > > > > - create a new certificate request that will > re-use the > > > existing key > > > > (replace DOMAIN.COM <http://DOMAIN.COM> > <http://DOMAIN.COM> > > <http://DOMAIN.COM> <http://DOMAIN.COM> > > > with your IPA domain, in > > > > uppercase): > > > > # certutil -R -d $NSSDB -k "NSS Certificate > > DB:Server-Cert" -s > > > > cn=`hostname,O=DOMAIN.COM <http://DOMAIN.COM> > <http://DOMAIN.COM> > > <http://DOMAIN.COM> > > > <http://DOMAIN.COM>" -a -o /tmp/cert.csr > > > > Enter Password or Pin for "NSS Certificate DB": > > > > > > > > - request a certificate using the new > certificate request > > > > # kinit admin > > > > # ipa cert-request --principal=HTTP/`hostname` > > /tmp/web.csr > > > > (the output will display a Serial Number that > needs to be > > > noted for the > > > > next command) > > > > > > > > - remove the previous cert from the NSS database: > > > > # certutil -D -d $NSSDB -n Server-Cert > > > > > > > > - export the certificate to a file, then import the > > > certificate in the > > > > NSS database: > > > > # ipa cert-show $SERIAL_NUMBER > --out=/tmp/server.crt > > > > # certutil -A -d $NSSDB -n Server-Cert -t u,u,u -i > > > /tmp/server.crt > > > > > > > > HTH, > > > > flo > > > > > > > > [1] > > > > > > > > > > https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Cert... > > > > [2] > > https://www.freeipa.org/page/PKI#Manual_certificate_requests > > > > > > > > > FreeIPA, version: 4.2.0 > > > > > > > > > > Thanks & Regards, > > > > > Azeem > > > > > > > > > > > > > > > _______________________________________________ > > > > > FreeIPA-users mailing list -- > > > > freeipa-users(a)lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org> > > <mailto:freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org>> > > > <mailto:freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org> > > <mailto:freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org>>> > > > > <mailto:freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org> > > <mailto:freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org>> > > > <mailto:freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org> > > <mailto:freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org>>>> > > > > > To unsubscribe send an email to > > > > freeipa-users-leave(a)lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org> > > <mailto:freeipa-users-leave@lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org>> > > > <mailto:freeipa-users-leave@lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org> > > <mailto:freeipa-users-leave@lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org>>> > > > > > <mailto:freeipa-users-leave@lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org> > > <mailto:freeipa-users-leave@lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org>> > > > <mailto:freeipa-users-leave@lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org> > > <mailto:freeipa-users-leave@lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org>>>> > > > > > Fedora Code of Conduct: > > > https://getfedora.org/code-of-conduct.html > > > > > List Guidelines: > > > > https://fedoraproject.org/wiki/Mailing_list_guidelines > > > > > List Archives: > > > > > > > > > > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > > > > > > > > > > > > > > >

5 years, 1 month

3
4
0 / 0

change default freeipa settings for password change/expire and otp timeout

by Jelle de Jong

Hello everybody, First thank you for the great software and this support list! I got a few questions: version that I am using: ipa-server-4.6.4-10.el7.centos.2.x86_64 1) I need to be able to set the initial password and not have it changed or expired after I add the user. I need users to be able to login straight away. What configuration file or policy option? And where can I change this for all users? 2) I want to change the default timeout for the OTP token, when generated from the GUI? (I am aware about the option with the CLI) Thank you in advance, Kind regards, Jelle de Jong

5 years, 1 month

3
5
0 / 0

Re: change default freeipa settings for password change/expire and otp timeout

by Dmitry Perets

Hi, I saw another solution for your problem - you can define a user as "passSyncManager". Then that particular user will be able to set passwords for other users without having them immediately expired. This is especially handy when you have periodic synchronization with some external account management system, from which you get passwords. This was described here, but I think it was removed from later versions of RHEL documentation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/... Anyway, I tested it, and I think it worked... maybe one day it stopped working (or will stop). Example: ``` # ldapmodify -x -D "cn=Directory Manager" -W Enter LDAP Password: dn: cn=ipa_pwd_extop,cn=plugins,cn=config changetype: modify add: passSyncManagersDNs passSyncManagersDNs: uid=ext-provisioner,cn=users,cn=accounts,dc=ims,dc=telekom,dc=de ``` -- Regards, Dmitry Perets. "The more one knows, the less opinions he shares" -- Wilhelm Schwebel

5 years, 1 month

2
1
0 / 0

Announcing SSSD 1.16.4

by Jakub Hrozek

SSSD 1.16.4 =========== The SSSD team is proud to announce the release of version 1.16.4 of the System Security Services Daemon. The tarball can be downloaded from https://releases.pagure.org/SSSD/sssd/ RPM packages will be made available for Fedora shortly. Feedback ————---- Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users Highlights ---------- New Features ^^^^^^^^^^^^ * The list of PAM services which are allowed to authenticate using a Smart Card is now configurable using a new option ``pam_p11_allowed_services``. (#2926) * A new configuration option ``ad_gpo_implicit_deny`` was added. This option (when set to True) can be used to deny access to users even if there is not applicable GPO. Normally users are allowed access in this situation. (#3701) * The LDAP authentication provider now allows to use a different method of changing LDAP passwords using a modify operation in addition to the default extended operation. This is meant to support old LDAP servers that do not implement the extended operation. The password change using the modification operation can be selected with ``ldap_pwmodify_mode = "ldap_modify"`` (#1314) * The ``auto_private_groups`` configuration option now takes a new value ``hybrid``. This mode autogenerates private groups for user entries where the UID and GID values have the same value and at the same time the GID value does not correspond to a real group entry in LDAP (#3822) Security issues fixed ^^^^^^^^^^^^^^^^^^^^^ * CVE-2019-3811: SSSD used to return "/" in case a user entry had no home directory. This was deemed a security issue because this flaw could impact services that restrict the user's filesystem access to within their home directory. An empty home directory field would indicate "no filesystem access", where sssd reporting it as "/" would grant full access (though still confined by unix permissions, SELinux etc). Notable bug fixes ^^^^^^^^^^^^^^^^^ * The IPA provider, in a setup with a trusted Active Directory domain, did not remove cached entries that were no longer present on the AD side (#3984) * The Active Directory provider now fetches the user information from the LDAP port and switches to using the Global Catalog port, if available for the group membership. This fixes an issue where some attributes which are not available in the Global Catalog, typically the home directory, would be removed from the user entry. (#2474) * The IPA SELinux provider now sets the user login context even if it is the same as the system default. This is important in case the user has a non-standard home directory, because then only adding the user to the SELinux database ensures the home directory will be labeled properly. However, this fix causes a performance hit during the first login as the context must be written into the semanage database. * The sudo responder did not reflect the case_sensitive domain option (#3820) * A memory leak when requesting netgroups repeatedly was fixed (#3870) * An issue that caused SSSD to sometimes switch to offline mode in case not all domains in the forest ran the Global Catalog service was fixed (#3902) * The SSH responder no longer fails completely if the ``p11_child`` times out when deriving SSH keys from a certificate (#3937) * The negative cache was not reloaded after new sub domains were discovered which could have lead to a high SSSD load (#3683) * The negative cache did not work properly for in case a lookup fell back to trying a UPN instead of a name (#3978) * If any of the SSSD responders was too busy, that responder wouldn't have refreshed the trusted domain list (#3967) * A potential crash due to a race condition between the fail over code refreshing a SRV lookup and back end using its results (#3976) * Sudo's runAsUser and runAsGroup attributes did not match properly when used in setups with domain_resolution_order * Processing of the values from the ``filter_users`` or ``filter_groups`` options could trigger calls to blocking NSS API functions which could in turn prevent the startup of SSSD services in case nsswitch.conf contained other modules than ``sss`` or ``files`` (#3963) Tickets Fixed ------------- * `3967 <https://pagure.io/SSSD/sssd/issue/3967>`_ - NSS responder does no refresh domain list when busy * `2926 <https://pagure.io/SSSD/sssd/issue/2926>`_ - Make list of local PAM services allowed for Smartcard authentication configurable * `3819 <https://pagure.io/SSSD/sssd/issue/3819>`_ - sssd only sets the SELinux login context if it differs from the default * `3820 <https://pagure.io/SSSD/sssd/issue/3820>`_ - sudo: search with lower cased name for case insensitive domains * `3870 <https://pagure.io/SSSD/sssd/issue/3870>`_ - nss: memory leak in netgroups * `3451 <https://pagure.io/SSSD/sssd/issue/3451>`_ - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds. * `3875 <https://pagure.io/SSSD/sssd/issue/3875>`_ - CURLE_SSL_CACERT is deprecated in recent curl versions * `3902 <https://pagure.io/SSSD/sssd/issue/3902>`_ - SSSD must be cleared/restarted periodically in order to retrieve AD users through IPA Trust * `3901 <https://pagure.io/SSSD/sssd/issue/3901>`_ - sssd returns '/' for emtpy home directories * `3919 <https://pagure.io/SSSD/sssd/issue/3919>`_ - sss_cache prints spurious error messages when invoked from shadow-utils on package install * `3845 <https://pagure.io/SSSD/sssd/issue/3845>`_ - The config file validator says that certmap options are not allowed * `3937 <https://pagure.io/SSSD/sssd/issue/3937>`_ - If p11_child spawned from sssd_ssh times out, sssd_ssh fails completely * `3961 <https://pagure.io/SSSD/sssd/issue/3961>`_ - sssd config-check reports an error for a valid configuration option * `3701 <https://pagure.io/SSSD/sssd/issue/3701>`_ - [RFE] Allow changing default behavior of SSSD from an allow-any default to a deny-any default when it can't find any GPOs to apply to a user login. * `2474 <https://pagure.io/SSSD/sssd/issue/2474>`_ - AD: do not override existing home-dir or shell if they are not available in the global catalog * `3958 <https://pagure.io/SSSD/sssd/issue/3958>`_ - sssd_krb5_locator_plugin introduces delay in cifs.upcall krb5 calls * `3890 <https://pagure.io/SSSD/sssd/issue/3890>`_ - SSSD changes the memory cache file ownership away from the SSSD user when running as root * `3942 <https://pagure.io/SSSD/sssd/issue/3942>`_ - RemovedInPytest4Warning: Fixture "passwd_ops_setup" called directly * `3276 <https://pagure.io/SSSD/sssd/issue/3276>`_ - Revert workaround in CI for bug in python-{request,urllib3} * `3978 <https://pagure.io/SSSD/sssd/issue/3978>`_ - UPN negative cache does not use values from 'filter_users' config option * `3983 <https://pagure.io/SSSD/sssd/issue/3983>`_ - filter_users option is not applied to sub-domains if SSSD starts offline * `3947 <https://pagure.io/SSSD/sssd/issue/3947>`_ - SSSD netgroups do not honor entry_cache_nowait_percentage * `3984 <https://pagure.io/SSSD/sssd/issue/3984>`_ - IPA: Deleted user from trusted domain is not removed properly from the cache on IPA clients * `3976 <https://pagure.io/SSSD/sssd/issue/3976>`_ - crash in dp_failover_active_server * `3957 <https://pagure.io/SSSD/sssd/issue/3957>`_ - sudo: runAsUser/Group does not work with domain_resolution_order * `1314 <https://pagure.io/SSSD/sssd/issue/1314>`_ - RFE Request for allowing password changes using SSSD in DS which dont follow OID's from RFC 3062 * `3822 <https://pagure.io/SSSD/sssd/issue/3822>`_ - Enable generating user private groups only for users with no primary GID * `3963 <https://pagure.io/SSSD/sssd/issue/3963>`_ - Responders: processing of `filter_users`/`filter_groups` should avoid calling blocking NSS API Packaging Changes ----------------- * Several files in the reference specfile changed permissions to avoid issues with verifying the file integrity with ``rpm -V`` in case SSSD runs as a different user than the default user it is configured with (#3890) Documentation Changes --------------------- * The AD provider default value of ``fallback_homedir`` was changed to ``fallback_homedir = /home/%d/%u`` to provide home directories for users without the ``homeDirectory`` attribute. * A new option ``ad_gpo_implicit_deny``, defaulting to False (#3701) * A new option ``ldap_pwmodify_mode`` (#1314) * A new option ``pam_p11_allowed_services`` (#2926) * The ``auto_private_groups`` accepts a new option value ``hybrid`` (#3822) * Improved documentation of the Kerberos locator plugin Detailed Changelog ------------------ * Alexey Tikhonov (5): * Fix error in hostname retrieval * lib/cifs_idmap_sss: fixed unaligned mem access * ci/sssd.supp: fixed c-ares-suppress-leak-from-init * negcache: avoid "is_*_local" calls in some cases * Monitor: changed provider startup timeout * Fabiano Fidêncio (1): * man/sss_ssh_knownhostsproxy: fix typo pubkeys -> pubkey * Jakub Hrozek (54): * Updating the version to track 1.16.4 development * src/tests/python-test.py is GPLv3+ * src/tests/intg/util.py is licensed under GPLv3+ * src/tests/intg/test_ts_cache.py is licensed under GPLv3+ * src/tests/intg/test_sudo.py is licensed under GPLv3+ * src/tests/intg/test_sssctl.py is licensed under GPLv3+ * src/tests/intg/test_ssh_pubkey.py is licensed under GPLv3+ * src/tests/intg/test_session_recording.py is licensed under GPLv3+ * src/tests/intg/test_secrets.py is licensed under GPLv3+ * src/tests/intg/test_pysss_nss_idmap.py is licensed under GPLv3+ * src/tests/intg/test_pam_responder.py is licensed under GPLv3+ * src/tests/intg/test_pac_responder.py is licensed under GPLv3+ * src/tests/intg/test_netgroup.py is licensed under GPLv3+ * src/tests/intg/test_memory_cache.py is licensed under GPLv3+ * src/tests/intg/test_local_domain.py is licensed under GPLv3+ * src/tests/intg/test_ldap.py is licensed under GPLv3+ * src/tests/intg/test_kcm.py is licensed under GPLv3+ * src/tests/intg/test_infopipe.py is licensed under GPLv3+ * src/tests/intg/test_files_provider.py is licensed under GPLv3+ * src/tests/intg/test_files_ops.py is licensed under GPLv3+ * src/tests/intg/test_enumeration.py is licensed under GPLv3+ * src/tests/intg/sssd_passwd.py is licensed under GPLv3+ * src/tests/intg/sssd_nss.py is licensed under GPLv3+ * src/tests/intg/sssd_netgroup.py is licensed under GPLv3+ * src/tests/intg/sssd_ldb.py is licensed under GPLv3+ * src/tests/intg/sssd_id.py is licensed under GPLv3+ * src/tests/intg/sssd_group.py is licensed under GPLv3+ * src/tests/intg/secrets.py is licensed under GPLv3+ * src/tests/intg/ldap_local_override_test.py is licensed under GPLv3+ * src/tests/intg/ldap_ent.py is licensed under GPLv3+ * src/tests/intg/krb5utils.py is licensed under GPLv3+ * src/tests/intg/kdc.py is licensed under GPLv3+ * src/tests/intg/files_ops.py is licensed under GPLv3+ * src/tests/intg/ent_test.py is licensed under GPLv3+ * src/tests/intg/ent.py is licensed under GPLv3+ * src/tests/intg/ds_openldap.py is licensed under GPLv3+ * src/tests/intg/ds.py is licensed under GPLv3+ * src/config/setup.py.in is licensed under GPLv3+ * src/config/SSSDConfig/ipachangeconf.py is licensed under GPLv3+ * Explicitly add GPLv3+ license blob to several files * SELINUX: Always add SELinux user to the semanage database if it doesn't exist * pep8: Ignore W504 and W605 to silence warnings on Debian * LDAP: minor refactoring in auth_send() to conform to our coding style * LDAP: Only authenticate the auth connection if we need to look up user information * NSS: Avoid changing the memory cache ownership away from the sssd user * TESTS: Only use __wrap_sss_ncache_reset_repopulate_permanent to finish test if needed * UTIL: Add a is_domain_mpg shorthand * UTIL: Convert bool mpg to an enum mpg_mode * CONFDB: Read auto_private_groups as string, not bool * CONFDB/SYSDB: Add the hybrid MPG mode * CACHE_REQ: Add cache_req_data_get_type() * NSS: Add the hybrid-MPG mode * TESTS: Add integration tests for auto_private_groups=hybrid * Updating the translations for the 1.16.4 release * Lukas Slebodnik (26): * krb5_locator: Make debug function internal * krb5_locator: Simplify usage of macro PLUGIN_DEBUG * krb5_locator: Fix typo in debug message * krb5_locator: Fix formatting of the variable port * krb5_locator: Use format string checking for debug function * PAM: Allow to configure pam services for Smartcards * UTIL: Fix compilation with curl 7.62.0 * test_pac_responder: Skip test if pac responder is not installed * INTG: Show extra test summary info with pytest * CI: Modify suppression file for c-ares-1.15.0 * sss_cache: Do not fail for missing domains * intg: Add test for sss_cache & shadow-utils use-case * sss_cache: Do not fail if noting was cached * test_sss_cache: Add test case for invalidating missing entries * pyhbac-test: Do not use assertEquals * SSSDConfigTest: Do not use assertEquals * SSSDConfig: Fix ResourceWarning unclosed file * SSSDConfigTest: Remove usage of failUnless * BUILD: Fix condition for building sssd-kcm man page * NSS: Do not use deprecated header files * sss_cache: Fail if unknown domain is passed in parameter * test_sss_cache: Add test case for wrong domain in parameter * test_files_provider: Do not use pytest fixtures as functions * test_ldap: Do not uses pytest fixtures as functions * Revert "intg: Generate tmp dir with lowercase" * ent_test: Update assertions for python 3.7.2 * Michal Židek (1): * GPO: Add gpo_implicit_deny option * Pavel Březina (9): * sudo: respect case sensitivity in sudo responder * nss: use enumeration context as talloc parent for cache req result * netgroups: honor cache_refresh_percent * sdap: add sdap_modify_passwd_send * sdap: add ldap_pwmodify_mode option * sdap: split password change to separate request * sdap: use ldap_pwmodify_mode to change password * sudo ipa: do not store rules without sudoHost attribute * be: remember last good server's name instead of fo_server structure * Sumit Bose (22): * intg: flush the SSSD caches to sync with files * LDAP: Log the encryption used during LDAP authentication * BUILD: Accept krb5 1.17 for building the PAC plugin * tests: fix mocking krb5_creds in test_copy_ccache * tests: increase p11_child_timeout * Revert "IPA: use forest name when looking up the Global Catalog" * ipa: use only the global catalog service of the forest root * utils: make N_ELEMENTS public * ad: replace ARRAY_SIZE with N_ELEMENTS * responder: fix domain lookup refresh timeout * ldap: add get_ldap_conn_from_sdom_pvt * ldap: prefer LDAP port during initgroups user lookup * ldap: user get_ldap_conn_from_sdom_pvt() where possible * krb5_locator: always use port 88 for master KDC * NEGCACHE: initialize UPN negative cache as well * NEGCACHE: fix typo in debug message * NEGCACHE: repopulate negative cache after get_domains * ldap: add users_get_handle_no_user() * ldap: make groups_get_handle_no_group() public * ipa s2n: fix typo * ipa s2n: do not add UPG member * ipa s2n: try to remove objects not found on the server * Thorsten Scherf (1): * CONFIG: add missing ldap attributes for validation * Tomas Halman (4): * nss: sssd returns '/' for emtpy home directories * ssh: sssd_ssh fails completely on p11_child timeout * ssh: p11_child error message is too generic * krb5_locator: Allow hostname in kdcinfo files * Victor Tapia (1): * GPO: Allow customization of GPO_CROND per OS * mateusz (1): * Added note about default value of ad_gpo_map_batch parameter

5 years, 1 month

1
0
0 / 0

Need a howto for "Service Account done correctly"

by Will Kay

Hi, I'm working on binding a Fortinet FW to FreeIPA LDAP for VPN authentication. I did quite some Google searches and found only a few leads. I want make sure I will do this correctly. 1. Setup a "system account" per this FreeIPA Howto https://www.freeipa.org/page/HowTo/LDAP 2. In the HowTO, "note: IPA 4.0 is goign to change the default stance ... to nothing is readable". I defined the system account per the HowTO with v4.6.4. I assume nothing is readable now. A) How do verify that the system account can't read the user or groups? B) How do I grant permission for the "system account" to read user and groups which I need for FW auth? 3. I ran a test on the Fortigate admin GUI I set Common Name Identifier to "uid", DN to "cn=account,dc=example,dc=com". I was able to test connectivity bind type Simple or Anonymous. I can't see a need for anonymous bind, at least for now. The correct way to disable anonymous bind is modifying nsslapd-allow-anonymous-access ? Thanks W

5 years, 1 month

1
0
0 / 0

Problem on second trust

by SOLER SANGUESA Miguel

hello, I have 3 IDM clusters with RHEL 7.5 and ipa-server-4.5.4-10 (they are independents, 1 for my company and other 2 for 2 clients), with domain names: 1) ipa.mydomain.com 2) ipa.client1_domain.com 3) ipa.client2_domain.com All of them have a trust with an AD domain: 1) ad-domain.mydomain.com 2) client1_domain.com 3) addomain.client2_domain.com The problem I have it is when I try to create the second trust with clusters 2 and 3 to the same domain I have on the cluster 1 "ad-domain.mydomain.com". I get the following answer: # ipa trust-add --type=ad AD-domain.mydomain.com --range-type=ipa-ad-trust --server=AD_server.AD-domain.mydomain.com --all Active Directory domain administrator: ad_admin Active Directory domain administrator's password: ipa: ERROR: CIFS server communication error: code "-1073741771", message "The object name already exists." (both may be "None") Attached full sanitated log of /var/log/httpd/error_log with debug mode. There the error is: out: struct lsa_CreateTrustedDomainEx2 result : NT_STATUS_OBJECT_NAME_COLLISION I have also tried to do the trust on Windows side (the other method explained on the manual with shared password), but AD (Windows server 2008 R2) complains that the trust is already done: [cid:image007.png@01D4DF0F.11226FC0] Of course there is no trust between them, (checked on IDM side with "ipa trust-show ad-domain.mydomain.com") and checked also on Windows side We think it might be because we have the same NETBIOS name "IPA" on both domains that we try to do a trust with "ad-domain.mydomain.com": ipa.mydomain.com (that is already trusted with ad-domain.mydomain.com) and ipa.clientX_domain.com Is that possible? How can we fix that? Thanks & Regards. ______________________________ Miguel

5 years, 1 month

2
1
0 / 0

urgent help needed, ipa unusable after short power cut

by Marisa Sandhoff

Dear all, after a short power outage this morning the server hosting our virtual machine ipa2 (running ipa-server-4.6.4-10) had lost its harddisks. After a reboot the server and the virtual machine ipa2 are back, but the ipa service cannot be started (it trys a long time to start pki-tomcat and then fails). The attached error messages are the best I could find in the logs ... any help is much appreciated!!!! Thanks a lot in advance! Best regards, Marisa [root@ipa2 slapd-PLEIADES-UNI-WUPPERTAL-DE]# tail -f errors [18/Mar/2019:14:36:27.539686690 +0100] - ERR - NSMMReplicationPlugin - ruv_compare_ruv - RUV [changelog max RUV] does not contain element [{replica 97 ldap://ipa2.pleiades.uni-wuppertal.de:389} 5645e979000000610000 57ac3411000400610000] which is present in RUV [database RUV] [18/Mar/2019:14:36:27.545032725 +0100] - WARN - NSMMReplicationPlugin - replica_check_for_data_reload - For replica o=ipaca there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog. [18/Mar/2019:14:36:27.577557647 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa2.pleiades.uni-wuppertal.de(a)PLEIADES.UNI-WUPPERTAL.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text)) [18/Mar/2019:14:36:27.641236527 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests [18/Mar/2019:14:36:27.663628433 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests [18/Mar/2019:14:36:27.668455970 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-PLEIADES-UNI-WUPPERTAL-DE.socket for LDAPI requests [18/Mar/2019:14:36:28.168206235 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds! [18/Mar/2019:14:36:33.531027962 +0100] - ERR - schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=pleiades,dc=uni-wuppertal,dc=de [18/Mar/2019:14:36:33.969987161 +0100] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=pleiades,dc=uni-wuppertal,dc=de [18/Mar/2019:14:36:33.987009592 +0100] - ERR - schema-compat-plugin - Finished plugin initialization. [root@ipa2 slapd-PLEIADES-UNI-WUPPERTAL-DE]# ipa-replica-manage list-ruv Directory Manager password: Replica Update Vectors: ipa2.pleiades.uni-wuppertal.de:389: 10 ipa.pleiades.uni-wuppertal.de:389: 11 Certificate Server Replica Update Vectors: ipa2.pleiades.uni-wuppertal.de:389: 81 ipa.pleiades.uni-wuppertal.de:389: 1095 ipa.pleiades.uni-wuppertal.de:389: 96 ipacentos7.pleiades.uni-wuppertal.de:389: 86 ipacentos7.pleiades.uni-wuppertal.de:389: 91 ipa2.pleiades.uni-wuppertal.de:389: 97 [root@ipa2 slapd-PLEIADES-UNI-WUPPERTAL-DE]# -- Dr. Marisa Sandhoff Experimentelle Elementarteilchenphysik Fakultät für Mathematik und Naturwissenschaften Bergische Universitaet Wuppertal Gaussstr. 20 D-42097 Wuppertal, Germany ------- marisa.sandhoff(a)cern.ch sandhoff(a)physik.uni-wuppertal.de Raum D.09.03 Phone +49 202 439 3521

5 years, 1 month

5
7
0 / 0

Announcing freeIPA 4.6.5

by Rob Crittenden

The FreeIPA team would like to announce FreeIPA 4.6.5 release! It can be downloaded from http://www.freeipa.org/page/Downloads. == Highlights in 4.6.5 == === Enhancements === * Honor SRV record priority and weight * Support for the IPAddr SAN type * Added more indices to improve performance === Bug fixes === FreeIPA 4.6.5 is a stabilization release for the features delivered as a part of 4.6.0. There are more than 18 bug-fixes details of which can be seen in the list of resolved tickets below. == Upgrading == Upgrade instructions are available on [[Upgrade]] page. == Feedback == Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...) or #freeipa channel on Freenode. == Resolved tickets == * 7883 Cannot install ipa-server on rhel7 * 7852 pki spawn fails for IPA replica install from RHEL6 IPA master * 7803 Missing index on idnsName * 7797 SSSD's getservby*() causes performance issues * 7796 ipa-replica-install fails migrating CentOS 6 to 7 * 7792 Missing index on ipaconfigstring * 7786 Index accessruletype, hostcategory, ipaenabledflag, ipserviceport, and ipserviceprotocol by default * 7777 new prci_definitions memory requirements * 7775 IPA Upgrade failed with "unable to convert the attribute u'cACertificate;binary'" * 7770 searching for ipa users by certificate fails * 7751 add ipaapi user to the list of allowed uids in [ifp] section in sssd configuration * 7731 ipa-advise command points to old URL's. * 7706 Adding 3rd Party CAs to IPA results in SmartCard preparation script failure * 7684 Re-installing replica on the same system displays 'WARNING: cannot check if port 443 is already configured' * 7681 ipa server uninstall with -v option displays "IOError: [Errno 9] Bad file descriptor Logged from file ipautil.py, line 442" * 7666 ipa-server-install script is failing when using the "--no-dnssec-validation" parameter combined with the "--forwarder" * 7659 ipa trust-add fails in FIPS mode. * 7644 ipa-server-upgrade displays 'DN: cn=Schema Compatibility,cn=plugins,cn=config does not exists or haven't been updated' * 7642 Installation fails: Replica Busy == Detailed changelog since 4.6.4 == Aleksei Slaikovskii (1): Prevent installation with single label domains Alexander Bokovoy (10): ipaserver/dcerpc.py: handle indirect topology conflicts Allow anonymous access to parentID attribute Move fips_enabled to a common library to share across different plugins ipasam: do not use RC4 in FIPS mode ipa-kdb: reduce LDAP operations timeout to 30 seconds ipa-sidgen: make internal fetch_attr helper really internal ipaserver/dcerpc: fix exclusion entry with a forest trust domain info returned make sure IPA_CONFDIR is used to check that client is configured Processing of server roles should ignore errors.EmptyResult Update template directory with new variables when upgrading ipa.conf.template Anuja More (2): Test for ipa-client-install should not use hardcoded admin principal Test for ipa-replica-install fails with PIN error for CA-less env. Armando Neto (11): ipaserver config plugin: Increase search records minimum limit Prevent the creation on users and groups with numeric characters only ipa-client-install: Update how comments are added by ipachangeconf ipa-server-install: fix zonemgr argument validator Fix pylint 2.0 return-related violations Fix pylint 2.0 conditional-related violations Fix Pylint 2.0 violations Disable Pylint 2.0 violations Fix regression: Handle unicode where str is expected ui_tests: fix test_config::test_size_limits Fix certificate type error when exporting to file Christian Heimes (67): Sort and shuffle SRV record by priority and weight Increase WSGI process count to 5 on 64bit Always set ca_host when installing replica Improve and fix timeout bug in wait_for_entry() Use common replication wait timeout of 5min Fix replication races in Dogtag admin code Use 4 WSGI workers on 64bit systems Add test case for allow-create-keytab Require python-ldap with fix for ref counting bug Use freeipa/ci-ipa-4-6-f27 for PR-CI Ensure that public cert and CA bundle are readable Always make ipa.p11-kit world-readable Make /etc/httpd/alias world readable & executable Fix permission of public files in upgrader Catch ACIError instead of invalid credentials Import ABCs from collections.abc Query for server role IPA master Only create DNS SRV records for ready server Delay enabling services until end of installer Fix CA topology warning Fix race condition in get_locations_records() Auto-retry failed certmonger requests Wait for client certificates Tune DS replication settings Fix DNSSEC install regression pylint 2.0: node.path is a list Add tab completion and history to ipa console Create helper function to upload to temp file Fix ipa console filename Handle races in replica config Teach pylint how our api works Add pylint ignore to magic config.Env attributes Fix KRA replica installation from CA master Rename pytest_plugins to ipatests.pytest_ipa Fix ipadb_multires resource handling Don't abuse strncpy() length limitation has_krbprincipalkey: avoid double free ipadb_mspac_get_trusted_domains: NULL ptr deref ipapwd_pre_mod: NULL ptr deref Allow ipaapi user to access SSSD's info pipe Copy-paste error in permssions plugin, CID 323649 Fix pytest deprecation warning pylint 2.2: Fix unnecessary pass statement pylint: Fix duplicate-string-formatting-argument pylint: also verify scripts Address misc pylint issues in CLI scripts Address pylint violations in lite-server Address inconsistent-return-statements Fix Module 'pytest' has no 'config' member Silence comparison-with-itself in tests Ignore W504 code style like in travis config Ignore consider-using-enumerate for now Address consider-using-in Fix comparison-with-callable Fix useless-import-alias Resolve user/group names in idoverride*-find Add integration tests for idviews Add index and container for RFC 2307 IP services LDAPUpdate: Batch index tasks Add more LDAP indices Create reindex task for ipaca DB Add index on idnsName Create systemd-user HBAC service and rule Make conftest compatible with pytest 4.x Fix systemd-user HBAC rule Add workaround for slow host/service del Optimize cert remove case Felipe Barreto (1): Fixing tests on TestReplicaManageDel Florence Blanc-Renaud (43): ipa client uninstall: clean the state store when restoring hostname PRCI: extend timeouts Tests: add integration test for password changes by dir mgr ipa commands: print 'IPA is not configured' when ipa is not setup Test: test ipa-* commands when IPA is not configured DS replication settings: fix regression with <3.3 master uninstall -v: remove Tracebacks ipautil.run: add test for runas parameter Fix ipa-replica-install when key not protected by PIN ipa-server-install: do not perform forwarder validation with --no-dnssec-validation tests: add test for server install with --no-dnssec-validation ipa-replica-install: fix pkinit setup Tests: test successful PKINIT install on replica ipa-replica-install: properly use the file store Test: scenario replica install/uninstall should restore nss.conf ipa-advise: fix script for smart card preparation Bump requires for pki Bump requires 389-ds-base Adapt backport to ipa-4-6 branch ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad ipa-backup: restart services before compressing the backup ipatest: add functional test for ipa-backup ipa user-add: add optional objectclass for radius-username tests: add xmlrpc test for ipa user-add --radius-username radiusproxy: add permission for reading radius proxy servers ipatests: add integration test for "Read radius servers" perm ipa-replica-install: password and admin-password options mutually exclusive ipatests: add test for ipa-replica-install options ipatests: fix test_replica_uninstall_deletes_ruvs ipaldap.py: fix method creating a ldap filter for IPACertificate ipatests: add xmlrpc test for user|host-find --certificate ipa upgrade: handle double-encoded certificates ipatests: add upgrade test for double-encoded cacert ipatests: fix TestUpgrade::test_double_encoded_cacert ipatest: add test for ipa-pkinit-manage enable|disable PKINIT: fix ipa-pkinit-manage enable|disable replication: check remote ds version before editing attributes replica installation: add master record only if in managed zone ipatests: add test for replica in forward zone tests: fix failure in test_topology_TestTopologyOptions:test_add_remove_segment CRL generation master: new utility to enable|disable Test: add new tests for ipa-crlgen-manage ipa server: prevent uninstallation if the server is CRL master Francisco Trivino (1): prci_definitions: update vagrant memory topology requirements François Cami (5): Add a shared-vault-retrieve test Add a "Find enabled services" ACI in 20-aci.update so that all users can find IPA servers and services. ACI suggested by Christian Heimes. pylintrc: ignore R1720 no-else-raise errors ipatests: add too-restritive mask tests ipa-{server,replica}-install: add too-restritive mask detection Fraser Tweedale (12): Fix writing certificate chain to file ipaldap: avoid invalid modlist when attribute encoding differs rpc: always read response certupdate: add commentary about certmonger behaviour cert-request: restrict IPAddress SAN to host/service principals cert-request: collect only qualified DNS names for IPAddress validation cert-request: generalise _san_dnsname_ips for arbitrary cname depth cert-request: report all unmatched SAN IP addresses Add tests for cert-request IP address SAN support cert-request: more specific errors in IP address validation cert-request: handle missing zone cert-request: fix py2 unicode/str issues Ganna Kaihorodova (1): Add check for occuring traceback during uninstallation ipa master Ian Pilcher (1): Allow issuing certificates with IP addresses in subjectAltName Kaleemullah Siddiqui (1): Test coverage for multiservers for radius proxy Michal Reznik (7): ui_tests: fixes for issues with sending key and focus on element ui_tests: extend test_config.py suite ipa_tests: test ssh keys login test: client uninstall fails when installed using non-existing hostname tests: sssd_ssh fd leaks when user cert converted into SSH key add strip_cert_header() to tasks.py bump ci-ipa-4-6-f27 PRCI template Mohammad Rizwan Yusuf (6): Extended UI test for selfservice permission. Extended UI test for Certificates Check if issuer DN is updated after self-signed > external-ca Check if user permssions and umask 0022 is set when executing ipa-restore Test if WSGI worker process count is set to 4 Test error when yubikey hardware not present Nikhil Dehadrai (1): Test for improved Custodia key distribution Oleg Kozlov (1): Remove stale kdc requests info files when upgrading IPA server Petr Voborník (1): ipa-advise: update url of cacerdir_rehash tool Rob Crittenden (12): VERSION.m4: Set back to git snapshot zanata: update translations for ipa-4-6 Use replace instead of add to set new default ipaSELinuxUserMapOrder Replace some test case adjectives Rename test class for testing simple commands, add test replicainstall: DS SSL replica install pick right certmonger host Disable message about log in ipa-backup if IPA is not configured Enable LDAP debug output in client to display TLS errors in join Update mod_nss cipher list so there is overlap with a 4.x master Add support for multiple certificates/formats to ipa-cacert-manage Add tests for ipa-cacert-manage install Send only the path and not the full URI to httplib.request Robbie Harwood (2): Clear next field when returnining list elements in queue.c Add cmocka unit tests for ipa otpd queue code Sergey Orlov (1): ipatests: add test for correct modlist when value encoding differs Serhii Tsymbaliuk (15): Fix hardcoded CSR in test_webui/test_cert.py Use random IPs and domains in test_webui/test_host.py Increase request timeout for WebUI tests Fix test_realmdomains::test_add_single_labeled_domain (Web UI test) Use random realmdomains in test_webui/test_realmdomains.py Fix test_user::test_login_without_username (Web UI test) Fix unpermitted user session in test_selfservice (Web UI test) Add SAN extension for CSR generation in test_cert (Web UI tests) Generate CSR for test_host::test_certificates (Web UI test) Add cookies clearing for all Web UI tests Remove unnecessary session clearing in some Web UI tests Increase some timeouts in Web UI tests Fix UI_driver.has_class exception. Handle situation when element has no class attribute Change Web UI tests setup flow Fix "Configured size limit exceeded" warning on Web UI Sumit Bose (1): ipa-extdom-exop: add instance counter and limit Thierry Bordaz (1): In IPA 4.4 when updating userpassword with ldapmodify does not update krbPasswordExpiration nor krbLastPwdChange Thomas Woerner (4): ipaserver/plugins/cert.py: Added reason to raise of errors.NotFound Find orphan automember rules Fix ressource leak in client/config.c get_config_entry Fix ressource leak in daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c ipa_cldap_netlogon Tibor Dudlák (4): Do not check deleted files with `make fastlint` Re-open the ldif file to prevent error message Add assert to check output of upgrade Do not set ca_host when --setup-ca is used

5 years, 1 month

1
0
0 / 0

Re: freeIPA Host certs

by Florence Blanc-Renaud

On 3/19/19 4:18 PM, Azim Siddiqui wrote: > Hi Florence, > > Thanks for the info. I will check for the ipa cert-find command and will > send you the output. Actually, when I am trying to do $ kinit admin it > is asking for a password. And I am not sure about the password, as I > said it was set by the previous system admin. > Hi (re-adding freeipa-users in cc) if you do kinit -kt /etc/krb5.keytab you should also have enough permissions to perform ipa cert-find. > And also I can see there is nssdb directory on the server. Do you by any > chance know, what is that for? There are many nssdb directories on a FreeIPA system. For instance /etc/ipa/nssdb is the NSS database used by the ipa * commands. It contains the certificates of the trusted certificate authorities. You can find more information re. NSS databases in the man page for certutil(1). > > If I have the private key on the server, how can I renew the certificate > signed by IPA. can you please provide me the steps. If you have the private key in $NSSDB database you just need to follow the steps provided in my first email (https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...). flo > > thanks & Regards, > Azeem > > On Tue, 19 Mar 2019 at 04:57, Florence Blanc-Renaud <flo(a)redhat.com > <mailto:flo@redhat.com>> wrote: > > On 3/18/19 7:50 PM, Azim Siddiqui wrote: > > Hi Florence, > > > > Thanks for your reply. > > I am referring to the applications. For example, we have > > Apache,haproxy,jenkins,git which uses certs signed by IPA. And > now when > > I am browsing these applications urls. It is showing, this site > is not > > secured. > > And originally, This cert were created by a system admin, who is not > > working with us now. So its getting hard for me to figure out, > how can I > > create or renew the certs. > > > > And I don't see any files ssl.conf or nss.conf in the server. > > The output for getcert list command shows this :- > > getcert list > > Number of certificates and requests being tracked: 0. > > > > > > I just want to create a crt and key file signed by IPA. So that I > can > > use it for the browsers. > Hi, > > please keep the users mailing list in cc, so that everyone can get > involved/see the resolution. > > It is difficult to provide advice with so few information. Can you > start > by checking which certificates were already issued by FreeIPA, and > we'll > see if they are expired? > > $ kinit admin > $ ipa cert-find > > With the full output and based on the subject you'll be able to > identify > the host or service certs that you are using for your applications. For > each of these certs, run > $ kinit admin > $ ipa cert-show <serial number> > and the output will show if the cert is expired (check the Not After > field). > > For an expired cert, you will be able to renew the cert if you still > have the private key. The private key location can be found by checking > the configuration of your applications. > For instance apache on rhel or fedora stores its config in > /etc/httpd/conf/httpd.conf, which by default loads the modules in > conf.modules.d/*.conf and the config files in conf.d/*.conf. > > flo > > > > Thanks, > > Azeem > > > > > > On Mon, 18 Mar 2019 at 05:30, Florence Blanc-Renaud > <flo(a)redhat.com <mailto:flo@redhat.com> > > <mailto:flo@redhat.com <mailto:flo@redhat.com>>> wrote: > > > > On 3/15/19 8:16 PM, Azim Siddiqui wrote: > > > Hi Florence, > > > > > > Hope you are doing good. I tried the way you said. But > still, it is > > > showing certificate is expired. > > > > > > Let me be more clear about it. > > > > > > We have apache running with an expired certificate which is > > signed by > > > FreeIPA. Now I want to renew or create a new certificate. > So can you > > > please tell me how can I renew or create a new certificate > signed by > > > Freeipa. > > > As whenever I am going to the Apache URL from the browser, > it is > > showing > > > site is not secured. > > > > > > Thanks & Regards, > > > Azeem > > > > > Hi, > > > > (re-adding freeipa-users in CC). > > Can you first confirm that you are referring to a cert for > the apache > > server *not running on one of the FreeIPA masters*? > > > > Then please explain how you originally obtained the > certificate. Also > > include the following information: > > - relevant apache configuration (if using mod_ssl, then > > /etc/httpd/conf.d/ssl.conf or if using mod_nss, > > /etc/httpd/conf.d/nss.conf). > > - output of getcert list on the host running apache > > > > flo > > > > > On Wed, 19 Dec 2018 at 14:04, Florence Blanc-Renaud > > <flo(a)redhat.com <mailto:flo@redhat.com> > <mailto:flo@redhat.com <mailto:flo@redhat.com>> > > > <mailto:flo@redhat.com <mailto:flo@redhat.com> > <mailto:flo@redhat.com <mailto:flo@redhat.com>>>> wrote: > > > > > > On 12/13/18 4:04 PM, Azim Siddiqui via FreeIPA-users > wrote: > > > > Hello, > > > > > > > > Hope you are doing good. I have a question regarding > > freeIPA host > > > > certificates. > > > > We are using FreeIPA as our LDAP. We have some > > certificates for > > > hosts ex > > > > :- http/uat.com <http://uat.com> <http://uat.com> > <http://uat.com> > > <http://uat.com>. > > > > And we deploying the certs in Haproxy in PEM format. > > > > But the certificates for this host has been expired. > > > > Can you please let me know in detail how to renew > my expired > > > > certificates for the hosts. Please provide me the > commands > > and steps. > > > > > > > Hi, > > > > > > from your description I understand that you are > referring to > > > certificates delivered by IPA CA for one of the > IPA-enrolled > > hosts, but > > > not the master's Server-Cert used for IPA Web GUI. > > > > > > In this case, how did you obtain the certificate? If > you used > > a method > > > similar to what is described in this wiki [1], the > certificate > > > should be > > > monitored by certmonger and automatically renewed. > > > > > > If you followed instead this wiki [2], the certificate > is not > > > tracked by > > > certmonger and needs to be manually renewed. You need > to do the > > > following, assuming that the cert is in a NSS database > $NSSDB > > on the > > > IPA > > > client: > > > - find the key nickname > > > # certutil -K -d $NSSDB > > > certutil: Checking token "NSS Certificate DB" in slot "NSS > > User Private > > > Key and Certificate Services" > > > Enter Password or Pin for "NSS Certificate DB": > > > < 0> rsa > 7c0646606b33ab683ee4d1790719ebc4154db0f6 NSS > > > Certificate > > > DB:Server-Cert > > > (note the key nickname for the next command) > > > > > > - create a new certificate request that will re-use the > > existing key > > > (replace DOMAIN.COM <http://DOMAIN.COM> > <http://DOMAIN.COM> <http://DOMAIN.COM> > > with your IPA domain, in > > > uppercase): > > > # certutil -R -d $NSSDB -k "NSS Certificate > DB:Server-Cert" -s > > > cn=`hostname,O=DOMAIN.COM <http://DOMAIN.COM> > <http://DOMAIN.COM> > > <http://DOMAIN.COM>" -a -o /tmp/cert.csr > > > Enter Password or Pin for "NSS Certificate DB": > > > > > > - request a certificate using the new certificate request > > > # kinit admin > > > # ipa cert-request --principal=HTTP/`hostname` > /tmp/web.csr > > > (the output will display a Serial Number that needs to be > > noted for the > > > next command) > > > > > > - remove the previous cert from the NSS database: > > > # certutil -D -d $NSSDB -n Server-Cert > > > > > > - export the certificate to a file, then import the > > certificate in the > > > NSS database: > > > # ipa cert-show $SERIAL_NUMBER --out=/tmp/server.crt > > > # certutil -A -d $NSSDB -n Server-Cert -t u,u,u -i > > /tmp/server.crt > > > > > > HTH, > > > flo > > > > > > [1] > > > > > > https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Cert... > > > [2] > https://www.freeipa.org/page/PKI#Manual_certificate_requests > > > > > > > FreeIPA, version: 4.2.0 > > > > > > > > Thanks & Regards, > > > > Azeem > > > > > > > > > > > > _______________________________________________ > > > > FreeIPA-users mailing list -- > > > freeipa-users(a)lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org> > > <mailto:freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org>> > > > <mailto:freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org> > > <mailto:freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org>>> > > > > To unsubscribe send an email to > > > freeipa-users-leave(a)lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org> > > <mailto:freeipa-users-leave@lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org>> > > > <mailto:freeipa-users-leave@lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org> > > <mailto:freeipa-users-leave@lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org>>> > > > > Fedora Code of Conduct: > > https://getfedora.org/code-of-conduct.html > > > > List Guidelines: > > > https://fedoraproject.org/wiki/Mailing_list_guidelines > > > > List Archives: > > > > > > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > > > > > > > > > >

5 years, 1 month

1
0
0 / 0

timeout for IPA command

by Charles Hedrick

It appears that the IPA command uses a host hardwired in /etc/ipa/default.conf. If that fails, it then gets a list from DNS. This works fine if there’s a connection refused, but if there is no response, it takes so long to time out that most users will give up. Is there a way to change the timeout?

5 years, 1 month

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users March 2019