Puppet user management with FreeIPA
by Dan White
Has anyone out there successfully set up Puppet to use FreeIPA as an LDAP provider for user resources?
I found
https://www.freeipa.org/page/HowTo/LDAP
which says:
This user also has no special rights and is unable to write any data in the IPA LDAP server, only read.
but this page
https://puppet.com/docs/puppet/6.7/types/user.html#user-provider-ldap
says:
User management via LDAP: This provider requires that you have valid values for all of the LDAP-related settings in puppet.conf, including ldapbase. You will almost definitely need settings for ldapuser and ldappassword in order for your clients to write to LDAP.
Thus my dilemma. Can I make the IPA "service account" read-write, or can Puppet live with read-only?
------------------------------------------------
“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.” (Bill Watterson: Calvin & Hobbes)
4 years, 8 months
DIRSRV external signed cert questions
by Boyd Ako
This involves the `ipa-server-certinstall` command.
1) If I used the option to install a P12 for dirsrv, will dirsrv be doing OCSP validation? If so, is there a way for me to disable OCSP validation?
2) Is there any documentation or information on what kind of cert the DIRSRV service needs?
==== Cert Info ====
Version: 3 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:51:C4:8B:33:99:94:C0:7E:BB:36:1D:E3:E2:3A:05:BD:32:74:9D:53
X509v3 Subject Key Identifier:
32:E1:3A:F5:1D:26:AB:A2:FE:E2:E7:6E:21:D2:96:99:87:49:1E:0F
Authority Information Access:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 CRL Distribution Points:
Full Name:
X509v3 Subject Alternative Name:
X509v3 Certificate Policies:
Policy: 2.16.840.1.101.2.1.11.39
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, 1.3.6.1.5.5.8.2.2
4 years, 8 months
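As an added example (not part of the post above), a small Python check that parses an openssl-style text dump like the one quoted and verifies the extensions a TLS server certificate is generally expected to carry. The required key-usage/EKU profile, the hostnames and the sample dumps are assumptions made for the example, not a statement of what ipa-server-certinstall or dirsrv enforces.

```python
import re
# Constructed sample, modelled on the dump quoted in the post; values are made up.
SAMPLE_DUMP = """\
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Subject Alternative Name:
        DNS:ipa.example.test, DNS:ldap.example.test
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication, 1.3.6.1.5.5.8.2.2
"""
# The same constructed dump with the SAN values missing, like the empty SAN block in the post.
NO_SAN_DUMP = SAMPLE_DUMP.replace("        DNS:ipa.example.test, DNS:ldap.example.test\n", "")

# Assumed profile for a generic TLS server certificate (not what ipa-server-certinstall enforces).
REQUIRED_KU = {"Digital Signature", "Key Encipherment"}
REQUIRED_EKU = {"TLS Web Server Authentication"}
# An extension header is "Name:" optionally followed by "critical"; its values follow it.
_HEADER = re.compile(r"^\s*([A-Z][A-Za-z0-9 ]*?):\s*(critical)?\s*$")


def parse_extensions(dump):
    """Map each extension header to the comma-separated values listed under it."""
    exts, current = {}, None
    for line in dump.splitlines():
        m = _HEADER.match(line)
        if m:
            current = m.group(1)
            exts.setdefault(current, [])
        elif current is not None:
            exts[current].extend(v.strip() for v in line.split(",") if v.strip())
    return exts


def check_server_cert(dump, hostname):
    """Return the profile violations found; an empty list means the dump passes."""
    exts = parse_extensions(dump)
    problems = []
    missing_ku = REQUIRED_KU - set(exts.get("X509v3 Key Usage", []))
    if missing_ku:
        problems.append("key usage missing: " + ", ".join(sorted(missing_ku)))
    missing_eku = REQUIRED_EKU - set(exts.get("X509v3 Extended Key Usage", []))
    if missing_eku:
        problems.append("extended key usage missing: " + ", ".join(sorted(missing_eku)))
    # Modern TLS clients match the hostname against the SAN only, never against the CN.
    sans = {v[4:] for v in exts.get("X509v3 Subject Alternative Name", []) if v.startswith("DNS:")}
    if not sans:
        problems.append("no DNS subjectAltName")
    elif hostname not in sans:
        problems.append("subjectAltName does not cover " + hostname)
    return problems
```

Feed it the output of `openssl x509 -text -noout -in <cert>` to check a candidate certificate before installing it.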
Tomcat certificate issue
by Louis Lagendijk
I have similar problems as the ones described in
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
My IPA setup has 2 masters, both running CentOS 7.6.
Today I got notified by Nagios that there were issues with my second server, ipa2.
Checking ipactl I noticed that nothing much was running. ipactl start brought up a message that an upgrade was required (I apparently got an ipa update yesterday that I installed). The upgrade failed.
Checking my certificates with getcert list gave me:
.
.
.
Request ID '20181001154055':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=HOME.FAZANT.NET
subject: CN=ipa2.home.fazant.net,O=HOME.FAZANT.NET
expires: 2019-04-25 21:33:46 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20181001154056':
so I reset the date to Mar 20 and did a resubmit for the certificate; that failed (as in the submission went OK, but the cert did not get renewed).
Checking Flo's blog:
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom...
and
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
made me execute:
[root@ipa2 ~]# certutil -d /etc/pki/pki-tomcat/alias -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
ocspSigningCert cert-pki-ca u,u,u
Server-Cert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
subsystemCert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu
[root@ipa2 ~]#
and
#!/bin/bash
for i in $(certutil -d /etc/pki/pki-tomcat/alias -L | grep cert-pki | awk '{print $1}') ; do
    certutil -d /etc/pki/pki-tomcat/alias -K -f /tmp/pwdfile.txt -n "$i cert-pki-ca"
done
which resulted in:
[root@ipa2 ~]# bash /root/ss
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa 4286ed93407806ec2727e6244cc3959ec726265e caSigningCert cert-pki-ca
To answer Frazer's question in the follow-up to the mail from last year: no, pki-tomcat is non-functional; I do have my second server though.
certutil -L gives me:
[root@ipa2 ~]# certutil -L 'ocspSigningCert cert-pki-ca'
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
Any help getting this issue resolved would be much appreciated.
kind regards, Louis
4 years, 8 months
mkhomedir option not working on ubuntu 16.04 clients
by Saurabh Garg
We have our domain controller (ipa-server) running on Red Hat 7.6, and the ipa-clients are running Ubuntu 16.04.
We are using the command below to enrol these Ubuntu machines into the domain controller:
ipa-client-install --unattended --domain=example.com --principal=admin --password=changeit@123 --mkhomedir --server=idm.example.com --force-join
When a domain user SSHes into any of these Ubuntu servers, he/she doesn't see his/her home directory created (although we are using the --mkhomedir switch in our enrolment command). We have 150+ servers on which to fix this problem. Any suggestions?
Thanks,
Saurabh Garg
4 years, 8 months
Removing first freeipa master
by Jo Domsic
Hi to the good people of FreeIPA!
I'm in the process of removing old servers from my datacenter, and I was wondering if I can delete/remove the (first created) FreeIPA server?
I have 4 masters:
[root@server] ipa-replica-manage list
freeipa03.lan: master
freeipa04.lan: master
freeipa01.lan: master <--- I want to delete this one
freeipa02.lan: master
What will happen to servers that have:
[root@server2] cat /etc/ipa/default.conf
#File modified by ipa-client-install
[global]
basedn = dc=lan
realm = LAN
domain = lan
server = freeipa01.lan
host = server2.lan
xmlrpc_uri = https://freeipa01.lan/ipa/xml
enable_ra = True
4 years, 8 months
IPA with multiple legs: hostname resolution
by Dmitry Perets
Hi,
I'd like to ask for your advice on the following topology...
On a given site, IPA server has two legs (two NICs), let's call them "inside NIC" and "outside NIC".
The inside NIC subnet is local to the site. The outside NIC subnet is interconnecting sites.
All the local clients talk to IPA via the inside NIC. But to set up a replica on another site, we must reach IPA via the outside NIC (the inside subnet is not routable beyond the local site boundaries).
So the question arises: how to configure proper DNS resolution for the hostname of the IPA server itself?
DNS is handled by IPA itself, fully in our control.
So we have two options:
1. We create two A records for the same IPA hostname, let's say "ipa.site1.example.com". But then I'm not sure if it will work fine... Technically, two IPs for the same name means load-balancing, right? So will I have intermittent connectivity issues, because it will return the inside and outside IP interchangeably?
2. We create a new DNS name, e.g. "ipa-outside-site1.example.com", for the outside IP, and manually add it to the @ entry of "example.com", so that the wannabe replica on the remote site can use that FQDN as its master IPA. Will this work fine? Will it not cause issues for the local clients on site1, who must keep using IPA with the inside IP? Will it not cause issues on the IPA server itself for some reason?
Please share your experience on this!
Thanks.
4 years, 8 months
SNI Certificates
by Christian Reiss
Hey folks,
Really quick question. If a host, say web01.example.com, is online, in IPA and all, but serving supremecustomer.com and I would need an (IPA-signed, which suffices) cert, would this be the right way?
Assumptions:
- All commands executed on web01.example.com
- /etc/ssl/ipa & perms are OK.
cert="supremecustomer.com"
ipa host-add ${cert} --desc="Dummy Host / ${cert}" --location="$(hostname -f)"
ipa host-add-managedby ${cert} --hosts="$(hostname -f)"
ipa service-add HTTP/${cert}
ipa service-add-host HTTP/${cert} --hosts="$(hostname -f)"
ipa-getcert request -r -f /etc/ssl/ipa/${cert}.crt -k /etc/ssl/ipa/${cert}.key -N CN=${cert} -D ${cert} -K HTTP/${cert}
chown root:nginx /etc/ssl/ipa/${cert}.{key,crt}
chmod 0640 /etc/ssl/ipa/${cert}.{key,crt}
Is this still the way to go? Is there a way around "one dummy host per SNI certificate" in any way?
Cheers,
Chris.
--
Christian Reiss - email(a)christian-reiss.de
support(a)alpha-labs.net
WEB alpha-labs.net
ASCII Ribbon Campaign against HTML in eMails
GPG Retrieval https://gpg.christian-reiss.de
GPG ID ABCD43C5, 0x44E29126ABCD43C5
GPG fingerprint = 9549 F537 2596 86BA 733C A4ED 44E2 9126 ABCD 43C5
"It's better to reign in hell than to serve in heaven.",
John Milton, Paradise lost.
4 years, 8 months
ipa user-del and UI fails, as well, ldapdelete
by Sandor Juhasz
We have an entry which, after clicking delete in the UI, got partially deleted.
The compat tree entry is gone.
The accounts tree entry is there.
ldapsearch finds the entry by uid, but fails by dn.
ipa user-show <USERID> finds the user
ipa user-del <USERID> says no such user
ldapdelete fails to delete the entry by dn with err=32
Web ui shows user
User content can be modified from the ipa CLI and web UI (like name, shell), but the user cannot be deleted.
Other entries can be created and deleted without issue.
We have 4-way master-master replication. Tried the CLI on 3 masters and got the same result and issue.
The fourth is not touched, and the entry is available there in both the accounts and compat tree.
ipa-server-4.6.4-10.el7.centos.3.x86_64
CentOS Linux release 7.6.1810 (Core)
On full broken master:
# <USERID>, users, accounts, cxn
dn: uid=<USERID>,cn=users,cn=accounts,dc=cxn
gecos: FOO BAR
displayName: FOO BAR
krbLastAdminUnlock: 20190807124134Z
krbLoginFailedCount: 0
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=cxn
memberOf: cn=somegroup1,cn=groups,cn=accounts,dc=cxn
memberOf: cn=somegroupt2,cn=groups,cn=accounts,dc=cxn
gidNumber: <GID>
uidNumber: <UID>
ipaUniqueID: <RANDOMUNIQUEID>
cn: BAZ
givenName: FOO
krbPrincipalName: <USERID>@CXN
mail: <MAIL>
homeDirectory: /home/<USERID>
sn: BAR
initials: cU
loginShell: /bin/false
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
krbCanonicalName: <USERID>@CXN
uid: <USERID>
mepManagedEntry: cn=<USERID>,cn=groups,cn=accounts,dc=cxn
krbPasswordExpiration: 20170615133527Z
krbLastPwdChange: 20170615133527Z
krbExtraData:: AAIfjUJZcm9vdC9hZG1pbkBDWE4A
On untouched master:
# <USERID>, users, compat, cxn
dn: uid=<USERID>,cn=users,cn=compat,dc=cxn
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos: BAZ
cn: BAZ
uidNumber: <UID>
gidNumber: <GID>
loginShell: /bin/false
homeDirectory: /home/<USERID>
ipaAnchorUUID:: somerandomuuid
uid: <USERID>
# <USERID>, users, accounts, cxn
dn: uid=<USERID>,cn=users,cn=accounts,dc=cxn
gecos: FOO BAR
displayName: FOO BAR
krbLastAdminUnlock: 20190807124134Z
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=cxn
memberOf: cn=group1,cn=groups,cn=accounts,dc=cxn
memberOf: cn=group2,cn=groups,cn=accounts,dc=cxn
gidNumber: <GID>
krbExtraData:: AAIfjUJZcm9vdC9hZG1pbkBDWE4A
krbLastPwdChange: 20170615133527Z
krbPasswordExpiration: 20170615133527Z
mepManagedEntry: cn=<USERID>,cn=groups,cn=accounts,dc=cxn
uid: <USERID>
krbCanonicalName: <USERID>@CXN
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/false
initials: cU
sn: BAR
homeDirectory: /home/<USERID>
mail: <MAIL>
krbPrincipalName: <USERID>@CXN
givenName: FOO
cn: BAZ
ipaUniqueID: randomuniqueid
uidNumber: <UID>
--
*Sándor Juhász*
System Administrator
*ChemAxon* *Kft*.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964
4 years, 8 months
Unable to perform cross forest trust with AD
by Darvid Kairne
Attempting to create a one-way trust from FreeIPA to AD. Both are fresh installations and up to date: AD DS on 2k19 and FreeIPA on CentOS 7.
After running `ipa-adtrust-install`, running `smbclient -L ipaserver.ipa.example.net -k` only returns `Reconnecting with SMB1 for workgroup listing.`
The error I receive when running `ipa trust-add` is `ipa: ERROR: an internal error has occurred`. At this point the trust appears in the incoming trusts in AD.
Both firewalls disabled. Both realms have integrated dns and conditional forwarders set up. All SRV records are resolvable in both directions. I manually created `_kerberos._udp.dc._msdcs.ad.example.com.` as it was not present.
4 years, 8 months