hide domain of AD users on Solaris clients?
by Amos
Our IPA servers are in a one-way AD trust. Since all of our users are in
AD, I take advantage of the SSSD settings on the clients to hide the
@AD_REALM from their login names, and use AD_REALM as the default_realm.
This works nicely.
Solaris clients, however, do not have the convenience of SSSD. I
understand that the fully-qualified login names are required for systems
using the compat feature so that the IPA servers know to lookup those users
in AD. Still, I was wondering if there is any way of doing something
similar on Solaris to hide the domain part if it is the default. I had
hoped that maybe an idview would do it, but it seems unlikely.
Amos
1 year, 7 months
Is it possible to use the FreeIPA LDAP interface to authenticate AD users?
by Chris Dagdigian
My use case on AWS involves ephemeral or auto-scaling servers that do
not live long enough to justify a formal IPA enroll/un-enroll process.
We have a great AD-integrated IPA system running at the moment and I've
been able to configure a light test client that trusts the IPA CA
certificate and will become an LDAPS client of the FreeIPA server.
This works great for local IPA users, but I'm trying to think this
through and I'm not sure whether I can use LDAP to authenticate an AD user.
Is this even possible?
This is my working sssd.conf for a test client that just uses LDAP --
works great for resolving users and groups that are local IPA users but
so far I can't resolve any of the AD resident users:
```ini
[domain/default]
autofs_provider = ldap
cache_credentials = True
ldap_search_base = cn=users,cn=accounts,dc=ipa,dc=example,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ipa001.ipa.example.com/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/pki/tls/
default_shell = /bin/bash
override_shell = /bin/bash
```
Is there any method using ldap_search_base or an override of the Default
Trust View that would allow me to deploy a client that only talks LDAP
to FreeIPA but is able to resolve and authenticate AD users? I'm
wondering if this is even possible or if I'm looking at a lost cause.
Thanks!
Chris
1 year, 7 months
Error during FreeIPA installation
by Charles Sibbald
I get an error during the FreeIPA Ansible install which does not seem to make sense.
I have the following inventory file, `inventory/hosts.cluster`:
```ini
[ipaserver]
freeipa-1 ansible_host=10.27.3.1 ansible_port=22 ansible_user='centos' ansible_sudo_pass='centos' ansible_ssh_private_key_file='~/.ssh/id_rsa'
freeipa-2 ansible_host=10.27.3.2 ansible_port=22 ansible_user='centos' ansible_sudo_pass='centos' ansible_ssh_private_key_file='~/.ssh/id_rsa'
[ipaserver:vars]
ipaserver_setup_dns=yes
ipaserver_auto_forwarders=yes
ipaserver_no_firewalld=no
ipaadmin_password=ADMPassword1
ipadm_password=DMPassword1
ipaserver_setup_dns=yes
ipaserver_domain=packet.das-schiff.io
ipaserver_realm=packet.das-schiff.io
ipaserver_no_host_dns=false
[ipareplicas]
ipareplica1.test.local
[ipareplicas:vars]
ipaclient_force_join=yes
[ipaclients]
ipaclient1.test.local
ipaclient2.test.local
[ipaclients:vars]
#ipaclient_use_otp=yes
ipaclient_allow_repair=yes
[ipa:children]
ipaserver
ipareplicas
ipaclients
[ipa:vars]
ipaadmin_password=password1
ipadm_password=password1
ipaserver_domain=test.local
ipaserver_realm=TEST.LOCAL
```
and the following `/etc/hosts` contents:
```
::1 freeipa-2.packet.das-schiff.io freeipa-2
10.27.3.2 freeipa-2.packet.das-schiff.io freeipa-2
```
however I keep getting the following error:
```
<10.27.3.1> Failed to connect to the host via ssh: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /home/casibbald/.ssh/config
debug1: /home/casibbald/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: auto-mux: Trying existing master
debug2: fd 3 setting O_NONBLOCK
debug2: mux_client_hello_exchange: master version 4
debug3: mux_client_forwards: request forwardings: 0 local, 0 remote
debug3: mux_client_request_session: entering
debug3: mux_client_request_alive: entering
debug3: mux_client_request_alive: done pid = 3029733
debug3: mux_client_request_session: session request sent
debug1: mux_client_request_session: master session id: 2
The hostname resolves to the localhost address (127.0.0.1/::1)
Please change your /etc/hosts file so that the hostname
resolves to the ip address of your network interface.
The KDC service does not listen on localhost
Please fix your /etc/hosts file and restart the setup program
debug3: mux_client_read_packet: read header failed: Broken pipe
debug2: Received exit status from master 1
The full traceback is:
File "/tmp/ansible_ipaserver_prepare_payload_0ik3mxe2/ansible_ipaserver_prepare_payload.zip/ansible/modules/ipaserver_prepare.py", line 350, in main
File "/usr/lib/python3.6/site-packages/ipaserver/install/dns.py", line 270, in install_check
True, options.ip_addresses)
File "/usr/lib/python3.6/site-packages/ipaserver/install/installutils.py", line 484, in get_server_ip_address
raise ScriptError()
fatal: [freeipa-1]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"_hostname_overridden": true,
"allow_zone_overlap": false,
"auto_forwarders": true,
"auto_reverse": false,
"ca_cert_files": [],
"ca_subject": null,
"dm_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"domain": "packet.das-schiff.io",
"enable_compat": false,
"external_ca": false,
"external_ca_profile": null,
"external_ca_type": null,
"external_cert_files": [],
"force": false,
"forward_policy": null,
"forwarders": [],
"hostname": "freeipa-1.packet.das-schiff.io",
"ip_addresses": [],
"netbios_name": null,
"no_dnssec_validation": false,
"no_forwarders": false,
"no_host_dns": true,
"no_reverse": false,
"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"realm": "PACKET.DAS-SCHIFF.IO",
"reverse_zones": [],
"rid_base": null,
"secondary_rid_base": null,
"setup_adtrust": false,
"setup_ca": true,
"setup_dns": true,
"setup_kra": false,
"subject_base": null
}
},
"msg": ""
}
```
1 year, 7 months
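The failure above comes from the installer's hostname check (`get_server_ip_address` in `installutils.py`): the server FQDN must resolve to a real interface address, and the `/etc/hosts` shown maps it to `::1` as well as to `10.27.3.2`. The following is an added pre-flight check, not code from ansible-freeipa or FreeIPA, that reproduces that objection over an `/etc/hosts` file so it can be run before the playbook; the sample hosts files are constructed to mirror the one in the post.

```python
import ipaddress
from typing import Dict, List

# Constructed sample mirroring the /etc/hosts in the post: the FQDN is mapped
# to ::1 in addition to the interface address, which the installer rejects.
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
::1         freeipa-2.packet.das-schiff.io freeipa-2
10.27.3.2   freeipa-2.packet.das-schiff.io freeipa-2
"""

# Constructed corrected file: loopback lines only name localhost.
FIXED_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
::1         localhost6 localhost6.localdomain6
10.27.3.2   freeipa-2.packet.das-schiff.io freeipa-2   # server interface
"""


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map every name in an /etc/hosts-style file to the addresses it is given.

    Comments (# ...) and blank lines are skipped, lines whose first field is
    not a valid IP address are ignored, and names are lower-cased because the
    resolver compares host names case-insensitively.
    """
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed address field, not a hosts entry
        for name in fields[1:]:
            mapping.setdefault(name.lower(), []).append(addr)
    return mapping


def check_server_hostname(text: str, fqdn: str) -> Dict[str, object]:
    """Reproduce the installer's objection: the FQDN must not resolve to loopback."""
    addrs = parse_hosts(text).get(fqdn.lower(), [])
    loopback = [a for a in addrs if ipaddress.ip_address(a).is_loopback]
    routable = [a for a in addrs if not ipaddress.ip_address(a).is_loopback]
    problems: List[str] = []
    if not addrs:
        problems.append(f"{fqdn} has no entry in /etc/hosts")
    if loopback:
        problems.append(
            f"{fqdn} resolves to loopback {', '.join(loopback)}; "
            "the KDC does not listen on localhost"
        )
    return {"ok": not problems, "addresses": routable, "problems": problems}


if __name__ == "__main__":
    for label, hosts in (("as posted", SAMPLE_HOSTS), ("corrected", FIXED_HOSTS)):
        result = check_server_hostname(hosts, "freeipa-2.packet.das-schiff.io")
        print(label, "->", "OK" if result["ok"] else "; ".join(result["problems"]))
```

Note that the inventory targets `freeipa-1` while the hosts file shown is from `freeipa-2`; run the check with the FQDN of the host that actually fails.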
Deploying freeipa-client with ansible-freeipa behind haproxy
by Ulrich-Lorenz Schlüter
Hello there,
when I deploy the freeipa-client to hosts behind an HAProxy, most of the
hostnames get changed to the rDNS entry of the HAProxy. The
freeipa-clients get enrolled with this name. I know I can set --hostname,
but how do I do this with ansible-freeipa?
Thanks in advance & best regards
Uli
1 year, 7 months
Question about ID Views in AD Trust
by Vinícius Ferrão
Hello,
I'm aware that we can make overrides on AD users with the Default Trust View object on IPA. I've created another one for specific users named "Clients Trust" and added three user accounts there. I made the overrides that I want, and when I checked with getent on a Linux client, the overrides weren't applied.
On the new ID view there is this Hosts option, so I checked the two hosts that I'm interested in, and it still didn't override.
As a last resort I reset the sssd cache with sss_cache -E, but no success either.
So the question is: is it supported to override AD users in an ID view other than the Default Trust View? If yes, how can I debug why the override isn't working?
Thank you all.
1 year, 7 months
ipa migrate failing
by Per Qvindesland
Hi
While running the command `echo password123 | ipa migrate-ds --with-compat ldap://ipofldap:389 --bind-dn="cn=admin,dc=company,dc=com" --base-dn=dc=company,dc=com --user-container=ou=people --group-container=ou=groups --scope=subtree` it fails with:
ERROR: group LDAP search did not return any result (search base: ou=groups,dc=company,dc=com, objectclass: groupofuniquenames, groupofnames)
No matter how I change the command (for example to `ipa migrate-ds ldap://ldapserver:389 --bind-dn="cn=admin,dc=example,dc=com"`), it still fails with the same error.
Does anyone know how I can resolve this? In the slapd error logs I see this:
```
[26/Oct/2020:11:18:18.622956777 +0100] - ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.
[26/Oct/2020:11:18:19.228133838 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=example,dc=com does not exist
[26/Oct/2020:11:18:19.229323016 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=example,dc=com does not exist
[26/Oct/2020:11:18:19.229952707 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=example,dc=com does not exist
[26/Oct/2020:11:18:19.230652382 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=example,dc=com does not exist
[26/Oct/2020:11:18:19.231285195 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=example,dc=com does not exist
[26/Oct/2020:11:18:19.231934733 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[26/Oct/2020:11:18:19.232593780 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[26/Oct/2020:11:18:19.233232479 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[26/Oct/2020:11:18:19.233866104 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[26/Oct/2020:11:18:19.234486443 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[26/Oct/2020:11:18:19.235118913 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[26/Oct/2020:11:18:19.235747974 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[26/Oct/2020:11:18:19.236394872 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[26/Oct/2020:11:18:19.237060940 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[26/Oct/2020:11:18:19.237715214 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[26/Oct/2020:11:18:19.238356425 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[26/Oct/2020:11:18:19.244588134 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=example,dc=com does not exist
[26/Oct/2020:11:18:19.246571311 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not exist
[26/Oct/2020:11:18:19.247223136 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not exist
[26/Oct/2020:11:18:19.343344230 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[26/Oct/2020:11:18:19.348552041 +0100] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[26/Oct/2020:11:18:19.378667333 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[26/Oct/2020:11:18:19.381366608 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
[26/Oct/2020:11:18:19.383976582 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-PROXDYNAMICS-COM.socket for LDAPI requests
[26/Oct/2020:11:24:47.858883691 +0100] - INFO - op_thread_cleanup - slapd shutting down - signaling operation threads - op stack size 1 max work q size 2 max work q stack size 2
[26/Oct/2020:11:24:47.958419078 +0100] - INFO - slapd_daemon - slapd shutting down - closing down internal subsystems and plugins
[26/Oct/2020:11:24:49.018815611 +0100] - INFO - bdb_pre_close - Waiting for 4 database threads to stop
[26/Oct/2020:11:24:50.544575094 +0100] - INFO - bdb_pre_close - All database threads now stopped
[26/Oct/2020:11:24:50.557264313 +0100] - INFO - ldbm_back_instance_set_destructor - Set of instances destroyed
[26/Oct/2020:11:24:50.558354653 +0100] - INFO - connection_post_shutdown_cleanup - slapd shutting down - freed 2 work q stack objects - freed 5 op stack objects
[26/Oct/2020:11:24:50.558915217 +0100] - INFO - main - slapd stopped.
[26/Oct/2020:11:25:31.985322130 +0100] - INFO - slapd_extract_cert - CA CERT NAME: PROXDYNAMICS.COM IPA CA
[26/Oct/2020:11:25:32.004250734 +0100] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
[26/Oct/2020:11:25:32.204204240 +0100] - INFO - slapd_extract_cert - SERVER CERT NAME: Server-Cert
[26/Oct/2020:11:25:32.784801369 +0100] - INFO - Security Initialization - SSL info: Enabling default cipher set.
[26/Oct/2020:11:25:32.785394876 +0100] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
[26/Oct/2020:11:25:32.785945734 +0100] - INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled
[26/Oct/2020:11:25:32.786493194 +0100] - INFO - Security Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled
[26/Oct/2020:11:25:32.787079571 +0100] - INFO - Security Initialization - SSL info: TLS_AES_256_GCM_SHA384: enabled
[26/Oct/2020:11:25:32.787564682 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[26/Oct/2020:11:25:32.788075487 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[26/Oct/2020:11:25:32.788559673 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[26/Oct/2020:11:25:32.789102837 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[26/Oct/2020:11:25:32.789589594 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
[26/Oct/2020:11:25:32.790077677 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[26/Oct/2020:11:25:32.790578956 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[26/Oct/2020:11:25:32.791113852 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[26/Oct/2020:11:25:32.791943466 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[26/Oct/2020:11:25:32.792531988 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[26/Oct/2020:11:25:32.793207244 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[26/Oct/2020:11:25:32.793713859 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[26/Oct/2020:11:25:32.794224928 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[26/Oct/2020:11:25:32.794737674 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[26/Oct/2020:11:25:32.795251667 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[26/Oct/2020:11:25:32.795769593 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[26/Oct/2020:11:25:32.796287159 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[26/Oct/2020:11:25:32.796807154 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[26/Oct/2020:11:25:32.797403513 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[26/Oct/2020:11:25:32.797932212 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[26/Oct/2020:11:25:32.798459755 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
[26/Oct/2020:11:25:32.799030910 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[26/Oct/2020:11:25:32.799573067 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[26/Oct/2020:11:25:32.800109380 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[26/Oct/2020:11:25:32.800638525 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[26/Oct/2020:11:25:33.345680476 +0100] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.3
[26/Oct/2020:11:25:33.346491118 +0100] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.3
[26/Oct/2020:11:25:33.347161756 +0100] - INFO - main - 389-Directory/1.4.2.4 B2020.255.2048 starting up
[26/Oct/2020:11:25:33.347693917 +0100] - INFO - main - Setting the maximum file descriptor limit to: 262144
[26/Oct/2020:11:25:34.438699059 +0100] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds
[26/Oct/2020:11:25:34.442181997 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[26/Oct/2020:11:25:34.448132662 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[26/Oct/2020:11:25:34.453494825 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[26/Oct/2020:11:25:34.458647975 +0100] - NOTICE - ldbm_back_start - found 3868940k physical memory
[26/Oct/2020:11:25:34.459245844 +0100] - NOTICE - ldbm_back_start - found 3334504k available
[26/Oct/2020:11:25:34.459802577 +0100] - NOTICE - ldbm_back_start - cache autosizing: db cache: 96723k
[26/Oct/2020:11:25:34.460371153 +0100] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 131072k
[26/Oct/2020:11:25:34.461129521 +0100] - NOTICE - ldbm_back_start - cache autosizing: userRoot dn cache (3 total): 65536k
[26/Oct/2020:11:25:34.462282548 +0100] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 131072k
[26/Oct/2020:11:25:34.463016641 +0100] - NOTICE - ldbm_back_start - cache autosizing: ipaca dn cache (3 total): 65536k
[26/Oct/2020:11:25:34.464194998 +0100] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 131072k
[26/Oct/2020:11:25:34.464956271 +0100] - NOTICE - ldbm_back_start - cache autosizing: changelog dn cache (3 total): 65536k
[26/Oct/2020:11:25:34.465703802 +0100] - NOTICE - ldbm_back_start - total cache size: 683215667 B;
[26/Oct/2020:11:25:35.118987768 +0100] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES
[26/Oct/2020:11:25:35.119820971 +0100] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[26/Oct/2020:11:25:35.408089893 +0100] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES
[26/Oct/2020:11:25:35.408739079 +0100] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[26/Oct/2020:11:25:35.409291926 +0100] - ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.
[26/Oct/2020:11:25:35.699507155 +0100] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES
[26/Oct/2020:11:25:35.700197858 +0100] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[26/Oct/2020:11:25:35.993821262 +0100] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES
[26/Oct/2020:11:25:35.995400166 +0100] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[26/Oct/2020:11:25:35.996128828 +0100] - ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.
[26/Oct/2020:11:25:36.676724884 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=example,dc=com does not exist
[26/Oct/2020:11:25:36.677458024 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=example,dc=com does not exist
[26/Oct/2020:11:25:36.678097744 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=example,dc=com does not exist
[26/Oct/2020:11:25:36.678801681 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=example,dc=com does not exist
[26/Oct/2020:11:25:36.679445978 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=example,dc=com does not exist
[26/Oct/2020:11:25:36.680107840 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[26/Oct/2020:11:25:36.680752352 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[26/Oct/2020:11:25:36.681421435 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[26/Oct/2020:11:25:36.682075173 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[26/Oct/2020:11:25:36.682731538 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[26/Oct/2020:11:25:36.683392435 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[26/Oct/2020:11:25:36.683961442 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[26/Oct/2020:11:25:36.684550864 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[26/Oct/2020:11:25:36.685159287 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[26/Oct/2020:11:25:36.685757939 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[26/Oct/2020:11:25:36.686370905 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[26/Oct/2020:11:25:36.692387853 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=example,dc=com does not exist
[26/Oct/2020:11:25:36.694119273 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not exist
[26/Oct/2020:11:25:36.694778890 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not exist
[26/Oct/2020:11:25:36.790882675 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[26/Oct/2020:11:25:36.796103722 +0100] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[26/Oct/2020:11:25:36.826914731 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[26/Oct/2020:11:25:36.828243699 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
[26/Oct/2020:11:25:36.829512166 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
```
Regards
Per
1 year, 7 months
LDAP documentation
by Dominik Vogt
Hi Folks,
what's the authoritative place to look for documentation of the
ipa-server's LDAP database, please? (The structure of the
database.)
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
1 year, 7 months
LDAP login using the poco library
by Dominik Vogt
Background:
On an ipa-client, our customer wants to implement login to a
custom-made service using the Poco C++ library. There's something
about LDAP authenticators on this page:
pocoproject.org/pro/docs/00400-OSPAuth.html
The customer already had this implemented with a non-IPA LDAP
setup, but we don't have access to the source code.
Questions:
1) Is there any experience implementing LDAP-based authentication
in an IPA ecosystem using Poco? Examples, instructions, anything?
2) Is there some code example or even an example program for LDAP
authentication without Poco, in any language (but C/C++
preferred)?
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
1 year, 7 months
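For question 2, the wire-level exchange is small enough to show in full: the client sends one LDAPv3 BindRequest (RFC 4511) and reads back one BindResponse whose resultCode decides the login. The block below is an added, stdlib-only Python example written for this thread, not Poco code and not part of FreeIPA; it assumes the usual IPA bind DN shape `uid=<login>,cn=users,cn=accounts,<base DN>` and that the service talks to the IPA server over LDAPS with the IPA CA certificate, and the `ldaps_simple_bind` host and CA file names are placeholders. Two checks matter for security and are easy to get wrong in a custom authenticator: the password must never be sent in clear (hence LDAPS with certificate verification), and an empty password must be refused before sending, because a DN with an empty password is an unauthenticated bind that many servers answer with `success` (RFC 4513 section 5.1.2).

```python
import socket
import ssl
from typing import Dict, Tuple

# BER tags used by LDAPv3 (RFC 4511) for a simple bind.
TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING, TAG_ENUMERATED = 0x30, 0x02, 0x04, 0x0A
TAG_BIND_REQUEST = 0x60    # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61   # [APPLICATION 1], constructed
TAG_SIMPLE_AUTH = 0x80     # AuthenticationChoice simple [0], primitive
RESULT_NAMES = {0: "success", 13: "confidentialityRequired",
                48: "inappropriateAuthentication", 49: "invalidCredentials"}


def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(tag: int, n: int) -> bytes:
    # Non-negative integers only; the extra byte keeps the sign bit clear.
    return _tlv(tag, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    if not password:
        # An empty password turns this into an unauthenticated bind, which a
        # server may accept: never let a login form reach the wire this way.
        raise ValueError("refusing to send an unauthenticated (empty password) bind")
    bind = (_ber_int(TAG_INTEGER, 3) + _tlv(TAG_OCTET_STRING, dn.encode("utf-8"))
            + _tlv(TAG_SIMPLE_AUTH, password.encode("utf-8")))
    return _tlv(TAG_SEQUENCE, _ber_int(TAG_INTEGER, message_id) + _tlv(TAG_BIND_REQUEST, bind))


def encode_bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """What a server sends back (used here to construct offline test input)."""
    result = (_ber_int(TAG_ENUMERATED, result_code) + _tlv(TAG_OCTET_STRING, b"")
              + _tlv(TAG_OCTET_STRING, diagnostic.encode("utf-8")))
    return _tlv(TAG_SEQUENCE, _ber_int(TAG_INTEGER, message_id) + _tlv(TAG_BIND_RESPONSE, result))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos); raises ValueError('truncated ...') on short input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("truncated BER element" if nbytes <= 4 else "bad BER length")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def decode_bind_response(buf: bytes) -> Dict[str, object]:
    """Parse one BindResponse; only resultCode 0 means the credentials were accepted."""
    tag, msg, _ = _read_tlv(buf, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    tag2, op, _ = _read_tlv(msg, pos)
    if tag != TAG_INTEGER or tag2 != TAG_BIND_RESPONSE:
        raise ValueError("protocolOp is not a BindResponse")
    tag, code, pos = _read_tlv(op, 0)
    _, matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    rc = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(mid, "big"), "result_code": rc,
            "result": RESULT_NAMES.get(rc, "other"), "matched_dn": matched.decode(),
            "diagnostic": diag.decode(), "authenticated": rc == 0}


def ldaps_simple_bind(host: str, dn: str, password: str, cafile: str, port: int = 636) -> Dict[str, object]:
    """One bind over LDAPS; the server certificate is verified against the IPA CA in cafile."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain and hostname
    with socket.create_connection((host, port), timeout=10) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(encode_simple_bind(1, dn, password))
        buf = b""
        while True:                                   # read until one whole message parses
            chunk = tls.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection before a BindResponse")
            buf += chunk
            try:
                return decode_bind_response(buf)
            except ValueError as exc:
                if "truncated" not in str(exc):
                    raise
```

Example use: `ldaps_simple_bind("ipa.example.test", "uid=alice,cn=users,cn=accounts,dc=example,dc=test", pw, "/etc/ipa/ca.crt")["authenticated"]` (placeholder host, DN and CA path).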
New IPA servers and existing trust
by Ronald Wimmer
Several months ago we set up two IPA servers for a separate department.
We also set up a trust to AD. Then the project went on hold. Today I was
told that they want to continue using IPA.
The IPA servers are using CentOS 7.x. Regarding the trust setup, would
it work to add two OL 8.1 servers and remove the old CentOS servers
afterwards? Or is there a better way to do that?
Cheers,
Ronald
1 year, 7 months
HBAC and external groups (AD trust)
by Giulio Casella
Hi,
I have an IPA setup, in trust with Active Directory.
I noticed a strange behaviour in HBAC.
In details:
I have a group ("extgroup"), defined as external, containing an active
directory user ("user@ad.dom.ain").
I defined a HBAC rule ("allow_AD_ssh") to permit ssh to a host to users
belonging to "extgroup", but the HBAC test (performed with
"user@ad.dom.ain") fails. I'm sure the cause is the "Who" section of the
HBAC rule (if I leave "Anyone" it works). So the HBAC is defined as:
WHO: User group "extgroup"
ACCESSING: host I want to give access to
SERVICE: sshd
I was pretty sure it was an incompatibility of HBAC rules with external users.
But if I define a standard (POSIX) group (let's say "intgroup"), make
"extgroup" a member of "intgroup" and use "intgroup" in the definition of
the (section "who" of the) HBAC rule, it works like a charm.
Why is direct use of an external group not working? Is it a bug? Or is
there a reason I cannot see?
TIA
Cheers,
Giulio
1 year, 7 months