Use of LDAP Configuration UI Web Console
by G Col
Hi Fedora team,
I have configured FreeIPA and I finally have a web interface to access the configuration and the different settings; it is exciting that it works. However, I am not entirely sure how to configure LDAP groups and LDAP users. The current menus I can see are the following ones:
Identity / Policy / Authentication / Network Services / IPA Server
Then each section has subsections, but I cannot find the LDAP option or functionality. Is it a plugin that I will need to install manually from the CLI?
Thank you for your help,
GCol
2 years, 11 months
Kerberos setup in IPA server and IPA clients
by iulian roman
I have set up an IdM environment with a replica and AD trust. I have the following realms and domains:
IPADEV.EXAMPLE.LOCAL is the IPA realm with the domain ipadev.example.local
EXAMPLE.LOCAL is the AD realm with dns domain example.local
All the clients have the DNS domain example.local and are/will be enrolled to the IPA domain.
On the IPA servers I had the following entries (added by the installation process) in /etc/krb5.conf:
server
=====
[domain_realm]
.ipadev.example.local = IPADEV.EXAMPLE.LOCAL
ipadev.example.local = IPADEV.EXAMPLE.LOCAL
ipadev04.example.local = IPADEV.EXAMPLE.LOCAL
.example.local = IPADEV.EXAMPLE.LOCAL
example.local = IPADEV.EXAMPLE.LOCAL
.example.local = IPADEV.EXAMPLE.LOCAL
example.local = IPADEV.EXAMPLE.LOCAL
client
====
[domain_realm]
.ipadev.example.local = IPADEV.EXAMPLE.LOCAL
ipadev.example.local = IPADEV.EXAMPLE.LOCAL
ipadev02.example.local = IPADEV.EXAMPLE.LOCAL
.example.local = IPADEV.EXAMPLE.LOCAL
example.local = IPADEV.EXAMPLE.LOCAL
Because of various issues (either replication did not work, or clients could not query AD), I removed entries from the server config (at some point I had .example.local = EXAMPLE.LOCAL, but that broke replication between the IPA servers) and now it looks like this:
[domain_realm]
.ipadev.example.local = IPADEV.EXAMPLE.LOCAL
ipadev.example.local = IPADEV.EXAMPLE.LOCAL
ipadev04.example.local = IPADEV.EXAMPLE.LOCAL
My question is, what should the [domain_realm] section of /etc/krb5.conf look like on both the IPA server and the IPA client?
Are dns_lookup_realm = true and dns_lookup_kdc = true enough in the [libdefaults] section, or should these realms be explicitly added? What are the tradeoffs of not using them?
2 years, 11 months
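How libkrb5 walks a [domain_realm] section, as an added example for the post above (not the poster's own tooling): it loads the client section and the trimmed server section quoted in the post and shows which realm each assigns to a given host. It assumes dc01.example.local as a constructed AD host name (the post names no AD hosts), and the parser handles only flat "key = value" relations, not nested krb5.conf blocks.

```python
from typing import Dict, Optional

# Client [domain_realm] exactly as quoted in the post
CLIENT_KRB5_CONF = """[domain_realm]
 .ipadev.example.local = IPADEV.EXAMPLE.LOCAL
 ipadev.example.local = IPADEV.EXAMPLE.LOCAL
 ipadev02.example.local = IPADEV.EXAMPLE.LOCAL
 .example.local = IPADEV.EXAMPLE.LOCAL
 example.local = IPADEV.EXAMPLE.LOCAL
"""
# Server [domain_realm] as quoted after the poster trimmed it
SERVER_KRB5_CONF = """[domain_realm]
 .ipadev.example.local = IPADEV.EXAMPLE.LOCAL
 ipadev.example.local = IPADEV.EXAMPLE.LOCAL
 ipadev04.example.local = IPADEV.EXAMPLE.LOCAL
"""


def parse_domain_realm(text: str) -> Dict[str, str]:
    """Collect the flat 'key = REALM' relations of [domain_realm]; keys are
    lower-cased and a repeated key keeps its first value (profile lookup order)."""
    mapping: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[domain_realm]"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping.setdefault(key.lower(), value)
    return mapping


def realm_for_host(hostname: str, mapping: Dict[str, str]) -> Optional[str]:
    """Static lookup order: exact hostname, then each parent domain with its leading
    dot ('.example.local', then '.local'). None means no static entry matched; libkrb5
    would then try DNS TXT records (dns_lookup_realm) and heuristics, not modelled here."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    suffix = host
    while "." in suffix:
        suffix = suffix[suffix.index("."):]  # keep the leading dot
        if suffix in mapping:
            return mapping[suffix]
        suffix = suffix[1:]
    return None


if __name__ == "__main__":
    # dc01.example.local is a constructed AD host name, not one the post names
    for name, conf in (("client", CLIENT_KRB5_CONF), ("server", SERVER_KRB5_CONF)):
        table = parse_domain_realm(conf)
        for host in ("ipadev02.example.local", "dc01.example.local"):
            print(f"{name}: {host} -> {realm_for_host(host, table)}")
```

Note that the client's ".example.local" entry sends every example.local host without a more specific entry to IPADEV.EXAMPLE.LOCAL, while the trimmed server file leaves such hosts to the DNS and heuristic fallbacks.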
server install - You are attempting to import a cert with the same issuer
by lejeczek
Hi guys.
That is quite bizarre, don't you think? It's a first master installation.
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[error] CalledProcessError: CalledProcessError(Command
['/usr/bin/certutil', '-d',
'sql:/etc/dirsrv/slapd-PRIV-COM/', '-A', '-n', 'PRIV.COM IPA
CA', '-t', 'CT,C,C', '-a', '-f',
'/etc/dirsrv/slapd-PRIV-COM/pwdfile.txt'] returned non-zero
exit status 255: 'certutil: could not decode certificate:
SEC_ERROR_REUSED_ISSUER_AND_SERIAL: You are attempting to
import a cert with the same issuer/serial as an existing
cert, but that is not the same cert.\n')
CalledProcessError(Command ['/usr/bin/certutil', '-d',
'sql:/etc/dirsrv/slapd-PRIV-COM/', '-A', '-n', 'PRIV.COM IPA
CA', '-t', 'CT,C,C', '-a', '-f',
'/etc/dirsrv/slapd-PRIV-COM/pwdfile.txt'] returned non-zero
exit status 255: 'certutil: could not decode certificate:
SEC_ERROR_REUSED_ISSUER_AND_SERIAL: You are attempting to
import a cert with the same issuer/serial as an existing
cert, but that is not the same cert.\n')
The ipa-server-install command failed. See
/var/log/ipaserver-install.log for more information
It's a new install; certainly there is no '/etc/dirsrv/slapd-PRIV-COM' prior to install.
regards, L.
2 years, 12 months
Cert lookup from CLI or Webui causes SEVERE: Operation Error - netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry
by Jim Richard
From /var/log/pki/pki-tomcat/ca/debug.2021-04-26.log
2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] INFO: DBVirtualList: dn: cn=268174647,ou=certificateRepository,ou=ca,o=ipaca
2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] INFO: DBVirtualList: dn: cn=268174648,ou=certificateRepository,ou=ca,o=ipaca
2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] SEVERE: Operation Error - netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry
java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry
at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:477)
at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:610)
at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:602)
at com.netscape.cmscore.dbs.DBVirtualList.getElementAt(DBVirtualList.java:754)
at com.netscape.cmscore.dbs.CertRecordList.getCertRecord(CertRecordList.java:110)
at org.dogtagpki.server.ca.rest.CertService.searchCerts(CertService.java:473)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:428)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] SEVERE: Unable to search for certificates: java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry
java.lang.RuntimeException: java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry
at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:523)
at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:610)
at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:602)
at com.netscape.cmscore.dbs.DBVirtualList.getElementAt(DBVirtualList.java:754)
at com.netscape.cmscore.dbs.CertRecordList.getCertRecord(CertRecordList.java:110)
at org.dogtagpki.server.ca.rest.CertService.searchCerts(CertService.java:473)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:428)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry
at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:477)
... 70 more
Current versions are:
CentOS 8:
ipa-client.x86_64 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream
ipa-client-common.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream
ipa-common.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream
ipa-healthcheck.noarch 0.4-6.module_el8.3.0+482+9e103aab @AppStream
ipa-healthcheck-core.noarch 0.4-6.module_el8.3.0+482+9e103aab @AppStream
ipa-selinux.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream
ipa-server.x86_64 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream
ipa-server-common.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream
389-ds-base.x86_64 1.4.3.8-6.module_el8.3.0+604+ab7bf9cc @AppStream
389-ds-base-libs.x86_64 1.4.3.8-6.module_el8.3.0+604+ab7bf9cc @AppStream
Linux sso-111 4.18.0-240.15.1.el8_3.x86_64 #1 SMP Mon Mar 1 17:16:16 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Jim Richard
System Administrator III
jrichard(a)placeiq.com | (646) 338-8905 | www.placeiq.com
2 years, 12 months