May 2021 - FreeIPA-users - Fedora Mailing-Lists

Use of LDAP Configuration UI Web Console

by G Col

Hi Fedora team, I have configured FreeIPA and I have finally a web interface to access to the configuration and the different settings, it is exciting that works. However, I am not entire sure how to configure LDAP groups and LDAP users. The current menus I can see are the following ones: Identity / Policy / Authentication / Network Services / IPA Server Then each section has subsections, but I cannot find the LDAP option or functionality. Is a plugin that I will need to install manually from the CLI? Thank you for your help, GCol

2 years, 11 months

2
3
0 / 0

Kerberos setup in IPA server and IPA clients

by iulian roman

I have setup an Idm environment with replica and AD trust. I have the following realms and domains: IPADEV.EXAMPLE.LOCAL is the IPA realm with the domain ipadev.example.local EXAMPLE.LOCAL is the AD realm with dns domain example.local All the clients have the DNS domain example.local and are/will be enrolled to the IPA domain. In the IPA servers I had the following entries (added by the installation process) in /etc/krb5.conf : server ===== [domain_realm] .ipadev.example.local = IPADEV.EXAMPLE.LOCAL ipadev.example.local = IPADEV.EXAMPLE.LOCAL ipadev04.example.local = IPADEV.EXAMPLE.LOCAL .example.local = IPADEV.EXAMPLE.LOCAL example.local = IPADEV.EXAMPLE.LOCAL .example.local = IPADEV.EXAMPLE.LOCAL example.local = IPADEV.EXAMPLE.LOCAL client ==== [domain_realm] .ipadev.example.local = IPADEV.EXAMPLE.LOCAL ipadev.example.local = IPADEV.EXAMPLE.LOCAL ipadev02.example.local = IPADEV.EXAMPLE.LOCAL .example.local = IPADEV.EXAMPLE.LOCAL example.local = IPADEV.EXAMPLE.LOCAL Because of various issues (either replication did not work, either clients could not query AD), I had removed entries on the server config (at some point i had .example.local = EXAMPLE.LOCAL but that broke the replication between ipa servers ) and now it looks like that: [domain_realm] .ipadev.example.local = IPADEV.EXAMPLE.LOCAL ipadev.example.local = IPADEV.EXAMPLE.LOCAL ipadev04.example.local = IPADEV.EXAMPLE.LOCAL My question is , how should the [domain_realm] section of the /etc/krb5.conf look like on both ipa server and ipa client ? Is dns_lookup_realm = true and dns_lookup_kdc = true enough in the [libdefaults] section or should these realm be explicitly added ? What are the tradeoffs of not using them ?

2 years, 11 months

2
4
0 / 0

server install - You are attempting to import a cert with the same issuer

by lejeczek

Hi guys. That is quite bizarre, don't you think? It's a first master installation. Configuring directory server (dirsrv) [1/3]: configuring TLS for DS instance [error] CalledProcessError: CalledProcessError(Command ['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-PRIV-COM/', '-A', '-n', 'PRIV.COM IPA CA', '-t', 'CT,C,C', '-a', '-f', '/etc/dirsrv/slapd-PRIV-COM/pwdfile.txt'] returned non-zero exit status 255: 'certutil: could not decode certificate: SEC_ERROR_REUSED_ISSUER_AND_SERIAL: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.\n') CalledProcessError(Command ['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-PRIV-COM/', '-A', '-n', 'PRIV.COM IPA CA', '-t', 'CT,C,C', '-a', '-f', '/etc/dirsrv/slapd-PRIV-COM/pwdfile.txt'] returned non-zero exit status 255: 'certutil: could not decode certificate: SEC_ERROR_REUSED_ISSUER_AND_SERIAL: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.\n') The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information It's a new install, certainly there is no '/etc/dirsrv/slapd-PRIV-COM' prior to install. regards, L.

2 years, 12 months

2
3
0 / 0

Cert lookup from CLI or Webui causes SEVERE: Operation Error - netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry

by Jim Richard

From /var/log/pki/pki-tomcat/ca/debug.2021-04-26.log 2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] INFO: DBVirtualList: dn: cn=268174647,ou=certificateRepository,ou=ca,o=ipaca 2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] INFO: DBVirtualList: dn: cn=268174648,ou=certificateRepository,ou=ca,o=ipaca 2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] SEVERE: Operation Error - netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:477) at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:610) at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:602) at com.netscape.cmscore.dbs.DBVirtualList.getElementAt(DBVirtualList.java:754) at com.netscape.cmscore.dbs.CertRecordList.getCertRecord(CertRecordList.java:110) at org.dogtagpki.server.ca.rest.CertService.searchCerts(CertService.java:473) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:428) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748) 2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] SEVERE: Unable to search for certificates: java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry java.lang.RuntimeException: java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:523) at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:610) at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:602) at com.netscape.cmscore.dbs.DBVirtualList.getElementAt(DBVirtualList.java:754) at com.netscape.cmscore.dbs.CertRecordList.getCertRecord(CertRecordList.java:110) at org.dogtagpki.server.ca.rest.CertService.searchCerts(CertService.java:473) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:428) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748) Caused by: java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:477) ... 70 more Current versions are: CentOS 8: ipa-client.x86_64 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream ipa-client-common.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream ipa-common.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream ipa-healthcheck.noarch 0.4-6.module_el8.3.0+482+9e103aab @AppStream ipa-healthcheck-core.noarch 0.4-6.module_el8.3.0+482+9e103aab @AppStream ipa-selinux.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream ipa-server.x86_64 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream ipa-server-common.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream 389-ds-base.x86_64 1.4.3.8-6.module_el8.3.0+604+ab7bf9cc @AppStream 389-ds-base-libs.x86_64 1.4.3.8-6.module_el8.3.0+604+ab7bf9cc @AppStream Linux sso-111 4.18.0-240.15.1.el8_3.x86_64 #1 SMP Mon Mar 1 17:16:16 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux Jim Richard System Administrator III jrichard(a)placeiq.com | (646) 338-8905 | www.placeiq.com

2 years, 12 months

3
5
0 / 0

DNS - trusted-keys via IPA's tools - ?

by lejeczek

hi everybody I want to ask if we have a way of adding trusted-keys? Official/recommended VS by fiddling/non-recommended ? many thanks, L.

2 years, 12 months

1
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users May 2021