FreeIPA httpd service stopped suddenly and not restarting!
by GAURAV Pande
Hi Team,
We had a strange issue where our FreeIPA GUI was down. When checked from the backend server, the httpd service is not starting and we are not able to figure out what the issue can be based on the errors in /var/log/httpd. It would be helpful if anyone can help here. Thanks
$ sudo ipactl restart
Starting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Starting httpd Service
Failed to start httpd Service
Shutting down
Hint: You can use --ignore-service-failure option for forced start in case that a non-critical service failed
Aborting ipactl
LOGS:
$ sudo tail -f /var/log/httpd/error_log
[Fri Mar 04 06:59:21.220847 2022] [core:notice] [pid 16345] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Fri Mar 04 06:59:21.221844 2022] [suexec:notice] [pid 16345] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Mar 04 06:59:21.313573 2022] [:error] [pid 16345] Password for slot internal is incorrect.
[Fri Mar 04 06:59:21.316345 2022] [:error] [pid 16345] NSS initialization failed. Certificate database: /etc/httpd/alias.
[Fri Mar 04 06:59:21.316401 2022] [:error] [pid 16345] SSL Library Error: -8177 The security password entered is incorrect
[Fri Mar 04 07:21:47.374010 2022] [core:notice] [pid 16745] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Fri Mar 04 07:21:47.374961 2022] [suexec:notice] [pid 16745] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Mar 04 07:21:47.477234 2022] [:error] [pid 16745] Password for slot internal is incorrect.
[Fri Mar 04 07:21:47.480302 2022] [:error] [pid 16745] NSS initialization failed. Certificate database: /etc/httpd/alias.
[Fri Mar 04 07:21:47.480333 2022] [:error] [pid 16745] SSL Library Error: -8177 The security password entered is incorrect
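As an added example (not code from this thread or from FreeIPA), a small Python parser that runs over the error_log lines quoted above and extracts, per httpd start attempt, the NSS slot whose password was rejected, the certificate database and the NSS error code, so a monitoring job can flag this specific failure mode (httpd cannot unlock its NSS database) rather than a generic "service failed". The only input is the constructed sample built from the log lines in the post; no other paths or values are assumed.

```python
import re
from collections import OrderedDict

# Apache error_log entry: [timestamp] [module:level] [pid N] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<mod>[^:\]]*):(?P<lvl>[^\]]+)\] "
                     r"\[pid (?P<pid>\d+)\] (?P<msg>.*)$")
SLOT_RE = re.compile(r"Password for slot (?P<slot>\S+) is incorrect")
NSSDB_RE = re.compile(r"NSS initialization failed\. Certificate database: (?P<db>.+?)\.?$")
SSL_RE = re.compile(r"SSL Library Error: (?P<code>-?\d+) (?P<text>.*)")

# Constructed sample: the two failed start attempts quoted in the post above.
SAMPLE_LOG = """\
[Fri Mar 04 06:59:21.220847 2022] [core:notice] [pid 16345] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Fri Mar 04 06:59:21.313573 2022] [:error] [pid 16345] Password for slot internal is incorrect.
[Fri Mar 04 06:59:21.316345 2022] [:error] [pid 16345] NSS initialization failed. Certificate database: /etc/httpd/alias.
[Fri Mar 04 06:59:21.316401 2022] [:error] [pid 16345] SSL Library Error: -8177 The security password entered is incorrect
[Fri Mar 04 07:21:47.374010 2022] [core:notice] [pid 16745] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Fri Mar 04 07:21:47.477234 2022] [:error] [pid 16745] Password for slot internal is incorrect.
[Fri Mar 04 07:21:47.480302 2022] [:error] [pid 16745] NSS initialization failed. Certificate database: /etc/httpd/alias.
[Fri Mar 04 07:21:47.480333 2022] [:error] [pid 16745] SSL Library Error: -8177 The security password entered is incorrect
""".splitlines()

def parse_line(line):
    """Return the fields of one error_log entry, or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_nss_startup_failures(lines):
    """Group entries by httpd pid (one pid per start attempt) and return a record for
    every attempt that died in NSS initialization, with slot, database and NSS error
    code pulled out of the [:error] lines."""
    by_pid = OrderedDict()
    for raw in lines:
        rec = parse_line(raw)
        if rec:
            by_pid.setdefault(rec["pid"], []).append(rec)
    failures = []
    for pid, recs in by_pid.items():
        f = {"pid": int(pid), "started": recs[0]["ts"], "slot": None, "db": None, "nss_error": None}
        for rec in (r for r in recs if r["lvl"] == "error"):
            for key, rx in (("slot", SLOT_RE), ("db", NSSDB_RE)):
                m = rx.search(rec["msg"])
                if m:
                    f[key] = m.group(key)
            m = SSL_RE.search(rec["msg"])
            if m:
                f["nss_error"] = int(m.group("code"))
        if f["db"] is not None:  # only attempts that actually failed in NSS init
            failures.append(f)
    return failures

def diagnose(f):
    """One-line verdict: a rejected slot password means httpd never opened its NSS
    certificate database, so TLS could not come up and the service exited."""
    return ("httpd pid %d (started %s): password for NSS slot '%s' rejected, cannot open %s "
            "(NSS error %s)" % (f["pid"], f["started"], f["slot"], f["db"], f["nss_error"]))
```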
How to disable password change on FreeIPA client for a user who logs in for the first time.
by GAURAV Pande
Hi Team,
I have a FreeIPA client registered successfully on the FreeIPA server under the Host section, but when a user tries to log in for the first time he is always asked to change his password. It seems to be a default behavior? If yes, could you let me know how we can change this or what configuration is required on the client or FreeIPA server side? Looking forward to your response. Thanks!
Allow AD users to manage multiple certificates
by Pedro Bezunartea Lopez
Hi!
This is our currently working setup:
- AD Domain: ourdomain.local (working fine for Windows users' authentication, Domain Controllers, etc...)
- IPA Domain: idm.ourdomain.local (Trust relation successfully setup with the Domain Controllers)
- AD users can login to the IPA Server with their AD credentials.
Goal: Allow AD users to add and manage their own certificates for different services (VPN access and the like). The workflow would be something like:
1. User adds a new CSR. (The user creates his key and generates the CSR locally)
2. IPA admins approve and issue the certificate.
3. The user downloads the certificate.
"Local" IPA users can add certificate requests in their profile by clicking on Actions > New Certificate.
AD users are only allowed to edit their profile description, GECOS, Login shell, add SSH public keys and add Certificates in PEM format, not add Certificate Requests.
We have tried a few things already:
- Certificate Mappings. They are designed for user authentication to idm.ourdomain.local, no go.
- From the docs https://www.freeipa.org/page/Active_Directory_trust_setup: Allow access for users from AD domain to protected resources: Which "protected resource" allows for users' certificates?
- From RH docs: CHAPTER 73. ENABLING AD USERS TO ADMINISTER IDM: AD users can administer IDM, but they cannot add a new Certificate Signing Request to their own profile.
Any ideas?
Sorry for the length of the post... TIA
Pedro.