January 2023 - FreeIPA-users - Fedora Mailing-Lists

FreeIPA-Kubernetes Setup

by Ronald Wimmer

Hi, are there any plans (or maybe ongoing work already) to let FreeIPA run in a K8s environment? Cheers, Ronald

3 days, 5 hours

6
8
0 / 0

Ensure that IPA user can be resolved upon SystemD-Unit start

by Ronald Wimmer

I do have a sytemd service unit that uses an IPA used. However, upon reboot it seems that that particular IPA user is not available upon start of that particular systemd service. Using "After=sssd.service" is not sufficient. What would you recommend in this case? (I am looking for a reliable systemd solution and do not want to rely on a script checking for a particular user with getent for example) Cheers, Ronald

1 month

2
3
0 / 0

Removal & clean up certificates from o=ipaca

by David Goudet

Hello all, I have to clean up lot of useless certificate in dirsrv database. Because of resubmit loop on Certmonger client, i have 99,9% of certificate in dirsrv database that are useless and not obsolete (expiration in 2020) (it represent ~85 000 certificates). These useless certificates produce some issues on FreeIPA: - decrease FreeIPA performances on CLI and GUI - increase the LDAP size - increase size and time of FreeIPA backup ... Is it possible to purge these certificates in dirsrv database and how? I found two branches in LDAP directory about these certificates: dn: cn=xxx,ou=ca,ou=requests,o=ipaca dn: cn=yyy,ou=certificateRepository,ou=ca,o=ipaca I can remove all requests and certificates entry from dirsrv database but how it is supported by PKI manager Dogtag (CRL, certificate generation, OCSP)? (This topic has already been discuss on https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...) Thank you for you help -- David GOUDET LYRA NETWORK IT Operations service Tel : +33 (0)5 32 09 09 74 | Poste : 574

1 month, 1 week

4
5
2 / 0

Force LDAPS and 636 port

by Alex Ivanov

Greetings, I'm struggling to find a comprehensive guide on how to block LDAP and 389 port on FreeIPA and force usage of LDAPS and 636 port for all clients and connections. I would really appreciate a link or a hint.

1 month, 1 week

5
6
0 / 0

ipa-replica-install fails when I use custom certificates

by Peter Tselios

I have installed the ipa server by using the following command: --------- ipa-server-install --realm "EXAMPLE.COM" -p 'password' -a 'password' --hostname="server.example.com" -n example.com --ip-address="10.1.4.2" --dirsrv-cert-file=/etc/pki/tls/private/example.com.pem --dirsrv-cert-file=/etc/pki/tls/certs/example.com.crt --dirsrv-pin='' --http-cert-file=/etc/pki/tls/certs/example.com.crt --http-cert-file=/etc/pki/tls/private/example.com.pem --http-pin='' --ca-cert-file=/etc/pki/ca-trust/source/anchors/myca.pem --ca-cert-file=/etc/pki/ca-trust/source/anchors/mysubca.pem --mkhomedir -N --no-host-dns --unattended --------- Which works perfectly fine. However, I cannot make it work with ipa-replica-install since there is no option for --ca-cert-file. So, how can I install a replica with custom certificates?

1 month, 1 week

6
12
0 / 0

Custom ssl cert for freeipa docker

by Leo O

Hello Guys, I'm would like to use custom ssl certificates for http and ldap, I saw the following: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP But I wonder how would this be done when using freeipa in a docker/podman container. I mean the container is started with "--read-only" flag. So it's not clear to me what the correct approach here would be. I hope it's not that you have to re-build an own image with the ssl certificates every time? Background Info: I'm using acme.sh in a VM, which creates my wildcard letsencrypt certificates and puts them on an nfs share. Freeipa should simply use that certificates for http and ldap and that's it. No renewing as this is done by the acme.sh VM itself.

1 month, 2 weeks

3
4
0 / 0

Re-enrolling and keeping hostkeys

by Steve Brasier

Hi. I'm looking at using `ipa-client-install --keytab` to re-enrole a VM after reimaging. However this changes the host's ssh keys, which is undesirable in this case. Is there a "smart" way of preventing that? Or is this comment from 10 years ago the correct way to reset it: https://pagure.io/freeipa/issue/2655#comment-320195 thanks Steve

1 month, 2 weeks

2
2
0 / 0

Re: Explanation on how Smartcard Authentication works with all it's componants.

by Rob Crittenden

r0nam1 wrote: > So far it's a lot of 'I thinks'. I think I've configured OpenSC and > pcscd correctly, I think I've configured SSSD correctly, and I think > I've configured PAM correctly, if you can give me a list of relevant > logs or test commands (Even full directory's of logs) I'll do what I can. Please keep responses on the list. The log to see depends on the behavior. Some additional readings (some are rather old but still relevant): https://floblanc.wordpress.com/?s=smart https://frasertweedale.github.io/blog-redhat/posts/2016-08-12-yubikey-sc-... rob

1 month, 2 weeks

5
7
0 / 0

Converting self-signed root CA to intermediate CA

by Schrock, Chad - 0336 - MITLL

Hi everyone, We have a small-ish RHEL 7 IdM (4.6.8) domain that is currently running with a self-signed root CA. All is well and good, except we've been told that we have to play nice with the rest of the organization now, which includes changing the self-signed root CA in to an intermediate CA. I remember a discussion on here about converting an IdM root CA in to an intermediate CA, but for the life of me I can't find the discussion or any related documentation. (Was I hallucinating?) So: * Is what I'm talking about even possible? * If it is possible, is there some documentation somewhere where I can read up on the process and potential risks? * If it isn't possible, short of creating a new domain[1] and moving all of the clients to it, what might work here? [1] - I'm not against this, however, we have several replica IdM servers at remote sites that are on the other end of low-bandwidth high-latency satellite links. Having the various IdM servers talk amongst themselves for regular domain updates hasn't been a problem. We've never been able to create a new replica at our remote sites though. Thank you all for your time, Chad -- Chad Schrock, he/him Supporting MIT Lincoln Laboratory, Lexington, MA

1 month, 3 weeks

2
2
0 / 0

FreeIPA external groups showing SID and not User Friendly name

by Ty zang

Hi all, I have a FreeIPA 4.6.8 with some Linux groups added. They are external groups that have external members (AD groups) via their trust with AD. So everything works, but clicking and viewing the external group under the web app shows the SID. Is there a package or something missing that would cause it to show SID instead of name of group, or is this a by design thing? I am fairly certain that months ago, it was showing group name, not SID which is why I ask.

1 month, 3 weeks

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users January 2023