February 2023 - FreeIPA-users - Fedora Mailing-Lists

by Francis Augusto Medeiros-Logeay

Hi, I am writing a little plugin for FreeIPA, and I'm starting to get the hang of it - I got to insert menus, display a list of entries with the possibility to add, change and delete entries. So far, so good. I have two questions: - How do I use the 'association' type? I want to display entries based on the entry I clicked, the same way I show members of a group when I click on a group. I saw this option when checking the source code for group ui, but I don't know exactly how to display entries queried based on the selected entry; - Is there a drop down menu possibility that shows all entries, as to select them as basis for a nested search of other entries? Best, Francis -- Francis Augusto Medeiros-Logeay Oslo, Norway

1 year, 2 months

1
0
0 / 0

how to identify indirect mount maps

by Rob Verduijn

Hello, When somebody has created a direct mount map without adding any keys. How can you see that it is an indirect mount map ? Also how can you see what the mount point is of the indirect mount map ? I can't seem to find an option to check for this ? Cheers Rob

1 year, 2 months

2
2
0 / 0

Authority Key Identifier Extension in SSL certificate

by omar gonzales

FreeIPA Users, I'm unable to generate a SSL certificate with the dirName and serial number fields in X509v3 Authority Key Identifier Extension. I only get the keyid I tried to use a customized certificate profile which was successfully imported. Here is part of the certificate profile that I used to get at least the serial number in the X509v3 Authority Key Identifier Extension policyset.serverCertSet.9.constraint.class_id=noConstraintImpl policyset.serverCertSet.9.constraint.name=No Constraint policyset.serverCertSet.9.default.class_id=authorityKeyIdentifierExtDefaultImpl policyset.serverCertSet.9.default.name=Authority Key Identifier Extension Default policyset.serverCertSet.9.default.params.authorityCertSerialNumber=100 Please see attached capture for the desired output (SSL cert) Please let me know what I should do. Thanks Omar

1 year, 2 months

1
0
0 / 0

LDAP question

by Francis Augusto Medeiros-Logeay

Hi, I am wondering: 1 - Does the 389 server support aliases? I can't make it work and saw on a few old forum posts that it doesn't. 2 - I am working on a new attribute type and wonder how can I add a constraint so that its value on an entry must be unique across the directory. Any tips? Best, Francis -- Francis Augusto Medeiros-Logeay Oslo, Norway

1 year, 2 months

2
2
0 / 0

log permission issues with "ipa-replica-manage re-initialize" in almalinux 8

by Grant Janssen

users were reporting password change issues. ipa_check_consistency and cipa showed synchronization issues. grant@ef-idm04:~[20230211-7:01][#211]$ ipa-replica-manage re-initialize --from ef-idm01.production.efilm.com<http://ef-idm01.production.efilm.com> ipa: ERROR: Cannot open log file '/var/log/ipa/cli.log': [Errno 13] Permission denied: '/var/log/ipa/cli.log' Update in progress, 6 seconds elapsed Update succeeded grant@ef-idm04:~[20230211-7:02][#212]$ I am in the middle of a migration from 7 —> 8 (3 of 5 servers are still CentOS 7) The almalinux 8 systems showed an issue with log permissions when I executed the sync. The CentOS 7 systems did not output any error. ipa_check_consistency and cipa show these are all “in sync” now. what can I do to resolve these log issues, so next time I won’t see these again? thanx - grant

1 year, 2 months

2
1
0 / 0

Removal & clean up certificates from o=ipaca

by David Goudet

Hello all, I have to clean up lot of useless certificate in dirsrv database. Because of resubmit loop on Certmonger client, i have 99,9% of certificate in dirsrv database that are useless and not obsolete (expiration in 2020) (it represent ~85 000 certificates). These useless certificates produce some issues on FreeIPA: - decrease FreeIPA performances on CLI and GUI - increase the LDAP size - increase size and time of FreeIPA backup ... Is it possible to purge these certificates in dirsrv database and how? I found two branches in LDAP directory about these certificates: dn: cn=xxx,ou=ca,ou=requests,o=ipaca dn: cn=yyy,ou=certificateRepository,ou=ca,o=ipaca I can remove all requests and certificates entry from dirsrv database but how it is supported by PKI manager Dogtag (CRL, certificate generation, OCSP)? (This topic has already been discuss on https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...) Thank you for you help -- David GOUDET LYRA NETWORK IT Operations service Tel : +33 (0)5 32 09 09 74 | Poste : 574

1 year, 2 months

4
5
2 / 0

Show attributes of objectclass

by Francis Augusto Medeiros-Logeay

Hi, A very basic question, but can't find a proper answer: How do I show all attributes of an objectclass? I tried a few commands that are supposed to work on openldap, but can't have the same results in FreeIPA. Best, Francis -- Francis Augusto Medeiros-Logeay Oslo, Norway

1 year, 2 months

1
1
0 / 0

Overriding sudo noexec Defaults

by Mathieu Baudier

Hello, with IPA v4.10.0 on RHEL 9.1, the IPA servers are configured with the security profile ANSSI-BP-028 (high) which mandates the sudo Defaults 'noexec' (commands cannot execute subprocesses). Along with other restrictive Defaults, it has been set automatically by OpenSCAP during OS installation, in the /etc/sudoers file. But there are quite a few situations where we need EXEC rights (typically some IPA utilities, such as ipa-healthcheck). During the initial configuration of the systems we had a local 'install' user, in the wheel group, and to which we gave blanket sudo EXEC rights. But now that IPA is up and running, I am struggling to configure working around the 'noexec' Defaults for real operators managed by IPA. I have tried three approaches, which all failed: 1) In an IPA sudo rule, configure Options to override the 'noexec' Defaults. I tried with both !noexec -=noexec but it had no effect and I did not see it listed in sudo -l, and noexec was still there. 2) In an IPA sudo command definition, add EXEC. That is, I created an IPA sudo command with the value: EXEC: ALL but this command appeared with the : escaped by \: (ALL : ALL) EXEC\: ALL 3) In an IPA sudo rule, use the 'ignore_local_sudoers' Option. The sudoers man page says "If set via LDAP, parsing of /etc/sudoers will be skipped. This is intended for Enterprises [...]". This could be an appropriate approach to reconstitute these Security Profiles constraints centrally in IPA instead of locally, but the 'ignore_local_sudoers' Option does not seem to be picked up: sudo -l keep showing the Defaults configured locally (including 'noexec') Am I doing something wrong? What would be the best approach to pursue? More generally, I noticed that changes in the IPA sudo rules are not effective immediately, even after a logout/login. Is there some caching? Or should I restart a service? If I reboot the system, the changes are taken, but this is a bit heavy. Thanks in advance! Mathieu

1 year, 2 months

1
0
0 / 0

Issue with Login PIN Prompting with SSSD and krb5_child.

by r0 nam1

Apologies for my previous thread mess, I've learned to keep it neat. In following my previous thread (https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...) I've discovered what I believe to be the issue when trying to login with Smartcards. When running kinit already logged in it can prompt for a pin and successfully use that data to verify the certificate. Then when trying to login from tty1 with pam_sss.so require_cert_auth present, the krb5 child attempts to kinit: ''' DEBUG(SSSDBG_TRACE_FUNC, "Attempting kinit for realm [%s]\n",realm_name); kerr = kr->krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ, password_or_responder(password), sss_krb5_prompter, kr, 0, NULL, kr->options); if (kr->pd->cmd == SSS_PAM_PREAUTH && kerr != KRB5KDC_ERR_KEY_EXP) { /* Any errors except KRB5KDC_ERR_KEY_EXP are ignored during pre-auth, * only data is collected to be send back to the client. * KRB5KDC_ERR_KEY_EXP must be handled separately to figure out the * possible authentication methods to update the password. */ DEBUG(SSSDBG_TRACE_FUNC, "krb5_get_init_creds_password returned [%d] during pre-auth.\n", kerr); return 0; } else { if (kerr != 0) { KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr); ''' https://github.com/SSSD/sssd/blob/master/src/providers/krb5/krb5_child.c Looking at the source code for the process I've come to the conslusion that for SOME REASON, the kinit pin prompt fails after entering my Username, Password, then prompting for a smartcard. It seems like p11_child sees the smartcard inserted, lets the krb5_child run, and somehow fails when prompting for a pin. Even though the child 'fails' the login is never denied with any smartcard, one just needs to be present, the side effect of this is that a Kerberos ticket is never granted, but the Login does succeed. Unfortunately that's everything I've been able to find, anyone able to help with the info I've provided?

1 year, 2 months

2
7
0 / 0

Help-Query IPA-Client Re-Enrollment

by Polavarapu Manideep Sai

HI Team, I have a query I have two replica servers which are replicating with master server Replica1[Old]-hostname1.com --- 10 client nodes integrated at Replica1 Replica2[New]-hostname2.com --- No client nodes integrated at Replica2 Now I want to remove Replica1, which is having issues Now the query is can I re-enrol all 10 clients to Replica2[hostname2.com], without going for uninstallation of ipa-client Regards Sai ________________________________ DISCLAIMER: The information in this message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Further, this e-mail may contain viruses and all reasonable precaution to minimize the risk arising there from is taken by OnMobile. OnMobile is not liable for any damage sustained by you as a result of any virus in this e-mail. All applicable virus checks should be carried out by you before opening this e-mail or any attachment thereto. Thank you - OnMobile Global Limited.

1 year, 2 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users February 2023