IPA sub-domain in a lab?
by Amos
We currently use (Free)IPA (what's provided by Redhat) in a forest trust
relationship with our Active Directory domains. All accounts are defined in
AD with the necessary POSIX attributes. The only things locally defined
within IPA are the automounter maps, sudo rules, and HBAC rules. (I must
say, these HBAC rules work rather nicely!)
A research group wants to create their own OU in AD to manage and rely on
AD for authentication. Centralized sudo rule configuration is also
important to them. They would like to have internal DNS for their lab of
entirely Linux machines so that these systems are more easily accessible
from within the lab instead of relying exclusively on IP addresses. (We use
Infoblox for centralized DNS, but since this is a private lab, there's a
question as to whether to leverage our Infoblox DNS or to use DNS in their
own IPA instance.)
On one hand, it makes sense to set them up using IPA. If so, would these
servers be in a sub-domain of the central IPA? They would need to be able
to manage this instance of IPA, but we would not want them to have admin
rights on the central IPA servers. Under this scenario, would the trust to
AD remain?
I'm fairly comfortable with the principles behind IPA, but only so far as
we're talking about the global environment. Setting things up in
semi-connected labs like this would be new to us, at least since we moved
to IPA.
There is some pressure to have their lab bind directly to AD. I pointed out
that currently there would be no way to centrally manage the sudo rules.
However, we're also currently considering adding the sudo schema to AD,
which if we did, might take care of that.
So, I'm just trying to wrap my head around all the possible approaches and
weigh the pros and cons with either approach. Any insight would be greatly
appreciated.
Thanks.
Visibility/access of FreeIPA users to Windows on trusted AD
by Francis Augusto Medeiros-Logeay
Hi,
I have searched this everywhere, but can't find it.
I want to grant access to a FreeIPA user to a Windows machine. When I
try to grant the user access on windows, adding it like
FREEIPADOMAIN\freeipauser, I get an error. There is a trust between both
domains, but every place where I see the trusted domain on Windows (for
example when configuring a GPO) I can't search for FreeIPA users.
Is this how it is supposed to be, or how can I see my FreeIPA users on
Windows the same way I see AD users on my freeipa linux clients?
Best,
Francis
--
Francis Augusto Medeiros-Logeay
Oslo, Norway
Replace external CA and certificates with self-signed ones.
by luckydog xf
Hello, list,
Our FreeIPA is 4.9.8 and the domain is wingon.hk. Initially, we installed an external CA and certificates by following this link: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
And it works fine.
The certificate expired on Aug 03 22:16:17 2023. We want to replace the certificate of HTTP only, because unlike Mod_NSSDB, it is easy to install by placing two files, the PEM and the key.
And we plan to replace the external certificate of dirsrv with a self-signed one.
=== httpd ===
# certutil -d /etc/httpd/alias/ -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
WINGON.HK IPA CA CT,C,C
Go Daddy Secure Certificate Authority - G2 - GoDaddy.com, Inc. CT,C,C
Go Daddy Root Certificate Authority - G2 - The Go Daddy Group, Inc. CT,C,C
Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc. CT,C,C
Server-Cert u,u,u
# certutil -d /etc/httpd/alias/ -n Server-Cert -L
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
08:5c:79:e8:d9:7d:6a:b4
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US"
Validity:
Not Before: Sat Jul 02 22:16:17 2022
Not After : Thu Aug 03 22:16:17 2023
Subject: "CN=*.wingon.hk"
====
So is the Server-Cert of HTTP still used? It does not matter, because we can still log in on the web, since we have already replaced the cert and key. Can we remove this one?
====== dirsrv ===============
===============> /etc/dirsrv/slapd-WINGON-HK/
# certutil -d /etc/dirsrv/slapd-WINGON-HK/ -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
CN=*.wingon.hk u,u,u
WINGON.HK IPA CA CT,C,C
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US C,,
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US C,,
NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US C,,
# certutil -d /etc/dirsrv/slapd-WINGON-HK/ -L -n 'CN=*.wingon.hk'
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
08:5c:79:e8:d9:7d:6a:b4
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US"
Validity:
Not Before: Sat Jul 02 22:16:17 2022
Not After : Thu Aug 03 22:16:17 2023
Subject: "CN=*.wingon.hk"
=========
As you can see, it has already expired. How can I replace this with a self-signed one?
I used
certutil -d /etc/dirsrv/slapd-SAP-WINGON-HK/ -n Server-Cert -D
ipa-getcert request -d /etc/dirsrv/slapd-WINGON-HK/ -n 'CN=*.wingon.hk' -K ldap/`hostname` -N CN=`hostname`,O=WINGON.HK -g 2048 -p /etc/dirsrv/slapd-WINGON-HK/pwdfile.txt
But it failed.
Thanks for your help.
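The renewal flow the post above is working through, as an added example that is not part of the thread or of FreeIPA's own tooling: a script that reads `certutil -L` output for the dirsrv NSS database, flags the server certificate (the entry with `u` trust flags, i.e. the one whose private key is in the database) once its Not After date has passed, and prints the certmonger steps that replace it with a certificate issued by the IPA CA. The certutil text is constructed from the listing in the post so the script runs offline; the realm WINGON.HK, the host name ipa1.wingon.hk and the reference dates are assumptions. On a live server the listing comes from `certutil -d /etc/dirsrv/slapd-WINGON-HK -L` and the detail from `certutil -d /etc/dirsrv/slapd-WINGON-HK -L -n '<nickname>'`.

```python
"""Find expired server certificates in a FreeIPA dirsrv NSS database from
`certutil -L` output and emit the commands that replace each one with a
certificate issued by the IPA CA through certmonger.

Added example, not FreeIPA tooling. It parses certutil text instead of
running certutil, so the listing and detail below are constructed from the
thread and everything runs offline; realm, host name and dates are assumed."""
import re
from datetime import datetime, timezone

# Third column of `certutil -L`: three comma-separated NSS trust flag groups.
TRUST_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")

SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=*.wingon.hk                                               u,u,u
WINGON.HK IPA CA                                             CT,C,C
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\\, Inc.,C=US C,,
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\\, Inc.,L=Scottsdale,ST=Arizona,C=US C,,
"""

SAMPLE_DETAIL = {  # constructed `certutil -L -n 'CN=*.wingon.hk'` dump (subset)
    "CN=*.wingon.hk": """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            08:5c:79:e8:d9:7d:6a:b4
        Validity:
            Not Before: Sat Jul 02 22:16:17 2022
            Not After : Thu Aug 03 22:16:17 2023
        Subject: "CN=*.wingon.hk"
""",
}

# Reference "now" values for the example (assumed dates around the expiry).
AFTER_EXPIRY = datetime(2023, 8, 10, tzinfo=timezone.utc)
BEFORE_EXPIRY = datetime(2023, 7, 1, tzinfo=timezone.utc)


def parse_listing(text):
    """Return {nickname: trust flags}. Nicknames may contain spaces and escaped
    commas, so the trust flags are taken from the last whitespace token."""
    certs = {}
    for line in text.splitlines():
        nick, _, trust = line.rstrip().rpartition(" ")
        if TRUST_RE.match(trust):
            certs[nick.rstrip()] = trust
    return certs


def not_after(detail):
    """'Not After' of a `certutil -L -n <nick>` dump. certutil prints no zone;
    the value is treated as UTC here (assumption)."""
    m = re.search(r"Not After\s*:\s*(.+)", detail)
    if not m:
        raise ValueError("no 'Not After' line in certutil output")
    when = datetime.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Y")
    return when.replace(tzinfo=timezone.utc)


def server_cert_nicknames(certs):
    """Entries whose trust flags carry 'u': the DB holds their private key, so
    these are the certificates dirsrv can actually serve."""
    return [nick for nick, trust in certs.items() if "u" in trust]


def renewal_plan(listing, details, realm, fqdn, now):
    """Return (expired nicknames, shell commands). `details` maps a nickname to
    the certutil dump for that nickname."""
    instance = "slapd-" + realm.replace(".", "-")   # FreeIPA instance naming
    db = f"/etc/dirsrv/{instance}"                  # derived once, reused everywhere
    certs = parse_listing(listing)
    expired = [n for n in server_cert_nicknames(certs) if not_after(details[n]) < now]
    cmds = []
    for nick in expired:
        # Nickname dirsrv is configured to load; keeping it avoids a dse.ldif edit.
        cmds.append(f"grep -i nsSSLPersonalitySSL {db}/dse.ldif")
        cmds.append(f"certutil -d {db} -n '{nick}' -D")   # free the nickname
        # IPA CA issues for the host's ldap/ principal; CN must be the host FQDN.
        cmds.append(
            f"ipa-getcert request -d {db} -n '{nick}' -K ldap/{fqdn} "
            f"-N 'CN={fqdn},O={realm}' -D {fqdn} -g 2048 -p {db}/pwdfile.txt"
        )
        cmds.append(f"ipa-getcert list -d {db} -n '{nick}'")  # expect MONITORING
    return expired, cmds


if __name__ == "__main__":
    expired, cmds = renewal_plan(SAMPLE_LISTING, SAMPLE_DETAIL,
                                 "WINGON.HK", "ipa1.wingon.hk", AFTER_EXPIRY)
    print("expired server certs:", expired)
    print("\n".join(cmds))
```

The plan derives the NSS directory once from the realm and reuses it for the grep, the delete, the request and the status check, so every step points at the same database. The request keeps the old nickname so the nsSSLPersonalitySSL value in dse.ldif still resolves, and it asks for the ldap/<fqdn> principal with CN=<fqdn>, because the IPA CA's default service profile issues certificates for the host's own name, not for a wildcard.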
Multiple problems, looking to migrate off current cluster
by Rusty Shackleford
After several years of not-well-understood management of our
freeipa-cluster, it is finally in a sad enough state to get business
priority on planning/implementing a migration. The environment is el7 for
both old and new. I understand that there is a MoM, so my plan was
basically this:
1. Add a replica.
2. transfer whatever MoM-specific bits exist to the new replica (do not
know what all of those are)
3. Start removing all old replicas (do I need to have the new one
replicating with at least one other new host before removing all old
replicas?)
4. Lather, rinse, repeat until all old servers are no longer replicating
with new servers and can be terminated.
This will also be a practice run at an as-yet unplanned migration to the
el8 or el9 stack.
The MoM questions arose because we lost a MoM years ago before we even knew
the first master was special and now we have two uid ranges. I'd like to
see if we can move that back to a single range (whether it fully contains
the 2, I don't care as long as users do not have to be migrated).
Beyond that, I'd like some opinion on the best topology. Back in the day,
it was said that too many replicas was problematic for the load on the
servers. We are trying to avoid that while increasing responsiveness to the
7000+ hosts (spread across 3 regions). Often, we get kerberos timeouts
registering new hosts with ipa-client-install. Or get sssd timing out after
the fact. So any help on topo layout would be _greatly_ appreciated.
Thanks a bunch!
Rocky 8: how to set security-policy to FUTURE without losing FreeIPA?
by Harald Dunkel
Hi folks,
our security scanner complains about weak ciphers in Rocky 8
(httpd and ssh). The security policy is set to "DEFAULT". If I set
it to "FUTURE", then httpd is not started anymore (breaking
ipa.service) due to some short keys. From the httpd error
log:
[Tue Aug 01 07:15:37.847520 2023] [suexec:notice] [pid 13991:tid 140196092746048] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Aug 01 07:15:37.849785 2023] [ssl:emerg] [pid 13991:tid 140196092746048] AH02562: Failed to configure certificate ipaca8.example.com:443:0 (with chain), check /var/lib/ipa/certs/httpd.crt
[Tue Aug 01 07:15:37.849826 2023] [ssl:emerg] [pid 13991:tid 140196092746048] SSL Library Error: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
AH00016: Configuration Failed
The httpd key and cert were generated by FreeIPA just a few
weeks ago, so I wonder how to proceed in this case? Upgrade
to Rocky 9 to get better defaults?
Regards
Harri
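The failure in the httpd log above, in an added example that is not part of the thread or of the crypto-policies project: "ee key too small" is OpenSSL rejecting the end-entity (server) key because its RSA modulus is shorter than the policy's minimum, 2048 bits under DEFAULT and 3072 under FUTURE. The script walks the DER of a SubjectPublicKeyInfo, reads the modulus size and reports which policy levels would accept it. It uses only the standard library; the SPKI it tests itself against is constructed (an odd 2048-bit integer, not a real key). On a host, `openssl x509 -in /var/lib/ipa/certs/httpd.crt -pubkey -noout` prints the certificate's SPKI in PEM, which `pem_to_der` turns into the input `rsa_modulus_bits` expects.

```python
"""Explain an httpd 'ee key too small' failure: walk the DER of a certificate's
SubjectPublicKeyInfo, read the RSA modulus size and compare it with the minimum
each crypto-policies level accepts for end-entity keys.

Added example, not from the thread; standard library only. The policy minimums
are the documented crypto-policies values; build_spki() produces a constructed
test input (an odd integer of the requested size, NOT a usable RSA key)."""
import base64

# RSA modulus sizes accepted by each system-wide crypto policy (bits).
POLICY_MIN_RSA_BITS = {"LEGACY": 1024, "DEFAULT": 2048, "FUTURE": 3072}

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield the (tag, value) pairs contained in a SEQUENCE or SET body."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner


def der_encode(tag, value):
    """Encode one TLV (used only to build the constructed test input)."""
    if len(value) < 0x80:
        length = bytes([len(value)])
    else:
        n = (len(value).bit_length() + 7) // 8
        length = bytes([0x80 | n]) + len(value).to_bytes(n, "big")
    return bytes([tag]) + length + value


def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    tag, spki, _ = der_tlv(spki_der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    (_, algorithm), (_, public_key) = list(der_children(spki))[:2]
    oid = next(v for t, v in der_children(algorithm) if t == 0x06)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    # BIT STRING body: one unused-bits byte, then RSAPublicKey ::= SEQUENCE { n, e }
    _, rsa_public_key, _ = der_tlv(public_key, 1)
    _, modulus = next(der_children(rsa_public_key))
    return int.from_bytes(modulus, "big").bit_length()  # leading 0x00 pad is harmless


def pem_to_der(pem):
    """Strip the PEM armour (e.g. from `openssl x509 -pubkey -noout`) and decode."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def der_to_pem(der, label="PUBLIC KEY"):
    """Inverse of pem_to_der, used for the round-trip check."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def policy_verdict(bits):
    """Which crypto-policies levels accept a key of this size as an end-entity key."""
    return {policy: bits >= minimum for policy, minimum in POLICY_MIN_RSA_BITS.items()}


def report(spki_der):
    """(modulus bits, sorted names of the policies that accept the key)."""
    bits = rsa_modulus_bits(spki_der)
    return bits, sorted(p for p, ok in policy_verdict(bits).items() if ok)


def build_spki(modulus_bits):
    """Constructed test input: rsaEncryption SPKI around an odd integer of the
    requested size. Structurally valid DER, but NOT a real RSA key."""
    n = (1 << (modulus_bits - 1)) | 0x1234567       # top bit set => exact bit length
    n_bytes = n.to_bytes((modulus_bits + 7) // 8, "big")
    if n_bytes[0] & 0x80:
        n_bytes = b"\x00" + n_bytes                  # DER INTEGER must stay positive
    rsa_public_key = der_encode(0x30, der_encode(0x02, n_bytes) + der_encode(0x02, b"\x01\x00\x01"))
    algorithm = der_encode(0x30, der_encode(0x06, RSA_ENCRYPTION_OID) + der_encode(0x05, b""))
    return der_encode(0x30, algorithm + der_encode(0x03, b"\x00" + rsa_public_key))


if __name__ == "__main__":
    for size in (2048, 3072):
        bits, accepted = report(build_spki(size))
        print(f"{bits}-bit RSA end-entity key accepted by: {', '.join(accepted)}")
```

With a 2048-bit key the verdict is LEGACY and DEFAULT only, which matches the log: the policy moved past the key, not the other way round. The way forward is a new key pair of 3072 bits or more for the httpd certificate rather than loosening the policy. The certificate is tracked by certmonger, so `getcert list -f /var/lib/ipa/certs/httpd.crt` shows the request, and `getcert rekey` exists to replace the key pair (its `-g BITS` option sets the new size; confirm against getcert-rekey(1) for the certmonger version installed).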