New plugin almost ready - postfixadmin
by Francis Augusto Medeiros-Logeay
Hi,
I have almost finished a plugin for FreeIPA, so that admins can have similar functionality found on Postfix Admin.
https://github.com/oculos/freeipa-postfixadmin/blob/main/README.md
There is already a good plugin that does a bit of that, but the goal is a bit different. My main goal is not to mix up postfix configuration with groups and hosts, but have separate entities for domain, aliases and virtual domains, in addition to mailboxes.
It was written mostly to allow me to migrate my mailboxes from MySQL to FreeIPA, and I don’t have a huge postfix configuration - I only have multiple domains, mailboxes, aliases and virtual domains, so that’s the functionality I wanted with this plugin.
There are a few things missing before this can go in production («production» here means to actually migrate my mailboxes to FreeIPA), adding a mailbox to IPA users on the GUI being the most important one.
I would appreciate any comments and feedback regarding this plugin. It wasn’t easy to understand the logic on how to write one, but I got the hang of it (for simple stuff).
Best,
Francis
5 months, 4 weeks
Allow sysaccount to view its own entry
by Adam Bishop
I have a piece of software that tries to look up its own uid to check that LDAP is correctly configured.
This check fails because the sysaccount cannot view anything under cn=etc,cn=sysaccounts.
Is there an existing permission/privilege that I can use to allow it to read the sysaccounts tree (or better, just its own entry)?
Many Thanks,
Adam Bishop
6 months
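One way to give a system account read access to its own entry and nothing else, as an added example that is not part of the post or of the FreeIPA project: it uses the IPA permission framework with a "self" bind rule rather than a hand-written ACI, so the grant is visible in `ipa permission-find` and survives upgrades. It assumes an IPA version whose `ipa permission-add` offers `--bindtype=self`; the domain `example.com`, the account name `myapp` and the LDAPS URI are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: let each system
# account under cn=sysaccounts,cn=etc read only its own entry, using an IPA
# permission with a "self" bind rule, then verify by binding as that account.
# Assumptions: the permission plugin supports --bindtype=self; the domain,
# account name and LDAP URI used below are placeholders.

# Derive the directory suffix from a DNS domain: example.com -> dc=example,dc=com
suffix_from_domain() {
    printf '%s' "$1" | awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i }'
}

# DN of a system account in the IPA sysaccounts container
sysaccount_dn() {
    printf 'uid=%s,cn=sysaccounts,cn=etc,%s' "$1" "$2"
}

# Permission with a "self" bind rule: a sysaccount may read, search and
# compare only the listed attributes of its own entry, not the rest of the
# tree. Needs an admin Kerberos ticket (kinit admin).
grant_self_read() {
    base="$(suffix_from_domain "$1")"
    ipa permission-add "System: Read own sysaccount entry" \
        --bindtype=self \
        --subtree="cn=sysaccounts,cn=etc,$base" \
        --right=read --right=search --right=compare \
        --attrs=objectclass --attrs=uid
}

# Verify from the application's point of view: bind as the sysaccount and
# read its own entry. Use ldaps:// (or add -ZZ) so the simple bind is not
# sent in the clear.
verify_self_read() {
    dn="$(sysaccount_dn "$1" "$2")"
    ldapsearch -x -LLL -H "$3" -D "$dn" -W -b "$dn" -s base '(objectClass=*)' uid
}

# Usage (placeholders):
#   grant_self_read example.com
#   verify_self_read myapp "$(suffix_from_domain example.com)" ldaps://ipa.example.com
```

The attribute list is deliberately short: the software in the question only needs to find its own `uid`, and a self-read permission that exposed `userPassword` or every attribute would widen the grant for no benefit. If the account must also see other entries in the container, that is a separate permission with its own subtree and attribute list, not a broader bind rule on this one.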
Installing FreeIPA server + replica using Ansible Role FreeIPA
by Finn Fysj
The installation of IPA server and replica does not produce desired result.
Even though the mkhomedir is set to true the feature is not enabled in the authselect. Also the replica server does not replicate SUDO and HBAC rules from the IPA master.
Is the only solution to re-install the whole IPA server/replicas stuff? Kinda stupid.
Example of the IPA server role:
- role: freeipa.ansible_freeipa.ipaserver
  vars:
    ipaserver: "{{ ansible_hostname }}.example"
    ipaserver_hostname: "{{ ansible_hostname }}.example"
    ipaadmin_password: "test123"
    ipadm_password: "test321"
    ipaserver_domain: "example.com"
    ipaserver_realm: "EXAMPLE.COM"
    ipaserver_no_host_dns: true
    ipaserver_mem_check: true
    ipaserver_install_packages: true
    ipaserver_setup_dns: false
    ipaserver_no_pkinit: true
    ipaserver_no_hbac_allow: true
    ipaserver_no_ui_redirect: false
    ipaclient_no_ntp: true
    ipaclient_mkhomedir: true
    ipaclient_no_sudo: false
6 months, 2 weeks
Free IPA DNS Issues
by Pradeep KNS
Hello Team,
While setting up FreeIPA in my Linux infrastructure, I noticed a strange warning. I would like to clarify before rolling into production.
*DNS zone alpha-grep.com. already exists in DNS and is handled by server(s): ['ns2.', 'ns1.'] Please make sure that the domain is properly delegated to this IPA server.*
I have uploaded the detailed installation log at this link. Please suggest whether it will be any security flaw in future, before installing it on production.
https://bpa.st/AMITK
7 months
IPA Upgrade failure during CA phase
by Vinícius Ferrão
Hello,
After running yum update on an EL7.9 system FreeIPA was unable to start, asking for a manual upgrade.
So I performed the required command, without success:
[root@headnode pki]# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/9]: saving configuration
[2/9]: disabling listeners
[3/9]: enabling DS global lock
[4/9]: disabling Schema Compat
[5/9]: starting directory server
[6/9]: updating schema
[7/9]: upgrading server
[8/9]: stopping directory server
[9/9]: restoring configuration
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
CA did not start in 300.0s
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
The /var/log/ipaupgrade.log file is 75k lines long, but looking at it after some hours I think the relevant data is the following:
2023-09-26T22:22:23Z DEBUG stdout=ERROR: No kra subsystem in instance pki-tomcat.
2023-09-26T22:22:35Z DEBUG stderr=
2023-09-26T22:22:35Z DEBUG Starting pki-tomcatd@pki-tomcat.
2023-09-26T22:22:35Z DEBUG Starting external process
2023-09-26T22:22:35Z DEBUG args=/bin/systemctl start pki-tomcatd@pki-tomcat.service
2023-09-26T22:22:36Z DEBUG Process finished, return code=0
2023-09-26T22:22:36Z DEBUG stdout=
2023-09-26T22:22:36Z DEBUG stderr=
2023-09-26T22:22:36Z DEBUG Starting external process
2023-09-26T22:22:36Z DEBUG args=/bin/systemctl is-active pki-tomcatd@pki-tomcat.service
2023-09-26T22:22:36Z DEBUG Process finished, return code=0
2023-09-26T22:22:36Z DEBUG stdout=active
2023-09-26T22:22:36Z DEBUG stderr=
2023-09-26T22:22:36Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2023-09-26T22:22:36Z DEBUG waiting for port: 8080
2023-09-26T22:22:36Z DEBUG Failed to connect to port 8080 tcp on ::1
2023-09-26T22:22:36Z DEBUG Failed to connect to port 8080 tcp on 127.0.0.1
2023-09-26T22:22:38Z DEBUG SUCCESS: port: 8080
2023-09-26T22:22:38Z DEBUG waiting for port: 8443
2023-09-26T22:22:38Z DEBUG SUCCESS: port: 8443
2023-09-26T22:22:38Z DEBUG Start of pki-tomcatd@pki-tomcat.service complete
2023-09-26T22:22:38Z DEBUG Waiting until the CA is running
2023-09-26T22:22:38Z DEBUG request POST http://DOMAIN:8080/ca/admin/ca/getStatus
2023-09-26T22:22:38Z DEBUG request body ''
2023-09-26T22:22:42Z DEBUG response status 500
2023-09-26T22:22:42Z DEBUG response headers Server: Apache-Coyote/1.1
2023-09-26T22:22:42Z DEBUG response body '<html><head><title>Apache Tomcat/7.0.76 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - Subsystem unavailable</h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u>Subsystem unavailable</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>javax.ws.rs.ServiceUnavailableException: Subsystem 
unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)\n\torg.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)\n\torg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:750)\n</pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/7.0.76 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.76</h3></body></html>'
2023-09-26T22:22:42Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
2023-09-26T22:22:42Z DEBUG Waiting for CA to start…
So it seems that the CA is broken.
In /var/log/pki, I can find this:
cat pki-server-upgrade-10.5.*
Upgrading PKI server configuration at Mon Sep 18 01:38:43 -03 2023.
Upgrading from version 10.5.9 to 10.5.17:
1. Update audit events
Upgrading from version 10.5.17 to 10.5.18:
1. Fix EC admin certificate profile
Upgrading from version 10.5.18 to 10.5.18:
1. Add caAuditSigningCert profile
2. Fix the authentication for caServerKeygen_UserCert profile
ERROR: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/ca/profiles/ca/caServerKeygen_UserCert.cfg'
Failed upgrading pki-tomcat/ca subsystem.
Upgrade failed in pki-tomcat/ca: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/ca/profiles/ca/caServerKeygen_UserCert.cfg'
Continue (Yes/No) [Y]? Traceback (most recent call last):
  File "/sbin/pki-server-upgrade", line 211, in <module>
    main(sys.argv)
  File "/sbin/pki-server-upgrade", line 204, in main
    upgrader.upgrade()
  File "/usr/lib/python2.7/site-packages/pki/upgrade.py", line 623, in upgrade
    self.upgrade_version(version)
  File "/usr/lib/python2.7/site-packages/pki/upgrade.py", line 613, in upgrade_version
    case_sensitive=False).lower()
  File "/usr/lib/python2.7/site-packages/pki/__init__.py", line 142, in read_text
    value = input(message)
EOFError: EOF when reading a line
But nothing more.
Any idea of what I should be looking for?
Thanks.
7 months, 2 weeks
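A first-pass triage of the two logs quoted above, as an added example that is not part of the post or of the FreeIPA/Dogtag projects: one function pairs every CA status probe in ipaupgrade.log with the HTTP status it received, the other pulls the lines from the pki-server-upgrade output that say why the subsystem upgrade stopped (the error, the failed step, and the EOFError from the "Continue (Yes/No)" prompt being answered by a closed stdin). The sample lines are constructed from the excerpts in the post; the hostname `ipa.example.test` is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA/Dogtag projects: triage
# of ipaupgrade.log and the pki-server-upgrade output. Sample lines are
# constructed from the excerpts in the thread; hostname is a placeholder.

# From ipaupgrade.log: pair each CA status probe (POST .../getStatus) with the
# HTTP status that came back and report the 4xx/5xx ones.
ca_probe_failures() {
    awk '
        /request POST .*\/ca\/admin\/ca\/getStatus/ { url = $NF }
        /response status [45][0-9][0-9]/ && url != "" {
            print "CA status probe failed: " url " -> HTTP " $NF
            url = ""
        }
    ' "$1"
}

# From pki-server-upgrade output: the lines that explain why a subsystem
# upgrade stopped. The EOFError means the upgrader asked "Continue (Yes/No)"
# on a stdin that was not a terminal.
pki_upgrade_errors() {
    grep -E '^(ERROR:|Failed upgrading|Upgrade failed|EOFError:)' "$1" || true
}

# Constructed sample of the relevant ipaupgrade.log lines.
sample_ipaupgrade_log() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
2023-09-26T22:22:36Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2023-09-26T22:22:38Z DEBUG Waiting until the CA is running
2023-09-26T22:22:38Z DEBUG request POST http://ipa.example.test:8080/ca/admin/ca/getStatus
2023-09-26T22:22:38Z DEBUG request body ''
2023-09-26T22:22:42Z DEBUG response status 500
2023-09-26T22:22:42Z DEBUG response headers Server: Apache-Coyote/1.1
2023-09-26T22:22:42Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
2023-09-26T22:22:42Z DEBUG Waiting for CA to start...
EOF
    echo "$f"
}

# Constructed sample of the pki-server-upgrade output.
sample_pki_upgrade_log() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
Upgrading from version 10.5.18 to 10.5.18:
  1. Add caAuditSigningCert profile
  2. Fix the authentication for caServerKeygen_UserCert profile
ERROR: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/ca/profiles/ca/caServerKeygen_UserCert.cfg'
Failed upgrading pki-tomcat/ca subsystem.
Upgrade failed in pki-tomcat/ca: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/ca/profiles/ca/caServerKeygen_UserCert.cfg'
Continue (Yes/No) [Y]? Traceback (most recent call last):
EOFError: EOF when reading a line
EOF
    echo "$f"
}

# Run both steps. On a real server point them at /var/log/ipaupgrade.log and
# /var/log/pki/pki-server-upgrade-10.5.* instead of the samples.
triage() {
    ca_probe_failures "$1"
    pki_upgrade_errors "$2"
}

# Stand-alone demo on the constructed samples: sh triage.sh demo
if [ "${1:-}" = "demo" ]; then
    triage "$(sample_ipaupgrade_log)" "$(sample_pki_upgrade_log)"
fi
```

Reading the two outputs together is the point: ipaupgrade.log only says that Tomcat answered the status probe with a 500 for five minutes, while the pki-server-upgrade output shows the CA subsystem's own configuration upgrade never completed, so the server-side symptom is a consequence, not the cause. Resolving the missing profile file and re-running the pki upgrade on a terminal (so the prompt can be answered) is what to look at before re-running ipa-server-upgrade.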
Keytab issues after upgrade to Fedora 38
by Djerk Geurts
Today was my second attempt to lift FreeIPA servers to Fedora 38 from 37. Again it failed.
Sync and healthchecks were fine, but an (admin) user can't log into the WebUI and can't do sudo. Login works because I do key-based authentication.
Kinit admin works, but kinit alone doesn't.
I have a hunch that a keytab gets corrupted somewhere, but I'm baffled as to why this wouldn't present as different errors.
Has anyone experienced similar issues? I've rolled the servers back, so don't have much in the way of logs at the moment.
7 months, 2 weeks
FreeIpa LDAP authentication
by Duarte Petiz
Hey everyone!
I have been using FreeIPA for 2 months.
Now I asked for an internal pentest and the pentesters found this:
Without authentication they can obtain information about our FreeIPA (which uses LDAP as backend, as you know).
ldapsearch -x -b "dc=example,dc=com" -H ldap://10.0.0.9:389 "(objectClass=*)"
Is there any way to protect it? How can I achieve that?
--
Kind Regards
Duarte Petiz
DevOps Team Lead | jscrambler.com
7 months, 2 weeks
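The server-side control for what the pentesters found, as an added example that is not part of the post or of the FreeIPA project: FreeIPA's directory server (389-ds) accepts anonymous binds by default and its ACIs grant anonymous read on much of the tree, so the blanket switch is the `nsslapd-allow-anonymous-access` setting in `cn=config`. The value `rootdse` keeps the root DSE readable, which IPA clients and SSSD need for discovery, while refusing every other unauthenticated search. The instance name `EXAMPLE-COM`, the LDAPI socket path, the base DN and the address `10.0.0.9` are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: restrict
# anonymous reads on the 389-ds instance behind FreeIPA to the root DSE,
# then repeat the unauthenticated search to confirm nothing comes back.
# Instance name, socket path, base DN and address are placeholders.

# LDIF for cn=config. Levels: on (the default, what the pentest exercised),
# rootdse (recommended for IPA: clients may still read the root DSE),
# off (blocks the root DSE as well and breaks client discovery).
anon_access_ldif() {
    level="${1:-rootdse}"
    case "$level" in
        on|off|rootdse) ;;
        *) echo "invalid level: $level (expected on, off or rootdse)" >&2; return 1 ;;
    esac
    printf 'dn: cn=config\nchangetype: modify\nreplace: nsslapd-allow-anonymous-access\nnsslapd-allow-anonymous-access: %s\n' "$level"
}

# Apply as Directory Manager over the local LDAPI socket and restart the
# directory server. cn=config is not replicated: run this on every IPA server.
apply_anon_access() {
    level="${1:-rootdse}"
    uri="${2:-ldapi://%2Fvar%2Frun%2Fslapd-EXAMPLE-COM.socket}"   # placeholder instance
    anon_access_ldif "$level" | ldapmodify -H "$uri" -D "cn=Directory Manager" -W \
        && systemctl restart dirsrv.target
}

# Repeat the unauthenticated search from the pentest report against a server
# and base DN; succeeds (exit 0) only when no entries are returned.
check_anon_access() {
    n="$(ldapsearch -x -LLL -H "$1" -b "$2" -s sub '(objectClass=*)' dn 2>/dev/null | grep -c '^dn:')"
    echo "anonymous search of $2 via $1 returned $n entries"
    [ "$n" -eq 0 ]
}

# Usage (placeholders):
#   apply_anon_access rootdse
#   check_anon_access ldap://10.0.0.9:389 dc=example,dc=com
```

Two things to check before rolling this out: any monitoring or integration that currently binds anonymously (a check that does `ldapsearch -x` with no `-D`) needs a system account, and `ipa-client-install` on new hosts still works with `rootdse` because enrolment reads only the root DSE before authenticating. Setting the value to `off` is the one to avoid on an IPA server.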