So I followed the directions to add it to my dev freeipa servers, and restarted httpd.
But when I go to log in at https://myserver/idp as admin or myself, I get 401 Unauthorized no matter what. This is what I need to install the server:

sudo ipsilon-server-install --openid --saml2 yes --ipa yes --info-nss yes

I see this in /var/log/messages:

May 17 14:34:04 freeipa01-dev [sssd[ldap_child[9215]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:34:04 freeipa01-dev [sssd[ldap_child[9217]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:35:11 freeipa01-dev [sssd[ldap_child[9219]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:35:11 freeipa01-dev [sssd[ldap_child[9221]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:36:26 freeipa01-dev [sssd[ldap_child[9223]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:36:26 freeipa01-dev [sssd[ldap_child[9224]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:37:32 freeipa01-dev [sssd[ldap_child[9228]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:37:32 freeipa01-dev [sssd[ldap_child[9230]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:38:36 freeipa01-dev [sssd[ldap_child[9238]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:38:36 freeipa01-dev [sssd[ldap_child[9240]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:39:37 freeipa01-dev [sssd[ldap_child[9243]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:39:37 freeipa01-dev [sssd[ldap_child[9245]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.

This is what is in /var/log/http/error_log:

[Thu May 17 13:55:56.263306 2018] [authnz_pam:warn] [pid 8829] [client 10.1.6.250:50562] PAM authentication failed for user andrew.meyer: Authentication failure, referer: https://freeipa01-dev.example.local/idp/login/gssapi/negotiate?ipsilon_tr...
May 17 13:55:59.673795 2018] [auth_gssapi:error] [pid 8829] [client 10.1.6.250:50562] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/login/form
[Thu May 17 13:56:05.735790 2018] [authnz_pam:warn] [pid 8829] [client 10.1.6.250:50562] PAM authentication failed for user admin: Error in service module, referer: https://freeipa01-dev.example.local/idp/login/gssapi/negotiate?ipsilon_tr...
May 17 13:56:08.232387 2018] [auth_gssapi:error] [pid 8829] [client 10.1.6.250:50562] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/login/form
[Thu May 17 13:56:14.206573 2018] [auth_gssapi:error] [pid 8829] [client 10.1.6.250:50562] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/login/gssapi/negotiate?ipsilon_tr...
May 17 14:39:17.674883 2018] [auth_gssapi:error] [pid 8830] [client 10.1.6.250:51742] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/
[Thu May 17 14:39:21.039126 2018] [auth_gssapi:error] [pid 8830] [client 10.1.6.250:51742] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/
[Thu May 17 14:39:32.032374 2018] [authnz_pam:warn] [pid 8830] [client 10.1.6.250:51742] PAM authentication failed for user admin: Error in service module, referer: https://freeipa01-dev.example.local/idp/login/gssapi/negotiate?ipsilon_tr...

On Thursday, May 17, 2018 2:25 PM, Alexander Bokovoy via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:

On Thu, 17 May 2018, Andrew Meyer via FreeIPA-users wrote:
Has anyone installed this on their prod FreeIPA installation? I need to hook FreeIPA into some other auth systems that don't support LDAP.

I'm using FreeIPA with Ipsilon for quite a few years for my home setup.
I even added integration for Ipsilon to HackMD:
https://github.com/hackmdio/hackmd/pull/732
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland