Hi All,

I have recently applied the CentOS 7.4 updates, which included the installation
of FreeIPA 4.5. Prior to the update we were running CentOS 7.3 (the
original OS for this system) and FreeIPA 4.4, and the platform has been
regularly updated without issue. We operate a master and replica pair at a
single location.

Since upgrading to FreeIPA 4.5, user authentication is behaving
inconsistently in relation to OTP - we use password+OTP for all user
authentication.

Our platform is available behind a VPN provided by a Cisco ASA where the
authentication is handled by FreeIPA using an interim LDAP bind on a
dedicated system account (i.e. https://www.freeipa.org/page/HowTo/LDAP).
Since the update *this connection does not accept OTP* tokens but does work
with password only - in contrast with our security policy.

Once connected the user can then SSH into the system - for this connection
the normal authentication (password+otp) works - password only does not
work here. With an SSH session to the IPA master I can run ldapsearch and
authenticate with password+otp only. The web UI also requires password+otp.

To clarify, the system should not accept any user logins using password only,
and the acceptance of this on our VPN connection is quite concerning. Is
anyone able to offer advice on how to dig deeper and resolve the issue?

Some system details:

---
$ sudo ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

$ sudo rpm -qa| grep ipa
ipa-common-4.5.0-21.el7.centos.1.2.noarch
ipa-server-dns-4.5.0-21.el7.centos.1.2.noarch
ipa-python-compat-4.5.0-21.el7.centos.1.2.noarch
ipa-client-common-4.5.0-21.el7.centos.1.2.noarch
ipa-client-4.5.0-21.el7.centos.1.2.x86_64
ipa-server-4.5.0-21.el7.centos.1.2.x86_64
python-libipa_hbac-1.15.2-50.el7_4.2.x86_64
python2-ipaserver-4.5.0-21.el7.centos.1.2.noarch
sssd-ipa-1.15.2-50.el7_4.2.x86_64
python2-ipaclient-4.5.0-21.el7.centos.1.2.noarch
libipa_hbac-1.15.2-50.el7_4.2.x86_64
python2-ipalib-4.5.0-21.el7.centos.1.2.noarch
ipa-server-common-4.5.0-21.el7.centos.1.2.noarch
--

There is an additional "symptom" present on the web UI - every visit to the
login screen now gets two HTTP BASIC authentication pop-ups; typically we
would just get one and dismiss it to proceed to the normal logon. Not sure if
that is at all relevant. Each popup appears in the Apache error log as a
separate GSSAPI error, shown below. Not a problem, just different.

--
[Mon Sep 18 14:09:07.974254 2017] [auth_gssapi:error] [pid 7810] [client 172.18.0.1:53298] NO AUTH DATA Client did not send any authentication headers, referer: https://pci-fram-ipa1.domain.net/ipa/ui/
[Mon Sep 18 14:09:09.712143 2017] [auth_gssapi:error] [pid 3101] [client 172.18.0.1:53304] NO AUTH DATA Client did not send any authentication headers, referer: https://pci-fram-ipa1.domain.net/ipa/ui/
--

Thanks,

Callum
-- 
Callum Guy
Head of Information Security
X-on
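A way to dig deeper into the LDAP-bind question above, as an added example that is not part of the original post and is not FreeIPA's own code: a small probe that binds to the IPA directory three times with a test user's credentials (password only, OTP only, password+OTP) and compares the outcome with the policy stated in the post (only password+OTP may succeed). The OTP is computed locally from the test token's key, so the script needs a TOTP token whose base32 key the tester knows (for example one created with `ipa otptoken-add` for this check and deleted afterwards). Assumptions not in the post: the base DN `dc=domain,dc=net`, the standard FreeIPA user DN layout `uid=<user>,cn=users,cn=accounts,<base DN>`, FreeIPA's default TOTP parameters (SHA-1, 6 digits, 30 s step), and OpenLDAP's `ldapwhoami` being installed (it exits with the LDAP result code, so 0 is a successful bind and 49 is invalidCredentials).

```python
"""Probe FreeIPA's LDAP simple bind against a password+OTP-only policy.

Added diagnostic example, not code from the post or from FreeIPA.
Assumed (not given in the post): base DN dc=domain,dc=net, standard IPA
user DN layout, default TOTP token parameters, ldapwhoami on PATH.
"""
import base64
import hashlib
import hmac
import struct
import subprocess
import sys
import time

LDAP_URI = "ldaps://pci-fram-ipa1.domain.net"   # host taken from the Apache log in the post
BASE_DN = "dc=domain,dc=net"                    # assumption: replace with your realm's base DN


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(key, 8-byte counter), dynamic truncation, N digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, now: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the time counter floor(now / step)."""
    return hotp(key, now // step, digits, algo)


def decode_base32_key(secret: str) -> bytes:
    """Token keys are shown base32-encoded (the 'secret=' part of the otpauth:// URI)."""
    s = secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)          # restore padding stripped from the URI form
    return base64.b32decode(s)


def user_dn(user: str, base_dn: str = BASE_DN) -> str:
    """Standard FreeIPA user entry DN."""
    return f"uid={user},cn=users,cn=accounts,{base_dn}"


def ldap_bind_rc(uri: str, bind_dn: str, password: str) -> int:
    """One simple bind via ldapwhoami; the exit status is the LDAP result code."""
    proc = subprocess.run(
        ["ldapwhoami", "-x", "-H", uri, "-D", bind_dn, "-w", password],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False)
    return proc.returncode


def probe(user: str, password: str, token_secret: str, uri: str = LDAP_URI) -> dict:
    """Bind three times with the same user and return {label: exit code}."""
    code = totp(decode_base32_key(token_secret), int(time.time()))
    dn = user_dn(user)
    return {
        "password_only": ldap_bind_rc(uri, dn, password),
        "otp_only": ldap_bind_rc(uri, dn, code),
        "password_plus_otp": ldap_bind_rc(uri, dn, password + code),
    }


def evaluate(results: dict) -> list:
    """Compare bind outcomes with the policy in the post: only password+OTP may succeed.

    Returns a list of human-readable policy violations (empty means compliant)."""
    expected = {"password_only": False, "otp_only": False, "password_plus_otp": True}
    findings = []
    for label, must_succeed in expected.items():
        if label not in results:
            continue
        accepted = results[label] == 0
        if accepted != must_succeed:
            findings.append(
                f"{label}: bind {'accepted' if accepted else 'rejected'} "
                f"(rc={results[label]}), policy requires "
                f"{'accepted' if must_succeed else 'rejected'}")
    return findings


if __name__ == "__main__":
    # usage: python probe.py <user> <password> <base32 token key>
    if len(sys.argv) != 4:
        sys.exit("usage: probe.py USER PASSWORD BASE32_TOKEN_KEY")
    outcome = probe(sys.argv[1], sys.argv[2], sys.argv[3])
    for label, rc in outcome.items():
        print(f"{label:18s} rc={rc}")
    for finding in evaluate(outcome):
        print("POLICY VIOLATION:", finding)
```

Run it once against the master and once against the replica (set LDAP_URI accordingly) and once against whichever LDAP endpoint the ASA is actually configured to bind to; if `password_only` returns rc=0 on one server but 49 on another, the difference is in that server's directory configuration rather than on the ASA side. Note that TOTP is clock-dependent: if `password_plus_otp` is rejected everywhere, check the test host's clock against the IPA servers before concluding anything.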

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org