Hi All, I have recently applied the CentOS 7.4 updates which includes installation of FreeIPA 4.5. Prior to the update we were running CentOS 7.3 (the original OS for this system) and FreeIPA 4.4 and the platform has been regularly updated without issue. We operate a master and replica pair at a single location.
Since upgrading to FreeIPA 4.5 user authentication is behaving inconsistently with relation to OTP - we use password+OTP for all user authentication. Our platform is available behind a VPN provided by a Cisco ASA where the authentication is handled by FreeIPA using an interim LDAP bind on a dedicated system account (i.e. https://www.freeipa.org/page/HowTo/LDAP). Since the update *this connection does not accept OTP* tokens but does work with password only - in contrast with our security policy. Once connected the user can then SSH into the system - for this connection the normal authentication (password+otp) works - password only does not work here. With an SSH session to the IPA master I can run ldapsearch and authenticate with password+otp only. The web UI also requires password+otp. To clarify, the system should not accept any user logins using password only, and the acceptance of this on our VPN connection is quite concerning. Is anyone able to offer advice on how to dig deeper and resolve the issue?
Some system details:

---
$ sudo ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

$ sudo rpm -qa| grep ipa
ipa-common-4.5.0-21.el7.centos.1.2.noarch
ipa-server-dns-4.5.0-21.el7.centos.1.2.noarch
ipa-python-compat-4.5.0-21.el7.centos.1.2.noarch
ipa-client-common-4.5.0-21.el7.centos.1.2.noarch
ipa-client-4.5.0-21.el7.centos.1.2.x86_64
ipa-server-4.5.0-21.el7.centos.1.2.x86_64
python-libipa_hbac-1.15.2-50.el7_4.2.x86_64
python2-ipaserver-4.5.0-21.el7.centos.1.2.noarch
sssd-ipa-1.15.2-50.el7_4.2.x86_64
python2-ipaclient-4.5.0-21.el7.centos.1.2.noarch
libipa_hbac-1.15.2-50.el7_4.2.x86_64
python2-ipalib-4.5.0-21.el7.centos.1.2.noarch
ipa-server-common-4.5.0-21.el7.centos.1.2.noarch
--

There is an additional "symptom" present on the web UI - every visit to the login screen now gets two HTTP BASIC authentication pop-ups - typically we would just get one and dismiss it to proceed to normal logon. Not sure if that is at all relevant. Each popup appears in the apache error log as a separate GSSAPI error - shown below. Not a problem, just different.
--
[Mon Sep 18 14:09:07.974254 2017] [auth_gssapi:error] [pid 7810] [client 172.18.0.1:53298] NO AUTH DATA Client did not send any authentication headers, referer: https://pci-fram-ipa1.domain.net/ipa/ui/
[Mon Sep 18 14:09:09.712143 2017] [auth_gssapi:error] [pid 3101] [client 172.18.0.1:53304] NO AUTH DATA Client did not send any authentication headers, referer: https://pci-fram-ipa1.domain.net/ipa/ui/
--

Thanks,

Callum

--
Callum Guy
Head of Information Security
X-on
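A check for the LDAP-bind symptom described in the post above, added here as an example and not part of the original message: it performs two simple binds against the IPA directory, one with the password alone and one with the password followed by the OTP (the concatenated form the post's ldapsearch test uses), and reports whether password-only is accepted on that path. The server URI, bind DN and the use of ldapwhoami from openldap-clients are assumptions; BIND_CMD can be pointed at a stub for an offline dry run.

```shell
#!/bin/sh
# Added example: confirm whether LDAP simple binds enforce password+OTP.
# Assumptions: ldapwhoami (openldap-clients) is installed, LDAP_URI points at
# the IPA master, and the bind DN / credentials are supplied by the caller.
LDAP_URI="${LDAP_URI:-ldaps://ipa-master.example.test}"   # assumed hostname
BIND_CMD="${BIND_CMD:-ldapwhoami}"   # point at a stub for an offline dry run

# try_bind DN CREDENTIAL: one simple bind; returns the LDAP tool's exit status
# (0 = bind accepted, non-zero such as 49 = invalid credentials).
try_bind() {
    "$BIND_CMD" -x -H "$LDAP_URI" -D "$1" -w "$2" >/dev/null 2>&1
}

# otp_check DN PASSWORD OTP: prints exactly one verdict line:
#   enforced               password alone rejected, password+OTP accepted (expected)
#   password-only-accepted both binds accepted: OTP is not enforced on this path
#   otp-rejected           password alone accepted, password+OTP rejected
#   both-rejected          neither bind worked (wrong DN/URI/password, or server down)
otp_check() {
    if try_bind "$1" "$2"; then pw_ok=1; else pw_ok=0; fi
    if try_bind "$1" "$2$3"; then otp_ok=1; else otp_ok=0; fi
    case "$pw_ok$otp_ok" in
        01) echo enforced ;;
        11) echo password-only-accepted ;;
        10) echo otp-rejected ;;
        00) echo both-rejected ;;
    esac
}

# Usage: otp_check "uid=jdoe,cn=users,cn=accounts,dc=example,dc=test" "$PASSWORD" "$OTP"
# Run it as an OTP-enrolled test user against each server the VPN appliance binds to.
if [ $# -eq 3 ]; then otp_check "$1" "$2" "$3"; fi
```

Any verdict other than "enforced" on the server the ASA talks to reproduces the problem without involving the VPN appliance, which separates an IPA-side regression from an ASA configuration issue.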
_______________________________________________ FreeIPA-users mailing list -- email@example.com To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org