On Thu, 12 Sep 2024, Daniel Pätzold via FreeIPA-users wrote:
Hi, i am using docker image freeipa/freeipa-server:almalinux-9

and did use docker-compose.yml:

...

    hostname: ipa.example.com
    environment:
      IPA_SERVER_HOSTNAME: ipa.example.com
      TZ: "Europe/Berlin"
      PASSWORD: 'XXX'
#      DEBUG_NO_EXIT: 1
    command:
      - -U
      - --domain=clients.ipa.example.com
# Must match the last part of the Domain-Name and must be upper case and routed to the domain
      - --realm=EXAMPLE.COM

This is a mistake: you should keep the realm and the primary domain the
same. Do not deviate from this rule.
Another mistake is that you are trying to use an IPA server hostname
equal to the domain name: ipa.example.com while clearly there is going
to be a domain clients.ipa.example.com, so ipa.example.com is a domain
zone.

IPA server installer derives --domain from the hostname if unspecified
(e.g. ipa.example.com -> example.com -> base DN will be
dc=example,dc=com). It also prevents having a hostname equal to the DNS
domain.

But if --domain was specified, it will use that value to generate base DN
(dc=clients,dc=ipa,dc=example,dc=com). The problem is that all the rest
of the code expects realm be equal to primary domain and thus base DN be
dc=example,dc=com.

If you want to deploy in clients.ipa.example.com but still use
EXAMPLE.COM, don't specify --domain other than example.com. Create
initial server in a DNS zone that is accessible prior to installation or
will be directly created during installation if installing with
integrated DNS. Make sure that the DNS domain which is equal to the one
of Kerberos realm is owned by you (or created by the integrated DNS).

Integrated DNS case (--setup-dns) is important to understand because you
are deploying DNS zone for --domain value here. IPA installer will not
create any other DNS zone inside this new DNS zone and it will not
create a DNS zone for the hostname of IPA server if it is outside of the
primary DNS domain as well. DNS zone equal to Kerberos realm must have
corresponding DNS records pointing to IPA servers. If not using
integrated DNS, a sample zone file will be generated.

In general:

 - DNS zones will have to exist prior to deployment or expected to be
   created during the deployment. However, only DNS zone for
   the primary domain will be created by IPA installer. (Reverse zones
   are a different story but it is not relevant here).

 - There is a direct relationship between primary domain (specified with
   --domain), Kerberos realm (--realm), and LDAP base DN. Primary IPA
   domain must always be equal to IPA Kerberos realm. DNS zone for the
   primary domain must be owned by IPA deployment in a sense that no
   other Kerberos realm would be using it and DNS records for IPA
   Kerberos realm should be present in it.

 - if you want to deploy IPA clients outside of the primary IPA DNS
   domain, it is enough to specify --domain <primary IPA domain> to
   allow autodiscovery, regardless of the DNS domain used. Man page for
   ipa-client-install has a lot of details about that.

 - if you want to deploy IPA replicas outside of the primary IPA DNS
   domain, make sure to use proper --domain for the primary domain, not
   your DNS domain of the replica.

Most of these details are already described at
https://www.freeipa.org/page/Deployment_Recommendations


      - --http-pin=XXX
      - --dirsrv-pin=XXX
      - --setup-dns
#      - --no-host-dns
# Both passwords will be taken from env PASSWORD:
#      - --ds-password=SOMEThinK
#      - --admin-password=SOMEThinK
#NTP - not needed, this is the server which time is taken from /etc/localtime see volumes
#This server has also a chrony-daemon running here to sync time
      - --no-ntp
#      - --ntp-server=172.0.0.11
      - --auto-forwarders
#      - --forwarder=192.168.178.1
#Error: Unable to determine the amount of available RAM
      - --skip-mem-check

...

where ipa-server-install is called with arguments of "command:"

The DNS is set up right:

DNS Resource Records: clients.ipa.example.com.
...

The service is setup to be on hostname: Service:
DNS/[email protected]

But for LDAP I cannot see resources, only the service in freeipa:
Service: ldap/[email protected]

Using a browser (jxplorer) to access LDAP, connecting to
cn=etc,dc=clients,dc=ipa,dc=example,dc=com I can see a "changelog"
directly after connecting

cn      changelog
objectClass     nsContainer
objectClass     top

changeNumber    45
changeTime      20240911092231Z
changeType      modify
objectClass     changelogentry
objectClass     extensibleObject
objectClass     top
targetDn        idnsname=clients.ipa.example.com.,cn=dns,dc=example,dc=com
changes         (non string data)
targetuniqueid  64af5c10xxx

Don't know what that means, but it seems like it redirects to
cn=etc,dc=example,dc=com, as the directory list is showing
dc=example,dc=com only.

In cmd ldapsearch I still cannot query
cn=etc,dc=clients,dc=ipa,dc=example,dc=com...

Is that a feature of LDAP/389ds? Maybe leading ipa-server-install to
use dc=example,dc=com and setting up "change top", but SSSD/ldapsearch
cannot use it? Or is it a bug in ipa-server-setup?

Is there a way to change basedn for ldap after installation?

--

Kind regards
Daniel Pätzold

Consultant
M+49 151 51705386
[email protected]

Penta Energy GmbH, Wildganssteig 32a, 13503 Berlin
HRB No. 228730 B | Managing Director: Dr. Stefan Reuter

On 11.09.24 at 13:57, Florence Blanc-Renaud wrote:
Hi,

On Wed, Sep 11, 2024 at 1:45 PM Daniel Paetzold via FreeIPA-users
<[email protected]> wrote:

   I have set up FreeIPA to use a domain like clients.ipa.example.com

   When starting SSSD now, it tries to find the
   ipaDomainResolutionOrder in
   
[(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=clients,dc=ipa,dc=example,dc=com]
   at this DN, my LDAP instance has no information (no result).

   So SSSD is refusing to work with:
   [sdap_get_generic_ext_step] (0x0400): [RID#1] calling
   ldap_search_ext with
   
[(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=clients,dc=ipa,dc=example,dc=com].
   [sdap_get_generic_ext_step] (0x1000): [RID#1] Requesting attrs:
   [ipaDomainResolutionOrder]
   [ipa_domain_resolution_order_done] (0x0040): [RID#1] Failed to get
   the domains' resolution order configuration from the server [22]:
   Wrong Argument

   I can successfully query the LDAP tree at
   [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=penta-energy,dc=de]
   at the server

   neither
   cn=etc,dc=ipa,dc=penta-energy,dc=de
   nor
   cn=etc,dc=clients,dc=ipa,dc=example,dc=com
   is working.

   I set up freeipa-install with domain=clients.ipa.example.com

   what have i done wrong?
   Should LDAP deliver dc=clients,dc=ipa,dc=example,dc=com or is
   cn=etc,dc=penta-energy,dc=de right and SSSD is doing it wrong?


If the server was installed with *ipa-server-install --domain
clients.ipa.example.com*, then the LDAP server will create the entries
below dc=clients,dc=ipa,dc=example,dc=com.

How exactly did you setup the server? Any idea how the tree below
cn=etc,dc=penta-energy,dc=de was created?
flo


   Regard, Daniel
   --
   _______________________________________________
   FreeIPA-users mailing list -- [email protected]
   To unsubscribe send an email to
   [email protected]
   Fedora Code of Conduct:
   https://docs.fedoraproject.org/en-US/project/code-of-conduct/
   List Guidelines:
   https://fedoraproject.org/wiki/Mailing_list_guidelines
   List Archives:
   
https://lists.fedorahosted.org/archives/list/[email protected]
   Do not reply to spam, report it:
   https://pagure.io/fedora-infrastructure/new_issue





--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
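The relationship between hostname, --domain, --realm and LDAP base DN that Alexander lays out above, as an added example that is not part of this thread nor of FreeIPA's installer: the function names and the report format are mine, the rules come from the reply, and it flags both problems in the docker-compose values quoted at the top.

```python
# Added example, not FreeIPA code. It encodes two rules from the reply above:
#  1. the primary domain (--domain) must equal the Kerberos realm (--realm),
#  2. the server hostname must not itself be a DNS zone that contains the
#     primary domain (ipa.example.com above clients.ipa.example.com),
# and derives the base DN the way the reply says the installer does.
from typing import Optional


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop any trailing dot."""
    return name.strip().lower().rstrip(".")


def base_dn_for(domain: str) -> str:
    """clients.ipa.example.com -> dc=clients,dc=ipa,dc=example,dc=com"""
    return ",".join(f"dc={label}" for label in normalize(domain).split("."))


def check_ipa_naming(hostname: str, domain: Optional[str] = None,
                     realm: Optional[str] = None) -> list:
    """Return a list of problems for a hostname/--domain/--realm combination.

    Defaults follow the reply: with no --domain the installer takes the
    hostname minus its first label, with no --realm the upper-cased domain.
    An empty list means the combination is consistent.
    """
    host = normalize(hostname)
    if "." not in host:
        return [f"hostname {host!r} is not fully qualified"]
    dom = normalize(domain) if domain else host.split(".", 1)[1]
    rlm = realm.strip().upper() if realm else dom.upper()
    problems = []
    if rlm.lower() != dom:
        problems.append(
            f"realm {rlm} must equal the primary domain {dom}: base DN would be "
            f"{base_dn_for(dom)} while the rest of IPA expects {base_dn_for(rlm)}")
    if host == dom or dom.endswith("." + host):
        problems.append(
            f"hostname {host} is a DNS zone containing the primary domain {dom}; "
            f"use a host inside the domain instead")
    return problems


if __name__ == "__main__":
    # The values from the docker-compose.yml quoted at the top of the thread.
    for p in check_ipa_naming("ipa.example.com", "clients.ipa.example.com", "EXAMPLE.COM"):
        print("problem:", p)
```

A replica named inside clients.ipa.example.com with --domain example.com passes, which matches the reply's advice to give replicas the primary domain rather than their own DNS domain.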
