[Freeipa-users] Possible to extract password of ldap
Hi,

Is it possible for an admin to read the clear text of IPA users' passwords? I'm facing the issue of a half rollout, as half of the users have already changed their password. If I deploy and reset all passwords, it may cause issues for this half, and we don't have records of which users were sent a password.

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] RHEL 7 Upgrade experience so far
On 07/30/2014 02:31 PM, Ade Lee wrote:
> On Tue, 2014-07-29 at 17:49 -0700, Erinn Looney-Triggs wrote:
>> Ok, well I tried deleting it using certutil; it deletes both. I tried using keytool to see if it would work any better, no dice there. I'll try the rename, but at this point I am not holding my breath on that; it seems all operations are a bit too coarse. It seems the assumption was being made that there would only be one of each nickname, which frankly makes me wonder how any of this kept running after the renewal. For now I'll see what I can do on a copy of the db using python.
>>>
>>> It is a little strange that there are multiple 'caSigningCert cert-pki-ca' as this is the CA itself. It should be good for 20 years and isn't something that the current renewal code handles yet.
>>>
>>> You probably won't have much luck with python-nss. It can handle reading PKCS#12 files but I don't believe it can write them (access to key material).
>>>
>>> I'm not sure why certutil didn't do the trick. This should work, if you want to give it another try. I'm assuming that /root/cacert.p12 has the latest exported certs, adjust as necessary:
>>>
>>> # certutil -N -d /tmp/test
>>> # pk12util -i /root/cacert.p12 -d /tmp/test
>>> # certutil -D -d /tmp/test -n ''
>>>
>>> certutil should delete the oldest cert first, it always has for me.
>>>
>>> rob
>>>
>>
>> Ok folks, I managed to clean up the certificate DB so there is only one valid certificate for each service. Installation continued past that step and then failed shortly thereafter on configuring the CA. So here is my new error:
>>
>> pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2
>> pkispawn: DEBUG... Error Type: HTTPError
>> pkispawn: DEBUG... Error Message: 500 Server Error: Internal Server Error
>> pkispawn: DEBUG...
>>   File "/usr/sbin/pkispawn", line 374, in main
>>     rv = instance.spawn()
>>   File "/usr/lib/python2.7/site-packages/pki/deployment/configuration.py", line 128, in spawn
>>     json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
>>   File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py", line 2998, in configure_pki_data
>>     response = client.configure(data)
>>   File "/usr/lib/python2.7/site-packages/pki/system.py", line 80, in configure
>>     r = self.connection.post('/rest/installer/configure', data, headers)
>>   File "/usr/lib/python2.7/site-packages/pki/client.py", line 64, in post
>>     r.raise_for_status()
>>   File "/usr/lib/python2.7/site-packages/requests/models.py", line 638, in raise_for_status
>>     raise http_error
>>
>> 2014-07-30T00:27:48Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -vv -s CA -f /tmp/tmpqX9SGx' returned non-zero exit status 1
>> 2014-07-30T00:27:48Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 638, in run_script
>>     return_value = main_function()
>>
>>   File "/usr/sbin/ipa-replica-install", line 667, in main
>>     CA = cainstance.install_replica_ca(config)
>>
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1678, in install_replica_ca
>>     subject_base=config.subject_base)
>>
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 478, in configure_instance
>>     self.start_creation(runtime=210)
>>
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
>>     method()
>>
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 604, in __spawn_instance
>>     raise RuntimeError('Configuration of CA failed')
>>
>> 2014-07-30T00:27:48Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Configuration of CA failed
>>
>> And from the pki-tomcat/ca debug log:
>>
>> isSDHostDomainMaster(): Getting domain.xml from CA...
>> [30/Jul/2014:00:27:48][http-bio-8443-exec-3]: getDomainXML start
>> [30/Jul/2014:00:27:48][http-bio-8443-exec-3]: getDomainXML: status=0
>> [30/Jul/2014:00:27:48][http-bio-8443-exec-3]: getDomainXML: domainInfo=> standalone="no"?>IPAipa.example.com44344344344380FALSEpki-cadTRUE10
>>
>> [30/Jul/2014:00:27:48][http-bio-8443-exec-3]: Cloning a domain master
>> [30/Jul/2014:00:27:48][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ipa.example.com port=443
>> [30/Jul/2014:00:27:48][http-bio-8443-exec-3]: updateSecurityDomain: failed to update security domain using admin port 443: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
>> [30/Jul/2014:00:27:48][http-bio-8443-exec-3]: updateSecurityDomain: now trying agent port with client auth
>> [30/Jul/20
[Freeipa-users] Users not inheriting groups
Hi List,

I am running into some odd issues with IPA and users not inheriting all groups they are a member of. I spent a lot of time nesting groups so that when we add a user, they get all of the groups they need with one group setting (a boon for automation). However, I am finding a small percentage of users who are in the proper groups in IPA, but the server does not pick up all the groups involved until I add those specific users to the group in question.

For clarity:
1) Most users inherit groups fine.
2) A small percentage (2-3% discovered so far) do not inherit one or more of the needed groups.
3) Workaround found by adding users directly to the group instead of nesting in the proper group (though less than ideal).

Versions

Client:
Linux 2.6.32-431.11.2.el6.x86_64 #1 SMP x86_64 GNU/Linux
ipa-client-3.0.0-37.el6.x86_64
libsss_sudo-1.9.2-129.el6_5.4.x86_64
libsss_idmap-1.9.2-129.el6_5.4.x86_64
libsss_autofs-1.9.2-129.el6_5.4.x86_64
sssd-client-1.9.2-129.el6_5.4.x86_64
sssd-1.9.2-129.el6_5.4.x86_64

Servers (both identical):
Linux 2.6.32-431.17.1.el6.x86_64 #1 SMP x86_64 GNU/Linux
ipa-server-3.0.0-37.el6.x86_64
sssd-client-1.9.2-129.el6_5.4.x86_64
libsss_autofs-1.9.2-129.el6_5.4.x86_64
libsss_idmap-1.9.2-129.el6_5.4.x86_64
sssd-1.9.2-129.el6_5.4.x86_64

Thanks,
Bill G.
CENIC www.cenic.org
[Freeipa-users] memberof plugin?
Hi,

I must be missing something obvious in getting the memberof plugin to work. Any ideas?

Thanks in advance...

~K

--
./fixup-memberof.pl -D 'cn=Directory Manager' -b 'dc=red,dc=lemon,dc=com' -w - -v
ldap_initialize( ldap://localhost:7389 )
add objectclass:
        top
        extensibleObject
add cn:
        memberOf_fixup_2014_7_26_22_33_31
add basedn:
        dc=red,dc=lemon,dc=com
adding new entry "cn=memberOf_fixup_2014_7_26_22_33_31, cn=memberOf task, cn=tasks, cn=config"
ldap_add: No such object (32)
--
Re: [Freeipa-users] PatternFly questions
Hi,

Sorry for the delay - paternity leave took me away from work rather abruptly.

Do you still want RFE's written up for these?

My brain might have been fried when I thought about this, but is there any mileage in creating an elasticsearch (or similar) database of the useful fields and using that for searching? If LDAP searches are the limiting factor, that is. Keeping the databases in sync might be an issue, but the elasticsearch database would be read-only for users and would allow a potentially richer method of searching.

Back at work on Monday, so I should be able to write up some RFE's then if they're still needed.

Cheers

D

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: 18 July 2014 16:09
To: Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] PatternFly questions

On 07/18/2014 09:23 AM, Martin Kosek wrote:
> On 07/18/2014 03:12 PM, Dmitri Pal wrote:
>> On 07/18/2014 08:17 AM, Innes, Duncan wrote:
>>> Hi Petr,
>>>
>>> On 18/07/2014 11:24, Petr Vobornik wrote:
>>>> Hello Duncan, thank you for the input. If you or somebody else have any Web UI ideas/RFEs, feel free to write them down. I would like to know what people don't like or would like to have.
>>>>
>>>> On 18.7.2014 10:21, Innes, Duncan wrote:
>>>>> Just poking around the new 4.0 demo page and very much liking what I see. This will make a big difference in use on large estates.
>>>>>
>>>>> A couple of PatternFly related questions though:
>>>>>
>>>>> 1. The tables don't sort by column if I click on a column header. Is this not available in PatternFly yet, or have FreeIPA decided against implementing it?
>>>>
>>>> First just a note about PatternFly. It's not really a widget library, it is (or should be) more of a set of patterns and styles. But the reference implementation is built on Bootstrap 3, so it is very easy to adopt.
>>>>
>>>> PatternFly doesn't have an official pattern for table sorting yet, but it has styles for DataTables (jQuery table plugin) which can do it. I don't remember any decision against it -> could be implemented if there is enough will and user demand.
>>>>
>>>> Sorting can be done on client side and on server side. Client side is limited to issue #2 - only 20 items, so it is not really helpful. And server side (IPA API) doesn't support specifying a sort attribute atm. You would like the server-side sorting, right?
>>>
>>> Hadn't considered there to be an option. When I looked at the PatternFly demos I hadn't thought about it, but given the speed that FreeIPA pulls data out for rendering, I suppose it would have to be. Even our modest estate (at a few hundred users and hosts) would slow down far too much if the full dataset was sent.
>>>
>>> The other possibilities thrown up by PatternFly are also interesting; add/remove columns, resize columns etc. I know some of these are still on the drawing board, but there are demo pages available already.
>>>
>>>>> 2. Browsing the screen on a large monitor still leaves the user page (at least) limited to around 22 rows. This leaves the bottom third of my browser empty. The table uses the full width of the browser, can it not use the full height too?
>>>>
>>>> I have an idea/plan to make it configurable - to specify the number of items and also to allow disabling of paging. The more rows, the slower the UI is. Also paging has its own issues which are not straightforward to solve:
>>>> - http://www.redhat.com/archives/freeipa-devel/2012-August/msg00295.html
>>>
>>> True. What's the biggest time factor in loading large tables?
>>>
>>> When admining estates with tens of thousands of entries, however, much emphasis needs to be placed on the table filters. No admin in their right mind is going to be performing actions on all entries simultaneously. Similar to Foreman's filters, could FreeIPA allow (example) in the hosts screen a filter of "hostgroup = groupX" to show only hosts belonging to that group? Or filtering users with "manager = 'Duncan Innes'"?
>> Please open RFEs. This is really valuable feedback.
> I think we are somewhat talking about this RFE:
>
> https://fedorahosted.org/freeipa/ticket/2388
>
> Maybe it is time to resurrect it from the Ticket Deferred milestone given it would bring big value for large user deployments.
>
> The API and the mighty LDAP search engine are already there:
>
> ipa user-add --first=Test --last=User manager
> ipa user-add --first=Test --last=User employee --manager manager
> ipa user-add --first=Test --last=User employee2 --manager manager
> ipa group-add testgroup --desc test
> ipa group-add-member testgroup --users employee2
>
> # ipa user-find --manager manager --pkey-only
> ---
> 2 users matched
Re: [Freeipa-users] FreeIPA + Chef
On Thu, Jul 31, 2014 at 11:55 AM, Ash Alam wrote:
> Hi
>
> I am currently deploying CentOS and FreeIPA and I am looking for some recommendation on chef cookbooks. I have googled around but haven't found anything that is current. I found a git repo from "Sean OMeara" but the last contribution was 3 years ago.
>
> If anyone can point me in the right direction I would be very grateful.
>
> Thank You

I've got a puppet module that I'm actively working on...

https://github.com/purpleidea/puppet-ipa

If you don't find a ready chef module, you can consider using puppet instead, or start porting it to chef. A lot of the code can be re-used, since my module contains a good amount of puppet.

HTH,
James
[Freeipa-users] FreeIPA + Chef
Hi

I am currently deploying CentOS and FreeIPA and I am looking for some recommendation on chef cookbooks. I have googled around but haven't found anything that is current. I found a git repo from "Sean OMeara" but the last contribution was 3 years ago.

If anyone can point me in the right direction I would be very grateful.

Thank You
Re: [Freeipa-users] Local users/groups to IPA Transition
On Thu, Jul 31, 2014 at 03:23:50PM +, Nordgren, Bryce L -FS wrote:
> > Well, the users are definitely going to be in IPA (or AD via IPA). However, they *will* exist in both IPA and locally during the migration period. If they have the same UID/GIDs in both places (local and IPA), then I will need to prefer IPA to 'files' in nsswitch.conf. The main reason I want to duplicate the local UID/GID's in IPA is to retain file permissions.
>
> The initial state and final state of your domain is identical to the initial and final states of each individual machine. The transition period is composed of some machines being migrated and some machines not migrated yet. Those which are not migrated yet have the users in /etc/passwd and have no knowledge of ipa. Those which are migrated should get users from ipa and the duplicate users purged out of /etc/passwd. Setting up a machine with ipa and forgetting to delete the users out of /etc/passwd is probably asking for trouble.

+1

Also please note that reversing the order of files and sss must be handled with extreme care. For instance, if someone was smart enough to name a user in IPA with the same name as some daemon user, then you'd effectively shadow the daemon account from the machine. Luckily sssd explicitly doesn't handle root, so even if you reversed the order of files and sss, the sss nsswitch module would just punt on any requests for root.

> This is a separate problem from keeping UIDs the same or not. If you've got NFS set up, you need to either simultaneously migrate all the machines which share files, or you need to keep UIDs/GIDs the same so you can migrate individual machines at your leisure. Separately, you need to trade off how much work it is to configure FreeIPA to just continue with your current scheme (set it up to allocate UIDs picking up where you left off) vs. "find and chown" files on all your machines as part of the migration process. If neither option sounds attractive to you, perhaps you may find it acceptable to have the pre-FreeIPA block of UIDs separate from the block of UIDs FreeIPA uses after it takes over.
>
> Bryce
>
> This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.
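A pre-migration check for the two hazards raised in this exchange (an IPA login that shadows a local daemon account once sss precedes files in nsswitch.conf, and a login or UID that differs between /etc/passwd and IPA, forcing a find-and-chown), written as an added example that is not part of the thread; the passwd lines, the IPA user list, the nsswitch.conf fragment and the 999 system-UID ceiling are constructed assumptions.

```python
"""Pre-migration check for moving local /etc/passwd users into FreeIPA.

Findings reported:
  * shadowed  - an IPA login equal to a local system/daemon account, which
                'sss' would hide from the host once it precedes 'files';
  * uid_drift - the same login with a different UID/GID locally and in IPA,
                so file ownership on every enrolled host needs find + chown;
  * uid_clash - an IPA user whose UID is already owned by a *different*
                local account, so that account's files would change owner.

All passwd lines, IPA users and the 999 system-UID ceiling are constructed
sample data / assumptions, not values taken from the mailing-list thread.
"""
from dataclasses import dataclass

SYSTEM_UID_MAX = 999  # assumption: UIDs <= 999 are daemon/system accounts (EL6 default)


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int


def parse_passwd(text):
    """Parse /etc/passwd-style text into {login: Account}; skip blanks and comments."""
    accounts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {raw!r}")
        name, _pw, uid, gid = fields[:4]
        accounts[name] = Account(name, int(uid), int(gid))
    return accounts


def passwd_sources(nsswitch_text):
    """Return the ordered source list of the 'passwd:' line of an nsswitch.conf."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("passwd:"):
            return line.split(":", 1)[1].split()
    return []


def sss_shadows_files(sources):
    """True when sss is consulted before files, i.e. IPA entries win name lookups."""
    return ("sss" in sources and "files" in sources
            and sources.index("sss") < sources.index("files"))


def check_migration(local, ipa):
    """Compare local accounts with IPA accounts and return the three finding lists."""
    findings = {"shadowed": [], "uid_drift": [], "uid_clash": []}
    local_by_uid = {a.uid: a for a in local.values()}
    for name, ipa_acct in sorted(ipa.items()):
        if name == "root":
            continue  # sssd never answers for root, so it cannot be shadowed
        loc = local.get(name)
        if loc is not None:
            if loc.uid <= SYSTEM_UID_MAX:
                findings["shadowed"].append(name)
            elif (loc.uid, loc.gid) != (ipa_acct.uid, ipa_acct.gid):
                findings["uid_drift"].append(
                    (name, (loc.uid, loc.gid), (ipa_acct.uid, ipa_acct.gid)))
            # same login, same UID/GID: the intended end state, nothing to report
        else:
            other = local_by_uid.get(ipa_acct.uid)
            if other is not None:
                findings["uid_clash"].append((name, ipa_acct.uid, other.name))
    return findings


# --- constructed sample data -------------------------------------------------
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
"""

IPA_USERS = {  # what the IPA directory would hold after the import (constructed)
    "postfix": Account("postfix", 1899000010, 1899000010),  # collides with the daemon
    "alice": Account("alice", 1001, 1001),                   # local UID kept: fine
    "bob": Account("bob", 1899000011, 1899000011),           # IPA-assigned UID: chown needed
    "dave": Account("dave", 1003, 1003),                     # reuses carol's local UID
}

NSSWITCH_REVERSED = "passwd:     sss files\ngroup:      sss files\n"  # constructed

if __name__ == "__main__":
    results = check_migration(parse_passwd(LOCAL_PASSWD), IPA_USERS)
    if sss_shadows_files(passwd_sources(NSSWITCH_REVERSED)):
        print("nsswitch puts sss before files; shadowed logins:", results["shadowed"])
    for kind in ("uid_drift", "uid_clash"):
        for item in results[kind]:
            print(f"{kind}: {item}")
```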
Re: [Freeipa-users] Local users/groups to IPA Transition
> Well, the users are definitely going to be in IPA (or AD via IPA). However, they *will* exist in both IPA and locally during the migration period. If they have the same UID/GIDs in both places (local and IPA), then I will need to prefer IPA to 'files' in nsswitch.conf. The main reason I want to duplicate the local UID/GID's in IPA is to retain file permissions.

The initial state and final state of your domain is identical to the initial and final states of each individual machine. The transition period is composed of some machines being migrated and some machines not migrated yet. Those which are not migrated yet have the users in /etc/passwd and have no knowledge of ipa. Those which are migrated should get users from ipa and the duplicate users purged out of /etc/passwd. Setting up a machine with ipa and forgetting to delete the users out of /etc/passwd is probably asking for trouble.

This is a separate problem from keeping UIDs the same or not. If you've got NFS set up, you need to either simultaneously migrate all the machines which share files, or you need to keep UIDs/GIDs the same so you can migrate individual machines at your leisure. Separately, you need to trade off how much work it is to configure FreeIPA to just continue with your current scheme (set it up to allocate UIDs picking up where you left off) vs. "find and chown" files on all your machines as part of the migration process. If neither option sounds attractive to you, perhaps you may find it acceptable to have the pre-FreeIPA block of UIDs separate from the block of UIDs FreeIPA uses after it takes over.

Bryce
Re: [Freeipa-users] Local users/groups to IPA Transition
> I wouldn't recommend duplicating your users, pick one and use that. If you want to be able to manage your users, groups, HBAC, sudo, etc. centrally then you'll want the users in IPA. But if you leave them locally you may end up with corner case problems.
>
> If you *do* end up adding your local users to IPA then yeah, you've got a decision to make. Either you use the existing UID/GID, which is probably fine (though you may want to look at adding a local range), or you let IPA assign a new UID from its own range, and then you have to quickly change file ownership on all enrolled systems.

Well, the users are definitely going to be in IPA (or AD via IPA). However, they *will* exist in both IPA and locally during the migration period. If they have the same UID/GIDs in both places (local and IPA), then I will need to prefer IPA to 'files' in nsswitch.conf. The main reason I want to duplicate the local UID/GID's in IPA is to retain file permissions.

Josh
Re: [Freeipa-users] Local users/groups to IPA Transition
Baird, Josh wrote:
>> So if I understand this right, you're planning on two back to back user migrations? First is local->FreeIPA, then eventually FreeIPA->AD? Are your current "local" users coincidentally the same as your current AD users?
>
> Well - I will likely try to skip the Local -> FreeIPA and just go directly to FreeIPA -> AD. My main question though still remains - do I force the same local UID/GIDs to the IPA/AD users? I'm just looking for advice on local user to IPA migration strategies.

I wouldn't recommend duplicating your users, pick one and use that. If you want to be able to manage your users, groups, HBAC, sudo, etc. centrally then you'll want the users in IPA. But if you leave them locally you may end up with corner case problems.

If you *do* end up adding your local users to IPA then yeah, you've got a decision to make. Either you use the existing UID/GID, which is probably fine (though you may want to look at adding a local range), or you let IPA assign a new UID from its own range, and then you have to quickly change file ownership on all enrolled systems.

rob
Re: [Freeipa-users] Local users/groups to IPA Transition
> So if I understand this right, you're planning on two back to back user migrations? First is local->FreeIPA, then eventually FreeIPA->AD? Are your current "local" users coincidentally the same as your current AD users?

Well - I will likely try to skip the Local -> FreeIPA and just go directly to FreeIPA -> AD. My main question though still remains - do I force the same local UID/GIDs to the IPA/AD users? I'm just looking for advice on local user to IPA migration strategies.

Josh
Re: [Freeipa-users] FreeIPA + Ipsilon
On Thu, 2014-07-31 at 09:53 +0200, Luca Tartarini wrote:
> Hi,
>
> Thanks for the reply, unfortunately I can not find the package on Scientific Linux, is there a workaround?

I saw from the lasso mailing list that you built the lasso package yourself; make sure you built the python bindings, they are part of the same source tree.

Attached find a .spec file you can use to build lasso on EL6 platforms, until it becomes available "officially". This will build and install the python binding correctly.

Simo.

> Thanks.
>
> Luca Tartarini
>
> 2014-07-30 15:00 GMT+02:00 Simo Sorce :
>
> > On Tue, 2014-07-29 at 15:58 +0200, Martin Kosek wrote:
> > > On 07/29/2014 03:47 PM, Luca Tartarini wrote:
> > > > Hi everyone,
> > > >
> > > > I am new in FreeIPA, I am trying to configure FreeIPA with Ipsilon. The configuration is the following: Service Provider (host with Scientific Linux 6) with ipsilon-client and Identity Provider (another host with Scientific Linux 6) with FreeIPA and ipsilon-server, is the configuration feasible and/or correct?
> > > > If it is, then I am stuck in the installation of ipsilon-client because after I installed lasso-2.3.6 and all the ipsilon-client prerequisites, when I finally run:
> > > >
> > > > ipsilon-client-install --saml-idp-metadata https://myidp.example.org/idp/saml2/metadata --saml-auth /wiki
> > > >
> > > > I get this error about lasso:
> > > >
> > > > Traceback (most recent call last):
> > > >   File "/usr/bin/ipsilon-client-install", line 20, in <module>
> > > >     from ipsilon.tools.saml2metadata import Metadata
> > > >   File "/usr/lib/python2.6/site-packages/ipsilon/tools/saml2metadata.py", line 22, in <module>
> > > >     import lasso
> > > >   File "/usr/lib/python2.6/site-packages/lasso.py", line 3, in <module>
> > > >     import _lasso
> > > > ImportError: No module named _lasso
> > > >
> > > > Does anyone know if it's a problem about lasso's configuration or I forgot something about ipsilon-client?
> > > >
> > > > Thanks in advance.
> > > >
> > > > Luca Tartarini
> > >
> > > Not sure, _lasso.so should be provided by the lasso-python package:
> > >
> > > # rpm -qf /usr/lib64/python2.6/site-packages/_lasso.so
> > > lasso-python-2.4.0-4.el6.x86_64
> > >
> > > CCing Simo to advise.
> >
> > Sounds like lasso-python is missing indeed.
> >
> > Simo.

%global with_java 0
%global with_php 0
%global with_perl 0
%global with_python 1
%global with_wsf 0

%if %{with_php}
%{!?__pecl: %{expand: %%global __pecl %{_bindir}/pecl}}
%endif

Summary: Liberty Alliance Single Sign On
Name: lasso
Version: 2.4.0
Release: 1%{?dist}
License: GPLv2+
Group: System Environment/Libraries
Source: http://dev.entrouvert.org/lasso/lasso-%{version}.tar.gz
%if %{with_wsf}
BuildRequires: cyrus-sasl-devel
%endif
BuildRequires: gtk-doc, libtool-ltdl-devel
BuildRequires: glib2-devel, swig
BuildRequires: libxml2-devel, xmlsec1-devel, openssl-devel, xmlsec1-openssl-devel
Url: http://lasso.entrouvert.org/

%description
Lasso is a library that implements the Liberty Alliance Single Sign On
standards, including the SAML and SAML2 specifications. It allows to handle
the whole life-cycle of SAML based Federations, and provides bindings for
multiple languages.

%package devel
Summary: Lasso development headers and documentation
Group: Development/Libraries
Requires: %{name}%{?_isa} = %{version}-%{release}

%description devel
This package contains the header files, static libraries and development
documentation for Lasso.

%if %{with_perl}
%package perl
Summary: Liberty Alliance Single Sign On (lasso) Perl bindings
Group: Development/Libraries
BuildRequires: perl(ExtUtils::MakeMaker)
BuildRequires: perl(Test::More)
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
Requires: %{name}%{?_isa} = %{version}-%{release}

%description perl
Perl language bindings for the lasso (Liberty Alliance Single Sign On)
library.
%endif

%if %{with_java}
%package java
Summary: Liberty Alliance Single Sign On (lasso) Java bindings
Group: Development/Libraries
BuildRequires: java-devel
BuildRequires: jpackage-utils
Requires: java-headless
Requires: jpackage-utils
Requires: %{name}%{?_isa} = %{version}-%{release}

%description java
Java language bindings for the lasso (Liberty Alliance Single Sign On)
library.
%endif

%if %{with_php}
%package php
Summary: Liberty Alliance Single Sign On (lasso) PHP bindings
Group: Development/Libraries
BuildRequires: php-devel, expat-devel
BuildRequires: python2
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires(post): %{__pecl}
Requires(postun): %{__pecl}
Requires: php(zend-abi) = %{php_zend_api}
Requires: php(api) = %{php_core_api}

%description php
PHP language bindings for the lasso (Liberty Alliance Single Sign On)
library.
%endif

%if %{with_python}
%package python
Summary: Liberty Alliance Single Sign On (lasso) Python bindings
Group: Development/Libraries
BuildRequires: p
Re: [Freeipa-users] Replica Cert failed to renew ...
(Adding back the users list as this may be interesting for everyone)

Ok, the steps suggested below should help. If the DS does not want to start
at all because of the expired certificate, you can also edit
/etc/dirsrv/slapd-YOUR-REALM/dse.ldif and edit it manually (only when dirsrv
service is stopped).

Martin

On 07/31/2014 09:53 AM, Matt Bryant wrote:
> Martin,
>
> Correct in that the replica does not have a CA and the version being run is
>
> $ rpm -qa ipa-server
> ipa-server-3.0.0-25.el6.x86_64
>
> restarted the services and get
>
> Starting dirsrv:
> SERVER-IPA...[31/Jul/2014:18:00:15 +1000] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of
> family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 -
> Peer's Certificate has expired.)
>
> so I think it is just dealing with an expired cert ... so will try the other
> steps suggested ..
>
> rgds
>
> Matt Bryant
>
> On 31/07/14 17:33, Martin Kosek wrote:
>> On 07/31/2014 07:49 AM, Matt Bryant wrote:
>>> All,
>>>
>>> Got an issue with an IPA replica in that the certs in /etc/httpd/alias &
>>> /etc/dirsrv/slapd-IPA-REALM have expired.
>> I assume that this replica does not have a CA and we are only dealing with
>> service HTTPD and DIRSRV service certificates.
>>
>>> Have tried setting date back before expiry on the replica and doing an
>>> 'ipa-getcert resubmit -i ' but that hasn't worked; it looks like the CA
>>> master is actually rejecting it since I haven't set the date back on that
>>> server.
>>>
>>> Error am getting on replica is ...
>>>
>>> Request ID '20120719044839':
>>> status: CA_UNREACHABLE
>>> ca-error: Server failed request, will retry: -504 (libcurl failed to
>>> execute the HTTP POST transaction. Peer certificate cannot be authenticated
>>> with known CA certificates).
>> Isn't this rather a problem that the replica does not trust the master server
>> HTTPD certificate because its certificates are not valid from replica POV?
>>
>>> is there any way of forcing a renewal or manual process for updating these
>>> certs .. ???
>> If this is just a replica without PKI, I would suggest synchronizing the time
>> back with the master CA server and restarting all the services.
>>
>> If the HTTPD service does not want to start, follow chapter "25.2.2. Starting
>> IdM with Expired Certificates" in
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cas.html
>>
>> and then try to resubmit the certificates so that they can be renewed on the
>> master. Do not forget to revert the above configuration changes when you are
>> done.
>>
>> Also, what version of FreeIPA are you running?
>>
>> HTH,
>> Martin
>
Re: [Freeipa-users] FreeIPA + Ipsilon
Without this package for your platform, you cannot move further. So you would
either need to switch to some platform that has this package available (RHEL,
CentOS, Fedora) or take the source bits and build it for your platform
yourselves. Maybe you would get lucky with rebuilding the source RPM from
Fedora 20 (http://koji.fedoraproject.org/koji/buildinfo?buildID=489924), but
there might be some build dependencies that are not available on Scientific
Linux...

HTH,
Martin

On 07/31/2014 09:53 AM, Luca Tartarini wrote:
> Hi,
>
> Thanks for the reply, unfortunately I can not find the package on
> Scientific Linux, is there a workaround?
>
> Thanks.
>
> Luca Tartarini
>
>
> 2014-07-30 15:00 GMT+02:00 Simo Sorce :
>
>> On Tue, 2014-07-29 at 15:58 +0200, Martin Kosek wrote:
>>> On 07/29/2014 03:47 PM, Luca Tartarini wrote:
>>>> Hi everyone,
>>>>
>>>> I am new in FreeIPA, I am trying to configure FreeIPA with Ipsilon. The
>>>> configuration is the following: Service Provider (host with Scientific
>>>> Linux 6) with ipsilon-client and Identity Provider (another host with
>>>> Scientific Linux 6) with FreeIPA and ipsilon-server, is the configuration
>>>> feasible and/or correct?
>>>> If it is, then I am stuck in the installation of ipsilon-client because
>>>> after I installed lasso-2.3.6 and all the ipsilon-client prerequisites,
>>>> when I finally run:
>>>>
>>>> ipsilon-client-install --saml-idp-metadata
>>>> https://myidp.example.org/idp/saml2/metadata --saml-auth /wiki
>>>>
>>>> I get this error about lasso:
>>>>
>>>> Traceback (most recent call last):
>>>> File "/usr/bin/ipsilon-client-install", line 20, in
>>>> from ipsilon.tools.saml2metadata import Metadata
>>>> File "/usr/lib/python2.6/site-packages/ipsilon/tools/saml2metadata.py",
>>>> line 22, in
>>>> import lasso
>>>> File "/usr/lib/python2.6/site-packages/lasso.py", line 3, in
>>>> import _lasso
>>>> ImportError: No module named _lasso
>>>>
>>>> Does anyone know if it's a problem about lasso's configuration or I
>>>> forgot something about ipsilon-client?
>>>>
>>>> Thanks in advance.
>>>>
>>>> Luca Tartarini
>>>
>>> Not sure, _lasso.so should be provided by lasso-python package:
>>>
>>> # rpm -qf /usr/lib64/python2.6/site-packages/_lasso.so
>>> lasso-python-2.4.0-4.el6.x86_64
>>>
>>> CCing Simo to advise.
>>
>> Sounds like lasso-python is missing indeed.
>>
>> Simo.
Re: [Freeipa-users] FreeIPA + Ipsilon
Hi,

Thanks for the reply, unfortunately I can not find the package on
Scientific Linux, is there a workaround?

Thanks.

Luca Tartarini


2014-07-30 15:00 GMT+02:00 Simo Sorce :

> On Tue, 2014-07-29 at 15:58 +0200, Martin Kosek wrote:
> > On 07/29/2014 03:47 PM, Luca Tartarini wrote:
> > > Hi everyone,
> > >
> > > I am new in FreeIPA, I am trying to configure FreeIPA with Ipsilon. The
> > > configuration is the following: Service Provider (host with Scientific
> > > Linux 6) with ipsilon-client and Identity Provider (another host with
> > > Scientific Linux 6) with FreeIPA and ipsilon-server, is the configuration
> > > feasible and/or correct?
> > > If it is, then I am stuck in the installation of ipsilon-client because
> > > after I installed lasso-2.3.6 and all the ipsilon-client prerequisites,
> > > when I finally run:
> > >
> > > ipsilon-client-install --saml-idp-metadata
> > > https://myidp.example.org/idp/saml2/metadata --saml-auth /wiki
> > >
> > > I get this error about lasso:
> > >
> > > Traceback (most recent call last):
> > > File "/usr/bin/ipsilon-client-install", line 20, in
> > > from ipsilon.tools.saml2metadata import Metadata
> > > File "/usr/lib/python2.6/site-packages/ipsilon/tools/saml2metadata.py",
> > > line 22, in
> > > import lasso
> > > File "/usr/lib/python2.6/site-packages/lasso.py", line 3, in
> > > import _lasso
> > > ImportError: No module named _lasso
> > >
> > > Does anyone know if it's a problem about lasso's configuration or I
> > > forgot something about ipsilon-client?
> > >
> > > Thanks in advance.
> > >
> > > Luca Tartarini
> >
> > Not sure, _lasso.so should be provided by lasso-python package:
> >
> > # rpm -qf /usr/lib64/python2.6/site-packages/_lasso.so
> > lasso-python-2.4.0-4.el6.x86_64
> >
> > CCing Simo to advise.
>
> Sounds like lasso-python is missing indeed.
>
> Simo.
Re: [Freeipa-users] Replica Cert failed to renew ...
On 07/31/2014 07:49 AM, Matt Bryant wrote:
> All,
>
> Got an issue with an IPA replica in that the certs in /etc/httpd/alias &
> /etc/dirsrv/slapd-IPA-REALM have expired.

I assume that this replica does not have a CA and we are only dealing with
service HTTPD and DIRSRV service certificates.

> Have tried setting date back before expiry on the replica and doing an
> 'ipa-getcert resubmit -i ' but that hasn't worked; it looks like the CA
> master is actually rejecting it since I haven't set the date back on that
> server.
>
> Error am getting on replica is ...
>
> Request ID '20120719044839':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: -504 (libcurl failed to
> execute the HTTP POST transaction. Peer certificate cannot be authenticated
> with known CA certificates).

Isn't this rather a problem that the replica does not trust the master server
HTTPD certificate because its certificates are not valid from replica POV?

> is there any way of forcing a renewal or manual process for updating these
> certs .. ???

If this is just a replica without PKI, I would suggest synchronizing the time
back with the master CA server and restarting all the services.

If the HTTPD service does not want to start, follow chapter "25.2.2. Starting
IdM with Expired Certificates" in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cas.html

and then try to resubmit the certificates so that they can be renewed on the
master. Do not forget to revert the above configuration changes when you are
done.

Also, what version of FreeIPA are you running?

HTH,
Martin
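The renewal procedure laid out in both of Martin's replies in this "Replica Cert failed to renew" thread (set the replica clock back to a time when its service certificates were still valid, restart the services, run 'ipa-getcert resubmit -i <request-id>' for each one, then revert; or, if dirsrv will not start at all, edit dse.ldif by hand with the service stopped) has two things worth working out before touching the clock: which certmonger requests are actually affected, and how far back the clock can safely go. The script below is an added example written for this thread; it is not part of FreeIPA or certmonger. It parses the text that 'getcert list' prints (the Request ID / status / ca-error / expires lines as shown in Matt's error output), reports requests that are expired or not in MONITORING, picks a rollback time one day before the earliest expiry, and prints the resubmit commands. The optional master_not_before argument is the notBefore of the CA master's current HTTPD certificate (read it on the master with certutil -L -d /etc/httpd/alias -n Server-Cert); if the rollback target is earlier than that, the replica would reject the master's certificate exactly as in the -504 "Peer certificate cannot be authenticated" error above, and the script says so instead of proposing a time. The filename triage_certs.py, the one-day margin, the sample request IDs, realm and hostname are all assumptions.

```python
#!/usr/bin/env python3
"""Triage certmonger tracking requests on an IPA replica whose service
certificates have expired.  Example code written for this thread, not
part of FreeIPA or certmonger.  Parses the text `getcert list` prints
(Request ID / status / ca-error / expires lines, as on the RHEL 6 era
certmonger in the thread) and reports which requests need attention,
the time to set the replica clock back to before resubmitting, and the
resubmit commands.  Usage: getcert list | python3 triage_certs.py
(with nothing on stdin it runs against the constructed SAMPLE below).
"""
import re
import sys
from datetime import datetime, timedelta, timezone

EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"   # certmonger's 'expires:' format
REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s+([\w -]+?): ?(.*)$")

# Constructed sample (IDs, realm and hostname are invented): the expired
# dirsrv certificate from the thread plus a healthy httpd one.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20120719044839':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-REALM',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2014-07-19 04:48:39 UTC
\tpost-save command: /usr/lib64/ipa/certmonger/restart_dirsrv IPA-REALM
\ttrack: yes
\tauto-renew: yes
Request ID '20120719044840':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2016-07-19 04:48:39 UTC
\tpost-save command: /usr/lib64/ipa/certmonger/restart_httpd
\ttrack: yes
\tauto-renew: yes
"""


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracking request."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None:
            m = FIELD_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return requests


def affected_requests(requests, now):
    """Requests expired at `now` (same format as 'expires') or not MONITORING."""
    now_dt = datetime.strptime(now, EXPIRES_FMT)
    out = []
    for r in requests:
        expired = "expires" in r and datetime.strptime(r["expires"], EXPIRES_FMT) <= now_dt
        if expired or r.get("status") != "MONITORING":
            out.append(r)
    return out


def rollback_time(affected, master_not_before=None, margin_days=1):
    """Clock time to set the replica to before `ipa-getcert resubmit`: before
    the earliest 'expires' of the affected requests, so the replica's own certs
    validate again, but not before notBefore of the CA master's current HTTPD
    cert if known; an earlier clock makes the replica reject the master's cert,
    the -504 "Peer certificate cannot be authenticated" error in the thread.
    Returns None when no such time exists (use the expired-cert startup procedure).
    """
    expiries = [datetime.strptime(r["expires"], EXPIRES_FMT)
                for r in affected if "expires" in r]
    if not expiries:
        return None
    target = min(expiries) - timedelta(days=margin_days)
    if master_not_before and target < datetime.strptime(master_not_before, EXPIRES_FMT):
        return None
    return target.strftime(EXPIRES_FMT)


def resubmit_commands(affected):
    """One resubmit per affected request, to run once the clock is back and services are up."""
    return ["ipa-getcert resubmit -i %s" % r["id"] for r in affected]


if __name__ == "__main__":
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    affected = affected_requests(parse_getcert_list(text or SAMPLE),
                                 datetime.now(timezone.utc).strftime(EXPIRES_FMT))
    for r in affected:
        print("request %s: status=%s expires=%s" % (r["id"], r.get("status"), r.get("expires")))
    print("set clock to:", rollback_time(affected) or "no safe time; use the expired-cert startup procedure")
    print("\n".join(resubmit_commands(affected)))
    if any("restart_dirsrv" in r.get("post-save command", "") for r in affected):
        # dirsrv may not start at all with an expired cert; Martin's fallback is
        # editing dse.ldif by hand with the service stopped, then reverting.
        print("if dirsrv refuses to start, stop it and edit dse.ldif by hand, then revert")
```

The script only reports; it does not move the clock or run the resubmits. Keep the rollback window short: while the replica clock is off, Kerberos between the replica and the master fails on clock skew, and the thread's own advice to revert every change afterwards applies to the clock as much as to the configuration edits.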
Re: [Freeipa-users] Troubleshooting a webui login error
On 07/30/2014 07:16 PM, Robert Walker wrote:
> Hi,
>
> I've got 2 IPA servers running in a relationship. One is ok as far as
> logging into the webui and the other will only let me kinit admin on the
> console of the server. When I try to login into the webui: "Your session has
> expired. Please re-login." and
>
> "Please re-enter your username or password. The password or username you
> entered is incorrect. Please try again (make sure your caps lock is off). If
> the problem persists, contact your administrator."
>
> The server still seems to authenticate users by remote LDAP requests ok.
>
> Any pointers much appreciated.
>
> Thanks

Hello,

Could you please check the advice in
http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI ?

I would suspect that ipa_memcached service is not running for some reason.

Martin