Re: [Freeipa-users] 389-ds memory usage
On Wed, June 6, 2012 00:54, JR Aquino wrote: > On Jun 5, 2012, at 3:42 PM, Sigbjorn Lie wrote: > > >> On 06/06/2012 12:26 AM, JR Aquino wrote: >> >>> On Jun 5, 2012, at 3:12 PM, Sigbjorn Lie wrote: >>> >>> On 06/05/2012 11:44 PM, JR Aquino wrote: > On Jun 5, 2012, at 1:54 PM, Sigbjorn Lie wrote: > > >> On 06/05/2012 10:42 PM, Steven Jones wrote: >> >>> Hi >>> >>> >>> This bug has pretty much destroyed my IPA deployment...I had a >>> pretty bad >>> memory leak had to reboot every 36 hours...made worse by trying later >>> 6.3? rpms didn't >>> fix the leak and it went split brain...2 months and no fix...boy >>> did that open >>> up a can of worms. >>> >>> :/ >>> >>> >>> In my case I can't see how it's churn as I have so few entries (<50) and >>> I'm adding no >>> more items at present...unless a part of ipa is "replicating and >>> diffing" in the >>> background to check consistency? >>> >>> I also have only one way replication now at most, master to replica >>> and no memory >>> leak shows in Munin at present. >>> >>> but I seem to be faced with a rebuild from scratch... >> Did you do the "max entry cache size" tuning? If you did, what did you >> set it to? >> >> >> Did you do any other tuning from the 389-ds tuning guide? >> >> >> >> >> Rgds, >> Siggi >> > When I had similar problems using Fedora (Not Redhat or CentOS) my > underlying issues > were: managed entries firing off any time an object was updated (every > time someone > successfully authenticates, kerberos updates the user object, which in > turn would touch > the mepmanaged entry for the user's private group) Similar things > happened when > hostgroups were modified... > > This was further complicated by inefficiencies in the way that slapi-nis > was processing > the compat pieces for the sudo rules and the netgroups (which are > automatically created > from every hostgroup) > > Thus, when memberof fired off, slapi-nis recomputed a great deal of its > chunk... 
> > > After getting those issues resolved, I tuned the max entry cache size. > But it took all > the fixes to finally resolve the memory creep problem. > > It is not at all clear to me whether or not the bug fixes for my problem > have made it up > into Redhat / CentOS though... The slapi-nis versions definitely don't > line up between > fedora and redhat/centos... > > Perhaps Nalin or Rich can speak to some of that. > > > The bug itself was easiest to replicate with _big_ changes like deleting > a group that had > a great number of members for example, but the symptoms were similar for > me > for day to day operation resulting in consumption that never freed. > > https://bugzilla.redhat.com/show_bug.cgi?id=771493 > > > Are either of you currently utilizing sudo? > > I read your bug report a while back, and made sure that slapi-nis was disabled. I have tuned my cache size to 256MB. I believe that should be OK as my cache hit ratio sits at 97-99% ? I understand you have a fairly large deployment, what cache size are you using? Are you using Fedora or Red Hat / CentOS as your production environment? I do not use sudo with IPA yet, I am planning for doing that later. Are there any issues I should be aware of with sudo integration? Rich/Nalin, Was there a bug in managed entries that's been fixed in the current 389-ds versions available in Red Hat / CentOS 6? Regards, Siggi >>> Ya it is true that I do have a large environment, but some of the hurdles >>> that I had to jump >>> appeared to be ones that weren't related so much to the number of hosts I >>> had, but rather >>> their amount of activity. I.e. automated single-sign on scripts, people >>> authenticating, >>> general binds taking place all over... >>> >>> I am using Fedora with FreeIPA 2.2 pending a migration to RHEL 6.3 and IPA >>> 2.2 >>> >>> >>> My measurements... 
;)
>>>
>>> dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>> objectClass: top
>>> objectClass: extensibleObject
>>> cn: monitor
>>> database: ldbm database
>>> readonly: 0
>>> entrycachehits: 904077
>>> entrycachetries: 923802
>>> entrycachehitratio: 97
>>> currententrycachesize: 79607895
>>> maxentrycachesize: 104857600
>>> currententrycachecount: 10301
>>> maxentrycachecount: -1
>>> dncachehits: 3
>>> dncachetries: 10302
>>> dncachehitratio: 0
>>> currentdncachesize: 1861653
>>> maxdncachesize: 10485760
>>> currentdncachecount: 10301
>>> maxdncachecount: -1
>>>
>> Ok, we have a fair amount of
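The cn=monitor entry quoted above is the raw material for the "max entry cache size" tuning the thread keeps coming back to. The script below is an added example (mine, not code from the thread, from 389-ds or from FreeIPA) that parses that entry and turns the counters into a verdict. The sample LDIF is a copy of the entry JR posted; the 95% hit-ratio floor and 90% fill ceiling are my assumptions, not 389-ds defaults; and the attribute I name as the one to raise when the cache is full and still missing, nsslapd-cachememsize on the backend entry, is the standard 389-ds entry-cache setting.

```python
"""Parse a 389-ds ldbm cn=monitor entry and judge the entry cache.
Added example; not code from the mailing-list thread or from 389-ds."""
from typing import Dict

# The entry JR posted (copied from the thread; the numbers are his, not measured here)
MONITOR_LDIF = """\
dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: monitor
database: ldbm database
readonly: 0
entrycachehits: 904077
entrycachetries: 923802
entrycachehitratio: 97
currententrycachesize: 79607895
maxentrycachesize: 104857600
currententrycachecount: 10301
maxentrycachecount: -1
dncachehits: 3
dncachetries: 10302
dncachehitratio: 0
currentdncachesize: 1861653
maxdncachesize: 10485760
currentdncachecount: 10301
maxdncachecount: -1
"""

# Thresholds are assumptions for illustration, not 389-ds defaults
HIT_FLOOR = 0.95      # below this the cache is missing too often
FILL_CEILING = 0.90   # above this the cache is effectively full


def parse_monitor(ldif: str) -> Dict[str, int]:
    """Integer attributes of one LDIF entry; dn, objectClass and other text values are skipped."""
    counters: Dict[str, int] = {}
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        value = value.strip()
        if sep and value.lstrip("-").isdigit():
            counters[name.strip().lower()] = int(value)
    return counters


def cache_report(c: Dict[str, int]) -> Dict[str, object]:
    """Lifetime hit ratio and fill level of the entry cache, plus a verdict."""
    tries = c.get("entrycachetries", 0)
    hit_ratio = c.get("entrycachehits", 0) / tries if tries else 0.0
    fill = c["currententrycachesize"] / c["maxentrycachesize"]
    if fill >= FILL_CEILING and hit_ratio < HIT_FLOOR:
        verdict = "grow"    # full and still missing: raise nsslapd-cachememsize on the backend
    elif fill >= FILL_CEILING:
        verdict = "watch"   # full but hitting; the next growth of the DIT starts evicting
    else:
        verdict = "ok"      # maxentrycachecount -1 means only the byte size bounds the cache
    return {
        "entry_hit_pct": int(hit_ratio * 100),
        "entry_fill_pct": int(fill * 100),
        "entries_cached": c.get("currententrycachecount", 0),
        "verdict": verdict,
    }


def interval_hit_ratio(before: Dict[str, int], after: Dict[str, int],
                       cache: str = "entrycache") -> float:
    """Hit ratio between two samples.  The cn=monitor counters are cumulative
    since the last restart, so the lifetime ratio includes the cold-start fill,
    where every first lookup is a miss (that is what the dncache numbers above
    show: 10302 tries, 3 hits, 10301 DNs now cached).  Differencing two samples
    taken a few minutes apart gives the steady-state figure."""
    hits = after[cache + "hits"] - before[cache + "hits"]
    tries = after[cache + "tries"] - before[cache + "tries"]
    return hits / tries if tries > 0 else 0.0


if __name__ == "__main__":
    counters = parse_monitor(MONITOR_LDIF)
    print(cache_report(counters))
    print("dncache lifetime ratio: %.3f" % (counters["dncachehits"] / counters["dncachetries"]))
```

On a live server the entry comes from `ldapsearch -x -D "cn=Directory Manager" -W -b "cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config"`; feed two such dumps a few minutes apart to `interval_hit_ratio` before deciding that a ratio like JR's 97% is or is not good enough.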
Re: [Freeipa-users] token/swipe pass deployments with IPA
On 05/06/12 23:50, Dmitri Pal wrote: > On 06/01/2012 03:14 AM, Dale Macartney wrote: > > >> >> >> On 31/05/12 23:54, Dmitri Pal wrote: >> > On 05/31/2012 03:03 PM, Dale >> Macartney wrote: >> >> > > >> >> >> Evening all >> >> >> >> >> >> http://www.youtube.com/watch?v=uvfkj8V6ylM >> >> >> >> >> >> This video was floating around Google plus a few days ago >> which is >> >> >> brilliant to show off RHEV's VDI technologies. I was >> wondering if anyone >> >> >> has a similar business case of vdi deployments with >> swipe passes or >> >> >> token, but using IPA as the backing authentication store? >> >> >> >> > I am not quite sure what is used as an authentication source >> in this case. >> >> > I can ask. >> >> >> I was just thinking as I seem to be doing a lot lately, "can it be done with ipa?" >> >> is token support on the road map? If some are not already supported. >> > > Define token? > You mean smart cards or 2FA using tokens like SecurID? > All on the roadmap. > I was thinking anything along the lines of a physical medium which an end user can use to authenticate themselves with. This can be single auth or 2FA. I was thinking things like SecurID, smartcards, yubikeys, RSA keyfobs, Citrix CAG tokens etc. If it's on the road map that's fine. I'll keep an eager eye open for the integration in the future ;-) >> >> >> >> >> Has anyone done something similar themselves? >> >> >> >> >> >> Dale
Re: [Freeipa-users] Provision user accounts & groups from external IM
Hi Alexander, I did some experimenting with the example at http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/ and am now able to create a user using the following as input to curl (-d @user_add.json):

{
  "method":"user_add",
  "params":[
    [],
    {
      "uid":"test",
      "givenname":"test",
      "sn":"test",
      "userpassword":"test"
    }
  ]
}

I'm left with two questions: - Is it possible to use a hashed password (as stored in the 'meta-IM') as a value for userpassword? And if so, will this propagate to the created Kerberos principal? - After creation, I'm forced to change the password when running `kinit test`. Is it possible to prevent the forced password change? As a test, I tried to set the '-needchange' attribute using kadmin but that returned "... Insufficient access while modifying..." I grepped the mailing list archives / API.txt / source code / etc. for clues but without success... Regards, Willem. On Tue, Jun 5, 2012 at 12:51 PM, Alexander Bokovoy wrote: > On Tue, 05 Jun 2012, Willem Bos wrote: > >> Hi Alexander, >> >> Thanks for your quick response. >> >> Yes, the server on which the external IM environment is hosted does not >> have the ipa utils available. As a matter of fact, the server might even >> be >> hosted off-site. We're just beginning to explore IM solutions for our >> environment and the most likely architecture is a 'meta-IM' service that >> provisions platform specific IM's like AD, Oracle's Internet Directory and >> IPA. It will probably be a requirement that the meta-IM is to provision >> IPA >> directly (instead of Meta-IM -> AD -> IPA). >> >> The JSON interface looks promising, I will certainly try the example >> provided. Would user_add be the suitable command to use? It's the obvious >> candidate, but I just want to make sure... >> > Yes, user_add is the command. > > -- > / Alexander Bokovoy > ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] 389-ds memory usage
On Tue, 2012-06-05 at 22:23 +, Steven Jones wrote: > I started with 2gb but went to 4 gb to try and last overnight and the > weekend...might have to go to 8gb to last the weekend > > I also have a frequent failure to start IPA when I do a "service ipa restart" > that means I cant cron an over-night restart > > And the KDC on the master IPA server seems to die for no reason Please install abrtd and provide back info in a bug next time it 'dies', If the KDC is failing in your specific case we want to know asap so we can fix it. We haven't experienced any KDC failure in ages here. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Provision user accounts & groups from external IM
On Wed, 2012-06-06 at 14:34 +0200, Willem Bos wrote: > Hi Alexander, > > > I did some experimenting with the example at > http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/ > and am now able to create a user using the following as input to curl (-d > @user_add.json) : > > > { > "method":"user_add", > "params":[ > [], > { > "uid":"test", > "givenname":"test", > "sn":"test", > "userpassword":"test" > } > ] > } > > > I'm left with two questions : > - Is it possible to use a hashed password (as stored in the 'meta-IM') > as a value for userpassword? And if so, will this propagate to the > created Kerberos principal? Nope, we need the clear text in order to generate the krb5 keys. > - After creation, I'm forced to change the password when running > `kinit test`. Is it possible to reset prevent the forced password > change? Yes, see: http://www.freeipa.org/page/PasswordSynchronization > As a test, I tried to set the '-needchange' attribute using kadmin but > that returned "... Insufficient access while modifying..." This is not controlled by kadmin. > > I grepped the mailing list archives / API.txt / source code / etc. for > clues but without success... See above, it is really easy to create an agent with the right permissions. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
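Willem's curl payload and Simo's two answers (the server needs the clear-text password to derive the Kerberos keys, and the forced change is lifted by provisioning through an agent with the right permissions, not through kadmin) are enough to write a small provisioning helper. The code below is an added example of mine, not code from the thread, from the blog post it cites or from FreeIPA. It builds the same JSON-RPC body Willem used, refuses a hashed value where the server would reject it anyway, writes the body to a 0600 file so the password never appears on a command line or in shell history, and unwraps the reply. The host ipa.example.com, the two sample replies and the error code shown in them are constructed; the Referer header is added because the IPA JSON endpoint checks it against cross-site requests (an assumption about the version in the thread).

```python
"""Build and unwrap FreeIPA JSON-RPC user_add calls.
Added example; not code from the thread, the cited blog post or FreeIPA."""
import json
import os
import shlex
from typing import Any, Dict, List

IPA_HOST = "ipa.example.com"   # assumed; the thread never names a server


class IPAError(Exception):
    """The "error" member of a JSON-RPC reply, kept structured so callers can branch on it."""
    def __init__(self, code: int, name: str, message: str):
        super().__init__(f"{name} ({code}): {message}")
        self.code, self.name = code, name


def build_user_add(uid: str, givenname: str, sn: str, userpassword: str,
                   **options: Any) -> Dict[str, Any]:
    """Request body in the shape Willem posted: params = [positional args, keyword options].
    The password must be clear text: IPA derives the Kerberos keys from it, so a hash
    copied out of another directory ("{SSHA}...", "{crypt}...") cannot be used."""
    if not userpassword or userpassword.startswith("{"):
        raise ValueError("user_add needs a clear-text userpassword, not a stored hash")
    opts: Dict[str, Any] = {"uid": uid, "givenname": givenname, "sn": sn,
                            "userpassword": userpassword}
    opts.update(options)
    return {"method": "user_add", "params": [[], opts]}


def write_payload(path: str, payload: Dict[str, Any]) -> str:
    """Write the body with mode 0600: the file holds the clear-text password."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(payload, fh)
    return path


def curl_argv(payload_path: str, host: str = IPA_HOST,
              cacert: str = "/etc/ipa/ca.crt") -> List[str]:
    """The curl call from the blog post, as an argv: Kerberos auth (--negotiate), the IPA
    CA pinned with --cacert, the body read from the file (-d @file) rather than passed
    inline, and the Referer the server expects (assumption, see lead-in)."""
    url = f"https://{host}/ipa/json"
    return ["curl", "--negotiate", "-u", ":", "--cacert", cacert,
            "-H", "Content-Type: application/json", "-H", "Accept: application/json",
            "-H", f"Referer: https://{host}/ipa",
            "-X", "POST", "-d", f"@{payload_path}", url]


def parse_response(body: str) -> Dict[str, Any]:
    """Return the "result" member of a reply, or raise IPAError from its "error" member."""
    reply = json.loads(body)
    err = reply.get("error")
    if err:
        raise IPAError(int(err.get("code", 0)), err.get("name", "UnknownError"),
                       err.get("message", ""))
    return reply["result"]


# Constructed replies in the JSON-RPC shape IPA uses; not captured from a server.
# A command's own result (entry, value, summary) sits inside the JSON-RPC "result".
SAMPLE_OK = json.dumps({
    "result": {"result": {"uid": ["test"], "givenname": ["test"], "sn": ["test"],
                          "has_password": True},
               "value": "test", "summary": 'Added user "test"'},
    "error": None, "id": 0, "principal": "admin@EXAMPLE.COM", "version": "2.2.0"})
SAMPLE_DUP = json.dumps({
    "result": None, "id": 0,
    "error": {"code": 4002, "name": "DuplicateEntry",
              "message": 'user with name "test" already exists'}})


if __name__ == "__main__":
    path = write_payload("user_add.json", build_user_add("test", "test", "test", "test"))
    print(" ".join(shlex.quote(a) for a in curl_argv(path)))
    print(parse_response(SAMPLE_OK)["summary"])
```

Run it where a Kerberos ticket for the provisioning agent exists (kinit as that agent first); the printed curl line is what the meta-IM host would execute, and `parse_response` is where a retry loop should distinguish DuplicateEntry from transport errors.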
[Freeipa-users] Administration question: root user
Hi Folks: I am a newbie so I apologize in advance if this is a silly set of questions. I am using FreeIPA 2.1.3 on CentOS 6.2 and am very happy with it but I have a couple of questions about root access. When I setup my systems, I configured root manually on each of them. Does it make sense to define the root user in FreeIPA? Is it desirable from a security and administration perspective? If it does make sense, is it as simple as adding the "root" user in "ipa user-add"? Thank you, Joe ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Administration question: root user
On Wed, 2012-06-06 at 06:59 -0700, Joe Linoff wrote: > Hi Folks: > > > > I am a newbie so I apologize in advance if this is a silly set of > questions. I am using FreeIPA 2.1.3 on CentOS 6.2 and am very happy > with it but I have a couple of questions about root access. When I > setup my systems, I configured root manually on each of them. > > > > Does it make sense to define the root user in FreeIPA? No, this is unsafe. You always want to be able to log in locally as root if something goes wrong. We specifically exclude 'root' from being managed by SSSD for this reason. > > > > Is it desirable from a security and administration perspective? Absolutely not. Your better bet would be to maintain SUDO rules on each of the systems instead. > > > > If it does make sense, is it as simple as adding the “root” user in > “ipa user-add”? Please don't :)
Re: [Freeipa-users] Administration question: root user
Thank you. I really appreciate your help and for taking the time to answer so quickly. I will NOT manage root through FreeIPA. Regards, Joe -Original Message- From: Stephen Gallagher [mailto:sgall...@redhat.com] Sent: Wednesday, June 06, 2012 7:15 AM To: Joe Linoff Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Administration question: root user
Re: [Freeipa-users] Provision user accounts & groups from external IM
Hi Simo, I totally missed http://www.freeipa.org/page/PasswordSynchronization (and chapter 8.5.3 of the IPA guide :-) Thanks for pointing it out! Regards, Willem. On Wed, Jun 6, 2012 at 2:46 PM, Simo Sorce wrote:
[Freeipa-users] Setting up sudo clients
Hi Folks: I am trying to configure sudo clients using FreeIPA 2.1.3 on CentOS 6.2 but I am running into a problem that I do not know how to debug. I used the instructions provided here: http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html. The server installation went fine and I even did a sudo client installation on the server which worked well. Unfortunately, when I did the same client setup on another host in the network I got the message: not in sudoers files when I tried to execute a command. Here is the output from /var/log/secure on the client. I didn't see anything strange on the server. The user name is bigbob.

Jun 6 10:38:35 docs unix_chkpwd[8737]: password check failed for user (bigbob)
Jun 6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun 6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun 6 10:38:36 docs sudo: bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls
Jun 6 10:44:09 docs unix_chkpwd[8767]: password check failed for user (bigbob)
Jun 6 10:44:09 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun 6 10:44:10 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun 6 10:44:10 docs sudo: bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/pwd

The command "/bin/pwd" is in the sudo commands and in the sudo command group. Any help would be greatly appreciated. Here are the setup steps that I performed on the client. The domain is foo.example.com.
# CITATION: http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html
#
# Update /etc/nsswitch.conf (append: the existing passwd/group/... lines must remain)
#
cat >>/etc/nsswitch.conf <<EOF
#
# FreeIPA sudo support
#
sudoers: files ldap
sudoers_debug: 1
EOF

#
# Insert this just after the ipa_server line and restart sssd:
# ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com
#
cat /etc/sssd/sssd.conf | \
awk '{print $0;if($1=="ipa_server"){printf("ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com\n");}}' >/tmp/x
cp /tmp/x /etc/sssd/sssd.conf
rm -f /tmp/x
service sssd restart

#
# Create the /etc/nslcd.conf file (it holds the bind password, so keep it root-only)
#
ls /etc/nslcd.conf
cat >/etc/nslcd.conf <<EOF
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=example,dc=com
bindpw pwd/sudo

ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

bind_timelimit 5
timelimit 15

uri ldap://cuthbert.foo.example.com
sudoers_base ou=SUDOers,dc=foo,dc=example,dc=com
EOF

#
# Set the NIS domain name (even though NIS is not used)
#
nisdomainname foo.example.com

Thank you,

Joe
Re: [Freeipa-users] Setting up sudo clients
On 06/06/2012 01:59 PM, Joe Linoff wrote:
> Hi Folks:
>
> I am trying to configure sudo clients using FreeIPA 2.1.3 on CentOS
> 6.2 but I am running into a problem that I do not know how to
> debug. I used the instructions provided here:
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html.
>
> The server installation went fine and I even did a sudo client
> installation on the server which worked well. Unfortunately, when I
> did the same client setup on another host in the network I got the
> message: not in sudoers files when I tried to execute a command.
>
> Here is the output from /var/log/secure on the client. I didn't see
> anything strange on the server. The user name is bigbob.
>
> Jun 6 10:38:35 docs unix_chkpwd[8737]: password check failed for user (bigbob)
> Jun 6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
> Jun 6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
> Jun 6 10:38:36 docs sudo: bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls
> Jun 6 10:44:09 docs unix_chkpwd[8767]: password check failed for user (bigbob)
> Jun 6 10:44:09 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
> Jun 6 10:44:10 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
> Jun 6 10:44:10 docs sudo: bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/pwd
>
Looks like the sudo utility is not going over LDAP and tries to find the user in the local file. Can you bind to the ldap server? Is the firewall port open?
> The command "/bin/pwd" is in the sudo commands and in the sudo command > group. > > > > Any help would be greatly appreciated. > > > > Here are the setup steps that I performed on the client. The domain is > foo.example.com. > > > > # CITATION: > http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html > > > > > # > > # Update /etc/nsswitch.conf > > # > > cat>/etc/nsswitch.conf < > > > # > > # FreeIPA sudo support > > # > > sudoers: files ldap > > sudoers_debug: 1 > > EOF > > > > # > > # Insert this just after the ipa_server line and restart sssd: > > # ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com > > # > > cat/etc/sssd/sssd.conf | \ > > awk'{print $0;if($1=="ipa_server"){printf("ldap_netgroup_search_base = > cn=ng,cn=compat,dc=foo,dc=example,dc=com\n");}}'>/tmp/x > > cp/tmp/x/etc/sssd/sssd.conf > > rm-f /tmp/x > > service sssd restart > > > > # > > # Create the /etc/nslcd.conf file > > # > > ls/etc/nslcd.conf > > cat>/etc/nslcd.conf < > binddn uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=example,dc=com > > bindpw pwd/sudo > > > > ssl start_tls > > tls_cacertfile /etc/ipa/ca.crt > > tls_checkpeer yes > > > > bind_timelimit 5 > > timelimit 15 > > > > uri ldap://cuthbert.foo.example.com > > sudoers_base ou=SUDOers,dc=foo,dc=example,dc=com > > EOF > > > > # > > # Set the NIS domain name (even though NIS is not used) > > # > > nisdomainname foo.example.com > > > > Thank you, > > > > Joe > > > > > > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] token/swipe pass deployments with IPA
On 06/06/2012 04:50 AM, Dale Macartney wrote: > I was thinking anything along the lines of a physical medium which an > end user can use to authenticate themselves with. This can be single > auth or 2FA. I was thinking things like SecurID, smartcards, yubikeys, > RSA keyfobs, Citrix CAG tokens etc. > > If it's on the road map that's fine. I'll keep an eager eye open for the > integration in the future ;-) It is. Via AuthHub but any help to make it more usable will be appreciated. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc.
Re: [Freeipa-users] 389-ds memory usage
Should be installed...will take a look. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: Simo Sorce [s...@redhat.com] Sent: Thursday, 7 June 2012 12:39 a.m. To: Steven Jones Cc: Sigbjorn Lie; freeipa-users@redhat.com Subject: Re: [Freeipa-users] 389-ds memory usage