[Freeipa-users] Re: FreeIPA/IdM versions on RHEL8

2019-12-06 Thread Christophe TREFOIS via FreeIPA-users
There is a difference between ipa-client and ipa-server.

> On 6 Dec 2019, at 18:32, Vinícius Ferrão via FreeIPA-users wrote:
> 
> Hi Christian
> 
>> On 6 Dec 2019, at 14:04, Christian Heimes via FreeIPA-users wrote:
>> 
>> On 06/12/2019 17.48, Vinícius Ferrão via FreeIPA-users wrote:
>>> Hello, this is probably a commercial question and not a technical one,
>>> but I’m curious about it.
>>> 
>>> As of today RHEL8 ships with FreeIPA (IdM) 4.7. The latest release is 4.8
>>> with some interesting features.
>> RHEL 8.0 has 4.7.1. RHEL 8.1 already ships with IPA 4.8.0.
> 
> Yes, I was an amateur:
> Installing group/module packages:
> ipa-client   x86_64   
> 4.8.0-11.module+el8.1.0+4247+9f3fd721  
> rhel-8-for-x86_64-appstream-rpms   266 k
> 
> So FreeIPA will not have separation on AppStreams. It will always be updated 
> to the last version during minor releases of RHEL8.
> 
>> Spoiler alert: You may find additional information if you search for
>> "rebase ipa" on the Red Hat Bugzilla.
> 
> Thanks for this! :)
> 
> But there’s no official roadmap from Red Hat, right? I should always get it on 
> Bugzilla.
> 
>> Christian



___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: FreeIPA/IdM versions on RHEL8

2019-12-06 Thread Vinícius Ferrão via FreeIPA-users
Hi Christian

> On 6 Dec 2019, at 14:04, Christian Heimes via FreeIPA-users wrote:
> 
> On 06/12/2019 17.48, Vinícius Ferrão via FreeIPA-users wrote:
>> Hello, this is probably a commercial question and not a technical one,
>> but I’m curious about it.
>> 
>> As of today RHEL8 ships with FreeIPA (IdM) 4.7. The latest release is 4.8
>> with some interesting features.
> RHEL 8.0 has 4.7.1. RHEL 8.1 already ships with IPA 4.8.0.

Yes, I was an amateur:
Installing group/module packages:
ipa-client   x86_64   
4.8.0-11.module+el8.1.0+4247+9f3fd721  
rhel-8-for-x86_64-appstream-rpms   266 k

So FreeIPA will not have separation on AppStreams. It will always be updated to 
the last version during minor releases of RHEL8.

> Spoiler alert: You may find additional information if you search for
> "rebase ipa" on the Red Hat Bugzilla.

Thanks for this! :)

But there’s no official roadmap from Red Hat, right? I should always get it on 
Bugzilla.

> Christian
> 
> -- 
> Christian Heimes
> Principal Software Engineer, Identity Management and Platform Security
> 
> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
> Commercial register: Amtsgericht Muenchen, HRB 153243,
> Managing Directors: Charles Cachera, Laurie Krebs, Michael O'Neill,
> Thomas Savage
> 
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: FreeIPA/IdM versions on RHEL8

2019-12-06 Thread Christian Heimes via FreeIPA-users
On 06/12/2019 17.48, Vinícius Ferrão via FreeIPA-users wrote:
> Hello, this is probably a commercial question and not a technical one,
> but I’m curious about it.
> 
> As of today RHEL8 ships with FreeIPA (IdM) 4.7. The latest release is 4.8
> with some interesting features.
RHEL 8.0 has 4.7.1. RHEL 8.1 already ships with IPA 4.8.0.

Spoiler alert: You may find additional information if you search for
"rebase ipa" on the Red Hat Bugzilla.

Christian

-- 
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security

Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Laurie Krebs, Michael O'Neill,
Thomas Savage





[Freeipa-users] FreeIPA/IdM versions on RHEL8

2019-12-06 Thread Vinícius Ferrão via FreeIPA-users
Hello, this is probably a commercial question and not a technical one, but I’m 
curious about it.

As of today RHEL8 ships with FreeIPA (IdM) 4.7. The latest release is 4.8 with 
some interesting features.

Since RHEL8 is still fresh, is there any rebase to a higher version on the map?

I see that IdM is now on AppStream: 
https://access.redhat.com/support/policy/updates/rhel8-app-streams-life-cycle 
so I’m guessing that 4.8 will hit AppStream sooner or later. The point is: is 
this real or just speculation?

I wasn’t able to find a roadmap on this specific issue. Is there anyone 
available that I can consult?

Thanks.


[Freeipa-users] Re: No Login on GUI

2019-12-06 Thread Christophe TREFOIS via FreeIPA-users
Have you checked certificates?

https://www.freeipa.org/page/Certmonger#Get_a_list_of_currently_tracked_certificates

Have you checked Kerberos logs, Dirsrv logs, Tomcat logs?

https://www.freeipa.org/page/Troubleshooting/Administration_and_Web_UI

> On 6 Dec 2019, at 17:29, Christian Reiss via FreeIPA-users wrote:
> 
> Hey Angus,
> 
> thanks for replying. Allow me to reply inline:
> 
> On 06/12/2019 16:00, Angus Clarke wrote:
>> Have you checked your times are in sync within 5 minutes?
> 
> Yes. And it's monitored.
> 
>> Have you checked DNS is working for all node entries between all nodes?
> 
> Yes. And it's monitored. Even PTR <-> A check.
> 
>> Have you used ipactl [status|restart|stop]?
> 
> Yes.
> 
> [root@auth1:~] # ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> ntpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa: INFO: The ipactl command was successful
> 
> [root@auth2:~] # ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> ntpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa: INFO: The ipactl command was successful
> 
> auth3 is down.
> 
>>  -> Do you see certain services fail and have you checked their logs?
> 
> Well, that's the wild thing. ipa cli (host remove, host add etc) all work from 
> auth1 (which the webui does not allow access). And all changes are propagated 
> to auth2. Same for the other way around.
> 
> It's just the login to auth1.
> 
>> I'm hoping your remaining IPA server is the renewal master:
>> On remaining good server:
>> kinit admin
>> ipa config-show | grep "IPA CA renewal master"
> 
> auth1 and auth2 agree on auth1 being the IPA CA renewal master.
> 
>> If it is then the following rebuild instructions should be ok.
>> If it is not, then you prolly need some other advice (I haven't faced that 
>> situation yet ...)
> > [...]
> 
> The following items seem to mix my two problems.
> 
> a) auth1 web login broken,
> b) auth3 needs re-setup.
> 
> Any clue on how to debug the web login (or lack thereof) issue?
> Checked httpd logs, nothing to see there in the error logs.
> 
> Cheers,
> Chris.
> 



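Christophe's first suggestion, checking the tracked certificates, is worth scripting when a server's web UI stops accepting logins while the rest of the stack reports RUNNING. The block below is an added example and is not code from this thread, from certmonger or from FreeIPA: it parses the layout that `getcert list` prints (the sample is constructed, with invented request IDs, hostnames, paths and dates; `THREAD_DATE`, the day of this thread, is the point in time it is checked against) and lists every tracked request that is not in the MONITORING state, is marked stuck, or expires within a configurable number of days.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout that `getcert list` prints. The request IDs,
# hostnames, paths and dates are invented for this example; only the field names
# and the MONITORING / CA_UNREACHABLE states are real certmonger vocabulary.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20191101120000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-ORG',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.ORG
\tsubject: CN=auth1.example.org,O=EXAMPLE.ORG
\texpires: 2021-11-01 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20191101120001':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://auth1.example.org/ipa/xml failed request, will retry (constructed sample error)
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.ORG
\tsubject: CN=auth1.example.org,O=EXAMPLE.ORG
\texpires: 2019-12-20 08:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20191101120002':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.ORG
\tsubject: CN=IPA RA,O=EXAMPLE.ORG
\texpires: 2019-12-10 00:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

# The day of this thread; used as "now" when the constructed sample is checked.
THREAD_DATE = datetime(2019, 12, 6, 12, 0, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")


def parse_getcert_list(text):
    """Turn `getcert list` output into one dict of field -> value per request."""
    certs, cur = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            cur = {"request_id": m.group(1)}
            certs.append(cur)
            continue
        # Field lines are indented "key: value"; the count header before the
        # first request is skipped.
        if cur is None or not line.startswith(("\t", " ")):
            continue
        key, sep, val = line.strip().partition(":")
        if sep:
            cur[key.strip()] = val.strip()
    return certs


def check_tracked_certs(certs, now, warn_days=30):
    """Return (request_id, subject, problem) for every request that needs attention:
    any state other than MONITORING, a stuck request, or an expiry inside warn_days."""
    problems = []
    for c in certs:
        rid, subj = c["request_id"], c.get("subject", "?")
        status = c.get("status")
        if status != "MONITORING":
            detail = f"status {status}"
            if c.get("ca-error"):
                detail += f": {c['ca-error']}"
            problems.append((rid, subj, detail))
        if c.get("stuck") == "yes":
            problems.append((rid, subj, "request is stuck"))
        expires = c.get("expires")
        if expires:
            when = datetime.strptime(expires, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
            left = when - now
            if left <= timedelta(0):
                problems.append((rid, subj, f"expired on {expires}"))
            elif left <= timedelta(days=warn_days):
                problems.append((rid, subj, f"expires in {left.days} days ({expires})"))
    return problems


if __name__ == "__main__":
    # Pipe real output in (`getcert list | python3 check_certs.py`) to check
    # against the current time; with no stdin the constructed sample is used.
    if sys.stdin.isatty():
        text, now = SAMPLE_GETCERT, THREAD_DATE
    else:
        text, now = sys.stdin.read(), datetime.now(timezone.utc)
    for rid, subj, problem in check_tracked_certs(parse_getcert_list(text), now):
        print(f"{rid} {subj}: {problem}")
```

Run on the sample it reports the CA_UNREACHABLE request (with its ca-error), the same request as stuck, and the two certificates that expire within thirty days of the thread's date; the healthy first request produces nothing.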


[Freeipa-users] Re: No Login on GUI

2019-12-06 Thread Christian Reiss via FreeIPA-users

Hey Angus,

thanks for replying. Allow me to reply inline:

On 06/12/2019 16:00, Angus Clarke wrote:
> Have you checked your times are in sync within 5 minutes?

Yes. And it's monitored.

> Have you checked DNS is working for all node entries between all nodes?

Yes. And it's monitored. Even PTR <-> A check.

> Have you used ipactl [status|restart|stop]?

Yes.

[root@auth1:~] # ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

[root@auth2:~] # ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

auth3 is down.

>  -> Do you see certain services fail and have you checked their logs?

Well, that's the wild thing. ipa cli (host remove, host add etc) all work
from auth1 (which the webui does not allow access). And all changes are
propagated to auth2. Same for the other way around.

It's just the login to auth1.

> I'm hoping your remaining IPA server is the renewal master:
> On remaining good server:
> kinit admin
> ipa config-show | grep "IPA CA renewal master"

auth1 and auth2 agree on auth1 being the IPA CA renewal master.

> If it is then the following rebuild instructions should be ok.
> If it is not, then you prolly need some other advice (I haven't faced
> that situation yet ...)
> [...]

The following items seem to mix my two problems.

a) auth1 web login broken,
b) auth3 needs re-setup.

Any clue on how to debug the web login (or lack thereof) issue?
Checked httpd logs, nothing to see there in the error logs.

Cheers,
Chris.

--
 Christian Reiss - em...@christian-reiss.de /"\  ASCII Ribbon
   supp...@alpha-labs.net   \ /Campaign
 X   against HTML
 WEB alpha-labs.net / \   in eMails

 GPG Retrieval https://gpg.christian-reiss.de
 GPG ID ABCD43C5, 0x44E29126ABCD43C5
 GPG fingerprint = 9549 F537 2596 86BA 733C  A4ED 44E2 9126 ABCD 43C5

 "It's better to reign in hell than to serve in heaven.",
  John Milton, Paradise lost.


[Freeipa-users] Re: FreeIPA / SSSD and IPV6

2019-12-06 Thread TomK via FreeIPA-users

On 12/6/2019 10:51 AM, TomK wrote:
> On 12/4/2019 11:16 AM, Alexander Bokovoy via FreeIPA-users wrote:
>> On Wed, 04 Dec 2019, Stephen John Smoogen via FreeIPA-users wrote:
>>> On Tue, 3 Dec 2019 at 21:43, TomK via FreeIPA-users wrote:
>>>> Hey All,
>>>>
>>>> Does FreeIPA fully support IPV6 or are there corner cases and
>>>> limitations that could make it a show stopper?
>>>
>>> Can you define 'fully support' IPV6? I say this from seeing various IT
>>> groups still having to deal with major network hardware vendors saying
>>> they 'fully support IPV6' but still needing weekly firmware updates
>>> because of switch crashes due to IPv6 options. And the problem seems
>>> to be that the IPV6 spec is complex and spread out over multiple
>>> documents with parts implemented from draft documents that never got
>>> out of committee. At times I doubt anything fully supports IPv6 so it
>>> is better to come up with what you mean by what you need IPv6 support
>>> to do and work from there.
>>
>> Yep. On the other hand, FreeIPA does have few open IPv6-related problems
>> at the moment. It is known to work in most IPv6 environments we have
>> seen so far but there are management issues in DNS handling, for
>> example.
>>
>> https://pagure.io/freeipa/issue/5658
>> https://pagure.io/freeipa/issue/4674
>>
>> Whether these issues prevent you from deploying FreeIPA in an IPv6-only
>> environment is up to you.
>
> Thanks everyone.  What I mean by 'fully supported' is just as the
> subject says, the FreeIPA piece.
>
> To clarify a bit further I'll break this down into two parts:
>
> 1) FreeIPA Core Project: Let's assume for the sake of this discussion
> that the OS, Hardware and what not fully supports IPv6.  So in other
> words, anything outside the realm of what you control or code within the
> FreeIPA project is out of scope of this question.
>
> 2) Integration: FreeIPA / SSSD will integrate with a host of
> technologies including SSSD, 389 Directory Server etc.  If any of those
> components aren't ready and impact FreeIPA components, I would be
> interested to know.

+ Subject change to include SSSD folks.  Remembered just now I meant to
ask the SSSD community as well.  So therefore a third question as well:

3) SSSD Core Project: Same as question 1 above but for SSSD.

--
Thx,
TK.


[Freeipa-users] Re: FreeIPA and IPV6

2019-12-06 Thread TomK via FreeIPA-users

On 12/4/2019 11:16 AM, Alexander Bokovoy via FreeIPA-users wrote:
> On Wed, 04 Dec 2019, Stephen John Smoogen via FreeIPA-users wrote:
>> On Tue, 3 Dec 2019 at 21:43, TomK via FreeIPA-users wrote:
>>> Hey All,
>>>
>>> Does FreeIPA fully support IPV6 or are there corner cases and
>>> limitations that could make it a show stopper?
>>
>> Can you define 'fully support' IPV6? I say this from seeing various IT
>> groups still having to deal with major network hardware vendors saying
>> they 'fully support IPV6' but still needing weekly firmware updates
>> because of switch crashes due to IPv6 options. And the problem seems
>> to be that the IPV6 spec is complex and spread out over multiple
>> documents with parts implemented from draft documents that never got
>> out of committee. At times I doubt anything fully supports IPv6 so it
>> is better to come up with what you mean by what you need IPv6 support
>> to do and work from there.
>
> Yep. On the other hand, FreeIPA does have few open IPv6-related problems
> at the moment. It is known to work in most IPv6 environments we have
> seen so far but there are management issues in DNS handling, for
> example.
>
> https://pagure.io/freeipa/issue/5658
> https://pagure.io/freeipa/issue/4674
>
> Whether these issues prevent you from deploying FreeIPA in an IPv6-only
> environment is up to you.

Thanks everyone.  What I mean by 'fully supported' is just as the
subject says, the FreeIPA piece.

To clarify a bit further I'll break this down into two parts:

1) FreeIPA Core Project: Let's assume for the sake of this discussion
that the OS, Hardware and what not fully supports IPv6.  So in other
words, anything outside the realm of what you control or code within the
FreeIPA project is out of scope of this question.

2) Integration: FreeIPA / SSSD will integrate with a host of
technologies including SSSD, 389 Directory Server etc.  If any of those
components aren't ready and impact FreeIPA components, I would be
interested to know.



--
Thx,
TK.


[Freeipa-users] Re: [EXTERNAL] Re: Anyone using FreeIPA/IdM and MicroFocus Network Automation ?

2019-12-06 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
I agree with your response:

user search base = "cn=users,cn=accounts,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG"
group search base = "cn=nnmi_access,cn=groups,cn=accounts,dc=PROJECT,dc=EXAMPLE,dc=ORG"

AND change the roleBase from member to memberOf

This is based on the results of tinkering with ldapsearch queries, trying the 
various base strings and field names.
Sadly, I cannot try this new info until Monday as the guy in charge of that 
server is out today and I promised not to tinker without permission/approval ☹

Anyway, many thanks for your responses, Rob.
I think I am close to The Answer! (42, right?)
__

Daniel E. White
daniel.e.wh...@nasa.gov
NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road
Building 14, Room E175
Greenbelt, MD 20771
Office: (301) 286-6919
Mobile: (240) 513-5290

From: Rob Crittenden
Date: Friday, December 6, 2019 at 10:07
To: Daniel White, FreeIPA users list
Subject: Re: [EXTERNAL] Re: [Freeipa-users] Anyone using FreeIPA/IdM and 
MicroFocus Network Automation ?

White, Daniel E. (GSFC-770.0)[NICS] wrote:
We set roleContextDN to cn=nnmi-access

And it still barfs, but I found stuff in the access log file: (redacted
a bit)

[06/Dec/2019:12:49:18.055641820 +] conn=2805 fd=110 slot=110
connection from NNMi-Server to IdM-Server
[06/Dec/2019:12:49:18.055983514 +] conn=2805 op=0 BIND dn=""
method=128 version=3
[06/Dec/2019:12:49:18.056068589 +] conn=2805 op=0 RESULT err=0
tag=97 nentries=0 etime=0.264910 dn=""
[06/Dec/2019:12:49:18.060407586 +] conn=2805 op=1 SRCH
base="cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG" scope=2
filter="(uid=USER)" attrs="distinguishedName"
[06/Dec/2019:12:49:18.060803785 +] conn=2805 op=1 RESULT err=0
tag=101 nentries=1 etime=0.453635

Right so the user is found, that's good. You should change the user
search base from cn=compat to cn=accounts.

Looks like it is doing an anonymous bind which is going to provide
limited information. I'm pretty sure there is a way to configure a bind
user for this but the how baffles me.

[06/Dec/2019:12:49:18.067812476 +] conn=2807 fd=128 slot=128
connection from NNMi-Server to IdM-Server
[06/Dec/2019:12:49:18.068098286 +] conn=2807 op=0 BIND dn=""
method=128 version=3
[06/Dec/2019:12:49:18.068165707 +] conn=2807 op=0 RESULT err=0
tag=97 nentries=0 etime=0.161713 dn=""
[06/Dec/2019:12:49:18.071528890 +] conn=2807 op=1 SRCH
base="cn=nnmi_access" scope=2
filter="(member=uid=USER,cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG)"
attrs="1.1"
[06/Dec/2019:12:49:18.071562192 +] conn=2807 op=1 RESULT err=32
tag=101 nentries=0 etime=0.074662

The search base is cn=nnmi_access which doesn't exist but this shows us
that wherever you configured this value should be
cn=groups,cn=accounts,... so that's something. It will need to bind as a
real user to get memberof though so that will need to be addressed too.

This is what popped up in the access log when this command was run on the
NNMi server:
   nnmldap.ovpl -diagnose USER

So yeah it's nice that you have a tool to easily verify things. By
poking at the config and using this tool and watching the logs you may
be able to bang on it enough to get things to work.

So basically you've gotten the user configuration mostly right you just
need to get the group base configuration done and figure out how to
specify a user to bind as.

rob




[Freeipa-users] Re: [EXTERNAL] Re: Anyone using FreeIPA/IdM and MicroFocus Network Automation ?

2019-12-06 Thread Rob Crittenden via FreeIPA-users
White, Daniel E. (GSFC-770.0)[NICS] wrote:
> We set roleContextDN to cn=nnmi-access
> 
> And it still barfs, but I found stuff in the access log file: (redacted
> a bit)
> 
> [06/Dec/2019:12:49:18.055641820 +] conn=2805 fd=110 slot=110
> connection from NNMi-Server to IdM-Server
> [06/Dec/2019:12:49:18.055983514 +] conn=2805 op=0 BIND dn=""
> method=128 version=3
> [06/Dec/2019:12:49:18.056068589 +] conn=2805 op=0 RESULT err=0
> tag=97 nentries=0 etime=0.264910 dn=""
> [06/Dec/2019:12:49:18.060407586 +] conn=2805 op=1 SRCH
> base="cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG" scope=2
> filter="(uid=USER)" attrs="distinguishedName"
> [06/Dec/2019:12:49:18.060803785 +] conn=2805 op=1 RESULT err=0
> tag=101 nentries=1 etime=0.453635

Right so the user is found, that's good. You should change the user
search base from cn=compat to cn=accounts.

Looks like it is doing an anonymous bind which is going to provide
limited information. I'm pretty sure there is a way to configure a bind
user for this but the how baffles me.

> [06/Dec/2019:12:49:18.067812476 +] conn=2807 fd=128 slot=128
> connection from NNMi-Server to IdM-Server
> [06/Dec/2019:12:49:18.068098286 +] conn=2807 op=0 BIND dn=""
> method=128 version=3
> [06/Dec/2019:12:49:18.068165707 +] conn=2807 op=0 RESULT err=0
> tag=97 nentries=0 etime=0.161713 dn=""
> [06/Dec/2019:12:49:18.071528890 +] conn=2807 op=1 SRCH
> base="cn=nnmi_access" scope=2
> filter="(member=uid=USER,cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG)"
> attrs="1.1"
> [06/Dec/2019:12:49:18.071562192 +] conn=2807 op=1 RESULT err=32
> tag=101 nentries=0 etime=0.074662

The search base is cn=nnmi_access which doesn't exist but this shows us
that wherever you configured this value should be
cn=groups,cn=accounts,... so that's something. It will need to bind as a
real user to get memberof though so that will need to be addressed too.

> This is what popped up in the access log when this command was run on the
> NNMi server:
> 
>    nnmldap.ovpl -diagnose USER

So yeah it's nice that you have a tool to easily verify things. By
poking at the config and using this tool and watching the logs you may
be able to bang on it enough to get things to work.

So basically you've gotten the user configuration mostly right you just
need to get the group base configuration done and figure out how to
specify a user to bind as.

rob
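Rob's reading of the log (an anonymous bind, a user lookup under cn=compat rather than cn=accounts, a group search base that is not under the directory suffix, and err=32 on that search, which is LDAP noSuchObject) can be mechanised over the whole 389-ds access log, which is also the check Daniel was doing by hand in the earlier message. The block below is an added example, not code from this thread, from FreeIPA or from NNMi: `parse_access_log` splits the access log format into connection, operation and key=value fields, and `audit_ldap_client` reports those four conditions against a suffix you pass in. The sample lines are constructed after the ones Daniel posted, keeping his NNMi-Server/IdM-Server placeholders; the +0000 timezone offset is an assumption, since the archive stripped it.

```python
import re

# Constructed sample modelled on the 389-ds access log lines quoted in the thread.
# "NNMi-Server" and "IdM-Server" are the placeholders from the thread; the
# timezone offset +0000 is assumed because the archive stripped it.
SAMPLE_ACCESS_LOG = """\
[06/Dec/2019:12:49:18.055641820 +0000] conn=2805 fd=110 slot=110 connection from NNMi-Server to IdM-Server
[06/Dec/2019:12:49:18.055983514 +0000] conn=2805 op=0 BIND dn="" method=128 version=3
[06/Dec/2019:12:49:18.056068589 +0000] conn=2805 op=0 RESULT err=0 tag=97 nentries=0 etime=0.264910 dn=""
[06/Dec/2019:12:49:18.060407586 +0000] conn=2805 op=1 SRCH base="cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG" scope=2 filter="(uid=USER)" attrs="distinguishedName"
[06/Dec/2019:12:49:18.060803785 +0000] conn=2805 op=1 RESULT err=0 tag=101 nentries=1 etime=0.453635
[06/Dec/2019:12:49:18.067812476 +0000] conn=2807 fd=128 slot=128 connection from NNMi-Server to IdM-Server
[06/Dec/2019:12:49:18.068098286 +0000] conn=2807 op=0 BIND dn="" method=128 version=3
[06/Dec/2019:12:49:18.068165707 +0000] conn=2807 op=0 RESULT err=0 tag=97 nentries=0 etime=0.161713 dn=""
[06/Dec/2019:12:49:18.071528890 +0000] conn=2807 op=1 SRCH base="cn=nnmi_access" scope=2 filter="(member=uid=USER,cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG)" attrs="1.1"
[06/Dec/2019:12:49:18.071562192 +0000] conn=2807 op=1 RESULT err=32 tag=101 nentries=0 etime=0.074662
[06/Dec/2019:12:49:18.074036480 +0000] conn=2807 op=3 UNBIND
"""

# Directory suffix used in the thread (already redacted there).
SUFFIX = "dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG"

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<body>.*)$')
OP_RE = re.compile(r'^op=(?P<op>\d+) (?P<kind>[A-Z]+)(?: (?P<args>.*))?$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
LDAP_RESULT = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
               50: "insufficientAccessRights"}


def parse_access_log(text):
    """One dict per line: conn, op, kind (CONNECT/BIND/SRCH/RESULT/UNBIND) plus key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": m["ts"], "conn": int(m["conn"]), "op": None, "kind": "CONNECT"}
        om = OP_RE.match(m["body"])
        if om:
            ev["op"], ev["kind"] = int(om["op"]), om["kind"]
            ev.update({k: v.strip('"') for k, v in KV_RE.findall(om["args"] or "")})
        events.append(ev)
    return events


def audit_ldap_client(events, suffix):
    """Return (conn, op, issue, detail) for the conditions discussed in the thread:
    anonymous binds, lookups in the compat tree, search bases outside the suffix,
    and non-zero LDAP results (err=32 is noSuchObject: the base DN does not exist)."""
    findings = []
    pending = {}                      # (conn, op) -> search base, until its RESULT arrives
    suffix_l = suffix.lower()
    for ev in events:
        conn, op, kind = ev["conn"], ev["op"], ev["kind"]
        if kind == "BIND" and ev.get("dn", "") == "":
            findings.append((conn, op, "anonymous-bind",
                             "anonymous bind: memberOf is not returned; bind as a real user"))
        elif kind == "SRCH":
            base = ev.get("base", "")
            pending[(conn, op)] = base
            if not base.lower().endswith(suffix_l):
                findings.append((conn, op, "base-outside-suffix",
                                 f"search base {base!r} is not under {suffix}"))
            elif "cn=compat," in base.lower():
                findings.append((conn, op, "compat-tree",
                                 f"lookup under compat tree {base!r}; use cn=users,cn=accounts,{suffix}"))
        elif kind == "RESULT":
            err = int(ev.get("err", "0"))
            base = pending.pop((conn, op), None)
            if err != 0:
                name = LDAP_RESULT.get(err, f"err={err}")
                where = f" for base {base!r}" if base is not None else ""
                findings.append((conn, op, name, f"result {err} ({name}){where}"))
    return findings


if __name__ == "__main__":
    for conn, op, issue, detail in audit_ldap_client(parse_access_log(SAMPLE_ACCESS_LOG), SUFFIX):
        print(f"conn={conn} op={op} [{issue}] {detail}")
```

On a server, feed it the real log with `parse_access_log(open('/var/log/dirsrv/slapd-INSTANCE/access').read())`, replacing INSTANCE with the 389-ds instance name, and pass the domain's suffix; on the sample it flags both anonymous binds, the compat-tree user lookup on conn 2805, and on conn 2807 both the bare `cn=nnmi_access` base and the noSuchObject result that base produced.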


[Freeipa-users] Re: [EXTERNAL] Re: Anyone using FreeIPA/IdM and MicroFocus Network Automation ?

2019-12-06 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
We set roleContextDN to cn=nnmi-access

And it still barfs, but I found stuff in the access log file: (redacted a bit)

[06/Dec/2019:12:49:18.055641820 +] conn=2805 fd=110 slot=110 connection 
from NNMi-Server to IdM-Server
[06/Dec/2019:12:49:18.055983514 +] conn=2805 op=0 BIND dn="" method=128 
version=3
[06/Dec/2019:12:49:18.056068589 +] conn=2805 op=0 RESULT err=0 tag=97 
nentries=0 etime=0.264910 dn=""
[06/Dec/2019:12:49:18.060407586 +] conn=2805 op=1 SRCH 
base="cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG" scope=2 
filter="(uid=USER)" attrs="distinguishedName"
[06/Dec/2019:12:49:18.060803785 +] conn=2805 op=1 RESULT err=0 tag=101 
nentries=1 etime=0.453635
[06/Dec/2019:12:49:18.061436537 +] conn=2806 fd=125 slot=125 connection 
from NNMi-Server to IdM-Server
[06/Dec/2019:12:49:18.061707766 +] conn=2806 op=0 BIND dn="" method=128 
version=3
[06/Dec/2019:12:49:18.061784637 +] conn=2806 op=0 RESULT err=0 tag=97 
nentries=0 etime=0.187246 dn=""
[06/Dec/2019:12:49:18.066780892 +] conn=2806 op=1 SRCH 
base="cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG" scope=2 
filter="(uid=USER)" attrs="distinguishedName"
[06/Dec/2019:12:49:18.067161659 +] conn=2806 op=1 RESULT err=0 tag=101 
nentries=1 etime=0.428881
[06/Dec/2019:12:49:18.067812476 +] conn=2807 fd=128 slot=128 connection 
from NNMi-Server to IdM-Server
[06/Dec/2019:12:49:18.068098286 +] conn=2807 op=0 BIND dn="" method=128 
version=3
[06/Dec/2019:12:49:18.068165707 +] conn=2807 op=0 RESULT err=0 tag=97 
nentries=0 etime=0.161713 dn=""
[06/Dec/2019:12:49:18.071528890 +] conn=2807 op=1 SRCH 
base="cn=nnmi_access" scope=2 
filter="(member=uid=USER,cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG)"
 attrs="1.1"
[06/Dec/2019:12:49:18.071562192 +] conn=2807 op=1 RESULT err=32 tag=101 
nentries=0 etime=0.074662
[06/Dec/2019:12:49:18.072926385 +] conn=2807 op=2 SRCH 
base="cn=nnmi_access" scope=2 
filter="(groupmember=uid=USER,cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG)"
 attrs="1.1"
[06/Dec/2019:12:49:18.072953042 +] conn=2807 op=2 RESULT err=32 tag=101 
nentries=0 etime=0.067911
[06/Dec/2019:12:49:18.074036480 +] conn=2807 op=3 UNBIND
[06/Dec/2019:12:49:18.074048223 +] conn=2807 op=3 fd=128 closed - U1

This is what popped up in the access log when this command was run on the NNMi 
server:

   nnmldap.ovpl -diagnose USER

The output from the command is:

=
= Configuration
=
Diagnosing LDAP connectivity for user USER
Using LDAP configuration file 

=
= Found User Distinguished Name: 
"uid=USER,cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG"
=

 NOTE !!!
!  No LDAP groups found for this User Distinguished Name.
!


 NOTE !!!
!  LDAP Appears to be Misconfigured. See above for more information.
!

Also, in nms-auth-config.xml,

Container element to include all user configuration details.
  
Container element to include the configuration information for searching users.
   
   
For example:
 SAMAccountName={0} .
 uid={0} 



For Active Directory, specify the portion of the directory service domain that 
stores user records. For example:
For Active Directory
CN=user,OU=Users,OU=Accounts,DC=mycompany,DC=com
For other LDAP technologies
ou=People,o=example.com
  


base is set to "uid=(0)"
and baseContextDN is set to 
"cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG"

A simple ldapsearch for "uid=USER" returns a boatload of info with many 
"memberOf" lines including

memberOf: 
cn=nnmi_access,cn=groups,cn=accounts,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG

Does this shed any light on the dilemma?

From: Rob Crittenden
Date: Thursday, December 5, 2019 at 14:31
To: Daniel White, FreeIPA users list
Subject: Re: [EXTERNAL] Re: [Freeipa-users] Anyone using FreeIPA/IdM and 
MicroFocus Network Automation ?

White, Daniel E. (GSFC-770.0)[NICS] wrote:
Thanks, Rob.

I will give it a try.

I made a posix group to use for application access - call it "nnmi_access"

I can ldapsearch using

(&(objectclass=groupofnames)(cn=nnmi_access)) member

and get back the members of the group like this:
member:  uid=foobar,cn=users,cn=accounts,dc=…

So then the roleBase is "member". but what should the 

[Freeipa-users] Re: In-place upgrade from RHEL 7 to RHEL 8

2019-12-06 Thread Rob Crittenden via FreeIPA-users
Ronald Wimmer via FreeIPA-users wrote:
> 
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/migrate-7-to-8_migrating
> states that the CA-Master should be replaced.
> 
> How would you proceed if there were multiple servers that needed an
> upgrade to 8? Do I need to stop the CA service and disable CRL
> generation on three of my four CA servers and migrate the remaining
> server from 7 to 8?
> 
> Or could I
> 
> 1) stop ipa servers 2 to 8
> 2) migrate ipa1 to RHEL8
> 3) deploy 7 RHEL8 machines
> 4) setup replicas on these machines

Only one master should generate the CRL.

You don't have to do the migration all in one fell swoop at the same
time. But you don't want to drag it out forever either (life is a balance).

What I'd do is create a new master in RHEL 8 with a CA. Set that as the
CRL generator and CA Renewal Master. If you have physical machines then
it's fine to remove one of the existing servers and re-create it with
RHEL 8.

Once things are working then create another RHEL 8 master, drop another
RHEL 7. Rinse and repeat. Eventually you'll run out of RHEL 7 machines
to migrate. This can happen over as long a period as you're comfortable
with; you just don't want to drag it out for months if you can avoid it.

Watch the replication topology for both IPA and the CA. Remember to keep
at least 2 CA masters and trust controller/agent (which you seem to have
in good order now).