[Freeipa-users] Re: Command to export sub-ca certificate

2020-02-05 Thread Fraser Tweedale via FreeIPA-users
On Wed, Feb 05, 2020 at 06:19:16PM -, Jakob Ackermann via
FreeIPA-users wrote:
> this is exactly what I tried before and the puppet agent complained
> that it could not find the CA its certificate was signed with.
> This is a limitation in puppet.
> 
OK, thanks for clarifying.

> Rob's answer worked for me around the puppet limitation. Any
> reason why I would not want to add the sub-ca certificate into the
> managed certs?
> 

If the sub-CA cert gets renewed it will not automatically be updated
in the trust store.  If you revoke the sub-CA cert but clients
explicitly trust it, the clients may not check revocation status of
the sub-CA.

Other than those points, there is no harm in doing it since the
trust is transitive anyway.

Cheers,
Fraser

> Thanks so much.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
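As an added example of the two caveats Fraser raises (this is not code from the thread or from FreeIPA), the script below builds a throwaway root CA, sub-CA and leaf with openssl, then contrasts a client that anchors on the root with one that has copied the sub-CA certificate into its trust store. The CA names, the leaf name agent.example.test and all validity periods are invented for the demonstration.

```sh
#!/bin/sh
# Added example for the sub-CA trust question above; not code from the thread
# or from FreeIPA. It builds a throwaway PKI with openssl and contrasts a client
# that anchors on the root with one that copied the sub-CA cert into its trust
# store:
#   1. trust is transitive: anchoring on the root validates the sub-CA's leaves;
#   2. after the root revokes the sub-CA, the pinned client still accepts the
#      leaf, since it never consults the root or the root's CRL;
#   3. when the sub-CA is renewed (same key, new cert) the pinned copy goes
#      stale and fails once it expires, while root-anchored clients that get the
#      renewed sub-CA cert from the peer keep working.
# Names (Example Root CA, Example Sub CA, agent.example.test) are invented.
set -eu

build_pki() {   # $1 = scratch dir: root, two sub-CA certs, a leaf and a root CRL
  dir="$1"; mkdir -p "$dir"; : > "$dir/index.txt"; echo 01 > "$dir/serial"
  cat > "$dir/ossl.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth, clientAuth
[root_ca]
database = $dir/index.txt
serial = $dir/serial
new_certs_dir = $dir
certificate = $dir/root.pem
private_key = $dir/root.key
default_md = sha256
default_crl_days = 7
EOF
  newkey="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -config $dir/ossl.cnf"
  # Root CA: self-signed, long-lived.
  openssl req -x509 $newkey -keyout "$dir/root.key" -out "$dir/root.pem" \
    -subj "/CN=Example Root CA" -days 3650 -extensions ca_ext 2>/dev/null
  # Sub-CA key and CSR; the first cert is deliberately short-lived (10 days),
  # the renewal for the same key is valid for a year.
  openssl req $newkey -keyout "$dir/sub.key" -out "$dir/sub.csr" \
    -subj "/CN=Example Sub CA" 2>/dev/null
  for v in old:10 new:365; do
    openssl x509 -req -in "$dir/sub.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
      -CAcreateserial -out "$dir/sub-${v%%:*}.pem" -days "${v##*:}" \
      -extfile "$dir/ossl.cnf" -extensions ca_ext 2>/dev/null
  done
  # Leaf (an agent certificate) issued under the sub-CA key.
  openssl req $newkey -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
    -subj "/CN=agent.example.test" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/sub-new.pem" -CAkey "$dir/sub.key" \
    -CAcreateserial -out "$dir/leaf.pem" -days 365 \
    -extfile "$dir/ossl.cnf" -extensions leaf_ext 2>/dev/null
  # The root revokes the old sub-CA cert and publishes a CRL saying so.
  openssl ca -config "$dir/ossl.cnf" -name root_ca -revoke "$dir/sub-old.pem" >/dev/null 2>&1
  openssl ca -config "$dir/ossl.cnf" -name root_ca -gencrl -crldays 7 -out "$dir/root.crl" >/dev/null 2>&1
}

# check DIR MODEL [EPOCH]: exit 0 if that client model accepts the certificate.
# EPOCH, when given, is passed as -attime to evaluate validity at a later date.
check() {
  dir="$1"; attime=""; [ -n "${3:-}" ] && attime="-attime $3"
  case "$2" in
    root-anchor)   # root in the trust store, renewed sub-CA cert supplied by the peer
      openssl verify $attime -CAfile "$dir/root.pem" -untrusted "$dir/sub-new.pem" "$dir/leaf.pem" ;;
    pin-old-subca) # old sub-CA cert copied into the trust store, no CRL consulted
      openssl verify $attime -partial_chain -CAfile "$dir/sub-old.pem" "$dir/leaf.pem" ;;
    subca-status)  # what a root-anchored client holding the root CRL learns about sub-old
      openssl verify -crl_check -CRLfile "$dir/root.crl" -CAfile "$dir/root.pem" "$dir/sub-old.pem" ;;
    *) echo "unknown model: $2" >&2; return 2 ;;
  esac >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d); build_pki "$d"; later=$(( $(date +%s) + 30 * 86400 ))
  for m in root-anchor pin-old-subca subca-status; do
    check "$d" "$m" && echo "now:  $m accepted" || echo "now:  $m rejected"
  done
  for m in root-anchor pin-old-subca; do
    check "$d" "$m" "$later" && echo "+30d: $m accepted" || echo "+30d: $m rejected"
  done
  rm -rf "$d"
}
demo
```

Run as-is; it prints one line per check. At the current time both client models accept the leaf, and only the root-anchored client that holds the root's CRL learns that the old sub-CA certificate has been revoked. Thirty days on, the pinned client rejects the leaf because its copy of the sub-CA certificate has expired, while the root-anchored client keeps working with the renewed certificate the peer sends. That is the "renewal" and "revocation" pair of caveats in practice: the pinned trust store has to be touched by hand for both events, the root-anchored one for neither.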


[Freeipa-users] Re: [EXTERNAL] Re: VMware vCenter Single Sign-On

2020-02-05 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
I believe you have stated the issue very precisely, Alexander.

Pretty much all LDAP-integrated applications have the ability to specify attribute 
names and objectclass names in their configuration to be able to adapt to 
various LDAP schemas.

I am pushing this idea at VMware Support.
The ability to remap the names of the attributes requested by vCenter would have helped to 
solve this difference.

Many thanks.
__

Daniel E. White
daniel.e.wh...@nasa.gov
NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road
Building 14, Room E175
Greenbelt, MD 20771
Office: (301) 286-6919
Mobile: (240) 513-5290

From: Alexander Bokovoy via FreeIPA-users 
Reply-To: FreeIPA users list 
Date: Wednesday, February 5, 2020 at 14:45
To: FreeIPA users list 
Cc: Alexander Bokovoy 
Subject: [EXTERNAL] [Freeipa-users] Re: VMware vCenter Single Sign-On

The ability to remap the names of the attributes requested by vCenter would have helped to 
solve this difference.

Pretty much all LDAP-integrated applications have the ability to specify attribute 
names and objectclass names in their configuration to be able to adapt to 
various LDAP schemas.


[Freeipa-users] Re: VMware vCenter Single Sign-On

2020-02-05 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 04 Feb 2020, Christopher Young via FreeIPA-users wrote:

I gotta say, the unwillingness of large organizations like RedHat to
even consider this functionality is pretty amazing to see since there
was a bug filed 12 years ago to add proper support for RFC 4530
entryUUID.  At some point, it should be a matter of pride for the
directory services to add functionality that clearly there is a demand
for.  I understand a lack of resources, but this looks more like a
lack of overall desire when you look at the complete lack of
attention this type of stuff gets in Bugzilla.


I don't think you can blame the vCenter interoperability failure on
entryUUID support. That one is simply a non-issue. The real issue is
the inability to reconfigure the set of attribute names vCenter uses to query.

FreeIPA has the ipaUniqueID attribute, which is pretty much equivalent to
entryUUID. However, FreeIPA doesn't support the uniqueMember schema because
it ensures all IPA groups have unique membership already, and the
memberOf/member schema has much wider use and acceptance.

We looked at the possibility of emulating uniqueMember-based LDAP requests
with a number of different approaches and decided not to go this way.
You can see all the approaches and their performance characteristics in the
FreeIPA wiki page referenced by Daniel below. A general performance
degradation just to be able to present the same information in the view
required by vCenter, while conforming with LDAP protocol client
expectations, is not worth adding.

The ability to remap the names of the attributes requested by vCenter would have
helped to solve this difference. Pretty much all LDAP-integrated
applications have the ability to specify attribute names and objectclass
names in their configuration to be able to adapt to various LDAP
schemas.



Having said that, it is pretty strange for vCenter to have LDAP
requirements and lack of instructions/testing with hardly any
third-party LDAP solutions.  That kinda defeats the purpose of
supporting an open standard.

In any case, at least there is a solid answer.  This would be one
worth just putting in the FAQ or on pages referencing vCenter that is
basically unsupported and will not be worked.

-- Chris

On Tue, Feb 4, 2020 at 3:49 PM White, Daniel E. (GSFC-770.0)[NICS] via
FreeIPA-users  wrote:


Reference Links:

12/19/2006 https://bugzilla.redhat.com/show_bug.cgi?id=220222 Bug 220222 - 
[RFE] support for RFC 4530 entryUUID attribute [NEEDINFO]

Product:   Red Hat Enterprise Linux 8

Reported:2006-12-19 19:40 UTC by Victoriano Giralt

Modified:2020-01-17 05:47 UTC (History)



01/04/2012 https://pagure.io/389-ds-base/issue/137  #137 No support for RFC 
4530 entryUUID attribute

Last Modified 10/18/2017



04/04/2019 https://christopherdamerau.com/freeipa-as-vcsa-identity-source/

01/30/2019 
https://www.reddit.com/r/redhat/comments/al3no8/does_identity_management_freeipa_and_vsphere/

04/04/2016 
https://www.howtovmlinux.com/articles/vmware/vcenter/integrate-freeipa-idm-with-vcsa-vcenter-server-for-user-authentications.html

06/20/2017 https://kb.vmware.com/s/article/2064977  VMware Knowledge Base: 
OpenLDAP schemas supported in VMware vCenter Single Sign-On (2064977)

11/22/2018 https://www.freeipa.org/page/V4/Data_transformation



I have spent the last two days trying to get vSphere 6.7 SSO to talk to Red Hat 
Identity Manager (FreeIPA v4.6.5)

Group permissions from LDAP do not work in vSphere.  Period.  It tells me, "Unable 
to login because you do not have permission on any vCenter server systems connected to this 
client"



I can associate an LDAP user to a vSphere role at the global level, but that 
won’t scale very far.



QUESTION: Does anyone know of an OpenLDAP setup that satisfies the VMware KB 
description ?

I do not believe that such a critter exists unless it is a home-grown, custom 
cobbled together monstrosity that would be a nightmare to maintain.

This was my point to VMware support.

They support Active Directory.

They should support FreeIPA because their "OpenLDAP" setup probably does not 
exist.



I am looking for any recent information anyone may have about getting this to 
work.

I am also looking for more detail to support my claim to VMware that they need 
to support FreeIPA.

__



Daniel E. White
daniel.e.wh...@nasa.gov

NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road
Building 14, Room E175
Greenbelt, MD 20771

Office: (301) 286-6919

Mobile: (240) 513-5290


[Freeipa-users] Re: Command to export sub-ca certificate

2020-02-05 Thread Jakob Ackermann via FreeIPA-users
this is exactly what I tried before and the puppet agent complained that it 
could not find the CA its certificate was signed with. This is a limitation in 
puppet.

Rob's answer worked for me around the puppet limitation. Any reason why I would 
not want to add the sub-ca certificate into the managed certs?

Thanks so much.


[Freeipa-users] Re: ipa-restore and the issues

2020-02-05 Thread Rob Crittenden via FreeIPA-users
Please keep responses on the list.

Ian Kumlien wrote:
> ipa find-user admin
> ipa: ERROR: No valid Negotiate header in server response
> 
> And a lot of krb issues according to the http logs

I think we need to see the logs to diagnose.

> 
> I wasn't expecting this - since all keys should be the same as the one
> installed - which is why i asked about any changes to the ldap data

It could happen, for example, if you had gotten a new keytab for one or
more services and restored old data. Unlikely, but possible.

Comparing the klist output with kvno for all the keytabs and principals
will tell you.

rob

> If there is something more specific you want me to look at, just let me know
> 
> On Wed, Feb 5, 2020 at 4:54 PM Rob Crittenden  wrote:
>>
>> Ian Kumlien via FreeIPA-users wrote:
>>> Hi,
>>>
>>> Due to issues, I'm trying to do a partial restore of all the "important 
>>> bits"
>>>
>>> But if I do ipa-restore --online --data --backend=userRoot $BACKUP
>>>
>>> I end up in a semi-working environment - the webui doesn't work - kinit 
>>> does...
>>>
>>> ipa doesn't etc..
>>>
>>
>> It doesn't work how? What have you done to troubleshoot? What do the
>> logs say?
>>
>> rob
>>
> 
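The comparison Rob suggests, as an added example that is not from the thread or from FreeIPA: a small awk-based check that lines up the key version number (kvno) of every principal in a keytab, as printed by `klist -k` or `klist -kt`, against the kvno the KDC reports for it, as printed by `kvno <principal>`, and flags any drift. The principal names, hostnames and kvno values are constructed sample data.

```sh
#!/bin/sh
# Added example, not from the thread or from FreeIPA: the comparison Rob suggests,
# done mechanically. The key version number (kvno) of each principal in a keytab
# (as printed by `klist -k` or `klist -kt`) must match the kvno the KDC holds for
# it (as printed by `kvno <principal>`). Restoring older LDAP data over a KDC whose
# keys were rotated since the backup makes the two drift apart, and GSSAPI then
# fails. The principal names, hostnames and numbers below are constructed.
set -eu

# kvno_mismatches KLIST_FILE KVNO_FILE
# Prints "principal keytab=N kdc=M" for every principal whose keytab kvno differs
# from the KDC's; exit status 1 if any mismatch was found, 0 otherwise.
kvno_mismatches() {
  awk '
    # first file, klist output: "<kvno> [timestamp] <principal>"; a keytab may
    # hold several key versions of one principal, so keep the highest
    FILENAME == ARGV[1] { if ($1 ~ /^[0-9]+$/ && NF >= 2 && $1 + 0 > kt[$NF] + 0) kt[$NF] = $1 + 0; next }
    # second file, kvno output: "<principal>: kvno = <n>"
    /: kvno = / { p = $1; sub(/:$/, "", p); kdc[p] = $NF + 0 }
    END {
      bad = 0
      for (p in kt) {
        if (!(p in kdc)) { printf "%s keytab=%d kdc=unknown\n", p, kt[p]; bad = 1 }
        else if (kt[p] != kdc[p]) { printf "%s keytab=%d kdc=%d\n", p, kt[p], kdc[p]; bad = 1 }
      }
      exit bad
    }' "$1" "$2"
}

klist_sample() {   # constructed `klist -k` output: the keytab holds HTTP at kvno 5
  cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ipa.example.test@EXAMPLE.TEST
   3 host/ipa.example.test@EXAMPLE.TEST
   5 HTTP/ipa.example.test@EXAMPLE.TEST
   5 HTTP/ipa.example.test@EXAMPLE.TEST
EOF
}

kvno_sample() {    # constructed `kvno` output: the KDC has since moved HTTP to kvno 7
  cat <<'EOF'
host/ipa.example.test@EXAMPLE.TEST: kvno = 3
HTTP/ipa.example.test@EXAMPLE.TEST: kvno = 7
EOF
}

demo() {
  d=$(mktemp -d); klist_sample > "$d/klist.txt"; kvno_sample > "$d/kvno.txt"
  if kvno_mismatches "$d/klist.txt" "$d/kvno.txt"; then
    echo "keytab and KDC agree"
  else
    echo "kvno drift: the keytab above no longer matches the KDC"
  fi
  rm -rf "$d"
}
demo
```

On a live server, capture the output of `klist -k <keytab>` and of `kvno <principal>` for the principals in that keytab into two files and pass them in. A mismatch on the HTTP principal is the situation Rob describes: the keytab the web server holds no longer matches the key in the restored KDC data, so the Negotiate exchange behind the web UI and the `ipa` command cannot succeed.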


[Freeipa-users] Re: ipa-restore and the issues

2020-02-05 Thread Rob Crittenden via FreeIPA-users
Ian Kumlien via FreeIPA-users wrote:
> Hi,
> 
> Due to issues, I'm trying to do a partial restore of all the "important bits"
> 
> But if I do ipa-restore --online --data --backend=userRoot $BACKUP
> 
> I end up in a semi-working environment - the webui doesn't work - kinit does...
> 
> ipa doesn't etc..
> 

It doesn't work how? What have you done to troubleshoot? What do the
logs say?

rob


[Freeipa-users] Re: [EXTERNAL] Re: VMware vCenter Single Sign-On

2020-02-05 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
I am working on the issue from the VMware end,
Let's see if I can get them to understand that their current OpenLDAP solution 
is unusable and needs to be updated.
__

Daniel E. White
daniel.e.wh...@nasa.gov
NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road
Building 14, Room E175
Greenbelt, MD 20771
Office: (301) 286-6919
Mobile: (240) 513-5290

From: Christopher Young 
Date: Tuesday, February 4, 2020 at 21:12
To: FreeIPA users list 
Cc: Daniel White 
Subject: [EXTERNAL] Re: [Freeipa-users] VMware vCenter Single Sign-On

I gotta say, the unwillingness of large organizations like RedHat to
even consider this functionality is pretty amazing to see since there
was a bug filed 12 years ago to add proper support for RFC 4530
entryUUID.  At some point, it should be a matter of pride for the
directory services to add functionality that clearly there is a demand
for.  I understand a lack of resources, but this looks more like a
lack of overall desire when you look at the complete lack of
attention this type of stuff gets in Bugzilla.

Having said that, it is pretty strange for vCenter to have LDAP
requirements and lack of instructions/testing with hardly any
third-party LDAP solutions.  That kinda defeats the purpose of
supporting an open standard.

In any case, at least there is a solid answer.  This would be one
worth just putting in the FAQ or on pages referencing vCenter that is
basically unsupported and will not be worked.

-- Chris


[Freeipa-users] Re: FreeIPA 4.8.1 on Fedora 31 (upgraded from F30)fails to start

2020-02-05 Thread Florence Blanc-Renaud via FreeIPA-users

On 2/5/20 1:35 PM, Jochen Demmer via FreeIPA-users wrote:
Yeah I actually modified the PEM outputs because I wasn't sure if it was 
sensible.

The second attribute userCertificate has the serial 21.
What about the ra-agent.key? When I put the certificate from the LDAP to 
the file named ra-agent.pem, does the .key file need to be updated, too?


If the cert was renewed, the key didn't change. You can actually check 
that a given key matches a cert with

# openssl rsa -noout -modulus -in /var/lib/ipa/ra-agent.key | openssl md5
# openssl x509 -noout -modulus -in /var/lib/ipa/ra-agent.pem | openssl md5

Both outputs should be identical.

HTH,
flo

Thank you so much. I'm looking forward to a working upgrade, soon ;-)

Jochen

On Tuesday, 4 February 2020 17:47:05 CET, Florence Blanc-Renaud wrote:

On 2/3/20 9:07 AM, Jochen Demmer via FreeIPA-users wrote:

Hi,

unfortunately currently there is no other node, which is why I'm 
trying to update to Fedora 31. I used to replicate between two 
machines but one got lost.
I installed a new machine which is supposed to work as my new replica 
but this is being virtualized in bhyve / FreeNAS and this doesn't 
allow Fedora 30 to be installed so I'm stuck with Fedora 31.
In the docs it's said that versions between replicas need to be 
consistent so I'm trying to update the only running FreeIPA node 
(srv107) to Fedora 31 first.



Ok, so in this case we need to work on this single node...


Jochen

On Monday, February 03, 2020 08:36 CET, Florence Blanc-Renaud via 
FreeIPA-users  wrote: ...
We can see that there is an inconsistency between the 
/var/lib/ipa/ra-agent.pem file and the LDAP content. You need to 
choose which one to pick as the source of truth and update the other one.


If the cert in /var/lib/ipa/ra-agent.pem is still valid, you can use 
this one. To check the validity:

$ openssl x509 -noout -text -in /var/lib/ipa/ra-agent.pem

Look for the lines:
    Validity
    Not Before: 
    Not After : 

If the cert is valid, use this one as source of truth and update the 
ldap entry with ldapmodify (the description attribute and the 
usercertificate attribute).


If the cert is not valid, you need to find which one in the ldap entry 
corresponds to the serial 21. I did not manage to read the content of 
the usercertificate attribute, did you cut the ldapsearch output?

I tried with
$ openssl x509 -noout -text
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----

but the 2 certs in the usercertificate attribute failed with "unable 
to load certificate".


flo


...







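An added example, not from the thread or from FreeIPA, covering the three checks flo walks through above: whether the file certificate is still inside its validity period, whether a certificate and a private key belong together (done here by comparing public keys, which also covers non-RSA keys, rather than the RSA-only modulus comparison), and how to get the certificates out of an ldapsearch dump. ldapsearch emits userCertificate as base64-encoded DER after a double colon, folded onto continuation lines, so the value has to be decoded and read with -inform DER; pasting it between PEM markers is what yields "unable to load certificate". The subject names, the DN and the LDIF entry in the sample are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the thread or from FreeIPA. Three checks that come up
# when reconciling /var/lib/ipa/ra-agent.pem and ra-agent.key with the copy held
# in LDAP:
#   cert_still_valid  - is the certificate inside its validity period right now?
#   cert_matches_key  - does a PEM certificate belong to a PEM private key?
#                       Comparing the public keys works for RSA and EC alike,
#                       unlike the RSA-only modulus comparison.
#   ldif_certs_to_pem - ldapsearch prints userCertificate as base64 of DER
#                       ("userCertificate;binary:: MII...", folded onto
#                       continuation lines). Decoded and read with -inform DER
#                       it loads; pasted between PEM markers it does not.
# The subject names, the DN and the LDIF entry below are constructed.
set -eu

cert_still_valid() {   # $1 = cert PEM; -checkend 0 fails once the cert has expired
  openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

cert_matches_key() {   # $1 = cert PEM, $2 = private key PEM
  c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# ldif_certs_to_pem LDIF_FILE OUT_DIR: write every userCertificate value in the
# LDIF as OUT_DIR/cert-N.pem and print "N serial=<hex>" for each.
ldif_certs_to_pem() {
  awk '
    /^userCertificate(;binary)?:: / { n++; val[n] = substr($0, index($0, ":: ") + 3); inval = 1; next }
    inval && /^ / { val[n] = val[n] substr($0, 2); next }
    { inval = 0 }
    END { for (i = 1; i <= n; i++) print i, val[i] }' "$1" |
  while read -r i b64; do
    # re-fold the base64 so the decoder sees ordinary line lengths
    printf '%s\n' "$b64" | fold -w 64 | openssl base64 -d | openssl x509 -inform DER -out "$2/cert-$i.pem"
    printf '%s serial=%s\n' "$i" "$(openssl x509 -noout -serial -in "$2/cert-$i.pem" | cut -d= -f2)"
  done
}

make_sample() {   # $1 = scratch dir: two EC self-signed certs plus an LDIF entry carrying both
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/req.cnf"
  for name in agent other; do
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -config "$1/req.cnf" -keyout "$1/$name.key" -out "$1/$name.pem" \
      -subj "/O=EXAMPLE.TEST/CN=IPA RA $name" -days 30 2>/dev/null
  done
  {
    printf 'dn: uid=ipara,ou=People,o=ipaca\n'
    for name in agent other; do
      printf 'userCertificate;binary:: '
      openssl x509 -in "$1/$name.pem" -outform DER | openssl base64 | tr -d '\n' |
        awk '{ for (i = 1; i <= length($0); i += 76) { pre = (i == 1) ? "" : " "; print pre substr($0, i, 76) } }'
    done
  } > "$1/sample.ldif"
}

demo() {
  d=$(mktemp -d); make_sample "$d"
  ldif_certs_to_pem "$d/sample.ldif" "$d"
  for i in 1 2; do
    if cert_matches_key "$d/cert-$i.pem" "$d/agent.key"; then echo "cert-$i belongs to agent.key"
    else echo "cert-$i does not belong to agent.key"; fi
  done
  cert_still_valid "$d/cert-1.pem" && echo "cert-1 is within its validity period"
  rm -rf "$d"
}
demo
```

On a real server the LDIF input is the ldapsearch output of the RA agent entry, and the serial printed per extracted certificate is what tells you which of the userCertificate values is the one you are looking for; the extracted PEM can then be compared against /var/lib/ipa/ra-agent.key with cert_matches_key before it is copied over ra-agent.pem.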

[Freeipa-users] ipa-restore and the issues

2020-02-05 Thread Ian Kumlien via FreeIPA-users
Hi,

Due to issues, I'm trying to do a partial restore of all the "important bits"

But if I do ipa-restore --online --data --backend=userRoot $BACKUP

I end up in a semi-working environment - the webui doesn't work - kinit does...

ipa doesn't etc..

What fields in LDAP would i have to save and replace to get this working?


[Freeipa-users] Re: FreeIPA 4.8.1 on Fedora 31 (upgraded from F30)fails to start

2020-02-05 Thread Jochen Demmer via FreeIPA-users
Yeah I actually modified the PEM outputs because I wasn't sure if it was 
sensible.

The second attribute userCertificate has the serial 21.
What about the ra-agent.key? When I put the certificate from the LDAP to 
the file named ra-agent.pem, does the .key file need to be updated, too?


Thank you so much. I'm looking forward to a working upgrade, soon ;-)

Jochen

On Tuesday, 4 February 2020 17:47:05 CET, Florence Blanc-Renaud wrote:

On 2/3/20 9:07 AM, Jochen Demmer via FreeIPA-users wrote:

Hi,

unfortunately currently there is no other node, which is why 
I'm trying to update to Fedora 31. I used to replicate between 
two machines but one got lost.
I installed a new machine which is supposed to work as my new 
replica but this is being virtualized in bhyve / FreeNAS and 
this doesn't allow Fedora 30 to be installed so I'm stuck with 
Fedora 31.
In the docs it's said that versions between replicas need to 
be consistent so I'm trying to update the only running FreeIPA 
node (srv107) to Fedora 31 first.



Ok, so in this case we need to work on this single node...


Jochen

On Monday, February 03, 2020 08:36 CET, Florence Blanc-Renaud 
via FreeIPA-users  wrote: 
...
We can see that there is an inconsistency between the 
/var/lib/ipa/ra-agent.pem file and the LDAP content. You need to 
choose which one to pick as the source of truth and update the 
other one.


If the cert in /var/lib/ipa/ra-agent.pem is still valid, you 
can use this one. To check the validity:

$ openssl x509 -noout -text -in /var/lib/ipa/ra-agent.pem

Look for the lines:
Validity
Not Before: 
Not After : 

If the cert is valid, use this one as source of truth and 
update the ldap entry with ldapmodify (the description attribute 
and the usercertificate attribute).


If the cert is not valid, you need to find which one in the 
ldap entry corresponds to the serial 21. I did not manage to 
read the content of the usercertificate attribute, did you cut 
the ldapsearch output?

I tried with
$ openssl x509 -noout -text
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----

but the 2 certs in the usercertificate attribute failed with 
"unable to load certificate".


flo


...
