[Freeipa-users] Re: AD trust external group in the foreman
On Wed, Mar 25, 2020 at 9:53 PM Alexander Bokovoy wrote:
> On Wed, 25 Mar 2020, Natxo Asenjo via FreeIPA-users wrote:
> >hi,
> >
> >the foreman cannot authenticate using external authentication using the
> >api endpoints, apparently, which is a bit of a bummer.
> >
> >It can do ldap, though, so the question is:
> >
> >can I authenticate AD users using the compat tree in IdM? (rhel 7.7 by the
> >way).
>
> Yes, if two conditions hold:
> - the entry in compat tree is first looked up
> - that entry DN is used for a bind DN

thanks for your answer. Looks like we'll have to talk directly to the AD
ldap servers then :-)

--
Groeten,
natxo

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
[Freeipa-users] Re: AD trust external group in the foreman
On Wed, 25 Mar 2020, Natxo Asenjo via FreeIPA-users wrote:
> hi,
>
> the foreman cannot authenticate using external authentication using the
> api endpoints, apparently, which is a bit of a bummer.
>
> It can do ldap, though, so the question is:
>
> can I authenticate AD users using the compat tree in IdM? (rhel 7.7 by the
> way).

Yes, if two conditions hold:
- the entry in compat tree is first looked up
- that entry DN is used for a bind DN

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] AD trust external group in the foreman
hi,

the foreman cannot authenticate using external authentication using the
api endpoints, apparently, which is a bit of a bummer.

It can do ldap, though, so the question is:

can I authenticate AD users using the compat tree in IdM? (rhel 7.7 by the
way).

--
Groeten,
natxo
[Freeipa-users] Re: Script deletion of a host?
--force-join

Sounds like it may be just what I'm looking for. I'll give that a try.

Thank you!

On Wed, Mar 25, 2020 at 12:56 PM Alexander Bokovoy wrote:
> On Wed, 25 Mar 2020, None via FreeIPA-users wrote:
> >This may be a bit of a strange scenario.
> >
> >Environment is a compute cluster (running xCAT 2.15)
> >
> >FreeIPA server is running on the cluster master node.
> >
> >FreeIPA clients are installed on all other nodes. Compute nodes, login
> >nodes, storage nodes, GPU nodes, etc.
> >
> >I created a script that installs the client packages and joins the realm
> >after provisioning the OS. That all works great on new hosts.
> >
> >My issue is that compute nodes are reinstalled on occasion. Normally, that
> >is a simple process. Tell the cluster master to mark that host for
> >install. During the next PXE boot, that happens. Problem is, if the node
> >has already been part of the realm, it can't join, so that command fails.
> >If I manually go into FreeIPA server and remove the node while it's
> >reinstalling the OS, then the client script runs fine when that is complete.
> >
> >Is there a way to have a client execute a command to remove its previous
> >information before joining?
>
> You can pass --force-join to ipa-client-install to force through the
> already existing host.
>
> Otherwise, you can run 'ipa-client-install --uninstall', that will
> clear everything.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
[Freeipa-users] Re: Script deletion of a host?
On Wed, 25 Mar 2020, None via FreeIPA-users wrote:
> This may be a bit of a strange scenario.
>
> Environment is a compute cluster (running xCAT 2.15)
>
> FreeIPA server is running on the cluster master node.
>
> FreeIPA clients are installed on all other nodes. Compute nodes, login
> nodes, storage nodes, GPU nodes, etc.
>
> I created a script that installs the client packages and joins the realm
> after provisioning the OS. That all works great on new hosts.
>
> My issue is that compute nodes are reinstalled on occasion. Normally, that
> is a simple process. Tell the cluster master to mark that host for
> install. During the next PXE boot, that happens. Problem is, if the node
> has already been part of the realm, it can't join, so that command fails.
> If I manually go into FreeIPA server and remove the node while it's
> reinstalling the OS, then the client script runs fine when that is complete.
>
> Is there a way to have a client execute a command to remove its previous
> information before joining?

You can pass --force-join to ipa-client-install to force through the
already existing host.

Otherwise, you can run 'ipa-client-install --uninstall', that will
clear everything.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] Script deletion of a host?
This may be a bit of a strange scenario.

Environment is a compute cluster (running xCAT 2.15)

FreeIPA server is running on the cluster master node.

FreeIPA clients are installed on all other nodes. Compute nodes, login
nodes, storage nodes, GPU nodes, etc.

I created a script that installs the client packages and joins the realm
after provisioning the OS. That all works great on new hosts.

My issue is that compute nodes are reinstalled on occasion. Normally, that
is a simple process. Tell the cluster master to mark that host for
install. During the next PXE boot, that happens. Problem is, if the node
has already been part of the realm, it can't join, so that command fails.
If I manually go into FreeIPA server and remove the node while it's
reinstalling the OS, then the client script runs fine when that is complete.

Is there a way to have a client execute a command to remove its previous
information before joining?

Thanks in advance.
[Freeipa-users] Re: Domain controllers switch to LDAPS
On 3/25/20 4:44 AM, Ronald Wimmer via FreeIPA-users wrote:
> On 25.02.20 17:26, Alexander Bokovoy via FreeIPA-users wrote:
> > [...]
> > Some people are panicking and want to switch everything to LDAPS. For
> > those there is additional enhancement in works. For everyone else there
> > is no need to do anything.
>
> As AD people in our organization start "panicking" we will need the
> additional enhancement very soon. Where can I find more about it?

I don't think there's any reason anyone needs to panic. Microsoft updated
their ADV190023 a few weeks ago to add this:

"The March 10, 2020 and updates in the foreseeable future will *not* make
changes to LDAP signing or LDAP channel binding policies or their registry
equivalent on new or existing domain controllers."

If you or they do still have questions, give me a call or email and I'll be
happy to talk to you.

CP

--
Christopher Paul
chris.p...@rexconsulting.net
831-419-5671
[Freeipa-users] Re: Domain controllers switch to LDAPS
On 25.02.20 17:26, Alexander Bokovoy via FreeIPA-users wrote:
> [...]
> Some people are panicking and want to switch everything to LDAPS. For
> those there is additional enhancement in works. For everyone else there
> is no need to do anything.

As AD people in our organization start "panicking" we will need the
additional enhancement very soon. Where can I find more about it?

Cheers,
Ronald
[Freeipa-users] Re: Add new Identity Settings for users Freeipa
On 3/24/20 11:24 AM, dmitriys via FreeIPA-users wrote:
> Good day!
>
> I set up integration of FreeIPA with Jamf. I mapped default user
> attributes from Identity Settings like:
>
> Job Title
> First name
> Last name
> Email
>
> In Jamf I have more user attributes (Department, Building). My question
> is: how can I map user attributes from Employee Information to attributes
> in Jamf, or maybe I need to create a new field in Identity Settings?

Hi,

LDAP schema already defines a lot of attributes that can be re-used. The
difficulty is to find one that suits your needs and is allowed by the
schema.

You need first to check which objectclasses represent your user entries
(by default IPA uses person, organizationalperson, inetorgperson,
inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject,
ipasshuser). This can be found with

$ ipa config-show --all | grep "Default user objectclass"

Then you can have a look at the LDAP schema and find the attribute types
included in each of these objectclasses. This will give you a list of
potential attributes. For instance

$ ldapsearch -x -LLL -o ldif-wrap=no -b cn=schema -s base objectclasses | grep -i inetorgperson
objectclasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson STRUCTURAL MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $ roomNumber $ secretary $ uid $ userCertificate $ x500UniqueIdentifier $ preferredLanguage $ userSMIMECertificate $ userPKCS12 ) X-ORIGIN 'RFC 2798' )

The inetorgperson defines departmentNumber which may be of interest.

You need to check what type of content is allowed in this attribute:

$ ldapsearch -x -LLL -o ldif-wrap=no -b cn=schema -s base attributetypes | grep -i departmentnumber
attributetypes: ( 2.16.840.1.113730.3.1.2 NAME 'departmentNumber' DESC 'identifies a department within an organization' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 2798' )

The SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 means it's a DirectoryString. If
you intend to store the "department" info as a string you may use this
specific attribute.

If you are familiar with ApacheDirectoryStudio, you can use the LDAP
browser and schema browser to help you find all this information.

HTH,
flo
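The schema lookup flo walks through above can be automated once the `ldapsearch` output is saved. The following is an added example, not code from the thread or from FreeIPA: a small parser for the RFC 4512 objectclass and attributetype definitions (the format quoted above) that resolves SUP inheritance, reports which of the default IPA user objectclasses allow a given attribute, and maps the SYNTAX OID to a readable name. The embedded schema lines are a constructed sample: the two definitions quoted in the reply plus `person` and `organizationalPerson` as defined in RFC 4519, so the example runs offline; against a real server you would feed it the full `ldapsearch -b cn=schema -s base` output instead.

```python
import re

# Constructed sample schema: the inetOrgPerson and departmentNumber lines quoted
# in the reply, plus person and organizationalPerson from RFC 4519 so that the
# SUP chain can be resolved without a live directory.
SCHEMA_LINES = [
    "objectclasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson STRUCTURAL MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $ roomNumber $ secretary $ uid $ userCertificate $ x500UniqueIdentifier $ preferredLanguage $ userSMIMECertificate $ userPKCS12 ) X-ORIGIN 'RFC 2798' )",
    "objectclasses: ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationalISDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l ) X-ORIGIN 'RFC 4519' )",
    "objectclasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) X-ORIGIN 'RFC 4519' )",
    "attributetypes: ( 2.16.840.1.113730.3.1.2 NAME 'departmentNumber' DESC 'identifies a department within an organization' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 2798' )",
]

# Default user objectclasses as listed in the reply (what `ipa config-show` prints).
IPA_DEFAULT_USER_OBJECTCLASSES = [
    "person", "organizationalperson", "inetorgperson", "inetuser", "posixaccount",
    "krbprincipalaux", "krbticketpolicyaux", "ipaobject", "ipasshuser",
]

# A few common LDAP syntax OIDs (RFC 4517) mapped to readable names.
SYNTAX_NAMES = {
    "1.3.6.1.4.1.1466.115.121.1.15": "DirectoryString",
    "1.3.6.1.4.1.1466.115.121.1.26": "IA5String",
    "1.3.6.1.4.1.1466.115.121.1.27": "INTEGER",
    "1.3.6.1.4.1.1466.115.121.1.7": "Boolean",
    "1.3.6.1.4.1.1466.115.121.1.12": "DN",
    "1.3.6.1.4.1.1466.115.121.1.40": "OctetString",
}

# RFC 4512 keywords that take no value.
_FLAGS = {"STRUCTURAL", "AUXILIARY", "ABSTRACT", "OBSOLETE",
          "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}
# Tokens: quoted string, parens, the '$' list separator, or a bare word/OID.
_TOKEN = re.compile(r"'[^']*'|\(|\)|\$|[^\s()$']+")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def parse_definition(text):
    """Parse one '( OID KEY value ... )' definition into a dict."""
    toks = _TOKEN.findall(text)
    if not toks or toks[0] != "(" or toks[-1] != ")":
        raise ValueError("not a parenthesized schema definition")
    result = {"oid": toks[1]}
    i = 2
    while i < len(toks) - 1:
        key = toks[i]
        i += 1
        if key in _FLAGS:
            result[key] = True
        elif toks[i] == "(":                      # parenthesized list
            j = toks.index(")", i)
            result[key] = [t.strip("'") for t in toks[i + 1:j] if t != "$"]
            i = j + 1
        else:                                     # single quoted or bare value
            result[key] = toks[i].strip("'")
            i += 1
    return result


def load_schema(lines):
    """Split ldapsearch schema lines into objectclass and attributetype tables, keyed by lowercase name."""
    objectclasses, attributetypes = {}, {}
    for line in lines:
        kind, _, body = line.partition(":")
        definition = parse_definition(body.strip())
        table = objectclasses if kind.strip().lower() == "objectclasses" else attributetypes
        for name in _as_list(definition["NAME"]):
            table[name.lower()] = definition
    return objectclasses, attributetypes


def allowed_attributes(oc_name, objectclasses):
    """MUST and MAY attribute sets of an objectclass including everything inherited via SUP."""
    must, may, seen = set(), set(), set()
    stack = [oc_name.lower()]
    while stack:
        name = stack.pop()
        if name in seen or name not in objectclasses:
            continue                              # unknown class (e.g. 'top' in this sample) is skipped
        seen.add(name)
        definition = objectclasses[name]
        must.update(a.lower() for a in _as_list(definition.get("MUST", [])))
        may.update(a.lower() for a in _as_list(definition.get("MAY", [])))
        stack.extend(s.lower() for s in _as_list(definition.get("SUP", [])))
    return must, may


def classes_allowing(attr, objectclasses, candidates=None):
    """Sorted names of the candidate objectclasses whose MUST or MAY (inherited) contains attr."""
    names = candidates if candidates is not None else objectclasses
    return sorted(n.lower() for n in names
                  if attr.lower() in set().union(*allowed_attributes(n, objectclasses)))


def attribute_syntax(attr, attributetypes):
    """Readable syntax name for an attributetype, or the raw OID if unknown."""
    oid = attributetypes[attr.lower()]["SYNTAX"]
    return SYNTAX_NAMES.get(oid, oid)


if __name__ == "__main__":
    oc, at = load_schema(SCHEMA_LINES)
    for attr in ("departmentNumber", "title", "cn"):
        fits = classes_allowing(attr, oc, IPA_DEFAULT_USER_OBJECTCLASSES)
        print(f"{attr}: allowed by {fits}")
    print("departmentNumber syntax:", attribute_syntax("departmentNumber", at))
```

The `candidates` argument lets you restrict the search to the objectclasses your user entries actually carry, which is the point of the `ipa config-show` step: an attribute that exists in the schema but is not allowed by any of those classes cannot be added to a user without changing the objectclass list.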