[Freeipa-users] Re: Disabling Anonymous Binds - Hangs on Request - No Return to Prompt

2023-09-27 Thread Christian Heimes via FreeIPA-users

On 27/09/2023 22.00, Andrew Imeson via FreeIPA-users wrote:

The password can be stored in Ansible Vault, prompted for, or whatever 
preferred Ansible secret management strategy you employ.

I run it from the FreeIPA nodes, so it’s over an encrypted SSH session and then 
done via the loopback. It’s also using “ldaps” not “ldap,” so even a privileged 
user sniffing on the loopback wouldn’t see it (although a privileged user would 
have a hundred other ways to potentially gain access).


It may be easier to use ipa-ldap-updater as root. The command uses LDAP 
over Unix sockets for secure communication and authentication. You don't 
have to pass any additional options like host, port, or password. The 
update syntax is based on LDIF, but shorter and IMO easier to read.



Create a file "rootdse.update" with content:

dn: cn=config
only: nsslapd-allow-anonymous-access: rootdse

then run "ipa-ldap-updater rootdse.update" on every IPA server. Changes 
to cn=config are not replicated.


Christian
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security

Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael 
O'Neill

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] Re: Installing FreeIPA server + replica using Ansible Role FreeIPA

2023-09-27 Thread Rob Crittenden via FreeIPA-users
Finn Fysj via FreeIPA-users wrote:
>> Finn Fysj via FreeIPA-users wrote:
>>
>> If you migrate the Kerberos keys and principals they will be for the
>> original realm and will not work.
>>
>> LDAP passwords are migrated by allowing password migration in
>> ipa-config. When this mode is enabled, if an LDAP bind occurs and there
>> are no Kerberos keys then they are generated automatically if they don't
>> already exist.
>>
>>
>> Because it sounds like you aren't using Kerberos at all.
>>
>>
>> RHEL and Fedora have used private user groups for decades now. The
>> definition being that when a user is created they get a group with the
>> same id and no members.
>>
>> An IPA user-private group is similar in nature in that it has the same
>> uid/gid. It also lacks the objectclasses to allow members.
>>
>> A migrated group will retain the same GID but is a regular group.
>>
>> This is most noticeable when you have a lot of users, so therefore a lot
>> of private groups. Private groups are filtered out by default when
>> looking at the list of groups. That will not happen after migration.
>>
>> I'm really not sure what your use-case is here. Do you have an existing
>> broken IPA server? I have the impression you are starting out new.
>>
>> rob
> 
> Firstly thank you for taking your time, Rob.
> 
> We have an existing IPA server running on RHEL7 and our goal is to create two 
> new IPA servers on RHEL9 (master & replica). 
> We therefore want to migrate USERS & GROUPS only from the existing IPA server 
> using ipa migrate-ds.  
> The end goal looks something like: only to use the IPA servers as LDAP servers 
> and load balance these two. It basically gives us LDAP servers w/ GUI. 
> Replacing FreeIPA is not an option.
> 
> I'm therefore curious what the risks may be if we're leaving out migrating 
> UPGs, and secondly your thoughts on this approach.
>

UPGs cannot be migrated at all. There is no risk. Some find it annoying
to see a bunch of single-user groups in the interface, that's all.

rob


[Freeipa-users] Re: IPA Upgrade failure during CA phase

2023-09-27 Thread Rob Crittenden via FreeIPA-users
Vinícius Ferrão via FreeIPA-users wrote:
> Hello,
> 
> After running yum update on an EL7.9 system FreeIPA was unable to start, asking 
> for manual upgrade.
> 
> So I performed the required command, without success:
> 
> [root@headnode pki]# ipa-server-upgrade 
> Upgrading IPA:. Estimated time: 1 minute 30 seconds
>   [1/9]: saving configuration
>   [2/9]: disabling listeners
>   [3/9]: enabling DS global lock
>   [4/9]: disabling Schema Compat
>   [5/9]: starting directory server
>   [6/9]: updating schema
>   [7/9]: upgrading server
>   [8/9]: stopping directory server
>   [9/9]: restoring configuration
> Done.
> Update complete
> Upgrading IPA services
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> [Verifying that CA proxy configuration is correct]
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command 
> ipa-server-upgrade manually.
> CA did not start in 300.0s
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more 
> information
> 
> 
> The /var/log/ipaupgrade.log file is 75k lines long, but looking at it after 
> some hours I think the relevant data is the following:
> 
> 2023-09-26T22:22:23Z DEBUG stdout=ERROR: No kra subsystem in instance 
> pki-tomcat.
> 2023-09-26T22:22:35Z DEBUG stderr=
> 2023-09-26T22:22:35Z DEBUG Starting pki-tomcatd@pki-tomcat.
> 2023-09-26T22:22:35Z DEBUG Starting external process
> 2023-09-26T22:22:35Z DEBUG args=/bin/systemctl start 
> pki-tomcatd@pki-tomcat.service
> 2023-09-26T22:22:36Z DEBUG Process finished, return code=0
> 2023-09-26T22:22:36Z DEBUG stdout=
> 2023-09-26T22:22:36Z DEBUG stderr=
> 2023-09-26T22:22:36Z DEBUG Starting external process
> 2023-09-26T22:22:36Z DEBUG args=/bin/systemctl is-active 
> pki-tomcatd@pki-tomcat.service
> 2023-09-26T22:22:36Z DEBUG Process finished, return code=0
> 2023-09-26T22:22:36Z DEBUG stdout=active
> 2023-09-26T22:22:36Z DEBUG stderr=
> 2023-09-26T22:22:36Z DEBUG wait_for_open_ports: localhost [8080, 8443] 
> timeout 300
> 2023-09-26T22:22:36Z DEBUG waiting for port: 8080
> 2023-09-26T22:22:36Z DEBUG Failed to connect to port 8080 tcp on ::1
> 2023-09-26T22:22:36Z DEBUG Failed to connect to port 8080 tcp on 127.0.0.1
> 2023-09-26T22:22:38Z DEBUG SUCCESS: port: 8080
> 2023-09-26T22:22:38Z DEBUG waiting for port: 8443
> 2023-09-26T22:22:38Z DEBUG SUCCESS: port: 8443
> 2023-09-26T22:22:38Z DEBUG Start of pki-tomcatd@pki-tomcat.service complete
> 2023-09-26T22:22:38Z DEBUG Waiting until the CA is running
> 2023-09-26T22:22:38Z DEBUG request POST 
> http://DOMAIN:8080/ca/admin/ca/getStatus
> 2023-09-26T22:22:38Z DEBUG request body ''
> 2023-09-26T22:22:42Z DEBUG response status 500
> 2023-09-26T22:22:42Z DEBUG response headers Server: Apache-Coyote/1.1
> 2023-09-26T22:22:42Z DEBUG response body 'Apache 
> Tomcat/7.0.76 - Error report 
> HTTP Status 500 - Subsystem unavailable noshade="noshade">type Exception reportmessage 
> Subsystem unavailabledescription The server 
> encountered an internal error that prevented it from fulfilling this 
> request.exception 
> javax.ws.rs.ServiceUnavailableException: Subsystem 
> unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)\n\torg.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)\n\torg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:750)\nnote
>  The full stack trace of the root cause is available in the Apache 
> Tomcat/7.0.76 logs.Apache 
> Tomcat/7.0.76'
> 2023-09-26T22:22:42Z DEBUG The CA status is: check 

[Freeipa-users] Re: Keytab issues after upgrade to Fedora 38

2023-09-27 Thread Rob Crittenden via FreeIPA-users
Djerk Geurts via FreeIPA-users wrote:
> Today was my second attempt to lift FreeIPA servers to Fedora 38 from 37. 
> Again it failed.
> 
> Sync and healthchecks were fine, but an (admin) user can't log into the WebUI 
> and can't do sudo. Login works because I do key based authentication.
> 
> Kinit admin works, but kinit alone doesn't.
> 
> I have a hunch that a keytab gets corrupted somewhere, but I'm baffled as to 
> why this wouldn't present as different errors.
> 
> Has anyone experienced similar issues? I've rolled the servers back, so don't 
> have much in the way of logs at the moment.

Without logs it's hard to speculate.

My only guess is to ensure all your users have a SID assigned. You can
try running:

ipa config-mod --add-sids --enable-sid

Check the 389-ds errors log. It will stop processing if it finds any
users who are not in an IPA idrange.

rob


[Freeipa-users] Re: Disabling Anonymous Binds - Hangs on Request - No Return to Prompt

2023-09-27 Thread Marcelo Carvalho via FreeIPA-users
Thanks Andrew.

I will dig into my Ansible options.

Many thanks

_M


[Freeipa-users] Re: Disabling Anonymous Binds - Hangs on Request - No Return to Prompt

2023-09-27 Thread Andrew Imeson via FreeIPA-users
The password can be stored in Ansible Vault, prompted for, or whatever 
preferred Ansible secret management strategy you employ.

I run it from the FreeIPA nodes, so it’s over an encrypted SSH session and then 
done via the loopback. It’s also using “ldaps” not “ldap,” so even a privileged 
user sniffing on the loopback wouldn’t see it (although a privileged user would 
have a hundred other ways to potentially gain access).

> On Sep 27, 2023, at 3:20 PM, Marcelo Carvalho via FreeIPA-users 
>  wrote:
> 
> Thank you so much Andrew.
> 
> Question:  Does "freeipa_directory_manager_password" go in the clear?
> 
> _M


[Freeipa-users] Re: Disabling Anonymous Binds - Hangs on Request - No Return to Prompt

2023-09-27 Thread Marcelo Carvalho via FreeIPA-users
Thank you Rob.

It worked perfectly.  All done.

Many thanks

Marcelo


[Freeipa-users] Re: Disabling Anonymous Binds - Hangs on Request - No Return to Prompt

2023-09-27 Thread Marcelo Carvalho via FreeIPA-users
Thank you so much Andrew.

Question:  Does "freeipa_directory_manager_password" go in the clear?

_M


[Freeipa-users] Re: Disabling Anonymous Binds - Hangs on Request - No Return to Prompt

2023-09-27 Thread Andrew Imeson via FreeIPA-users
And if you want to have Ansible do it (setting either ‘off’ or ‘rootdse’ as the 
value) I’ve used this

- name: Disable FreeIPA anonymous LDAP access
  community.general.ldap_attrs:
    dn: cn=config
    attributes:
      nsslapd-allow-anonymous-access: 'off'
    server_uri: ldaps://localhost
    validate_certs: false
    bind_dn: cn=Directory Manager
    bind_pw: '{{ freeipa_directory_manager_password }}'


> On Sep 27, 2023, at 11:21 AM, Rob Crittenden via FreeIPA-users 
>  wrote:
> 
> Marcelo Carvalho via FreeIPA-users wrote:
>> Hi Florence
>> 
>> Thank you so much.
>> 
>> Questions:  
>> 
>> 1) How do we "type a carriage return at the end?"
>> 2) Will just a "\n" suffice, or do we need a "control character?"
>> 3) If "control character" is needed how do we embed it on our copy-n-paste?  
>> Hitting return for that new line does not work.
>> 
> 
> You just need an empty line to tell ldapmodify that the current mod
> request is complete. You can alternatively put this into a file and pass
> it in that way. EOF is treated as the end as well.
> 
> rob


[Freeipa-users] Re: Disabling Anonymous Binds - Hangs on Request - No Return to Prompt

2023-09-27 Thread Rob Crittenden via FreeIPA-users
Marcelo Carvalho via FreeIPA-users wrote:
> Hi Florence
> 
> Thank you so much.
> 
> Questions:  
> 
> 1) How do we "type a carriage return at the end?"
> 2) Will just a "\n" suffice, or do we need a "control character?"
> 3) If "control character" is needed how do we embed it on our copy-n-paste?  
> Hitting return for that new line does not work.
>

You just need an empty line to tell ldapmodify that the current mod
request is complete. You can alternatively put this into a file and pass
it in that way. EOF is treated as the end as well.

rob
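As an added illustration of the record-termination rule Rob describes (not code from the FreeIPA project or from anyone in the thread), here is a small parser for the `changetype: modify` subset of ldapmodify input. It splits records on empty lines, also closes the last record at EOF, and treats a line holding only `-` as the separator between modifications inside one record. The sample input is constructed; `cn=example,dc=example,dc=com` and its `description` attribute are hypothetical.

```python
"""Parse ldapmodify input into change records.

Added example for this thread, not FreeIPA project code. A record ends at an
empty line or at EOF; inside one 'changetype: modify' record the individual
modifications are separated by a line holding only '-'. The sample is constructed.
"""
import base64
from dataclasses import dataclass, field


@dataclass
class ChangeRecord:
    dn: str
    changetype: str
    mods: list = field(default_factory=list)  # (op, attribute, [values])


def _unwrap(lines):
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def _split(line):
    """Return (lowercased name, value); 'name:: b64' carries a base64-encoded value."""
    name, sep, rest = line.partition(":")
    if not sep:
        raise ValueError(f"not an LDIF attribute line: {line!r}")
    if rest.startswith(":"):
        return name.strip().lower(), base64.b64decode(rest[1:].strip()).decode()
    return name.strip().lower(), rest.strip()


def _parse_record(lines):
    name, dn = _split(lines[0])
    if name != "dn":
        raise ValueError("a record must start with 'dn:'")
    if len(lines) < 2 or _split(lines[1]) != ("changetype", "modify"):
        raise ValueError("this parser handles only 'changetype: modify' records")
    record, current = ChangeRecord(dn, "modify"), None
    for line in lines[2:]:
        if line == "-":               # end of one modification inside the record
            current = None
            continue
        name, value = _split(line)
        if current is None:           # operation line: add/replace/delete: <attribute>
            if name not in ("add", "replace", "delete"):
                raise ValueError(f"expected add/replace/delete, got {name!r}")
            current = (name, value, [])
            record.mods.append(current)
        elif name != current[1].lower():
            raise ValueError(f"value line for {name!r} inside modification of {current[1]!r}")
        else:
            current[2].append(value)
    return record


def parse_records(text):
    """Split ldapmodify input on empty lines; EOF closes the last record as well."""
    records, pending = [], []
    for raw in text.splitlines() + [""]:   # the sentinel models EOF
        line = raw.rstrip("\r")
        if line.strip() == "":
            if pending:
                records.append(_parse_record(_unwrap(pending)))
                pending = []
        elif not line.startswith("#"):
            pending.append(line)
    return records


def to_ldapmodify_input(records):
    """Serialize records, emitting the empty line that tells ldapmodify each one is complete."""
    chunks = []
    for rec in records:
        lines = [f"dn: {rec.dn}", f"changetype: {rec.changetype}"]
        for i, (op, attr, values) in enumerate(rec.mods):
            if i:
                lines.append("-")
            lines.append(f"{op}: {attr}")
            lines.extend(f"{attr}: {v}" for v in values)
        chunks.append("\n".join(lines) + "\n")
    return "\n".join(chunks)


# Constructed input: the thread's cn=config change plus a hypothetical two-step record.
SAMPLE = """\
# pasted into ldapmodify, followed by an empty line
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse

dn: cn=example,dc=example,dc=com
changetype: modify
delete: description
-
add: description
description:: YW5vbnltb3VzIGJpbmRzIGRpc2FibGVk
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec)
    print(to_ldapmodify_input(parse_records(SAMPLE)))
```

The parser refuses anything it does not understand rather than guessing, which is the behaviour you want before piping a change at `cn=config` as Directory Manager; the serializer shows the empty line that the original poster was missing.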


[Freeipa-users] Re: Disabling Anonymous Binds - Hangs on Request - No Return to Prompt

2023-09-27 Thread Marcelo Carvalho via FreeIPA-users
Hi Florence

Thank you so much.

Questions:  

1) How do we "type a carriage return at the end?"
2) Will just a "\n" suffice, or do we need a "control character?"
3) If "control character" is needed how do we embed it on our copy-n-paste?  
Hitting return for that new line does not work.

Please advise.

Many thanks.

Marcelo


[Freeipa-users] Re: Error during ipa-replica-install on RHEL 9

2023-09-27 Thread Michal Konecny via FreeIPA-users

The issue is now filed: https://pagure.io/freeipa/issue/9456

FYI: I was digging a little more and it seems that there could be some 
issue with GSSAPI authentication in kerberos.


Michal

On 27. 09. 23 12:45, Alexander Bokovoy wrote:

On Wed, 27 Sep 2023, Michal Konecny wrote:

Hi,

the VM I'm using is completely new, it could be something in our 
ansible playbook that I'm using to deploy it. The playbook is here: 
https://pagure.io/fedora-infra/ansible/blob/main/f/playbooks/groups/ipa.yml, 
but it is created for RHEL-8, so it fails on setting up KRA.


Where should I file the issue?


Please use https://pagure.io/freeipa/issues



Michal

On 27. 09. 23 10:24, Alexander Bokovoy wrote:

On Wed, 27 Sep 2023, Michal Konecny via FreeIPA-users wrote:

Hi everyone,

I'm currently trying to update Fedora IPA installation on staging 
from RHEL 8 to RHEL 9. I'm using this guide 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/migrating_to_identity_management_on_rhel_9 
for it.


I'm currently stuck on error "RuntimeError: Failed to start 
replication" and I don't see anything strange in the logs. Here is 
the log from `ipa-replica-install` run: 
https://paste.centos.org/view/a0e2c2b9 . Maybe somebody here will 
know what seems to be the problem.


The only odd thing I can see is a bit of discrepancy between handling of
JSON structure in check_repl_init() and check_repl_update(). We fail due
to the former not expecting 'Error (0) No replication sessions started
since server startup' status message.

I think the replication actually succeeded in one of previous DS
restarts, that's why we've got here.

Please create an issue and attach this pastebin content there.



[Freeipa-users] Re: FreeIpa LDAP authentication

2023-09-27 Thread Duarte Petiz via FreeIPA-users
Update:
I followed this tutorial and it seems to be working now
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/disabling-anon-binds

[root@-freeipa /]# ldapmodify -x -D "cn=Directory Manager" -W -H ldap://10.0.0.9:389
Enter LDAP Password:
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
modifying entry "cn=config"

[root@-freeipa /]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
ipa: INFO: The ipactl command was successful

[root@-freeipa /]# ldapsearch -x -b "dc=example,dc=com" -H ldap://10.0.0.9:389 "(objectClass=*)"

# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectClass=*)
# requesting: ALL
#

# search result
search: 2
result: 48 Inappropriate authentication
text: Anonymous access is not allowed.


On Wed, Sep 27, 2023 at 1:30 PM Duarte Petiz 
wrote:

> Hey everyone!
> I have been using FreeIPA for 2 months.
> Now I asked for an internal pentest and the pentesters found this:
> Without authentication they can obtain information about our freeipa (that
> uses ldap as backend as you know).
>
> ldapsearch -x -b "dc=example,dc=com" -H ldap://10.0.0.9:389
> "(objectClass=*)"
>
> Is there any way to protect it? How can I achieve that?
>
>
>
>
> --
> *Kind Regards*
>
> *Duarte Petiz*
> *DevOps Team Lead *| jscrambler.com
>
>
>
>

-- 
*Kind Regards*

*Duarte Petiz*
*DevOps Team Lead *| jscrambler.com
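The fix above (an ldapmodify of `nsslapd-allow-anonymous-access`, a restart, then an anonymous `ldapsearch` that should come back with result 48) and the `ipa-ldap-updater` form Christian gives at the top of this page both leave the same follow-up work: the change lives in `cn=config`, which is not replicated, so each server has to be changed and then checked from the outside. The script below is an added example, not FreeIPA project code or anything posted in the thread. It renders the updater file for a chosen value, classifies an `ldapsearch -x` transcript without trusting anything but an explicit result 48 or a returned entry, and audits a list of servers against the value you intended. The expectation table encodes the 389-ds meaning of the three values (`rootdse` still answers anonymous root DSE reads, `off` refuses those too). The server names `ipa1.example.com`/`ipa2.example.com` are assumptions; the transcripts are constructed from the output pasted above; `probe_live` is the only part that talks to a directory and is never called by the offline demonstration.

```python
"""Render the anonymous-access change and verify it from the outside.

Added example for this thread, not FreeIPA project code. It assumes the value is
applied on every server separately (cn=config is not replicated), that each
server answers on ldap://<server>, and that a refused anonymous search returns
LDAP result 48 with the text seen in the thread. Sample transcripts are constructed.
"""
import re
import subprocess

VALID_VALUES = ("on", "off", "rootdse")

# Observable effect of each nsslapd-allow-anonymous-access value on an
# anonymous (-x, no -D) search of the suffix and of the root DSE.
EXPECTED = {
    "on":      {"suffix": "allowed", "rootdse": "allowed"},
    "rootdse": {"suffix": "refused", "rootdse": "allowed"},
    "off":     {"suffix": "refused", "rootdse": "refused"},
}


def rootdse_update(value="rootdse"):
    """Body of an ipa-ldap-updater file in the 'only:' form shown earlier in the thread."""
    if value not in VALID_VALUES:
        raise ValueError(f"{value!r} is not one of {VALID_VALUES}")
    return f"dn: cn=config\nonly: nsslapd-allow-anonymous-access: {value}\n"


_RESULT = re.compile(r"^result: (\d+)", re.M)
_ENTRY = re.compile(r"^dn:", re.M)


def classify(transcript):
    """Reduce an `ldapsearch -x` transcript to allowed / refused / unknown.

    Only an explicit result 48 counts as refused and only a successful search
    that returned an entry counts as allowed; a timeout, a wrong base DN or an
    empty result stays 'unknown', so a broken probe never reads as hardened.
    """
    m = _RESULT.search(transcript)
    if not m:
        return "unknown"
    code = int(m.group(1))
    if code == 48:
        return "refused"
    if code == 0 and _ENTRY.search(transcript):
        return "allowed"
    return "unknown"


def probe_live(server, base):
    """Anonymous search with no credentials; base '' with scope base reads the root DSE."""
    scope = ["-s", "base"] if base == "" else []
    cmd = ["ldapsearch", "-x", "-o", "nettimeout=5", "-H", f"ldap://{server}",
           "-b", base, *scope, "(objectClass=*)", "1.1"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def audit(servers, suffix, value, probe=probe_live):
    """Map each server to its mismatches against `value`; an empty list means compliant.

    `probe(server, base)` is injectable so the decision logic runs without a directory.
    """
    want = EXPECTED[value]
    report = {}
    for server in servers:
        seen = {"suffix": classify(probe(server, suffix)),
                "rootdse": classify(probe(server, ""))}
        report[server] = [f"{k}: expected {want[k]}, got {seen[k]}"
                          for k in want if seen[k] != want[k]]
    return report


# Constructed transcripts; the refusal mirrors the output pasted in the thread.
REFUSED_SAMPLE = """\
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectClass=*)
# requesting: 1.1
#

# search result
search: 2
result: 48 Inappropriate authentication
text: Anonymous access is not allowed.
"""

ROOTDSE_SAMPLE = """\
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: 1.1
#

#
dn:

# search result
search: 2
result: 0 Success
"""

if __name__ == "__main__":
    # Offline demonstration with a fake probe that models a server set to 'rootdse'.
    fake = lambda server, base: ROOTDSE_SAMPLE if base == "" else REFUSED_SAMPLE
    print(rootdse_update("rootdse"))
    print(audit(["ipa1.example.com", "ipa2.example.com"], "dc=example,dc=com", "rootdse", probe=fake))
    print(audit(["ipa1.example.com"], "dc=example,dc=com", "off", probe=fake))
```

For a real run, pass your server list and suffix and leave `probe` at its default; run it from a host that is not one of the IPA servers so the check exercises the same path the pentesters used. Note that `audit` only reports what an unauthenticated client can see; it says nothing about whether authenticated users can still read more than they should, which is a separate ACI question.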


[Freeipa-users] Re: Installing FreeIPA server + replica using Ansible Role FreeIPA

2023-09-27 Thread Finn Fysj via FreeIPA-users
> On Wed, 27 Sep 2023, Finn Fysj via FreeIPA-users wrote:
> 
> I would question rather why you want migration of IPA deployment instead
> of just adding those two RHEL 9 servers into existing deployment and
> then retiring the old (RHEL 7) server.
> 
> Sure, this is not possible directly, only through a temporary RHEL 8
> replica first, but that would keep all your data intact.
> 
> Please see 
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
> and
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/...

The short answer is: We consider the old IPA to be unstable and we don't want 
the new server to be based on some existing mess or misconfiguration.


[Freeipa-users] FreeIpa LDAP authentication

2023-09-27 Thread Duarte Petiz via FreeIPA-users
Hey everyone!
I have been using FreeIPA for 2 months.
Now I asked for an internal pentest and the pentesters found this:
Without authentication they can obtain information about our freeipa (that
uses ldap as backend as you know).

ldapsearch -x -b "dc=example,dc=com" -H ldap://10.0.0.9:389
"(objectClass=*)"

Is there any way to protect it? How can I achieve that?




-- 
*Kind Regards*

*Duarte Petiz*
*DevOps Team Lead *| jscrambler.com


[Freeipa-users] Re: Error during ipa-replica-install on RHEL 9

2023-09-27 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 27 Sep 2023, Michal Konecny wrote:

Hi,

the VM I'm using is completely new, it could be something in our 
ansible playbook that I'm using to deploy it. The playbook is here: https://pagure.io/fedora-infra/ansible/blob/main/f/playbooks/groups/ipa.yml, 
but it is created for RHEL-8, so it fails on setting up KRA.


Where should I file the issue?


Please use https://pagure.io/freeipa/issues



Michal

On 27. 09. 23 10:24, Alexander Bokovoy wrote:

On Wed, 27 Sep 2023, Michal Konecny via FreeIPA-users wrote:

Hi everyone,

I'm currently trying to update Fedora IPA installation on staging 
from RHEL 8 to RHEL 9. I'm using this guide https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/migrating_to_identity_management_on_rhel_9 
for it.


I'm currently stuck on error "RuntimeError: Failed to start 
replication" and I don't see anything strange in the logs. Here is 
the log from `ipa-replica-install` run: 
https://paste.centos.org/view/a0e2c2b9 . Maybe somebody here will 
know what seems to be the problem.


The only odd thing I can see is a bit of discrepancy between handling of
JSON structure in check_repl_init() and check_repl_update(). We fail due
to the former not expecting 'Error (0) No replication sessions started
since server startup' status message.

I think the replication actually succeeded in one of previous DS
restarts, that's why we've got here.

Please create an issue and attach this pastebin content there.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Error during ipa-replica-install on RHEL 9

2023-09-27 Thread Michal Konecny via FreeIPA-users

Hi,

the VM I'm using is completely new, it could be something in our ansible 
playbook that I'm using to deploy it. The playbook is here: 
https://pagure.io/fedora-infra/ansible/blob/main/f/playbooks/groups/ipa.yml, 
but it is created for RHEL-8, so it fails on setting up KRA.


Where should I file the issue?

Michal

On 27. 09. 23 10:24, Alexander Bokovoy wrote:

On Wed, 27 Sep 2023, Michal Konecny via FreeIPA-users wrote:

Hi everyone,

I'm currently trying to update Fedora IPA installation on staging 
from RHEL 8 to RHEL 9. I'm using this guide 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/migrating_to_identity_management_on_rhel_9 
for it.


I'm currently stuck on error "RuntimeError: Failed to start 
replication" and I don't see anything strange in the logs. Here is 
the log from `ipa-replica-install` run: 
https://paste.centos.org/view/a0e2c2b9 . Maybe somebody here will 
know what seems to be the problem.


The only odd thing I can see is a bit of discrepancy between handling of
JSON structure in check_repl_init() and check_repl_update(). We fail due
to the former not expecting 'Error (0) No replication sessions started
since server startup' status message.

I think the replication actually succeeded in one of previous DS
restarts, that's why we've got here.

Please create an issue and attach this pastebin content there.




[Freeipa-users] Re: Error during ipa-replica-install on RHEL 9

2023-09-27 Thread Michal Konecny via FreeIPA-users

Hi,

I can try to run it without the parameter. We had this in our ansible 
playbook, so I just tried to run the same.


Michal

On 27. 09. 23 11:41, Florence Blanc-Renaud wrote:

Hi,

On Wed, Sep 27, 2023 at 10:26 AM Alexander Bokovoy via FreeIPA-users 
 wrote:


On Wed, 27 Sep 2023, Michal Konecny via FreeIPA-users wrote:
>Hi everyone,
>
>I'm currently trying to update Fedora IPA installation on staging from
>RHEL 8 to RHEL 9. I'm using this guide
>https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/migrating_to_identity_management_on_rhel_9
>for it.
>
>I'm currently stuck on error "RuntimeError: Failed to start
>replication" and I don't see anything strange in the logs. Here is the
>log from `ipa-replica-install` run:
>https://paste.centos.org/view/a0e2c2b9 . Maybe somebody here will know
>what seems to be the problem.

I noticed that ipa-replica-install is run with the --skip-conncheck 
option. Was there any issue reported without the option? The 
connection checks often reveal DNS issues or firewall preventing 
communication on required ports.


flo


The only odd thing I can see is a bit of discrepancy between handling of
JSON structure in check_repl_init() and check_repl_update(). We fail due
to the former not expecting 'Error (0) No replication sessions started
since server startup' status message.

I think the replication actually succeeded in one of previous DS
restarts, that's why we've got here.

Please create an issue and attach this pastebin content there.

-- 
/ Alexander Bokovoy

Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Error during ipa-replica-install on RHEL 9

2023-09-27 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

On Wed, Sep 27, 2023 at 10:26 AM Alexander Bokovoy via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> On Wed, 27 Sep 2023, Michal Konecny via FreeIPA-users wrote:
> >Hi everyone,
> >
> >I'm currently trying to update Fedora IPA installation on staging from
> >RHEL 8 to RHEL 9. I'm using this guide
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/migrating_to_identity_management_on_rhel_9
> >for it.
> >
> >I'm currently stuck on error "RuntimeError: Failed to start
> >replication" and I don't see anything strange in the logs. Here is the
> >log from `ipa-replica-install` run:
> >https://paste.centos.org/view/a0e2c2b9 . Maybe somebody here will know
> >what seems to be the problem.
>
I noticed that ipa-replica-install is run with the --skip-conncheck option.
Was there any issue reported without the option? The connection checks
often reveal DNS issues or firewall preventing communication on required
ports.

flo


> The only odd thing I can see is a bit of discrepancy between handling of
> JSON structure in check_repl_init() and check_repl_update(). We fail due
> to the former not expecting 'Error (0) No replication sessions started
> since server startup' status message.
>
> I think the replication actually succeeded in one of previous DS
> restarts, that's why we've got here.
>
> Please create an issue and attach this pastebin content there.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland


[Freeipa-users] Re: Error during ipa-replica-install on RHEL 9

2023-09-27 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 27 Sep 2023, Michal Konecny via FreeIPA-users wrote:

Hi everyone,

I'm currently trying to update Fedora IPA installation on staging from 
RHEL 8 to RHEL 9. I'm using this guide https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/migrating_to_identity_management_on_rhel_9 
for it.


I'm currently stuck on error "RuntimeError: Failed to start 
replication" and I don't see anything strange in the logs. Here is the 
log from `ipa-replica-install` run: 
https://paste.centos.org/view/a0e2c2b9 . Maybe somebody here will know 
what seems to be the problem.


The only odd thing I can see is a bit of discrepancy between handling of
JSON structure in check_repl_init() and check_repl_update(). We fail due
to the former not expecting 'Error (0) No replication sessions started
since server startup' status message.

I think the replication actually succeeded in one of previous DS
restarts, that's why we've got here.

Please create an issue and attach this pastebin content there.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Disabling Anonymous Binds - Hangs on Request - No Return to Prompt

2023-09-27 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

On Wed, Sep 27, 2023 at 2:10 AM Marcelo Carvalho via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi everyone
>
> I am trying on a development host to Disabling Anonymous Binds.
>
> I have ran the following command but it hangs and does not return a prompt.
>
> $ ldapmodify -x -D "cn=Directory Manager" -W -h 127.0.0.1 -p 389 -ZZ
> Enter LDAP Password:
> dn: cn=config
> changetype: modify
> replace: nsslapd-allow-anonymous-access
> nsslapd-allow-anonymous-access: rootdse
>
>
ldapmodify waits for an empty line before it actually sends the operation
to the LDAP server. You need to type a carriage return at the end of the
line containing "rootdse", then another carriage return, and you should see
the command result. Then you can type CTRL-D to exit the ldapmodify command.

HTH,
flo

> Following instructions from:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/disabling-anon-binds
>
> ipa --version:  VERSION: 4.10.1, API_VERSION: 2.251
> Red Hat Enterprise Linux" VERSION="9.2
>
> Please, any advice?
>
> Many thanks
>
> Marcelo
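
The hang described in the post above is just ldapmodify waiting for the blank line that terminates an LDIF change record. The same change is easier to make non-interactively. The script below is an added example, not something posted in this thread and not part of FreeIPA: it emits the change record with its terminating blank line, applies it over LDAPS as Directory Manager, and then checks from an unauthenticated client's point of view that the rootDSE is still readable (IPA and SSSD clients depend on it) while an anonymous search of the domain suffix is refused. The host name ipa.example.com, the suffix dc=example,dc=com, the password file path and the IPA_HOST/IPA_SUFFIX/DM_PASS_FILE variables are placeholders. cn=config is local to each 389-ds instance and is not replicated, so the script has to be run against every IPA server.

```shell
#!/bin/sh
# Added example: restrict anonymous LDAP access to the rootDSE on a 389-ds/IPA
# server without an interactive ldapmodify session, then verify the result.
# Placeholders: IPA_HOST, IPA_SUFFIX, DM_PASS_FILE (set them in the environment).
set -eu

# Emit the LDIF change record the thread typed by hand. The final empty line is
# what tells ldapmodify the record is complete; without it, ldapmodify keeps
# reading stdin and appears to hang. Only the three values 389-ds accepts for
# nsslapd-allow-anonymous-access are let through.
build_rootdse_ldif() {
  case "$1" in
    on|off|rootdse) ;;
    *) echo "build_rootdse_ldif: unsupported value '$1'" >&2; return 1 ;;
  esac
  printf 'dn: cn=config\nchangetype: modify\nreplace: nsslapd-allow-anonymous-access\nnsslapd-allow-anonymous-access: %s\n\n' "$1"
}

# Apply the record as Directory Manager over LDAPS. The password is read from a
# file (ldapmodify -y) so it never appears on the command line or in history.
apply_anon_policy() {
  host="$1"; value="$2"; passfile="$3"
  build_rootdse_ldif "$value" |
    ldapmodify -x -H "ldaps://$host" -D "cn=Directory Manager" -y "$passfile"
}

# Check the result as an unauthenticated client:
#  - a base search of the rootDSE (empty base DN) must still succeed, because
#    IPA/SSSD clients read it during discovery;
#  - an anonymous search of the domain suffix must now be refused.
verify_rootdse_only() {
  host="$1"; suffix="$2"
  ldapsearch -x -H "ldaps://$host" -b '' -s base -LLL namingContexts >/dev/null || {
    echo "rootDSE is no longer readable anonymously; clients will break" >&2
    return 1
  }
  if ldapsearch -x -H "ldaps://$host" -b "$suffix" -s base -LLL dn >/dev/null 2>&1; then
    echo "anonymous search of $suffix still succeeds; policy not applied" >&2
    return 1
  fi
  echo "ok: anonymous access on $host is limited to the rootDSE"
}

# Run against a live server only when the placeholder variables are set, e.g.
#   IPA_HOST=ipa.example.com IPA_SUFFIX=dc=example,dc=com DM_PASS_FILE=/root/.dm-pass sh anon.sh
if [ -n "${IPA_HOST:-}" ]; then
  apply_anon_policy "$IPA_HOST" rootdse "${DM_PASS_FILE:-/root/.dm-pass}"
  verify_rootdse_only "$IPA_HOST" "${IPA_SUFFIX:-dc=example,dc=com}"
fi
```

Run it on each server in turn (or loop over the output of `ipa server-find`); a server that was skipped still answers anonymous searches of the suffix, and the verify step reports exactly that.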


[Freeipa-users] Error during ipa-replica-install on RHEL 9

2023-09-27 Thread Michal Konecny via FreeIPA-users

Hi everyone,

I'm currently trying to update Fedora IPA installation on staging from 
RHEL 8 to RHEL 9. I'm using this guide 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/migrating_to_identity_management_on_rhel_9 
for it.


I'm currently stuck on error "RuntimeError: Failed to start replication" 
and I don't see anything strange in the logs. Here is the log from 
`ipa-replica-install` run: https://paste.centos.org/view/a0e2c2b9 . 
Maybe somebody here will know what seems to be the problem.


For those interested the ticket for this work is here 
https://pagure.io/fedora-infrastructure/issue/10358


Michal


[Freeipa-users] Re: Installing FreeIPA server + replica using Ansible Role FreeIPA

2023-09-27 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 27 Sep 2023, Finn Fysj via FreeIPA-users wrote:

> > Finn Fysj via FreeIPA-users wrote:
> >
> > If you migrate the Kerberos keys and principals they will be for the
> > original realm and will not work.
> >
> > LDAP passwords are migrated by allowing password migration in
> > ipa-config. When this mode is enabled, if an LDAP bind occurs and there
> > are no Kerberos keys then they are generated automatically if they don't
> > already exist.
> >
> > Because it sounds like you aren't using Kerberos at all.
> >
> > RHEL and Fedora have used private user groups for decades now. The
> > definition being that when a user is created they get a group with the
> > same id and no members.
> >
> > An IPA user-private group is similar in nature in that it has the same
> > uid/gid. It also lacks the objectclasses to allow members.
> >
> > A migrated group will retain the same GID but is a regular group.
> >
> > This is most noticeable when you have a lot of users, so therefore a lot
> > of private groups. Private groups are filtered out by default when
> > looking at the list of groups. That will not happen after migration.
> >
> > I'm really not sure what your use-case is here. Do you have an existing
> > broken IPA server? I have the impression you are starting out new.
> >
> > rob
>
> Firstly thank you for taking your time, Rob.
>
> We have an existing IPA server running on RHEL7 and our goal is to
> create two new IPA servers on RHEL9 (master & replica). We therefore
> want to migrate USERS & GROUPS only from the existing IPA server using
> ipa migrate-ds. The end goal looks something like: only to use the IPA
> servers as LDAP servers and load balance these two. It basically
> gives us LDAP servers w/ GUI. Replacing FreeIPA is not an option.
>
> I'm therefore curious what the risks may be if we're leaving out
> migrating UPGs, and secondly your thoughts on this approach.

I would question rather why you want migration of IPA deployment instead
of just adding those two RHEL 9 servers into existing deployment and
then retiring the old (RHEL 7) server.

Sure, this is not possible directly, only through a temporary RHEL 8
replica first, but that would keep all your data intact.

Please see 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/migrating_to_identity_management_on_rhel_8

and
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/migrating_to_identity_management_on_rhel_9


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Installing FreeIPA server + replica using Ansible Role FreeIPA

2023-09-27 Thread Finn Fysj via FreeIPA-users
> Finn Fysj via FreeIPA-users wrote:
> 
> It's not possible to say without seeing the whole command you used.
> 
> rob

Works without problems. Does not migrate UPGs, nor does it ignore Kerberos data:

ipa migrate-ds --with-compat --user-container='cn=users,cn=accounts' \
  --group-container='cn=groups,cn=accounts' ldap://ipa.example.com

Migrates UPGs and other groups, but no users because of "mepOriginEntry":

ipa migrate-ds --bind-dn="cn=Directory Manager" \
  --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts \
  --group-objectclass=posixgroup \
  --user-ignore-objectclass=mepOriginEntry \
  --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} \
  --with-compat \
  ldaps://ipa.example.com


Could we experience any inconsistency by not ignoring kerberos data?
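
Rob's explanation of user-private groups, quoted further down in this thread, is why the two commands above behave differently: an IPA UPG is a posixGroup entry that carries the mepManagedEntry objectclass and none of the objectclasses that allow members (groupOfNames and friends), so `--group-objectclass=posixgroup` matches UPGs, while the default filter for groupOfNames/groupOfUniqueNames entries does not. The script below is an added example, not from this thread and not part of FreeIPA: it classifies the groups in an LDIF export of the old server as UPG or regular so you can see, before running migrate-ds, how many private groups a given objectclass filter would import as ordinary member-capable groups. The inline LDIF is constructed sample data; old-ipa.example.com and dc=example,dc=com in the export command are placeholders; folded LDIF continuation lines are not handled.

```shell
#!/bin/sh
# Added example: classify the groups in an LDIF export of the source IPA server
# as user-private groups (UPGs) or regular groups. Not from the thread or FreeIPA.
# Export from the old server (placeholders: host and suffix):
#   ldapsearch -x -LLL -H ldaps://old-ipa.example.com -D 'cn=Directory Manager' -W \
#     -b cn=groups,cn=accounts,dc=example,dc=com '(objectclass=posixgroup)' \
#     cn gidNumber objectClass > groups.ldif
set -eu

# Constructed sample export: two regular groups and two UPGs.
SAMPLE_LDIF='dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
cn: admins
gidNumber: 1000
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup

dn: cn=alice,cn=groups,cn=accounts,dc=example,dc=com
cn: alice
gidNumber: 1001
objectClass: top
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
mepManagedBy: uid=alice,cn=users,cn=accounts,dc=example,dc=com

dn: cn=bob,cn=groups,cn=accounts,dc=example,dc=com
cn: bob
gidNumber: 1002
objectClass: top
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
mepManagedBy: uid=bob,cn=users,cn=accounts,dc=example,dc=com

dn: cn=devs,cn=groups,cn=accounts,dc=example,dc=com
cn: devs
gidNumber: 1003
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
'

# Read LDIF on stdin and print "<cn> <gidNumber> upg|regular", one line per group.
# A UPG has mepManagedEntry and lacks groupOfNames; everything else is regular.
# Attribute names and objectclass values are compared case-insensitively, as LDAP does.
classify_groups() {
  awk '
    function flush() {
      if (cn != "") print cn, gid, ((mep && !gon) ? "upg" : "regular")
      cn = ""; gid = "?"; mep = 0; gon = 0
    }
    BEGIN { gid = "?" }
    /^$/ { flush(); next }
    tolower($1) == "cn:" && cn == "" { cn = $2; next }
    tolower($1) == "gidnumber:" { gid = $2; next }
    tolower($1) == "objectclass:" {
      oc = tolower($2)
      if (oc == "mepmanagedentry") mep = 1
      if (oc == "groupofnames") gon = 1
    }
    END { flush() }
  '
}

# Count the groups of one kind ("upg" or "regular") in LDIF on stdin.
count_kind() {
  classify_groups | awk -v want="$1" '$3 == want { n++ } END { print n + 0 }'
}

# Report on a file given as the first argument, or on the sample when run bare.
if [ "$#" -ge 1 ]; then
  classify_groups < "$1"
  echo "UPGs: $(count_kind upg < "$1")   regular: $(count_kind regular < "$1")"
else
  printf '%s' "$SAMPLE_LDIF" | classify_groups
fi
```

Every line tagged upg is a group that `--group-objectclass=posixgroup` imports as a regular group with the same GID, after which `ipa group-find` no longer hides it; the regular lines are what the default groupOfNames filter imports on its own.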


[Freeipa-users] Re: Installing FreeIPA server + replica using Ansible Role FreeIPA

2023-09-27 Thread Finn Fysj via FreeIPA-users
> Finn Fysj via FreeIPA-users wrote:
> 
> If you migrate the Kerberos keys and principals they will be for the
> original realm and will not work.
> 
> LDAP passwords are migrated by allowing password migration in
> ipa-config. When this mode is enabled, if an LDAP bind occurs and there
> are no Kerberos keys then they are generated automatically if they don't
> already exist.
> 
> 
> Because it sounds like you aren't using Kerberos at all.
> 
> 
> RHEL and Fedora have used private user groups for decades now. The
> definition being that when a user is created they get a group with the
> same id and no members.
> 
> An IPA user-private group is similar in nature in that it has the same
> uid/gid. It also lacks the objectclasses to allow members.
> 
> A migrated group will retain the same GID but is a regular group.
> 
> This is most noticeable when you have a lot of users, so therefore a lot
> of private groups. Private groups are filtered out by default when
> looking at the list of groups. That will not happen after migration.
> 
> I'm really not sure what your use-case is here. Do you have an existing
> broken IPA server? I have the impression you are starting out new.
> 
> rob

Firstly thank you for taking your time, Rob.

We have an existing IPA server running on RHEL7 and our goal is to create two 
new IPA servers on RHEL9 (master & replica). 
We therefore want to migrate USERS & GROUPS only from the existing IPA server 
using ipa migrate-ds.  
The end goal looks something like: only to use the IPA servers as LDAP servers 
and load balance these two. It basically gives us LDAP servers w/ GUI. 
Replacing FreeIPA is not an option.

I'm therefore curious what the risks may be if we're leaving out migrating 
UPGs, and secondly your thoughts on this approach.