[Freeipa-users] Re: Installing FreeIPA server + replica using Ansible Role FreeIPA

2023-09-28 Thread Finn Fysj via FreeIPA-users
> Finn Fysj via FreeIPA-users wrote:
> 
> UPGs cannot be migrated at all. There is no risk. Some find it annoying
> to see a bunch of single-user groups in the interface, that's all.
> 
> rob

Thank you, Rob.

I've seen that the UPGs that get migrated have received the following attributes:

ipaNTSecurityIdentifier
ipantgroupattrs
groupofnames
nestedgroup
ipausergroup

If I really want to keep UPGs I can use ipa group-mod --delattr=...

I'll do some more checking, but you're correct: I don't think we'll have the
need for Kerberos unless on the IPA servers themselves, but if it's considered
good practice to ignore krb attributes I'll do.

I'll try to do some more testing. 
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] Re: Disabling Anonymous Binds - Hangs on Request - No Return to Prompt

2023-09-28 Thread Alexander Bokovoy via FreeIPA-users

On Thu, 28 Sep 2023, Christian Heimes via FreeIPA-users wrote:

> On 27/09/2023 22.00, Andrew Imeson via FreeIPA-users wrote:
>
> > The password can be stored in Ansible Vault, prompted for, or whatever
> > preferred Ansible secret management strategy you employ.
> >
> > I run it from the FreeIPA nodes, so it’s over an encrypted SSH session and then
> > done via the loopback. It’s also using “ldaps” not “ldap,” so even a privileged
> > user sniffing on the loopback wouldn’t see it (although a privileged user would
> > have a hundred other ways to potentially gain access).
>
> It may be easier to use ipa-ldap-updater as root. The command uses
> LDAP over Unix sockets for secure communication and authentication.
> You don't have to pass any additional options like host, port, or
> password. The update syntax is based on LDIF, but shorter and IMO
> easier to read.
>
> Create a file "rootdse.update" with content:
>
> dn: cn=config
> only: nsslapd-allow-anonymous-access: rootdse
>
> then run "ipa-ldap-updater rootdse.update" on every IPA server.
> Changes to cn=config are not replicated.


You don't even need that. Just use 'dsconf' utility provided by 389-ds,
as root.

[root@id ~]# dsconf IPA-TEST config get nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: on
[root@id ~]# dsconf IPA-TEST config replace nsslapd-allow-anonymous-access=off
Successfully replaced "nsslapd-allow-anonymous-access"
[root@id ~]# dsconf IPA-TEST config get nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
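Because cn=config is not replicated, the setting discussed in this thread has to be verified on every IPA server separately. The script below is an added example, not code from the thread or from the FreeIPA or 389-ds projects: it parses the output of `dsconf <instance> config get nsslapd-allow-anonymous-access`, treats `off` and `rootdse` as hardened and `on` as open, and runs that check over a list of hosts. The instance name `IPA-TEST`, the host names, the `ssh root@host` fetch path and the `fake_fetch` responses are assumptions constructed for the example so it runs offline.

```shell
#!/bin/sh
# Added example: audit nsslapd-allow-anonymous-access on each IPA server.
# cn=config is per-server (not replicated), so every host is checked in turn.

# Classify one "dsconf ... config get nsslapd-allow-anonymous-access" output.
# Prints open | rootdse | off | unknown; returns 0 if hardened, 1 otherwise.
classify_anon_access() {
    value=$(printf '%s\n' "$1" \
        | sed -n 's/^nsslapd-allow-anonymous-access: *//p' \
        | tr '[:upper:]' '[:lower:]')
    case "$value" in
        on)      echo open;    return 1 ;;   # anonymous binds fully allowed
        rootdse) echo rootdse; return 0 ;;   # anonymous read of rootDSE only
        off)     echo off;     return 0 ;;   # anonymous binds refused
        *)       echo unknown; return 1 ;;   # no value parsed: treat as not verified
    esac
}

# Live fetch (assumed path): run dsconf as root over SSH on the IPA server.
fetch_anon_access() {
    host=$1; instance=$2
    ssh "root@$host" dsconf "$instance" config get nsslapd-allow-anonymous-access
}

# Audit hosts with the given fetch function. Prints "<host> <state>" per line
# and returns the number of hosts that are not hardened.
audit_servers() {
    fetcher=$1; instance=$2; shift 2
    bad=0
    for h in "$@"; do
        out=$("$fetcher" "$h" "$instance" 2>/dev/null) || out=""
        state=$(classify_anon_access "$out") || bad=$((bad + 1))
        echo "$h $state"
    done
    return "$bad"
}

# Constructed sample responses standing in for three servers (offline demo).
fake_fetch() {
    case "$1" in
        ipa1.example.test) echo "nsslapd-allow-anonymous-access: off" ;;
        ipa2.example.test) echo "nsslapd-allow-anonymous-access: rootdse" ;;
        ipa3.example.test) echo "nsslapd-allow-anonymous-access: on" ;;
    esac
}

if [ "${1:-}" = "--demo" ]; then
    rc=0
    audit_servers fake_fetch IPA-TEST \
        ipa1.example.test ipa2.example.test ipa3.example.test || rc=$?
    echo "non-hardened servers: $rc"
fi
```

Run `sh audit.sh --demo` to see the constructed sample (one host reported as `open`); replace `fake_fetch` with `fetch_anon_access` and the host list with your own servers to audit a real deployment, and re-run after applying the `dsconf config replace` or `ipa-ldap-updater` change shown above on each server.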