Re: [Freeipa-users] Solaris 10 as IPA Client?
Steven Jones wrote:
> 8<---
> Also Solaris assumes 2307 schema AFAIR and IPA is 2307bis. So you need to enable compat tree on ipa side and point your Solaris nss_ldap to the compat tree.
> 8<---
> We have a Sun solar storage SAN... uses Solaris. I can't get it to work... maybe that's what I need to do to get them to talk. How do I enable compat tree? Also would other hardware vendors be similar? I'm trying to get a Bluecoat proxy server to talk to IPA and it can't.

compat is enabled by default, to double check run:

ipa-compat-manage status

For authentication typically all you need is the basedn of users (cn=users,cn=accounts,dc=example,dc=com).

For SSL you can get a copy of the CA cert from http://ipa.example.com/ipa/config/ca.crt.

The 389-ds access logs can be found in /var/log/dirsrv/slapd-YOURINSTANCE/access. These are buffered for up to 30 seconds. The error log by default tends to only log catastrophic problems. You can enable server debugging, details are in the FAQ in the 389-ds wiki.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
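The access-log triage Rob points at, as an added example that is not part of the thread and not FreeIPA code: a Python script that pairs each BIND and SRCH record in a 389-ds access log with its RESULT line and explains the result code, so an appliance that "can't talk" to IPA can be diagnosed from the server side. The sample log lines, the client address 10.0.0.5, the bind identity uid=proxy and the non-existent base dc=unix,dc=example,dc=com are all constructed for the example.

```python
"""Triage 389-ds access-log records for an LDAP client that cannot talk to IPA.

Added example; not from the thread. The sample lines are constructed to follow the
389-ds access-log layout (conn=/op= correlation, BIND/SRCH/RESULT records); the
addresses, DNs and the uid=proxy bind identity are assumptions, not real data.
"""
import re

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>-?\d+))? (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PEER_RE = re.compile(r'connection from (\S+) to (\S+)')

# LDAP result codes (RFC 4511) a practitioner looks for first.
RESULT_HINTS = {
    0: "success",
    32: "noSuchObject: the base DN does not exist on this server (check the basedn)",
    34: "invalidDNSyntax: malformed bind DN or base DN",
    48: "inappropriateAuthentication: this bind type is refused as configured",
    49: "invalidCredentials: wrong bind DN or password",
    50: "insufficientAccessRights: the bound identity may not read this subtree",
}

SAMPLE_LOG = """\
[05/Dec/2011:14:32:10 +1300] conn=12 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[05/Dec/2011:14:32:10 +1300] conn=12 op=0 BIND dn="uid=proxy,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[05/Dec/2011:14:32:10 +1300] conn=12 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[05/Dec/2011:14:32:10 +1300] conn=12 op=1 UNBIND
[05/Dec/2011:14:32:10 +1300] conn=12 op=1 fd=64 closed - U1
[05/Dec/2011:14:32:11 +1300] conn=13 fd=65 slot=65 connection from 10.0.0.5 to 10.0.0.1
[05/Dec/2011:14:32:11 +1300] conn=13 op=0 BIND dn="" method=128 version=3
[05/Dec/2011:14:32:11 +1300] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[05/Dec/2011:14:32:11 +1300] conn=13 op=1 SRCH base="dc=unix,dc=example,dc=com" scope=2 filter="(cn=internet-users)" attrs="member"
[05/Dec/2011:14:32:11 +1300] conn=13 op=1 RESULT err=32 tag=101 nentries=0 etime=0
[05/Dec/2011:14:32:12 +1300] conn=13 op=2 SRCH base="cn=groups,cn=accounts,dc=example,dc=com" scope=2 filter="(cn=internet-users)" attrs="member"
[05/Dec/2011:14:32:12 +1300] conn=13 op=2 RESULT err=0 tag=101 nentries=1 etime=0
"""


def parse_line(line):
    """Split one record into timestamp, conn, op, leading verb and key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    rec = {"ts": m.group("ts"), "conn": int(m.group("conn")),
           "op": None if m.group("op") is None else int(m.group("op")),
           "verb": rest.split(" ", 1)[0], "rest": rest}
    rec.update({k: v.strip('"') for k, v in KV_RE.findall(rest)})
    return rec


def triage(lines):
    """Pair each BIND/SRCH with its RESULT and attach a diagnosis; one dict per pair."""
    peers, pending, findings = {}, {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        conn, op = rec["conn"], rec["op"]
        peer = PEER_RE.search(rec["rest"])
        if peer:
            peers[conn] = peer.group(1)          # remember which client owns this conn
            continue
        if rec["verb"] in ("BIND", "SRCH"):
            pending[(conn, op)] = rec
        elif rec["verb"] == "RESULT" and (conn, op) in pending:
            req = pending.pop((conn, op))
            err, nentries = int(rec.get("err", 0)), int(rec.get("nentries", 0))
            f = {"client": peers.get(conn, "?"), "conn": conn, "op": op, "verb": req["verb"],
                 "err": err, "nentries": nentries,
                 "hint": RESULT_HINTS.get(err, "LDAP result code %d" % err)}
            if req["verb"] == "BIND":
                f["dn"] = req.get("dn", "")
                if f["dn"] == "" and err == 0:
                    f["hint"] = "anonymous bind accepted; later searches run with anonymous rights"
            else:
                f["base"], f["filter"] = req.get("base", ""), req.get("filter", "")
                if err == 0 and nentries == 0:
                    f["hint"] = "search ran but matched nothing: base or filter names no entry"
            f["flag"] = err != 0 or (req["verb"] == "SRCH" and nentries == 0)
            findings.append(f)
    return findings


def problems(lines):
    """Only the findings worth reporting back to the appliance's administrator."""
    return [f for f in triage(lines) if f["flag"]]


if __name__ == "__main__":
    for f in problems(SAMPLE_LOG.splitlines()):
        target = f.get("dn") if f["verb"] == "BIND" else "%s %s" % (f["base"], f["filter"])
        print("conn=%d op=%d %s from %s (%s): err=%d %s"
              % (f["conn"], f["op"], f["verb"], f["client"], target, f["err"], f["hint"]))
```

Run it against the real file with `problems(open("/var/log/dirsrv/slapd-YOURINSTANCE/access").readlines())`. Because the access log is buffered, as Rob notes, a connection can be missing from the file for up to half a minute after the client tried; while debugging, setting nsslapd-accesslog-logbuffering to off under cn=config makes records appear immediately. In the constructed sample, err=49 on conn=12 is a bad bind password or bind DN, and err=32 on conn=13 is what a search base that does not exist in the directory returns, which is the first thing to check when a guessed dc= base returns nothing.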
Re: [Freeipa-users] Solaris 10 as IPA Client?
Hi,

If I wanted a specific internet access group where the IPA group is internet-users, what would the baseDN be? I have been using dc=unix,dc=vuw,dc=ac,dc=nz but I have tried a few combos, none worked... also do I need to bind to the IPA? or will anonymous work? I can't search the tree as anonymous inside the Bluecoat GUI so I can't pick the group I want... which would make life easy.

This goes back to my request to see the dc= stuff inside the GUI. The GUI speaks one way and everything else speaks differently, a translation is needed. So really you have succeeded in making the GUI very easy to use, sure, but not with other products.

If I have to bind with a user so I can pick the group I want in the Bluecoat GUI I assume I need to create a user for that? with limited permissions?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Tuesday, 6 December 2011 3:40 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Solaris 10 as IPA Client?

> Steven Jones wrote:
> > 8<---
> > Also Solaris assumes 2307 schema AFAIR and IPA is 2307bis. So you need to enable compat tree on ipa side and point your Solaris nss_ldap to the compat tree.
> > 8<---
> > We have a Sun solar storage SAN... uses Solaris. I can't get it to work... maybe that's what I need to do to get them to talk. How do I enable compat tree? Also would other hardware vendors be similar? I'm trying to get a Bluecoat proxy server to talk to IPA and it can't.
>
> compat is enabled by default, to double check run:
>
> ipa-compat-manage status
>
> For authentication typically all you need is the basedn of users (cn=users,cn=accounts,dc=example,dc=com).
>
> For SSL you can get a copy of the CA cert from http://ipa.example.com/ipa/config/ca.crt.
>
> The 389-ds access logs can be found in /var/log/dirsrv/slapd-YOURINSTANCE/access. These are buffered for up to 30 seconds. The error log by default tends to only log catastrophic problems. You can enable server debugging, details are in the FAQ in the 389-ds wiki.
>
> rob
[Freeipa-users] Fwd: manual client join
On Wed, Nov 30, 2011 at 12:59 PM, Rob Crittenden rcrit...@redhat.com wrote:
> The only part assuming that is ipa-join itself. IPA does not support the direct use of kadmin or kadmin.local. On a supported platform you'd run:
>
> # ipa-getkeytab -s ipa.example.com -k /tmp/remote.keytab -p host/remote.example.com
>
> Then ship /tmp/remote.keytab to the machine and either use ktutil to combine it with /etc/krb5.keytab or replace krb5.keytab with it (and fix owner and permissions, and potentially SELinux context).

OK, got it. I can use the FreeIPA system itself to grab these for host and services and then the new remote machine will have all principals it requires to work within the FreeIPA realm.

> certmonger gets its IPA configuration from /etc/ipa/default.conf. If you don't want or have certmonger then you can skip the CA bit altogether. Otherwise you'll need to copy in a working config.

OK, this requires certmonger. If I still want a FreeIPA-signed cert (say I need to talk SSL to the FreeIPA directory for mail server config purposes, e.g. check existence of email address) without certmonger, I can use certmonger on the FreeIPA server or UI to sign a CSR generated using NSS on the remote system and then transport the cert to the remote system and manually install for apache, ldap client, etc., right?

I'm not trying to supplant FreeIPA here. Obviously the best (and almost effortless) solution is to have freeipa-client and certmonger on the system, however, if I'm stuck with an older version of Redhat or some other OS that just doesn't conveniently support FreeIPA, I just want to be able to get a cert and necessary principals to be able to easily work within the FreeIPA realm. I also sort of like to know how everything works in more detail just in case something breaks and I have to make manual adjustments.

Steve
Re: [Freeipa-users] Fwd: manual client join
Stephen Ingram wrote:
> On Wed, Nov 30, 2011 at 12:59 PM, Rob Crittenden rcrit...@redhat.com wrote:
> > The only part assuming that is ipa-join itself. IPA does not support the direct use of kadmin or kadmin.local. On a supported platform you'd run:
> >
> > # ipa-getkeytab -s ipa.example.com -k /tmp/remote.keytab -p host/remote.example.com
> >
> > Then ship /tmp/remote.keytab to the machine and either use ktutil to combine it with /etc/krb5.keytab or replace krb5.keytab with it (and fix owner and permissions, and potentially SELinux context).
>
> OK, got it. I can use the FreeIPA system itself to grab these for host and services and then the new remote machine will have all principals it requires to work within the FreeIPA realm.

Yup.

> > certmonger gets its IPA configuration from /etc/ipa/default.conf. If you don't want or have certmonger then you can skip the CA bit altogether. Otherwise you'll need to copy in a working config.
>
> OK, this requires certmonger. If I still want a FreeIPA-signed cert (say I need to talk SSL to the FreeIPA directory for mail server config purposes, e.g. check existence of email address) without certmonger, I can use certmonger on the FreeIPA server or UI to sign a CSR generated using NSS on the remote system and then transport the cert to the remote system and manually install for apache, ldap client, etc., right?

You don't need certmonger to have SSL certs, it just makes it easier to request and manage them (because of the auto-renewal features). To do it manually just do something like this to get a cert for a web server. IPA server here is really any machine with the admintools package installed.

remote system: generate a CSR using openssl or certutil, save as a PEM file, ship to the IPA host. With NSS I do:

certutil -R -s CN=remote.example.com,O=EXAMPLE.COM -d /path/to/database/dir -a > example.csr

Be sure that the CN value is the FQDN of your server.

IPA server:

# ipa cert-request --principal HTTP/remote.example.com /path/to/csr.pem
# ipa service-show --out=/tmp/service.crt HTTP/remote.example.com

Your cert will be in /tmp/service.crt and PEM formatted for easy use. The output of cert-request is just a base64 blob.

> I'm not trying to supplant FreeIPA here. Obviously the best (and almost effortless) solution is to have freeipa-client and certmonger on the system, however, if I'm stuck with an older version of Redhat or some other OS that just doesn't conveniently support FreeIPA, I just want to be able to get a cert and necessary principals to be able to easily work within the FreeIPA realm. I also sort of like to know how everything works in more detail just in case something breaks and I have to make manual adjustments.

This may be handy to augment the IPA documentation too if you want to donate back your findings :-)

cheers

rob
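The keytab half of the manual join above (ipa-getkeytab on the server, ship the file, merge it with ktutil or replace /etc/krb5.keytab, fix owner and mode), as an added example that is not from the thread or from FreeIPA: a Python script that reads and writes MIT's version-2 keytab layout, which is what ipa-getkeytab produces, merges a host keytab with a service keytab the way `ktutil` read_kt/write_kt would, and checks the owner and mode of the installed file so a keytab copied by hand is not left world-readable. The principals reuse the thread's placeholders remote.example.com and EXAMPLE.COM; the keys, kvnos and timestamps are constructed.

```python
"""Inspect, merge and permission-check Kerberos keytabs without ktutil.
Added example (not from the thread or FreeIPA) implementing MIT's version-2 keytab
layout, the format ipa-getkeytab writes. Principals, keys and timestamps are constructed.
"""
import os
import struct
import tempfile

AES256_CTS_HMAC_SHA1_96 = 18   # enctype number (RFC 3962)

def _cstr(s):
    return struct.pack(">H", len(s.encode())) + s.encode()

def _read_cstr(body, p):
    (n,) = struct.unpack_from(">H", body, p)
    return body[p + 2:p + 2 + n].decode(), p + 2 + n

def build_entry(principal, enctype, key, kvno, timestamp=0, name_type=1):
    """Serialise one entry, e.g. ("host/remote.example.com@EXAMPLE.COM", 18, key, 2)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm) + b"".join(_cstr(c) for c in comps)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # name type, time, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key             # keyblock
    body += struct.pack(">I", kvno)                                  # 32-bit vno trailer
    return struct.pack(">i", len(body)) + body

def write_keytab(entries):
    return b"\x05\x02" + b"".join(build_entry(*e) for e in entries)

def parse_keytab(data):
    """Return one dict per live entry (principal, enctype, kvno, key, timestamp)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                   # deleted slot: skip its unused bytes
            pos -= size
            continue
        body, end = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", body, 0)
        realm, p = _read_cstr(body, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _read_cstr(body, p)
            comps.append(c)
        name_type, ts, vno8 = struct.unpack_from(">IIB", body, p)
        p += 9
        enctype, klen = struct.unpack_from(">HH", body, p)
        p += 4
        key, p = body[p:p + klen], p + klen
        kvno = vno8
        if len(body) - p >= 4:         # optional 32-bit vno; trust it when non-zero
            (vno32,) = struct.unpack_from(">I", body, p)
            kvno = vno32 or vno8
        out.append({"principal": "/".join(comps) + "@" + realm, "enctype": enctype,
                    "kvno": kvno, "key": key, "timestamp": ts})
        pos = end
    return out

def merge_keytabs(*blobs):
    """What ktutil read_kt/read_kt/write_kt does, minus exact duplicates."""
    seen, merged = set(), []
    for blob in blobs:
        for e in parse_keytab(blob):
            ident = (e["principal"], e["enctype"], e["kvno"])
            if ident not in seen:
                seen.add(ident)
                merged.append((e["principal"], e["enctype"], e["key"], e["kvno"], e["timestamp"]))
    return write_keytab(merged)

def check_permissions(path):
    """Problems an installed /etc/krb5.keytab must not have."""
    st = os.stat(path)
    issues = []
    if st.st_mode & 0o077:
        issues.append("group/other can access the keytab (mode %o)" % (st.st_mode & 0o777))
    if st.st_uid != 0:
        issues.append("keytab is not owned by root (uid %d)" % st.st_uid)
    return issues

def demo_permission_check():
    """Write a constructed keytab as 0644, check it, fix it to 0600, check again."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(write_keytab([("host/remote.example.com@EXAMPLE.COM", AES256_CTS_HMAC_SHA1_96, bytes(32), 1)]))
    try:
        os.chmod(path, 0o644)
        before = check_permissions(path)
        os.chmod(path, 0o600)
        after = check_permissions(path)
    finally:
        os.unlink(path)
    return before, after
```

On the remote machine `parse_keytab(open("/tmp/remote.keytab", "rb").read())` shows which principals, kvnos and enctypes arrived, and `merge_keytabs(open("/etc/krb5.keytab", "rb").read(), open("/tmp/remote.keytab", "rb").read())` gives the bytes to write back as the new /etc/krb5.keytab, after which `restorecon /etc/krb5.keytab` resets the SELinux context Rob mentions. One caveat worth knowing before scripting this: each run of ipa-getkeytab generates a fresh key and raises the kvno on the server, so a keytab issued earlier for the same principal stops working the moment a new one is fetched.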
Re: [Freeipa-users] Solaris 10 as IPA Client?
Hi

8<---
What you need is some knowledge of LDAP, and to work with your vendors to figure out how they should be configured to work with IPA.
8<---

Funny but I thought a goal of IPA was to make this easier... so you don't need such depth of knowledge. Like I keep saying it's a translation process so you can start to understand it. I'm having huge problems with it... which is a worry because if I have problems the other admins are probably going to fail. I have tried to self-educate myself but I'm not getting far at it.

Vendors in NZ just import in a box, it's a function of our small population, few have any depth of knowledge... a few have happily admitted to me that if we buy the hardware they will get some training... until then they are as clueless as we are.

8<---
BTW, for a proxy appliance I believe you want Kerberos authentication to provide single sign on, and use LDAP merely to do the authorization.
8<---

I suspected that but, nowhere in Bluecoat can I see anything to do kerberos to a kerberos server, so I suspect it won't work as single sign on, so I may be wasting my time.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
Re: [Freeipa-users] Solaris 10 as IPA Client?
On Mon, 2011-12-05 at 21:05 +0000, Steven Jones wrote:
> Funny but I thought a goal of IPA was to make this easier... so you don't need such depth of knowledge.

That is our goal, but we can only do so much when 3rd parties are involved.

Your best bet is to see our instructions for non-ipa clients. Those instructions may not apply 1:1 to whatever configuration methods all 3rd parties may have, but should set you in the right direction.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Solaris 10 as IPA Client?
Hi,

Oh I know you can only do so much... :/

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Simo Sorce [s...@redhat.com]
Sent: Tuesday, 6 December 2011 10:14 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Solaris 10 as IPA Client?

> On Mon, 2011-12-05 at 21:05 +0000, Steven Jones wrote:
> > Funny but I thought a goal of IPA was to make this easier... so you don't need such depth of knowledge.
>
> That is our goal, but we can only do so much when 3rd parties are involved.
>
> Your best bet is to see our instructions for non-ipa clients. Those instructions may not apply 1:1 to whatever configuration methods all 3rd parties may have, but should set you in the right direction.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Solaris 10 as IPA Client?
On Mon, Dec 5, 2011 at 10:05 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
> Hi
>
> 8<---
> What you need is some knowledge of LDAP, and to work with your vendors to figure out how they should be configured to work with IPA.
> 8<---
>
> Funny but I thought a goal of IPA was to make this easier... so you don't need such depth of knowledge. Like I keep saying it's a translation process so you can start to understand it. I'm having huge problems with it... which is a worry because if I have problems the other admins are probably going to fail. I have tried to self-educate myself but I'm not getting far at it.

I disagree with you here. Understanding ldap is quite essential stuff for deploying a directory based identity management system. I mean, if you just want to provision users and authenticate them to computer systems in an IPA realm, that's it, you need nothing more than the tools IPA gives you. However, life is usually more complicated and people want to use other applications to do stuff. And those applications have ldap bindings, so you need to know how to use them.

This is by the way no different as to how to do it with AD. I routinely configure applications to query our AD for user info/authentication/authorization, so I need to specify ldap bases, common names (cn) to bind, etc., as well. No difference here as to what you are experiencing.

In my experience most vendors have technical info on how to configure an ldap connection to their applications/appliances. You name Bluecoat, and if I google 'bluecoat ldap' the first hit I get is a nice pdf with exactly the info you need (provided this is about the bluecoat.com company).

I strongly suggest that you get a good grasp on ldap if you need to manage any directory based service, be it AD, IPA or whatever.

> Vendors in NZ just import in a box, it's a function of our small population, few have any depth of knowledge... a few have happily admitted to me that if we buy the hardware they will get some training... until then they are as clueless as we are.

Wow. Are you talking to technical staff or to sales people there?

--
natxo
Re: [Freeipa-users] Solaris 10 as IPA Client?
On 12/05/2011 10:05 PM, Steven Jones wrote:
> > What you need is some knowledge of LDAP, and to work with your vendors to figure out how they should be configured to work with IPA.
> 8<---
> Funny but I thought a goal of IPA was to make this easier... so you don't need such depth of knowledge. Like I keep saying it's a translation process so you can start to understand it. I'm having huge problems with it... which is a worry because if I have problems the other admins are probably going to fail. I have tried to self-educate myself but I'm not getting far at it.

And IPA still does make it easier, for the management of the server side. As far as the client side goes, 3rd party vendors have had many years to adopt an Active Directory LDAP profile, containing a certain configuration of objectclasses and attributes to look for. In some years, perhaps 3rd party vendors will be making an IPA LDAP profile or 1:1 instructions for configuring their LDAP clients to more easily work with IPA LDAP.

> Vendors in NZ just import in a box, it's a function of our small population, few have any depth of knowledge... a few have happily admitted to me that if we buy the hardware they will get some training... until then they are as clueless as we are.

The vendor will most likely have a knowledge doc portal and central support outside NZ to help you?