Re: [Freeipa-users] self service password reset
On 07/11/2012 08:59 PM, KodaK wrote:
> Has anyone rolled out a self-service password reset utility for IPA? If so, did you use something off the shelf that speaks LDAP or roll your own? I'm looking at this: http://code.google.com/p/pwm/ But I'm just starting down this path.
>
> Thanks,
> --Jason

With FreeIPA 3.0 beta 1 it's really easy to write your own page for password reset because of the new API for that [1]. You don't have to, though. Beta 1 already contains a stand-alone reset page (it was added along with password reset in forms-based auth) [2]. It looks like this: http://pvoborni.fedorapeople.org/ui/reset_password.html

A custom page you could code like this, or as just a plain HTML form:

```javascript
// Form fields the session password-change endpoint expects
var data = {
    user: username,
    old_password: old_password,
    new_password: new_password
};
// jQuery request: form-encoded POST, HTML response
var request = {
    url: '/ipa/session/change_password',
    data: data,
    contentType: 'application/x-www-form-urlencoded',
    processData: true,
    dataType: 'html',
    async: false,
    type: 'POST',
    success: success_handler,
    error: error_handler
};
$.ajax(request);
```

[1] https://fedorahosted.org/freeipa/ticket/2276
[2] https://fedorahosted.org/freeipa/ticket/2755

--
Petr Vobornik

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
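The same exchange without jQuery, as an added example that is not code from the post or from FreeIPA: the endpoint path and the three form fields are the ones Petr gives above, while the X-IPA-Pwchange-Result and X-IPA-Pwchange-Policy-Error response headers are an assumption taken from later FreeIPA releases and may not exist in 3.0 beta 1. The point a reset page has to get right is that the server authenticates the user with the old password, and that only an explicit result signal, never the HTML body by itself, should be treated as success.

```javascript
// Added example (not from the post or FreeIPA). Endpoint path and fields are
// from the post; the X-IPA-Pwchange-* headers are assumed from later releases.
const CHANGE_PASSWORD_URL = '/ipa/session/change_password';

// Build the application/x-www-form-urlencoded body the endpoint expects,
// rejecting input that could only produce a server-side error anyway.
function buildChangePasswordBody(user, oldPassword, newPassword) {
  if (!user || !oldPassword || !newPassword) {
    throw new Error('user, old_password and new_password are required');
  }
  if (newPassword === oldPassword) {
    throw new Error('new password must differ from the old one');
  }
  const form = { user: user, old_password: oldPassword, new_password: newPassword };
  return new URLSearchParams(form).toString();
}

// Case-insensitive header lookup for a fetch() Headers object or a plain
// object (the latter lets the parsing be exercised without a server).
function header(headers, name) {
  if (typeof headers.get === 'function') return headers.get(name);
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Map the result header to an outcome. Unknown or missing values are failures;
// the HTML body is never taken as a success signal on its own.
function interpretResult(headers) {
  const result = (header(headers, 'X-IPA-Pwchange-Result') || '').toLowerCase();
  if (result === 'ok') return { ok: true, message: 'Password changed.' };
  if (result === 'invalid-password') {
    return { ok: false, message: 'Current password is incorrect.' };
  }
  if (result === 'policy-error') {
    const why = header(headers, 'X-IPA-Pwchange-Policy-Error');
    return { ok: false, message: why || 'Password rejected by policy.' };
  }
  return { ok: false, message: 'Password change failed.' };
}

// Submit the change; the server checks the old password itself, so the page
// needs no existing session or Kerberos ticket.
async function changePassword(user, oldPassword, newPassword) {
  const resp = await fetch(CHANGE_PASSWORD_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildChangePasswordBody(user, oldPassword, newPassword),
  });
  return interpretResult(resp.headers);
}
```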
Re: [Freeipa-users] IPA + OpenAFS
On 11/07/2012 5:46 PM, Dmitri Pal wrote:
> On 07/11/2012 04:01 PM, Qing Chang wrote:
> On 11/07/2012 3:23 PM, Simo Sorce wrote:
> On Wed, 2012-07-11 at 15:21 -0400, Qing Chang wrote:
>
> Because of the integration of Kerberos in IPA, Kerberos tools can be used only in limited situations. When creating afs/DOMAIN@REALM with kadmin, I got this error:
>
>     add_principal: Kerberos database constraints violated while creating afs/DOMAIN@REALM
>
> Use ipa service-add to add services, never use kadmin.local, it will not work; we hard-coded failures in the DB driver to prevent users from doing that, as kadmin doesn't know where to put and how to properly fill up objects. However, you can use kadmin.local on a pre-existing principal to obtain a new keytab.
>
> Simo.
>
> A keytab with v4 salt was created successfully using kadmin; unfortunately OpenAFS still spit out the same error message:
>
>     [root@smb1 ~]# fs setacl /afs system:anyuser rl
>     fs: You don't have the required access rights on '/afs'
>
> When --force was used with ipa service-add to create afs/DOMAIN@REALM, IPA still does not like the fact that there is no host entry:
>
>     [root@ipa2 tmp]# ipa service-add --force afs/sri.utoronto.ca
>     ipa: ERROR: The host 'sri.utoronto.ca' does not exist to add a service to.

Sorry for my ignorance, ktadd accepted -e des-cbc-crc:v4 but created a keytab with no salt:

    kadmin.local: ktadd -e des-cbc-crc:v4 -k /tmp/openafs afs/openafs.sri.utoronto.ca
    Entry for principal afs/openafs.sri.utoronto.ca with kvno 20, encryption type des-cbc-crc added to keytab WRFILE:/tmp/openafs.
    kadmin.local: getprinc afs/openafs.sri.utoronto.ca
    Principal: afs/openafs.sri.utoronto...@sri.utoronto.ca
    Expiration date: [never]
    Last password change: Thu Jul 12 15:08:16 EDT 2012
    Password expiration date: [none]
    Maximum ticket life: 1 day 00:00:00
    Maximum renewable life: 7 days 00:00:00
    Last modified: Thu Jul 12 15:08:16 EDT 2012 (admin/ad...@sri.utoronto.ca)
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Number of keys: 1
    Key: vno 20, des-cbc-crc, no salt
    MKey: vno 1
    Attributes: REQUIRES_PRE_AUTH
    Policy: [none]

I also tried :normal and :afs3, no salts added for any types. Is the IPA code not doing it, or am I missing something?

Thanks,
Qing

> Is there any problem with adding host entries into IPA? ipa host-add will create a host entry. It does not mean that you have to do something else with it.

Thanks,
Qing
Re: [Freeipa-users] IPA + OpenAFS
On Thu, 2012-07-12 at 15:14 -0400, Qing Chang wrote:
> On 11/07/2012 5:46 PM, Dmitri Pal wrote:
> On 07/11/2012 04:01 PM, Qing Chang wrote:
> On 11/07/2012 3:23 PM, Simo Sorce wrote:
> On Wed, 2012-07-11 at 15:21 -0400, Qing Chang wrote:
>
> Because of the integration of Kerberos in IPA, Kerberos tools can be used only in limited situations. When creating afs/DOMAIN@REALM with kadmin, I got this error:
>
>     add_principal: Kerberos database constraints violated while creating afs/DOMAIN@REALM
>
> Use ipa service-add to add services, never use kadmin.local, it will not work; we hard-coded failures in the DB driver to prevent users from doing that, as kadmin doesn't know where to put and how to properly fill up objects. However, you can use kadmin.local on a pre-existing principal to obtain a new keytab.
>
> Simo.
>
> A keytab with v4 salt was created successfully using kadmin; unfortunately OpenAFS still spit out the same error message:
>
>     [root@smb1 ~]# fs setacl /afs system:anyuser rl
>     fs: You don't have the required access rights on '/afs'
>
> When --force was used with ipa service-add to create afs/DOMAIN@REALM, IPA still does not like the fact that there is no host entry:
>
>     [root@ipa2 tmp]# ipa service-add --force afs/sri.utoronto.ca
>     ipa: ERROR: The host 'sri.utoronto.ca' does not exist to add a service to.
>
> Sorry for my ignorance, ktadd accepted -e des-cbc-crc:v4 but created a keytab with no salt:
>
>     kadmin.local: ktadd -e des-cbc-crc:v4 -k /tmp/openafs afs/openafs.sri.utoronto.ca
>     Entry for principal afs/openafs.sri.utoronto.ca with kvno 20, encryption type des-cbc-crc added to keytab WRFILE:/tmp/openafs.
>     kadmin.local: getprinc afs/openafs.sri.utoronto.ca
>     Principal: afs/openafs.sri.utoronto...@sri.utoronto.ca
>     Expiration date: [never]
>     Last password change: Thu Jul 12 15:08:16 EDT 2012
>     Password expiration date: [none]
>     Maximum ticket life: 1 day 00:00:00
>     Maximum renewable life: 7 days 00:00:00
>     Last modified: Thu Jul 12 15:08:16 EDT 2012 (admin/ad...@sri.utoronto.ca)
>     Last successful authentication: [never]
>     Last failed authentication: [never]
>     Failed password attempts: 0
>     Number of keys: 1
>     Key: vno 20, des-cbc-crc, no salt
>     MKey: vno 1
>     Attributes: REQUIRES_PRE_AUTH
>     Policy: [none]
>
> I also tried :normal and :afs3, no salts added for any types. Is the IPA code not doing it, or am I missing something?

v4 means 'no salt' afaik.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-users] 2.20 dirsrv memory usage
I was previously using 2.1.4 and know that there was a substantial memory leak in the directory server. After upgrading to 2.20, I notice that although overall memory usage seems higher, the creep upwards is not as quick. Memory still tends to trend upward, though, leaving me to worry that dirsrv will crash when it runs out of memory.

I've checked the entrycachehitratio and it is 99. I also then checked the size of id2entry.db4 and found it to be 1024000. So I then checked nssldap-cachesize and found it to be 10485760. According to what I've read on the list, this seems about right. Is there anything else I can check?

This is a pretty small directory, but it gets quite a bit of activity from serving mail configuration in addition to authentication. However, I can't imagine that it would consume 1.5GB and keep climbing in memory usage.

Steve
Re: [Freeipa-users] 2.20 dirsrv memory usage
On 07/12/2012 06:55 PM, Stephen Ingram wrote:
> On Thu, Jul 12, 2012 at 3:41 PM, Dmitri Pal d...@redhat.com wrote:
> On 07/12/2012 06:19 PM, Stephen Ingram wrote:
> On Thu, Jul 12, 2012 at 3:10 PM, Stephen Ingram sbing...@gmail.com wrote:
> On Thu, Jul 12, 2012 at 2:59 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
>
> Hi, I had huge memory issues pre 6.3, now it's low and flat. Sounds like you have an issue somewhere. My normal CPU use is a few hundred MHz, but when something goes wrong such as replication failing that climbs... ditto memory use.
>
> Yes, I saw your conversation with Rich on this list about that. And, yes, 6.2 (2.1.3) was bad for me too. I'm not sure why 2.2.0 is still having issues. It was an upgrade from 2.1.3, but the upgrade seemed to complete without issue. I'm also not even doing replication yet, so I'm not sure why memory is so high. The web interface is much slower too, so perhaps something else is wrong.
>
> Oops, I meant Rob, not Rich.
>
> Do you use any things exposed via the compat tree? Do you have a lot of modifications that affect the data that is exposed via this tree? I suspect that the leak is somewhere there. Try turning off the things that you do not use, if there are any.
>
> I only query the cn=users,cn=accounts,dc=example,dc=com and cn=groups,cn=accounts,dc=example,dc=com containers for mail info and use them for Kerberos auth. There are only very infrequent mods to those trees previously mentioned via the Web UI. Almost all activity is reads, but lots of them for the mail servers (validating users, etc.). I plan to use replication and DNS, but am not using them now. From this, I don't think I'm using the compat tree. Would turning it off help anyway?
>
> Steve

Please use documented tools to disable it. Do not do it manually via LDAP.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/