Re: [Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix
On Wed, 2012-10-31 at 11:34 +1000, Peter Brown wrote: Hi everyone, I have been trying to work out how to achieve this. I have freeipa 3.0.0 setup on a Fedora 18 server and I have postfix and dovecot on my new mail server authenticating against Freeipa. One last thing I would love to do it pull down the virtual users and aliases for the domains my mailserver will be serving from freeipa. Is this possible? Is this all automatic due to sssd looking up the user details in the ds? Does it do the same for domains and email aliases or will I need extra lookups to achieve this. A loong time ago I sue the excellent support in postfix to route mail based on data in ldap, however I have no idea how's dovecot support for that. FreeIPA will create a single domain for you atm, but you can indeed associate any email address to a user, however sssd does not have any facility to resolve a user by email address, so unless you just care about the default domain (in which case you can lookup users via sssd just like you would against /etc/passwd) I think you'll have to configure your daemons to lookup data directly via ldap. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] User's choice: automount or autocreate?
Has anyone set things up so that individual users have the option to automount a homedir or have one autocreated on each system they use for them? I have some users who prefer one way and others who prefer the other. Both have valid reasons and I'd rather not make an authoritarian decision for one over the other. 1. How could this be handled as a user option, set as the account is created or modified and open to adjustment later? 2. How might this be handled as a login option, allowing the user to select their automounted homedir or a local homedir? Anyone already set this up and have it working well? I'd hate to spend time re-inventing a wheel if there's already an excellent example in the wild Thanks! -- Bret Wortman The Damascus Group Fairfax, VA http://bretwortman.com/ http://twitter.com/BretWortman ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] User's choice: automount or autocreate?
On Wed 31 Oct 2012 08:56:14 AM EDT, Bret Wortman wrote: Has anyone set things up so that individual users have the option to automount a homedir or have one autocreated on each system they use for them? I have some users who prefer one way and others who prefer the other. Both have valid reasons and I'd rather not make an authoritarian decision for one over the other. 1. How could this be handled as a user option, set as the account is created or modified and open to adjustment later? A feature could be added to SSSD to allow users to override the home directory location on individual clients. This feature would have to be subject to administrator approval in some way (to restrict where users could set their home directories and which users have this privilege). That requires some thought. Feel free to file an RFE at https://fedorahosted.org/sssd 2. How might this be handled as a login option, allowing the user to select their automounted homedir or a local homedir? This just isn't going to happen. Period. The location of the user's home directory is an integral part of the user's identity on the system. It cannot vary at login time. All sessions of the logged-in user (as well as any application that calls getpwnam()) need to agree on this value or you will have problems. Anyone already set this up and have it working well? I'd hate to spend time re-inventing a wheel if there's already an excellent example in the wild As a general rule, it's usually better to just make the decision on a per-system basis than a per-user basis. I.e. everyone who logs on to certain infrastructure systems will always use the automount home directory, but on personal systems they can be configured to not use automount. ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] User's choice: automount or autocreate?
That's what I needed to know. We'll set a system-wide policy and be done with it. Thanks! On Wed, Oct 31, 2012 at 9:43 AM, Stephen Gallagher sgall...@redhat.comwrote: On Wed 31 Oct 2012 08:56:14 AM EDT, Bret Wortman wrote: Has anyone set things up so that individual users have the option to automount a homedir or have one autocreated on each system they use for them? I have some users who prefer one way and others who prefer the other. Both have valid reasons and I'd rather not make an authoritarian decision for one over the other. 1. How could this be handled as a user option, set as the account is created or modified and open to adjustment later? A feature could be added to SSSD to allow users to override the home directory location on individual clients. This feature would have to be subject to administrator approval in some way (to restrict where users could set their home directories and which users have this privilege). That requires some thought. Feel free to file an RFE at https://fedorahosted.org/sssd 2. How might this be handled as a login option, allowing the user to select their automounted homedir or a local homedir? This just isn't going to happen. Period. The location of the user's home directory is an integral part of the user's identity on the system. It cannot vary at login time. All sessions of the logged-in user (as well as any application that calls getpwnam()) need to agree on this value or you will have problems. Anyone already set this up and have it working well? I'd hate to spend time re-inventing a wheel if there's already an excellent example in the wild As a general rule, it's usually better to just make the decision on a per-system basis than a per-user basis. I.e. everyone who logs on to certain infrastructure systems will always use the automount home directory, but on personal systems they can be configured to not use automount. -- Bret Wortman The Damascus Group Fairfax, VA http://bretwortman.com/ http://twitter.com/BretWortman ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Sudo not working
I'm pretty certain there's a painfully simple solution to this that I'm not seeing, but my current configuration isn't picking up the freeipa sudoer rule that I've set. /etc/nsswitch.conf specifies: sudoers:files ldap /etc/nslcd.conf contains: binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me bindpw password ssl start_tls tls_cacertfile /etc/ipa/ca.crt tls_checkpeer yes bind_timelimit 5 timelimit 15 uri ldap://fs1.wedgeofli.me sudoers_base ou=SUDOers,dc=wedgeofli,dc=me The sssd_DOMAIN.log file contains this when I try to sudo: (Wed Oct 31 11:50:53 2012) [sssd[be[wedgeofli.me]]] [sysdb_search_users] (0x0400): Search users with filter: ((objectclass=user)((!(dataExpireTimestamp=0))(dataExpireTimestamp=1351698653)(!(lastLogin=* (Wed Oct 31 11:50:53 2012) [sssd[be[wedgeofli.me]]] [sysdb_search_users] (0x0400): No such entry (Wed Oct 31 11:50:53 2012) [sssd[be[wedgeofli.me]]] [sysdb_search_groups] (0x0400): Search groups with filter: ((objectclass=group)((!(dataExpireTimestamp=0))(dataExpireTimestamp=1351698653))) (Wed Oct 31 11:50:53 2012) [sssd[be[wedgeofli.me]]] [cleanup_groups] (0x0100): Found 3 expired group entries! (Wed Oct 31 11:50:53 2012) [sssd[be[wedgeofli.me]]] [sysdb_search_users] (0x0400): Search users with filter: ((objectclass=user)(|(memberOf=name=nonexpiring,cn=groups,cn=wedgeofli.me ,cn=sysdb)(gidNumber=501))) (Wed Oct 31 11:50:53 2012) [sssd[be[wedgeofli.me]]] [sysdb_search_users] (0x0400): Search users with filter: ((objectclass=user)(|(memberOf=name=jtbays,cn=groups,cn=wedgeofli.me ,cn=sysdb)(gidNumber=1002))) (Wed Oct 31 11:50:53 2012) [sssd[be[wedgeofli.me]]] [sysdb_search_users] (0x0400): Search users with filter: ((objectclass=user)(|(memberOf=name=xmmgr,cn=groups,cn=wedgeofli.me ,cn=sysdb)(gidNumber=1015))) (Wed Oct 31 11:50:53 2012) [sssd[be[wedgeofli.me]]] [ldap_id_cleanup_set_timer] (0x0400): Scheduling next cleanup at 1351702253.2528 (Wed Oct 31 11:50:56 2012) [sssd[be[wedgeofli.me]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bretw] (Wed Oct 31 11:50:56 2012) [sssd[be[wedgeofli.me]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Wed Oct 31 11:50:56 2012) [sssd[be[wedgeofli.me]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of ' fs1.wedgeofli.me' in files (Wed Oct 31 11:50:56 2012) [sssd[be[wedgeofli.me]]] [set_server_common_status] (0x0100): Marking server 'fs1.wedgeofli.me' as 'resolving name' (Wed Oct 31 11:50:56 2012) [sssd[be[wedgeofli.me]]] [set_server_common_status] (0x0100): Marking server 'fs1.wedgeofli.me' as 'name resolved' (Wed Oct 31 11:50:56 2012) [sssd[be[wedgeofli.me]]] [be_resolve_server_done] (0x0200): Found address for server fs1.wedgeofli.me: [192.168.2.129] TTL 7200 (Wed Oct 31 11:50:56 2012) [sssd[be[wedgeofli.me]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://fs1.wedgeofli.me' (Wed Oct 31 11:50:56 2012) [sssd[be[wedgeofli.me]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting (Wed Oct 31 11:50:56 2012) [sssd[be[wedgeofli.me]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][]. (Wed Oct 31 11:50:56 2012) [sssd[be[wedgeofli.me]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Oct 31 11:50:56 2012) [sssd[be[wedgeofli.me]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/fs1.wedgeofli.me, WEDGEOFLI.ME, 86400) (Wed Oct 31 11:50:56 2012) [sssd[be[wedgeofli.me]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Wed Oct 31 11:50:56 2012) [sssd[be[wedgeofli.me]]] [be_resolve_server_done] (0x0200): Found address for server fs1.wedgeofli.me: [192.168.2.129] TTL 7200 (Wed Oct 31 11:50:56 2012) [sssd[be[wedgeofli.me]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child (Wed Oct 31 11:50:56 2012) [sssd[be[wedgeofli.me]]] [write_pipe_handler] (0x0400): All data has been sent! (Wed Oct 31 11:50:56 2012) [sssd[be[wedgeofli.me]]] [read_pipe_handler] (0x0400): EOF received, client finished (Wed Oct 31 11:50:56 2012) [sssd[be[wedgeofli.me]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_WEDGEOFLI.ME], expired on [1351785056] (Wed Oct 31 11:50:56 2012) [sssd[be[wedgeofli.me]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/fs1.wedgeofli.me (Wed Oct 31 11:50:56 2012) [sssd[be[wedgeofli.me]]] [child_sig_handler] (0x0100): child [17655] finished successfully. (Wed Oct 31 11:50:56 2012) [sssd[be[wedgeofli.me]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'fs1.wedgeofli.me' as 'working' (Wed Oct 31 11:50:56 2012) [sssd[be[wedgeofli.me]]] [set_server_common_status] (0x0100): Marking server 'fs1.wedgeofli.me' as 'working' (Wed Oct 31 11:50:56 2012) [sssd[be[wedgeofli.me]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=wedgeofli,dc=me] (Wed Oct 31 11:50:56 2012) [sssd[be[wedgeofli.me]]] [sdap_get_generic_ext_step] (0x0400):
Re: [Freeipa-users] Sudo not working
Bret Wortman wrote: I had enabled debugging of sudo but am not clear on where that debugging is going. It's not stdout, and I'm not seeing anything in /var/log/messages. I'll try switching to SSS and see what that gets me. What distro is this? If it is RHEL 6.3 then put the configuration into /etc/sudo-ldap.conf instead of /etc/nslcd. The docs are incorrect (we are working on getting them fixed). rob On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher sgall...@redhat.com mailto:sgall...@redhat.com wrote: On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman wrote: I'm pretty certain there's a painfully simple solution to this that I'm not seeing, but my current configuration isn't picking up the freeipa sudoer rule that I've set. /etc/nsswitch.conf specifies: sudoers:files ldap /etc/nslcd.conf contains: binddn uid=sudo,cn=sysaccounts,cn=__etc,dc=wedgeofli,dc=me bindpw password ssl start_tls tls_cacertfile /etc/ipa/ca.crt tls_checkpeer yes bind_timelimit 5 timelimit 15 uri ldap://fs1.wedgeofli.me http://fs1.wedgeofli.me http://fs1.wedgeofli.me sudoers_base ou=SUDOers,dc=wedgeofli,dc=me The sssd_DOMAIN.log file contains this when I try to sudo: snip The SSSD logs aren't showing anything wrong because they have nothing to do with the execution of the SUDO rules in this situation. All the SSSD is doing is verifying the authentication (when sudo prompts you for your password). The problem with the rule is most likely happening inside SUDO itself. When you specify 'sudoers: files, ldap' in nsswitch.conf, it's telling SUDO to use its own internal LDAP driver to look up the rules. So you need to check sudo logs to see what's happening (probably you will need to enable debug logging in /etc/sudo.conf). Recent versions of SUDO (1.8.6 and later) have support for setting 'sudoers: files, sss' in nsswitch.conf which DOES use SSSD (1.9.0 and later) for lookups (and caching) of sudo rules. -- Bret Wortman The Damascus Group Fairfax, VA http://bretwortman.com/ http://twitter.com/BretWortman -- Bret Wortman The Damascus Group Fairfax, VA http://bretwortman.com/ http://twitter.com/BretWortman ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Sudo not working
F17. On Wed, Oct 31, 2012 at 2:04 PM, Rob Crittenden rcrit...@redhat.com wrote: Bret Wortman wrote: I had enabled debugging of sudo but am not clear on where that debugging is going. It's not stdout, and I'm not seeing anything in /var/log/messages. I'll try switching to SSS and see what that gets me. What distro is this? If it is RHEL 6.3 then put the configuration into /etc/sudo-ldap.conf instead of /etc/nslcd. The docs are incorrect (we are working on getting them fixed). rob On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher sgall...@redhat.com mailto:sgall...@redhat.com wrote: On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman wrote: I'm pretty certain there's a painfully simple solution to this that I'm not seeing, but my current configuration isn't picking up the freeipa sudoer rule that I've set. /etc/nsswitch.conf specifies: sudoers:files ldap /etc/nslcd.conf contains: binddn uid=sudo,cn=sysaccounts,cn=__**etc,dc=wedgeofli,dc=me bindpw password ssl start_tls tls_cacertfile /etc/ipa/ca.crt tls_checkpeer yes bind_timelimit 5 timelimit 15 uri ldap://fs1.wedgeofli.me http://fs1.wedgeofli.me http://fs1.wedgeofli.me sudoers_base ou=SUDOers,dc=wedgeofli,dc=me The sssd_DOMAIN.log file contains this when I try to sudo: snip The SSSD logs aren't showing anything wrong because they have nothing to do with the execution of the SUDO rules in this situation. All the SSSD is doing is verifying the authentication (when sudo prompts you for your password). The problem with the rule is most likely happening inside SUDO itself. When you specify 'sudoers: files, ldap' in nsswitch.conf, it's telling SUDO to use its own internal LDAP driver to look up the rules. So you need to check sudo logs to see what's happening (probably you will need to enable debug logging in /etc/sudo.conf). Recent versions of SUDO (1.8.6 and later) have support for setting 'sudoers: files, sss' in nsswitch.conf which DOES use SSSD (1.9.0 and later) for lookups (and caching) of sudo rules. -- Bret Wortman The Damascus Group Fairfax, VA http://bretwortman.com/ http://twitter.com/BretWortman -- Bret Wortman The Damascus Group Fairfax, VA http://bretwortman.com/ http://twitter.com/BretWortman __**_ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/**mailman/listinfo/freeipa-usershttps://www.redhat.com/mailman/listinfo/freeipa-users -- Bret Wortman The Damascus Group Fairfax, VA http://bretwortman.com/ http://twitter.com/BretWortman ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Sudo not working
[root@fs1 etc]# more /etc/ldap.conf sudoers_debug: 1 [root@fs1 etc]# ls -l /etc/ldap.conf -rw-r--r--. 1 root root 17 Oct 19 14:54 /etc/ldap.conf Where should I see the extra output? I've had this set since last Friday and I'm not seeing any difference. On Wed, Oct 31, 2012 at 2:20 PM, Rob Crittenden rcrit...@redhat.com wrote: Bret Wortman wrote: F17. I think you want /etc/ldap.conf then. The easiest way to be sure the right file is being used is to add sudoers_debug 1 to the file. This will present a lot of extra output so you'll know the file is being read. rob On Wed, Oct 31, 2012 at 2:04 PM, Rob Crittenden rcrit...@redhat.com mailto:rcrit...@redhat.com wrote: Bret Wortman wrote: I had enabled debugging of sudo but am not clear on where that debugging is going. It's not stdout, and I'm not seeing anything in /var/log/messages. I'll try switching to SSS and see what that gets me. What distro is this? If it is RHEL 6.3 then put the configuration into /etc/sudo-ldap.conf instead of /etc/nslcd. The docs are incorrect (we are working on getting them fixed). rob On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher sgall...@redhat.com mailto:sgall...@redhat.com mailto:sgall...@redhat.com mailto:sgall...@redhat.com wrote: On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman wrote: I'm pretty certain there's a painfully simple solution to this that I'm not seeing, but my current configuration isn't picking up the freeipa sudoer rule that I've set. /etc/nsswitch.conf specifies: sudoers:files ldap /etc/nslcd.conf contains: binddn uid=sudo,cn=sysaccounts,cn=___**_etc,dc=wedgeofli,dc=me bindpw password ssl start_tls tls_cacertfile /etc/ipa/ca.crt tls_checkpeer yes bind_timelimit 5 timelimit 15 uri ldap://fs1.wedgeofli.me http://fs1.wedgeofli.me http://fs1.wedgeofli.me http://fs1.wedgeofli.me sudoers_base ou=SUDOers,dc=wedgeofli,dc=me The sssd_DOMAIN.log file contains this when I try to sudo: snip The SSSD logs aren't showing anything wrong because they have nothing to do with the execution of the SUDO rules in this situation. All the SSSD is doing is verifying the authentication (when sudo prompts you for your password). The problem with the rule is most likely happening inside SUDO itself. When you specify 'sudoers: files, ldap' in nsswitch.conf, it's telling SUDO to use its own internal LDAP driver to look up the rules. So you need to check sudo logs to see what's happening (probably you will need to enable debug logging in /etc/sudo.conf). Recent versions of SUDO (1.8.6 and later) have support for setting 'sudoers: files, sss' in nsswitch.conf which DOES use SSSD (1.9.0 and later) for lookups (and caching) of sudo rules. -- Bret Wortman The Damascus Group Fairfax, VA http://bretwortman.com/ http://twitter.com/BretWortman -- Bret Wortman The Damascus Group Fairfax, VA http://bretwortman.com/ http://twitter.com/BretWortman __**___ Freeipa-users mailing list Freeipa-users@redhat.com mailto:Freeipa-users@redhat.**comFreeipa-users@redhat.com https://www.redhat.com/__**mailman/listinfo/freeipa-usershttps://www.redhat.com/__mailman/listinfo/freeipa-users https://www.redhat.com/**mailman/listinfo/freeipa-usershttps://www.redhat.com/mailman/listinfo/freeipa-users ** -- Bret Wortman The Damascus Group Fairfax, VA http://bretwortman.com/ http://twitter.com/BretWortman __**_ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/**mailman/listinfo/freeipa-usershttps://www.redhat.com/mailman/listinfo/freeipa-users -- Bret Wortman The Damascus Group Fairfax, VA http://bretwortman.com/ http://twitter.com/BretWortman ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Sudo not working
Bret Wortman wrote: [root@fs1 etc]# more /etc/ldap.conf sudoers_debug: 1 [root@fs1 etc]# ls -l /etc/ldap.conf -rw-r--r--. 1 root root 17 Oct 19 14:54 /etc/ldap.conf Where should I see the extra output? I've had this set since last Friday and I'm not seeing any difference. Move the contents of /etc/nslcd.conf to this file and add ldap to sudoers in /etc/nsswitch.conf. rob On Wed, Oct 31, 2012 at 2:20 PM, Rob Crittenden rcrit...@redhat.com mailto:rcrit...@redhat.com wrote: Bret Wortman wrote: F17. I think you want /etc/ldap.conf then. The easiest way to be sure the right file is being used is to add sudoers_debug 1 to the file. This will present a lot of extra output so you'll know the file is being read. rob On Wed, Oct 31, 2012 at 2:04 PM, Rob Crittenden rcrit...@redhat.com mailto:rcrit...@redhat.com mailto:rcrit...@redhat.com mailto:rcrit...@redhat.com wrote: Bret Wortman wrote: I had enabled debugging of sudo but am not clear on where that debugging is going. It's not stdout, and I'm not seeing anything in /var/log/messages. I'll try switching to SSS and see what that gets me. What distro is this? If it is RHEL 6.3 then put the configuration into /etc/sudo-ldap.conf instead of /etc/nslcd. The docs are incorrect (we are working on getting them fixed). rob On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher sgall...@redhat.com mailto:sgall...@redhat.com mailto:sgall...@redhat.com mailto:sgall...@redhat.com mailto:sgall...@redhat.com mailto:sgall...@redhat.com mailto:sgall...@redhat.com mailto:sgall...@redhat.com wrote: On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman wrote: I'm pretty certain there's a painfully simple solution to this that I'm not seeing, but my current configuration isn't picking up the freeipa sudoer rule that I've set. /etc/nsswitch.conf specifies: sudoers:files ldap /etc/nslcd.conf contains: binddn uid=sudo,cn=sysaccounts,cn=__etc,dc=wedgeofli,dc=me bindpw password ssl start_tls tls_cacertfile /etc/ipa/ca.crt tls_checkpeer yes bind_timelimit 5 timelimit 15 uri ldap://fs1.wedgeofli.me http://fs1.wedgeofli.me http://fs1.wedgeofli.me http://fs1.wedgeofli.me http://fs1.wedgeofli.me sudoers_base ou=SUDOers,dc=wedgeofli,dc=me The sssd_DOMAIN.log file contains this when I try to sudo: snip The SSSD logs aren't showing anything wrong because they have nothing to do with the execution of the SUDO rules in this situation. All the SSSD is doing is verifying the authentication (when sudo prompts you for your password). The problem with the rule is most likely happening inside SUDO itself. When you specify 'sudoers: files, ldap' in nsswitch.conf, it's telling SUDO to use its own internal LDAP driver to look up the rules. So you need to check sudo logs to see what's happening (probably you will need to enable debug logging in /etc/sudo.conf). Recent versions of SUDO (1.8.6 and later) have support for setting 'sudoers: files, sss' in nsswitch.conf which DOES use SSSD (1.9.0 and later) for lookups (and caching) of sudo rules. -- Bret Wortman The Damascus Group Fairfax, VA http://bretwortman.com/ http://twitter.com/BretWortman -- Bret Wortman The Damascus Group Fairfax, VA http://bretwortman.com/ http://twitter.com/BretWortman ___ Freeipa-users mailing list Freeipa-users@redhat.com mailto:Freeipa-users@redhat.com mailto:Freeipa-users@redhat.__com mailto:Freeipa-users@redhat.com
Re: [Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix
On 10/30/2012 09:34 PM, Peter Brown wrote: Hi everyone, I have been trying to work out how to achieve this. I have freeipa 3.0.0 setup on a Fedora 18 server and I have postfix and dovecot on my new mail server authenticating against Freeipa. One last thing I would love to do it pull down the virtual users and aliases for the domains my mailserver will be serving from freeipa. Is this possible? Is this all automatic due to sssd looking up the user details in the ds? Does it do the same for domains and email aliases or will I need extra lookups to achieve this. Thanks in advance. Pete. ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users I am not sure if anything on those pages is relevant to what you are trying to accomplish but they talk about FreeIPA and dovecot integration: http://www.freeipa.org/page/Dovecot_Integration http://www.freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On If not the author of the pages - Dale might have more experience with the similar environment and might have tried what you are looking for. HTH -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix
On Tue, Oct 30, 2012 at 6:34 PM, Peter Brown rendhal...@gmail.com wrote: Hi everyone, I have been trying to work out how to achieve this. I have freeipa 3.0.0 setup on a Fedora 18 server and I have postfix and dovecot on my new mail server authenticating against Freeipa. One last thing I would love to do it pull down the virtual users and aliases for the domains my mailserver will be serving from freeipa. Is this possible? Is this all automatic due to sssd looking up the user details in the ds? Does it do the same for domains and email aliases or will I need extra lookups to achieve this. I've recently built an entire mail system around FreeIPA and it works great. There are two parts to be concerned with: 1. Authentication - With Postfix, this is handled by saslauthd which can authenticate against Kerberos (using or not using sssd). I used Cyrus-IMAP for the mailstore which also uses saslauthd. Doveccot has it's own sasl built in which can authenticate against Kerberos or LDAP, thus it should work with IPA. 2. Configuration - With Postfix, you can set all different areas (e.g. virtual, aliases, etc.) to use LDAP lookup of configuration information. You are typically searching for the email address (mail attribute in IPA) and your search will generally return the userid (uid attribute) of where the mail is to be stored. I don't believe that Dovecot or Cyrus-IMAP have any way of maintaining any configuration in LDAP so you generally have to setup mailboxes and authorization information by hand using their tools. Steve ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix
On Wed, Oct 31, 2012 at 6:25 PM, Peter Brown rendhal...@gmail.com wrote: On 1 November 2012 08:20, Stephen Ingram sbing...@gmail.com wrote: On Tue, Oct 30, 2012 at 6:34 PM, Peter Brown rendhal...@gmail.com wrote: Hi everyone, I have been trying to work out how to achieve this. I have freeipa 3.0.0 setup on a Fedora 18 server and I have postfix and dovecot on my new mail server authenticating against Freeipa. One last thing I would love to do it pull down the virtual users and aliases for the domains my mailserver will be serving from freeipa. Is this possible? Is this all automatic due to sssd looking up the user details in the ds? Does it do the same for domains and email aliases or will I need extra lookups to achieve this. I've recently built an entire mail system around FreeIPA and it works great. There are two parts to be concerned with: 1. Authentication - With Postfix, this is handled by saslauthd which can authenticate against Kerberos (using or not using sssd). I used Cyrus-IMAP for the mailstore which also uses saslauthd. Doveccot has it's own sasl built in which can authenticate against Kerberos or LDAP, thus it should work with IPA. I have dovecot authing against freeipa (via pam)and I setup a sasl auth instance in dovecot and have postfix authing against that. I figured why setup another sasl auth daemon when dovecot can do it for me so they effectively use the same authentication source. 2. Configuration - With Postfix, you can set all different areas (e.g. virtual, aliases, etc.) to use LDAP lookup of configuration information. You are typically searching for the email address (mail attribute in IPA) and your search will generally return the userid (uid attribute) of where the mail is to be stored. I don't believe that Dovecot or Cyrus-IMAP have any way of maintaining any configuration in LDAP so you generally have to setup mailboxes and authorization information by hand using their tools. I have most of that worked out but getting delivery addresses for domains that aren't the base is proving tricky. It's looking like I will need to add some extra schemas to the ds so i can add the delivery domain to each user and somehow use that to construct the delivery address. I am not sure I can do that though. I didn't really have to add anything except for one extra attribute. You can group your users into user groups representing the domains they belong to such that Postfix can query whether or not to accept for a domain or not. I added mailAlternateAddress for aliases rather than user multi-value attribute mail so I can have a master email address for each user. It was easy to do with the existing schema (mailRecipient objectclass). BTW if you haven't already figured it out, postmap -q is your friend when setting up your LDAP config in Postfix. Just keep adjusting everything until you get the answer you (and Postfix) expect. I am half tempted to add the extra components of 389-ds and see it that will let me do what I need. On a side note the freeipa lads seem to be working out how to add multitenancy support so it will be capable of serving multiple separate Kerberos principals. That would help a lot but I need to cobble something together now. Yes, if you want unique uid's within each domain you'll have to wait for that. I gave up on that notion and simply require unique uids for every user regardless of domain and deliver to single domain style mail store setup. Steve ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix
On 1 November 2012 15:07, Stephen Ingram sbing...@gmail.com wrote: On Wed, Oct 31, 2012 at 6:25 PM, Peter Brown rendhal...@gmail.com wrote: On 1 November 2012 08:20, Stephen Ingram sbing...@gmail.com wrote: On Tue, Oct 30, 2012 at 6:34 PM, Peter Brown rendhal...@gmail.com wrote: Hi everyone, I have been trying to work out how to achieve this. I have freeipa 3.0.0 setup on a Fedora 18 server and I have postfix and dovecot on my new mail server authenticating against Freeipa. One last thing I would love to do it pull down the virtual users and aliases for the domains my mailserver will be serving from freeipa. Is this possible? Is this all automatic due to sssd looking up the user details in the ds? Does it do the same for domains and email aliases or will I need extra lookups to achieve this. I've recently built an entire mail system around FreeIPA and it works great. There are two parts to be concerned with: 1. Authentication - With Postfix, this is handled by saslauthd which can authenticate against Kerberos (using or not using sssd). I used Cyrus-IMAP for the mailstore which also uses saslauthd. Doveccot has it's own sasl built in which can authenticate against Kerberos or LDAP, thus it should work with IPA. I have dovecot authing against freeipa (via pam)and I setup a sasl auth instance in dovecot and have postfix authing against that. I figured why setup another sasl auth daemon when dovecot can do it for me so they effectively use the same authentication source. 2. Configuration - With Postfix, you can set all different areas (e.g. virtual, aliases, etc.) to use LDAP lookup of configuration information. You are typically searching for the email address (mail attribute in IPA) and your search will generally return the userid (uid attribute) of where the mail is to be stored. I don't believe that Dovecot or Cyrus-IMAP have any way of maintaining any configuration in LDAP so you generally have to setup mailboxes and authorization information by hand using their tools. I have most of that worked out but getting delivery addresses for domains that aren't the base is proving tricky. It's looking like I will need to add some extra schemas to the ds so i can add the delivery domain to each user and somehow use that to construct the delivery address. I am not sure I can do that though. I didn't really have to add anything except for one extra attribute. You can group your users into user groups representing the domains they belong to such that Postfix can query whether or not to accept for a domain or not. I added mailAlternateAddress for aliases rather than user multi-value attribute mail so I can have a master email address for each user. It was easy to do with the existing schema (mailRecipient objectclass). BTW if you haven't already figured it out, postmap -q is your friend when setting up your LDAP config in Postfix. Just keep adjusting everything until you get the answer you (and Postfix) expect. I discovered that attribute when I was digging around in the ldif files and I was just wondering why they didn't use that for setting aliases. It would certainly make my ldap queries for postfix a lot simpler. I added the mailRecipient class to the defaults for users and tried to use the ipa user-mod --setattr=mailAlternateAddress= and it is telling me ipa: ERROR: attribute mailAlternateAddress not allowed I have also trying to set a few other non standard attributes that seem to be in the default schemas already and they all give me the same error. Am I missing something? I am half tempted to add the extra components of 389-ds and see it that will let me do what I need. On a side note the freeipa lads seem to be working out how to add multitenancy support so it will be capable of serving multiple separate Kerberos principals. That would help a lot but I need to cobble something together now. Yes, if you want unique uid's within each domain you'll have to wait for that. I gave up on that notion and simply require unique uids for every user regardless of domain and deliver to single domain style mail store setup. yeah that's tempting but I need to have separate domains. Steve ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users