[Freeipa-users] Connect OpenDirectory to FreeIPA

2013-09-27 Thread bwellsnc
I have a project that requires that I try to connect Apple OpenDirectory to
FreeIPA.  We have several Macs on site and it would be easier to control
access to these using OpenDirectory vs FreeIPA.  I want to use FreeIPA for
all other systems, like Windows and Linux.  Is there a way to connect
OpenDirectory to FreeIPA, or are there some schema changes to IPA to make it
easier to manage Mac OSX?  We are also currently using Jamf Casper to
control packages and there are several LDAP features that it needs.  Any
help would be appreciated.  Thanks!

Brent
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Lock account

2013-09-27 Thread cbul...@gmail.com
Thanks Rob for your prompt reply and info!

On 09/27/2013 03:53 PM, Rob Crittenden wrote:
> cbul...@gmail.com wrote:
>> Hi All,
>>
>> I would like to know if it is possible to lock a user account after an
>> inactive period of time.
> Not automatically, no. You'd need a cron job and an ldap query to find 
> inactive users (across all IPA masters), then lock those you find.
>
> rob
>



Re: [Freeipa-users] Lock account

2013-09-27 Thread Rob Crittenden

cbul...@gmail.com wrote:

Hi All,

I would like to know if it is possible to lock a user account after an
inactive period of time.


Not automatically, no. You'd need a cron job and an ldap query to find 
inactive users (across all IPA masters), then lock those you find.


rob

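Rob's suggestion above (a cron job plus an LDAP query across all masters), worked through as an added example that is not part of the thread. It merges per-master `krbLastSuccessfulAuth` values, because depending on server settings that attribute may be recorded only on the master that handled the authentication, so the newest value seen on any master wins; the LDIF below is constructed, and the `ldapsearch` command, base DN, 90-day cutoff and reference date are assumptions.

```python
"""Find IPA users whose last successful authentication is older than a cutoff."""
from datetime import datetime, timedelta, timezone

# Constructed sample data (hypothetical realm).  Each string is what
#   ldapsearch -LLL -b cn=users,cn=accounts,dc=example,dc=test \
#       '(objectClass=posixAccount)' uid krbLastSuccessfulAuth nsAccountLock
# would return on one master.  Timestamps are LDAP generalized time (UTC).
LDIF_MASTER1 = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbLastSuccessfulAuth: 20130601120000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
krbLastSuccessfulAuth: 20130501080000Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol

dn: uid=dave,cn=users,cn=accounts,dc=example,dc=test
uid: dave
krbLastSuccessfulAuth: 20130401080000Z
nsAccountLock: TRUE
"""

LDIF_MASTER2 = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbLastSuccessfulAuth: 20130510120000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
krbLastSuccessfulAuth: 20130925083000Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
"""

# Reference date for the sample data (assumption; use datetime.now(timezone.utc) live).
AS_OF = datetime(2013, 9, 27, tzinfo=timezone.utc)


def parse_ldif(text):
    """Minimal LDIF reader: yield one {attribute: [values]} dict per entry."""
    entry = {}
    for line in text.splitlines():
        if not line.strip():
            if entry:
                yield entry
                entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    if entry:
        yield entry


def parse_generalized_time(value):
    """Convert '20130601120000Z' into an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def merge_last_auth(ldif_per_master):
    """Collapse the per-master views into uid -> (newest last auth or None, locked)."""
    merged = {}
    for text in ldif_per_master:
        for entry in parse_ldif(text):
            uid = entry["uid"][0]
            last, locked = merged.get(uid, (None, False))
            for raw in entry.get("krbLastSuccessfulAuth", []):
                stamp = parse_generalized_time(raw)
                if last is None or stamp > last:
                    last = stamp  # keep the newest value seen on any master
            if entry.get("nsAccountLock", ["FALSE"])[0].upper() == "TRUE":
                locked = True
            merged[uid] = (last, locked)
    return merged


def inactive_users(ldif_per_master, now, max_idle_days):
    """Return (uids idle longer than max_idle_days, uids with no recorded login).

    Already-locked accounts are skipped; never-used accounts are reported
    separately so a freshly created user is not disabled by the cron job.
    """
    cutoff = now - timedelta(days=max_idle_days)
    idle, never = [], []
    for uid, (last, locked) in sorted(merge_last_auth(ldif_per_master).items()):
        if locked:
            continue
        if last is None:
            never.append(uid)
        elif last < cutoff:
            idle.append(uid)
    return idle, never


if __name__ == "__main__":
    idle, never = inactive_users([LDIF_MASTER1, LDIF_MASTER2], AS_OF, 90)
    for uid in idle:
        print(f"ipa user-disable {uid}")  # the cron job would run this
    for uid in never:
        print(f"# review: {uid} has never authenticated")
```

With only the first master's data, bob would be disabled although he logged in through the second master two days earlier, which is why the query has to cover every master.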


[Freeipa-users] Lock account

2013-09-27 Thread cbul...@gmail.com
Hi All,

I would like to know if it is possible to lock a user account after an
inactive period of time.

Thanks!



Re: [Freeipa-users] Accessing IPA servers on no-standard port

2013-09-27 Thread Chandan Kumar
Ticket created: Ticket #3955

--
http://about.me/chandank


On Fri, Sep 27, 2013 at 12:40 AM, Petr Spacek  wrote:

> On 27.9.2013 07:23, Chandan Kumar wrote:
>
>> Hi Rob,
>>
>> Thanks for the info. Sure I will create the ticket and will certainly try
>> to pick the low-hanging fruit :-)
>>
>>
>> --
>> http://about.me/chandank
>>
>>
>> On Thu, Sep 26, 2013 at 7:51 PM, Rob Crittenden 
>> wrote:
>>
>>> Chandan Kumar wrote:
>>>
>>>> Hello,
>>>>
>>>> I have basic configuration question, my apologies if it has already been
>>>> discussed.
>>>>
>>>> I have ipa-server-3 server installed with default parameters with
>>>> replication.
>>>>
>>>> We have Linux machines across different geo location and I would like to
>>>> integrate them into IPA server, however, I don't want external clients
>>>> to connect the server on standard port.
>>>>
>>>> For example, during ipa-client registration it requires all IPA services
>>>> to be running on default port.
>>>>
>>>> Such as: trying https://ipa01.my.net/ipa/xml
>>>>
>>>> kdc = ipa01.my.net:88
>>>> master_kdc = ipa01.my.net:88
>>>> admin_server = ipa01.my.net:749
>>>>
>>>> Is there any way in ipa-client-install or sssd file to instruct IPA
>>>> client to connect to IPA server on no-standard ports such as
>>>>
>>>> trying https://ipa01.my.net:8080/ipa/xml
>>>>
>>>> This way I don't have to allocate a separate IP or additional web server
>>>> to redirect the requests a simple NAT at firewall will do such as
>>>> external 8080 -> internal 443
>>>>
>>> Currently there is no way to do this. I'd have sworn we had a ticket to
>>> add this but a quick search didn't turn it up. If you'd like this
>>> supported feel free to open a ticket at
>>> https://fedorahosted.org/freeipa/newticket
>>>
>>>
>>> I don't think this would be tremendously difficult to do, the trick would
>>> be communicating the port to clients somehow while they are trying to
>>> enroll. A command-line option would probably be the shortest path.
>>>
>>> This may be decent low-hanging fruit if you're interested in being a
>>> contributor to IPA.
>>>
>>
> Speaking specifically about Kerberos, LDAP and NTP - it should be possible
> to change port number in SRV records in DNS and that is it. I'm not sure if
> client libraries really support this, but you can try it.
>
> HTTP and HTTPS will be more problematic because there are no SRV
> records for them.
>
> --
> Petr^2 Spacek
>

Re: [Freeipa-users] FreeIPA Master Slave Setup Client Configuration

2013-09-27 Thread Martin Kosek

On 09/27/2013 03:08 PM, Mohan Cheema wrote:

-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Friday, September 27, 2013 9:22 AM
To: Mohan Cheema
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA Master Slave Setup Client
Configuration

On 09/27/2013 06:45 AM, Mohan Cheema wrote:

Hi,

We have setup FreeIPA within our environment, the setup is master slave. We want
to know how we can configure clients to look to slave in case master server is
not available to authenticate the user.

Regards,

Mohan Cheema


FreeIPA replicas are master-master replicas by default. Can you please
elaborate how did you create the slave server?

About client configuration - can you use autodiscovery with DNS SRV records?
(the same as IPA uses for autodiscovery). You would just need to create DNS SRV
records for your slave server, with priority lower than the priority of master
server. Client should then look at the slave only if the master is not available.

HTH,
Martin



First installed the master server. Then we have used following command on
it.

ipa-replica-prepare kdc.domain.com

Transferred it to second server and ran following command

ipa-replica-install /var/lib/ipa/replica-info-kdc.domain.com


Ah, ok - this is standard master-master replication in FreeIPA. I.e. when you make a
modification in any of these servers, it is replicated to the other one too.


Haven't really checked whether, if I update one, the second master is updated.


It is.



About client configuration I cannot use the DNS server as the hosting is on
Amazon Web Service (AWS) and don't want to add another instance as we are on a
tight budget.
Cannot have DNS server on any of the servers as this setup is for compliance.

Regards,


Ok. If you are not using DNS, you could use a fixed list of IPA servers FQDNs 
when you are installing client. At least SSSD should use the first one as the 
primary point of contact and connect to the second one only if the first one is 
down.


# ipa-client-install --server first.ipa.server --server second.ipa.server 
--domain ipa.server --fixed-primary


Martin



Re: [Freeipa-users] FreeIPA Master Slave Setup Client Configuration

2013-09-27 Thread Mohan Cheema
> -Original Message-
> From: Martin Kosek [mailto:mko...@redhat.com]
> Sent: Friday, September 27, 2013 9:22 AM
> To: Mohan Cheema
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FreeIPA Master Slave Setup Client
> Configuration
> 
> On 09/27/2013 06:45 AM, Mohan Cheema wrote:
> > Hi,
> >
> > We have setup FreeIPA within our environment the setup is master
> > slave. We want to know how we can configure clients to look to slave
> > in case master server is not available to authenticate the user.
> >
> > Regards,
> >
> > Mohan Cheema
> 
> FreeIPA replicas are master-master replicas by default. Can you please
> elaborate how did you create the slave server?
> 
> About client configuration - can you use autodiscovery with DNS SRV
> records?
> (the same as IPA uses for autodiscovery). You would just need to create
> DNS SRV
> records for your slave server, with priority lower than the priority of
> master
> server. Client should then look at the slave only if the master is not
> available.
> 
> HTH,
> Martin


First installed the master server. Then we have used following command on
it.

ipa-replica-prepare kdc.domain.com

Transferred it to second server and ran following command

ipa-replica-install /var/lib/ipa/replica-info-kdc.domain.com

Haven't really checked whether, if I update one, the second master is updated.

About client configuration I cannot use the DNS server as the hosting is on
Amazon Web Service (AWS) and don't want to add another instance as we are on a
tight budget.
Cannot have DNS server on any of the servers as this setup is for compliance.

Regards,




[Freeipa-users] Startup issue with dirsrv using slapi-nis

2013-09-27 Thread Ade
Hi

I have a dirsrv server using the slapi-nis plugin to provide 190+ NIS
maps. It works well apart from one issue - boot up.

If I do a reboot, the dirsrv starts up ok, but slapi-nis doesn't seem
to register with rpc - logging in and restarting dirsrv fixes it.

I tried disabling dirsrv and putting a start into rc.local - exactly the same.

I tried disabling dirsrv and putting a start into rc.local with a
sleep 120 first, and this works!!

So it seems like it needs something to start up and settle first - any
ideas? I can see that rpcbind starts before dirsrv. I even wrote a
small script that waits for rpcinfo -p to return non-zero before
continuing to start dirsrv - didn't work.



Re: [Freeipa-users] Force IPA to accept password?

2013-09-27 Thread Innes, Duncan
 

> -Original Message-
> From: Martin Kosek [mailto:mko...@redhat.com] 
> Sent: 27 September 2013 10:17
> To: Innes, Duncan
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Force IPA to accept password?
> 
> On 09/27/2013 11:03 AM, Innes, Duncan wrote:
> >> From: Martin Kosek [mailto:mko...@redhat.com]
> >> Sent: 27 September 2013 09:28
> >> To: Innes, Duncan
> >> Cc: freeipa-users@redhat.com
> >> Subject: Re: [Freeipa-users] Force IPA to accept password?
> >>
> >> On 09/27/2013 09:31 AM, Innes, Duncan wrote:
> >>>
> >>>
>  From: freeipa-users-boun...@redhat.com 
>  [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Sumit Bose
>  Sent: 26 September 2013 17:36
>  To: freeipa-users@redhat.com
>  Subject: Re: [Freeipa-users] Force IPA to accept password?
> >> ...
>  Which command did you use to change the password? 'passwd' or
>  'ipa passwd'?
> 
>  If you use 'passwd' the PAM stack on the client for the passwd
>  command comes into play which typically has some modules like
>  pam_pwquality.so listed which do checks including dictionary
>  checks.
> 
>  If you use 'ipa passwd' the password should be only validated
>  against the server-side password policy Martin mentioned above.
> >>>
> >>> Sumit, yes - I used 'passwd'.  I'll look into using 'ipa passwd'
> >>> in about 3 months time :-)
> >>
> >> Eh, ok :-) BTW, you could also use standard kpasswd, it should also
> >> avoid modules like pam_pwquality.so and only use the server policy.
> >>
> >> Martin
> >>
> >
> > OK - this is opening my eyes somewhat.  I know about the password 
> > policy section of IPA, but there doesn't appear to be anywhere to 
> > control the quality of the password.  Is this done by PAM on the 
> > server?  If it's not, how do I enforce things like ensuring at least
> > 1 upper case, 1 lower case, 1 number and 1 special character?  I
> > don't see that in the docs.
> 
> This should help:
> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/user-pwdpolicy.html
> 
> You can control character classes - if you set that for
> example to 3, passwords need to have at least:
> - one number, one lower-case char, one upper-case char OR
> - one number, one special char, one lower case char.
> 
> You can also set minimal length. These 2 options should
> provide the settings you requested.
> 
> Note that the policy is not related to PAM, it is required by
> an LDAP server plugin on FreeIPA server - so that it affects
> all possible password changes - like "ldapasswd", "passwd",
> "kpasswd" and others.
> 
> >
> > Would like to be able to ensure that the minimum password policy is
> > centralised rather than perhaps having an erroneous strict policy on a
> > few machines.
> 
> +1. You can set that centrally on server, you can even set different
> policies for different groups. It can just happen that pam_pwquality.so
> may interfere (as we found out) and add its own password quality
> requirements on top of FreeIPA centralized ones.
> 
> Martin
> 

Brilliant.  Thanks Martin. I either hadn't seen minclasses or had
completely overlooked it.  I'll just have to be careful about my local
password policies I guess.

Duncan

This message has been checked for viruses and spam by the Virgin Money email 
scanning system powered by Messagelabs.



This e-mail is intended to be confidential to the recipient. If you receive a 
copy in error, please inform the sender and then delete this message.

Virgin Money plc - Registered in England and Wales (Company no. 6952311). 
Registered office - Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL. 
Virgin Money plc is authorised by the Prudential Regulation Authority and 
regulated by the Financial Conduct Authority and the Prudential Regulation 
Authority.

The following companies also trade as Virgin Money. They are both authorised 
and regulated by the Financial Conduct Authority, are registered in England and 
Wales and have their registered office at Discovery House, Whiting Road, 
Norwich NR4 6EJ: Virgin Money Personal Financial Service Limited (Company no. 
3072766) and Virgin Money Unit Trust Managers Limited (Company no. 3000482).

For further details of Virgin Money group companies please visit our website at 
virginmoney.com



Re: [Freeipa-users] Force IPA to accept password?

2013-09-27 Thread Martin Kosek

On 09/27/2013 11:14 AM, Sumit Bose wrote:

On Fri, Sep 27, 2013 at 10:27:30AM +0200, Martin Kosek wrote:

On 09/27/2013 09:31 AM, Innes, Duncan wrote:

-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Sumit Bose
Sent: 26 September 2013 17:36
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Force IPA to accept password?

...

Which command did you use to change the password? 'passwd' or
'ipa passwd'?

If you use 'passwd' the PAM stack on the client for the
passwd command comes into play which typically has some
modules like pam_pwquality.so listed which do checks
including dictionary checks.

If you use 'ipa passwd' the password should be only validated
against the server-side password policy Martin mentioned above.


Sumit, yes - I used 'passwd'.  I'll look into using 'ipa passwd' in
about 3 months time :-)


Eh, ok :-) BTW, you could also use standard kpasswd, it should also
avoid modules like pam_pwquality.so and only use the server policy.


Martin, pam_pwquality has an option called 'local_users_only'. According
to bz849072 it should be set by default since F18 but it looks like it
is not set in F19. Should we open a ticket to investigate it?

bye,
Sumit


Hmm, you are right. I found the original bug:
https://bugzilla.redhat.com/show_bug.cgi?id=849072

... and filed a new bug for Fedora 19 so that this can be fixed:
https://bugzilla.redhat.com/show_bug.cgi?id=1012854

Martin



Re: [Freeipa-users] Force IPA to accept password?

2013-09-27 Thread Martin Kosek

On 09/27/2013 11:03 AM, Innes, Duncan wrote:

From: Martin Kosek [mailto:mko...@redhat.com]
Sent: 27 September 2013 09:28
To: Innes, Duncan
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Force IPA to accept password?

On 09/27/2013 09:31 AM, Innes, Duncan wrote:

From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Sumit Bose
Sent: 26 September 2013 17:36
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Force IPA to accept password?

...

Which command did you use to change the password? 'passwd' or 'ipa
passwd'?

If you use 'passwd' the PAM stack on the client for the passwd
command comes into play which typically has some modules like
pam_pwquality.so listed which do checks including dictionary
checks.

If you use 'ipa passwd' the password should be only validated
against the server-side password policy Martin mentioned above.


Sumit, yes - I used 'passwd'.  I'll look into using 'ipa passwd' in
about 3 months time :-)


Eh, ok :-) BTW, you could also use standard kpasswd, it should
also avoid modules like pam_pwquality.so and only use the
server policy.

Martin



OK - this is opening my eyes somewhat.  I know about the password policy
section of IPA, but there doesn't appear to be anywhere to control the
quality of the password.  Is this done by PAM on the server?  If it's not,
how do I enforce things like ensuring at least 1 upper case, 1 lower case,
1 number and 1 special character?  I don't see that in the docs.


This should help:
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/user-pwdpolicy.html

You can control character classes - if you set that for example to 3, passwords
need to have at least:

- one number, one lower-case char, one upper-case char
OR
- one number, one special char, one lower case char.

You can also set minimal length. These 2 options should provide the settings
you requested.


Note that the policy is not related to PAM, it is required by an LDAP server
plugin on FreeIPA server - so that it affects all possible password changes -
like "ldapasswd", "passwd", "kpasswd" and others.




Would like to be able to ensure that the minimum password policy is
centralised rather than perhaps having an erroneous strict policy on a few
machines.


+1. You can set that centrally on server, you can even set different policies
for different groups. It can just happen that pam_pwquality.so may interfere
(as we found out) and add its own password quality requirements on top of
FreeIPA centralized ones.


Martin

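The minlength/minclasses logic Martin describes, as an added example that is not FreeIPA's own plugin code: it counts the four character classes named in the thread and reports which of the two knobs (`ipa pwpolicy-mod --minlength` / `--minclasses`) a candidate password violates. Assumptions: the real server-side plugin may apply further rules, and pam_pwquality on the client adds its own dictionary check on top, which this does not model.

```python
"""Check a candidate password against minlength/minclasses as the thread describes."""
import string

# The four character classes named in the thread.  Assumption: FreeIPA's own
# plugin may count additional classes; this models only the two policy knobs
# discussed above.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def character_classes(password):
    """Return the set of class names present in the password."""
    return {name for name, members in CLASSES.items()
            if any(ch in members for ch in password)}


def check_policy(password, minlength=8, minclasses=0):
    """Return the list of violated rules; an empty list means the password passes."""
    failures = []
    if len(password) < minlength:
        failures.append(f"length {len(password)} is below minlength {minlength}")
    present = character_classes(password)
    if len(present) < minclasses:
        names = ", ".join(sorted(present)) or "none"
        failures.append(f"only {len(present)} character class(es) ({names}), "
                        f"minclasses is {minclasses}")
    return failures


if __name__ == "__main__":
    # Martin's two combinations for minclasses=3 both pass; a lower-case-only
    # word of sufficient length fails on classes, not on length.
    for candidate in ("Passw0rd", "passw0rd!", "password"):
        print(candidate, check_policy(candidate, minlength=8, minclasses=3) or "ok")
```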


Re: [Freeipa-users] Force IPA to accept password?

2013-09-27 Thread Sumit Bose
On Fri, Sep 27, 2013 at 10:27:30AM +0200, Martin Kosek wrote:
> On 09/27/2013 09:31 AM, Innes, Duncan wrote:
> >
> >
> >>-Original Message-
> >>From: freeipa-users-boun...@redhat.com
> >>[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Sumit Bose
> >>Sent: 26 September 2013 17:36
> >>To: freeipa-users@redhat.com
> >>Subject: Re: [Freeipa-users] Force IPA to accept password?
> ...
> >>Which command did you use to change the password? 'passwd' or
> >>'ipa passwd'?
> >>
> >>If you use 'passwd' the PAM stack on the client for the
> >>passwd command comes into play which typically has some
> >>modules like pam_pwquality.so listed which do checks
> >>including dictionary checks.
> >>
> >>If you use 'ipa passwd' the password should be only validated
> >>against the server-side password policy Martin mentioned above.
> >
> >Sumit, yes - I used 'passwd'.  I'll look into using 'ipa passwd' in
> >about 3 months time :-)
> 
> Eh, ok :-) BTW, you could also use standard kpasswd, it should also
> avoid modules like pam_pwquality.so and only use the server policy.

Martin, pam_pwquality has an option called 'local_users_only'. According
to bz849072 it should be set by default since F18 but it looks like it
is not set in F19. Should we open a ticket to investigate it?

bye,
Sumit
> 
> Martin
> 


Re: [Freeipa-users] Force IPA to accept password?

2013-09-27 Thread Innes, Duncan
> From: Martin Kosek [mailto:mko...@redhat.com] 
> Sent: 27 September 2013 09:28
> To: Innes, Duncan
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Force IPA to accept password?
> 
> On 09/27/2013 09:31 AM, Innes, Duncan wrote:
> >
> >
> >> From: freeipa-users-boun...@redhat.com 
> >> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Sumit Bose
> >> Sent: 26 September 2013 17:36
> >> To: freeipa-users@redhat.com
> >> Subject: Re: [Freeipa-users] Force IPA to accept password?
> ...
> >> Which command did you use to change the password? 'passwd' or 'ipa
> >> passwd'?
> >>
> >> If you use 'passwd' the PAM stack on the client for the passwd
> >> command comes into play which typically has some modules like
> >> pam_pwquality.so listed which do checks including dictionary
> >> checks.
> >>
> >> If you use 'ipa passwd' the password should be only validated
> >> against the server-side password policy Martin mentioned above.
> >
> > Sumit, yes - I used 'passwd'.  I'll look into using 'ipa passwd' in
> > about 3 months time :-)
> 
> Eh, ok :-) BTW, you could also use standard kpasswd, it should
> also avoid modules like pam_pwquality.so and only use the
> server policy.
> 
> Martin
> 

OK - this is opening my eyes somewhat.  I know about the password policy
section of IPA, but there doesn't appear to be anywhere to control the
quality of the password.  Is this done by PAM on the server?  If it's not,
how do I enforce things like ensuring at least 1 upper case, 1 lower case,
1 number and 1 special character?  I don't see that in the docs.

Would like to be able to ensure that the minimum password policy is
centralised rather than perhaps having an erroneous strict policy on a few
machines.

Thanks

Duncan



Re: [Freeipa-users] Force IPA to accept password?

2013-09-27 Thread Martin Kosek

On 09/27/2013 09:31 AM, Innes, Duncan wrote:

-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Sumit Bose
Sent: 26 September 2013 17:36
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Force IPA to accept password?

...

Which command did you use to change the password? 'passwd' or
'ipa passwd'?

If you use 'passwd' the PAM stack on the client for the
passwd command comes into play which typically has some
modules like pam_pwquality.so listed which do checks
including dictionary checks.

If you use 'ipa passwd' the password should be only validated
against the server-side password policy Martin mentioned above.


Sumit, yes - I used 'passwd'.  I'll look into using 'ipa passwd' in
about 3 months time :-)


Eh, ok :-) BTW, you could also use standard kpasswd, it should also avoid modules
like pam_pwquality.so and only use the server policy.


Martin



Re: [Freeipa-users] FreeIPA Master Slave Setup Client Configuration

2013-09-27 Thread Martin Kosek

On 09/27/2013 06:45 AM, Mohan Cheema wrote:

Hi,

We have setup FreeIPA within our environment, the setup is master slave. We want
to know how we can configure clients to look to slave in case master server is
not available to authenticate the user.

Regards,

Mohan Cheema


FreeIPA replicas are master-master replicas by default. Can you please 
elaborate how did you create the slave server?


About client configuration - can you use autodiscovery with DNS SRV records? 
(the same as IPA uses for autodiscovery). You would just need to create DNS SRV 
records for your slave server, with priority lower than the priority of master 
server. Client should then look at the slave only if the master is not available.


HTH,
Martin



Re: [Freeipa-users] Accessing IPA servers on no-standard port

2013-09-27 Thread Petr Spacek

On 27.9.2013 07:23, Chandan Kumar wrote:

Hi Rob,

Thanks for the info. Sure I will create the ticket and will certainly try
to pick the low-hanging fruit :-)


--
http://about.me/chandank


On Thu, Sep 26, 2013 at 7:51 PM, Rob Crittenden  wrote:


Chandan Kumar wrote:


Hello,

I have basic configuration question, my apologies if it has already been
discussed.

I have ipa-server-3 server installed with default parameters with
replication.

We have Linux machines across different geo location and I would like to
integrate them into IPA server, however, I don't want external clients
to connect the server on standard port.

For example, during ipa-client registration it requires all IPA services
to be running on default port.

Such as : trying https://ipa01.my.net/ipa/xml

kdc = ipa01.my.net:88 
master_kdc = ipa01.my.net:88 
admin_server = ipa01.my.net:749 


Is there any way in ipa-client-install or sssd file to instruct IPA
client to connect to IPA server on no-standard ports such as

trying https://ipa01.my.net:8080/ipa/xml

This way I don't have to allocate a separate IP or additional web server
to redirect the requests a simple NAT at firewall will do such as
external 8080 -> internal 443



Currently there is no way to do this. I'd have sworn we had a ticket to
add this but a quick search didn't turn it up. If you'd like this supported
feel free to open a ticket at 
https://fedorahosted.org/freeipa/newticket

I don't think this would be tremendously difficult to do, the trick would
be communicating the port to clients somehow while they are trying to
enroll. A command-line option would probably be the shortest path.

This may be decent low-hanging fruit if you're interested in being a
contributor to IPA.


Speaking specifically about Kerberos, LDAP and NTP - it should be possible to 
change port number in SRV records in DNS and that is it. I'm not sure if 
client libraries really support this, but you can try it.


HTTP and HTTPS will be more problematic because there are no SRV records
for them.


--
Petr^2 Spacek

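Petr's point here (for Kerberos, LDAP and NTP the port is carried inside the SRV record) and Martin's point in the master/slave thread (a replica is used only when the master is unavailable, via SRV priority) rest on the same mechanism, RFC 2782 server selection. This added example, not part of either message, implements that selection over a constructed zone fragment for the hypothetical domain example.test; the `unreachable` set stands in for hosts a client has already failed to reach. Note that a lower SRV priority value is tried first, so the less-preferred replica gets the larger number.

```python
"""RFC 2782 ordering of SRV records, as an IPA client uses them for failover."""
import random

# Constructed zone fragment for a hypothetical domain.  One master (ipa01) and
# one replica (ipa02); the replica carries a larger priority value, so it is
# tried only when every lower-priority target is unreachable.  The Kerberos
# records show a non-standard port carried inside the record itself.
ZONE = """\
_ldap._tcp.example.test.      300 IN SRV  0 100 389  ipa01.example.test.
_ldap._tcp.example.test.      300 IN SRV 10 100 389  ipa02.example.test.
_kerberos._udp.example.test.  300 IN SRV  0 100 8088 ipa01.example.test.
_kerberos._udp.example.test.  300 IN SRV 10 100 8088 ipa02.example.test.
"""


def parse_srv(zone_text):
    """Group SRV lines by owner name -> list of record dicts."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[3].upper() != "SRV":
            continue  # blank line, comment, or some other record type
        name, _ttl, _cls, _type, prio, weight, port, target = fields
        records.setdefault(name.rstrip("."), []).append({
            "priority": int(prio), "weight": int(weight),
            "port": int(port), "target": target.rstrip("."),
        })
    return records


def order_srv(rrset, rng=random):
    """Order one RRset per RFC 2782: ascending priority, weighted random within a priority."""
    by_priority = {}
    for rr in rrset:
        by_priority.setdefault(rr["priority"], []).append(rr)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(rr["weight"] for rr in pool)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for rr in pool:
                running += rr["weight"]
                if running >= pick:  # first record whose running weight reaches the pick
                    ordered.append(rr)
                    pool.remove(rr)
                    break
    return ordered


def contact_order(records, service, domain, unreachable=()):
    """(target, port) pairs in the order a client should try them, skipping dead hosts."""
    rrset = records.get(f"{service}.{domain}", [])
    return [(rr["target"], rr["port"]) for rr in order_srv(rrset)
            if rr["target"] not in unreachable]


if __name__ == "__main__":
    recs = parse_srv(ZONE)
    print("ldap, all up:     ", contact_order(recs, "_ldap._tcp", "example.test"))
    print("ldap, master down:", contact_order(recs, "_ldap._tcp", "example.test",
                                               unreachable={"ipa01.example.test"}))
    print("kerberos port:    ", contact_order(recs, "_kerberos._udp", "example.test"))
```

There is no `_http._tcp` entry in the zone, which is exactly why the HTTP/HTTPS port cannot be moved this way.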


Re: [Freeipa-users] Force IPA to accept password?

2013-09-27 Thread Innes, Duncan
 

> -Original Message-
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Sumit Bose
> Sent: 26 September 2013 17:36
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Force IPA to accept password?
> 
> On Thu, Sep 26, 2013 at 02:58:43PM +0100, Innes, Duncan wrote:
> > Sorry,
> > 
> > > -Original Message-
> > > From: Martin Kosek [mailto:mko...@redhat.com]
> > > Sent: 26 September 2013 14:29
> > > To: Innes, Duncan
> > > Cc: freeipa-users@redhat.com
> > > Subject: Re: [Freeipa-users] Force IPA to accept password?
> > > 
> > > On 09/26/2013 01:05 PM, Innes, Duncan wrote:
> > > > Hi,
> > > > 
> > > > Can I force IPA to accept a new password that I have chosen?
> > > 
> > > What password do you have in mind? A password of an IPA user?
> > > 
> > 
> > Yes - for my authentication when SSHing onto a Linux box.
> > 
> > > > 
> > > > Today I've had to change my password in 2x AD domains and other 
> > > > places according to policy.  I've done this.
> > > > 
> > > > But coming to IPA, I find that I've chosen a "BAD PASSWORD".  
> > > > Without getting into the merits of the AD password policy
> > > > and the security of the password I've chosen, can I force IPA 
> > > > to accept my new password at all?
> > > 
> > > Well, without getting into security of the approach, you could 
> > > change the global password policy or group password policy so
> > > that the new password is accepted:
> > > 
> > > $ ipa pwpolicy-mod --minlength=5
> > > 
> > > or
> > > 
> > > $ ipa pwpolicy-add usergroup --minlength=5
> > > 
> > > ... to "fix" whatever failing password policy attribute.
> > >
> > 
> > The error comes from a dictionary check I think.  AD does as well
> > as far as I know, but would appear to have a smaller dictionary or
> > looser rules.
> > 
> > Kind of what I expected/feared though.  I don't want to change the
> > IPA policy at all, just override its objection.  For now, I went
> > the long route and changed my IPA password first, then changed the
> > other passwords to match what IPA was happy with.
> 
> Which command did you use to change the password? 'passwd' or 
> 'ipa passwd'?
> 
> If you use 'passwd' the PAM stack on the client for the 
> passwd command comes into play which typically has some 
> modules like pam_pwquality.so listed which do checks 
> including dictionary checks.
> 
> If you use 'ipa passwd' the password should be only validated 
> against the server-side password policy Martin mentioned above.

Sumit, yes - I used 'passwd'.  I'll look into using 'ipa passwd' in
about
3 months time :-)

Thanks

> 
> HTH
> 
> bye,
> Sumit
> > 
> > > HTH,
> > > Martin
> > > 
> > 
> > Cheers & thanks for your help
> > 
> > Duncan
> > 
