Re: [Freeipa-users] Deploying freeipa behind nginx
On Tue, Jan 28, 2014 at 02:29:07PM -0800, Steve Severance wrote: Hi Everyone, I have deployed freeipa inside our production network. I want to be able to access the web ui so I am attempting to add it to our nginx edge machine. I can pass the requests upstream just fine but I am unable to login using a username/password. I have enabled password authentication in the kerberos section of the freeipa httpd config file. In the logs it looks like the authentication succeeds and a ticket is issued. I assume that the cookie that is returned (ipa_session) has the authentication information in it. The subsequent call to get json data fails and I am prompted to login again. I found this thread ( https://www.redhat.com/archives/freeipa-users/2013-August/msg00080.html) which has instructions on adding ipa.mydomain.com to the keytab. When I call ipa-getkeytab it hangs for a bit before returning: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) Digging into this if I run: ldapsearch -d 1 -v -H ldaps://ldap.mydomain.com I get: ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: Does it work if you add the mechanism explicitly, e.g. 'ldapsearch -Y GSSAPI ' ? bye, Sumit So we seem to have a SASL problem. If I run ldapsearch with -x simple authentication works just fine. Do I need to do something special to enable SASL so I can get the keytab? The ipa-getkeytab command does not seem to have an option to use simple authentication. Thanks. Steve ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Disabling anonymous binds breaks OS X (10.8.5 and 10.9.1) UI logins.
On 01/28/2014 03:33 PM, Guillermo Fuentes wrote: Hello, We are deploying FreeIPA (which it's a great project BTW) as our Identity Management System. As we don't want any info from the directory to be publically available, we tried disabling anonymous binds but it breaks UI logins on Macs (10.8.5 and 10.9.1) FreeIPA logs show that OS X retrieves attributes using anonymous bind and when it's disabled it logs: ... authzid=(null), anonymous search not allowed Has anyone been able to get this setup working properly? You need to look on the Mac side. It seems that in the configuration you used Mac tries to do a lookup after anonymous bind. It might be that you need to configure a special account on Mac to be able to work around this issue. Thanks in advance, Guillermo ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Deploying freeipa behind nginx
On 01/28/2014 05:29 PM, Steve Severance wrote: Hi Everyone, I have deployed freeipa inside our production network. I want to be able to access the web ui so I am attempting to add it to our nginx edge machine. I can pass the requests upstream just fine but I am unable to login using a username/password. I have enabled password authentication in the kerberos section of the freeipa httpd config file. In the logs it looks like the authentication succeeds and a ticket is issued. I assume that the cookie that is returned (ipa_session) has the authentication information in it. The subsequent call to get json data fails and I am prompted to login again. I found this thread (https://www.redhat.com/archives/freeipa-users/2013-August/msg00080.html) which has instructions on adding ipa.mydomain.com http://ipa.mydomain.com to the keytab. When I call ipa-getkeytab it hangs for a bit before returning: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) Digging into this if I run: ldapsearch -d 1 -v -H ldaps://ldap.mydomain.com http://ldap.mydomain.com I get: ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: So we seem to have a SASL problem. If I run ldapsearch with -x simple authentication works just fine. Do I need to do something special to enable SASL so I can get the keytab? The ipa-getkeytab command does not seem to have an option to use simple authentication. Thanks. Steve To be able to help a small diagram would be really helpful. The error above indicates that there is an entity that tries to connect to the LDAP using Kerberos GSSAPI and can't because it either does not have kerberos identity or keys or it is misconfigured and can't get to them. The diagram of request flow would help to troubleshoot the issue. What version of FreeIPA you are using? What platform? ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Certificate format error: [Errno -8018]
craig.free...@noboost.org wrote: On Tue, Jan 28, 2014 at 01:25:56PM -0500, Rob Crittenden wrote: craig.free...@noboost.org wrote: On Thu, Jan 23, 2014 at 09:21:54AM -0500, Rob Crittenden wrote: Alexander Bokovoy wrote: On Thu, 23 Jan 2014, craig.free...@noboost.org wrote: Hi Guys, I'm sure this is an easy issue to fix! First the specs; Red Hat Enterprise Linux Server release 6.3 (Santiago) ipa-client-2.2.0-16.el6.x86_64 ipa-server-2.2.0-16.el6.x86_64 Issue: When I click on the hosts TAB from inside the Identity Managemnt GUI, I get the following error; * Certificate format error: [Errno -8018] None (repeated many times) * Cannot connect to 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial': [Errno -8018] None Also seen this error; cannot connect to 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired. Any advise would be greatly appreciated! http://www.freeipa.org/page/Howto/CA_Certificate_Renewal Since you have FreeIPA before 3.4, you need to follow manual procedure outlined on that page. 2.2 might also be a bit different than 3.x but this is a starting point. For 2.x you want http://www.freeipa.org/page/IPA_2x_Certificate_Renewal rob Just running into a couple of issues with then manual SSL cert process; 1) ERROR when telling certmonger about all the CA certificates #Command: for nickname in auditSigningCert cert-pki-ca ocspSigningCert cert-pki-ca subsystemCert cert-pki-ca Server-Cert cert-pki-ca do echo $nickname certutil -L -d /var/lib/pki-ca/alias -n ${nickname} | grep -i after done #Result: auditSigningCert cert-pki-ca Not After : Tue Jan 14 06:45:05 2014 ocspSigningCert cert-pki-ca Not After : Tue Jan 14 06:45:05 2014 subsystemCert cert-pki-ca Not After : Tue Jan 14 06:45:05 2014 Server-Cert cert-pki-ca Not After : Tue Jan 14 06:45:05 2014 #Command: for nickname in auditSigningCert cert-pki-ca ocspSigningCert cert-pki-ca subsystemCert cert-pki-ca Server-Cert cert-pki-ca do /usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n ${nickname} -c dogtag-ipa-renew-agent -P 70511423 done #Result: No CA with name dogtag-ipa-renew-agent found. No CA with name dogtag-ipa-renew-agent found. No CA with name dogtag-ipa-renew-agent found. No CA with name dogtag-ipa-renew-agent found. 2)Upgrade instead? I could potentionally upgrade the ipa-server to 3.0.0-37.el6, would this version be able to automatically update the certificates? cya Craig You need certmonger-0.58-1 or higher to get the dogtag-ipa-renew-agent CA and other fixed. I'll update the wiki with that, sorry for the oversight. You could try updating to 3.0. If you do decide to try upgrading I think I'd go back in time when all the certs are valid first as some services will be restarted during the upgrade and we don't want the upgrade blowing up in the middle because of expired certs. rob I'll give the upgrade a go, say I go back to the older date and IPA starts fine. Won't the certs still have a hard expiry date on them, so I'll need to follow the http://www.freeipa.org/page/IPA_2x_Certificate_Renewal procedure? It depends in part how far back in time you go. I'd go back a day or two before the oldest date (not all certs expire at the same time). The upgrade will configure automatic renewal. I think what I'd recommend is do the upgrade then restart the certmonger service on the machine. Run `getcert list` to check the status of the certs. After the restart they should all renew. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Certificate format error: [Errno -8018]
On Wed, Jan 29, 2014 at 09:15:50AM -0500, Rob Crittenden wrote: craig.free...@noboost.org wrote: On Tue, Jan 28, 2014 at 01:25:56PM -0500, Rob Crittenden wrote: craig.free...@noboost.org wrote: On Thu, Jan 23, 2014 at 09:21:54AM -0500, Rob Crittenden wrote: Alexander Bokovoy wrote: On Thu, 23 Jan 2014, craig.free...@noboost.org wrote: Hi Guys, I'm sure this is an easy issue to fix! First the specs; Red Hat Enterprise Linux Server release 6.3 (Santiago) ipa-client-2.2.0-16.el6.x86_64 ipa-server-2.2.0-16.el6.x86_64 Issue: When I click on the hosts TAB from inside the Identity Managemnt GUI, I get the following error; * Certificate format error: [Errno -8018] None (repeated many times) * Cannot connect to 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial': [Errno -8018] None Also seen this error; cannot connect to 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired. Any advise would be greatly appreciated! http://www.freeipa.org/page/Howto/CA_Certificate_Renewal Since you have FreeIPA before 3.4, you need to follow manual procedure outlined on that page. 2.2 might also be a bit different than 3.x but this is a starting point. For 2.x you want http://www.freeipa.org/page/IPA_2x_Certificate_Renewal rob Just running into a couple of issues with then manual SSL cert process; 1) ERROR when telling certmonger about all the CA certificates #Command: for nickname in auditSigningCert cert-pki-ca ocspSigningCert cert-pki-ca subsystemCert cert-pki-ca Server-Cert cert-pki-ca do echo $nickname certutil -L -d /var/lib/pki-ca/alias -n ${nickname} | grep -i after done #Result: auditSigningCert cert-pki-ca Not After : Tue Jan 14 06:45:05 2014 ocspSigningCert cert-pki-ca Not After : Tue Jan 14 06:45:05 2014 subsystemCert cert-pki-ca Not After : Tue Jan 14 06:45:05 2014 Server-Cert cert-pki-ca Not After : Tue Jan 14 06:45:05 2014 #Command: for nickname in auditSigningCert cert-pki-ca ocspSigningCert cert-pki-ca subsystemCert cert-pki-ca Server-Cert cert-pki-ca do /usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n ${nickname} -c dogtag-ipa-renew-agent -P 70511423 done #Result: No CA with name dogtag-ipa-renew-agent found. No CA with name dogtag-ipa-renew-agent found. No CA with name dogtag-ipa-renew-agent found. No CA with name dogtag-ipa-renew-agent found. 2)Upgrade instead? I could potentionally upgrade the ipa-server to 3.0.0-37.el6, would this version be able to automatically update the certificates? cya Craig You need certmonger-0.58-1 or higher to get the dogtag-ipa-renew-agent CA and other fixed. I'll update the wiki with that, sorry for the oversight. You could try updating to 3.0. If you do decide to try upgrading I think I'd go back in time when all the certs are valid first as some services will be restarted during the upgrade and we don't want the upgrade blowing up in the middle because of expired certs. rob I'll give the upgrade a go, say I go back to the older date and IPA starts fine. Won't the certs still have a hard expiry date on them, so I'll need to follow the http://www.freeipa.org/page/IPA_2x_Certificate_Renewal procedure? It depends in part how far back in time you go. I'd go back a day or two before the oldest date (not all certs expire at the same time). The upgrade will configure automatic renewal. I think what I'd recommend is do the upgrade then restart the certmonger service on the machine. Run `getcert list` to check the status of the certs. After the restart they should all renew. rob Well progress :) just not quite fully fixed, seems three certificates have updated just not the others yet. Do I need to tell them to update, or let the server roll over until it hits Jan 14? Server: Red Hat Enterprise Linux Server release 6.5 (Santiago) ipa-server-3.0.0-37.el6.x86_64 ipa-client-3.0.0-37.el6.x86_64 --- ~/Scriptsdate Sat Jan 11 19:29:02 EST 2014 --- ~/Scriptscertutil -L -d /etc/httpd/alias -n ipaCert | grep After Not After : Fri Jan 01 07:44:45 2016 --- Ran script: for nickname in auditSigningCert cert-pki-ca ocspSigningCert cert-pki-ca subsystemCert cert-pki-ca Server-Cert cert-pki-ca do echo $nickname certutil -L -d /var/lib/pki-ca/alias -n ${nickname} | grep -i after done --- auditSigningCert cert-pki-ca Not After : Thu Jul 10 07:45:42 2014 Not After : Tue Jan 14 06:45:05 2014 ocspSigningCert cert-pki-ca Not After : Fri Jan 01 07:44:43 2016 subsystemCert cert-pki-ca Not After : Fri Jan 01 07:44:44 2016 Server-Cert cert-pki-ca Not After : Tue Jan 14 06:45:05 2014 --- The apache cert did update which is good! ~/Scriptscertutil -L -d /etc/httpd/alias
Re: [Freeipa-users] Certificate format error: [Errno -8018]
craig.free...@noboost.org wrote: Well progress :) just not quite fully fixed, seems three certificates have updated just not the others yet. Do I need to tell them to update, or let the server roll over until it hits Jan 14? Server: Red Hat Enterprise Linux Server release 6.5 (Santiago) ipa-server-3.0.0-37.el6.x86_64 ipa-client-3.0.0-37.el6.x86_64 --- ~/Scriptsdate Sat Jan 11 19:29:02 EST 2014 --- ~/Scriptscertutil -L -d /etc/httpd/alias -n ipaCert | grep After Not After : Fri Jan 01 07:44:45 2016 --- Ran script: for nickname in auditSigningCert cert-pki-ca ocspSigningCert cert-pki-ca subsystemCert cert-pki-ca Server-Cert cert-pki-ca do echo $nickname certutil -L -d /var/lib/pki-ca/alias -n ${nickname} | grep -i after done --- auditSigningCert cert-pki-ca Not After : Thu Jul 10 07:45:42 2014 Not After : Tue Jan 14 06:45:05 2014 ocspSigningCert cert-pki-ca Not After : Fri Jan 01 07:44:43 2016 subsystemCert cert-pki-ca Not After : Fri Jan 01 07:44:44 2016 Server-Cert cert-pki-ca Not After : Tue Jan 14 06:45:05 2014 --- The apache cert did update which is good! ~/Scriptscertutil -L -d /etc/httpd/alias -n ipaCert | grep After Not After : Fri Jan 01 07:44:45 2016 cya Craig For those not yet renewed I'd do a getcert list to find them and getcert resubmit -i id to force renewal. The CA won't start without a valid audit cert. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Certificate format error: [Errno -8018]
On Wed, Jan 29, 2014 at 09:22:35PM -0500, Rob Crittenden wrote: craig.free...@noboost.org wrote: Well progress :) just not quite fully fixed, seems three certificates have updated just not the others yet. Do I need to tell them to update, or let the server roll over until it hits Jan 14? Server: Red Hat Enterprise Linux Server release 6.5 (Santiago) ipa-server-3.0.0-37.el6.x86_64 ipa-client-3.0.0-37.el6.x86_64 --- ~/Scriptsdate Sat Jan 11 19:29:02 EST 2014 --- ~/Scriptscertutil -L -d /etc/httpd/alias -n ipaCert | grep After Not After : Fri Jan 01 07:44:45 2016 --- Ran script: for nickname in auditSigningCert cert-pki-ca ocspSigningCert cert-pki-ca subsystemCert cert-pki-ca Server-Cert cert-pki-ca do echo $nickname certutil -L -d /var/lib/pki-ca/alias -n ${nickname} | grep -i after done --- auditSigningCert cert-pki-ca Not After : Thu Jul 10 07:45:42 2014 Not After : Tue Jan 14 06:45:05 2014 ocspSigningCert cert-pki-ca Not After : Fri Jan 01 07:44:43 2016 subsystemCert cert-pki-ca Not After : Fri Jan 01 07:44:44 2016 Server-Cert cert-pki-ca Not After : Tue Jan 14 06:45:05 2014 --- The apache cert did update which is good! ~/Scriptscertutil -L -d /etc/httpd/alias -n ipaCert | grep After Not After : Fri Jan 01 07:44:45 2016 cya Craig For those not yet renewed I'd do a getcert list to find them and getcert resubmit -i id to force renewal. The CA won't start without a valid audit cert. rob Thanks for all the help, looks like all is fixed. I moved the dates back to normal and all the services are working :) I did notice the auditSigningCert cert-pki-ca has two certificates, one old one and a new one. The getcert list command is only showing the new one, so I figure all is well. auditSigningCert cert-pki-ca Certificate: Validity: Not Before: Sat Jan 11 07:45:42 2014 Not After : Thu Jul 10 07:45:42 2014 Data: Validity: Not Before: Wed Jan 25 06:45:05 2012 Not After : Tue Jan 14 06:45:05 2014 cya Craig ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users