Re: [Freeipa-users] Deploying freeipa behind nginx
On Tue, Jan 28, 2014 at 02:29:07PM -0800, Steve Severance wrote: Hi Everyone, I have deployed freeipa inside our production network. I want to be able to access the web ui so I am attempting to add it to our nginx edge machine. I can pass the requests upstream just fine but I am unable to login using a username/password. I have enabled password authentication in the kerberos section of the freeipa httpd config file. In the logs it looks like the authentication succeeds and a ticket is issued. I assume that the cookie that is returned (ipa_session) has the authentication information in it. The subsequent call to get json data fails and I am prompted to login again. I found this thread ( https://www.redhat.com/archives/freeipa-users/2013-August/msg00080.html) which has instructions on adding ipa.mydomain.com to the keytab. When I call ipa-getkeytab it hangs for a bit before returning: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) Digging into this if I run: ldapsearch -d 1 -v -H ldaps://ldap.mydomain.com I get: ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: Does it work if you add the mechanism explicitly, e.g. 'ldapsearch -Y GSSAPI ' ? bye, Sumit So we seem to have a SASL problem. If I run ldapsearch with -x simple authentication works just fine. Do I need to do something special to enable SASL so I can get the keytab? The ipa-getkeytab command does not seem to have an option to use simple authentication. Thanks. Steve ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Disabling anonymous binds breaks OS X (10.8.5 and 10.9.1) UI logins.
On 01/28/2014 03:33 PM, Guillermo Fuentes wrote: Hello, We are deploying FreeIPA (which it's a great project BTW) as our Identity Management System. As we don't want any info from the directory to be publically available, we tried disabling anonymous binds but it breaks UI logins on Macs (10.8.5 and 10.9.1) FreeIPA logs show that OS X retrieves attributes using anonymous bind and when it's disabled it logs: ... authzid=(null), anonymous search not allowed Has anyone been able to get this setup working properly? You need to look on the Mac side. It seems that in the configuration you used Mac tries to do a lookup after anonymous bind. It might be that you need to configure a special account on Mac to be able to work around this issue. Thanks in advance, Guillermo ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Deploying freeipa behind nginx
On 01/28/2014 05:29 PM, Steve Severance wrote: Hi Everyone, I have deployed freeipa inside our production network. I want to be able to access the web ui so I am attempting to add it to our nginx edge machine. I can pass the requests upstream just fine but I am unable to login using a username/password. I have enabled password authentication in the kerberos section of the freeipa httpd config file. In the logs it looks like the authentication succeeds and a ticket is issued. I assume that the cookie that is returned (ipa_session) has the authentication information in it. The subsequent call to get json data fails and I am prompted to login again. I found this thread (https://www.redhat.com/archives/freeipa-users/2013-August/msg00080.html) which has instructions on adding ipa.mydomain.com http://ipa.mydomain.com to the keytab. When I call ipa-getkeytab it hangs for a bit before returning: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) Digging into this if I run: ldapsearch -d 1 -v -H ldaps://ldap.mydomain.com http://ldap.mydomain.com I get: ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: So we seem to have a SASL problem. If I run ldapsearch with -x simple authentication works just fine. Do I need to do something special to enable SASL so I can get the keytab? The ipa-getkeytab command does not seem to have an option to use simple authentication. Thanks. Steve To be able to help a small diagram would be really helpful. The error above indicates that there is an entity that tries to connect to the LDAP using Kerberos GSSAPI and can't because it either does not have kerberos identity or keys or it is misconfigured and can't get to them. The diagram of request flow would help to troubleshoot the issue. What version of FreeIPA you are using? What platform? ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Certificate format error: [Errno -8018]
craig.free...@noboost.org wrote:
On Tue, Jan 28, 2014 at 01:25:56PM -0500, Rob Crittenden wrote:
craig.free...@noboost.org wrote:
On Thu, Jan 23, 2014 at 09:21:54AM -0500, Rob Crittenden wrote:
Alexander Bokovoy wrote:
On Thu, 23 Jan 2014, craig.free...@noboost.org wrote:
Hi Guys,
I'm sure this is an easy issue to fix!
First the specs;
Red Hat Enterprise Linux Server release 6.3 (Santiago)
ipa-client-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
Issue:
When I click on the hosts TAB from inside the Identity Managemnt GUI, I
get the following error;
* Certificate format error: [Errno -8018] None (repeated many times)
* Cannot connect to
'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
[Errno -8018] None
Also seen this error;
cannot connect to
'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
[Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
certificate as expired.
Any advise would be greatly appreciated!
http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
Since you have FreeIPA before 3.4, you need to follow manual procedure
outlined on that page. 2.2 might also be a bit different than 3.x but
this is a starting point.
For 2.x you want http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
rob
Just running into a couple of issues with then manual SSL cert process;
1) ERROR when telling certmonger about all the CA certificates
#Command:
for nickname in auditSigningCert cert-pki-ca ocspSigningCert cert-pki-ca subsystemCert
cert-pki-ca Server-Cert cert-pki-ca
do
echo $nickname
certutil -L -d /var/lib/pki-ca/alias -n ${nickname} | grep -i after
done
#Result:
auditSigningCert cert-pki-ca
Not After : Tue Jan 14 06:45:05 2014
ocspSigningCert cert-pki-ca
Not After : Tue Jan 14 06:45:05 2014
subsystemCert cert-pki-ca
Not After : Tue Jan 14 06:45:05 2014
Server-Cert cert-pki-ca
Not After : Tue Jan 14 06:45:05 2014
#Command:
for nickname in auditSigningCert cert-pki-ca ocspSigningCert cert-pki-ca subsystemCert
cert-pki-ca Server-Cert cert-pki-ca
do
/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n ${nickname}
-c dogtag-ipa-renew-agent -P 70511423
done
#Result:
No CA with name dogtag-ipa-renew-agent found.
No CA with name dogtag-ipa-renew-agent found.
No CA with name dogtag-ipa-renew-agent found.
No CA with name dogtag-ipa-renew-agent found.
2)Upgrade instead?
I could potentionally upgrade the ipa-server to 3.0.0-37.el6, would this
version be able to automatically update the certificates?
cya
Craig
You need certmonger-0.58-1 or higher to get the
dogtag-ipa-renew-agent CA and other fixed. I'll update the wiki with
that, sorry for the oversight.
You could try updating to 3.0. If you do decide to try upgrading I
think I'd go back in time when all the certs are valid first as some
services will be restarted during the upgrade and we don't want the
upgrade blowing up in the middle because of expired certs.
rob
I'll give the upgrade a go, say I go back to the older date and IPA
starts fine. Won't the certs still have a hard expiry date on them, so
I'll need to follow the
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal procedure?
It depends in part how far back in time you go. I'd go back a day or two
before the oldest date (not all certs expire at the same time).
The upgrade will configure automatic renewal. I think what I'd recommend
is do the upgrade then restart the certmonger service on the machine.
Run `getcert list` to check the status of the certs. After the restart
they should all renew.
rob
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Certificate format error: [Errno -8018]
On Wed, Jan 29, 2014 at 09:15:50AM -0500, Rob Crittenden wrote:
craig.free...@noboost.org wrote:
On Tue, Jan 28, 2014 at 01:25:56PM -0500, Rob Crittenden wrote:
craig.free...@noboost.org wrote:
On Thu, Jan 23, 2014 at 09:21:54AM -0500, Rob Crittenden wrote:
Alexander Bokovoy wrote:
On Thu, 23 Jan 2014, craig.free...@noboost.org wrote:
Hi Guys,
I'm sure this is an easy issue to fix!
First the specs;
Red Hat Enterprise Linux Server release 6.3 (Santiago)
ipa-client-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
Issue:
When I click on the hosts TAB from inside the Identity Managemnt GUI, I
get the following error;
* Certificate format error: [Errno -8018] None (repeated many times)
* Cannot connect to
'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
[Errno -8018] None
Also seen this error;
cannot connect to
'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
[Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
certificate as expired.
Any advise would be greatly appreciated!
http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
Since you have FreeIPA before 3.4, you need to follow manual procedure
outlined on that page. 2.2 might also be a bit different than 3.x but
this is a starting point.
For 2.x you want http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
rob
Just running into a couple of issues with then manual SSL cert process;
1) ERROR when telling certmonger about all the CA certificates
#Command:
for nickname in auditSigningCert cert-pki-ca ocspSigningCert
cert-pki-ca subsystemCert cert-pki-ca Server-Cert cert-pki-ca
do
echo $nickname
certutil -L -d /var/lib/pki-ca/alias -n ${nickname} | grep -i after
done
#Result:
auditSigningCert cert-pki-ca
Not After : Tue Jan 14 06:45:05 2014
ocspSigningCert cert-pki-ca
Not After : Tue Jan 14 06:45:05 2014
subsystemCert cert-pki-ca
Not After : Tue Jan 14 06:45:05 2014
Server-Cert cert-pki-ca
Not After : Tue Jan 14 06:45:05 2014
#Command:
for nickname in auditSigningCert cert-pki-ca ocspSigningCert
cert-pki-ca subsystemCert cert-pki-ca Server-Cert cert-pki-ca
do
/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n
${nickname} -c dogtag-ipa-renew-agent -P 70511423
done
#Result:
No CA with name dogtag-ipa-renew-agent found.
No CA with name dogtag-ipa-renew-agent found.
No CA with name dogtag-ipa-renew-agent found.
No CA with name dogtag-ipa-renew-agent found.
2)Upgrade instead?
I could potentionally upgrade the ipa-server to 3.0.0-37.el6, would this
version be able to automatically update the certificates?
cya
Craig
You need certmonger-0.58-1 or higher to get the
dogtag-ipa-renew-agent CA and other fixed. I'll update the wiki with
that, sorry for the oversight.
You could try updating to 3.0. If you do decide to try upgrading I
think I'd go back in time when all the certs are valid first as some
services will be restarted during the upgrade and we don't want the
upgrade blowing up in the middle because of expired certs.
rob
I'll give the upgrade a go, say I go back to the older date and IPA
starts fine. Won't the certs still have a hard expiry date on them, so
I'll need to follow the
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal procedure?
It depends in part how far back in time you go. I'd go back a day or
two before the oldest date (not all certs expire at the same time).
The upgrade will configure automatic renewal. I think what I'd
recommend is do the upgrade then restart the certmonger service on
the machine.
Run `getcert list` to check the status of the certs. After the
restart they should all renew.
rob
Well progress :) just not quite fully fixed, seems three certificates have
updated just not the others yet. Do I need to tell them to update, or let the
server roll over until it hits Jan 14?
Server: Red Hat Enterprise Linux Server release 6.5 (Santiago)
ipa-server-3.0.0-37.el6.x86_64
ipa-client-3.0.0-37.el6.x86_64
---
~/Scriptsdate
Sat Jan 11 19:29:02 EST 2014
---
~/Scriptscertutil -L -d /etc/httpd/alias -n ipaCert | grep After
Not After : Fri Jan 01 07:44:45 2016
---
Ran script:
for nickname in auditSigningCert cert-pki-ca ocspSigningCert cert-pki-ca
subsystemCert cert-pki-ca Server-Cert cert-pki-ca
do
echo $nickname
certutil -L -d /var/lib/pki-ca/alias -n ${nickname} | grep -i after
done
---
auditSigningCert cert-pki-ca
Not After : Thu Jul 10 07:45:42 2014
Not After : Tue Jan 14 06:45:05 2014
ocspSigningCert cert-pki-ca
Not After : Fri Jan 01 07:44:43 2016
subsystemCert cert-pki-ca
Not After : Fri Jan 01 07:44:44 2016
Server-Cert cert-pki-ca
Not After : Tue Jan 14 06:45:05 2014
---
The apache cert did update which is good!
~/Scriptscertutil -L -d /etc/httpd/alias
Re: [Freeipa-users] Certificate format error: [Errno -8018]
craig.free...@noboost.org wrote:
Well progress :) just not quite fully fixed, seems three certificates have updated just
not the others yet. Do I need to tell them to update, or let the server roll
over until it hits Jan 14?
Server: Red Hat Enterprise Linux Server release 6.5 (Santiago)
ipa-server-3.0.0-37.el6.x86_64
ipa-client-3.0.0-37.el6.x86_64
---
~/Scriptsdate
Sat Jan 11 19:29:02 EST 2014
---
~/Scriptscertutil -L -d /etc/httpd/alias -n ipaCert | grep After
Not After : Fri Jan 01 07:44:45 2016
---
Ran script:
for nickname in auditSigningCert cert-pki-ca ocspSigningCert cert-pki-ca subsystemCert
cert-pki-ca Server-Cert cert-pki-ca
do
echo $nickname
certutil -L -d /var/lib/pki-ca/alias -n ${nickname} | grep -i after
done
---
auditSigningCert cert-pki-ca
Not After : Thu Jul 10 07:45:42 2014
Not After : Tue Jan 14 06:45:05 2014
ocspSigningCert cert-pki-ca
Not After : Fri Jan 01 07:44:43 2016
subsystemCert cert-pki-ca
Not After : Fri Jan 01 07:44:44 2016
Server-Cert cert-pki-ca
Not After : Tue Jan 14 06:45:05 2014
---
The apache cert did update which is good!
~/Scriptscertutil -L -d /etc/httpd/alias -n ipaCert | grep After
Not After : Fri Jan 01 07:44:45 2016
cya
Craig
For those not yet renewed I'd do a getcert list to find them and getcert
resubmit -i id to force renewal.
The CA won't start without a valid audit cert.
rob
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Certificate format error: [Errno -8018]
On Wed, Jan 29, 2014 at 09:22:35PM -0500, Rob Crittenden wrote:
craig.free...@noboost.org wrote:
Well progress :) just not quite fully fixed, seems three certificates have
updated just not the others yet. Do I need to tell them to update, or let
the server roll over until it hits Jan 14?
Server: Red Hat Enterprise Linux Server release 6.5 (Santiago)
ipa-server-3.0.0-37.el6.x86_64
ipa-client-3.0.0-37.el6.x86_64
---
~/Scriptsdate
Sat Jan 11 19:29:02 EST 2014
---
~/Scriptscertutil -L -d /etc/httpd/alias -n ipaCert | grep After
Not After : Fri Jan 01 07:44:45 2016
---
Ran script:
for nickname in auditSigningCert cert-pki-ca ocspSigningCert cert-pki-ca
subsystemCert cert-pki-ca Server-Cert cert-pki-ca
do
echo $nickname
certutil -L -d /var/lib/pki-ca/alias -n ${nickname} | grep -i after
done
---
auditSigningCert cert-pki-ca
Not After : Thu Jul 10 07:45:42 2014
Not After : Tue Jan 14 06:45:05 2014
ocspSigningCert cert-pki-ca
Not After : Fri Jan 01 07:44:43 2016
subsystemCert cert-pki-ca
Not After : Fri Jan 01 07:44:44 2016
Server-Cert cert-pki-ca
Not After : Tue Jan 14 06:45:05 2014
---
The apache cert did update which is good!
~/Scriptscertutil -L -d /etc/httpd/alias -n ipaCert | grep After
Not After : Fri Jan 01 07:44:45 2016
cya
Craig
For those not yet renewed I'd do a getcert list to find them and
getcert resubmit -i id to force renewal.
The CA won't start without a valid audit cert.
rob
Thanks for all the help, looks like all is fixed. I moved the dates back
to normal and all the services are working :)
I did notice the auditSigningCert cert-pki-ca has two certificates, one old
one and a new one. The getcert list command is only showing the new one, so I
figure all is well.
auditSigningCert cert-pki-ca
Certificate:
Validity:
Not Before: Sat Jan 11 07:45:42 2014
Not After : Thu Jul 10 07:45:42 2014
Data:
Validity:
Not Before: Wed Jan 25 06:45:05 2012
Not After : Tue Jan 14 06:45:05 2014
cya
Craig
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
