Re: [Freeipa-users] Root certificates

2014-04-19 Thread Andrew Holway
>> I would like to install the root certificate from my freeipa
>> installation into some browsers and other clients.
>>
>> If this statement makes sense; does anyone have a guide for this?
>>
>
> All you need to do is installing http://ipaserver/ipa/config/ca.crt .

Brilliant! Thanks.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] experience using IPA in a mixed environment

2014-04-19 Thread Carl E. Ma

Hi Rob/all,

The original freeipa-client 2.1.4 on Ubuntu 12.04 doesn't have the 
"ipa-client-automount" command. I manually configured autofs as 
follows:


===/etc/autofs_ldap_autofs===
root@ecs-94a55510:/etc# more autofs_ldap_auth.conf


===end of autofs_ldap_autofs===
===/etc/default/autofs===
MASTER_MAP_NAME="automountmapname=auto.master,cn=default,cn=automount,dc=ecs,dc=ads,dc=xxx,dc=com"
LOGGING="debug"
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"
LDAP_URI="ldap://ecs-1a5d4287.ecs.ads.xxx.com"
SEARCH_BASE="cn=default,cn=automount,dc=ecs,dc=ads,dc=xxx,dc=com"
===end of /etc/default/autofs===
===*/etc/nsswitch.conf*===
passwd: compat sss
group:  compat sss
shadow: compat

hosts:  files dns
networks:   files

protocols:  db files
services:   db files
ethers: db files
rpc:        db files

netgroup:   nis sss
sudoers:    files ldap
automount:  files ldap
===end of /etc/nsswitch.conf===
===*/etc/default/nfs-common*===
NEED_STATD=
STATDOPTS=
NEED_IDMAP=yes
NEED_GSSD=yes
===end of nfs-common===
===here is*/etc/auto.master*===
#cat "+auto.master" >> /etc/auto.master
===end of auto.master===

On IPA server, I add the NFS service for that client as:
# ipa service-add nfs/ecs-94a55510.ecs.ads.xxx.com

But no LDAP automount maps are shown in the "automount -m" output. From 
the syslog error messages below, the client can't directly connect to 
IPA (the LDAP server) for the auto.master map.

===
root@ecs-94a55510:/etc# automount -m
find_server: trying server uri ldap://ecs-1a5d4287.ecs.ads.xxx.com
init_ldap_connection: lookup(ldap): TLS required but START_TLS failed: 
Connect error

lookup(ldap): couldn't connect to server ldap://ecs-1a5d4287.ecs.ads.xxx.com
do_reconnect: lookup(ldap): failed to find available server

autofs dump map information
===

global options: none configured
no master map entries found

In /var/log/syslog, here are the errors:
Apr 19 23:09:40 ecs-94a55510 automount[17476]: parse_init: parse(sun): 
init gathered global options: (null)
Apr 19 23:09:40 ecs-94a55510 automount[17476]: lookup_nss_read_master: 
reading master ldap auto.master
Apr 19 23:09:40 ecs-94a55510 automount[17476]: parse_init: parse(sun): 
init gathered global options: (null)
Apr 19 23:09:40 ecs-94a55510 automount[17476]: lookup(file): failed to 
read included master map auto.master

===

On the same Ubuntu 12.04 host, sudo also can't retrieve sudoers information 
from the IPA server using LDAP (sudo on Ubuntu 12.04 doesn't support sssd). I 
doubt the problem is with the LDAP client function on this host. If I 
missed anything obvious, please let me know.


thanks,

carl


On 14-04-07 08:28 AM, Rob Crittenden wrote:

Carl E. Ma wrote:

Hi,

My environment has Redhat 5, 6, CentOS 6.x and Ubuntu 12.04. Following the 
Red Hat Identity Management manual, I am able to configure user 
authentication, Kerberos NFS, SSSD and autofs on most of my systems.


The only trouble is integrating ubuntu 12.04 with autofs.

1. automount in /etc/nsswitch.conf doesn't recognize sss as the name 
service; you need to put ldap instead.
2. automount on Ubuntu 12.04 doesn't recognize the auto.master map 
from the IPA server.


On our IPA server:
ipaserver# ipa automountlocation-tofiles default
/etc/auto.master:
/-  /etc/auto.direct
/home   /etc/auto.home
---
/etc/auto.direct:
---
/etc/auto.home:
*   -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 
nfs:/opt/shares/home/&




From ubuntu 12.04 IPA client:
#automount -f -d <= shows it can't find the auto.master map; in 
/etc/default/autofs, I tried both ways to specify the auto.master map.

==
#cat /etc/default/autofs  | grep MASTER
#MASTER_MAP_NAME="automountmapname=auto.master,cn=default,cn=automount,dc=x,dc=x,dc=x,dc=com" 


MASTER_MAP_NAME="auto.master"
==

From the error messages, it seems automount on Ubuntu doesn't look up 
LDAP for auto.master information.


Apr  4 17:25:26 ecs-94a55510 automount[1032]: lookup(file): file map 
/etc/automountmapname=auto.master,cn=default,cn=automount,dc=x,dc=x,dc=x,dc=com 
missing or not readable


Although I am using pam to automount the user home directory, I am 
curious whether anyone else experienced the same problem, or maybe I 
missed something.


Can you provide more information on how you configured automount (e.g. 
can we see the config files)? Did you use the ipa-client-automount 
command or configure things by hand?


rob


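An added configuration check, not from the thread and not part of autofs or FreeIPA, that reads a /etc/default/autofs and an autofs_ldap_auth.conf like the ones posted above and reports why the master-map lookup would fail before any LDAP query runs. The sample files are constructed; the autofs_ldap_auth.conf attribute values are an assumption, since the original did not survive in the archive.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of /etc/default/autofs, modelled on the one posted above
AUTOFS_DEFAULTS = """
MASTER_MAP_NAME="automountmapname=auto.master,cn=default,cn=automount,dc=ecs,dc=ads,dc=xxx,dc=com"
LDAP_URI="ldap://ecs-1a5d4287.ecs.ads.xxx.com"
SEARCH_BASE="cn=default,cn=automount,dc=ecs,dc=ads,dc=xxx,dc=com"
"""

# Constructed autofs_ldap_auth.conf: the attribute names are autofs's own,
# the values are an assumption (the thread's copy was lost in the archive).
AUTH_CONF = """<autofs_ldap_sasl_conf usetls="yes" tlsrequired="yes" authrequired="yes"
    authtype="GSSAPI" clientprinc="host/ecs-94a55510.ecs.ads.xxx.com@ECS.ADS.XXX.COM" />
"""


def parse_defaults(text):
    """Parse the KEY="value" lines of /etc/default/autofs into a dict."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z_]+)="?([^"]*)"?\s*$', line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def parse_auth_conf(text):
    """Return the attributes of the single <autofs_ldap_sasl_conf/> element."""
    return dict(ET.fromstring(text).attrib)


def check_autofs_ldap(defaults, auth):
    """Return findings that explain a master-map lookup failing before any LDAP query."""
    findings = []
    uri = defaults.get("LDAP_URI", "")
    master = defaults.get("MASTER_MAP_NAME", "")
    base = defaults.get("SEARCH_BASE", "")
    # Plain ldap:// with tlsrequired="yes" means autofs must START_TLS first; if the
    # IPA CA is not trusted by libldap (TLS_CACERT in ldap.conf) the handshake fails
    # with the "TLS required but START_TLS failed" error seen in the thread.
    if uri.startswith("ldap://") and auth.get("tlsrequired") == "yes":
        findings.append("START_TLS required on ldap:// URI: IPA CA must be trusted by libldap")
    # A DN-form master map name must sit under SEARCH_BASE or the search misses it.
    if "=" in master and not master.lower().endswith(base.lower()):
        findings.append("MASTER_MAP_NAME DN is outside SEARCH_BASE")
    # GSSAPI binds use the client's host keytab, so the principal must be host/<fqdn>.
    if auth.get("authtype") == "GSSAPI" and not auth.get("clientprinc", "").startswith("host/"):
        findings.append("GSSAPI bind without a host/ client principal")
    return findings
```

On Ubuntu the libldap trust file is /etc/ldap/ldap.conf rather than /etc/openldap/ldap.conf; the check itself only reads the two autofs files.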

[Freeipa-users] External collaboration edits

2014-04-19 Thread Nordgren, Bryce L -FS
I've run out of time for today, but the external collaboration pages are slowly 
evolving.


http://www.freeipa.org/page/External_Users_in_IPA

Dimitri observed that my RFE page was too long. I observe it also has too much 
stuff unrelated to the actual meat of the RFE. So I factored out most of the 
Kerberos stuff into a different page. I also tried to focus the RFE to just 
creating entries in LDAP for external users so they can: a] participate in 
POSIX groups; and b] have locally-defined POSIX attributes.

http://www.freeipa.org/page/Collaboration_with_Kerberos

This is where all the Kerberos stuff went. I also added in "Option A" from 
Petr's email. Option B will come along later, when I pick this up again. 
Mechanism three has more to do with Ipsilon than IPA, and the basic functions 
required of the Ipsilon gateway server are articulated there (regardless of the 
particular authentication method).

Send comments to the list. I really appreciate Option A! Send more stuff I 
didn't think of.

Bryce




This electronic message contains information generated by the USDA solely for 
the intended recipients. Any unauthorized interception of this message or the 
use or disclosure of the information it contains may violate the law and 
subject the violator to civil or criminal penalties. If you believe you have 
received this message in error, please notify the sender and delete the email 
immediately.

[Freeipa-users] External domain use case wiki page

2014-04-19 Thread Nordgren, Bryce L -FS
http://www.freeipa.org/page/External_Collaboration_Domains

This is mostly Dimitri's text, but I did butcher it some. Also has a figure.

Will update the external users RFE next.

Bryce





Re: [Freeipa-users] Adding custom attributes in User Settings screen in FreeIPA UI

2014-04-19 Thread Dmitri Pal

On 04/18/2014 09:15 PM, Christopher Swingler wrote:
If I've extended the LDAP schema to add in some custom attributes, is 
it possible to have those show up under Identity > Users > [username] 
> Settings, perhaps under "MISC. INFORMATION"?


I've already added the custom class under IPA Server > Configuration > 
Default user objectclasses, but it would be great if I can edit this 
information within the FreeIPA UI without having to write something up 
elsewhere.


If this is possible, my google-fu isn't really getting me anywhere. :-)



It looks like you are looking for this: 
http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf




Have a great weekend, all!

Christopher Swingler
/CTO/
South Side Hackerspace Chicago
2233 South Throop St | Unit 214 | Chicago, IL 60608






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] Questions about Logs

2014-04-19 Thread Dmitri Pal

On 04/18/2014 09:38 AM, Chris Whittle wrote:
One of the big rocks I am trying to accomplish is the ability to audit 
access information and password resets. I know the audit 
capabilities are on the road map for the future, so I'm trying to make 
do with what I have.


1) is all the above information in the access log?
2) do you know of any 3rd party online tools to view those logs in a 
more readable format than the /var/log/dirsrv/slapd- access file?

3) Any idea on rough time period for the full audit capabilities?


Our plan is to start sending logs into journald and then use its 
capabilities to centralize the logs. You would then be able to point 
traditional log processing tools like Logstash, Splunk, Zabbix etc. at it.

Ticket is https://fedorahosted.org/freeipa/ticket/4296
It is currently targeting 4.2, which means that the earliest we will start 
looking into it is in about 9-12 months.


Thanks
Dmitri







--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] nothing sync'ed to AD

2014-04-19 Thread Dmitri Pal

On 04/17/2014 08:38 PM, Will Last wrote:
Many thanks, Bob, for letting me know that I missed the important 
point as designed, and for giving me the confidence that my setup is 
correct after scratching my head for two weeks:-D.


So, is there any solution for my case, i.e., *using an already set up 
freeipa as the primary service, and AD as the secondary (only for 
those dependent on AD)*, in addition to Petr's suggestion to set up a 
freeipa-AD trust? I prefer to maintain user info in freeipa and let AD 
sync from freeipa. But unfortunately, this is not designed to be so. 
Did anyone try the idea of exporting users from freeipa and then importing 
them into AD, since they both use LDAP? At least for the initial 
pseudo/manual sync. It would be great to share your experience with us.





We are aware of this use case. It is still quite a rare one, so we have 
not addressed it, as there are more pressing configurations that are more 
common.
Generally our recommendation in this case will be to rely on the 2-way 
trusts, but it is not implemented yet.


The export/import part will work except for passwords. Password hashes are 
different in AD than in IPA (and standard Kerberos/LDAP), so you can sync 
users but not passwords.
The best option is for you to explore the 389 DS sync setup and try to 
apply it to IPA. But there will be dragons, and it might require some 
development to make plugins work in the right way. IPA has a plugin on top 
of the base DS plugin, so it might require some adjustment if you want to 
make two-way sync work.

Here is the starting point.
http://port389.org/wiki/Howto:WindowsSync

Thanks
Dmitri


Thanks!


On Thu, Apr 17, 2014 at 10:16 PM, Rob Crittenden wrote:


Will Last wrote:

Hi,

I have got a freeipa server (ipa-server-3.0.0-37) running on
centos 6.5 and am trying to set up sync with/to AD on win 2008/R2,
basically following
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory.html
The sync agreement is bi-directional by default. But only AD
users are sync'ed to freeipa and none of the users on freeipa is
sync'ed to AD, which is what I really cared for. Even a
re-initialization from AD won't help
(ipa-replica-manage re-initialize --from ad.example.com).
I have turned debugging on (nsslapd-errorlog-level to 8192), but
did not see any obvious clue.

Thanks in advance for any help!


This is working as designed. IPA-only users are not synced to AD.
The bidirectional part is that changes to an AD user synced to IPA
on the IPA side will be synced back to AD.

rob







--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] Root certificates

2014-04-19 Thread Tamas Papp

On 04/19/2014 03:12 PM, Andrew Holway wrote:
> Hello,
>
> I would like to install the root certificate from my freeipa
> installation into some browsers and other clients.
>
> If this statement makes sense; does anyone have a guide for this?
>

All you need to do is installing http://ipaserver/ipa/config/ca.crt .

tamas



[Freeipa-users] Root certificates

2014-04-19 Thread Andrew Holway
Hello,

I would like to install the root certificate from my freeipa
installation into some browsers and other clients.

If this statement makes sense; does anyone have a guide for this?

Thanks,

Andrew
