Re: [Freeipa-users] Root certificates
>> I would like to install the root certificate from my freeipa installation into some browsers and other clients. If this statement makes sense, does anyone have a guide for this?
>
> All you need to do is install http://ipaserver/ipa/config/ca.crt.

Brilliant! Thanks.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] setup key-based ssh using freeipa
I already ran that command to configure centos host as client. I used 'ipa-client-install --mkhomedir --no-ntp'. Now my IPA users are able to SSH to that box, using passwords set in IPA. Next I would like them to SSH using keys.

When I looked through the document for more info, I found this line - 'After uploading the user keys, configure SSSD to use FreeIPA as one of its identity domains and set up OpenSSH to use the SSSD tooling for managing user keys.'

I was hoping someone can shed light on how to do that. Or if someone has configured their IPA clients to enable key-based SSH to clients, can they please share their experience.

Thanks.

On Thu, Apr 17, 2014 at 5:48 PM, Dmitri Pal d...@redhat.com wrote:

> On 04/17/2014 02:42 PM, quest monger wrote:
>
>> I have set up a freeipa server, and added a centos client that my ipa users can now ssh to by using the freeipa account credentials. Now, I would like my users to be able to ssh to this centos client using keys.
>>
>> I read this - http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/user-keys.html
>>
>> I generated the key-pair, and added the public key to the user account in the freeipa web console. Towards the end of that document, I found this - After uploading the user keys, configure SSSD to use FreeIPA as one of its identity domains and set up OpenSSH to use the SSSD tooling for managing user keys.
>>
>> No instructions in the document on how to do this. Do I need to do anything on the centos client-side to make this work?
>
> yum install ipa-client, then run ipa-client-install with the arguments you need (see man pages or manual), which will configure your client. Depending on the version it will also be able to configure SSH integration. See man on ipa-client-install.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
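An added example, not part of the thread or of FreeIPA's own tooling: a small audit of the two client-side settings behind "set up OpenSSH to use the SSSD tooling for managing user keys", namely `ssh` in the `[sssd]` `services` list and an sshd `AuthorizedKeysCommand` that runs `sss_ssh_authorizedkeys`. The function names are hypothetical, the default paths are the usual ones and are an assumption about the host, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit the two client-side settings that
# let sshd fetch a user's public keys from FreeIPA through SSSD.

# Succeeds if the [sssd] section's "services" line lists the ssh responder.
sssd_has_ssh_responder() {
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\]/) }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t\r]/, "", svc[i])
                if (svc[i] == "ssh") found = 1
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Succeeds if the first active AuthorizedKeysCommand line (sshd honours the
# first occurrence) runs sss_ssh_authorizedkeys. Match blocks are not modelled.
sshd_uses_sssd_keys() {
    awk '
        tolower($1) == "authorizedkeyscommand" && !seen {
            seen = 1
            cmd = $2
            sub(/.*\//, "", cmd)            # keep only the program name
            ok = (cmd == "sss_ssh_authorizedkeys")
        }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Prints one finding per problem; returns 0 only when both settings are present.
audit_ipa_ssh_keys() {
    sshd_cfg=${1:-/etc/ssh/sshd_config}
    sssd_cfg=${2:-/etc/sssd/sssd.conf}
    rc=0
    sssd_has_ssh_responder "$sssd_cfg" || { echo "sssd.conf: add ssh to [sssd] services"; rc=1; }
    sshd_uses_sssd_keys "$sshd_cfg" || { echo "sshd_config: set AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys"; rc=1; }
    return $rc
}

# Constructed sample files (not real host configs), then one audit run.
demo=$(mktemp -d)
printf '[sssd]\nservices = nss, pam, ssh\ndomains = example.test\n' > "$demo/sssd.conf"
printf '#AuthorizedKeysCommand none\nAuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\nAuthorizedKeysCommandUser nobody\n' > "$demo/sshd_config"
if audit_ipa_ssh_keys "$demo/sshd_config" "$demo/sssd.conf"; then echo "demo: OK"; fi
```

On a real client, run `audit_ipa_ssh_keys` with no arguments as root, since `sssd.conf` is normally readable only by root.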
Re: [Freeipa-users] External collaboration edits
On 04/19/2014 07:46 PM, Nordgren, Bryce L -FS wrote:

> I've run out of time for today, but the external collaboration pages are slowly evolving.
>
> http://www.freeipa.org/page/External_Users_in_IPA
>
> Dmitri observed that my RFE page was too long. I observe it also has too much stuff unrelated to the actual meat of the RFE. So I factored out most of the Kerberos stuff into a different page. I also tried to focus the RFE to just creating entries in LDAP for external users so they can: a] participate in POSIX groups; and b] have locally-defined POSIX attributes.
>
> http://www.freeipa.org/page/Collaboration_with_Kerberos
>
> This is where all the Kerberos stuff went. I also added in Option A from Petr's email. Option B will come along later, when I pick this up again. Mechanism three has more to do with Ipsilon than IPA, and basic functions required of the Ipsilon gateway server are articulated there (regardless of the particular authentication method.)
>
> Send comments to the list. I really appreciate Option A! Send more stuff I didn't think of.

Last week was Red Hat summit. Things piled up. I will try to get to these pages by the end of the week.

> Bryce
>
> This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.