Re: [Freeipa-users] Troubleshooting a webui login error

2014-07-31 Thread Martin Kosek
On 07/30/2014 07:16 PM, Robert Walker wrote:
 Hi,
 
 I've got 2 IPA servers running in a relationship. One is ok as far as
 logging into the webui and the other will only let me kinit admin on the
 console of the server. When I try to log into the webui I get "Your session
 has expired. Please re-login." and
 
 "Please re-enter your username or password. The password or username you
 entered is incorrect. Please try again (make sure your caps lock is off). If
 the problem persists, contact your administrator."
 
 The server still seems to authenticate users by remote LDAP requests ok.
 
 Any pointers much appreciated.
 
 Thanks

Hello,

Could you please check the advice in
http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI ?
I would suspect that the ipa_memcached service is not running for some reason.

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] Replica Cert failed to renew ...

2014-07-31 Thread Martin Kosek
On 07/31/2014 07:49 AM, Matt Bryant wrote:
 All,
 
 Got an issue with an IPA replica in that the certs in /etc/httpd/alias and
 /etc/dirsrv/slapd-IPA-REALM have expired.

I assume that this replica does not have a CA and we are only dealing with
service HTTPD and DIRSRV service certificates.

 Have tried setting the date back before expiry on the replica and doing an
 'ipa-getcert resubmit -i id' but that hasn't worked; it looks like the CA
 master is actually rejecting it since I haven't set the date back on that
 server.
 
 Error am getting on replica is ...
 
 Request ID '20120719044839':
     status: CA_UNREACHABLE
     ca-error: Server failed request, will retry: -504 (libcurl failed to
     execute the HTTP POST transaction.  Peer certificate cannot be authenticated
     with known CA certificates).

Isn't this rather a problem that the replica does not trust the master server
HTTPD certificate because its certificates are not valid from the replica's POV?

 is there any way of forcing a renewal or manual process for updating these
 certs .. ???

If this is just a replica without PKI, I would suggest synchronizing the time
back with the master CA server and restarting all the services.

If the HTTPD service does not want to start, follow chapter 25.2.2 "Starting
IdM with Expired Certificates" in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cas.html
and then try to resubmit the certificates so that they can be renewed on the
master. Do not forget to revert the above configuration changes when you are
done.

Also, what version of FreeIPA are you running?

HTH,
Martin


Re: [Freeipa-users] FreeIPA + Ipsilon

2014-07-31 Thread Luca Tartarini
Hi,

Thanks for the reply. Unfortunately I cannot find the package on
Scientific Linux; is there a workaround?

Thanks.

Luca Tartarini


2014-07-30 15:00 GMT+02:00 Simo Sorce sso...@redhat.com:

 On Tue, 2014-07-29 at 15:58 +0200, Martin Kosek wrote:
  On 07/29/2014 03:47 PM, Luca Tartarini wrote:
   Hi everyone,
  
   I am new to FreeIPA and I am trying to configure FreeIPA with Ipsilon. The
   configuration is the following: Service Provider (host with Scientific
   Linux 6) with ipsilon-client and Identity Provider (another host with
   Scientific Linux 6) with FreeIPA and ipsilon-server. Is the configuration
   feasible and/or correct?
   If it is, then I am stuck in the installation of ipsilon-client because
   after I installed lasso-2.3.6 and all the ipsilon-client prerequisites,
   when I finally run:
  
   ipsilon-client-install --saml-idp-metadata
   https://myidp.example.org/idp/saml2/metadata --saml-auth /wiki
  
   I get this error about lasso:
  
   Traceback (most recent call last):
     File "/usr/bin/ipsilon-client-install", line 20, in <module>
       from ipsilon.tools.saml2metadata import Metadata
     File "/usr/lib/python2.6/site-packages/ipsilon/tools/saml2metadata.py", line 22, in <module>
       import lasso
     File "/usr/lib/python2.6/site-packages/lasso.py", line 3, in <module>
       import _lasso
   ImportError: No module named _lasso
  
   Does anyone know if it's a problem with lasso's configuration or whether I
   forgot something about ipsilon-client?
  
   Thanks in advance.
  
   Luca Tartarini
 
  Not sure, _lasso.so should be provided by lasso-python package:
 
  # rpm -qf /usr/lib64/python2.6/site-packages/_lasso.so
  lasso-python-2.4.0-4.el6.x86_64
 
  CCing Simo to advise.

 Sounds like lasso-python is missing indeed.

 Simo.




Re: [Freeipa-users] FreeIPA + Ipsilon

2014-07-31 Thread Martin Kosek
Without this package for your platform, you cannot move further. So you would
either need to switch to some platform that has this package available (RHEL,
CentOS, Fedora) or take the source bits and build it for your platform
yourself.

Maybe you would get lucky with rebuilding the source RPM from Fedora 20
(http://koji.fedoraproject.org/koji/buildinfo?buildID=489924), but there might
be some build dependencies that are not available on Scientific Linux...

HTH,
Martin

On 07/31/2014 09:53 AM, Luca Tartarini wrote:
 Hi,
 
 Thanks for the reply. Unfortunately I cannot find the package on
 Scientific Linux; is there a workaround?
 
 Thanks.
 
 Luca Tartarini
 
 
 2014-07-30 15:00 GMT+02:00 Simo Sorce sso...@redhat.com:
 
 On Tue, 2014-07-29 at 15:58 +0200, Martin Kosek wrote:
 On 07/29/2014 03:47 PM, Luca Tartarini wrote:
 Hi everyone,

 I am new to FreeIPA and I am trying to configure FreeIPA with Ipsilon. The
 configuration is the following: Service Provider (host with Scientific
 Linux 6) with ipsilon-client and Identity Provider (another host with
 Scientific Linux 6) with FreeIPA and ipsilon-server. Is the configuration
 feasible and/or correct?
 If it is, then I am stuck in the installation of ipsilon-client because
 after I installed lasso-2.3.6 and all the ipsilon-client prerequisites,
 when I finally run:

 ipsilon-client-install --saml-idp-metadata
 https://myidp.example.org/idp/saml2/metadata --saml-auth /wiki

 I get this error about lasso:

 Traceback (most recent call last):
   File "/usr/bin/ipsilon-client-install", line 20, in <module>
     from ipsilon.tools.saml2metadata import Metadata
   File "/usr/lib/python2.6/site-packages/ipsilon/tools/saml2metadata.py", line 22, in <module>
     import lasso
   File "/usr/lib/python2.6/site-packages/lasso.py", line 3, in <module>
     import _lasso
 ImportError: No module named _lasso

 Does anyone know if it's a problem with lasso's configuration or whether I
 forgot something about ipsilon-client?

 Thanks in advance.

 Luca Tartarini

 Not sure, _lasso.so should be provided by lasso-python package:

 # rpm -qf /usr/lib64/python2.6/site-packages/_lasso.so
 lasso-python-2.4.0-4.el6.x86_64

 CCing Simo to advise.

 Sounds like lasso-python is missing indeed.

 Simo.



Re: [Freeipa-users] Replica Cert failed to renew ...

2014-07-31 Thread Martin Kosek
(Adding back the users list as this may be interesting for everyone)

Ok, the steps suggested below should help. If the DS does not want to start at
all because of the expired certificate, you can also edit
/etc/dirsrv/slapd-YOUR-REALM/dse.ldif manually (only when the dirsrv
service is stopped).

Martin

On 07/31/2014 09:53 AM, Matt Bryant wrote:
 Martin,
 
 Correct in that the replica does not have a CA and the version being run is
 
 $ rpm -qa ipa-server
 ipa-server-3.0.0-25.el6.x86_64
 
 restarted the services and get
 
 Starting dirsrv:
 SERVER-IPA...[31/Jul/2014:18:00:15 +1000] - SSL alert:
 CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of
 family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 -
 Peer's Certificate has expired.)
 
 so I think it is just dealing with an expired cert ... so will try the other
 steps suggested  ..
 
 rgds
 
 Matt Bryant
 
 On 31/07/14 17:33, Martin Kosek wrote:
 On 07/31/2014 07:49 AM, Matt Bryant wrote:
 All,

 Got an issue with an IPA replica in that the certs in /etc/httpd/alias and
 /etc/dirsrv/slapd-IPA-REALM have expired.
 I assume that this replica does not have a CA and we are only dealing with
 service HTTPD and DIRSRV service certificates.

 Have tried setting the date back before expiry on the replica and doing an
 'ipa-getcert resubmit -i id' but that hasn't worked; it looks like the CA
 master is actually rejecting it since I haven't set the date back on that
 server.

 Error am getting on replica is ...

 Request ID '20120719044839':
  status: CA_UNREACHABLE
  ca-error: Server failed request, will retry: -504 (libcurl failed to
 execute the HTTP POST transaction.  Peer certificate cannot be authenticated
 with known CA certificates).
 Isn't this rather a problem that the replica does not trust the master server
 HTTPD certificate because its certificates are not valid from the replica's POV?

 is there any way of forcing a renewal or manual process for updating these
 certs .. ???
 If this is just a replica without PKI, I would suggest synchronizing the time
 back with the master CA server and restarting all the services.

 If the HTTPD service does not want to start, follow chapter 25.2.2 "Starting
 IdM with Expired Certificates" in
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cas.html
 and then try to resubmit the certificates so that they can be renewed on the
 master. Do not forget to revert the above configuration changes when you are
 done.

 Also, what version of FreeIPA are you running?

 HTH,
 Martin
 

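A check that follows from this thread, as an added example (not code from FreeIPA or certmonger): parse `getcert list` output, flag the tracking requests that are stuck, carry a ca-error or are already expired, and report the instant before which every tracked certificate was still valid, which is the date the thread suggests setting the clock back to before resubmitting. The sample output, hostnames and dates are constructed; only the request ID, status and ca-error text come from the thread.

```python
"""Triage the output of `getcert list` on a FreeIPA server or replica.

Added example for the thread above; not code from FreeIPA or certmonger.
It parses the block format certmonger prints, flags tracking requests
that are not MONITORING, carry a ca-error or are already expired, and
reports the latest point in time at which every tracked certificate was
still valid.
"""
import re
from datetime import datetime, timezone

# Constructed sample in `getcert list` layout. The request ID, status and
# ca-error are the ones quoted in the thread; hostnames and dates are made up.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20120719044839':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=replica.example.test,O=IPA-REALM
        expires: 2014-07-19 04:48:39 UTC
Request ID '20120719044840':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-REALM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=replica.example.test,O=IPA-REALM
        expires: 2016-07-19 04:48:40 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
FIELD_RE = re.compile(r"^\s+([^:]+):\s?(.*)$")
LOCATION_RE = re.compile(r"location='([^']+)'")


def parse_getcert_list(text):
    """Return one dict per tracking request, keyed by certmonger's field names."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            # Split at the first colon only: ca-error values contain colons.
            current[m.group(1).strip()] = m.group(2).strip()
    return requests


def parse_expiry(value):
    """certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)


def triage(requests, now):
    """Return (request_id, NSS db location, [findings]) per request.

    An empty findings list means the request is healthy at time `now`.
    """
    report = []
    for req in requests:
        findings = []
        status = req.get("status", "UNKNOWN")
        if status != "MONITORING":
            findings.append("status " + status)
        if req.get("stuck") == "yes":
            findings.append("stuck")
        if "ca-error" in req:
            findings.append("ca-error: " + req["ca-error"])
        if "expires" in req:
            age = now - parse_expiry(req["expires"])
            if age.total_seconds() >= 0:
                findings.append("expired %d days ago" % age.days)
        m = LOCATION_RE.search(req.get("certificate", ""))
        report.append((req["request_id"], m.group(1) if m else "?", findings))
    return report


def latest_time_all_valid(requests):
    """Earliest expiry across all tracked certs: a clock set just before this
    instant sees every tracked certificate as still valid."""
    return min(parse_expiry(r["expires"]) for r in requests if "expires" in r)


if __name__ == "__main__":
    reqs = parse_getcert_list(SAMPLE_GETCERT_LIST)
    now = parse_expiry("2014-07-31 08:00:00 UTC")  # constructed "now"
    for rid, loc, findings in triage(reqs, now):
        print(rid, loc, "OK" if not findings else "; ".join(findings))
    print("all tracked certs valid until", latest_time_all_valid(reqs).isoformat())
```

On a real host feed it `getcert list` output instead of the sample; a request that is expired and CA_UNREACHABLE at the same time is the situation Matt describes, where the renewal cannot proceed until the replica and the CA master agree on a time at which the chain validates.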

Re: [Freeipa-users] FreeIPA + Ipsilon

2014-07-31 Thread Simo Sorce
On Thu, 2014-07-31 at 09:53 +0200, Luca Tartarini wrote:
 Hi,
 
 Thanks for the reply. Unfortunately I cannot find the package on
 Scientific Linux; is there a workaround?

I saw from the lasso mailing list that you built the lasso package
yourself; make sure you built the python bindings, they are part of the
same source tree.

Attached find a .spec file you can use to build lasso on EL6 platforms,
until it becomes available officially.

This will build and install the python binding correctly.

Simo.

 Thanks.
 
 Luca Tartarini
 
 
 2014-07-30 15:00 GMT+02:00 Simo Sorce sso...@redhat.com:
 
  On Tue, 2014-07-29 at 15:58 +0200, Martin Kosek wrote:
   On 07/29/2014 03:47 PM, Luca Tartarini wrote:
Hi everyone,
   
 I am new to FreeIPA and I am trying to configure FreeIPA with Ipsilon. The
 configuration is the following: Service Provider (host with Scientific
 Linux 6) with ipsilon-client and Identity Provider (another host with
 Scientific Linux 6) with FreeIPA and ipsilon-server. Is the configuration
 feasible and/or correct?
If it is, then I am stuck in the installation of ipsilon-client because
after I installed lasso-2.3.6 and all the ipsilon-client prerequisites,
when I finally run:
   
ipsilon-client-install --saml-idp-metadata
https://myidp.example.org/idp/saml2/metadata --saml-auth /wiki
   
I get this error about lasso:
   
 Traceback (most recent call last):
   File "/usr/bin/ipsilon-client-install", line 20, in <module>
     from ipsilon.tools.saml2metadata import Metadata
   File "/usr/lib/python2.6/site-packages/ipsilon/tools/saml2metadata.py", line 22, in <module>
     import lasso
   File "/usr/lib/python2.6/site-packages/lasso.py", line 3, in <module>
     import _lasso
 ImportError: No module named _lasso
   
 Does anyone know if it's a problem with lasso's configuration or whether I
 forgot something about ipsilon-client?
   
Thanks in advance.
   
Luca Tartarini
  
   Not sure, _lasso.so should be provided by lasso-python package:
  
   # rpm -qf /usr/lib64/python2.6/site-packages/_lasso.so
   lasso-python-2.4.0-4.el6.x86_64
  
   CCing Simo to advise.
 
  Sounds like lasso-python is missing indeed.
 
  Simo.
 
 
 


%global with_java 0
%global with_php 0
%global with_perl 0
%global with_python 1
%global with_wsf 0

%if %{with_php}
%{!?__pecl: %{expand: %%global __pecl %{_bindir}/pecl}}
%endif

Summary: Liberty Alliance Single Sign On
Name: lasso
Version: 2.4.0
Release: 1%{?dist}
License: GPLv2+
Group: System Environment/Libraries
Source: http://dev.entrouvert.org/lasso/lasso-%{version}.tar.gz
%if %{with_wsf}
BuildRequires: cyrus-sasl-devel
%endif
BuildRequires: gtk-doc, libtool-ltdl-devel
BuildRequires: glib2-devel, swig
BuildRequires: libxml2-devel, xmlsec1-devel, openssl-devel, xmlsec1-openssl-devel
Url: http://lasso.entrouvert.org/

%description
Lasso is a library that implements the Liberty Alliance Single Sign On
standards, including the SAML and SAML2 specifications. It allows to handle
the whole life-cycle of SAML based Federations, and provides bindings
for multiple languages.

%package devel
Summary: Lasso development headers and documentation
Group: Development/Libraries
Requires: %{name}%{?_isa} = %{version}-%{release}

%description devel
This package contains the header files, static libraries and development
documentation for Lasso.

%if %{with_perl}
%package perl
Summary: Liberty Alliance Single Sign On (lasso) Perl bindings
Group: Development/Libraries
BuildRequires: perl(ExtUtils::MakeMaker)
BuildRequires: perl(Test::More)
Requires: perl(:MODULE_COMPAT_%(eval `%{__perl} -V:version`; echo $version))
Requires: %{name}%{?_isa} = %{version}-%{release}

%description perl
Perl language bindings for the lasso (Liberty Alliance Single Sign On) library.
%endif

%if %{with_java}
%package java
Summary: Liberty Alliance Single Sign On (lasso) Java bindings
Group: Development/Libraries
BuildRequires: java-devel
BuildRequires: jpackage-utils
Requires: java-headless
Requires: jpackage-utils
Requires: %{name}%{?_isa} = %{version}-%{release}

%description java
Java language bindings for the lasso (Liberty Alliance Single Sign On) library.
%endif

%if %{with_php}
%package php
Summary: Liberty Alliance Single Sign On (lasso) PHP bindings
Group: Development/Libraries
BuildRequires: php-devel, expat-devel
BuildRequires: python2
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires(post): %{__pecl}
Requires(postun): %{__pecl}
Requires: php(zend-abi) = %{php_zend_api}
Requires: php(api) = %{php_core_api}

%description php
PHP language bindings for the lasso (Liberty Alliance Single Sign On) library.
%endif

%if %{with_python}
%package python
Summary: Liberty Alliance Single Sign On (lasso) Python bindings
Group: Development/Libraries
BuildRequires: python2-devel
BuildRequires: python-lxml
Requires: python
Requires: %{name}%{?_isa} = %{version}-%{release}

%description python
Python language bindings for 

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-31 Thread Erinn Looney-Triggs

On 07/30/2014 02:31 PM, Ade Lee wrote:
 On Tue, 2014-07-29 at 17:49 -0700, Erinn Looney-Triggs wrote:
 
 
 Ok, well I tried deleting it using certutil; it deletes both.
 I tried using keytool to see if it would work any better, no
 dice there. I'll try the rename, but at this point I am not
 holding my breath on that, it seems all operations are a bit
 too coarse. It seems the assumption was being made that there
 would only be one of each nickname. Which frankly makes me
 wonder how any of this kept running after the renewal.
 
 For now I'll see what I can do on a copy of the db using
 python.
 
 It is a little strange that there are multiple 'caSigningCert 
 cert-pki-ca' as this is the CA itself. It should be good for
 20 years and isn't something that the current renewal code
 handles yet.
 
 You probably won't have much luck with python-nss. It can
 handle reading PKCS#12 files but I don't believe it can write
 them (access to key material).
 
 I'm not sure why certutil didn't do the trick. This should
 work, if you want to give it another try. I'm assuming that
 /root/cacert.p12 has the latest exported certs, adjust as
 necessary:
 
 # certutil -N -d /tmp/test
 # pk12util -i /root/cacert.p12 -d /tmp/test
 # certutil -D -d /tmp/test -n 'nickname'
 
 certutil should delete the oldest cert first, it always has
 for me.
 
 rob
 
 
 Ok folks, I managed to clean up the certificate DB so there is
 only one valid certificate for each service. Installation
 continued past that step and then failed shortly thereafter on
 configuring the ca. So here is my new error:
 
 
 pkispawn: ERROR ... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2
 pkispawn: DEBUG ... Error Type: HTTPError
 pkispawn: DEBUG ... Error Message: 500 Server Error: Internal Server Error
 pkispawn: DEBUG ...   File "/usr/sbin/pkispawn", line 374, in main
     rv = instance.spawn()
   File "/usr/lib/python2.7/site-packages/pki/deployment/configuration.py", line 128, in spawn
     json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
   File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py", line 2998, in configure_pki_data
     response = client.configure(data)
   File "/usr/lib/python2.7/site-packages/pki/system.py", line 80, in configure
     r = self.connection.post('/rest/installer/configure', data, headers)
   File "/usr/lib/python2.7/site-packages/pki/client.py", line 64, in post
     r.raise_for_status()
   File "/usr/lib/python2.7/site-packages/requests/models.py", line 638, in raise_for_status
     raise http_error
 
 
 2014-07-30T00:27:48Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -vv -s CA -f /tmp/tmpqX9SGx' returned non-zero exit status 1
 2014-07-30T00:27:48Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 638, in run_script
     return_value = main_function()
 
   File "/usr/sbin/ipa-replica-install", line 667, in main
     CA = cainstance.install_replica_ca(config)
 
   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1678, in install_replica_ca
     subject_base=config.subject_base)
 
   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 478, in configure_instance
     self.start_creation(runtime=210)
 
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
     method()
 
   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 604, in __spawn_instance
     raise RuntimeError('Configuration of CA failed')
 
 2014-07-30T00:27:48Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Configuration of CA failed
 
 And from the pki-tomcat/ca debug log:
 
 isSDHostDomainMaster(): Getting domain.xml from CA...
 [30/Jul/2014:00:27:48][http-bio-8443-exec-3]: getDomainXML start
 [30/Jul/2014:00:27:48][http-bio-8443-exec-3]: getDomainXML: status=0
 [30/Jul/2014:00:27:48][http-bio-8443-exec-3]: getDomainXML: domainInfo=<?xml version="1.0" encoding="UTF-8" standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>ipa.example.com</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>TRUE</DomainManager></CA><SubsystemCount>1</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
 [30/Jul/2014:00:27:48][http-bio-8443-exec-3]: Cloning a domain master
 [30/Jul/2014:00:27:48][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ipa.example.com port=443
 [30/Jul/2014:00:27:48][http-bio-8443-exec-3]: updateSecurityDomain: failed to update security domain using
 

Re: [Freeipa-users] Local users/groups to IPA Transition

2014-07-31 Thread Baird, Josh
 So if I understand this right, you're planning on two back to back user
 migrations? First is local -> FreeIPA, then eventually FreeIPA -> AD? Are your
 current local users coincidentally the same as your current AD users?

Well - I will likely try to skip the Local -> FreeIPA and just go directly to
FreeIPA -> AD.  My main question though still remains - do I force the same
local UID/GIDs to the IPA/AD users?  I'm just looking for advice on local user
to IPA migration strategies.

Josh



Re: [Freeipa-users] Local users/groups to IPA Transition

2014-07-31 Thread Rob Crittenden
Baird, Josh wrote:
 So if I understand this right, you're planning on two back to back user
 migrations? First is local -> FreeIPA, then eventually FreeIPA -> AD? Are your
 current local users coincidentally the same as your current AD users?
 
 Well - I will likely try to skip the Local -> FreeIPA and just go directly to
 FreeIPA -> AD.  My main question though still remains - do I force the same
 local UID/GIDs to the IPA/AD users?  I'm just looking for advice on local
 user to IPA migration strategies.

I wouldn't recommend duplicating your users, pick one and use that. If
you want to be able to manage your users, groups, HBAC, sudo, etc.
centrally then you'll want the users in IPA. But if you leave them
locally you may end up with corner case problems.

If you *do* end up adding your local users to IPA then yeah, you've got
a decision to make. Either you use the existing UID/GID which is
probably fine (though you may want to look at adding a local range) or you
let IPA assign a new UID from its own range, then you have to quickly
change file ownership on all enrolled systems.

rob



Re: [Freeipa-users] Local users/groups to IPA Transition

2014-07-31 Thread Baird, Josh

 I wouldn't recommend duplicating your users, pick one and use that. If you
 want to be able to manage your users, groups, HBAC, sudo, etc.
 centrally then you'll want the users in IPA. But if you leave them locally you
 may end up with corner case problems.
 
 If you *do* end up adding your local users to IPA then yeah, you've got a
 decision to make. Either you use the existing UID/GID which is probably fine
 (though you may want to look at adding a local range) or you let IPA assign a
 new UID from its own range, then you have to quickly change file ownership
 on all enrolled systems.
 

Well, the users are definitely going to be in IPA (or AD via IPA).  However,
they *will* exist in both IPA and locally during the migration period.  If they
have the same UID/GIDs in both places (local and IPA), then I will need to
prefer IPA to 'files' in nsswitch.conf.  The main reason I want to duplicate
the local UID/GIDs in IPA is to retain file permissions.

Josh



Re: [Freeipa-users] Local users/groups to IPA Transition

2014-07-31 Thread Nordgren, Bryce L -FS

 Well, the users are definitely going to be in IPA (or AD via IPA).  However,
 they *will* exist in both IPA and locally during the migration period.  If they
 have the same UID/GIDs in both places (local and IPA), then I will need to
 prefer IPA to 'files' in nsswitch.conf.  The main reason I want to duplicate
 the local UID/GIDs in IPA is to retain file permissions.

The initial state and final state of your domain are identical to the initial
and final states of each individual machine. The transition period is composed
of some machines being migrated and some machines not migrated yet. Those which
are not migrated yet have the users in /etc/passwd and have no knowledge of
ipa. Those which are migrated should get users from ipa and the duplicate users
purged out of /etc/passwd. Setting up a machine with ipa and forgetting to
delete the users out of /etc/passwd is probably asking for trouble.

This is a separate problem from keeping UIDs the same or not. If you've got NFS
set up, you need to either simultaneously migrate all the machines which share
files, or you need to keep UIDs/GIDs the same so you can migrate individual
machines at your leisure. Separately, you need to trade off how much work it is
to configure FreeIPA to just continue with your current scheme (set it up to
allocate UIDs picking up where you left off) vs. find and chown files on all
your machines as part of the migration process. If neither option sounds
attractive to you, perhaps you may find it acceptable to have the pre-FreeIPA
block of UIDs separate from the block of UIDs FreeIPA uses after it takes over.

Bryce






Re: [Freeipa-users] Local users/groups to IPA Transition

2014-07-31 Thread Jakub Hrozek
On Thu, Jul 31, 2014 at 03:23:50PM +, Nordgren, Bryce L -FS wrote:
 
  Well, the users are definitely going to be in IPA (or AD via IPA).  However,
  they *will* exist in both IPA and locally during the migration period.  If they
  have the same UID/GIDs in both places (local and IPA), then I will need to
  prefer IPA to 'files' in nsswitch.conf.  The main reason I want to duplicate
  the local UID/GIDs in IPA is to retain file permissions.
 
 The initial state and final state of your domain is identical to the initial 
 and final states of each individual machine. The transition period is 
 composed of some machines being migrated and some machines not migrated yet. 
 Those which are not migrated yet have the users in /etc/passwd and have no 
 knowledge of ipa. Those which are migrated should get users from ipa and the 
 duplicate users purged out of /etc/passwd. Setting up a machine with ipa and 
 forgetting to delete the users out of /etc/passwd is probably asking for 
 trouble.

+1 also please note that reversing the order of files and sss must be
handled with extreme care. For instance, if someone was smart enough to
name a user in IPA with the same name as some daemon user, then you'd
effectively shadow the daemon account from the machine.

Luckily sssd explicitly doesn't handle root, so even if you reversed the
order of files and sss, the sss nsswitch module would just punt on any
requests for root.

 
 This is a separate problem from keeping UIDs the same or not. If you've got 
 NFS set up, you need to either simultaneously migrate all the machines which 
 share files, or you need to keep UIDs/GIDs the same so you can migrate 
 individual machines at your leisure. Separately, you need to tradeoff how 
 much work it is to configure FreeIPA to just continue with your current 
 scheme (set it up to allocate UIDs picking up where you left off) vs. find 
 and chown files on all your machines as part of the migration process. If 
 neither option sounds attractive to you, perhaps you may find it acceptable 
 to have the pre-FreeIPA block of UIDs separate from the block of UIDs FreeIPA 
 uses after it takes over.
 
 Bryce
 
 
 
 

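To make Bryce's and Jakub's points concrete, an added example (not code from FreeIPA or SSSD) that compares a host's /etc/passwd with the accounts IPA would serve for it and lists the collisions to resolve before touching the nsswitch.conf order, plus the local entries that are exact duplicates and can be purged once the host is enrolled. The passwd entries, the UIDs and the SYS_UID_MAX threshold of 999 are constructed assumptions.

```python
"""Pre-flight check before pointing a host at FreeIPA for its users.

Added example for the migration discussion above; not code from FreeIPA
or SSSD. It compares local /etc/passwd entries with the accounts the host
will receive from IPA (same colon-separated format, e.g. captured with
`getent passwd -s sss` on an already enrolled host) and reports the
collisions the thread warns about.
"""
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name uid gid gecos home shell")

# Assumption: UIDs up to 999 are system/daemon accounts (SYS_UID_MAX).
SYSTEM_UID_MAX = 999

# Constructed /etc/passwd of a not-yet-migrated host.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
jdoe:x:1001:1001:Jane Doe:/home/jdoe:/bin/bash
bsmith:x:1002:1002:Bob Smith:/home/bsmith:/bin/bash
build:x:1003:1003:Build account:/home/build:/bin/bash
"""

# Constructed view of what IPA would serve for the same host.
IPA_PASSWD = """\
jdoe:*:1001:1001:Jane Doe:/home/jdoe:/bin/bash
bsmith:*:1200000003:1200000003:Bob Smith:/home/bsmith:/bin/bash
apache:*:1200000010:1200000010:Apache Admin:/home/apache:/bin/bash
carol:*:1003:1200000011:Carol Jones:/home/carol:/bin/bash
root:*:1200000099:1200000099:Root In IPA:/home/root:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd(5) lines into {name: PasswdEntry}; blank and # lines skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        entries[name] = PasswdEntry(name, int(uid), int(gid), gecos, home, shell)
    return entries


def find_collisions(local, ipa):
    """Return (kind, name, detail) for every IPA account that clashes locally.

    shadows-system-account: IPA user named like a local daemon account; with
                            'sss' ahead of 'files' the daemon account disappears
    uid-mismatch/gid-mismatch: same name, different ids; whichever source wins
                            in nsswitch.conf decides who owns the files
    uid-reused:             IPA uid already owned locally by another name
    root-in-ipa:            sssd never serves root, the entry is ignored
    """
    findings = []
    local_by_uid = {e.uid: e for e in local.values()}
    for name, u in sorted(ipa.items()):
        if name == "root":
            findings.append(("root-in-ipa", name, "ignored by sssd"))
            continue
        l = local.get(name)
        if l is not None:
            if l.uid <= SYSTEM_UID_MAX:
                findings.append(("shadows-system-account", name,
                                 "local uid %d, ipa uid %d" % (l.uid, u.uid)))
            elif l.uid != u.uid:
                findings.append(("uid-mismatch", name,
                                 "local uid %d, ipa uid %d" % (l.uid, u.uid)))
            elif l.gid != u.gid:
                findings.append(("gid-mismatch", name,
                                 "local gid %d, ipa gid %d" % (l.gid, u.gid)))
        other = local_by_uid.get(u.uid)
        if other is not None and other.name != name:
            findings.append(("uid-reused", name,
                             "ipa uid %d is local user %s" % (u.uid, other.name)))
    return findings


def purgeable_after_migration(local, ipa):
    """Local non-system entries that IPA reproduces with identical uid and gid:
    safe to delete from /etc/passwd once the host gets its users from IPA."""
    return sorted(n for n, l in local.items()
                  if l.uid > SYSTEM_UID_MAX and n in ipa
                  and (ipa[n].uid, ipa[n].gid) == (l.uid, l.gid))


if __name__ == "__main__":
    local, ipa = parse_passwd(LOCAL_PASSWD), parse_passwd(IPA_PASSWD)
    for kind, name, detail in find_collisions(local, ipa):
        print("%-24s %-8s %s" % (kind, name, detail))
    print("purge after enrolment:", ", ".join(purgeable_after_migration(local, ipa)))
```

An empty collision list is the state in which either nsswitch.conf order is harmless; until then, keeping 'files' first (the default) is what protects the daemon accounts Jakub mentions.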


[Freeipa-users] FreeIPA + Chef

2014-07-31 Thread Ash Alam
Hi

I am currently deploying CentOS and FreeIPA and I am looking for some
recommendations on chef cookbooks. I have googled around but haven't found
anything that is current. I found a git repo from Sean OMeara but the last
contribution was 3 years ago.

If anyone can point me in the right direction I would be very grateful.

Thank You

Re: [Freeipa-users] FreeIPA + Chef

2014-07-31 Thread James
On Thu, Jul 31, 2014 at 11:55 AM, Ash Alam a...@paperlesspost.com wrote:
 Hi

 I am currently deploying CentOS and FreeIPA and I am looking for some
 recommendations on chef cookbooks. I have googled around but haven't found
 anything that is current. I found a git repo from Sean OMeara but the last
 contribution was 3 years ago.

 If anyone can point me in the right direction I would be very grateful.

 Thank You


I've got a puppet module that I'm actively working on...
https://github.com/purpleidea/puppet-ipa

If you don't find a ready chef module, you can consider using puppet
instead, or start porting it to chef. A lot of the code can be
re-used, since my module contains a good amount of puppet.

HTH,
James



Re: [Freeipa-users] PatternFly questions

2014-07-31 Thread Innes, Duncan
Hi,

Sorry for delay - paternity leave took me away from work rather
abruptly.

Do you still want RFEs written up for these?

My brain might have been fried when I thought about this, but is there
any mileage in creating an elasticsearch (or similar) database of the
useful fields and using that for searching?  If LDAP searches are the
limiting factor that is.  Keeping the databases in sync might be an
issue, but the elasticsearch database would be read-only for users and
would allow a potentially richer method of searching.

Back at work on Monday, so should be able to write up some RFEs then if
they're still needed.

Cheers

D 

-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: 18 July 2014 16:09
To: Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] PatternFly questions

On 07/18/2014 09:23 AM, Martin Kosek wrote:
 On 07/18/2014 03:12 PM, Dmitri Pal wrote:
 On 07/18/2014 08:17 AM, Innes, Duncan wrote:
Hi Petr,

 On 18/07/2014 11:24, Petr Vobornik wrote:
 Hello Duncan,

 thank you for the input. If you or somebody else have any Web UI
 ideas/RFEs, feel free to write them down. I would like to
 know what people don't like or would like to have.

 On 18.7.2014 10:21, Innes, Duncan wrote:
 Just poking around the new 4.0 demo page and very much liking what I
 see.  This will make a big difference in use on large estates.

 A couple PatternFly related questions though:

 1. The tables don't sort by column if I click on a column header.
 Is this not available in PatternFly yet, or have FreeIPA decided
 against implementing it?
 First just a note about PatternFly. It's not really a widget library,
 it is (or should be) more of a set of patterns and styles. But the
 referential implementation is built on Bootstrap 3, so it is very easy
 to adopt. PatternFly doesn't have an official pattern for table sorting
 yet, but it has styles for DataTables (jQuery table plugin) which can
 do it.
 I don't remember any decision against it - could be implemented if
 there is enough will and user demand.
 Sorting can be done on client side and on server side. Client side is
 limited to issue #2 - only 20 items, so it is not really helpful.

 And server side (IPA API) doesn't support specifying a sort attribute
 atm.
 You would like the server-side sorting, right?

 Hadn't considered there to be an option.  When I looked at the
 PatternFly demos I hadn't thought about it, but the speed that
 FreeIPA pulls data out for rendering, I suppose it would have to be.
 Even our modest estate (at a few hundred users and hosts) would slow
 down far too much if the full dataset was sent.

 The other possibilities thrown up by PatternFly are also
 interesting; add/remove columns, resize columns etc.  I know some of
 these are still on the drawing board, but there are demo pages
 available already.

 2. Browsing the screen on a large monitor still leaves the user page
 (at least) limited to around 22 rows.
 This leaves the bottom third of my browser empty.  The table uses
 the full width of the browser, can it not use the full height too?
 I have an idea/plan to make it configurable - to specify the number
 of items and also to allow disabling of paging.
 The more rows the slower the UI is. Also paging has its own issues
 which are not straightforward to solve:
 - http://www.redhat.com/archives/freeipa-devel/2012-August/msg00295.html
 True. What's the biggest time factor in loading large tables?

 When admining estates with tens of thousands of entries, however, 
 much emphasis needs to be placed on the table filters. No admin in 
 their right mind is going to be performing actions on all entries 
 simultaneously.  Similar to Foreman's filters, could FreeIPA allow 
 (example) in the hosts screen a filter of hostgroup = groupX to 
 show only hosts belonging to that group?  Or filtering users with 
 manager = 'Duncan Innes'?
 Please open RFEs. This is really a valuable feedback.
 I think we are somewhat talking about this RFE:

 https://fedorahosted.org/freeipa/ticket/2388

 Maybe it is time to resurrect it from Ticket Deferred milestone given 
 it would bring big value for large user deployments.

 The API and the mighty LDAP search engine is already there:

  ipa user-add --first=Test --last=User manager
  ipa user-add --first=Test --last=User employee --manager manager
  ipa user-add --first=Test --last=User employee2 --manager manager
  ipa group-add testgroup --desc test
  ipa group-add-member testgroup --users employee2


 # ipa user-find --manager manager --pkey-only
 ---
 2 users matched
 ---
User login: employee

User login: employee2
 
 Number of entries returned 2
 

 # ipa user-find --manager manager --in-group testgroup --pkey-only
 --
 1 user matched
 --
User login: 
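The user-find calls above filter users by manager and by group membership on the server side. As an added example (not FreeIPA's own code), this builds the kind of LDAP filter such a query sends, with RFC 4515 escaping so a value typed into a UI filter box cannot alter the filter structure; the suffix, containers and objectClass clause are assumptions modelled on an IPA tree.

```python
"""Added example (not FreeIPA code): compose the LDAP filter behind a
`user-find --manager X --in-group Y` style query with RFC 4515 escaping,
so a value typed into a UI filter box cannot change the filter's structure.
The suffix, containers and object class below are assumptions."""

BASE_DN = "dc=example,dc=test"                     # assumed suffix
USERS_DN = f"cn=users,cn=accounts,{BASE_DN}"       # IPA-style user container
GROUPS_DN = f"cn=groups,cn=accounts,{BASE_DN}"     # IPA-style group container

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_FILTER_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def filter_escape(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESC.get(ch, ch) for ch in value)


def rdn_escape(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514 special characters)."""
    out = "".join("\\" + ch if ch in '\\,+"<>;=' else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def user_dn(login: str) -> str:
    return f"uid={rdn_escape(login)},{USERS_DN}"


def group_dn(name: str) -> str:
    return f"cn={rdn_escape(name)},{GROUPS_DN}"


def user_find_filter(manager=None, in_group=None, login=None) -> str:
    """Build the search filter. `manager` and `in_group` are a login and a
    group name (as on the CLI); they become DNs because IPA stores the manager
    attribute and memberOf as DNs, and are then escaped again as filter values."""
    clauses = ["(objectClass=posixaccount)"]   # assumed base clause
    if login is not None:
        clauses.append(f"(uid={filter_escape(login)})")
    if manager is not None:
        clauses.append(f"(manager={filter_escape(user_dn(manager))})")
    if in_group is not None:
        clauses.append(f"(memberOf={filter_escape(group_dn(in_group))})")
    return "(&" + "".join(clauses) + ")"
```

A display name such as 'Duncan Innes' would first have to be resolved to the manager's login (and hence DN) before it can be used as a manager filter value.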

[Freeipa-users] memberof plugin?

2014-07-31 Thread Kat

Hi,

I must be missing something obvious in getting the memberof plugin to work.
Any ideas?


Thanks in advance...
~K

--

./fixup-memberof.pl -D 'cn=Directory Manager' -b 'dc=red,dc=lemon,dc=com' -w - -v

ldap_initialize( ldap://localhost:7389 )
add objectclass:
top
extensibleObject
add cn:
memberOf_fixup_2014_7_26_22_33_31
add basedn:
dc=red,dc=lemon,dc=com
adding new entry cn=memberOf_fixup_2014_7_26_22_33_31, cn=memberOf 
task, cn=tasks, cn=config

ldap_add: No such object (32)



[Freeipa-users] Users not inheriting groups

2014-07-31 Thread William Graboyes

Hi List,

I am running into some odd issues with IPA and users not inheriting
all groups they are a member of.

I spent a lot of time nesting groups so that when we add a user they get
all of the groups they need with one group setting (a boon for automation).
However I am finding a small percentage of users who are in the proper
groups in IPA but the server does not pick up all the groups involved,
until I add those specific users to the group in question.

For clarity:

1) Most users inherit groups fine
2) A small percentage (2-3% discovered so far) do not inherit one or
more of the needed groups.
3) Workaround found by adding users directly to the group instead of
nesting them in the proper group (though less than ideal)

Versions
Client:
Linux 2.6.32-431.11.2.el6.x86_64 #1 SMP x86_64 GNU/Linux
ipa-client-3.0.0-37.el6.x86_64
libsss_sudo-1.9.2-129.el6_5.4.x86_64
libsss_idmap-1.9.2-129.el6_5.4.x86_64
libsss_autofs-1.9.2-129.el6_5.4.x86_64
sssd-client-1.9.2-129.el6_5.4.x86_64
sssd-1.9.2-129.el6_5.4.x86_64

Servers (both identical):
Linux 2.6.32-431.17.1.el6.x86_64 #1 SMP x86_64 GNU/Linux
ipa-server-3.0.0-37.el6.x86_64
sssd-client-1.9.2-129.el6_5.4.x86_64
libsss_autofs-1.9.2-129.el6_5.4.x86_64
libsss_idmap-1.9.2-129.el6_5.4.x86_64
sssd-1.9.2-129.el6_5.4.x86_64

Thanks,
Bill G.
CENIC
www.cenic.org

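Both the memberOf fixup question above and this nested-group report come down to the same computation: the memberOf values an entry should carry given the group membership graph. As an added example (not 389-ds or FreeIPA code), this recomputes them the way a fixup task regenerates them and diffs the result against a constructed snapshot of what entries currently hold, which is how you would find the small percentage of users with stale values before relying on the direct-membership workaround; the DNs are constructed and shortened.

```python
"""Added example (not 389-ds/FreeIPA code): recompute memberOf from the
group membership graph, which is what a memberOf fixup task regenerates,
and diff it against the values a client currently sees. Group and user
DNs below are constructed and shortened."""
from collections import deque

# Constructed sample tree: groups nest, and sales -> all-staff -> sales forms
# a cycle that a correct resolver must tolerate.
GROUPS = {
    "cn=all-staff": ["cn=engineering", "cn=sales", "uid=ceo"],
    "cn=engineering": ["cn=sre", "cn=dev", "uid=eng-mgr"],
    "cn=sre": ["uid=alice", "uid=bob"],
    "cn=dev": ["uid=carol", "cn=sre"],          # sre reachable via two parents
    "cn=sales": ["uid=dave", "cn=all-staff"],   # cycle back to the top group
}

# Constructed snapshot of the memberOf values some entries currently carry;
# bob is the "small percentage" case that lacks the nested values.
STORED = {
    "uid=alice": {"cn=sre", "cn=dev", "cn=engineering", "cn=all-staff", "cn=sales"},
    "uid=bob": {"cn=sre", "cn=engineering"},
    "uid=dave": {"cn=sales", "cn=all-staff"},
}


def member_of(groups):
    """Return {dn: set of groups it belongs to directly or through nesting}."""
    result = {}
    for group, members in groups.items():
        # Breadth-first walk downward; every DN reached is a member of `group`.
        seen, queue = set(), deque(members)
        while queue:
            dn = queue.popleft()
            if dn == group or dn in seen:   # skip self-reference and revisits
                continue
            seen.add(dn)
            result.setdefault(dn, set()).add(group)
            queue.extend(groups.get(dn, ()))   # descend if dn is itself a group
    return result


def find_stale(groups, stored):
    """For each DN in `stored`, report (missing, extra) memberOf values
    relative to the recomputed set; an empty dict means nothing needs fixup."""
    expected = member_of(groups)
    stale = {}
    for dn, have in stored.items():
        want = expected.get(dn, set())
        if want != set(have):
            stale[dn] = (want - set(have), set(have) - want)
    return stale
```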