Re: [Freeipa-users] How to use sudo rules on ubuntu
Step 0

root@clnt:/home/awtadm# grep sudoers /etc/nsswitch.conf
sudoers_debug:1
sudoers: files sss
root@clnt:/home/awtadm# ipa-client-install --no-ntp
IPA client is already configured on this system.
root@clnt:/home/awtadm# grep services /etc/sssd/sssd.conf
services = nss, pam, ssh, sudo

Step 1 (there is some problem when creating the rule on the CLI; no problem prompt on the web-based UI)

...
[root@srv ~]# ipa sudorule-add-option readfiles
Sudo Option: !authenticate
ipa: ERROR: no such entry
...

Then:

awtadm@clnt:~$ su user1
Password:
user1@clnt:/home/awtadm$ /usr/bin/less /etc/shadow |wc -l
/etc/shadow: Permission denied
0
user1@clnt:/home/awtadm$ sudo /usr/bin/less /etc/shadow |wc -l
[sudo] password for user1:
user1 is not in the sudoers file.  This incident will be reported.
0
user1@clnt:/home/awtadm$ id
uid=142344(user1) gid=142344(user1) groups=142344(user1)
user1@clnt:/home/awtadm$ sudo -l
[sudo] password for user1:
Sorry, user user1 may not run sudo on clnt.
user1@clnt:/home/awtadm$ exit
exit
awtadm@clnt:~$ su user1
Password:
user1@clnt:/home/awtadm$ id
uid=142344(user1) gid=142344(user1) groups=142344(user1)
user1@clnt:/home/awtadm$ sudo -l
[sudo] password for user1:
Sorry, user user1 may not run sudo on clnt.
user1@clnt:/home/awtadm$ /usr/bin/less /etc/shadow |wc -l
/etc/shadow: Permission denied
0
user1@clnt:/home/awtadm$ sudo /usr/bin/less /etc/shadow |wc -l
[sudo] password for user1:
user1 is not in the sudoers file.  This incident will be reported.
0

--OR--

Darktower tevfik # ssh user1@10.1.1.174
The authenticity of host '10.1.1.174 (10.1.1.174)' can't be established.
ECDSA key fingerprint is 37:32:fc:ca:34:ce:4c:07:e8:b6:f6:56:75:98:69:b8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.1.174' (ECDSA) to the list of known hosts.
user1@10.1.1.174's password:
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-24-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

Last login: Mon Sep  1 17:50:02 2014 from 10.65.8.100
user1@clnt:~$ sudo /usr/bin/less /etc/shadow |wc -l
[sudo] password for user1:
user1 is not allowed to run sudo on clnt.  This incident will be reported.
0
user1@clnt:~$ sudo -l
[sudo] password for user1:
User user1 is not allowed to run sudo on clnt.

On 01-09-2014 19:05, Lukas Slebodnik wrote:
> On (01/09/14 17:52), Tevfik Ceydeliler wrote:
>> 1. I think I configure instead of this document
> Sorry you didn't.
>
>> 2. I can login with ordinary user
> login and sudo are not the same thing.
>
> My FreeIPA server is already properly configured with sudo rules.
> I tried to install freeipa-client on ubuntu 14.04 and it worked without any problem.
>
> Step 0: Install freeipa-client on ubuntu 14.04 and configure sudo integration
>
> root@ubuntu1404:/# ipa-client-install --no-ntp
> root@ubuntu1404:/# echo "sudoers: files sss" >> /etc/nsswitch.conf
> root@ubuntu1404:/# grep services /etc/sssd/sssd.conf
> services = nss, pam
> root@ubuntu1404:/# sed -i -e 's/\(services.*\)/\1, sudo/' /etc/sssd/sssd.conf
> root@ubuntu1404:/# grep services /etc/sssd/sssd.conf
> services = nss, pam, sudo
>
> Step 1: configure sudo rules for ordinary user
> Please follow the instructions from the FreeIPA documentation.
> http://www.freeipa.org/docs/master/html-desktop/index.html#sudo
> This step was skipped, because it was already done a few months ago :-)
>
> Step 2: login to machine as ordinary user, which is allowed to use sudo.
>
> $ su usersssd01
> Password:
> $ id
> uid=325600011(usersssd01) gid=325600011(usersssd01) groups=325600011(usersssd01),30011(biggroup1)
>
> Step 3: run command sudo -l
> // this command should show you which commands can be executed as root
> // with sudo
>
> $ sudo -l
> sudo: unable to resolve host ubuntu1404.example.test
> [sudo] password for usersssd01:
> Matching Defaults entries for usersssd01 on ubuntu1404:
>     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
>
> User usersssd01 may run the following commands on ubuntu1404:
>     (root) /usr/bin/less, /usr/bin/vim
>
> Step 4: If there weren't any problems then the user will be able to run the command.
> sudo some_command_listed_in_step3
>
> $ sudo /usr/bin/less /etc/shadow | wc -l
> 21
> $ echo $?
> 0
> $ sudo apt-get install mc
> Sorry, user usersssd01 is not allowed to execute '/usr/bin/apt-get install mc' as root on ubuntu.example.test.
> $ echo $?
> 1
>
> LS
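The two client-side settings from Lukas's Step 0 (the sss source on the sudoers line of nsswitch.conf and the sudo responder in the services list of sssd.conf) are easy to get half-right, and a missing one shows up only as "user is not in the sudoers file". The script below is an added example, not code from the thread or from the FreeIPA/SSSD projects; it checks both settings and applies the same two edits Lukas shows, idempotently, against file paths passed as arguments so it can be run on constructed copies before touching the live /etc files. It assumes sssd.conf keeps its services key in the [sssd] section as in the thread; as Lukas notes in his follow-up, a change to services only takes effect after sssd is restarted.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA/SSSD projects): check and,
# if needed, repair the client-side sudo integration settings for SSSD.
# Assumption: file paths are passed as arguments so constructed copies can be
# tested instead of /etc/nsswitch.conf and /etc/sssd/sssd.conf.

# 0 if the sudoers line in nsswitch.conf already lists the sss source.
nsswitch_has_sss() {
    grep -Eq '^[[:space:]]*sudoers:[^#]*(:|[[:space:]])sss([[:space:]]|$)' "$1"
}

# 0 if the services line in sssd.conf already includes the sudo responder.
sssd_has_sudo() {
    grep -Eq '^[[:space:]]*services[[:space:]]*=[^#]*(=|,|[[:space:]])sudo([[:space:]]|,|$)' "$1"
}

# Append the sudoers source line only when it is missing (the "echo >>" from the thread).
enable_nsswitch_sss() {
    nsswitch_has_sss "$1" || printf 'sudoers: files sss\n' >> "$1"
}

# Append ", sudo" to the services line only when it is missing: the sed from the
# thread made idempotent (a second run must not produce "sudo, sudo") and written
# through a temp file instead of sed -i so it also works with non-GNU sed.
enable_sssd_sudo() {
    sssd_has_sudo "$1" && return 0
    sed -e 's/^\([[:space:]]*services[[:space:]]*=.*\)$/\1, sudo/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print 0 when both settings are present, 1 otherwise (exit status matches).
# Remember: after changing services, restart sssd before testing with sudo -l.
sudo_integration_ok() {
    if nsswitch_has_sss "$1" && sssd_has_sudo "$2"; then
        echo 0
    else
        echo 1
        return 1
    fi
}

# Constructed sample files mirroring the "before" state in Lukas's Step 0
# (services = nss, pam and no sudoers line), written into directory $1.
write_sample_client_config() {
    printf 'passwd:     compat sss\ngroup:      compat sss\nshadow:     compat sss\nnetgroup:   nis sss\n' > "$1/nsswitch.conf"
    printf '[sssd]\nconfig_file_version = 2\nservices = nss, pam\ndomains = example.test\n\n[domain/example.test]\nid_provider = ipa\n' > "$1/sssd.conf"
}

# Stand-alone demo on a temporary directory.
demo_dir=$(mktemp -d)
write_sample_client_config "$demo_dir"
echo "before: $(sudo_integration_ok "$demo_dir/nsswitch.conf" "$demo_dir/sssd.conf")"
enable_nsswitch_sss "$demo_dir/nsswitch.conf"
enable_sssd_sudo "$demo_dir/sssd.conf"
echo "after:  $(sudo_integration_ok "$demo_dir/nsswitch.conf" "$demo_dir/sssd.conf")"
grep -E '^(sudoers|services)' "$demo_dir/nsswitch.conf" "$demo_dir/sssd.conf"
rm -rf "$demo_dir"
```

To use it on a real client, run the two enable functions against /etc/nsswitch.conf and /etc/sssd/sssd.conf as root, restart sssd, and only then test with sudo -l as the ordinary user, as Lukas's Step 3 does; if sudo -l still fails, the client side is fine and the rule itself (server side) is the place to look.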
Re: [Freeipa-users] How to use sudo rules on ubuntu
On (02/09/14 11:02), Tevfik Ceydeliler wrote:
> Step 0
>
> root@clnt:/home/awtadm# grep sudoers /etc/nsswitch.conf
> sudoers_debug:1
> sudoers: files sss
> root@clnt:/home/awtadm# ipa-client-install --no-ntp
> IPA client is already configured on this system.
> root@clnt:/home/awtadm# grep services /etc/sssd/sssd.conf
> services = nss, pam, ssh, sudo

You need to restart sssd after modification of the option services in /etc/sssd/sssd.conf.
I forgot to mention it.

> Step 1 (there is some problem when creating the rule on the CLI; no problem prompt on the web-based UI)
>
> ...
> [root@srv ~]# ipa sudorule-add-option readfiles
> Sudo Option: !authenticate
> ipa: ERROR: no such entry
> ...
>
> Then:
>
> awtadm@clnt:~$ su user1
> Password:
> uid=142344(user1) gid=142344(user1) groups=142344(user1)
> user1@clnt:/home/awtadm$ sudo -l
> [sudo] password for user1:
> Sorry, user user1 may not run sudo on clnt.

There is no reason to try sudo commands if sudo -l fails.

It works for me on ubuntu 14.04. It is very likely you have a problem on the FreeIPA server.
Other people can help you with the server part; I could help you just with the client configuration.
(From my point of view, the problem is solved.)

One more time, please follow the instructions:
http://www.freeipa.org/docs/master/html-desktop/index.html#sudo

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] How to use sudo rules on ubuntu
I restarted the client after changing sssd.conf.

On 02-09-2014 11:13, Lukas Slebodnik wrote:
> On (02/09/14 11:02), Tevfik Ceydeliler wrote:
>> Step 0
>>
>> root@clnt:/home/awtadm# grep sudoers /etc/nsswitch.conf
>> sudoers_debug:1
>> sudoers: files sss
>> root@clnt:/home/awtadm# ipa-client-install --no-ntp
>> IPA client is already configured on this system.
>> root@clnt:/home/awtadm# grep services /etc/sssd/sssd.conf
>> services = nss, pam, ssh, sudo
>
> You need to restart sssd after modification of the option services in /etc/sssd/sssd.conf.
> I forgot to mention it.
>
>> Step 1 (there is some problem when creating the rule on the CLI; no problem prompt on the web-based UI)
>>
>> ...
>> [root@srv ~]# ipa sudorule-add-option readfiles
>> Sudo Option: !authenticate
>> ipa: ERROR: no such entry
>> ...
>>
>> Then:
>>
>> awtadm@clnt:~$ su user1
>> Password:
>> uid=142344(user1) gid=142344(user1) groups=142344(user1)
>> user1@clnt:/home/awtadm$ sudo -l
>> [sudo] password for user1:
>> Sorry, user user1 may not run sudo on clnt.
>
> There is no reason to try sudo commands if sudo -l fails.
>
> It works for me on ubuntu 14.04. It is very likely you have a problem on the FreeIPA server.
> Other people can help you with the server part; I could help you just with the client configuration.
> (From my point of view, the problem is solved.)
>
> One more time, please follow the instructions:
> http://www.freeipa.org/docs/master/html-desktop/index.html#sudo
>
> LS
Re: [Freeipa-users] Password expiration dates are different when being resetted by the (primary) admin and a different admin
@Martin
The second admin is my service account. I use this account to communicate with our web application (it uses a keytab and posts/curls JSON to ipa). I can add users without a problem. But when it comes to changing a password, the password is expired immediately.

I have only one password policy and that's the 'global_policy'. The --maxlife you mentioned only affects this policy. If I use this service account to change the user password, the policy is ignored, just as stated in the ipa wiki. Even if I set the --maxlife to 200, if the password is reset by the first admin, then the expire date is set to 90 days, or expired immediately by the second admin/service account. That's why I want to know how to change this 90 days and also apply it for the service account.

On Mon, Sep 1, 2014 at 1:06 PM, Martin Kosek mko...@redhat.com wrote:
> On 08/29/2014 10:21 AM, Zip Ly wrote:
>> @Martin
>> 1) Yes, I did execute 8.5.3 from the wiki. Is this the reason for the system's behaviour?
>
> Yes.
>
>> if so why doesn't it apply for both admins?
>
> Because only a DN of the first admin was added. It applies only to objects bound with this DN then.
>
>> And it doesn't explain the 90 days, because it is not set in the tutorial.
>
> 90 days is the password policy defined password maximum life. You can check with ipa pwpolicy-show [group]. This value is not defined in cn=ipa_pwd_extop,cn=plugins,cn=config, thus not present in the docs.
>
>> Unless some params are left out of the wiki for some reason. I'm using a Windows LDAP admin tool to browse the LDAP tree, but couldn't find this param/value so I wasn't sure if the new setting is being used. I did get a confirmation while executing the change.
>
> To set the max password life, use the ipa pwpolicy-mod --maxlife $LIFE command (or Web UI).
>
>> @Dimitri
>> 1) Yes, there are no problems with changing your own password. There is only something strange with the expiration lifetime when you are changing other users' (admin or non-admin) password. The expiration lifetime of a password reset should be equal for BOTH admins, like expired immediately, 90 days or the value that is set in the password policy. I prefer the value in a password policy, because this way I have it more under control.
>>
>> @Martin @Will
>> 1b) Ok, I'm afraid you may say that. Most free clients like gmail, hotmail, ebay, paypal don't require a password reset from time to time (yes they may have set a very high value). So I was wondering why it isn't possible. I know it's bad for security, but still.
>
> I think the solution is to:
> 1) Change the password policy to a very high value (even in years), as Will suggested in this thread.
> 2) Use service accounts (service-add) with keytabs for services which do not need to change their passwords, given they authenticate with a keytab which does not suffer from password complexity issues.
> 3) Contribute to FreeIPA and make --maxlife 0 or similar mean unlimited validity (https://fedorahosted.org/freeipa/ticket/2795) :-)
>
>> On Thu, Aug 28, 2014 at 6:18 PM, Dmitri Pal d...@redhat.com wrote:
>>> On 08/28/2014 04:18 PM, Zip Ly wrote:
>>>> Hi,
>>>>
>>>> I'm trying to change a user password without reset. If I use the (primary) admin to change the password then it doesn't need a password reset, because the expire lifetime is 90 days. But if I create a second admin, then every password change made by the second admin needs a password reset, because the password is expired immediately.
>>>>
>>>> 1a) Does anyone know how I can change the policy/privilege of the second admin so every password change doesn't require a reset?
>>>> 1b) and is it possible to set a different expire lifetime like zero for unlimited lifetime?
>>>
>>> You are probably changing the password for the admin himself. Isn't there a different flow when admin changes his own password?
>>>
>>>> It's almost the same bug report as https://fedorahosted.org/freeipa/ticket/2795 but the difference is there should be 2 policies: one for changing your own password and another for resetting other users' password.
>>>>
>>>> 2) Are there more differences in policies between the first (primary) admin and the second admin you just created?
>>>>
>>>> Kind regards,
>>>> Zip
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
[Freeipa-users] IRC channel dead?
Hey Folks,

New FreeIPA user here, but a long-time IRC user. I hopped on irc.freenode.net #freeipa as mentioned in the Contribute page of the FreeIPA website and found I was the only user. Did the channel move or is it dead?

Thanks!
- Kodiak
Re: [Freeipa-users] IRC channel dead?
On Tue, Sep 02, 2014 at 08:02:41AM -0400, Kodiak Firesmith wrote:
> Hey Folks,
>
> New FreeIPA user here, but a long-time IRC user. I hopped on irc.freenode.net #freeipa as mentioned in the Contribute page of the FreeIPA website and found I was the only user. Did the channel move or is it dead?

There are currently 115 users there. Maybe some sort of network slip and you are connected to the wrong part of the network?

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] IRC channel dead?
I should never post pre-coffee... I was still on oftc.net (which I'm never on) to check out cloud-init. Sorry folks

On Tue, Sep 2, 2014 at 8:17 AM, Jan Pazdziora jpazdzi...@redhat.com wrote:
> On Tue, Sep 02, 2014 at 08:02:41AM -0400, Kodiak Firesmith wrote:
>> Hey Folks,
>>
>> New FreeIPA user here, but a long-time IRC user. I hopped on irc.freenode.net #freeipa as mentioned in the Contribute page of the FreeIPA website and found I was the only user. Did the channel move or is it dead?
>
> There are currently 115 users there. Maybe some sort of network slip and you are connected to the wrong part of the network?
>
> --
> Jan Pazdziora
> Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] Password expiration dates are different when being resetted by the (primary) admin and a different admin
On 09/02/2014 10:42 AM, Zip Ly wrote:
> @Martin
> The second admin is my service account. I use this account to communicate with our web application (it uses a keytab and posts/curls JSON to ipa). I can add users without a problem. But when it comes to changing a password, the password is expired immediately.
>
> I have only one password policy and that's the 'global_policy'. The --maxlife you mentioned only affects this policy. If I use this service account to change the user password, the policy is ignored, just as stated in the ipa wiki. Even if I set the --maxlife to 200, if the password is reset by the first admin, then the expire date is set to 90 days, or expired immediately by the second admin/service account. That's why I want to know how to change this 90 days and also apply it for the service account.

What version of FreeIPA do you use? Maybe you are hitting https://fedorahosted.org/freeipa/ticket/3968 that we fixed in FreeIPA 3.3.3.

Martin
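Martin's explanation (only the DN that was added under cn=ipa_pwd_extop,cn=plugins,cn=config gets the policy's maxlife on a reset; anyone else's reset expires the password immediately) means the list of DNs on that plugin entry is what decides which admins can reset passwords without forcing a change, so it is worth being able to audit it. The script below is an added example, not code from the thread or from the FreeIPA project; it unfolds an LDIF dump of the plugin entry, lists the registered DNs and tests whether a given admin or service-account DN is among them. It assumes the attribute name is passSyncManagersDNs (the attribute the wiki step adds) and that the input is ldapsearch -LLL output of that entry; the LDIF in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): list the bind DNs
# registered as password-sync managers on the ipa_pwd_extop plugin entry and
# test whether a given DN is among them. Assumptions: the attribute is
# passSyncManagersDNs and the input is LDIF as produced by, for example,
#   ldapsearch -LLL -H ldaps://ipa.example.test -D 'cn=Directory Manager' -W \
#       -b cn=ipa_pwd_extop,cn=plugins,cn=config passSyncManagersDNs

# Join LDIF continuation lines (leading space) back onto their attribute line;
# ldapsearch folds long DNs, so a naive grep would miss them.
ldif_unfold() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (NR > 1) print buf; buf = $0 }
        END { if (NR > 0) print buf }
    ' "$1"
}

# Print every passSyncManagersDNs value, one per line (LDAP attribute names are
# case-insensitive, so the name is matched case-insensitively).
pwsync_managers() {
    ldif_unfold "$1" | grep -i '^passSyncManagersDNs:' | sed 's/^[^:]*:[[:space:]]*//'
}

# 0 if DN $2 is listed in LDIF $1. Exact text match ignoring case; a full DN
# comparison would also normalise whitespace around the commas.
is_pwsync_manager() {
    pwsync_managers "$1" | grep -Fixq -- "$2"
}

# Number of listed managers. Every DN here can reset other users' passwords
# without the reset expiring them, so the list should stay short and reviewed.
pwsync_manager_count() {
    pwsync_managers "$1" | grep -c . || true
}

# Constructed LDIF for the demo: the first admin is listed, a service account
# is listed with a folded DN, and a third account (auditor) is absent.
write_sample_ldif() {
    cat > "$1" <<'EOF'
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
cn: ipa_pwd_extop
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=test
passSyncManagersDNs: uid=svc-webapp,cn=users,cn=accounts,dc=example,
 dc=test
EOF
}

# Stand-alone demo.
ldif=$(mktemp)
write_sample_ldif "$ldif"
echo "registered password-sync managers ($(pwsync_manager_count "$ldif")):"
pwsync_managers "$ldif"
for dn in 'uid=admin,cn=users,cn=accounts,dc=example,dc=test' \
          'uid=svc-webapp,cn=users,cn=accounts,dc=example,dc=test' \
          'uid=auditor,cn=users,cn=accounts,dc=example,dc=test'; do
    if is_pwsync_manager "$ldif" "$dn"; then
        echo "$dn: resets keep the policy maxlife"
    else
        echo "$dn: resets expire the password immediately"
    fi
done
rm -f "$ldif"
```

Run against a real dump, a service account that is missing from the list is exactly the situation Zip Ly describes, and a list that has grown beyond the one or two DNs that genuinely need it is the thing to flag: each entry is an account whose password resets never force the target user to choose a new password.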
Re: [Freeipa-users] Search Base issues
Ok Dmitri, I got it added using what you sent and the following links
https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc/sch-getting-started.txt and
https://www.redhat.com/archives/freeipa-users/2009-August/msg00013.html

I think I'm 90% there with the caveat that I can't seem to see what permissions I need to give a user to view my NIS view. Right now Directory Manager can see it but that is it. Any ideas?

On Tue, Sep 2, 2014 at 9:00 AM, Chris Whittle cwhi...@gmail.com wrote:
> Thanks Dimitri, before I get too far down this rabbit hole (cause it looks a little scary) let me make sure I get it.
>
> So using Slap-NIS I should be able to create a view into FreeIPA that would show only a subset of users based on something like a group or an attribute? Then using the built-in Mac Directory Utility (or any LDAP client) I should be able to use that Slap-NIS view as a searchbase and it would return just the people I wanted. This could be used to keep anyone outside that view from logging in?
>
> I'm sorry for the noob questions but there isn't a lot of good documentation on SlapNIS from first glance and I don't want to spend 2 days figuring it out if it's not going to work.
>
> As always extremely appreciated!
> Whitt
>
> On Tue, Sep 2, 2014 at 3:54 AM, Dmitri Pal d...@redhat.com wrote:
>> On 09/02/2014 03:04 AM, Chris Whittle wrote:
>>> I am trying to limit who can login to my macs and I'm having to stick to what OSX will let me do. Currently I can only limit users using the searchbase and right now it's cn=users,cn=accounts,dc=DOMAIN,dc=com
>>>
>>> This works fine unless I wanted to create a user that I wanted in LDAP for other purposes but not to login.
>>>
>>> So my questions are,
>>> A) Can we create different OUs in FreeIPA like most LDAP servers?
>>
>> You can use slapi-nis to create an alternative view of the tree or trees and point your special client to that tree. There you might be able to expose a small subset of users that match your special criteria.
>> The slapi-nis and compat docs are in the doc folder in the corresponding git repo. IPA uses the compat tree for its own purposes but you can tweak it if you need or create a different view.
>> HTH
>>
>>> B) If not, anyone have any idea on how I could do this with OSX's Directory Utility?
>>>
>>> Thanks!
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
Re: [Freeipa-users] Search Base issues
On 09/02/2014 09:34 PM, Chris Whittle wrote:
> Ok Dmitri, I got it added using what you sent and the following links
> https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc/sch-getting-started.txt and
> https://www.redhat.com/archives/freeipa-users/2009-August/msg00013.html
>
> I think I'm 90% there with the caveat that I can't seem to see what permissions I need to give a user to view my NIS view. Right now Directory Manager can see it but that is it. Any ideas?

You got me :-) I would defer to a specialist in this area to solve this problem.

> On Tue, Sep 2, 2014 at 9:00 AM, Chris Whittle cwhi...@gmail.com wrote:
>> Thanks Dimitri, before I get too far down this rabbit hole (cause it looks a little scary) let me make sure I get it.
>>
>> So using Slap-NIS I should be able to create a view into FreeIPA that would show only a subset of users based on something like a group or an attribute? Then using the built-in Mac Directory Utility (or any LDAP client) I should be able to use that Slap-NIS view as a searchbase and it would return just the people I wanted. This could be used to keep anyone outside that view from logging in?
>>
>> I'm sorry for the noob questions but there isn't a lot of good documentation on SlapNIS from first glance and I don't want to spend 2 days figuring it out if it's not going to work.
>>
>> As always extremely appreciated!
>> Whitt
>>
>> On Tue, Sep 2, 2014 at 3:54 AM, Dmitri Pal d...@redhat.com wrote:
>>> On 09/02/2014 03:04 AM, Chris Whittle wrote:
>>>> I am trying to limit who can login to my macs and I'm having to stick to what OSX will let me do. Currently I can only limit users using the searchbase and right now it's cn=users,cn=accounts,dc=DOMAIN,dc=com
>>>>
>>>> This works fine unless I wanted to create a user that I wanted in LDAP for other purposes but not to login.
>>>>
>>>> So my questions are,
>>>> A) Can we create different OUs in FreeIPA like most LDAP servers?
>>>
>>> You can use slapi-nis to create an alternative view of the tree or trees and point your special client to that tree. There you might be able to expose a small subset of users that match your special criteria.
>>> The slapi-nis and compat docs are in the doc folder in the corresponding git repo. IPA uses the compat tree for its own purposes but you can tweak it if you need or create a different view.
>>> HTH
>>>
>>>> B) If not, anyone have any idea on how I could do this with OSX's Directory Utility?
>>>>
>>>> Thanks!

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Search Base issues
hmmm... Is there not a permission or role in freeIPA that I could give a group or role just to see everything in my CN cn=canlogin,cn=compat,dc=DOMAIN,dc=com

On Tue, Sep 2, 2014 at 3:06 PM, Dmitri Pal d...@redhat.com wrote:
> On 09/02/2014 09:34 PM, Chris Whittle wrote:
>> Ok Dmitri, I got it added using what you sent and the following links
>> https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc/sch-getting-started.txt and
>> https://www.redhat.com/archives/freeipa-users/2009-August/msg00013.html
>>
>> I think I'm 90% there with the caveat that I can't seem to see what permissions I need to give a user to view my NIS view. Right now Directory Manager can see it but that is it. Any ideas?
>
> You got me :-) I would defer to a specialist in this area to solve this problem.
>
>> On Tue, Sep 2, 2014 at 9:00 AM, Chris Whittle cwhi...@gmail.com wrote:
>>> Thanks Dimitri, before I get too far down this rabbit hole (cause it looks a little scary) let me make sure I get it.
>>>
>>> So using Slap-NIS I should be able to create a view into FreeIPA that would show only a subset of users based on something like a group or an attribute? Then using the built-in Mac Directory Utility (or any LDAP client) I should be able to use that Slap-NIS view as a searchbase and it would return just the people I wanted. This could be used to keep anyone outside that view from logging in?
>>>
>>> I'm sorry for the noob questions but there isn't a lot of good documentation on SlapNIS from first glance and I don't want to spend 2 days figuring it out if it's not going to work.
>>>
>>> As always extremely appreciated!
>>> Whitt
>>>
>>> On Tue, Sep 2, 2014 at 3:54 AM, Dmitri Pal d...@redhat.com wrote:
>>>> On 09/02/2014 03:04 AM, Chris Whittle wrote:
>>>>> I am trying to limit who can login to my macs and I'm having to stick to what OSX will let me do. Currently I can only limit users using the searchbase and right now it's cn=users,cn=accounts,dc=DOMAIN,dc=com
>>>>>
>>>>> This works fine unless I wanted to create a user that I wanted in LDAP for other purposes but not to login.
>>>>>
>>>>> So my questions are,
>>>>> A) Can we create different OUs in FreeIPA like most LDAP servers?
>>>>
>>>> You can use slapi-nis to create an alternative view of the tree or trees and point your special client to that tree. There you might be able to expose a small subset of users that match your special criteria.
>>>> The slapi-nis and compat docs are in the doc folder in the corresponding git repo. IPA uses the compat tree for its own purposes but you can tweak it if you need or create a different view.
>>>> HTH
>>>>
>>>>> B) If not, anyone have any idea on how I could do this with OSX's Directory Utility?
>>>>>
>>>>> Thanks!
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
Re: [Freeipa-users] Search Base issues
On 09/02/2014 10:08 PM, Chris Whittle wrote:
> hmmm... Is there not a permission or role in freeIPA that I could give a group or role just to see everything in my CN cn=canlogin,cn=compat,dc=DOMAIN,dc=com

I think it might be related to the new permission system that was released in 4.0.
Stay tuned, the chivalry is on the way...

> On Tue, Sep 2, 2014 at 3:06 PM, Dmitri Pal d...@redhat.com wrote:
>> On 09/02/2014 09:34 PM, Chris Whittle wrote:
>>> Ok Dmitri, I got it added using what you sent and the following links
>>> https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc/sch-getting-started.txt and
>>> https://www.redhat.com/archives/freeipa-users/2009-August/msg00013.html
>>>
>>> I think I'm 90% there with the caveat that I can't seem to see what permissions I need to give a user to view my NIS view. Right now Directory Manager can see it but that is it. Any ideas?
>>
>> You got me :-) I would defer to a specialist in this area to solve this problem.
>>
>>> On Tue, Sep 2, 2014 at 9:00 AM, Chris Whittle cwhi...@gmail.com wrote:
>>>> Thanks Dimitri, before I get too far down this rabbit hole (cause it looks a little scary) let me make sure I get it.
>>>>
>>>> So using Slap-NIS I should be able to create a view into FreeIPA that would show only a subset of users based on something like a group or an attribute? Then using the built-in Mac Directory Utility (or any LDAP client) I should be able to use that Slap-NIS view as a searchbase and it would return just the people I wanted. This could be used to keep anyone outside that view from logging in?
>>>>
>>>> I'm sorry for the noob questions but there isn't a lot of good documentation on SlapNIS from first glance and I don't want to spend 2 days figuring it out if it's not going to work.
>>>>
>>>> As always extremely appreciated!
>>>> Whitt
>>>>
>>>> On Tue, Sep 2, 2014 at 3:54 AM, Dmitri Pal d...@redhat.com wrote:
>>>>> On 09/02/2014 03:04 AM, Chris Whittle wrote:
>>>>>> I am trying to limit who can login to my macs and I'm having to stick to what OSX will let me do. Currently I can only limit users using the searchbase and right now it's cn=users,cn=accounts,dc=DOMAIN,dc=com
>>>>>>
>>>>>> This works fine unless I wanted to create a user that I wanted in LDAP for other purposes but not to login.
>>>>>>
>>>>>> So my questions are,
>>>>>> A) Can we create different OUs in FreeIPA like most LDAP servers?
>>>>>
>>>>> You can use slapi-nis to create an alternative view of the tree or trees and point your special client to that tree. There you might be able to expose a small subset of users that match your special criteria.
>>>>> The slapi-nis and compat docs are in the doc folder in the corresponding git repo. IPA uses the compat tree for its own purposes but you can tweak it if you need or create a different view.
>>>>> HTH
>>>>>
>>>>>> B) If not, anyone have any idea on how I could do this with OSX's Directory Utility?
>>>>>>
>>>>>> Thanks!

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Search Base issues
Thanks Dmitri, I'm so close I can almost see the end!

On Tue, Sep 2, 2014 at 3:24 PM, Dmitri Pal d...@redhat.com wrote:
> On 09/02/2014 10:08 PM, Chris Whittle wrote:
>> hmmm... Is there not a permission or role in freeIPA that I could give a group or role just to see everything in my CN cn=canlogin,cn=compat,dc=DOMAIN,dc=com
>
> I think it might be related to the new permission system that was released in 4.0.
> Stay tuned, the chivalry is on the way...
>
>> On Tue, Sep 2, 2014 at 3:06 PM, Dmitri Pal d...@redhat.com wrote:
>>> On 09/02/2014 09:34 PM, Chris Whittle wrote:
>>>> Ok Dmitri, I got it added using what you sent and the following links
>>>> https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc/sch-getting-started.txt and
>>>> https://www.redhat.com/archives/freeipa-users/2009-August/msg00013.html
>>>>
>>>> I think I'm 90% there with the caveat that I can't seem to see what permissions I need to give a user to view my NIS view. Right now Directory Manager can see it but that is it. Any ideas?
>>>
>>> You got me :-) I would defer to a specialist in this area to solve this problem.
>>>
>>>> On Tue, Sep 2, 2014 at 9:00 AM, Chris Whittle cwhi...@gmail.com wrote:
>>>>> Thanks Dimitri, before I get too far down this rabbit hole (cause it looks a little scary) let me make sure I get it.
>>>>>
>>>>> So using Slap-NIS I should be able to create a view into FreeIPA that would show only a subset of users based on something like a group or an attribute? Then using the built-in Mac Directory Utility (or any LDAP client) I should be able to use that Slap-NIS view as a searchbase and it would return just the people I wanted. This could be used to keep anyone outside that view from logging in?
>>>>>
>>>>> I'm sorry for the noob questions but there isn't a lot of good documentation on SlapNIS from first glance and I don't want to spend 2 days figuring it out if it's not going to work.
>>>>>
>>>>> As always extremely appreciated!
>>>>> Whitt
>>>>>
>>>>> On Tue, Sep 2, 2014 at 3:54 AM, Dmitri Pal d...@redhat.com wrote:
>>>>>> On 09/02/2014 03:04 AM, Chris Whittle wrote:
>>>>>>> I am trying to limit who can login to my macs and I'm having to stick to what OSX will let me do. Currently I can only limit users using the searchbase and right now it's cn=users,cn=accounts,dc=DOMAIN,dc=com
>>>>>>>
>>>>>>> This works fine unless I wanted to create a user that I wanted in LDAP for other purposes but not to login.
>>>>>>>
>>>>>>> So my questions are,
>>>>>>> A) Can we create different OUs in FreeIPA like most LDAP servers?
>>>>>>
>>>>>> You can use slapi-nis to create an alternative view of the tree or trees and point your special client to that tree. There you might be able to expose a small subset of users that match your special criteria.
>>>>>> The slapi-nis and compat docs are in the doc folder in the corresponding git repo. IPA uses the compat tree for its own purposes but you can tweak it if you need or create a different view.
>>>>>> HTH
>>>>>>
>>>>>>> B) If not, anyone have any idea on how I could do this with OSX's Directory Utility?
>>>>>>>
>>>>>>> Thanks!
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
Re: [Freeipa-users] Search Base issues
Chris Whittle wrote: hmmm... Is there not a permission or role in freeIPA that I could give a group or role just to see everything in my CN cn=canlogin,cn=compat,dc=DOMAIN,dc=com Can you provide more details on what you're doing, and how you are binding? Can you search the cn=users,cn=compat,dc=DOMAIN,dc=com tree? AFAICT you should be able to read cn=compat as long as you bind as a user. rob On Tue, Sep 2, 2014 at 3:06 PM, Dmitri Pal d...@redhat.com mailto:d...@redhat.com wrote: On 09/02/2014 09:34 PM, Chris Whittle wrote: Ok Dmitri, I got it added using what you sent and the following links https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc/sch-getting-started.txt and https://www.redhat.com/archives/freeipa-users/2009-August/msg00013.html I think i'm 90% there with the caveat that I can't seem to see what permissions I need to give a user to view my NIS view. Right now Directory Manager can see it but that is it. Any ideas? You got me :-) I would defer to specialist in this area to solve this problem. On Tue, Sep 2, 2014 at 9:00 AM, Chris Whittle cwhi...@gmail.com mailto:cwhi...@gmail.com wrote: Thanks Dimitri, before I get too far this rabbit hole (cause it looks a little scary) let me make sure I get it. So using Slap-NIS I should be able to create a view into FreeIPA that would show only a subset of user based on something like a group or an attribute? Then using the built in MAC Directory Utility (or any LDAP client) I should be able to use that Slap-NIS view as a searchbase and it would return just people I wanted. This could be used keep anyone outside that view from logging in? I'm sorry for the noob questions but there isn't a lot of good documentation on SlapNIS from first glance and I don't want to spend 2 days figuring it out if it's not going to work. As always extremely appreciated! 
Re: [Freeipa-users] Search Base issues
For testing I'm using

ldapsearch -LLL -H ldaps://DOMAIN:636 -x -D "cn=directory manager" -w 'nachopassword' -b cn=canlogin,cn=compat,dc=domain,dc=com

If I do it with directory manager it works fine; if I use my automation user (just a generic user with no extra permissions) it returns nothing, no error, just empty space.

If I add -v (verbose) I get

ldap_initialize( ldaps://domain.com:636/??base )
filter: (objectclass=*)
requesting: All userApplication attributes

Thanks everyone!

On Tue, Sep 2, 2014 at 3:31 PM, Rob Crittenden rcrit...@redhat.com wrote:
> Chris Whittle wrote:
>> hmmm... Is there not a permission or role in freeIPA that I could give a group or role just to see everything in my CN cn=canlogin,cn=compat,dc=DOMAIN,dc=com
>
> Can you provide more details on what you're doing, and how you are binding?
>
> Can you search the cn=users,cn=compat,dc=DOMAIN,dc=com tree?
>
> AFAICT you should be able to read cn=compat as long as you bind as a user.
>
> rob
Re: [Freeipa-users] Search Base issues
If I do this

ldapsearch -LLL -H ldaps://DOMAIN:636 -x -D uid=mac_slave,cn=users,cn=accounts,dc=domain,dc=com -w 'nachopassword' -b uid=awesomeuser,cn=users,cn=accounts,dc=domain,dc=com

It works fine

**Mac_Slave is my automation user.

On Tue, Sep 2, 2014 at 3:40 PM, Chris Whittle cwhi...@gmail.com wrote:
> For testing I'm using
>
> ldapsearch -LLL -H ldaps://DOMAIN:636 -x -D "cn=directory manager" -w 'nachopassword' -b cn=canlogin,cn=compat,dc=domain,dc=com
>
> If I do it with directory manager it works fine; if I use my automation user (just a generic user with no extra permissions) it returns nothing, no error, just empty space.
>
> If I add -v (verbose) I get
>
> ldap_initialize( ldaps://domain.com:636/??base )
> filter: (objectclass=*)
> requesting: All userApplication attributes
>
> Thanks everyone!
Re: [Freeipa-users] Search Base issues
Chris Whittle wrote:
> If I do this
>
> ldapsearch -LLL -H ldaps://DOMAIN:636 -x -D uid=mac_slave,cn=users,cn=accounts,dc=domain,dc=com -w 'nachopassword' -b uid=awesomeuser,cn=users,cn=accounts,dc=domain,dc=com
>
> It works fine

AFAICT there currently isn't a permission for the compat tree. The admin user can do it via 'Admin can manage any entry' and of course DM can do it because it can do anything.

A temporary workaround would be to add an aci manually:

dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=canlogin,cn=compat,dc=example,dc=com")(version 3.0;acl "Read canlogin compat tree";allow (compare,read,search) userdn = "ldap:///all";)

This won't show up as a permission and will grant all authenticated users read access to the canlogin compat tree. I'm assuming here this contains entries keyed on uid.

rob

> **Mac_Slave is my automation user.
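An added example, not code from the thread or from FreeIPA, that writes Rob's ACI as an LDIF and then repeats Chris's unprivileged search to confirm the view is readable. It also offers the tighter variant a security reviewer would ask for: scoping the ACI to the automation account's DN instead of every authenticated user. The suffix, view name and the uid=mac_slave DN are placeholders modelled on the ones in the thread; ldapmodify/ldapsearch are the OpenLDAP clients and are only invoked by apply_and_verify, which the stand-alone run does not call.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: emit the ACI Rob
# suggests as LDIF, optionally scoped to a single bind DN (least privilege),
# and re-run Chris's unprivileged search to confirm the view is readable.
# Assumptions: the slapi-nis view lives at cn=<VIEW>,cn=compat,<SUFFIX> and
# holds uid= entries; ldapmodify/ldapsearch are the OpenLDAP clients; DNs and
# password files below are placeholders modelled on the thread, not real ones.

# canlogin_aci_ldif SUFFIX VIEW [BIND_DN]
#   Without BIND_DN this reproduces Rob's workaround (every authenticated user
#   may read the view). With BIND_DN only that account, e.g. the Mac
#   automation user, gets compare/read/search on it.
canlogin_aci_ldif() {
    suffix=$1; view=$2; who=${3:-}
    if [ -n "$who" ]; then
        subject="userdn = \"ldap:///$who\""
        name="Read $view compat tree (scoped)"
    else
        subject="userdn = \"ldap:///all\""
        name="Read $view compat tree"
    fi
    cat <<EOF
dn: $suffix
changetype: modify
add: aci
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=$view,cn=compat,$suffix")(version 3.0;acl "$name";allow (compare,read,search) $subject;)
EOF
}

# apply_and_verify URI SUFFIX VIEW DM_PW_FILE TEST_DN TEST_PW_FILE
#   Adds the scoped ACI as Directory Manager, then searches the view as the
#   unprivileged account. 389-ds silently omits entries the binder may not
#   read, so "no output, exit 0" (what Chris saw) means no access rather than
#   an empty view: count the dn: lines instead of trusting the exit status.
apply_and_verify() {
    uri=$1; suffix=$2; view=$3; dm_pw=$4; test_dn=$5; test_pw=$6
    canlogin_aci_ldif "$suffix" "$view" "$test_dn" |
        ldapmodify -H "$uri" -x -D "cn=Directory Manager" -y "$dm_pw" || return 1
    n=$(ldapsearch -LLL -H "$uri" -x -D "$test_dn" -y "$test_pw" \
            -b "cn=$view,cn=compat,$suffix" -s one '(objectclass=*)' dn | grep -c '^dn:')
    if [ "$n" -gt 0 ]; then
        echo "ok: $test_dn can read $n entries under cn=$view,cn=compat,$suffix"
    else
        echo "still empty: check the ACI target DN and that the view really holds uid= entries"
        return 1
    fi
}

# Stand-alone run: print both LDIF variants; nothing is sent to a server.
canlogin_aci_ldif 'dc=example,dc=com' canlogin
canlogin_aci_ldif 'dc=example,dc=com' canlogin 'uid=mac_slave,cn=users,cn=accounts,dc=example,dc=com'
# Real run, once the password files exist (placeholder host and paths):
# apply_and_verify ldaps://ipa.example.com:636 dc=example,dc=com canlogin /root/dm.pw \
#     uid=mac_slave,cn=users,cn=accounts,dc=example,dc=com /root/mac_slave.pw
```

The scoped form is the one to prefer when the only consumer of the view is the Mac automation bind: it keeps the compat view invisible to ordinary users, who have no reason to enumerate who is allowed to log in where.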
Re: [Freeipa-users] Cert Renewal
I may need a little more direction here. The output from getcert list-cas does not contain the string 'ca_renewal'. What does this indicate?

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, August 26, 2014 3:53 PM
To: Ott, Dennis; Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Cert Renewal

Ott, Dennis wrote:
> No services are currently running on the replica (and I am hesitant to start them) but, my recollection is that I did the replica server installation with the --setup-ca option. Also, there are /var/lib/dirsrv/slapd-PKI-IPA/ and /etc/pki-ca/ directories in place on the replica.
>
> ipa-getcert list shows all certs with a status of: CA_UNREACHABLE (but then, the service is down. The master also gave this status, even with the service running, until I followed the cert renewal procedure.)
>
> So, with the replica running a CA, should I follow the same procedure that I used on the master? Anything else to look out for?

No, the procedure is slightly different on the replica.

You need to start by ensuring that certmonger has a CA type for renewal:

# getcert list-cas

Look for ca_renewal

Check the CA subsystem certs to see how they are configured. The CA should be dogtag-ipa-retrieve-agent-submit for auditSigningCert cert-pki-ca, ocspSigningCert cert-pki-ca and subsystemCert cert-pki-ca, with a pre-save command of stop_pkicad and a post-save command of restart_pkicad PKI-IPA.

The agent cert, ipaCert, should be using dogtag-ipa-retrieve-agent-submit, a blank pre-save command and a post-save command of restart_httpd.

rob

> Thanks.
> Dennis
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Monday, August 25, 2014 6:37 PM
> To: Ott, Dennis; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Cert Renewal
>
> Ott, Dennis wrote:
>> I have an IPA setup, one master, one replica; originally installed as v 2.x and later updated to v 3.0. For whatever reasons, the certs did not automatically renew and the services would no longer start.
>>
>> I updated the certs manually on the master using the procedure shown at: http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>
>> The master is now functioning properly.
>>
>> At this point, the IPA service is still stopped on the replica. I hesitate to start it for concern it could interfere with the now-working master. What would be the recommended method for returning the replica to service?
>
> It depends on the replica. Does it also run a CA?
>
> If not then you can try restarting the certmonger service. This should cause it to fetch new certificates for the other IPA servers. ipa-getcert list will show you the status, wait until they are all MONITORING.
>
> Once that works then you can safely restart the world. Any changes on the master will be replicated out, and vice versa.
>
> rob
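An added example, not code from the thread or from FreeIPA/certmonger, that turns Rob's two checks for a CA-bearing replica into a script: it looks for the ca_renewal string in saved getcert list-cas output and compares each CA subsystem cert's CA, pre-save and post-save command in saved getcert list output against the values Rob lists. Because it works on captured output it can be run on a replica whose services are still stopped, which is Dennis's situation. The samples are constructed (the nicknames are Rob's, the request IDs, paths and the CA name "IPA" used for the deliberately wrong ipaCert entry are made up), and the layout of getcert output assumed here is the usual one-block-per-request form with indented "field: value" lines.

```shell
#!/bin/sh
# Added example; not code from the thread or from FreeIPA/certmonger.
# Applies the two checks Rob describes for a replica that runs a CA to saved
# "getcert list-cas" / "getcert list" output, so a replica whose services are
# still down can be inspected before anything is restarted.
# Assumptions: the output layouts in the constructed samples below ("CA
# 'name':" blocks; "Request ID ..." blocks with indented "field: value"
# lines) and a POSIX awk. Sample values are made up, not from the thread.

# has_renewal_ca  (reads "getcert list-cas" output on stdin)
#   Succeeds only if the string Rob says to look for is present.
has_renewal_ca() {
    grep -q 'ca_renewal'
}

# check_certmonger_tracking  (reads "getcert list" output on stdin)
#   Prints OK / MISMATCH / MISSING per subsystem cert; exit 1 if any
#   tracked cert differs from the configuration Rob lists.
check_certmonger_tracking() {
    awk -v q="'" '
    BEGIN {
        # nickname -> "CA;pre-save;post-save" (command basenames only)
        want["auditSigningCert cert-pki-ca"] = "dogtag-ipa-retrieve-agent-submit;stop_pkicad;restart_pkicad"
        want["ocspSigningCert cert-pki-ca"]  = "dogtag-ipa-retrieve-agent-submit;stop_pkicad;restart_pkicad"
        want["subsystemCert cert-pki-ca"]    = "dogtag-ipa-retrieve-agent-submit;stop_pkicad;restart_pkicad"
        want["ipaCert"]                      = "dogtag-ipa-retrieve-agent-submit;;restart_httpd"
        bad = 0
    }
    # first word of a command with its directory stripped; "" stays ""
    function base(cmd,    p) { sub(/^[^ ]*\//, "", cmd); split(cmd, p, " "); return p[1] }
    function flush(    w, e) {
        if (nick == "" || !(nick in want)) return
        seen[nick] = 1
        split(want[nick], w, ";")
        e = ""
        if (ca != w[1])   e = e " CA=" ca " (want " w[1] ")"
        if (pre != w[2])  e = e " pre-save=" pre " (want " w[2] ")"
        if (post != w[3]) e = e " post-save=" post " (want " w[3] ")"
        if (e == "") print "OK " nick
        else { print "MISMATCH " nick ":" e; bad = 1 }
    }
    /^Request ID/ { flush(); nick = ca = pre = post = ""; next }
    nick == "" && index($0, "nickname=" q) {
        rest = substr($0, index($0, "nickname=" q) + 10)
        nick = substr(rest, 1, index(rest, q) - 1)
        next
    }
    /^[ \t]*CA: /               { ca = $0;   sub(/^[ \t]*CA: /, "", ca); next }
    /^[ \t]*pre-save command:/  { pre = $0;  sub(/^[ \t]*pre-save command:[ \t]*/, "", pre);   pre = base(pre);   next }
    /^[ \t]*post-save command:/ { post = $0; sub(/^[ \t]*post-save command:[ \t]*/, "", post); post = base(post); next }
    END {
        flush()
        for (n in want) if (!(n in seen)) { print "MISSING " n " (not tracked)"; bad = 1 }
        exit bad
    }'
}

# Constructed sample: list-cas on a replica with no renewal CA (Dennis's case).
SAMPLE_LIST_CAS=$(cat <<'EOF'
CA 'IPA':
    ca-type: EXTERNAL
    helper-location: /usr/libexec/certmonger/ipa-submit
EOF
)

# Constructed sample: three CA subsystem certs as Rob describes, ipaCert still
# pointing at the wrong CA helper.
SAMPLE_GETCERT_LIST=$(cat <<'EOF'
Request ID '20140826153000':
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    CA: dogtag-ipa-retrieve-agent-submit
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "PKI-IPA"
Request ID '20140826153001':
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    CA: dogtag-ipa-retrieve-agent-submit
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "PKI-IPA"
Request ID '20140826153002':
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    CA: dogtag-ipa-retrieve-agent-submit
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "PKI-IPA"
Request ID '20140826153003':
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    CA: IPA
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
EOF
)

# Stand-alone run against the samples (on a real host: getcert list-cas | has_renewal_ca, etc.).
printf '%s\n' "$SAMPLE_LIST_CAS" | has_renewal_ca && echo "ca_renewal present" || echo "ca_renewal missing"
printf '%s\n' "$SAMPLE_GETCERT_LIST" | check_certmonger_tracking || echo "replica tracking differs from the expected configuration"
```

Run for real with `getcert list-cas | has_renewal_ca` and `getcert list | check_certmonger_tracking` on the replica. A MISSING line means certmonger is not tracking that nickname at all, which is a different problem from a MISMATCH and should be resolved before restarting pki-ca.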