Re: [Freeipa-users] firewalld management

2015-01-01 Thread Rob Crittenden
Andrew Holway wrote:
> This would perhaps be a very interesting addition to the HBAC stuff.
> We're considering deploying freeipa on EC2 and LDAP backed firewalld
> would be a very powerful tool for a geographically distributed system.

There is an existing open ticket for this request,
https://fedorahosted.org/freeipa/ticket/2110

A user contributed an initial design a few months ago,
http://www.freeipa.org/page/V4/Firewall_Configuration

Definitely a desirable feature, just a matter of scheduling it.

rob

> 
> 
> On 31 December 2014 at 16:56, Jorick Astrego wrote:
> 
> Hi,
> 
> FreeIPA is great! One thing I'm missing though is management of
> firewalld services and ports.
> 
> Is that something that would fit in FreeIPA?
> 
> Currently we are using puppet scripts through katello/the foreman, but
> as this is very error prone we'd like to have it centrally managed a
> different way.
> 
> The firewall rules are very essential IMHO and I thought the whole
> point of firewalld is to make it more manageable...
> 
> I already asked the katello guys but they don't appear very interested
> in implementing something there, then I started thinking it would maybe
> fit a lot better in freeIPA as it has more overlap with the other
> network/authentication stuff.
> 
> It would be wasteful to have another project just for firewalld
> management.
> 
> Happy new year everybody!
> 
> Jorick
> 
> Met vriendelijke groet, With kind regards,
> 
> Jorick Astrego
> Netbulae Virtualization Experts
> 
> Tel: 053 20 30 270   i...@netbulae.eu
> Fax: 053 20 30 271   www.netbulae.eu
> Staalsteden 4-3A, 7547 TA Enschede
> KvK 08198180   BTW NL821234584B01
> 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] firewalld management

2015-01-01 Thread Andrew Holway
This would perhaps be a very interesting addition to the HBAC stuff. We're
considering deploying freeipa on EC2 and LDAP backed firewalld would be a
very powerful tool for a geographically distributed system.



On 31 December 2014 at 16:56, Jorick Astrego wrote:

>  Hi,
>
> FreeIPA is great! One thing I'm missing though is management of
> firewalld services and ports.
>
> Is that something that would fit in FreeIPA?
>
> Currently we are using puppet scripts through katello/the foreman, but
> as this is very error prone we'd like to have it centrally managed a
> different way.
>
> The firewall rules are very essential IMHO and I thought the whole point
> of firewalld is to make it more manageable...
>
> I already asked the katello guys but they don't appear very interested
> in implementing something there, then I started thinking it would maybe
> fit a lot better in freeIPA as it has more overlap with the other
> network/authentication stuff.
>
> It would be wasteful to have another project just for firewalld
> management.
>
> Happy new year everybody!
>
> Jorick
>
> Met vriendelijke groet, With kind regards,
>
> Jorick Astrego
> Netbulae Virtualization Experts
>
> Tel: 053 20 30 270   i...@netbulae.eu
> Fax: 053 20 30 271   www.netbulae.eu
> Staalsteden 4-3A, 7547 TA Enschede
> KvK 08198180   BTW NL821234584B01
>

[Freeipa-users] firewalld management

2015-01-01 Thread Jorick Astrego
Hi,

FreeIPA is great! One thing I'm missing though is management of
firewalld services and ports.

Is that something that would fit in FreeIPA?

Currently we are using puppet scripts through katello/the foreman, but
as this is very error prone we'd like to have it centrally managed a
different way.

The firewall rules are very essential IMHO and I thought the whole point
of firewalld is to make it more manageable...

I already asked the katello guys but they don't appear very interested
in implementing something there, then I started thinking it would maybe
fit a lot better in freeIPA as it has more overlap with the other
network/authentication stuff.

It would be wasteful to have another project just for firewalld management.

Happy new year everybody!

Jorick

Met vriendelijke groet, With kind regards,

Jorick Astrego
Netbulae Virtualization Experts

Tel: 053 20 30 270   i...@netbulae.eu
Fax: 053 20 30 271   www.netbulae.eu
Staalsteden 4-3A, 7547 TA Enschede
KvK 08198180   BTW NL821234584B01


Re: [Freeipa-users] Freeipa 3.3.3 and --external-ca

2015-01-01 Thread Martin Minkus
Hi Daniel,

Oh wow, you might be right!

I just checked the CA cert and the signed IPA cert, and openssl shows:

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 33 (0x21)
Signature Algorithm: sha1WithRSAEncryption

Now that we know what the problem most likely is, we'll figure out how
we want to move forward from here. That might be to upgrade to SHA256
for our internal CA, apply the patch you provided, or go self-signed...

But good to know.

Thanks,
Martin.


On 12/30/2014 10:02 AM, Daniel Hjorth wrote:
> Hi Martin,
> 
> I think I ran into the same problem.  Do you know which signing algorithm
> your external CA used?  In my case the external CA is on Server 2003 which
> only allowed SHA1 but IPA 3.3.3 seems to require SHA256.
> 
> I was not able to get my CA to use SHA256 so I applied the diff from the
> commit below:
> 
> https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=081580779b2609c3a453077042f7d3fc7b25a57d
> 
> I then used the "--ca-signing-algorithm=" option when installing IPA.
> This may not be the best solution but it worked and I haven't seen any
> issues.
> 
> Hope this helps,
> 
> Daniel
> 
> On 12/29/14, 3:02 PM, "Martin Minkus"  wrote:
> 
>> Hi all,
>>
>> I'm running Freeipa 3.3.3 on CentOS 7.0.
>>
>> It worked fine self signed but I am having difficulty getting it to work
>> with --exernal-ca. I've seen a few other reports of this on the list
>> with no resolution, so I'm not sure whether this is simply broken in
>> this version or what? Maybe I'm just doing something wrong. :)
>>
>> From /var/log/ipaserver-install.log
>>
>>
>> 2014-12-29T21:25:19Z DEBUG Starting external process
>> 2014-12-29T21:25:19Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmp00n3qN
>> 2014-12-29T21:25:21Z DEBUG Process finished, return code=1
>> 2014-12-29T21:25:21Z DEBUG stdout=Loading deployment configuration from
>> /tmp/tmp00n3qN.
>> Installing CA into /var/lib/pki/pki-tomcat.
>> loading external CA signing certificate from file: '/root/ipa.crt'
>> loading external CA signing certificate chain from file: '/tmp/tmpnVtMl7'
>> Installation failed.
>>
>>
>> 2014-12-29T21:25:21Z DEBUG stderr=pkispawn: ERROR...
>> Exception from Java Configuration Servlet: Error in creating pkcs12 to
>> backup keys and certs: org.mozilla.jss.crypto.ObjectNotFoundException
>>
>> 2014-12-29T21:25:21Z CRITICAL failed to configure ca instance Command
>> '/usr/sbin/pkispawn -s CA -f /tmp/tmp00n3qN' returned non-zero exit
>> status 1
>> 2014-12-29T21:25:21Z DEBUG   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>> line 638, in run_script
>>return_value = main_function()
>>
>>  File "/sbin/ipa-server-install", line 1094, in main
>>subject_base=options.subject)
>>
>>  File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>> 478, in configure_instance
>>self.start_creation(runtime=210)
>>
>>  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 364, in start_creation
>>method()
>>
>>  File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>> 615, in __spawn_instance
>>raise RuntimeError('Configuration of CA failed')
>>
>> 2014-12-29T21:25:21Z DEBUG The ipa-server-install command failed,
>> exception: RuntimeError: Configuration of CA failed
>>
>>
>> From /var/log/pki/pki-ca-spawn.20141229132519.log
>>
>> 2014-12-29 13:25:19 pkispawn: INFO ... skip populating
>> 'pki.deployment.infrastructure_layout'
>> 2014-12-29 13:25:19 pkispawn: INFO ... skip populating
>> 'pki.deployment.instance_layout'
>> 2014-12-29 13:25:19 pkispawn: INFO ... skip populating
>> 'pki.deployment.subsystem_layout'
>> 2014-12-29 13:25:19 pkispawn: INFO ... skip populating
>> 'pki.deployment.selinux_setup'
>> 2014-12-29 13:25:19 pkispawn: INFO ... skip deploying
>> 'pki.deployment.webapp_deployment'
>> 2014-12-29 13:25:19 pkispawn: INFO ... skip assigning slots for
>> 'pki.deployment.slot_substitution'
>> 2014-12-29 13:25:19 pkispawn: INFO ... skip generating
>> 'pki.deployment.security_databases'
>> 2014-12-29 13:25:19 pkispawn: INFO ... configuring
>> 'pki.deployment.configuration'
>> 2014-12-29 13:25:19 pkispawn: INFO ... modifying
>> '/root/.dogtag/pki-tomcat/ca/password.conf'
>> 2014-12-29 13:25:19 pkispawn: DEBUG... chmod 660
>> /root/.dogtag/pki-tomcat/ca/password.conf
>> 2014-12-29 13:25:19 pkispawn: DEBUG... chown 0:0
>> /root/.dogtag/pki-tomcat/ca/password.conf
>> 2014-12-29 13:25:19 pkispawn: INFO ... modifying
>> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
>> 2014-12-29 13:25:19 pkispawn: DEBUG... chmod 660
>> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>> 2014-12-29 13:25:19 pkispawn: DEBUG... chown 992:991
>> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>> 2014-12-29 13:25:19 pkispawn: INFO ... executing 
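The check Martin ran by hand (reading the `Signature Algorithm:` line out of `openssl x509 -text`) is easy to automate before an `--external-ca` install so that a SHA-1 signed chain is caught ahead of pkispawn. The following is an added example, not code from the thread or from the FreeIPA project: it parses openssl's text output, flags SHA-1 and MD5 signatures, and can be pointed at PEM files on the command line (that path handling, the constructed sample text and the `audit_*` names are assumptions of this example).

```python
"""Flag SHA-1 (or MD5) signed certificates in `openssl x509 -text` output.

Added example, not from the thread or the FreeIPA project. The sample
text below is constructed to match the shape of the openssl output
quoted in the thread; file paths passed on the command line are assumed.
"""
import re
import subprocess
import sys

# Constructed sample in the shape of `openssl x509 -noout -text` output
# (issuer/subject values are placeholders).
SAMPLE_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 33 (0x21)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Example Internal CA
        Subject: CN=Certificate Authority, O=EXAMPLE.TEST
    Signature Algorithm: sha1WithRSAEncryption
         00:11:22
"""

# Digest prefixes treated as weak: the thread reports IPA 3.3.3 refusing a
# SHA-1 signed external CA chain, and MD5 is weaker still.
WEAK_DIGESTS = ("md5", "sha1")

SIG_ALG_RE = re.compile(r"^\s*Signature Algorithm:\s*(\S+)", re.MULTILINE)


def signature_algorithms(text):
    """Return distinct signature algorithm names in order of first appearance.

    openssl prints the algorithm twice (in the TBS data and again before
    the signature value); duplicates are collapsed here.
    """
    seen = []
    for match in SIG_ALG_RE.finditer(text):
        alg = match.group(1)
        if alg not in seen:
            seen.append(alg)
    return seen


def weak_signature(alg):
    """True when the algorithm name starts with a weak digest prefix."""
    return alg.lower().startswith(WEAK_DIGESTS)


def audit_text(text):
    """Map each signature algorithm found in the text to whether it is weak."""
    return {alg: weak_signature(alg) for alg in signature_algorithms(text)}


def audit_pem_file(path):
    """Run openssl on a PEM file and audit its signature algorithm (needs openssl)."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-text", "-in", path],
        capture_output=True, text=True, check=True,
    ).stdout
    return audit_text(out)


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        results = {p: audit_pem_file(p) for p in paths}
    else:
        results = {"<constructed sample>": audit_text(SAMPLE_TEXT)}
    for name, result in results.items():
        for alg, weak in result.items():
            print(f"{name}: {alg} -> {'WEAK' if weak else 'ok'}")
```

Run it against both the external CA certificate and the certificate it issued to IPA, since either link in the chain being SHA-1 signed is enough to hit the failure above.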

Re: [Freeipa-users] Client configuration to point to Replica server once master service failed

2015-01-01 Thread Jan Pazdziora
On Thu, Jan 01, 2015 at 11:05:32AM +0530, Sanju A wrote:
> 
> I have configured Master-Master replication and replication (bi-directional)
> is working fine. 
> Can I get the configuration that has to be added/modified in server/client 
> machine so as to point to the replica server once the master failed. Right 
> now it is not working.

What is your exact configuration and the use case which does not
work?

Ideally, you want both IPA servers to be in the DNS SRV records and
use _srv_ in sssd.conf (no direct specification of --server to
ipa-client-install) to find the replica automatically.

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
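A quick way to see whether a client is pinned to one server, as Jan describes, is to read its sssd.conf and check how each IPA domain lists its servers. The script below is an added example, not from the thread or from the sssd or FreeIPA projects: it parses a constructed sssd.conf in which one domain is pinned to a single host (the shape `ipa-client-install --server` leaves behind) and another uses the `_srv_` marker with a static fallback; the option names `ipa_server` and `ipa_backup_server` follow sssd-ipa(5), while the domain names and the `audit_*` functions are assumptions of this example.

```python
"""Check sssd.conf IPA domains for SRV-based server discovery and fail-over.

Added example, not from the thread or the sssd/FreeIPA projects. The
configuration text is constructed; option names follow sssd-ipa(5).
"""
import configparser
import io

# Constructed sssd.conf: one domain pinned to a single server, one using
# SRV discovery (sssd then resolves _ldap._tcp/_kerberos._tcp SRV records
# for the domain) with static hosts as fallback.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = pinned.test, discovered.test
services = nss, pam, ssh, sudo

[domain/pinned.test]
id_provider = ipa
ipa_domain = pinned.test
ipa_server = ipa1.pinned.test

[domain/discovered.test]
id_provider = ipa
ipa_domain = discovered.test
ipa_server = _srv_, ipa1.discovered.test
ipa_backup_server = ipa2.discovered.test
"""

SRV_MARKER = "_srv_"


def _split_servers(value):
    """sssd takes a comma-separated list; drop whitespace and empty entries."""
    return [s.strip() for s in value.split(",") if s.strip()]


def parse_sssd_conf(text):
    """Parse sssd.conf text with ConfigParser, keeping option names as written."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_file(io.StringIO(text))
    return parser


def ipa_domains(parser):
    """Yield (domain, section) for every [domain/...] section using the ipa provider."""
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        if parser.get(section, "id_provider", fallback="") == "ipa":
            yield section[len("domain/"):], section


def audit_domain(parser, section):
    """Describe how one domain locates IPA servers and whether it can fail over."""
    primary = _split_servers(parser.get(section, "ipa_server", fallback=""))
    backup = _split_servers(parser.get(section, "ipa_backup_server", fallback=""))
    uses_srv = SRV_MARKER in primary
    static = [s for s in primary if s != SRV_MARKER] + backup
    return {
        "uses_srv": uses_srv,
        "static_servers": static,
        # Fail-over needs either SRV discovery or more than one listed host.
        "can_fail_over": uses_srv or len(static) > 1,
    }


def audit_sssd_conf(text):
    """Return {domain: audit result} for every IPA domain in the config text."""
    parser = parse_sssd_conf(text)
    return {domain: audit_domain(parser, section) for domain, section in ipa_domains(parser)}


if __name__ == "__main__":
    for domain, result in audit_sssd_conf(SAMPLE_SSSD_CONF).items():
        status = "ok" if result["can_fail_over"] else "SINGLE SERVER, no fail-over"
        print(f"{domain}: srv={result['uses_srv']} static={result['static_servers']} -> {status}")
```

Replace `SAMPLE_SSSD_CONF` with the contents of `/etc/sssd/sssd.conf` (readable by root only) to audit a real client; a domain reported as "SINGLE SERVER" is the case the original question describes, where the client never learns about the replica.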
