Re: [Freeipa-users] FreeIPA 3.3 performance issues with many hosts

2015-10-28 Thread Sven Kieske

Hi,

On 21/10/15 17:03, Ludwig Krispenz wrote:
> It looks like it is accessing memory, which was freed in a
> pre-bind plugin, this could be the issue tracked in 
> https://fedorahosted.org/389/ticket/48188

are you sure that we hit this bug or might it also be something else?

-- 
Kind regards

Sven Kieske

System administrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +495772 293100
F: +495772 29
https://www.mittwald.de
Managing director: Robert Meyer
Tax no.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, AG Bad Oeynhausen
General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Sync IPA and AD while using external CA

2015-10-28 Thread Rob Crittenden
mitra dehghan wrote:
> hello,
> I want to implement an IPA server and sync it with my 2012 MS AD. While
> things go well using an internal CA in each server, I came across a kind
> of problem when I want to integrate the solution with my PKI, which is already
> serving the AD server.
> I can install IPA with the --external-ca switch, but when it comes to the sync
> agreement it says "TLS error -8179:Peer's Certificate issuer is not
> recognized."
> 
> The architecture is:
> - There is a root CA named contoso.com 
> - There is a subordinate CA named local.dc
> - The certificates of AD and IPA server are both issued by local.dc
> - IPA's certificate is issued  based on the CSR file generated by
> ipa-server-install 
> - I have copied both certificates into the /etc/openldap/certs directory and
> the rest was the same as what I did in the internal CA scenario.
> 
> While the FreeIPA docs say both servers must have internal CAs, I need
> to integrate the solution with the available PKI.
> I would be glad to hear suggestions on whether this scenario is applicable and what
> is wrong there.
> thank you

389-ds doesn't use /etc/openldap/certs.

What cert are you passing in when creating the winsync agreement using
ipa-replica-manage?

You may need/want to add these certs to the IPA 389-ds NSS database
prior to setting up the agreement.

rob



Re: [Freeipa-users] Wrong time / constantly expired passwords

2015-10-28 Thread Rob Crittenden
urgrue wrote:
> Didn't realize it was GMT, so OK that's not the issue. Any suggestions
> on how to debug it? Everything looks OK, but passwords are just
> perma-expired at all times.

Need more info on what you're seeing and how the passwords are being
changed.

rob

> 
> 
> On Tue, Oct 27, 2015, 21:45 Rob Crittenden wrote:
> 
> urgrue wrote:
> > Hi,
> > On a new install, I'm being forced a password reset on every
> login. Not
> > sure why but this doesn't look right:
> >
> > # date
> > Tue Oct 27 21:02:57 CET 2015
> >
> > # ipa user-status blah1
> > 
> >   Last successful authentication: 2015-10-27T19:34:53Z
> >   Last failed authentication: 2015-10-27T19:34:20Z
> >   Time now: 2015-10-27T20:03:00Z
> >
> > Where is it getting this wrong time from?
> 
> What's wrong with the time? CET is one hour behind GMT right? That is
> reflected by the difference between the output of date and "Time now".
> 
> Passwords administratively reset must be set by the user during the
> first authentication. If the password needs further reset then yeah,
> something is wrong, but the above looks ok.
> 
> rob
> 



Re: [Freeipa-users] Cockpit with (Free)IPA admin users

2015-10-28 Thread Jakub Hrozek
On Tue, Oct 27, 2015 at 09:08:30PM +0100, Martin Štefany wrote:
> On St, 2015-10-21 at 09:32 +0200, Jakub Hrozek wrote:
> > On Tue, Oct 20, 2015 at 11:25:56PM +0200, Martin Štefany wrote:
> > > Hello,
> > > 
> > > did anybody manage to get FreeIPA admin user (member of admins
> > > group,
> > > full sudo access, etc.) to be also Cockpit user with administrative
> > > privileges? I've already figured out that it's closely related to
> > > Polkit, but since FreeIPA and Polkit are not fully 'friendly' yet...
> > > I
> > > was not able to get a working configuration.
> > > 
> > > Some version / configuration details:
> > > $ cat /etc/centos-release
> > > CentOS Linux release 7.1.1503 (Core)
> > > 
> > > $ rpm -q ipa-client
> > > ipa-client-4.1.0-18.el7.centos.4.x86_64
> > > 
> > > $ rpm -q cockpit   # from sgallagh's COPR repository
> > > cockpit-0.80-1.el7.centos.x86_64
> > > 
> > > $ rpm -q polkit
> > > polkit-0.112-5.el7.x86_64
> > > 
> > > $ sudo ls /etc/polkit-1/rules.d/
> > > 40-freeipa.rules  49-polkit-pkla-compat.rules  50-default.rules
> > > 
> > > $ sudo cat /etc/polkit-1/rules.d/40-freeipa.rules
> > > polkit.addAdminRule(function(action, subject) {
> > > return ["unix-group:admins", "unix-group:wheel"];
> > > });
> > > 
> > > $ sudo ls /etc/polkit-1/localauthority.conf.d/
> > > 40-custom.conf
> > > 
> > > $ sudo cat /etc/polkit-1/localauthority.conf.d/40-custom.conf
> > > [Configuration]
> > > AdminIdentities=unix-group:admins;unix-group:wheel
> > > 
> > > $ ipa user-show martin | grep groups
> > >   Member of groups: trust admins, ipausers, admins, ...
> > > 
> > > Cockpit logs me in automatically using Kerberos (GSSAPI), but I
> > > can't
> > > perform administrative tasks, cannot see journald, etc.
> > > 
> > > One thing that I thought to cause the issue is that pkexec is asking
> > > me
> > > select user first, instead of asking/not asking for password:
> > > $ pkexec cockpit-bridge
> > >  AUTHENTICATING FOR org.freedesktop.policykit.exec ===
> > > Authentication is needed to run `/usr/bin/cockpit-bridge' as the
> > > super
> > > user
> > > Multiple identities can be used for authentication:
> > >  1.  Martin Štefany (martin)
> > >  2.  ...
> > >  3.  ...
> > > Choose identity to authenticate as (1-3): 1
> > > Password: 
> > >  AUTHENTICATION COMPLETE ===
> > > cockpit-bridge: no option specified
> > > 
> > > and documentation claims that sudo / pkexec should not ask for
> > > password
> > > for particular user, but 1. I don't like that idea; 2. I have
> > > regular
> > > 1000:1000 user in wheel group for whom everything works just fine -
> > > sudo
> > > and pkexec ask for password as expected, and still in cockpit admin
> > > stuff works as expected.
> > 
> > Can you add the admin user to the wheel group on the Cockpit machine?
> > 
> > But in general I think you're looking for:
> > https://sourceware.org/glibc/wiki/Proposals/GroupMerging
> > first round of patches is ready, although it still needs to go through
> > upstream review (IIRC).
> > 
> 
> Hello Jakub,
> 
> adding a specific user to the local wheel group works, thank you. But it also
> requires local intervention on the system(s), and on a per-user basis.
> 
> The only limitation I see now with PolicyKit is that the user is granted
> full admin rights via pkexec either when a custom /etc/polkit-1/rules.d/40
> -freeipa.rules is defined or when glibc group merging is merged. If I
> understand https://fedorahosted.org/freeipa/ticket/5350 correctly, this
> will be sort-of addressed based on hostgroups, but it will still give
> more control over the system than sudo would do, won't it?

You'd get all the rights that the wheel group gives you. IPA #5350 also
describes merging of a different group into local wheel/adm, but that's
not implemented yet.
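The thread's 40-freeipa.rules uses polkit.addAdminRule(), which turns "admins" members into an administrative identity for every action, and Martin's last question is about getting finer control than that. As an added example (not from the thread, FreeIPA or Cockpit), the rule below grants only a fixed list of actions to local, active sessions of "admins" members and leaves everything else at polkit's defaults; the two action ids are real ones shipped by systemd, while fakePolkit, fakeSubject, decide and the file name are constructed stand-ins so the rule can be evaluated offline with node.

```javascript
// Stand-in for polkitd's rule engine (not polkit itself): rules run in the
// order they were added and the first non-null result wins.
var fakePolkit = {
  Result: { NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null },
  rules: [],
  addRule: function (fn) { this.rules.push(fn); },
  log: function (msg) { /* polkitd would write this to the journal */ },
  evaluate: function (action, subject) {
    for (var i = 0; i < this.rules.length; i++) {
      var r = this.rules[i](action, subject);
      if (r !== null && r !== undefined) return r;
    }
    return null; // no rule matched: the action's implicit policy applies
  }
};

// What would go into e.g. /etc/polkit-1/rules.d/40-freeipa-actions.rules
// (constructed name), written in the ES5 subset polkitd's engine understands.
function installRules(polkit) {
  var allowed = [
    "org.freedesktop.systemd1.manage-units", // start/stop/restart services
    "org.freedesktop.login1.reboot"
  ];
  polkit.addRule(function (action, subject) {
    // Listed actions only, local and active session only, IPA "admins" only.
    if (allowed.indexOf(action.id) !== -1 &&
        subject.local && subject.active &&
        subject.isInGroup("admins")) {
      polkit.log("allowing " + action.id + " for " + subject.user);
      return polkit.Result.YES;
    }
    return polkit.Result.NOT_HANDLED; // anything else keeps its default
  });
}

// Constructed subject objects for the offline evaluation (not part of polkit).
function fakeSubject(user, groups, local, active) {
  return {
    user: user,
    local: local === undefined ? true : local,
    active: active === undefined ? true : active,
    isInGroup: function (g) { return groups.indexOf(g) !== -1; }
  };
}

installRules(fakePolkit);

// Returns "yes" when the rule grants the action, null when it falls through.
function decide(actionId, subject) {
  return fakePolkit.evaluate({ id: actionId }, subject);
}
```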


[Freeipa-users] Sync IPA and AD while using external CA

2015-10-28 Thread mitra dehghan
hello,
I want to implement an IPA server and sync it with my 2012 MS AD. While
things go well using an internal CA in each server, I came across a kind of
problem when I want to integrate the solution with my PKI, which is already serving
the AD server.
I can install IPA with the --external-ca switch, but when it comes to the sync
agreement it says "TLS error -8179:Peer's Certificate issuer is not
recognized."

The architecture is:
- There is a root CA named contoso.com
- There is a subordinate CA named local.dc
- The certificates of AD and IPA server are both issued by local.dc
- IPA's certificate is issued  based on the CSR file generated by
ipa-server-install
- I have copied both certificates into the /etc/openldap/certs directory and the
rest was the same as what I did in the internal CA scenario.

While the FreeIPA docs say both servers must have internal CAs, I need to
integrate the solution with the available PKI.
I would be glad to hear suggestions on whether this scenario is applicable and what is
wrong there.
thank you
-- 
m-dehghan

Re: [Freeipa-users] rest api

2015-10-28 Thread Alexander Bokovoy

On Wed, 28 Oct 2015, Winfried de Heiden wrote:
> Hi all,
>
> In order for an external application to communicate with IPA and/or modify
> on (free)Ipa, we want to use the JSON API.
>
> Where can I find documentation on how to use this API?

Read my blog post:
https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/

FreeIPA 4.2 includes an API browser in Web UI.

--
/ Alexander Bokovoy



Re: [Freeipa-users] IPA with external CA signed certs

2015-10-28 Thread James Masson



On 26/10/15 16:11, Martin Kosek wrote:
> On 10/26/2015 04:05 PM, James Masson wrote:
>> On 19/10/15 21:06, Rob Crittenden wrote:
>>> James Masson wrote:
>>>> Hi list,
>>>>
>>>> I successfully have IPA working with CA certs signed by an upstream Dogtag.
>>>>
>>>> Now I'm trying to use a CA cert signed by a different type of CA - Vault.
>>>>
>>>> Setup fails, using the same 2 step IPA setup process as used with
>>>> upstream Dogtag. I've also tried the external-ca-type option.
>>>>
>>>> Likely, IPA doesn't like the certificate - however, I can't pinpoint why.
>>>
>>> I'm guessing you don't include the entire CA cert chain of Vault. Dogtag
>>> is failing to start up because it can't verify its own cert chain:
>>>
>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>>> CAPresence:  CA is present
>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>>> SystemCertsVerification: system certs verification failure
>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>>> SelfTestSubsystem: The CRITICAL self test plugin called
>>> selftests.container.instance.SystemCertsVerification running at startup
>>> FAILED!
>>>
>>> rob
>>
>> Hi Rob,
>>
>> Thanks for the reply.
>>
>> I do present the IPA installer with both the CA and the IPA cert - the IPA's
>> python-based install code is happy with the cert chain, but the Java based
>> dogtag code chokes on it.
>>
>> OpenSSL is happy with it too.
>>
>> #
>> [root@foo ~]# openssl verify ipa.crt
>> ipa.crt: O = LOCAL, CN = Certificate Authority
>> error 20 at 0 depth lookup:unable to get local issuer certificate
>>
>> [root@foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
>> ipa.crt: OK
>> ###
>>
>> Any hints on how to reproduce this with more debug output? I'd like to know
>> exactly what Dogtag doesn't like about the certificate.
>>
>> thanks
>>
>> James M
>
> Let me CC at least Jan Ch. and David, they may be able to help and should also
> make sure FreeIPA gets better in validating the certs, as appropriate.

Any thoughts guys?

James M



Re: [Freeipa-users] rest api

2015-10-28 Thread Rob Crittenden
Winfried de Heiden wrote:
> Hi all,
> 
> In order for an external application to communicate with IPA and/or
> modify on (free)Ipa, we want to use the JSON API.
> 
> Where can I find documentation on how to use this API?
> 
> Thankz!
> 
> Winny
> 
> 
IPA doesn't use REST.

You can get an idea about how to use the API at
https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/

If you add the -vv option to the ipa command-line you can see the API in
action:

% ipa -vv user-show admin

rob



[Freeipa-users] rest api

2015-10-28 Thread Winfried de Heiden

Hi all,

In order for an external application to communicate with IPA and/or modify
on (free)Ipa, we want to use the JSON API.

Where can I find documentation on how to use this API?

Thankz!

Winny

Re: [Freeipa-users] Wrong time / constantly expired passwords

2015-10-28 Thread urgrue
Here are some examples:

[root@mule ~]# ipa user-status freddie
---
Account disabled: False
---
  Server: mule.bulb
  Failed logins: 0
  Last successful authentication: 2015-10-28T09:03:48Z
  Last failed authentication: 2015-10-28T09:03:40Z
  Time now: 2015-10-28T18:05:51Z

Number of entries returned 1

[root@mule ~]# ipa user-show freddie
  User login: freddie
  First name: fred
  Last name: orispaa
  Home directory: /home/freddie
  Login shell: /bin/sh
  UID: 50001
  GID: 50001
  Account disabled: False
  Password: True
  Member of groups: admins, ipausers
  Indirect Member of Sudo rule: allow_all
  Kerberos keys available: True
  SSH public key fingerprint:
DA:54:C4:27:3A:23:00:AE:AE:60:B7:1B:E1:E4:03:C5
  freddie@mule (ssh-rsa)

With SSH:

[root@mule ~]$ ssh freddie@mule
freddie@mule's password:
Password expired. Change your password now.
Last login: Wed Oct 28 10:03:44 2015 from 127.0.0.1
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user freddie.
Current Password:
New password:
Retype new password:
passwd: Authentication token is no longer valid; new one required
Connection to mule closed.

(Now if I login again, the same process repeats, except the password has
indeed changed)

With su the output is less informative:
[jj@mule ~]$ su - freddie
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
su: incorrect password

(the password was correct and it HAS changed even though the output implies
I entered the wrong current password).

Doing kinit:

-sh-4.1$ id
uid=50001(freddie) gid=50001(freddie) groups=50001(freddie),5(admins)
-sh-4.1$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_50001)
-sh-4.1$ kinit
Password for freddie@BULB:
Password expired.  You must change it now.
Enter new password:
Enter it again:
kinit: Password has expired while getting initial credentials
-sh-4.1$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_50001)

(again the password HAS changed)

In case it's of any relevance, note that root has no issue with kerberos
credentials:
[root@mule ~]# kinit admin
Password for admin@BULB:
[root@mule ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@BULB

Valid starting     Expires            Service principal
10/28/15 19:14:56  10/29/15 19:14:53  krbtgt/BULB@BULB



On Wed, Oct 28, 2015 at 2:44 PM, Rob Crittenden  wrote:

> urgrue wrote:
> > Didn't realize it was GMT, so OK that's not the issue. Any suggestions
> > on how to debug it? Everything looks OK, but passwords are just
> > perma-expired at all times.
>
> Need more info on what you're seeing and how the passwords are being
> changed.
>
> rob
>
> >
> >
> > On Tue, Oct 27, 2015, 21:45 Rob Crittenden wrote:
> >
> > urgrue wrote:
> > > Hi,
> > > On a new install, I'm being forced a password reset on every
> > login. Not
> > > sure why but this doesn't look right:
> > >
> > > # date
> > > Tue Oct 27 21:02:57 CET 2015
> > >
> > > # ipa user-status blah1
> > > 
> > >   Last successful authentication: 2015-10-27T19:34:53Z
> > >   Last failed authentication: 2015-10-27T19:34:20Z
> > >   Time now: 2015-10-27T20:03:00Z
> > >
> > > Where is it getting this wrong time from?
> >
> > What's wrong with the time? CET is one hour behind GMT right? That is
> > reflected by the difference between the output of date and "Time
> now".
> >
> > Passwords administratively reset must be set by the user during the
> > first authentication. If the password needs further reset then yeah,
> > something is wrong, but the above looks ok.
> >
> > rob
> >
>
>

Re: [Freeipa-users] anonymous LDAP attributes with IPA ipa-server-4.1

2015-10-28 Thread craig . linux
Thanks, it worked!
For those also interested in the settings:

Permission: ldap_anonymous
Bind Type Rule: anonymous
Granted Rights: (I used) "read","search","compare"
Subtree: cn=users,cn=accounts,dc=example,dc=com
Extra target filter: (&(objectclass=Person)(|(uid=*)(givenName=*)))
Target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com
Effective Attributes: 
gecos, mail, mobile, telephoneNumber, uidNumber

cheers,

Craig




On Wed, Oct 28, 2015 at 11:18:29AM +0530, Prashant Bapat wrote:
> Refer to this doc:
>
> [1]https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#server-access-controls
>On 28 October 2015 at 11:11, Prashant Bapat <[2]prash...@apigee.com>
>wrote:
> 
>  Making attributes anonymously readable is very simple. You need to look
>  into RBAC and define the permissions/privileges you need. 
>  On 28 October 2015 at 08:02, <[3]craig.li...@mypenguin.net.au> wrote:
> 
>Hi,
> 
>We have recently updated from IPA 3 to IPA 4.1 and one of the changes
>in
>security is what attributes are available for the anonymous LDAP
>queries.
> 
>Does anyone know how to edit the anonymous LDAP settings so
>that the following are available?
> 
>mail: [4]cr...@example.com
>postalCode: 3000
>street: 1 Home Parade
>mobile: -000-000
>telephoneNumber: 03--
> 
>Note: We have many different types of LDAP clients here and even
>though
>using encrypted BIND's did work from ldapsearch queries, I couldn't
>get
>them to consistently work from our email clients.
> 
>Regards,
> 
>Craig
> 
> References
> 
>Visible links
>1. 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#server-access-controls
>2. mailto:prash...@apigee.com
>3. mailto:craig.li...@mypenguin.net.au
>4. mailto:cr...@example.com
>5. https://www.redhat.com/mailman/listinfo/freeipa-users
>6. http://freeipa.org/
