Re: [Freeipa-users] Command-line replication is not works in FreeIPA-Master

2016-08-31 Thread Andrey Rogovsky
Hi, Alexander!

Thanks for the fast reply.
I have a replication manager object:
filter: (objectclass=organizationalPerson)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] Command-line replication is not works in FreeIPA-Master

2016-08-31 Thread Alexander Bokovoy

On Thu, 01 Sep 2016, Andrey Rogovsky wrote:

Hi!
Thanks for your advice!
I'm trying to start the replica and I get these errors in the log:
[01/Sep/2016:03:24:23 +] slapi_ldap_bind - Error: could not bind id
[cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error
32 (No such object) errno 0 (Success)
[01/Sep/2016:03:24:23 +] NSMMReplicationPlugin -
agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth
failed: LDAP error 32 (No such object) ()

You've been told already that you should have the replication manager object
created at both sides. Your 'cn=replication manager,cn=config' does not
exist at the replica.

You should read the RHDS Administration Guide, at least the part about the
supplier bind DN entry, but preferably the whole chapter it is part of:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html




This is my current replica:
filter: (objectclass=nsds5replica)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base 
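Alexander's point is that the supplier's bind DN has to exist on the consumer before the agreement can bind, and the errors log already says which DN, which agreement and which consumer are involved. The following is an added example, not code from the thread or from 389-ds: a small Python triage script that reads 389-ds errors-log lines like the two quoted above (re-typed here as constructed sample input with the timestamps completed, plus an invented second agreement that fails with error 49) and reports each failed replication bind with its agreement, peer, bind DN and a likely cause. The cause table is an assumption of this example, not something the thread states.

```python
"""Triage failed replication binds from a 389-ds errors log.

Added example, not code from the thread or from 389-ds. The sample lines are
constructed from the two lines quoted in the thread (timestamps completed
with +0000) plus an invented second agreement that fails with error 49.
"""
import re

SAMPLE_ERRORS_LOG = """\
[01/Sep/2016:03:24:23 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[01/Sep/2016:03:24:23 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
[01/Sep/2016:03:25:10 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 49 (Invalid credentials) errno 0 (Success)
[01/Sep/2016:03:25:10 +0000] NSMMReplicationPlugin - agmt="cn=OtherAgreement" (ldap3:389): Replication bind with SIMPLE auth failed: LDAP error 49 (Invalid credentials) ()
"""

# The bind attempt line names the DN the supplier tried to bind as.
BIND_ID_RE = re.compile(
    r"slapi_ldap_bind - Error: could not bind id \[(?P<dn>[^\]]+)\] "
    r"authentication mechanism \[(?P<mech>[^\]]+)\]: error (?P<code>\d+)"
)
# The plugin line that follows names the agreement and the consumer it targets.
AGMT_RE = re.compile(
    r'NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): '
    r"Replication bind with (?P<mech>\S+) auth failed: LDAP error (?P<code>\d+)"
)

# Assumed mapping from LDAP result code to the usual cause on the consumer.
LIKELY_CAUSE = {
    32: "bind DN entry does not exist on the consumer; create the supplier bind DN entry there",
    49: "bind DN exists on the consumer but the credential in the agreement does not match",
}


def parse_replication_bind_failures(log_text):
    """Return one record per failed replication bind found in the log text."""
    failures = []
    last_bind_dn = None
    for line in log_text.splitlines():
        m = BIND_ID_RE.search(line)
        if m:
            # Remember the DN; the agreement line for the same attempt follows it.
            last_bind_dn = m.group("dn")
            continue
        m = AGMT_RE.search(line)
        if not m:
            continue
        code = int(m.group("code"))
        failures.append({
            "agreement": m.group("agmt"),
            "peer": m.group("peer"),
            "mechanism": m.group("mech"),
            "bind_dn": last_bind_dn,
            "ldap_error": code,
            "likely_cause": LIKELY_CAUSE.get(code, "check the consumer's access log for the bind"),
        })
        last_bind_dn = None
    return failures


def report(log_text):
    """Human-readable summary, one line per failed bind."""
    lines = []
    for f in parse_replication_bind_failures(log_text):
        lines.append("%s -> %s: %s bind as %s failed with LDAP error %d (%s)" % (
            f["agreement"], f["peer"], f["mechanism"], f["bind_dn"],
            f["ldap_error"], f["likely_cause"]))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ERRORS_LOG)))
```

Run it against /var/log/dirsrv/slapd-INSTANCE/errors on the supplier; error 32 on the replication bind means the consumer has no entry at the bind DN, which is exactly what the ldapsearch against cn=config on the consumer should confirm before the agreement is re-enabled.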

Re: [Freeipa-users] Command-line replication is not works in FreeIPA-Master

2016-08-31 Thread Andrey Rogovsky
Hi!
Thanks for your advice!
I'm trying to start the replica and I get these errors in the log:
[01/Sep/2016:03:24:23 +] slapi_ldap_bind - Error: could not bind id
[cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error
32 (No such object) errno 0 (Success)
[01/Sep/2016:03:24:23 +] NSMMReplicationPlugin -
agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth
failed: LDAP error 32 (No such object) ()

This is my current replica:
filter: (objectclass=nsds5replica)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] pfSense/FreeIPA LDAP Extended Query Fails

2016-08-31 Thread Alexander Bokovoy

On Wed, 31 Aug 2016, Mike Jacobacci wrote:

Hi,

I have just got authentication against my FreeIPA system working by
following this: https://ask.fedoraproject.org/en/que...uthentication/


The only change I had to make was to set the Search Scope level to
"entire subtree" and I also left the extended query unchecked... With
that setup I am able to authenticate using
"Diagnostics->Authentication".

I really want to restrict access so I can use FreeIPA for our VPN auth
so I tried using the following extended query but it fails:
&(memberOf=cn=admins,cn=groups,cn=accounts,dc=domain,dc=com)

Looking in pfSense logs, using the extended query (fails):

[24/Aug/2016:11:07:16 -0700] conn=1396 fd=116 slot=116 SSL connection from * to 
*
[24/Aug/2016:11:07:16 -0700] conn=1396 TLS1.2 256-bit AES-GCM
[24/Aug/2016:11:07:16 -0700] conn=1396 op=0 BIND dn="" method=128 version=3
[24/Aug/2016:11:07:16 -0700] conn=1396 op=0 RESULT err=0 tag=97 nentries=0 etime=0 
dn=""
[24/Aug/2016:11:07:16 -0700] conn=1396 op=1 SRCH base="cn=accounts,dc=domain,dc=com" scope=2 filter="(&(uid=user)(&(memberOf=cn=admins,cn=groups,cn=accounts,dc=domain,dc=com)))" attrs=ALL
[24/Aug/2016:11:07:16 -0700] conn=1396 op=1 RESULT err=0 tag=101 nentries=0 
etime=0
[24/Aug/2016:11:07:16 -0700] conn=1396 op=2 UNBIND
[24/Aug/2016:11:07:16 -0700] conn=1396 op=2 fd=116 closed - U1

Without the query (success):
[30/Aug/2016:10:23:25 -0700] conn=6432 fd=110 slot=110 SSL connection from * to 
*
[30/Aug/2016:10:23:25 -0700] conn=6432 TLS1.2 256-bit AES-GCM
[30/Aug/2016:10:23:25 -0700] conn=6432 op=0 BIND dn="" method=128 version=3
[30/Aug/2016:10:23:25 -0700] conn=6432 op=0 RESULT err=0 tag=97 nentries=0 etime=0 
dn=""
[30/Aug/2016:10:23:25 -0700] conn=6432 op=1 SRCH base="cn=compat,dc=domain,dc=com" scope=2 filter="(uid=user1)" attrs=ALL
[30/Aug/2016:10:23:25 -0700] conn=6432 op=1 RESULT err=0 tag=101 nentries=1 
etime=0
[30/Aug/2016:10:23:25 -0700] conn=6432 op=2 BIND dn="uid=user1,cn=users,cn=compat,dc=domain,dc=com" method=128 version=3
[30/Aug/2016:10:23:25 -0700] conn=6432 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=user1,cn=users,cn=accounts,dc=domain,dc=com"
[30/Aug/2016:10:23:25 -0700] conn=6433 fd=118 slot=118 SSL connection from * to 
*
[30/Aug/2016:10:23:25 -0700] conn=6432 op=3 UNBIND
[30/Aug/2016:10:23:25 -0700] conn=6432 op=3 fd=110 closed - U1
[30/Aug/2016:10:23:25 -0700] conn=6433 TLS1.2 256-bit AES-GCM
[30/Aug/2016:10:23:25 -0700] conn=6433 op=0 BIND dn="" method=128 version=3
[30/Aug/2016:10:23:25 -0700] conn=6433 op=0 RESULT err=0 tag=97 nentries=0 etime=0 
dn=""
[30/Aug/2016:10:23:25 -0700] conn=6433 op=1 SRCH base="uid=user1,cn=users,cn=compat,dc=domain,dc=com" scope=2 filter="(uid=user1)" attrs="memberOf"
[30/Aug/2016:10:23:25 -0700] conn=6433 op=1 RESULT err=0 tag=101 nentries=1 
etime=0
[30/Aug/2016:10:23:25 -0700] conn=6433 op=2 UNBIND
[30/Aug/2016:10:23:25 -0700] conn=6433 op=2 fd=118 closed - U1

I changed the cn from accounts to compat for the auth container, but
that doesn't make a difference. The last search shows attrs="memberOf",
but anytime I add an extended query the logs show attrs="all", not sure
if that means anything. I tried adding the full memberOf path under the
group member attribute, but that didn't restrict access although the
auth is still successful.

[30/Aug/2016:10:42:12 -0700] conn=6460 op=1 SRCH base="uid=user3,cn=users,cn=compat,dc=domain,dc=com" scope=2 filter="(uid=user3)" attrs="memberof=cn=admins,cn=groups,cn=compat,dc=domain,dc=com"
[30/Aug/2016:10:42:12 -0700] conn=6460 op=1 RESULT err=0 tag=101 nentries=1 etime=0

When doing an ldapsearch, I can see the group:

# admins, groups, compat, domain.com
dn: cn=admins,cn=groups,cn=compat,dc=domain,dc=com
ipaAnchorUUID::
gidNumber: 5
memberUid: admin
memberUid: user1
memberUid: user2
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
cn: admins

Any help would be greatly appreciated.

FreeIPA 4.x requires authenticated bind to be able to see member
attributes of the groups in the main subtree. Your pfSense is using
anonymous bind, thus not being able to see them.

Also, don't use cn=compat,$suffix subtree, it does not help for your task.
Your pfSense device expects different schema than the one provided by
the Compatibility Tree.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
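Alexander's diagnosis can be confirmed from the access log alone: the failing search runs on a connection whose BIND was anonymous (dn=""), filters on memberOf, and comes back with nentries=0, while the later searches use cn=compat as their base. The following is an added example, not code from the thread, from pfSense or from FreeIPA: a Python reader for 389-ds access-log lines that tracks which identity is bound on each connection, pairs every SRCH with its RESULT, and flags the two conditions Alexander names. The sample lines are constructed from the ones Mike posted, with dc=domain,dc=com kept as a placeholder suffix.

```python
"""Read 389-ds access-log lines and explain why a group-membership search
returned nothing.

Added example, not code from the thread, pfSense or FreeIPA. The sample is
constructed from the lines Mike posted: one anonymous search with a memberOf
filter (conn=1396) and one search under cn=compat (conn=6432).
"""
import re

SAMPLE_ACCESS_LOG = """\
[24/Aug/2016:11:07:16 -0700] conn=1396 op=0 BIND dn="" method=128 version=3
[24/Aug/2016:11:07:16 -0700] conn=1396 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[24/Aug/2016:11:07:16 -0700] conn=1396 op=1 SRCH base="cn=accounts,dc=domain,dc=com" scope=2 filter="(&(uid=user)(&(memberOf=cn=admins,cn=groups,cn=accounts,dc=domain,dc=com)))" attrs=ALL
[24/Aug/2016:11:07:16 -0700] conn=1396 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[24/Aug/2016:11:07:16 -0700] conn=1396 op=2 UNBIND
[30/Aug/2016:10:23:25 -0700] conn=6432 op=0 BIND dn="" method=128 version=3
[30/Aug/2016:10:23:25 -0700] conn=6432 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[30/Aug/2016:10:23:25 -0700] conn=6432 op=1 SRCH base="cn=compat,dc=domain,dc=com" scope=2 filter="(uid=user1)" attrs=ALL
[30/Aug/2016:10:23:25 -0700] conn=6432 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[30/Aug/2016:10:23:25 -0700] conn=6432 op=2 BIND dn="uid=user1,cn=users,cn=compat,dc=domain,dc=com" method=128 version=3
[30/Aug/2016:10:23:25 -0700] conn=6432 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=user1,cn=users,cn=accounts,dc=domain,dc=com"
[30/Aug/2016:10:23:25 -0700] conn=6432 op=3 UNBIND
"""

LINE_RE = re.compile(
    r"\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>BIND|SRCH|RESULT|UNBIND)(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, the value may be quoted


def parse_access_log(text):
    """Return one record per completed search: who was bound, base, filter, result."""
    bound_as = {}   # conn -> DN of the identity currently bound ("" = anonymous)
    pending = {}    # (conn, op) -> search waiting for its RESULT line
    searches = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, op, kind = m.group("conn"), m.group("op"), m.group("kind")
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        if kind == "SRCH":
            pending[(conn, op)] = {
                "conn": conn, "bound_as": bound_as.get(conn, ""),
                "base": kv.get("base", ""), "filter": kv.get("filter", ""),
            }
        elif kind == "RESULT" and kv.get("tag") == "97":
            # Bind result: tag 97 carries the DN now bound on the connection.
            if kv.get("err") == "0":
                bound_as[conn] = kv.get("dn", "")
        elif kind == "RESULT" and (conn, op) in pending:
            rec = pending.pop((conn, op))
            rec["err"] = int(kv.get("err", "0"))
            rec["nentries"] = int(kv.get("nentries", "0"))
            searches.append(rec)
        elif kind == "UNBIND":
            bound_as.pop(conn, None)
    return searches


def explain_failed_group_lookups(searches):
    """Flag anonymous memberOf lookups that found nothing, and cn=compat search bases."""
    findings = []
    for s in searches:
        if s["bound_as"] == "" and "memberof=" in s["filter"].lower() and s["nentries"] == 0:
            findings.append((s["conn"], "memberOf filter evaluated under an anonymous bind; "
                                        "FreeIPA 4.x needs an authenticated bind to read membership"))
        if s["base"].lower().startswith("cn=compat,"):
            findings.append((s["conn"], "search base is the Compatibility Tree, "
                                        "whose schema differs from cn=accounts"))
    return findings


if __name__ == "__main__":
    for conn, why in explain_failed_group_lookups(parse_access_log(SAMPLE_ACCESS_LOG)):
        print("conn=%s: %s" % (conn, why))
```

The practical fix the findings point at is the one in the reply: give pfSense a bind DN (a dedicated system account with read access) instead of an anonymous bind, and keep the search base under cn=accounts rather than cn=compat.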

Re: [Freeipa-users] IPA port 80

2016-08-31 Thread Sean Hogan

Thanks Peter,


So the set up is each vlan has an IPA replica within the firewall boundary
acting as its primary auth/policy server.  If it goes down.. then the
clients can reach back thru the firewall to our backup IPAs.  So I am
trying to pinpoint the actual ports required to be open on the firewall to
allow the clients the ability to get back to the back up IPAs.

It comes down to opening ports thru the firewalls back to our IPA backup
servers.  If port 80 is not required for the clients or servers to get to
IPA behind the firewall then there is no need in opening more ports than
required and getting 443 open adheres more to our security policy than 80.
So if everything is redirected to 443 and 80 is not required as it is all
redirected then the docs I am using are not correct.

I am hoping Simo can weigh in on this


Redhat link shows this for firewall port openings
https://access.redhat.com/solutions/357673
with <-> seeming to indicate bidirectional.  Not sure why NTP requires that
for the clients.

Resolution
IdM Server <-> Clients

  Name         Port        Type           Purpose
  HTTP/HTTPS   80 / 443    TCP            WebUI and IPA CLI admin tools communication.
  LDAP/LDAPS   389 / 636   TCP            directory service communication.
  Kerberos     88 / 464    TCP and UDP    communication for authentication
  DNS          53          TCP and UDP    nameservice, used also for autodiscovery, autoregistration and High Availability Authentication (sssd), optional
  NTP          123         UDP            network time protocol, optional
  kadmind      464 / 749   TCP            used for principal generation, password changes etc.

IdM Server <-> IdM Server (i.e. Replica)

  Name         Port        Type           Purpose
  HTTP/HTTPS   80 / 443    TCP            WebUI and IPA CLI admin tools communication.
  LDAP/LDAPS   389 / 636   TCP            directory service communication.


Re: [Freeipa-users] IPA port 80

2016-08-31 Thread Peter Fern
On 01/09/16 08:35, Simo Sorce wrote:
> Port 80 is not required, the only thing you'll find there is a redirect
> to the HTTPS port.

What about CRL/OCSP (and possibly others)?  The Apache configs
explicitly do not redirect to HTTPS except for the /ipa path for this
reason.



Re: [Freeipa-users] IPA port 80

2016-08-31 Thread Sean Hogan

Thank you Simo,


  Is there a better source for the IPA ports required you can direct me to
other than this https://access.redhat.com/solutions/357673
which shows the below:

Resolution
IdM Server <-> Clients

  Name         Port        Type           Purpose
  HTTP/HTTPS   80 / 443    TCP            WebUI and IPA CLI admin tools communication.
  LDAP/LDAPS   389 / 636   TCP            directory service communication.
  Kerberos     88 / 464    TCP and UDP    communication for authentication
  DNS          53          TCP and UDP    nameservice, used also for autodiscovery, autoregistration and High Availability Authentication (sssd), optional
  NTP          123         UDP            network time protocol, optional
  kadmind      464 / 749   TCP            used for principal generation, password changes etc.

IdM Server <-> IdM Server (i.e. Replica)

  Name         Port        Type           Purpose
  HTTP/HTTPS   80 / 443    TCP            WebUI and IPA CLI admin tools communication.
  LDAP/LDAPS   389 / 636   TCP            directory service communication.
  Kerberos     88 / 464    TCP and UDP    communication for authentication
  DNS          53          TCP and UDP    nameservice, used also for autodiscovery, autoregistration and High Availability Authentication (sssd), optional
  NTP          123         UDP            network time protocol, optional

[Freeipa-users] pfSense/FreeIPA LDAP Extended Query Fails

2016-08-31 Thread Mike Jacobacci
Hi,

I have just got authentication against my FreeIPA system working by following 
this:
https://ask.fedoraproject.org/en/que...uthentication/ 


The only change I had to make was to set the Search Scope level to "entire 
subtree" and I also left the extended query unchecked... With that setup I am 
able to authenticate using "Diagnostics->Authentication".

I really want to restrict access so I can use FreeIPA for our VPN auth so I 
tried using the following extended query but it fails:
&(memberOf=cn=admins,cn=groups,cn=accounts,dc=domain,dc=com)

Looking in pfSense logs, using the extended query (fails):

[24/Aug/2016:11:07:16 -0700] conn=1396 fd=116 slot=116 SSL connection from * to 
*
[24/Aug/2016:11:07:16 -0700] conn=1396 TLS1.2 256-bit AES-GCM
[24/Aug/2016:11:07:16 -0700] conn=1396 op=0 BIND dn="" method=128 version=3
[24/Aug/2016:11:07:16 -0700] conn=1396 op=0 RESULT err=0 tag=97 nentries=0 
etime=0 dn=""
[24/Aug/2016:11:07:16 -0700] conn=1396 op=1 SRCH base="cn=accounts,dc=domain,dc=com" scope=2 filter="(&(uid=user)(&(memberOf=cn=admins,cn=groups,cn=accounts,dc=domain,dc=com)))" attrs=ALL
[24/Aug/2016:11:07:16 -0700] conn=1396 op=1 RESULT err=0 tag=101 nentries=0 
etime=0
[24/Aug/2016:11:07:16 -0700] conn=1396 op=2 UNBIND
[24/Aug/2016:11:07:16 -0700] conn=1396 op=2 fd=116 closed - U1

Without the query (success):
[30/Aug/2016:10:23:25 -0700] conn=6432 fd=110 slot=110 SSL connection from * to 
*
[30/Aug/2016:10:23:25 -0700] conn=6432 TLS1.2 256-bit AES-GCM
[30/Aug/2016:10:23:25 -0700] conn=6432 op=0 BIND dn="" method=128 version=3
[30/Aug/2016:10:23:25 -0700] conn=6432 op=0 RESULT err=0 tag=97 nentries=0 
etime=0 dn=""
[30/Aug/2016:10:23:25 -0700] conn=6432 op=1 SRCH base="cn=compat,dc=domain,dc=com" scope=2 filter="(uid=user1)" attrs=ALL
[30/Aug/2016:10:23:25 -0700] conn=6432 op=1 RESULT err=0 tag=101 nentries=1 
etime=0
[30/Aug/2016:10:23:25 -0700] conn=6432 op=2 BIND dn="uid=user1,cn=users,cn=compat,dc=domain,dc=com" method=128 version=3
[30/Aug/2016:10:23:25 -0700] conn=6432 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=user1,cn=users,cn=accounts,dc=domain,dc=com"
[30/Aug/2016:10:23:25 -0700] conn=6433 fd=118 slot=118 SSL connection from * to 
*
[30/Aug/2016:10:23:25 -0700] conn=6432 op=3 UNBIND
[30/Aug/2016:10:23:25 -0700] conn=6432 op=3 fd=110 closed - U1
[30/Aug/2016:10:23:25 -0700] conn=6433 TLS1.2 256-bit AES-GCM
[30/Aug/2016:10:23:25 -0700] conn=6433 op=0 BIND dn="" method=128 version=3
[30/Aug/2016:10:23:25 -0700] conn=6433 op=0 RESULT err=0 tag=97 nentries=0 
etime=0 dn=""
[30/Aug/2016:10:23:25 -0700] conn=6433 op=1 SRCH base="uid=user1,cn=users,cn=compat,dc=domain,dc=com" scope=2 filter="(uid=user1)" attrs="memberOf"
[30/Aug/2016:10:23:25 -0700] conn=6433 op=1 RESULT err=0 tag=101 nentries=1 
etime=0
[30/Aug/2016:10:23:25 -0700] conn=6433 op=2 UNBIND
[30/Aug/2016:10:23:25 -0700] conn=6433 op=2 fd=118 closed - U1

I changed the cn from accounts to compat for the auth container, but that 
doesn't make a difference. The last search shows attrs="memberOf", but anytime 
I add an extended query the logs show attrs="all", not sure if that means 
anything. I tried adding the full memberOf path under the group member 
attribute, but that didn't restrict access although the auth is still successful.

[30/Aug/2016:10:42:12 -0700] conn=6460 op=1 SRCH base="uid=user3,cn=users,cn=compat,dc=domain,dc=com" scope=2 filter="(uid=user3)" attrs="memberof=cn=admins,cn=groups,cn=compat,dc=domain,dc=com"
[30/Aug/2016:10:42:12 -0700] conn=6460 op=1 RESULT err=0 tag=101 nentries=1 etime=0

When doing an ldapsearch, I can see the group:

# admins, groups, compat, domain.com
dn: cn=admins,cn=groups,cn=compat,dc=domain,dc=com
ipaAnchorUUID:: 
gidNumber: 5
memberUid: admin
memberUid: user1
memberUid: user2
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
cn: admins

Any help would be greatly appreciated.

Cheers,
Mike

Re: [Freeipa-users] IPA port 80

2016-08-31 Thread Peter Fern
You need to serve CRLs and OCSP via HTTP to avoid clients failing to
verify the cert of the host serving the CRL/OCSP when the cert on that
host needs to be verified at itself.

I'm not sure why you'd particularly care though - reading the Apache
configs and you should see that other than a couple of exceptions, all
HTTP traffic is redirected to HTTPS.

On 01/09/16 07:22, Sean Hogan wrote:
>
> Hi all,
>
> Been reading a lot about Port 80 for IPA and firewalls but have not
> found a concrete answer. I know the redhat docs indicate port 80 is
> required bidirectional however I need to investigate if it is truly
> needed.
>
> GUI only responds to 443 so not sure what else would be utilizing port
> 80. I have seen some references that dogtag proxies its ports to 80
> and 443 but if the gui is running on 443 does that mean dogtag is
> proxying via 443 only? Or is there a way to tell? Has anyone attempted
> not opening port 80 from IPA Server to IPA Server and clients to IPA
> server?
> ipa-server-3.0.0-50.el6.1.x86_64
>
> Sean Hogan


Re: [Freeipa-users] IPA port 80

2016-08-31 Thread Simo Sorce
On Wed, 2016-08-31 at 14:22 -0700, Sean Hogan wrote:
> 
> 
> Hi all,
> 
>   Been reading a lot about Port 80 for IPA and firewalls but have not found
> a concrete answer.  I know the redhat docs indicate port 80 is required
> bidirectional however I need to investigate if it is truly needed.
> 
> GUI only responds to 443 so not sure what else would be utilizing port 80.
> I have seen some references that dogtag proxies its ports to 80 and 443 but
> if the gui is running on 443 does that mean dogtag is proxying via 443
> only?  Or is there a way to tell?   Has anyone attempted not opening port
> 80 from IPA Server to IPA Server and clients to IPA server?
> ipa-server-3.0.0-50.el6.1.x86_64

Port 80 is not required, the only thing you'll find there is a redirect
to the HTTPS port.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-users] IPA port 80

2016-08-31 Thread Sean Hogan



Hi all,

  Been reading a lot about Port 80 for IPA and firewalls but have not found
a concrete answer.  I know the redhat docs indicate port 80 is required
bidirectional however I need to investigate if it is truly needed.

GUI only responds to 443 so not sure what else would be utilizing port 80.
I have seen some references that dogtag proxies its ports to 80 and 443 but
if the gui is running on 443 does that mean dogtag is proxying via 443
only?  Or is there a way to tell?   Has anyone attempted not opening port
80 from IPA Server to IPA Server and clients to IPA server?
ipa-server-3.0.0-50.el6.1.x86_64

Sean Hogan


Re: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1

2016-08-31 Thread Timo Aaltonen
On 31.08.2016 11:18, Petr Spacek wrote:
> On 31.8.2016 00:23, Timo Aaltonen wrote:
>> On 29.08.2016 10:34, Timo Aaltonen wrote:
>>> On 21.04.2016 22:01, Timo Aaltonen wrote:

 ps. Debian unstable will have 4.3.1 once the package has gone through
 the NEW queue because the packaging got split in certain ways
>>>
>>> No it did not, because the ftpmaster rejected the upload since it ships
>>> with minified javascript which is not considered modifiable source code.
>>> And the old version has now been removed from Debian because it was
>>> unmaintainable.
>>>
>>> So I hope #5639 will be resolved at some point. Note that Debian doesn't
>>> require the javascript to be minified during package build, just that
>>> the source would ship the unminified copy as well.
>>
>> Turns out it wasn't too much of an effort to pull in unminified bits of
>> everything that is shipped minified (just ~630kB..), so I guess Freeipa
>> will be uploaded back fairly soon...
> 
> Timo,
> 
> can you share script/procedure you used? It would save us some time spent on
> re-inventing what you have done :-)
> 
> We need to see how complex change it would be so we could pull it into master
> eventually.

I put it in https://fedorahosted.org/freeipa/ticket/5639

for dojo & build I looked at the profile.js files. But now I see that I
didn't look at webui.profile.js... could be something is missing still.





Re: [Freeipa-users] Command-line replication is not works in FreeIPA-Master

2016-08-31 Thread Andrey Rogovsky
Hi, Mark!

Thanks for the explanation. Now I have created the replication manager (I hope):
[root@ldap1 ~]# ldapsearch -h ldap1.example.com -p 389 -xLLL -D
"cn=directory manager" -W -b cn=config "cn=replication manager"
Enter LDAP Password:
dn: cn=replication manager,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
objectClass: organizationalPerson
cn: replication manager
sn: RM
userPassword:: e1NTSEF9N1JiRmNXWTFXNDA1cmdYSUdCNWJtV3RzOElNQXBhakhXam94WlE9PQ==

What is next? I am using the manual for version 8 and it is a bit obsolete.


2016-08-31 19:30 GMT+03:00 Mark Reynolds :

> Hi Andrey,
>
> It looks like you still did not create the replication manager entry.
> You must create that manager entry on the standalone server.  Please read
> the link I sent you:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Direct
> ory_Server/10/html/Administration_Guide/Creating_the_
> Supplier_Bind_DN_Entry.html
>
> You can verify its existence by doing this search against the standalone
> server:
>
> ldapsearch -h ldap1.example.com -p 389 -xLLL -D "cn=directory manager" -W
> -b cn=config "cn=replication manager"
>
> Mark
>
>
> On 08/31/2016 11:50 AM, Andrey Rogovsky wrote:
>
> Hi!
> Thank you for fast reply.
> Yes, I want to use a standalone 389DS as a replica from FreeIPA.
> There is my replica:
> filter: (objectclass=nsds5replica)
> requesting: All userApplication attributes
> # extended LDIF
> #
> # LDAPv3
> # base 

Re: [Freeipa-users] Command-line replication is not works in FreeIPA-Master

2016-08-31 Thread Mark Reynolds
Hi Andrey,

It looks like you still did not create the replication manager entry.  
You must create that manager entry on the standalone server.  Please
read the link I sent you:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html


You can verify its existence by doing this search against the standalone
server:

ldapsearch -h ldap1.example.com  -p 389 -xLLL
-D "cn=directory manager" -W -b cn=config "cn=replication manager"

Mark


On 08/31/2016 11:50 AM, Andrey Rogovsky wrote:
> Hi!
> Thank you for fast reply.
> Yes, I want to use a standalone 389DS as a replica from FreeIPA.
> There is my replica:
> filter: (objectclass=nsds5replica)
> requesting: All userApplication attributes
> # extended LDIF
> #
> # LDAPv3
> # base 

Re: [Freeipa-users] Command-line replication is not works in FreeIPA-Master

2016-08-31 Thread Andrey Rogovsky
Hi!
Thank you for fast reply.
Yes, I want to use a standalone 389DS as a replica from FreeIPA.
There is my replica:
filter: (objectclass=nsds5replica)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] Command-line replication is not works in FreeIPA-Master

2016-08-31 Thread Mark Reynolds


On 08/31/2016 09:50 AM, Andrey Rogovsky wrote:
> Hi!
>
> I am trying to configure a manual replica from FreeIPA DS to 389 DS.
> I have two VMs: ldap1.example.com and ldap2.example.com
> I used this manual
> https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_Replication-Configuring-Replication-cmd.html
> to configure the replica
>
> There was replica agreement before starting:
>
> # extended LDIF
> #
> # LDAPv3
> # base 

Re: [Freeipa-users] Help with sudo permission for a command

2016-08-31 Thread Ryan Whalen
Hey Pavel,

Thanks for the reply! It's not exactly that I want to allow any command to
be run as app_user. The command I actually want to run is very long and
complicated and wouldn't mean much in this context, so I simplified my
example. The problem is that *any command* I run will fail, whether or not
they already have the permissions to run said command.

The exact command that I want to run *will work* if I `sudo su - app_user`
and then run the command in the new shell for `app_user`.  It *won't work* if
I try to run `sudo su - app_user -c `. So the user has the
permissions to run the command. It just won't work with the `-c` option.

So that's where I'm stuck. From my perspective they should have all the
permissions that they need. They have sudo privileges to `sudo su -
app_user -c` as well as the specific command that I want to be run.

Thanks

Ryan

On Wed, Aug 31, 2016 at 4:51 AM, Pavel Březina  wrote:

> On 08/30/2016 05:08 PM, Ryan Whalen wrote:
>
>> Hi All,
>>
>> I'm having an issue getting a command to run properly, and the issue
>> seems to be with FreeIPA sudo permissions. Specifically 'sudo su -
>> app_user -c ""' prompts for a password when run.
>>
>> However if I 'sudo su - app_user' and then run the '' as
>> app_user, it works fine.
>>
>> example:
>> ```
>> $ ssh r...@production-server.pp
>> Last login: Mon Aug 29 21:36:14 2016 from 10.20.3.15
>> ryan$ sudo su - app_user -c "df"
>> [sudo] password for ryan:
>> ^C
>> ryan$ sudo su - app_user
>> app_user$ df
>> Filesystem   1K-blocks Used Available Use% Mounted on
>> /dev/sda3 14845784  6667296   7417708  48% /
>> tmpfs  14742280   1474228   0% /dev/shm
>> /dev/sda1   48765281221380831  18% /boot
>> 10.51.0.34:/srv/nfs/app
>>   287687168 69111040 218576128  25% /var/app
>> 10.51.0.54:/srv/nfs/ipa
>>16377088  3728640  11809792  24% /home/ipa
>> ap_user$
>> ```
>>
>> I have a sudo rule that allows `/bin/su - app_user` and `/bin/su -
>> app_user -c` but I can't get the `-c` to work in a single command. I also
>> tried giving sudo permission to `/bin/bash` in case the `-c` needed it
>> to create a new shell for some reason, but it didn't work.
>>
>> Does anyone have any thoughts on what permissions I might be missing to
>> allow the user to run `sudo su - app_user -c `?
>>
>> Thanks,
>> Ryan
>>
>>
>>
> Try to allow /bin/su - app_user -c '*'
>
> If I understand you correctly, you want to allow user to run any command
> as app_user. You can do it also by creating a rule that allows to run any
> command and run it as app_user.
>

[Freeipa-users] Command-line replication is not works in FreeIPA-Master

2016-08-31 Thread Andrey Rogovsky
Hi!

I am trying to configure a manual replica from FreeIPA DS to 389 DS.
I have two VMs: ldap1.example.com and ldap2.example.com
I used this manual
https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_Replication-Configuring-Replication-cmd.html
to configure the replica

There was replica agreement before starting:

# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] Getting ACL Syntax Error(-5)

2016-08-31 Thread Deepak Dimri
Thanks Martin, that worked.
Though this ACI did not help me achieve what I was looking for. Let me ask
you this, if you can advise me something:
I want to create a permission which should allow an admin to 'add'/'delete'
hosts from the "foo-hostgroup" list only if the "member attribute" value is
equal to "foo". I basically want to restrict the foo admin so that they cannot
add any host to the "foo-hostgroup" other than a host having an attribute
value of "foo".
How can I achieve this?
Many Thanks,
Deepak


Subject: Re: [Freeipa-users] Getting ACL Syntax Error(-5)
To: deepak_di...@hotmail.com; freeipa-users@redhat.com
From: mba...@redhat.com
Date: Wed, 31 Aug 2016 12:06:02 +0200

On 31.08.2016 11:49, Deepak Dimri wrote:

Hi All,
I am getting ACL Syntax Error(-5) when trying to add an ACI to my freeIPA server. Any idea why I am getting this error?

Maybe your ACI is incorrect?

This is the error I am getting:

ldap_modify: Invalid syntax (21)
 additional info: ACL Syntax Error(-5):(targetattr=\22userclass\22)(targetfilter=\22(objectclass=ipahost)\22)(version3.0; acl \22permission:Allow admin to modify  hosts membership within  permitted hostgroups\22; allow (write) groupdn =\22ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com\22;)

Can you try here, in 'version3.0;', to put a space between version and number?

Otherwise it looks good to me.

My LDIF entries:

dn: cn=computers,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com
add: aci
aci: (targetattr = "userclass")(targetfilter = "(objectclass=ipahost)")(version3.0;acl "permission:Allow admin to modify  hosts membership within  permitted hostgroups";allow (write) groupdn ="ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com;;)

Also, one general question: I should be able to view the ACI under the freeIPA permission tab once it gets created, correct?

No, you have to add a FreeIPA permission; custom ACIs are not tracked in the webUI/CLI.

IMO it should be possible to create this permission using the webUI.

Martin

Thanks & regards,
Deepak


Re: [Freeipa-users] Getting ACL Syntax Error(-5)

2016-08-31 Thread Martin Basti

On 31.08.2016 11:49, Deepak Dimri wrote:

Hi All,

I am getting *ACL Syntax Error(-5)* when trying to add an ACI to my 
freeIPA server.  Any idea why I am getting this error?

Maybe your ACI is incorrect?

This is the error I am getting:

ldap_modify: Invalid syntax (21)

*additional info: ACL Syntax 
Error(-5)*:(targetattr=\22userclass\22)(targetfilter=\22(objectclass=ipahost)\22)(version3.0; 
acl \22permission:Allow admin to modify  hosts membership within  
permitted hostgroups\22; allow (write) groupdn 
=\22ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com\22;)

Can you try here, in 'version3.0;', to put a space between version and number?

Otherwise it looks good to me.

My LDIF entries:

dn: cn=computers,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com

add: aci

aci: (targetattr = "userclass")(targetfilter = 
"(objectclass=ipahost)")(version3.0;acl "permission:Allow admin to 
modify  hosts membership within  permitted hostgroups";allow (write) 
groupdn 
="ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com;;)

Also, one general question: I should be able to view the ACI under the 
freeIPA permission tab once it gets created, correct?

No, you have to add a FreeIPA permission; custom ACIs are not tracked in the 
webUI/CLI.

IMO it should be possible to create this permission using the webUI.

Martin

Thanks & regards,

Deepak

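Martin's fix is a single missing space, and the server's "ACL Syntax Error(-5)" does not say where. The following is an added example, not code from the thread or from FreeIPA: a Python checker that splits an ACI into its target clauses, its version/name header and its allow/deny rules, and names the 'version3.0;' mistake before the ACI is sent with ldapmodify. The ACI text is Deepak's with the suffix replaced by the placeholder dc=example,dc=com and the trailing quote balanced; the parser accepts the ACI subset used here and is not a full 389-ds ACI grammar.

```python
"""Check a 389-ds/FreeIPA ACI string before sending it with ldapmodify.

Added example, not code from the thread or from FreeIPA. It parses the ACI
subset used in the thread (target clauses, version/name header, allow/deny
rules) and is not a complete ACI grammar.
"""
import re

# Constructed from Deepak's ACI: suffix replaced by a placeholder, closing
# quote balanced, and the space Martin suggested between "version" and "3.0".
FIXED_ACI = (
    '(targetattr = "userclass")'
    '(targetfilter = "(objectclass=ipahost)")'
    '(version 3.0; acl "permission:Allow admin to modify hosts membership within permitted hostgroups"; '
    'allow (write) groupdn = "ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=example,dc=com";)'
)
# The form that produced "ACL Syntax Error(-5)" in the thread.
BROKEN_ACI = FIXED_ACI.replace("version 3.0;", "version3.0;")

TARGET_RE = re.compile(r'\(\s*(targetattr|targetfilter|target)\s*(!?=)\s*"([^"]*)"\s*\)\s*')
HEADER_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*([^;]+);')


def parse_aci(aci):
    """Split an ACI into targets, name and rules; raise ValueError on the first problem."""
    pos, targets = 0, {}
    while True:
        m = TARGET_RE.match(aci, pos)
        if not m:
            break
        targets[m.group(1)] = (m.group(2), m.group(3))   # clause -> (operator, value)
        pos = m.end()
    body = aci[pos:]
    if re.match(r"\(\s*version\d", body):
        raise ValueError("missing space between 'version' and '3.0' "
                         "(this is the ACL Syntax Error(-5) case)")
    m = HEADER_RE.match(body)
    if not m:
        raise ValueError("expected '(version 3.0; acl \"name\"; ...)' after the "
                         "target clauses, got: " + body[:40])
    name, rule_text = m.group(1), m.group(2)
    rules = [
        {"effect": effect,
         "rights": [r.strip() for r in rights.split(",")],
         "bind_rule": bind.strip()}
        for effect, rights, bind in RULE_RE.findall(rule_text)
    ]
    if not rules:
        raise ValueError("no allow/deny rule found in: " + rule_text.strip())
    return {"targets": targets, "name": name, "rules": rules}


def check_aci(aci):
    """Return None when the ACI parses, otherwise the problem as a string."""
    try:
        parse_aci(aci)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for label, aci in (("fixed", FIXED_ACI), ("broken", BROKEN_ACI)):
        print("%s: %s" % (label, check_aci(aci) or "ok"))
```

As Martin notes, an ACI added this way is invisible to the Web UI and CLI; in FreeIPA the tracked route is a permission (ipa permission-add), which writes the ACI for you and avoids hand-typed syntax errors of this kind.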

[Freeipa-users] Getting ACL Syntax Error(-5)

2016-08-31 Thread Deepak Dimri

Hi All,
I am getting ACL Syntax Error(-5) when trying to add an ACI to my freeIPA 
server.  Any idea why I am getting this error?
This is the error I am getting:
ldap_modify: Invalid syntax (21)
additional info: ACL Syntax 
Error(-5):(targetattr=\22userclass\22)(targetfilter=\22(objectclass=ipahost)\22)(version3.0;
 acl \22permission:Allow admin to modify  hosts membership within  permitted 
hostgroups\22; allow (write) groupdn 
=\22ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com\22;)
My LDIF entries:
dn: cn=computers,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com
add: aci
aci: (targetattr = "userclass")(targetfilter = 
"(objectclass=ipahost)")(version3.0;acl "permission:Allow admin to modify  
hosts membership within  permitted hostgroups";allow (write) groupdn 
="ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com;;)
Also, one general question: I should be able to view the ACI under the freeIPA 
permission tab once it gets created, correct?
Thanks & regards,
Deepak

Re: [Freeipa-users] Migrate users with password from one IPA to another

2016-08-31 Thread Rene Trippen

On 25.08.2016 19:44, Rob Crittenden wrote:

Rene Trippen wrote:

Hi,

I've got an IPA with a broken CA infrastructure (don't know what
happened, but new clients cannot be registered).
It is not even possible to set up a new replica.


It may be fairly straightforward to get the CA back up. How is it
broken?

I don't know how that happened exactly: we had an IPA 3.x server, then 
we migrated it to another machine and upgraded to IPA 4.1; later, we 
upgraded (on the same machine) to IPA 4.2.
The IPA server is basically working, but when I want to register a new 
machine, the registration process fails with the following error (I think 
these are the relevant lines):


2016-08-30T22:40:25Z DEBUG flushing ldap://ipa.internal.domain:389 from 
SchemaCache
2016-08-30T22:40:25Z DEBUG retrieving schema for SchemaCache 
url=ldap://ipa.internal.domain:389 
conn=

2016-08-30T22:40:26Z DEBUG Adding CA certificates to the IPA NSS database.
2016-08-30T22:40:26Z DEBUG Starting external process
2016-08-30T22:40:26Z DEBUG args='/usr/bin/certutil' '-d' 
'/etc/ipa/nssdb' '-A' '-n' 'INTERNAL.DOMAIN IPA CA' '-t' 'CT,C,C'

2016-08-30T22:40:26Z DEBUG Process finished, return code=0
2016-08-30T22:40:26Z DEBUG stdout=
2016-08-30T22:40:26Z DEBUG stderr=
2016-08-30T22:40:26Z DEBUG Starting external process
2016-08-30T22:40:26Z DEBUG args='/usr/bin/certutil' '-d' 
'/etc/ipa/nssdb' '-A' '-n' 'INTERNAL.DOMAIN IPA CA' '-t' 'CT,C,C'

2016-08-30T22:40:26Z DEBUG Process finished, return code=255
2016-08-30T22:40:26Z DEBUG stdout=
2016-08-30T22:40:26Z DEBUG stderr=certutil: could not add certificate to 
token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to 
database.


2016-08-30T22:40:26Z ERROR Failed to add INTERNAL.DOMAIN IPA CA to the 
IPA NSS database.

2016-08-30T22:40:26Z ERROR Installation failed. Rolling back changes.


The client tries to add 2 certificates, but fails with the second. I 
think it is because we have 2 CA certificates (one from the old IPA 3.x 
server and one from the new 4.x server). My current workaround is to 
register the client with an IPA 3.x client, then I do an upgrade to the 
4.x client.


I've tried many ways to set up a new CA:
- tried ipa-cacert-manage renew
- tried to set up a new replica with a new CA, but the setup failed with 
the same problems described above
- tried to remove all old certificates referring to the old IPA server 
(but I think I failed somewhere)


My thoughts are that the CA is in a bad condition, and I spent much time 
trying to fix it, with no success. And my fear is that if I find some 
crude, undocumented workaround for the CA problem, the problem may pop 
up again at the next update. So, setting up a fresh IPA and migrating 
everything (except the clients) was my hope to get an IPA running 
without all the CA problems. Migrating the clients is not the problem, 
that can be done by script (Spacewalk or Ansible), but migrating the 
users is not that easy, because the users cannot be scripted :)




So, I wanted to set up a new IPA server with a new CA, and I want to move
all users with their passwords to the new IPA instance.
I've tried with 'ipa migrate-ds':

ipa migrate-ds --continue --bind-dn="cn=Directory Manager"
--user-container=cn=users,cn=accounts
--group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
--group-overwrite-gid --with-compat ldap://

The output is OK
===
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.


But the ipa/migration website is not working for me.
Anyway, is there a way to export the users with passwords? I think I
have to export some Kerberos-specific stuff from the old IPA?


The log file /var/log/httpd/error_log may have details on what isn't
working.


Sorry, that was not clearly described:

The site is basically working, but when I enter the password, nothing 
happens in the backend (I cannot log in with my user on the IPA login site).


- rene



The way to export users with passwords is the method you've already
tried. Not having to change a password at all would require the same
Kerberos master key, and these are generated randomly at install time.

rob





Re: [Freeipa-users] Help with sudo permission for a command

2016-08-31 Thread Pavel Březina

On 08/30/2016 05:08 PM, Ryan Whalen wrote:

Hi All,

I'm having an issue getting a command to run properly, and the issue
seems to be with FreeIPA sudo permissions. Specifically, 'sudo su -
app_user -c ""' prompts for a password when run.

However, if I 'sudo su - app_user' and then run the '' as
app_user, it works fine.

example:
```
$ ssh r...@production-server.pp
Last login: Mon Aug 29 21:36:14 2016 from 10.20.3.15
ryan$ sudo su - app_user -c "df"
[sudo] password for ryan:
^C
ryan$ sudo su - app_user
app_user$ df
Filesystem   1K-blocks Used Available Use% Mounted on
/dev/sda3 14845784  6667296   7417708  48% /
tmpfs  14742280   1474228   0% /dev/shm
/dev/sda1   48765281221380831  18% /boot
10.51.0.34:/srv/nfs/app
  287687168 69111040 218576128  25% /var/app
10.51.0.54:/srv/nfs/ipa
   16377088  3728640  11809792  24% /home/ipa
ap_user$
```

I have a sudo rule that allows `/bin/su - app_user` and `/bin/su -
app_user -c`, but I can't get the `-c` to work in a single command. I also
tried giving sudo permission to `/bin/bash` in case the `-c` needed it
to create a new shell for some reason, but it didn't work.

Does anyone have any thoughts on what permissions I might be missing to
allow the user to run `sudo su - app_user -c `?

Thanks,
Ryan




Try to allow /bin/su - app_user -c '*'

If I understand you correctly, you want to allow the user to run any 
command as app_user. You can also do it by creating a rule that allows 
any command to be run, and run it as app_user.
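How sudo matches a typed command against a command entry, and why `/bin/su - app_user -c` alone never matches `su - app_user -c "df"` while the wildcard form does, as an added Python model that is not sudo's or FreeIPA's code. It assumes sudo's documented matching (identical command path, rule arguments compared against the space-joined user arguments with fnmatch(3), no arguments in the rule meaning any arguments, `""` meaning none) and takes argv[0] as already PATH-resolved.

```python
import fnmatch
import shlex

# Added example, not sudo or FreeIPA code: a model of how sudo decides
# whether a typed command matches a command entry (sudoers or a FreeIPA
# sudo rule after SSSD hands it to sudo). Assumed, per sudo's documented
# matching: the command path must be identical (argv[0] is PATH-resolved
# here); an entry with no arguments allows any arguments; an entry whose
# arguments are "" allows none; otherwise the user's arguments are joined
# with single spaces and matched against the entry's arguments with
# fnmatch(3), so '*' also spans spaces and can match several words.

def split_entry(entry: str):
    """Split '/bin/su - app_user -c *' into ('/bin/su', '- app_user -c *')."""
    path, _, args = entry.strip().partition(" ")
    return path, (args or None)

def entry_matches(entry: str, argv: list) -> bool:
    """Does one command entry permit this argv (argv[0] is the resolved path)?"""
    path, rule_args = split_entry(entry)
    if path != argv[0]:
        return False
    user_args = " ".join(argv[1:])
    if rule_args is None:          # "/bin/su" alone: any arguments
        return True
    if rule_args == '""':          # '/bin/su ""': arguments forbidden
        return user_args == ""
    return fnmatch.fnmatchcase(user_args, rule_args)

def allowed(entries: list, command: str) -> bool:
    """True if at least one entry permits the command line (shell quoting applies)."""
    argv = shlex.split(command)
    return any(entry_matches(e, argv) for e in entries)

# The entries from the thread, and the same list with the suggested wildcard
# entry added (written as the argument string sudo compares against).
ORIGINAL = ["/bin/su - app_user", "/bin/su - app_user -c"]
WITH_WILDCARD = ORIGINAL + ["/bin/su - app_user -c *"]

if __name__ == "__main__":
    for cmd in ['/bin/su - app_user', '/bin/su - app_user -c "df"',
                '/bin/su - app_user -c "id; uname -a"', '/bin/su - root -c "df"']:
        print(f"{cmd:40} original={allowed(ORIGINAL, cmd)!s:5} "
              f"wildcard={allowed(WITH_WILDCARD, cmd)}")
```

Because `*` spans spaces, the wildcard entry accepts any command line after `-c`, which is the same grant as a rule for any command run as app_user.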




Re: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1

2016-08-31 Thread Petr Spacek
On 31.8.2016 00:23, Timo Aaltonen wrote:
> On 29.08.2016 10:34, Timo Aaltonen wrote:
>> On 21.04.2016 22:01, Timo Aaltonen wrote:
>>>
>>> ps. Debian unstable will have 4.3.1 once the package has gone through
>>> the NEW queue because the packaging got split in certain ways
>>
>> No it did not, because the ftpmaster rejected the upload since it ships
>> with minified javascript which is not considered modifiable source code.
>> And the old version has now been removed from Debian because it was
>> unmaintainable.
>>
>> So I hope #5639 will be resolved at some point. Note that Debian doesn't
>> require the javascript to be minified during package build, just that
>> the source would ship the unminified copy as well.
> 
> Turns out it wasn't too much of an effort to pull in unminified bits of
> everything that is shipped minified (just ~630kB..), so I guess Freeipa
> will be uploaded back fairly soon...

Timo,

can you share the script/procedure you used? It would save us some time spent on
re-inventing what you have done :-)

We need to see how complex a change it would be so we could pull it into master
eventually.

-- 
Petr^2 Spacek



Re: [Freeipa-users] Site functionality between clients and server

2016-08-31 Thread Jakub Hrozek
On Tue, Aug 30, 2016 at 03:29:46PM -0700, Michael wrote:
> Our environment has multiple FreeIPA servers and associated SRV records.
> During client install, I can't determine how each installation chooses the
> value to be placed in the ipa_server property of sssd.conf.
> 
> Can FreeIPA clients be configured to prefer an LDAP server on their own
> subnet? On a defined list of subnets, like Active Directory Sites?

Coming up in 4.4:
http://www.freeipa.org/page/V4/DNS_Location_Mechanism



[Freeipa-users] Site functionality between clients and server

2016-08-31 Thread Michael
Our environment has multiple FreeIPA servers and associated SRV records.
During client install, I can't determine how each installation chooses the
value to be placed in the ipa_server property of sssd.conf.

Can FreeIPA clients be configured to prefer an LDAP server on their own subnet?
On a defined list of subnets, like Active Directory Sites?


