Re: [Freeipa-users] FreeIPA and sudo Defaults

2015-08-04 Thread Innes, Duncan
More information:
 
[root@puppet01 ~]# cat /etc/sssd/sssd.conf
[domain/example.com]
 
cache_credentials = True
krb5_realm = EXAMPLE.COM
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = puppet01.example.com
chpass_provider = ipa
ipa_server = ipa01.example.com, ipa02.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_network_timeout = 2
ldap_opt_timeout = 2
ldap_search_timeout = 2
ldap_user_extra_attrs = email:mail, firstname:givenname, lastname:sn, ou
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
 
domains = example.com
[nss]
filter_users = root,apache,postgres,oracle,tomcat,puppet,foreman,foreman-proxy
filter_groups = root,apache,postgres,oracle,tomcat,puppet,foreman-proxy
homedir_substring = /home
 
[pam]
 
[sudo]
 
[autofs]
 
[ssh]

We don't use _srv_ as we have no control over the DNS servers.
 
[root@puppet01 ~]# cat /etc/nsswitch.conf | grep -v \#
 

passwd:     files sss
shadow:     files sss
group:      files sss

hosts:      files dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files
aliases:    files nisplus
sudoers:    files sss
 
[root@puppet01 ~]#

The client runs sudo successfully for other rules that are in place.



From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Innes, Duncan
Sent: 04 August 2015 12:10
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA and sudo Defaults


Information:
 
IPA server and client both running on RHEL 6.7 fully patched.
IPA server version: ipa-server-3.0.0-47.el6.x86_64
sssd client version: sssd-1.12.4-47.el6.x86_64
 
IPA server hosts dozens of sudo rules that work as expected.  This is
the first rule, however, that needs the !requiretty in the Defaults for
the user.
 
Thanks

D
 



From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Innes, Duncan
Sent: 04 August 2015 10:58
To: freeipa-users@redhat.com
Subject: [Freeipa-users] FreeIPA and sudo Defaults


Hi folks,
 
Struggling with creating a sudo rule in IPA that will allow my
foreman-proxy to run specific commands.  When I put the following into
/etc/sudoers.d/foreman:
 
[root@puppet01 ~]# cat /etc/sudoers.d/foreman
foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
Defaults:foreman-proxy !requiretty
innesd ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
Defaults:innesd !requiretty
[root@puppet01 ~]#

[innesd@puppet01 ~]$ sudo -l
Matching Defaults entries for innesd on this host:
    !requiretty

User innesd may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/puppet cert *, (root) /usr/bin/puppet kick *
    (root) /bin/su
[innesd@puppet01 ~]$

Both my user and the foreman-proxy can run the relevant commands both on
the command line and remotely.
 
IT Security are not happy with local sudo rules being configured around
the network, so I'm trying to create the same configuration via IPA.
 
When I try to get the same rule into IPA, my user can run the command in
a tty, but the foreman-proxy user is refused.  This looks to be down to
the lack of !requiretty coming through for the users:
 
[root@ipa01 ~]# ipa sudorule-show foreman-proxy
  Rule name: foreman-proxy
  Enabled: TRUE
  User category: all
  Hosts: puppet02.example.com, puppet01.example.com,
 puppet03.example.com, puppet04.example.com
  Sudo Allow Commands: /usr/bin/puppet cert *, /usr/bin/puppet kick *
  Sudo Option: !authenticate, !requiretty
[root@ipa01 ~]#

and once I've removed the #includedir option from my local sudoers file,
I get the following as my user:
 
[innesd@puppet01 ~]$ sudo -l
User innesd may run the following commands on this host:
(root) /bin/su
(root) NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
[innesd@puppet01 ~]$

where the noticeable difference is that the !requiretty isn't listed
under any Matching Defaults entries for my user.  With the rule set up
like this, I can run the command in a tty, but the foreman-proxy user is
denied when the command is run without a tty.
 
How do I go about setting the Defaults for the foreman-proxy user?  Once
my testing is done, I'd like to move the rule to run only against the
foreman-proxy external user rather than all users.
 
And a small follow-up question: how long should I expect it to take for
a change to the sudo rule on my IPA server to become available on the
client?  I keep doing sss_cache -E to clear the cache, but it still
seems to take its own sweet time to be changed on the client.  It's not
a huge wait - just a bit of a pain when I'm testing these changes.
 
Thanks in advance,
 
Duncan Innes

This message has been checked for viruses and spam by the Virgin Money
email scanning system

Re: [Freeipa-users] Which client is noisy?

2015-06-01 Thread Innes, Duncan
Petr,

We're using a different domain for IPA thankfully (unix.example.com),
but the AD guys control DNS and don't want to touch anything in the DNS
that might affect their example.com records.  Everything is on the same
VLANs, so I didn't want to press with any configuration request that
might have broken things.

Thierry,

Looking at the logconv output, rebooting the noisiest IPA server,
looking at the data again - it's becoming more clear that the failover
of the clients is moving to the next system in the list, but then
remaining there until it's forced to by that one going offline too.  I
knew this might happen when we designed the system, but as I said above,
we didn't meet a very flexible AD team. 

Cheers all,

Duncan 

-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: 01 June 2015 15:40
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Which client is noisy?

On 1.6.2015 10:56, Innes, Duncan wrote:
 We don't have access to the _SRV_ records as the AD domain controls 
 that, so we had to hard code the main and failover servers on the

Side note:
It sounds that your FreeIPA setup is using the same domain name as AD
realm.
This is directly against
http://www.freeipa.org/page/Deployment_Recommendations#DNS
and will cause pain moving forward as AD Trusts and DNSSEC validation
will be impossible.

Please follow
http://www.freeipa.org/page/Deployment_Recommendations
for the next deployment :-)

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

This message has been checked for viruses and spam by the Virgin Money
email scanning system powered by Messagelabs.

This message has been checked for viruses and spam by the Virgin Money email 
scanning system powered by Messagelabs.

This e-mail is intended to be confidential to the recipient. If you receive a 
copy in error, please inform the sender and then delete this message.

Virgin Money plc - Registered in England and Wales (Company no. 6952311). 
Registered office - Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL. 
Virgin Money plc is authorised by the Prudential Regulation Authority and 
regulated by the Financial Conduct Authority and the Prudential Regulation 
Authority.

The following companies also trade as Virgin Money. They are both authorised 
and regulated by the Financial Conduct Authority, are registered in England and 
Wales and have their registered office at Jubilee House, Gosforth, Newcastle 
upon Tyne NE3 4PL: Virgin Money Personal Financial Service Limited (Company no. 
3072766) and Virgin Money Unit Trust Managers Limited (Company no. 3000482).

For further details of Virgin Money group companies please visit our website at 
virginmoney.com



Re: [Freeipa-users] Real-time replication status (RFE)?

2015-02-09 Thread Innes, Duncan
For sure Rob.  It's a dirty hack to get the information that we
desperately needed at one point.

We had a pretty severe issue with our IPA servers a while back which was
eventually solved by reinstalling all but the initial IPA server,
deleting the old replication agreements and building the new ones back
up.  This page was of high value at that time.  It's still useful for an
occasional check of the status.

D

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: 06 February 2015 14:06
To: Innes, Duncan; Baird, Josh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Real-time replication status (RFE)?

Innes, Duncan wrote:
 Check:
 
 https://gist.github.com/duncaninnes/c91985822be9782df581
 
 which contains 2 scripts based on:
 
 http://directory.fedoraproject.org/docs/389ds/howto/howto-replicationmonitoring.html
 
 I just expanded it to cope with a list of servers, then version 2 
 sorts by last end, last start, hostname.  This version allows me to 
 see more clearly if a certain replication is out of date.  Could have 
 done a sort by column and added a refresh button, or automatic 
 refresh, but that wasn't the immediate aim.  Since then it's just 
 stuck, so could do with some love from any suitably minded persons.  
 It also doesn't gracefully handle situations where one server in the 
 list is offline, or taking too long to respond.
 
 Both scripts are put in /var/www/cgi-bin on one of my IPA servers, and
 accessed via:
 
 https://ipa01.example.com/cgi-bin/monitor2.pl
 
 for example.  Not sure if I modified the httpd configs - it's a while 
 ago that I sorted it out.
 
 HTH
 
 Duncan

We try to avoid using Directory Manager as much as possible which is one
of the reasons we haven't done something like this already. I'd
definitely recommend using startTLS for your bind, at a minimum.

The issue starts with the fact that we don't have a hostgroup consisting
of all IPA masters maintained automatically so there is no easy way to
do delegation. You could do this manually if you wanted though,
something like:

# ipa hostgroup-add ipamasters --desc='Manual list of IPA masters'
# ipa hostgroup-add-member --hosts=ipa1.example.com ipamasters
# ipa hostgroup-add-member --hosts=ipa2.example.com ipamasters

Now create a role that with a privilege to be able to read replication
agreements (and add and delete them too, so be aware).

# ipa role-add ipamasters --desc='IPA Masters'
# ipa role-add-privilege --privileges='Replication Administrators' ipamasters
# ipa role-add-member --hostgroup=ipamasters ipamasters

You can test this with:

# kinit -kt /etc/krb5.keytab
# ldapsearch -Y GSSAPI -b 'cn=mapping tree,cn=config' '(objectclass=nsDS5ReplicationAgreement)'

You'd just need to keep the ipamasters hostgroup up-to-date, and
considering that this list probably stabilizes over time, it shouldn't be
a ton of effort.

rob

 -Original Message-
 From: Baird, Josh [mailto:jba...@follett.com]
 Sent: 05 February 2015 17:08
 To: Innes, Duncan; Rob Crittenden; freeipa-users@redhat.com
 Subject: RE: [Freeipa-users] Real-time replication status (RFE)?
 
 That would be great, thanks!
 
 Josh
 
 -Original Message-
 From: Innes, Duncan [mailto:duncan.in...@virginmoney.com]
 Sent: Thursday, February 05, 2015 11:34 AM
 To: Rob Crittenden; Baird, Josh; freeipa-users@redhat.com
 Subject: RE: [Freeipa-users] Real-time replication status (RFE)?

 The screen mockup in that ticket is based on a Perl script that I 
 stuck in cgi-bin to pull just those stats off each IPA server I have 
 and display them.  Can share the code if you're interested.

 D

 -Original Message-
 From: freeipa-users-boun...@redhat.com 
 [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rob Crittenden
 Sent: 05 February 2015 14:19
 To: Baird, Josh; freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Real-time replication status (RFE)?

 Baird, Josh wrote:
 Hi,

 I'm looking for an easy way to validate that all replication
 agreements are functioning correctly between all of my IPA masters and
 replicas.  I am aware that I can run 'ipa-replica-manage list -v' from
 each IPA master, but I was looking for something more centralized that
 could give me a replication health report for all masters/replicas.
 Ideally, this type of feature would be exposed in the UI and would
 also include information or insight into the status of any IPA - AD
 trust relationships.

 Am I missing a feature that already exists?  If not, is there
 something like this on the IPA roadmap?

 This is being tracked in https://fedorahosted.org/freeipa/ticket/4390

 It depends on some other work being done first.

 rob


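An added example, not Duncan's gist script and not FreeIPA code, of the
check the thread is after: feed it the LDIF that Rob's ldapsearch against
'cn=mapping tree,cn=config' prints (bound with the host keytab, not
Directory Manager) and it sorts the agreements by last end, last start and
hostname, flagging any whose last session failed or finished too long ago.
The LDIF embedded below is constructed: the hostnames, times and status
strings are invented, only the 389-ds attribute names are real.

```python
"""Rank 389-ds / FreeIPA replication agreements by freshness.

Added example; not the gist script from the thread and not FreeIPA code.
Reads the LDIF printed by

    ldapsearch -Y GSSAPI -b 'cn=mapping tree,cn=config' \
        '(objectclass=nsDS5ReplicationAgreement)'

sorts agreements stalest first and flags failed or old ones.  SAMPLE_LDIF
is constructed data: hostnames, times and status text are invented; the
attribute names are the real 389-ds ones.
"""
import sys
from datetime import datetime, timedelta, timezone

SAMPLE_LDIF = """\
dn: cn=meToipa02.example.com,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
objectClass: nsDS5ReplicationAgreement
cn: meToipa02.example.com
nsDS5ReplicaHost: ipa02.example.com
nsds5replicaLastUpdateStart: 20150206140600Z
nsds5replicaLastUpdateEnd: 20150206140601Z
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update
  succeeded
nsds5replicaUpdateInProgress: FALSE

dn: cn=meToipa03.example.com,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
objectClass: nsDS5ReplicationAgreement
cn: meToipa03.example.com
nsDS5ReplicaHost: ipa03.example.com
nsds5replicaLastUpdateStart: 20150206081500Z
nsds5replicaLastUpdateEnd: 20150206081500Z
nsds5replicaLastUpdateStatus: -1 Unable to acquire replica: can't contact ipa03
nsds5replicaUpdateInProgress: FALSE
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfold continuation lines (leading space), split
    entries on blank lines, return one {attr_lowercase: [values]} per entry.
    Base64 ("::") values are left undecoded; these attributes never use them."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def parse_gentime(value):
    """LDAP generalized time as 389-ds writes it, e.g. 20150206140600Z.
    19700101000000Z means the agreement has never completed a session."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def agreement_rows(ldif_text):
    rows = []
    for entry in parse_ldif(ldif_text):
        classes = [c.lower() for c in entry.get("objectclass", [])]
        if "nsds5replicationagreement" not in classes:
            continue
        status = entry.get("nsds5replicalastupdatestatus", ["? no status"])[0]
        rows.append({
            "host": entry["nsds5replicahost"][0],
            "start": parse_gentime(entry["nsds5replicalastupdatestart"][0]),
            "end": parse_gentime(entry["nsds5replicalastupdateend"][0]),
            "status": status,
            # 389-ds prefixes the status text with a numeric code; 0 is success.
            "ok": status.split(" ", 1)[0] == "0",
            "in_progress": entry.get("nsds5replicaupdateinprogress", ["FALSE"])[0].upper() == "TRUE",
        })
    # Oldest end first, then oldest start, then hostname: stalest at the top.
    rows.sort(key=lambda r: (r["end"], r["start"], r["host"]))
    return rows


def check(ldif_text, now_gentime, max_age_hours=1):
    """Return [(host, ok, stale)] stalest first.  Stale means the last session
    failed, or its end is older than max_age_hours with nothing in progress.
    A quiet directory can legitimately show old timestamps, so treat age as
    a warning and a non-zero status code as the real error."""
    now = parse_gentime(now_gentime)
    limit = timedelta(hours=max_age_hours)
    out = []
    for r in agreement_rows(ldif_text):
        too_old = (now - r["end"]) > limit and not r["in_progress"]
        out.append((r["host"], r["ok"], (not r["ok"]) or too_old))
    return out


if __name__ == "__main__":
    # Pipe ldapsearch output in; with no pipe, run on the constructed sample.
    text = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    now = datetime.now(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    for host, ok, stale in check(text, now):
        print("{:<30} {:<4} {}".format(host, "OK" if ok else "ERR", "STALE" if stale else ""))
```

Run it on every master (each one only knows about its own outbound
agreements) and you get the per-supplier view the gist's monitor2.pl renders
in HTML, without a Directory Manager password on disk.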
Re: [Freeipa-users] Real-time replication status (RFE)?

2015-02-06 Thread Innes, Duncan
Check:

https://gist.github.com/duncaninnes/c91985822be9782df581

which contains 2 scripts based on:

http://directory.fedoraproject.org/docs/389ds/howto/howto-replicationmonitoring.html

I just expanded it to cope with a list of servers, then version 2 sorts
by last end, last start, hostname.  This version allows me to see more
clearly if a certain replication is out of date.  Could have done a sort
by column and added a refresh button, or automatic refresh, but that
wasn't the immediate aim.  Since then it's just stuck, so could do with
some love from any suitably minded persons.  It also doesn't gracefully
handle situations where one server in the list is offline, or taking too
long to respond.

Both scripts are put in /var/www/cgi-bin on one of my IPA servers, and
accessed via:

https://ipa01.example.com/cgi-bin/monitor2.pl

for example.  Not sure if I modified the httpd configs - it's a while
ago that I sorted it out.

HTH

Duncan

-Original Message-
From: Baird, Josh [mailto:jba...@follett.com] 
Sent: 05 February 2015 17:08
To: Innes, Duncan; Rob Crittenden; freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Real-time replication status (RFE)?

That would be great, thanks!

Josh

 -Original Message-
 From: Innes, Duncan [mailto:duncan.in...@virginmoney.com]
 Sent: Thursday, February 05, 2015 11:34 AM
 To: Rob Crittenden; Baird, Josh; freeipa-users@redhat.com
 Subject: RE: [Freeipa-users] Real-time replication status (RFE)?
 
 The screen mockup in that ticket is based on a Perl script that I 
 stuck in cgi-bin to pull just those stats off each IPA server I have 
 and display them.  Can share the code if you're interested.
 
 D
 
 -Original Message-
 From: freeipa-users-boun...@redhat.com 
 [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rob Crittenden
 Sent: 05 February 2015 14:19
 To: Baird, Josh; freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Real-time replication status (RFE)?
 
 Baird, Josh wrote:
  Hi,
 
  I'm looking for an easy way to validate that all replication
  agreements are functioning correctly between all of my IPA masters and
  replicas.  I am aware that I can run 'ipa-replica-manage list -v' from
  each IPA master, but I was looking for something more centralized that
  could give me a replication health report for all masters/replicas.
  Ideally, this type of feature would be exposed in the UI and would
  also include information or insight into the status of any IPA - AD
  trust relationships.
 
  Am I missing a feature that already exists?  If not, is there
 something like this on the IPA roadmap?
 
 This is being tracked in https://fedorahosted.org/freeipa/ticket/4390
 
 It depends on some other work being done first.
 
 rob
 

Re: [Freeipa-users] Real-time replication status (RFE)?

2015-02-05 Thread Innes, Duncan
The screen mockup in that ticket is based on a Perl script that I stuck
in cgi-bin to pull just those stats off each IPA server I have and
display them.  Can share the code if you're interested.

D

-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rob Crittenden
Sent: 05 February 2015 14:19
To: Baird, Josh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Real-time replication status (RFE)?

Baird, Josh wrote:
 Hi,
 
 I'm looking for an easy way to validate that all replication
agreements are functioning correctly between all of my IPA masters and
replicas.  I am aware that I can run 'ipa-replica-manage list -v' from
each IPA master, but I was looking for something more centralized that
could give me a replication health report for all masters/replicas.
Ideally, this type of feature would be exposed in the UI and would also
include information or insight into the status of any IPA - AD trust
relationships.
 
 Am I missing a feature that already exists?  If not, is there
something like this on the IPA roadmap?

This is being tracked in https://fedorahosted.org/freeipa/ticket/4390

It depends on some other work being done first.

rob



Re: [Freeipa-users] Minimum Disk Size

2015-02-04 Thread Innes, Duncan
Our standard RHEL6 OS install worked perfectly well for testing IPA with
larger user/host numbers:

part /boot --fstype=ext4 --size=256 --ondisk=sda --fsoptions noatime
part pv.01 --size=1000 --grow --ondisk=sda
volgroup vg_root pv.01
logvol /              --vgname=vg_root --name=lv_root   --size=3072 --fstype=ext4 --fsoptions noatime
logvol swap           --vgname=vg_root --name=lv_swap   --size=1024 --fstype=swap
logvol /opt           --vgname=vg_root --name=lv_opt    --size=1024 --fstype=ext4 --fsoptions noatime
logvol /var           --vgname=vg_root --name=lv_var    --size=1024 --fstype=ext4 --fsoptions noatime
logvol /var/log       --vgname=vg_root --name=lv_vlog   --size=1024 --fstype=ext4 --fsoptions noatime
logvol /var/log/audit --vgname=vg_root --name=lv_vaudit --size=512  --fstype=ext4 --fsoptions noatime
logvol /tmp           --vgname=vg_root --name=lv_tmp    --size=1024 --fstype=ext4 --fsoptions noatime,nodev,nosuid,noexec
logvol /home          --vgname=vg_root --name=lv_home   --size=1024 --fstype=ext4 --fsoptions noatime,nodev

Then to load test and move into production, we simply added an extra
partition for /var/lib/dirsrv:

logvol /var/lib/dirsrv --vgname=vg_root --name=lv_ldap --size=4096 --fstype=ext4 --fsoptions noatime

Which still uses less than 1 GB with nearly 1500 users and around 700
hosts:

# df -P
Filesystem                    1024-blocks    Used Available Capacity Mounted on
/dev/mapper/vg_root-lv_root       3030800 1478012   1395504      52% /
tmpfs                             1962324       4   1962320       1% /dev/shm
/dev/sda1                          245679   69576    162996      30% /boot
/dev/mapper/vg_root-lv_home        999320   29724    917168       4% /home
/dev/mapper/vg_root-lv_opt         999320    1328    945564       1% /opt
/dev/mapper/vg_root-lv_tmp         999320   44312    902580       5% /tmp
/dev/mapper/vg_root-lv_var         999320  296952    649940      32% /var
/dev/mapper/vg_root-lv_ldap       3997376  640084   3147580      17% /var/lib/dirsrv
/dev/mapper/vg_root-lv_vlog       1515376  514128    922612      36% /var/log
/dev/mapper/vg_root-lv_vaudit      499656   29608    443836       7% /var/log/audit
# 

HTH

D

-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dan Mossor
Sent: 04 February 2015 01:04
To: FreeIPA List
Subject: [Freeipa-users] Minimum Disk Size

What would be the minimum recommended disk size for a virtual FreeIPA
server on a network consisting of less than 30 users and 100 hosts?

Regards,
Dan
--
Dan Mossor
Systems Engineer at Large
Fedora KDE WG | Fedora QA Team | Fedora Server SIG Fedora Infrastructure
Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA



Re: [Freeipa-users] Logging: IPA to Rsyslog to Logstash

2015-01-05 Thread Innes, Duncan
 
-Original Message-
 From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
 Sent: 20 December 2014 03:37
 To: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Logging: IPA to Rsyslog to Logstash
 
 On 12/19/2014 11:35 AM, Innes, Duncan wrote:
 
 
  Is it feasible to alter the timestamp resolution that dirsrv uses?  
  This would help separate log lines properly.
 
 Please file a 389 RFE.
 

Done: https://fedorahosted.org/389/ticket/47982

 
 --
 Thank you,
 Dmitri Pal
 
 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.
 
 --



[Freeipa-users] Logging: IPA to Rsyslog to Logstash

2014-12-19 Thread Innes, Duncan
Earlier this year I said I'd feed back how my IPA to Rsyslog to Logstash
experiments went.

They went badly.  And I didn't get much time.  Today, however, I managed
to get over my imaginary finishing line:

All systems are RHEL 6.6.

Rsyslog (rsyslog7-7.4.10) is configured to import logs from some dirsrv
files:

# cat /etc/rsyslog.d/dirsrv.conf 
module(load="imfile" PollingInterval="2")

input(type="imfile"
      File="/var/log/dirsrv/slapd-EXAMPLE-COM/access"
      Tag="dirsrv"
      StateFile="statedirsrv"
      Facility="local0")

input(type="imfile"
      File="/var/log/dirsrv/slapd-EXAMPLE-COM/errors"
      Tag="dirsrv"
      StateFile="statedirsrverr"
      Severity="error"
      Facility="local0")

#

This pulls in those log entries on a regular basis.  Rsyslog8 allows you
to use inotify for file changes, but that's not available to me.

Rsyslog is then also configured to push all logs to my Logstash servers:

# cat /etc/rsyslog.d/logstash.conf 
template(name="ls_json" type="list" option.json="on")
{ constant(value="{")
    constant(value="\"@timestamp\":\"")        property(name="timegenerated" dateFormat="rfc3339")
    constant(value="\",\"@version\":\"1")
    constant(value="\",\"message\":\"")        property(name="msg")
    constant(value="\",\"host\":\"")           property(name="hostname")
    constant(value="\",\"my_environment\":\"dev")
    constant(value="\",\"my_project\":\"Infrastructure")
    constant(value="\",\"my_use\":\"IPA")
    constant(value="\",\"logsource\":\"")      property(name="fromhost")
    constant(value="\",\"severity_label\":\"") property(name="syslogseverity-text")
    constant(value="\",\"severity\":\"")       property(name="syslogseverity")
    constant(value="\",\"facility_label\":\"") property(name="syslogfacility-text")
    constant(value="\",\"facility\":\"")       property(name="syslogfacility")
    constant(value="\",\"program\":\"")        property(name="programname")
    constant(value="\",\"pid\":\"")            property(name="procid")
    constant(value="\",\"rawmsg\":\"")         property(name="rawmsg")
    constant(value="\",\"syslogtag\":\"")      property(name="syslogtag")
    constant(value="\"}\n")
}

*.* @@logstash01.example.com:5500;ls_json
$ActionExecOnlyWhenPreviousIsSuspended on
& @@logstash02.example.com:5500;ls_json
& /var/log/localbuffer
$ActionExecOnlyWhenPreviousIsSuspended off

[root@lvdlvldap02 ~]#

Which pushes all logs to my logstash servers in JSON format.  Failover
is built in by using 2 logstash servers.
The client needs to have SELinux managed to allow rsyslog to write to
port 5500:

# semanage port -a -t syslogd_port_t -p tcp 5500
# semanage port -l | grep 5500

The Logstash servers are then configured to listen on this port and do
some simple groking, before sending everything to the ElasticSearch
cluster:

# cat /etc/logstash/conf.d/syslog.conf 
input {
  tcp {
    type  => "syslogjson"
    port  => 5500
    codec => "json"
  }
}

filter {
  # This replaces the host field (UDP source) with the host that
  # generated the message (sysloghost)
  if [sysloghost] {
    mutate {
      replace      => [ "host", "%{sysloghost}" ]
      remove_field => [ "sysloghost" ] # prune the field after successfully replacing host
    }
  }
  if [type] == "syslogjson" {
    grok {
      patterns_dir => "/opt/logstash/patterns"
      match => { "message" => "%{VIRGINFW}" }
      match => { "message" => "%{AUDITAVC}" }
      match => { "message" => "%{COMMONAPACHELOG}" }
      tag_on_failure => []
    }
  }

  # This filter populates the @timestamp field with the timestamp that's
  # in the actual message
  # dirsrv logs are currently pulled in every 2 minutes, so @timestamp
  # is wrong
  if [syslogtag] == "dirsrv" {
    mutate {
      remove_field => [ "rawmsg" ]
    }
    grok {
      match => [ "message", "%{HTTPDATE:log_timestamp}" ]
    }
    date {
      # Joda pattern matching HTTPDATE: four-digit year, three-letter month
      match        => [ "log_timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
      locale       => "en"
      remove_field => [ "log_timestamp" ]
    }
  }
}

output {
  elasticsearch {
    protocol  => "node"
    node_name => "Indexer01"
  }
}
#

It works well for the most part.  I'm not performing any groking of the
actual message line as yet to pull out various bits of data into their
own separate fields, but at least I'm managing to log the access and
errors from multiple IPA servers.

The @timestamp field ends up with the timestamp from the actual message
line, so it's only down to second accuracy.  This means that multiple
log lines on the same second lose their ordering when viewed in the
Logstash/Kibana interface.  But the important thing at this point is
that they're now held centrally.

Is it feasible to alter the timestamp resolution that dirsrv uses?  This
would help separate log lines properly.

Cheers & Merry Festive Holiday thing

Duncan


Re: [Freeipa-users] PatternFly questions

2014-08-18 Thread Innes, Duncan
Bump

Back to work now - do you want RFE's written up for this stuff, or do
you have it in hand?

D

Re: [Freeipa-users] PatternFly questions

2014-07-31 Thread Innes, Duncan
Hi,

Sorry for delay - paternity leave took me away from work rather
abruptly.

Do you still want RFE's written up for these?

My brain might have been fried when I thought about this, but is there
any mileage in creating an elasticsearch (or similar) database of the
useful fields and using that for searching?  If LDAP searches are the
limiting factor that is.  Keeping the databases in sync might be an
issue, but the elasticsearch database would be read-only for users and
would allow a potentially richer method of searching.

Back at work on Monday, so should be able to write up some RFE's then if
they're still needed.

Cheers

D 

-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: 18 July 2014 16:09
To: Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] PatternFly questions

On 07/18/2014 09:23 AM, Martin Kosek wrote:
 On 07/18/2014 03:12 PM, Dmitri Pal wrote:
 On 07/18/2014 08:17 AM, Innes, Duncan wrote:
Hi Petr,

 On 18/07/2014 11:24, Petr Vobornik wrote:
 Hello Duncan,

 thank you for the input. If you or somebody else have any Web UI
 ideas/RFEs, feel free to write them down. I would like to
 know what people don't like or would like to have.

 On 18.7.2014 10:21, Innes, Duncan wrote:
 Just poking around the new 4.0 demo page and very much liking what I
 see.  This will make a big difference in use on large estates.

 A couple PatternFly related questions though:

 1. The tables don't sort by column if I click on a column header.
 Is this not available in PatternFly yet,
 or have FreeIPA decided against implementing it?
 First just a note about PatternFly. It's not really a widget library,
 it is (or should be) more of a set of patterns and
 styles. But the referential implementation is built on Bootstrap 3, so
 it is very easy to adopt. PatternFly doesn't have an
 official pattern for table sorting yet, but it has styles for
 DataTables (jQuery table plugin) which can do it.
 I don't remember any decision against it - could be implemented if
 there is enough will and user demand.
 Sorting can be done on client side and on server side. Client side is
 limited to issue #2 - only 20 items, so it is not really
 helpful.

 And server side (IPA API) doesn't support specifying a sort attribute
 atm.
 You would like the server-side sorting, right?

 Hadn't considered there to be an option.  When I looked at the
 PatternFly demos I hadn't thought about it, but the speed that
 FreeIPA pulls data out for rendering, I suppose it would have to be.
 Even our modest estate (at a few hundred users and hosts) would slow
 down far too much if the full dataset was sent.

 The other possibilities thrown up by PatternFly are also
 interesting; add/remove columns, resize columns etc.  I know some of
 these are still on the drawing board, but there are demo pages
 available already.

 2. Browsing the screen on a large monitor still leaves the user page
 (at least) limited to around 22 rows.
 This leaves the bottom third of my browser empty.  The table uses
 the full width of the browser, can it
 not use the full height too?
 I have an idea/plan to make it configurable - to specify the number
 of items and also to allow disabling of paging.
 The more rows the slower the UI is. Also paging has its own issues
 which are not straightforward to solve:
 - http://www.redhat.com/archives/freeipa-devel/2012-August/msg00295.html
 True. What's the biggest time factor in loading large tables?

 When admining estates with tens of thousands of entries, however, 
 much emphasis needs to be placed on the table filters. No admin in 
 their right mind is going to be performing actions on all entries 
 simultaneously.  Similar to Foreman's filters, could FreeIPA allow 
 (example) in the hosts screen a filter of hostgroup = groupX to 
 show only hosts belonging to that group?  Or filtering users with 
 manager = 'Duncan Innes'?
 Please open RFEs. This is really a valuable feedback.
 I think we are somewhat talking about this RFE:

 https://fedorahosted.org/freeipa/ticket/2388

 Maybe it is time to resurrect it from Ticket Deferred milestone given 
 it would bring big value for large user deployments.

 The API and the mighty LDAP search engine is already there:

 ipa user-add --first=Test --last=User manager
 ipa user-add --first=Test --last=User employee --manager manager
 ipa user-add --first=Test --last=User employee2 --manager manager
 ipa group-add testgroup --desc test
 ipa group-add-member testgroup --users employee2


 # ipa user-find --manager manager --pkey-only
 ---
 2 users matched
 ---
User login: employee

User login: employee2
 
 Number of entries returned 2
 

 # ipa user-find --manager manager --in-group testgroup --pkey-only
 --
 1 user matched
 --
User login

[Freeipa-users] PatternFly questions

2014-07-18 Thread Innes, Duncan
Just poking around the new 4.0 demo page and very much liking what I
see.  This will make a big difference in use on large estates.

A couple PatternFly related questions though:
 
1. The tables don't sort by column if I click on a column header.  Is
this not available in PatternFly yet, or have FreeIPA decided against
implementing it?
 
2. Browsing the screen on a large monitor still leaves the user page (at
least) limited to around 22 rows.  This leaves the bottom third of my
browser empty.  The table uses the full width of the browser, can it not
use the full height too?
 
Still a huge improvement though - these are just niggles.

Cheers

D


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] PatternFly questions

2014-07-18 Thread Innes, Duncan

 Hi Petr,

On 18/07/2014 11:24, Petr Vobornik wrote:

 Hello Duncan,
 
 thank you for the input. If you or somebody else have any Web UI
ideas/RFEs, feel free to write them down. I would like to
 know what people don't like or would like to have.
 
 On 18.7.2014 10:21, Innes, Duncan wrote:
  Just poking around the new 4.0 demo page and very much liking what I
see.  This will make a
  big difference in use on large estates.
 
  A couple PatternFly related questions though:
 
  1. The tables don't sort by column if I click on a column header.
Is this not available in PatternFly yet,
   or have FreeIPA decided against implementing it?
 
 First just a note about PatternFly. It's not really a widget library,
it is (or should be) more of a set of patterns and
 styles. But the referential implementation is built on Bootstrap 3, so
it is very easy to adopt. PatternFly doesn't have an
 official pattern for table sorting yet, but it has styles for
DataTables (jQuery table plugin) which can do it.
 
 I don't remember any decision against it - could be implemented if
there is enough will and user demand.
 
 Sorting can be done on client side and on server side. Client side is
limited to issue #2 - only 20 items, so it is not really
 helpful.
 
 And server side (IPA API) doesn't support specifying a sort attribute
atm.
 
 You would like the server-side sorting, right?
 

Hadn't considered there to be an option.  When I looked at the
PatternFly demos I hadn't thought about it, but the speed that
FreeIPA pulls data out for rendering, I suppose it would have to be.
Even our modest estate (at a few hundred users and hosts)
would slow down far too much if the full dataset was sent.

The other possibilities thrown up by PatternFly are also interesting;
add/remove columns, resize columns etc.  I know some of
these are still on the drawing board, but there are demo pages available
already.

 
 
  2. Browsing the screen on a large monitor still leaves the user page
(at least) limited to around 22 rows.
This leaves the bottom third of my browser empty.  The table uses
the full width of the browser, can it
not use the full height too?
 
 I have an idea/plan to make it configurable - to specify the number
of items and also to allow disabling of paging.
 
 The more rows the slower the UI is. Also paging has its own issues
which are not straightforward to solve:
 -
http://www.redhat.com/archives/freeipa-devel/2012-August/msg00295.html
 

True. What's the biggest time factor in loading large tables?

When admining estates with tens of thousands of entries, however, much
emphasis needs to be placed on the table filters. No
admin in their right mind is going to be performing actions on all
entries simultaneously.  Similar to Foreman's filters, could
FreeIPA allow (example) in the hosts screen a filter of hostgroup =
groupX to show only hosts belonging to that group?  Or filtering users
with manager = 'Duncan Innes'?

 
  Still a huge improvement though - these are just niggles.
 
  Cheers
 
  D
 --
 Petr Vobornik

Cheers

D



[Freeipa-users] FreeIPA 4.0 Demo

2014-07-10 Thread Innes, Duncan
I may be jumping the gun slightly, but I'm wondering when the demo site
will be upgraded to FreeIPA 4.0?
 
Cheers
 
D


[Freeipa-users] Standard Logging

2014-06-17 Thread Innes, Duncan
Hi folks,

Is there any movement towards getting FreeIPA to use more standard
logging tools?  Journald or rsyslog.

Wondering because at the moment, the rotation of logs is non standard
compared to most of the rest of our estate.  It would be a boost for us
to know that rsyslog/journald are handling the logging (enabling us to
get the log files sent over the network) and logrotate is rotating the
logs and can compress logs if we want (which we do).

Cheers

Duncan



Re: [Freeipa-users] Standard Logging

2014-06-17 Thread Innes, Duncan
Fair call Rob, I should have put standard in quotes.  I think I meant
to.

I know applications doing their own logging is pretty wide spread too.
It's just that moving to a more unified tool that performed the logging,
remote shipping, rotation, compression etc (where required) would be
great.

Whilst I like journald a lot, it still misses native log shipping.  I
think it's being worked on though.

As an IdM user, I figure I'll have to wait around quite a while to get
any such features.

I'll have a poke around with using rsyslog for some IPA logs just now.

Cheers

Duncan 

 -Original Message-
 From: Rob Crittenden [mailto:rcrit...@redhat.com] 
 Sent: 17 June 2014 17:07
 To: Innes, Duncan; freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Standard Logging
 
 Innes, Duncan wrote:
  Hi folks,
  
  Is there any movement towards getting FreeIPA to use more standard 
  logging tools?  Journald or rsyslog.
 
 I wouldn't exactly call servers logging to their own files as 
 non-standard.
 
 You can theoretically configure most services to use at least 
 rsyslogd now. I say theoretically because we haven't tried 
 in the context of IPA but I doubt you'd be plowing any new 
 ground by configuring it.
 
  Wondering because at the moment, the rotation of logs is 
 non standard 
  compared to most of the rest of our estate.  It would be a 
 boost for 
  us to know that rsyslog/journald are handling the logging 
 (enabling us 
  to get the log files sent over the network) and logrotate 
 is rotating 
  the logs and can compress logs if we want (which we do).
 
 There is a long-term ticket to use journald,
 https://fedorahosted.org/freeipa/ticket/4296
 
 rob
 



Re: [Freeipa-users] FreeIPA public demo available

2014-06-06 Thread Innes, Duncan
This is good to see - sometimes difficult to be allowed to pop up
another dev IPA server in a corporate network.

Is it possible to determine the current running version of IPA from the
Web interface?  Never had to do this as I've always had console access
to my servers, but I can't find anywhere that tells me the current
version on this demo.

Thanks

Duncan

 -Original Message-
 From: freeipa-users-boun...@redhat.com 
 [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Kosek
 Sent: 05 June 2014 09:51
 To: freeipa-users@redhat.com; freeipa-inter...@redhat.com; 
 sssd-us...@lists.fedorahosted.org
 Subject: [Freeipa-users] FreeIPA public demo available
 
 Hello all FreeIPA users and enthusiasts!
 
 I would like to invite everyone to try our new public FreeIPA 
 demo instance running on Red Hat OpenStack platform:
 
 http://www.freeipa.org/page/Demo
 
 The demo will always hold the latest stable version of 
 FreeIPA or a Beta version of a next major release (e.g. when 
 4.0 Beta is available).
 
 The demo is great for:
 * Testing changes and enhancements in the most recent CLI/Web UI/API
 * Testing integration in the OS - FreeIPA clients can be enrolled
 * Testing web applications with LDAP/Kerberos authentication 
 and advanced integration with FreeIPA
 
 You can read all the details in the page referred above.
 
 Feedback welcome!
 
 --
 Martin Kosek mko...@redhat.com
 Supervisor, Software Engineering - Identity Management Team 
 Red Hat Inc.
 



Re: [Freeipa-users] FreeIPA public demo available

2014-06-06 Thread Innes, Duncan
I've already seen some screenshots - it's a *big* improvement!

 -Original Message-
 From: Martin Kosek [mailto:mko...@redhat.com] 
 Sent: 06 June 2014 09:08
 To: Innes, Duncan; freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] FreeIPA public demo available
 
 Good question. Note that this server is just a sandbox, so if 
 you need to store data persistently, your own VM would be a better choice.
 
 Current FreeIPA server demo is version 3.3.5, unfortunately 
 you cannot find that out from current Web UI. FreeIPA 4.0 (in 
 development) will have a dialog with version though. Do not 
 worry, you will notice when 4.0 Beta is enrolled there as 
 its Web UI has been revisited and is awesome :-)
 
 Martin
 
 On 06/06/2014 09:55 AM, Innes, Duncan wrote:
  This is good to see - sometimes difficult to be allowed to pop up 
  another dev IPA server in a corporate network.
  
  Is it possible to determine the current running version of IPA from 
  the Web interface?  Never had to do this as I've always had console 
  access to my servers, but I can't find anywhere that tells me the 
  current version on this demo.
  
  Thanks
  
  Duncan
  
  -Original Message-
  From: freeipa-users-boun...@redhat.com 
  [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Kosek
  Sent: 05 June 2014 09:51
  To: freeipa-users@redhat.com; freeipa-inter...@redhat.com; 
  sssd-us...@lists.fedorahosted.org
  Subject: [Freeipa-users] FreeIPA public demo available
 
  Hello all FreeIPA users and enthusiasts!
 
  I would like to invite everyone to try our new public FreeIPA demo 
  instance running on Red Hat OpenStack platform:
 
  http://www.freeipa.org/page/Demo
 
  The demo will always hold the latest stable version of 
 FreeIPA or a 
  Beta version of a next major release (e.g. when 4.0 Beta is 
  available).
 
  The demo is great for:
  * Testing changes and enhancements in the most recent 
 CLI/Web UI/API
  * Testing integration in the OS - FreeIPA clients can be enrolled
  * Testing web applications with LDAP/Kerberos authentication and 
  advanced integration with FreeIPA
 
  You can read all the details in the page referred above.
 
  Feedback welcome!
 
  --
  Martin Kosek mko...@redhat.com
  Supervisor, Software Engineering - Identity Management 
 Team Red Hat 
  Inc.
 
 


Re: [Freeipa-users] Setting up IPA to log remotely

2014-06-03 Thread Innes, Duncan
I'm starting to log IPA to a central point too.  I'd hoped the A part of
IPA would have arrived, but other functionality has pushed it down the
priority list.  Would be good to see it arrive as something integrated
with systemd/journald with fully separated log fields instead of a
simple log text line.

For now, rsyslog does a decent job of sending the logs over the network
and I'm using logstash to parse logs and pop them into elasticsearch for
analysing via Kibana.  I've had most trouble with the rsyslog side of
things, but that's because I tried to get rsyslog to send in JSON format
rather than plain text.  Once I reined in my ambition, it proved to be
somewhat easier -

All I've added to RHEL6 client is a file /etc/rsyslog.d/logstash.conf
with contents:

*.* @logstash.example.com:5544

and (firewalls permitting) my logs end up at the logstash server for
parsing.

Duncan

 -Original Message-
 From: freeipa-users-boun...@redhat.com 
 [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Brendan Kearney
 Sent: 03 June 2014 03:26
 To: Steven Jones
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Setting up IPA to log remotely
 
 On Tue, 2014-06-03 at 00:42 +, Steven Jones wrote:
  Hi,
  
  I'll raise a request for this to be added then.
  
  Its a bit of an enterprise requirement feature that is of 
 use for us.
  
  Not having much luck with rsyslog and application logs at 
 the moment, good and accurate docs seem lacking for RHEL6.
  
  regards
  
  Steven
  
  From: Rob Crittenden rcrit...@redhat.com
  Sent: Tuesday, 3 June 2014 9:27 a.m.
  To: Steven Jones
  Cc: freeipa-users@redhat.com
  Subject: Re: [Freeipa-users] Setting up IPA to log remotely
  
  Steven Jones wrote:
   Is there a way to get IPA to send its logs remotely?
  
  We intend to do something like this with audit, most likely 
 using the 
  systemd journal, but it's a ways off.
  
  For now you'd need to do it manually on a per-service basis. I'd 
  suggest looking at rsyslogd. You should be able to at least get the 
  Apache and 389-ds logs using that.
  
  rob
  
  
  
 
 check out http://www.rsyslog.com/doc/master/index.html for 
 good and accurate docs.  i am using fedora 16 and 20 with 
 RELP, forwarding syslog from everywhere to a central location, 
 and then dumping the logs into mysql.  phplogcon bolts on top 
 of it for a web view of all the logs.
 
 on a sending source:
 $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
 $SystemLogRateLimitInterval 0
 $IMUXSockRateLimitInterval 0
 
 $ModLoad imklog   # provides kernel logging support (previously done by rklogd)
 #$ModLoad immark  # provides --MARK-- message capability
 
 # Provides UDP syslog reception
 $ModLoad imudp
 $UDPServerRun 514
 
 # Provides TCP syslog reception
 $ModLoad imtcp
 $InputTCPServerRun 514
 
 # Provides RELP transmission
 $ModLoad omrelp
 *.* :omrelp:192.168.25.1:20514;RSYSLOG_ForwardFormat
 ~
 
 on a receiving destination:
 $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
 $SystemLogRateLimitInterval 0
 $IMUXSockRateLimitInterval 0
 
 $ModLoad imklog   # provides kernel logging support (previously done by rklogd)
 #$ModLoad immark  # provides --MARK-- message capability
 
 # Provides UDP syslog reception
 $ModLoad imudp
 $UDPServerRun 514
 
 # Provides TCP syslog reception
 $ModLoad imtcp
 $InputTCPServerRun 514
 
 # Provides RELP reception
 $ModLoad imrelp
 $InputRELPServerRun 20514
 
 # Provides MySQL connectivity
 $ModLoad ommysql
 # MASSIVE INSERT RATE FOR DB / SCALED DB LOGGING 
 $WorkDirectory /var/spool/rsyslog # default location for work (spool) files
 $ActionQueueType LinkedList # use asynchronous processing
 $ActionQueueFileName dbq    # set file name, also enables disk mode
 $ActionResumeRetryCount -1  # infinite retries on insert failure
 # for PostgreSQL replace :ommysql: by :ompgsql: below:
 *.* :ommysql:server.domain.tld,Syslog,user,password
 
 

Re: [Freeipa-users] Setting up IPA to log remotely

2014-06-03 Thread Innes, Duncan
Kibana just renders the data, so I have no specific configuration for
that.

My logstash config (mostly cribbed from logstash.net) is as follows:

/etc/logstash/conf.d/syslog.conf

Containing:

input {
  syslog {
    type => "syslog"
    port => 5544
  }
  udp {
    type => "syslogjson"
    port => 5500
    codec => json
  }
}

filter {
  # This replaces the host field (UDP source) with the host that
  # generated the message (sysloghost)
  if [sysloghost] {
    mutate {
      replace => [ "host", "%{sysloghost}" ]
      remove_field => "sysloghost" # prune the field after successfully replacing host
    }
  }
}

output {
  elasticsearch {
    protocol => "node"
    node_name => "Indexer01"
  }
}

This is my dev cluster which runs a logstash-1.4.1 RPM install
connecting to an elasticsearch cluster running on 3 workstations and a
laptop.  The UDP connection is only used by a single client, so could be
ignored.  This is the JSON sending that I referred to previously.  Not
entirely successful so far.

On my prod system I've also managed to write some grok filters:

/etc/logstash.conf

input {
  syslog {
    type => "syslog"
    port => 5544
  }
}

filter {
  if [type] == "syslog" {
    grok {
      patterns_dir => "/opt/logstash/patterns"
      match => { "message" => "%{BESPOKFW}" }
      match => { "message" => "%{AUDITAVC}" }
    }
  }
}

output {
  elasticsearch {
    embedded => true
    template_overwrite => true
    manage_template => false
  }
}
 
With

/opt/logstash/patterns/bespokfw containing

NETFILTERMAC %{COMMONMAC:dst_mac}:%{COMMONMAC:src_mac}:%{ETHTYPE:ethtype}
ETHTYPE (?:(?:[A-Fa-f0-9]{2}):(?:[A-Fa-f0-9]{2}))
IPTABLES1 (?:%{WORD:vmfw}: IN=(%{WORD:in_device})? OUT=(%{WORD:out_device})? (MAC=%{NETFILTERMAC})?.*SRC=%{IP:src_ip} DST=%{IP:dst_ip}.*PROTO=%{WORD:proto}?.*SPT=%{INT:src_port}?.*DPT=%{INT:dst_port}?.*)
IPTABLES2 (?:%{WORD:vmfw}: IN=(%{WORD:in_device})? OUT=(%{WORD:out_device})? (MAC=%{NETFILTERMAC})?.*SRC=%{IP:src_ip} DST=%{IP:dst_ip}.*PROTO=%{INT:proto}?.*)
BESPOKFW (?:%{IPTABLES1}|%{IPTABLES2})

And

/opt/logstash/patterns/auditavc containing

AVCDEV (%{NUMBER:devmaj}:%{NUMBER:devmin})
AUDITAVC (?:type=%{WORD:audit_type} audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\): avc:\s*%{WORD:avc_action}\s*\{ %{WORD:avc_type} \} for\s*pid=(%{NUMBER:avc_pid})? comm=\"(%{WORD:avc_comm})?\" %{WORD:avc_class}=\"(%{NOTSPACE:avc_class_value})?\"( dev=(%{AVCDEV:avc_dev})? ino=(%{NUMBER:avc_ino})?)? scontext=(%{NOTSPACE:avc_scontext})? tcontext=(%{NOTSPACE:avc_tcontext})? tclass=(%{WORD:avc_tclass})?)

This is running a tarball version of logstash (1.3.3 I think) with an
embedded elasticsearch instance.

Both work reasonably well.  Am looking to bring more log data back at
the moment (i.e. application specific logs).

Cheers

Duncan

 -Original Message-
 From: Josh [mailto:joka...@gmail.com] 
 Sent: 03 June 2014 11:54
 To: Innes, Duncan
 Cc: freeipa-users
 Subject: Re: [Freeipa-users] Setting up IPA to log remotely
 
 
 On Jun 3, 2014, at 4:37 AM, Innes, Duncan 
 duncan.in...@virginmoney.com wrote:
 
  I'm starting to log IPA to a central point too.  I'd hoped 
 the A part 
  of IPA would have arrived, but other functionality has 
 pushed it down 
  the priority list.  Would be good to see it arrive as something 
  integrated with systemd/journald with fully separated log fields 
  instead of a simple log text line.
  
  For now, rsyslog does a decent job of sending the logs over the 
  network and I'm using logstash to parse logs and pop them into 
  elasticsearch for analysing via Kibana.  I've had most trouble with 
  the rsyslog side of things, but that's because I tried to 
 get rsyslog 
  to send in JSON format rather than plain text.  Once I 
 reined in my 
  ambition, it proved to be somewhat easier -
  
 
 Any chance you could share your kibana configuration?
  All I've added to RHEL6 client is a file 
 /etc/rsyslog.d/logstash.conf 
  with contents:
  
  *.* @logstash.example.com:5544
  
  and (firewalls permitting) my logs end up at the logstash 
 server for 
  parsing.
  
  Duncan
 snip
 
 -josh
 
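
The two pattern files posted above can be exercised without a Logstash install. What follows is an added example, not Duncan's code and not part of Logstash: a small grok expander that compiles BESPOKFW and AUDITAVC into Python regexes and runs them over constructed log lines. The core patterns it defines (WORD, INT, NUMBER, IP, NOTSPACE, COMMONMAC) are simplified stand-ins for the grok library's, and the sample messages are constructed, not real captures.

```python
"""Mini grok expander, added here as an example (not Duncan's or Logstash's code).

It compiles the bespokfw and auditavc pattern files from the post above into
Python regexes and runs them over constructed sample lines, so the field
extraction can be checked without a Logstash instance."""
import re

# Core patterns: a constructed, simplified subset of Logstash's grok library
# (assumption: equivalent to upstream WORD/INT/NUMBER/IP/NOTSPACE/COMMONMAC for
# these samples). The remaining entries are the definitions from the post.
PATTERNS = {
    "WORD": r"\b\w+\b",
    "INT": r"[+-]?\d+",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "NOTSPACE": r"\S+",
    "COMMONMAC": r"(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2}",
    # /opt/logstash/patterns/bespokfw
    "ETHTYPE": r"(?:(?:[A-Fa-f0-9]{2}):(?:[A-Fa-f0-9]{2}))",
    "NETFILTERMAC": r"%{COMMONMAC:dst_mac}:%{COMMONMAC:src_mac}:%{ETHTYPE:ethtype}",
    "IPTABLES1": (r"(?:%{WORD:vmfw}: IN=(%{WORD:in_device})? OUT=(%{WORD:out_device})? "
                  r"(MAC=%{NETFILTERMAC})?.*SRC=%{IP:src_ip} DST=%{IP:dst_ip}"
                  r".*PROTO=%{WORD:proto}?.*SPT=%{INT:src_port}?.*DPT=%{INT:dst_port}?.*)"),
    "IPTABLES2": (r"(?:%{WORD:vmfw}: IN=(%{WORD:in_device})? OUT=(%{WORD:out_device})? "
                  r"(MAC=%{NETFILTERMAC})?.*SRC=%{IP:src_ip} DST=%{IP:dst_ip}"
                  r".*PROTO=%{INT:proto}?.*)"),
    "BESPOKFW": r"(?:%{IPTABLES1}|%{IPTABLES2})",
    # /opt/logstash/patterns/auditavc
    "AVCDEV": r"(%{NUMBER:devmaj}:%{NUMBER:devmin})",
    "AUDITAVC": (r'(?:type=%{WORD:audit_type} audit\(%{NUMBER:audit_epoch}:'
                 r'%{NUMBER:audit_counter}\): avc:\s*%{WORD:avc_action}\s*\{ %{WORD:avc_type} \} '
                 r'for\s*pid=(%{NUMBER:avc_pid})? comm=\"(%{WORD:avc_comm})?\" '
                 r'%{WORD:avc_class}=\"(%{NOTSPACE:avc_class_value})?\"'
                 r'( dev=(%{AVCDEV:avc_dev})? ino=(%{NUMBER:avc_ino})?)? '
                 r'scontext=(%{NOTSPACE:avc_scontext})? tcontext=(%{NOTSPACE:avc_tcontext})? '
                 r'tclass=(%{WORD:avc_tclass})?)'),
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand(pattern, used=None):
    """Recursively replace %{NAME:field} with Python named groups.

    Grok (Oniguruma) allows the same capture name in both branches of an
    alternation such as BESPOKFW; Python's re does not, so repeated field
    names get a numeric suffix that grok_match() strips again after matching."""
    used = {} if used is None else used

    def repl(m):
        name, field = m.group(1), m.group(2)
        inner = expand(PATTERNS[name], used)
        if field is None:
            return f"(?:{inner})"
        n = used.get(field, 0)
        used[field] = n + 1
        group = field if n == 0 else f"{field}__{n}"
        return f"(?P<{group}>{inner})"

    return GROK_REF.sub(repl, pattern)


COMPILED = {name: re.compile(expand(PATTERNS[name])) for name in ("BESPOKFW", "AUDITAVC")}


def grok_match(name, line):
    """Return the fields extracted from one syslog message, or None when the
    pattern does not match. Unmatched optional captures are dropped, as grok does."""
    m = COMPILED[name].search(line)
    if m is None:
        return None
    fields = {}
    for group, value in m.groupdict().items():
        base = group.split("__")[0]
        if value is not None and base not in fields:
            fields[base] = value
    return fields


# Constructed sample messages (not real captures): an iptables LOG line with
# --log-prefix "vmfw: ", a second one for a protocol without ports (IGMP, so
# only the IPTABLES2 branch can match), and an SELinux AVC denial as imklog
# hands it to syslog.
SAMPLE_FW = ("vmfw: IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:50:56:ab:cd:ef:08:00 "
             "SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF "
             "PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0")
SAMPLE_FW_IGMP = ("vmfw: IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:50:56:ab:cd:ef:08:00 "
                  "SRC=192.0.2.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2")
SAMPLE_AVC = ('type=1400 audit(1401789600.123:456): avc:  denied  { read } for  pid=1234 '
              'comm="httpd" name="index.html" dev=253:0 ino=12345 '
              'scontext=system_u:system_r:httpd_t:s0 '
              'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file')

if __name__ == "__main__":
    for name, line in (("BESPOKFW", SAMPLE_FW), ("BESPOKFW", SAMPLE_FW_IGMP),
                       ("AUDITAVC", SAMPLE_AVC)):
        print(name, grok_match(name, line))
```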

Re: [Freeipa-users] Backup / Restore

2014-03-27 Thread Innes, Duncan
Martin,

Did the backup/restore scripts reach more than experimental status?
Looks like they were released in FreeIPA 3.2.

It's a problem for me that this kind of functionality hasn't yet moved
into RHEL.

Backup/restore from some corporate use perspectives, cannot rely on
system snapshotting.  Whilst a snapshot may make an easier recovery
procedure for an admin, it is a take-it-or-leave-it approach.  I cannot,
for example, restore missing data that was deleted by mistake without
losing other edits that have happened in the interim.

A VM snapshot is certainly a valid last-stop method of backing up IPA,
but it doesn't cover some of the use cases that most companies find
themselves having to deal with.

Thanks

Duncan

 -Original Message-
 From: freeipa-users-boun...@redhat.com 
 [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Kosek
 Sent: 27 March 2014 12:31
 To: Andrew Holway; freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Backup / Restore
 
 On 03/27/2014 01:09 PM, Andrew Holway wrote:
  Hello,
  
  I am being tasked with setting up freeipa for an organisation. A 
  replica will be created but they also require a backup / restore 
  strategy.
  
  Has anyone implemented backup restore? Ideas? 
 Recommendations? Dragons?
  
  Thanks,
  
  Andrew
 
 Good topic! I would be really interested in experience from 
 FreeIPA users. I can only provide information from FreeIPA 
 development team member point of view.
 
 Our thoughts on topic of Backup and restore:
 http://www.freeipa.org/page/Backup_and_Restore
 
 Original design of backup and restore scripts:
 http://www.freeipa.org/page/V3/Backup_and_Restore
 
 As you can read in the first document, we are not yet 
 convinced that backuprestore scripts is the right thing to 
 do + we also do not have enough information from the field. 
 If these scripts is what admin wants, if yes - do they work for them?
 
 If you check open Backup and Restore tickets, there are 
 really not many of them:
 https://fedorahosted.org/freeipa/query?status=assignedstatus=
newstatus=reopenedcomponent=Backuporder=prioritycol=idcol=summaryc
ol=statuscol=typecol=prioritycol=milestonecol=componentgrou
p=milestone
 
 Martin
 


Re: [Freeipa-users] Replication issue

2014-03-05 Thread Innes, Duncan
Sorry - the upgrade was actually from RHEL 6.3 to RHEL 6.5.
 
ipa went from 
 
ipa-server-2.2.0-16.el6.x86_64
 
to 
 
ipa-server-3.0.0-37.el6.x86_64
 
Cheers
Duncan




From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Steven Jones
Sent: 05 March 2014 00:02
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Replication issue



RHEL 6.4 to RHEL 6.5?





regards

Steven 






From: freeipa-users-boun...@redhat.com
freeipa-users-boun...@redhat.com on behalf of Innes, Duncan
duncan.in...@virginmoney.com
Sent: Wednesday, 5 March 2014 9:22 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Replication issue 
 
Hi,
 
I'm testing an upgrade of my prod IPA servers in a dev cluster
at the moment.  Finally completed the upgrade, so I tested some user
adds via the WebUI.
 
Added user aardvark on ipa01 - replicated to ipa02
Added user beaver on ipa02 - NOT replicated to ipa01
Added user banana on ipa02 - replicated to ipa01
Added user elephant on ipa02 - replicated to ipa01
Edited user beaver on ipa02 - NOT replicated to ipa01
 
Is there anything I can do to force IPA to replicate that user
from ipa02 to ipa01?
 
I have tried running 'ipa-replica-manage force-sync --from
ipa02' on ipa01, but it hasn't appeared to do anything.
 
Thanks

Duncan


Re: [Freeipa-users] Replication issue

2014-03-05 Thread Innes, Duncan
=Password Policy,cn=accounts,dc=dev,dc=vmoney,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[04/Mar/2014:20:00:19 +] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=dev,dc=vmoney,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[04/Mar/2014:20:00:19 +] set_krb5_creds - Could not get initial credentials for principal [ldap/lvdlvldap02.unix.vmoney.local@DEV.VMONEY.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[04/Mar/2014:20:00:19 +] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)
[04/Mar/2014:20:00:19 +] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[04/Mar/2014:20:00:19 +] NSMMReplicationPlugin - agmt=cn=meTolvdlvldap01.unix.vmoney.local (lvdlvldap01:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[04/Mar/2014:20:00:19 +] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[04/Mar/2014:20:00:19 +] - Listening on All Interfaces port 636 for LDAPS requests
[04/Mar/2014:20:00:19 +] - Listening on /var/run/slapd-DEV-VMONEY-LOCAL.socket for LDAPI requests
[04/Mar/2014:20:00:22 +] NSMMReplicationPlugin - agmt=cn=meTolvdlvldap01.unix.vmoney.local (lvdlvldap01:389): Replication bind with GSSAPI auth resumed

The confusing point for me is that users were successfully added in each
direction before and after the failing beaver user.
 
Cheers
Duncan




From: Rich Megginson [mailto:rmegg...@redhat.com] 
Sent: 04 March 2014 22:41
To: Innes, Duncan; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Replication issue


On 03/04/2014 01:22 PM, Innes, Duncan wrote:


Hi,
 
I'm testing an upgrade of my prod IPA servers in a dev
cluster at the moment.  Finally completed the upgrade, so I tested some
user adds via the WebUI.
 
Added user aardvark on ipa01 - replicated to ipa02
Added user beaver on ipa02 - NOT replicated to ipa01
Added user banana on ipa02 - replicated to ipa01
Added user elephant on ipa02 - replicated to ipa01
Edited user beaver on ipa02 - NOT replicated to ipa01


Is there anything in /var/log/dirsrv/slapd-DOMAIN-COM/errors on
ipa01 or ipa02?



 
Is there anything I can do to force IPA to replicate
that user from ipa02 to ipa01?
 
I have tried running 'ipa-replica-manage force-sync
--from ipa02' on ipa01, but it hasn't appeared to do anything.
 
Thanks

Duncan


[Freeipa-users] Replication issue

2014-03-04 Thread Innes, Duncan
Hi,
 
I'm testing an upgrade of my prod IPA servers in a dev cluster at the
moment.  Finally completed the upgrade, so I tested some user adds via
the WebUI.
 
Added user aardvark on ipa01 - replicated to ipa02
Added user beaver on ipa02 - NOT replicated to ipa01
Added user banana on ipa02 - replicated to ipa01
Added user elephant on ipa02 - replicated to ipa01
Edited user beaver on ipa02 - NOT replicated to ipa01
 
Is there anything I can do to force IPA to replicate that user from
ipa02 to ipa01?
 
I have tried running 'ipa-replica-manage force-sync --from ipa02' on
ipa01, but it hasn't appeared to do anything.
 
Thanks

Duncan


[Freeipa-users] SUDOers config with cleartext password?

2013-09-30 Thread Innes, Duncan
Hi folks,
 
Just wondering if it's really the case that I have to use a cleartext
bindpw in my /etc/sudo-ldap.conf file in order to get sudoers looking at
my FreeIPA servers?

It's the first time I've looked into this side of things in FreeIPA and
it just seems a bit more clunky than other areas in my mind.

Thanks

Duncan



Re: [Freeipa-users] SUDOers config with cleartext password?

2013-09-30 Thread Innes, Duncan
Thanks,

I'll try and speed up my migration to RHEL 6.4 then :)

Duncan 

 -Original Message-
 From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
 Sent: 30 September 2013 17:26
 To: Innes, Duncan
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] SUDOers config with cleartext password?
 
 On Mon, 30 Sep 2013, Innes, Duncan wrote:
 Hi folks,
 
 Just wondering if it's really the case that I have to use a 
 cleartext 
 bindpw in my /etc/sudo-ldap.conf file in order to get 
 sudoers looking 
 at my FreeIPA servers?
 
 It's the first time I've looked into this side of things in 
 FreeIPA and 
 it just seems a bit more clunky than other areas in my mind.
 If you have Fedora 18+ or RHEL 6.4+, you simply follow this recipe:
 https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html
 and everything should work without exposing anything in clear text.
 
 --
 / Alexander Bokovoy
 
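
A check for the two sudo lookup paths discussed in this thread, written here as an added example (not FreeIPA's or SSSD's code): it flags a client that still carries a bindpw in /etc/sudo-ldap.conf or routes sudoers through ldap in nsswitch.conf, and reports nothing once the SSSD sudo responder is enabled and nsswitch lists sss. The file contents are constructed samples; the parsing assumes an INI-style sssd.conf, 'database: source source' lines in nsswitch.conf and 'key value' lines in sudo-ldap.conf.

```python
"""Added example (not FreeIPA's or SSSD's code): report whether a client still
serves sudo rules through /etc/sudo-ldap.conf with a stored bindpw, or through
the SSSD sudo responder. Parsing assumptions: sssd.conf is INI-style,
nsswitch.conf lines read 'database: source source', and sudo-ldap.conf uses
'key value' lines."""
import configparser


def parse_nsswitch(text):
    """Map each nsswitch database to its ordered list of sources."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, sources = line.split(":", 1)
        databases[name.strip()] = sources.split()
    return databases


def parse_sudo_ldap(text):
    """Return the option names set in sudo-ldap.conf. Values are discarded so a
    bindpw never ends up in the findings or in whatever logs them."""
    keys = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            keys.add(line.split(None, 1)[0].lower())
    return keys


def audit_sudo_lookup(sssd_conf, nsswitch_conf, sudo_ldap_conf):
    """Return findings as strings; an empty list means sudo lookups go via SSSD
    and no LDAP bind password is stored on the client."""
    findings = []
    sssd = configparser.ConfigParser(interpolation=None)
    sssd.read_string(sssd_conf)
    # RHEL 6-era sssd.conf starts responders from the [sssd] services list.
    services = [s.strip() for s in sssd.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        findings.append("sssd.conf: 'sudo' is not in [sssd] services, responder not running")
    sources = parse_nsswitch(nsswitch_conf).get("sudoers", [])
    if "sss" not in sources:
        findings.append("nsswitch.conf: sudoers line does not list 'sss'")
    if "ldap" in sources:
        findings.append("nsswitch.conf: sudoers still consults 'ldap' (sudo-ldap.conf path)")
    if "bindpw" in parse_sudo_ldap(sudo_ldap_conf):
        findings.append("sudo-ldap.conf: cleartext bindpw stored on the client")
    return findings


# Constructed sample files (not from a real host). WEAK is the sudo-ldap.conf
# approach the question asks about; FIXED is the SSSD-served layout.
SSSD_WEAK = "[sssd]\nservices = nss, pam\ndomains = example.com\n\n[domain/example.com]\nid_provider = ipa\n"
NSSWITCH_WEAK = "passwd: files sss\nsudoers: files ldap\n"
SUDO_LDAP_WEAK = (
    "uri ldap://ipa01.example.com\n"
    "sudoers_base ou=sudoers,dc=example,dc=com\n"
    "binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n"
    "bindpw PLACEHOLDER-NOT-A-REAL-PASSWORD\n"
)
SSSD_FIXED = (
    "[domain/example.com]\nid_provider = ipa\n"
    "ipa_server = ipa01.example.com, ipa02.example.com\n\n"
    "[sssd]\nservices = nss, sudo, pam, ssh\nconfig_file_version = 2\n"
    "domains = example.com\n\n[sudo]\n"
)
NSSWITCH_FIXED = "passwd: files sss\nsudoers: files sss\n"
SUDO_LDAP_FIXED = ""  # file removed (or emptied) once SSSD serves sudo

if __name__ == "__main__":
    for label, args in (("weak", (SSSD_WEAK, NSSWITCH_WEAK, SUDO_LDAP_WEAK)),
                        ("fixed", (SSSD_FIXED, NSSWITCH_FIXED, SUDO_LDAP_FIXED))):
        print(label, audit_sudo_lookup(*args) or ["ok"])
```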


Re: [Freeipa-users] Force IPA to accept password?

2013-09-27 Thread Innes, Duncan
 

 -Original Message-
 From: freeipa-users-boun...@redhat.com 
 [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Sumit Bose
 Sent: 26 September 2013 17:36
 To: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Force IPA to accept password?
 
 On Thu, Sep 26, 2013 at 02:58:43PM +0100, Innes, Duncan wrote:
  Sorry,
  
   -Original Message-
   From: Martin Kosek [mailto:mko...@redhat.com]
   Sent: 26 September 2013 14:29
   To: Innes, Duncan
   Cc: freeipa-users@redhat.com
   Subject: Re: [Freeipa-users] Force IPA to accept password?
   
   On 09/26/2013 01:05 PM, Innes, Duncan wrote:
Hi,

Can I force IPA to accept a new password that I have chosen?
   
   What password do you have in mind? A password of an IPA user?
   
  
  Yes - for my authentication when SSHing onto a Linux box.
  

Today I've had to change my password in 2x AD domains and other 
places according to policy.  I've done this.

But coming to IPA, I find that I've chosen a BAD PASSWORD.  
Without getting into the merits of the AD password policy
and the security of the password I've chosen, can I force IPA 
to accept my new password at all?
   
   Well, without getting into security of the approach, you could 
   change the global password policy or group password policy so
   that the new password is accepted:
   
   $ ipa pwpolicy-mod --minlength=5
   
   or
   
   $ ipa pwpolicy-add usergroup --minlength=5
   
   ... to fix whatever failing password policy attribute.
  
  
  The error comes from a dictionary check I think.  AD does as well
  as far as I know, but would appear to have a smaller dictionary or
  looser rules.
  
  Kind of what I expected/feared though.  I don't want to change the
  IPA policy at all, just override its objection.  For now, I went
  the long route and changed my IPA password first, then changed the
  other passwords To match what IPA was happy with.
 
 Which command did you use to change the password? 'passwd' or 
 'ipa passwd'?
 
 If you use 'passwd' the PAM stack on the client for the 
 passwd command comes into play which typically has some 
 modules like pam_pwquality.so listed which do checks 
 including dictionary checks.
 
 If you use 'ipa passwd' the password should be only validated 
 against the server-side password policy Martin mentioned above.

Sumit, yes - I used 'passwd'.  I'll look into using 'ipa passwd' in about
3 months time :-)

Thanks

 
 HTH
 
 bye,
 Sumit
  
   HTH,
   Martin
   
  
  Cheers  thanks for your help
  
  Duncan
  



Re: [Freeipa-users] Force IPA to accept password?

2013-09-27 Thread Innes, Duncan
 From: Martin Kosek [mailto:mko...@redhat.com] 
 Sent: 27 September 2013 09:28
 To: Innes, Duncan
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Force IPA to accept password?
 
 On 09/27/2013 09:31 AM, Innes, Duncan wrote:
 
 
  From: freeipa-users-boun...@redhat.com 
  [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Sumit Bose
  Sent: 26 September 2013 17:36
  To: freeipa-users@redhat.com
  Subject: Re: [Freeipa-users] Force IPA to accept password?
 ...
  Which command did you use to change the password? 'passwd' or 'ipa 
  passwd'?
 
  If you use 'passwd' the PAM stack on the client for the passwd 
  command comes into play which typically has some modules like 
  pam_pwquality.so listed which do checks including dictionary
checks.
 
  If you use 'ipa passwd' the password should be only validated
  against the server-side password policy Martin mentioned above.
 
  Sumit, yes - I used 'passwd'.  I'll look into using 'ipa passwd' in 
  about
  3 months time :-)
 
 Eh, ok :-) BTW, you could also use standard kpasswd, it should 
 also avoid modules like pam_pwquality.so and only use the 
 server policy.
 
 Martin
 

OK - this is opening my eyes somewhat.  I know about the password policy
section of IPA, but there doesn't appear to be anywhere to control the
quality of the password.  Is this done by PAM on the server?  If it's not,
how do I enforce things like ensuring at least 1 upper case, 1 lower case,
1 number and 1 special character?  I don't see that in the docs.

Would like to be able to ensure that the minimum password policy is
centralised rather than perhaps having an erroneous strict policy on a few
machines.

Thanks

Duncan



[Freeipa-users] Automated Kickstart Enrollment

2013-09-03 Thread Innes, Duncan
Hi folks,
 
I've got a question about kickstart enrollment with a one-time password.
Namely, is there any way that it can be done *without* the one-time
password.  We're comfortable with the pre-creation of the host in IPA,
but just wonder if there's a way to enrol without the one-time password.

 
The estate is Red Hat (mostly 6) and we deploy systems via kickstart
from the Satellite.  Can the Satellite push out a certificate from the
IPA system that would allow the client to enrol without the OTP?  Our
enrollment script runs as part of the kickstart postinstall with the OTP
effectively sitting in plain text in the script.  Removing the OTP would
remove the plain text authentication from this script, but I may be
opening other security holes as a result.
 
Cheers
 
Duncan Innes
 


Re: [Freeipa-users] Backup and Restore procedures for IPA 2.2.0?

2012-12-19 Thread Innes, Duncan
Are there any results you can even talk about at this stage?
 
If not, I'd suggest turning up the heat a notch or two to get it on the
boil :-)
 
I know this is FreeIPA, but Red Hat shipping Identity Management as a
supported feature without any backup/restore mechanism is a pretty big
hole in functionality.
 
D
 
Duncan Innes | Linux Architect




From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: 18 December 2012 18:42
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Backup and Restore procedures for
IPA 2.2.0?


On 12/18/2012 01:39 PM, David Copperfield wrote: 

Hi all,

  Is the backup and restore procedure for IPA available
now? It's rumored months back that some one was working on it but not
sure what is the progress on it. Please shed a light if you have any
ideas. 

 I'm running the default latest 2.2.0 IPA on
Redhat/Centos 6.3.




Yes there is a simmering effort. But there are unfortunately no
results we can share yet.




Thanks.
David


 

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.



Re: [Freeipa-users] Desperate help requested.

2012-08-28 Thread Innes, Duncan
 -Original Message-
 From: freeipa-users-boun...@redhat.com 
 [mailto:freeipa-users-boun...@redhat.com] On Behalf Of KodaK
 Sent: 26 August 2012 05:06
 To: freeipa-users@redhat.com
 Subject: [Freeipa-users] Desperate help requested.
 
 I've just been informed by my boss's boss's boss that, and I 
 quote from his ridiculous email:
 
 we cannot use anything other than MS AD for authentication
 
 I've spent months of time and much effort rolling out IPA, 
 consolidating authentication across our Linux and AIX 
 machines.  To paraphrase Babbage: I am not able rightly to 
 apprehend the kind of confusion of ideas that could provoke 
 such a statement.
 
 Regardless, I need some help.  I need some help with 
 comparisons between FreeIPA and AD, and the problems and 
 issues one might encounter when trying to authenticate Unix 
 machines against AD.
 Anything that can show IPA being superior to AD for *nix 
 authentication.  Anything at all.  We have a similar number 
 of AIX and Linux servers.  We have a week before we have a 
 meeting to discuss this, and I'd like to be armed to the 
 teeth, if at all possible.
 
 Thanks for any help you can give.  And wish me luck.
 
 Thanks,
 
 --Jason
 

I faced a similar situation recently, but my version wasn't worded so
harshly.

The line to take has already been pointed out - IPA managed sudo &
SELinux from a central point.  These concepts are entirely outwith the
capabilities of Active Directory.  You could also state the
yet-to-be-developed 'A' part of IPA for any Auditing requirements.

We also emphasised here that AD was written purely for Windows domains
and that the effort put in to allowing extra schema for Unix domains is
really not ideal.

You should state, if you have not already done so, that you plan to link
the AD and IPA domains (via a trust or a sync).  That will allay any
fears that users will have different passwords or even usernames to
access various machines.

So your boss's boss's boss can be assured that you are *authenticating*
against AD, but you should still be able to have IPA in there to manage
the idiosyncrasies of the Unix estate.

Hope this helps

Duncan




Re: [Freeipa-users] Specifying load balancing to SSSD clients

2012-08-21 Thread Innes, Duncan
Thanks Simo,

I was hoping for an alternative to the DNS _srv_ records due to the
Windows guys having exclusive use of those records (for now).

Is it feasible for IPA communications to be forced to round-robin
between two or more servers that are replicas of each other?  If it's a
possibility, I will raise a ticket.

Thanks

Duncan Innes | Linux Architect

 

 -Original Message-
 From: Simo Sorce [mailto:sso...@redhat.com] 
 Sent: 21 August 2012 08:04
 To: Innes, Duncan
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Specifying load balancing to SSSD clients
 
 - Original Message -
  OK - thanks.
   
  But is there any way IPA can be tweaked to do this without an 
  external
  product (albeit a Red Hat one)?  Is it possible for the 
 sssd clients 
  to round-robin their requests between 2 or more servers?
 
 At the moment only by using _srv_ records you could do some 
 round-robin (assuming DNS supports it).
 
 Please do not use the load balancer as suggested in a previous 
 reply; also using an A record would not work as machines 
 joined to IPA need the 'correct' server name to be able to 
 perform GSSAPI authentication. A round-robin A record would 
 make that fail. A round-robin CNAME record might work if your 
 DNS server supports something like that.
 
  Is this an sssd question or generic enough to be in this list?
 
 It's both, SSSD implements the client, but in FreeIPA domains 
 we need a joint solution due to Kerberos requirements for DNS names.
 
  Would this functionality be of use to freeIPA in general? 
  (my view = yes)
 
 Yes.
 
 HTH,
 Simo.
  

Re: [Freeipa-users] Specifying load balancing to SSSD clients

2012-08-21 Thread Innes, Duncan
  Thanks Simo,
  
  I was hoping for an alternative to the DNS _srv_ records due to the 
  Windows guys having exclusive use of those records (for now).
  
  Is it feasible for IPA communications to be forced to round-robin 
  between two or more servers that are replicas of each other?  If
  it's a possibility, I will raise a ticket.
 
 The easiest solution for now is to configure your clients by 
 using the primary and backup options in SSSD, and just 
 configure clients to have different orders, so that they will 
 attach to separate servers by default.
 
 Ie client 1 has primary serves of ipa1, ipa2, while client 
 2 has ipa2, ipa1, and so on.
 
 Without control of name resolution on the server side at the 
 moment we do not have other ways to do load balancing.
 
 Simo.
 

That's exactly my strategy for now.  Will be doing it randomly via
script, so hopefully I won't end up with all the noisy servers hitting
ipa1, for example!

It'll do for now though.

Duncan

 

Re: [Freeipa-users] Specifying load balancing to SSSD clients

2012-08-21 Thread Innes, Duncan
 -Original Message-
 From: freeipa-users-boun...@redhat.com 
 [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
 Sent: 20 August 2012 15:28
 To: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Specifying load balancing to SSSD clients
 
 On Mon, Aug 20, 2012 at 02:48:30PM +0100, Innes, Duncan wrote:
  Folks,
  
  Hopefully this isn't a dumb question, but I'm constrained by a few 
  things on my estate and would be looking to deploy something like
  the following:
  
  2 Datacentres
  2 IPA servers at each datacentre
  
  ipa1.domain.com \_ datacentre A
  ipa2.domain.com /
  
  ipa3.domain.com \_ datacentre B
  ipa4.domain.com /
  
  The datacentres are linked, but bandwidth not great.
  
  Clients in datacentre A should therefore use ipa1.domain.com and 
  ipa2.domain.com as primary servers and only fail over to ipa3 &
  ipa4 when both 1 & 2 are out of action.  Clients would revert to
  using ipa1/ipa2 whenever either of them came back online.
  
  I understand this configuration has already been done as part of
  https://fedorahosted.org/freeipa/ticket/2282
 
 Yes, this has been done on the SSSD side as
 https://fedorahosted.org/sssd/ticket/1128
 
 The new feature is going to be part of SSSD 1.9.0. In 
 particular, you would configure the IPA domain like this:
 
 ipa_server = ipa1.domain.com, ipa2.domain.com 
 ipa_backup_server = ipa3.domain.com, ipa4.domain.com
 
  
  What I'm wondering is if I can force my clients to load balance 
  communication between ipa1 & ipa2.
  
 
 No, load balancing is currently not supported.
 
 What *might* work, although I haven't tested the scenario, is 
 creating a new DNS A record that would resolve to IP 
 addresses of both ipa1 and ipa2. The clients would then 
 connect to the first IP address they received. But as I said, 
 I haven't tested this at all.
 
 Feel free to file an RFE, but quite frankly, I think this is 
 precisely what SRV records have been designed for. The load 
 balancing would be performed based on the value of the 
 weight field in the SRV record.
 

I think I'll raise a ticket then.  Not that the _srv_ records don't do
the right job.  It's just that in my scenario they are unusable.  I
can't be alone in deploying IPA in a network already dominated by AD.

For now (as I said in another reply), I'll randomly configure clients to
either ipa1/ipa2 or ipa2/ipa1.

Thanks

D
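Simo's suggestion of giving each client a different primary-server order, together with the ipa_server / ipa_backup_server settings Jakub quotes for SSSD 1.9, as an added example that is not from the thread: a POSIX sh snippet a kickstart %post could use to emit those two sssd.conf lines. The hostnames are the thread's placeholders, and keying the rotation on the hostname (rather than picking at random, as Duncan planned) is this example's own assumption, so a re-run on the same box yields the same order.

```shell
#!/bin/sh
# Added example (not from the list thread): print the SSSD 1.9 ipa_server /
# ipa_backup_server settings for one client, with the local (datacentre A)
# servers rotated per host so that clients spread across ipa1 and ipa2
# instead of all preferring ipa1. Hostnames are the thread's placeholders.

PRIMARY="ipa1.domain.com ipa2.domain.com"   # datacentre A, tried first
BACKUP="ipa3.domain.com ipa4.domain.com"    # datacentre B, only when A is down

# rotate_list OFFSET ITEM...
# Print ITEMs as a comma-separated list rotated left by OFFSET positions
# (OFFSET modulo the item count), e.g. offset 1 of "a b" gives "b, a".
rotate_list() {
    offset="$1"; shift
    count=$#
    [ "$count" -gt 0 ] || return 1
    offset=$(( offset % count ))
    first=""; rest=""; i=0
    for item in "$@"; do
        if [ "$i" -lt "$offset" ]; then
            rest="${rest:+$rest, }$item"      # items moved to the end
        else
            first="${first:+$first, }$item"   # items that now come first
        fi
        i=$(( i + 1 ))
    done
    if [ -n "$rest" ]; then
        printf '%s, %s\n' "$first" "$rest"
    else
        printf '%s\n' "$first"
    fi
}

# host_offset HOSTNAME
# A stable number derived from the hostname (the CRC printed by cksum), so
# re-running the kickstart on the same box gives the same order. This is the
# example's own assumption: a deterministic variation on a random order.
host_offset() {
    printf '%s' "$1" | cksum | cut -d' ' -f1
}

# sssd_ipa_servers HOSTNAME
# Emit the two lines to drop into the [domain/...] section of sssd.conf.
# Both lists use the same per-host offset, so the backup order is spread too.
sssd_ipa_servers() {
    off=$(host_offset "$1")
    # shellcheck disable=SC2086  # word-splitting the server lists is intended
    printf 'ipa_server = %s\n' "$(rotate_list "$off" $PRIMARY)"
    printf 'ipa_backup_server = %s\n' "$(rotate_list "$off" $BACKUP)"
}

# Stand-alone use: SSSD_DEMO_HOST=client42.domain.com sh thisfile.sh
if [ -n "${SSSD_DEMO_HOST:-}" ]; then
    sssd_ipa_servers "$SSSD_DEMO_HOST"
fi
```

Note that this only spreads which server each client prefers; as Jakub says above, SSSD itself does no load balancing, and every client still fails over along the list it was given.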




[Freeipa-users] Specifying load balancing to SSSD clients

2012-08-20 Thread Innes, Duncan
Folks,

Hopefully this isn't a dumb question, but I'm constrained by a few
things on my estate and would be looking to deploy something like the
following:

2 Datacentres
2 IPA servers at each datacentre

ipa1.domain.com \_ datacentre A
ipa2.domain.com /

ipa3.domain.com \_ datacentre B
ipa4.domain.com /

The datacentres are linked, but bandwidth not great.

Clients in datacentre A should therefore use ipa1.domain.com and
ipa2.domain.com as primary servers and only fail over to ipa3 & ipa4
when both 1 & 2 are out of action.  Clients would revert to using
ipa1/ipa2 whenever either of them came back online.

I understand this configuration has already been done as part of
https://fedorahosted.org/freeipa/ticket/2282

What I'm wondering is if I can force my clients to load balance
communication between ipa1 & ipa2.

I don't have the ability to use the _srv_ records in DNS as that's set
up for the AD servers on our network.  I also can't create separate DNS
servers for the Linux estate (not that I'd particularly want to).

Is there any current configuration that I can use to force load
balancing between ipa1/ipa2 under ideal conditions.  Falling back to
ipa2 when ipa1 is out of action.  Falling back to (load balanced
perhaps?) ipa3/ipa4 when ipa1  ipa2 are both out of action.

Hope the description is reasonable.

Thanks

Duncan Innes | Linux Architect




Re: [Freeipa-users] Specifying load balancing to SSSD clients

2012-08-20 Thread Innes, Duncan
OK - thanks.
 
But is there any way IPA can be tweaked to do this without an external
product (albeit a Red Hat one)?  Is it possible for the sssd clients to
round-robin their requests between 2 or more servers?  Is this an sssd
question or generic enough to be in this list?  Would this
functionality be of use to freeIPA in general? (my view = yes)
 
Cheers
 
Duncan Innes | Linux Architect





From: Mark St. Laurent [mailto:mstla...@redhat.com] 
Sent: 20 August 2012 15:15
To: Innes, Duncan
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Specifying load balancing to SSSD
clients



http://www.redhat.com/products/enterprise-linux-add-ons/load-balancing/


Norman Mark St. Laurent
Federal Team: Senior Solutions Architect
Red Hat
8260 Greensboro Drive, Suite 300
McLean VA, 22102
Email:  m...@redhat.com
Cell:  703.772.1434

Check this Link out!!!  Cool Stuff:  http://mil-oss.org/





Re: [Freeipa-users] IPA and UIDs < 500

2012-07-19 Thread Innes, Duncan
On Thu, 2012-07-19 at 07:36 -0400, Stephen Gallagher wrote:
  On Thu, 2012-07-19 at 00:53 +, Steven Jones wrote:
   Actually it's pam... unless IPA is as well.
   
   Which makes sense then to have an application run < 500 so inherently it 
   cannot be logged into via ssh
  
  Well, it's possible to configure your system to allow logging in to
  users below 500, but it's not recommended. The real risk is of having
  system services with an ID that conflicts with a user.

 In general we do not recommend to set ids on your own, let ipa choose
 IDs unless you have a constraint that prevents you from letting that
 happen.

Does this mean that it's impossible to have IPA authenticate the oracle user or 
any other user that is normally below 500?

Our security team is asking that we manage the passwords of oracle and other 
users centrally.  Can IPA do this for me?

Thanks

Duncan

