Re: [Freeipa-users] disable inactive accounts and delete old accounts

2017-01-09 Thread Giger, Justean
I should add that I do not have the "disable last success" option enabled for 
the IPA server
Justean

From: Justean Giger <jgi...@one.verizon.com>
Date: Friday, January 6, 2017 at 9:10 AM
To: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Subject: disable inactive accounts and delete old accounts

I am trying to use the krblastsuccessfulauth attribute to detect accounts that 
have been inactive for >90 days as per this post: 
https://www.redhat.com/archives/freeipa-users/2015-March/msg00052.html
I need to be able to disable these accounts at 90 days then delete them after 
180 days.
However, I find most of my users do not have the krblastsuccessfulauth 
attribute populated. This is not because their accounts have never been used as 
I see they do have valid passwords which expire in the future so they had to 
login at least once (not necessarily with Kerberos though). Is there another 
attribute we can/should use for this?

Justean
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] disable inactive accounts and delete old accounts

2017-01-06 Thread Giger, Justean
I am trying to use the krblastsuccessfulauth attribute to detect accounts that 
have been inactive for >90 days as per this post: 
https://www.redhat.com/archives/freeipa-users/2015-March/msg00052.html
I need to be able to disable these accounts at 90 days then delete them after 
180 days.
However, I find most of my users do not have the krblastsuccessfulauth 
attribute populated. This is not because their accounts have never been used as 
I see they do have valid passwords which expire in the future so they had to 
login at least once (not necessarily with Kerberos though). Is there another 
attribute we can/should use for this?

Justean Giger
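As an added example (not part of the thread), here is the review logic the poster describes, disable at 90 days and delete at 180, applied to constructed krbLastSuccessfulAuth values. It treats an unpopulated attribute as inconclusive rather than as proof of inactivity, which is the pitfall the post raises.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the list post): krbLastSuccessfulAuth values
# in LDAP generalized time (YYYYMMDDHHMMSSZ), or None when the attribute is
# absent, which is what the poster saw on most accounts.
SAMPLE_USERS = {
    "alice": "20170101120000Z",   # authenticated five days before NOW
    "bob":   "20160901080000Z",   # idle for more than 90 days
    "carol": "20160601080000Z",   # idle for more than 180 days
    "dave":  None,                # attribute never populated
}

# Reference time for the review, chosen to match the date of the post.
NOW = datetime(2017, 1, 6, 14, 10, tzinfo=timezone.utc)
DISABLE_AFTER = timedelta(days=90)
DELETE_AFTER = timedelta(days=180)


def parse_generalized_time(value):
    """Parse an LDAP generalized time string such as 20170106141000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def classify(last_auth, now):
    """Map one account's last successful authentication to an action.

    An absent krbLastSuccessfulAuth is not evidence of inactivity (the thread
    shows accounts with valid, unexpired passwords and no value at all), so such
    accounts are flagged for review rather than disabled or deleted.
    """
    if not last_auth:
        return "unknown"
    idle = now - parse_generalized_time(last_auth)
    if idle >= DELETE_AFTER:
        return "delete"
    if idle >= DISABLE_AFTER:
        return "disable"
    return "keep"


def review(users, now):
    """Return {uid: action} for every account in the mapping."""
    return {uid: classify(value, now) for uid, value in users.items()}


if __name__ == "__main__":
    for uid, action in sorted(review(SAMPLE_USERS, NOW).items()):
        print(f"{uid}: {action}")
```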

Re: [Freeipa-users] [E] Migration Question

2016-09-14 Thread Giger, Justean
We did the same and have had zero issues. In fact, one overzealous colleague 
moved one out of our 5 IDM servers to Oracle while all the others were still on 
Red Hat and things still worked. I have not tried to get support for IDM with 
Oracle though so not sure how that goes.

From: (address elided) on behalf of "Armstrong, Jeffrey"
Date: Wednesday, September 14, 2016 at 6:20 AM
To: "freeipa-users@redhat.com"
Subject: [E] [Freeipa-users] Migration Question

Hi

My company is migrating from RedHat Linux to Oracle Linux.  I warned them that 
IdM could be a problem. Does anyone know If IPA works after the migration?

Jeff Armstrong




[Freeipa-users] Change default email format

2015-08-05 Thread Justean
Good morning, I was wondering if there is a way to change the way freeipa 
builds a user's email address by default. Currently it takes the username and 
appends the domain name but I would like it to take the form 
firstname.lastn...@domainname.com
Thank you. 
Sipazzo

Re: [Freeipa-users] Change default email format

2015-08-05 Thread Justean
Wow, thank you so much for such a complete explanation. I appreciate the 
effort. I am out for the next day or so but will try and implement this as soon 
as I can. Thank you again and I will let you know the results.
From: Alexander Bokovoy <aboko...@redhat.com>
To: Justean <juste...@yahoo.com>
Cc: freeipa-users@redhat.com
Sent: Wednesday, August 5, 2015 12:40 PM
Subject: Re: [Freeipa-users] Change default email format

On Wed, 05 Aug 2015, Alexander Bokovoy wrote:
On Mon, 03 Aug 2015, Justean wrote:
Good morning, I was wondering if there is a way to change the way
freeipa builds a user's email address by default. Currently it takes
the username and appends the domain name but I would like it to take
the form firstname.lastn...@domainname.com
It is not possible to redefine email's format via configuration so you
need to write some code. Luckily, you can amend existing code without
touching it.

Below is an example:
---
/usr/lib/python2.7/site-packages/ipalib/plugins/user-ext-mail-format.py
---
from ipalib.plugins.user import user_add


def override_default_mail_cb(self, ldap, dn, entry_attrs, attrs_list, *keys,
                             **options):
    # Only derive an address when the administrator did not pass one
    if 'mail' not in entry_attrs:
        name = {'givenname': entry_attrs.get('givenname').lower(),
                'sn': entry_attrs.get('sn').lower()}
        # Local part is 'firstname.lastname'
        mail = '{givenname}.{sn}'.format(**name)
        # Appends the default DNS domain and validates the result
        entry_attrs['mail'] = self.obj.normalize_and_validate_email(mail)
    return dn


# Run before the other user-add pre-callbacks
user_add.register_pre_callback(override_default_mail_cb, first=True)
---

What does this Python code do? It adds a callback to the user-add method in IPA
that is run before other callbacks (first=True). The callback then checks
whether the mail attribute was already specified by the administrator
when calling 'ipa user-add' (the Web UI calls this for you). If not, it
derives the mail address from lower-cased versions of the user's first and
last names (known as the 'givenname' and 'sn' attributes in LDAP,
respectively). It then sets the mail attribute to a full email address via
the self.obj.normalize_and_validate_email() function, which picks up the
default DNS domain value and constructs the correct email.

You need to maintain this plugin extension on all IPA masters used for
creating users. Best way to do that is by packaging the plugin in an RPM
and installing it on IPA masters.

You also need to restart httpd service on IPA master to apply the
plugin.

It is used like this:

# systemctl restart httpd
# ipa user-add some.user --first Some --last User 
--
Added user some.user
--
 User login: some.user
 First name: Some
 Last name: User
 Full name: Some User
 Display name: Some User
 Initials: SU
 Home directory: /home/some.user
 GECOS: Some User
 Login shell: /bin/sh
 Kerberos principal: some.u...@example.com
 Email address: some.u...@example.com
 UID: 1634400022
 GID: 1634400022
 Password: False
 Member of groups: ipausers
 Kerberos keys available: False

Actually, I realized because I gave the same user login as
'FirstName.LastName', it might be less apparent that the code works.
Let's try with another user:

# ipa user-add foo.bar --first Some --last User 

Added user foo.bar

  User login: foo.bar
  First name: Some
  Last name: User
  Full name: Some User
  Display name: Some User
  Initials: SU
  Home directory: /home/foo.bar
  GECOS: Some User
  Login shell: /bin/sh
  Kerberos principal: foo@example.com
  Email address: some.u...@example.com
  UID: 1634400023
  GID: 1634400023
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False


-- 
/ Alexander Bokovoy


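An added example, not code from the list post or from FreeIPA itself, that exercises the same pre-callback contract offline: a hypothetical FakeUserObj stands in for self.obj and mimics only the normalize_and_validate_email() behaviour the post describes (append the default domain), and the derivation goes beyond the posted version by folding diacritics, apostrophes and spaces out of the names before building the local part.

```python
import re
import unicodedata
from types import SimpleNamespace


def mail_local_part(givenname, sn):
    """'firstname.lastname' as in the posted callback, but folded into a safe
    local part: diacritics stripped, lower-cased, inner whitespace turned into
    hyphens, any other character outside [a-z0-9.-] dropped."""
    def fold(s):
        s = unicodedata.normalize("NFKD", s.strip())
        s = s.encode("ascii", "ignore").decode("ascii").lower()
        return re.sub(r"[^a-z0-9.-]", "", re.sub(r"\s+", "-", s))
    first, last = fold(givenname), fold(sn)
    if not first or not last:
        raise ValueError("cannot derive mail from %r / %r" % (givenname, sn))
    return "%s.%s" % (first, last)


class FakeUserObj:
    """Hypothetical stand-in for self.obj: mimics only what the post says
    normalize_and_validate_email() does (append the default domain)."""
    def __init__(self, default_domain):
        self.default_domain = default_domain

    def normalize_and_validate_email(self, email):
        if "@" not in email:
            email = "%s@%s" % (email, self.default_domain)
        local, _, domain = email.partition("@")
        if not local or not domain:
            raise ValueError("invalid email address: %r" % email)
        return email


def override_default_mail_cb(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
    """Same contract as the posted pre-callback: an explicit --email wins."""
    if "mail" not in entry_attrs:
        mail = mail_local_part(entry_attrs["givenname"], entry_attrs["sn"])
        entry_attrs["mail"] = self.obj.normalize_and_validate_email(mail)
    return dn


def simulate_user_add(uid, first, last, mail=None, domain="example.com"):
    """Invoke the callback as user-add would and return the entry attributes."""
    entry_attrs = {"uid": uid, "givenname": first, "sn": last}
    if mail is not None:
        entry_attrs["mail"] = mail
    cmd = SimpleNamespace(obj=FakeUserObj(domain))
    override_default_mail_cb(cmd, None, "uid=%s,cn=users" % uid, entry_attrs, [], uid)
    return entry_attrs
```

With the post's second test case, simulate_user_add("foo.bar", "Some", "User") yields some.user@example.com even though the login is foo.bar.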

[Freeipa-users] user can't run crons after setting rhel 5 servers as ipa client

2014-11-14 Thread Justean
Our Redhat 5.10 servers that were moved into our IPA domain cannot run any IPA 
user's crons; we can't even list the crons:

 crontab -l
 you (username) are not allowed to access to (crontab) because of pam configuration

I don't know if I should be manually editing the /etc/pam.d/system-auth-ac 
and/or /etc/pam.d/crond to get this working and if so what I should put for the 
config. 

The client version is ipa-client-2.1.3-7.el5.x86_64 and the server version is 
ipa-server-3.0.0-42.el6.x86_64
 

Re: [Freeipa-users] user can't run crons after setting rhel 5 servers as ipa client

2014-11-14 Thread Justean
Ahh, I got you. We do use HBAC rules. I did not think I needed to add crond as a 
service to allow because it isn't even in the list of services available, but I 
see that I do have to just manually add the service. Thank you, it is working 
now.

From: Rob Crittenden <rcrit...@redhat.com>
To: Justean <juste...@yahoo.com>; freeipa-users@redhat.com
Sent: Friday, November 14, 2014 11:43 AM
Subject: Re: [Freeipa-users] user can't run crons after setting rhel 5 servers as ipa client

Justean wrote:


 Our Redhat 5.10 servers that were moved into our IPA domain cannot run
 any IPA user's crons we can't even list the crons:
 
 crontab -l you (/username/) are not allowed to access to (crontab)
 because of pam configuration
 
 I don't know if I should be manually editing the
 /etc/pam.d/system-auth-ac and/or /etc/pam.d/crond to get this working
 and if so what I should put for the config.
 
 The client version is ipa-client-2.1.3-7.el5.x86_64 and the server
 version is ipa-server-3.0.0-42.el6.x86_64

I would suspect this is due to HBAC. Do you use the HBAC feature?
Perhaps you need to add rules for these hosts.

rob




Re: [Freeipa-users] Solaris 10 client configuration using profile

2014-10-15 Thread Giger, Justean
Thank you both. I successfully set up a new profile on the server and am able 
to use it with authentication. It seems to work for existing users but I am 
having issues when I add new user access via HBAC so I am trying to figure that 
part out. There are a few options I can invoke using ldapclient manual that I 
cannot seem to add to the profile (mainly attributeMap settings) but I don't 
think that is the issue. I will plug away at it more tomorrow and see if I can 
figure it out.

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Sigbjorn Lie
Sent: Saturday, October 11, 2014 11:26 AM
To: Alexander Bokovoy
Cc: sipazzo; Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile

On Sat, October 11, 2014 19:54, Alexander Bokovoy wrote:
 On Sat, 11 Oct 2014, Rob Crittenden wrote:

 sipazzo wrote:
 Thank you, I know where the profile is in the directory tree and how 
 I would invoke it were it there...I don't know how to get it into 
 the directory tree so that it is available to clients. I see posts 
 giving examples of different profiles that could be used but no post as to 
 how to add it to the directory. Sorry if I am missing something obvious.


 
 On Fri, 10/10/14, Rob Crittenden rcrit...@redhat.com wrote:


 Subject: Re: [Freeipa-users] Solaris 10 client configuration using 
 profile
 To: sipazzo sipa...@yahoo.com, freeipa-users@redhat.com
 Date: Friday, October 10, 2014, 4:53 PM


 sipazzo wrote:

 Hello, I am trying to set up a default profile for my Solaris 10 IPA 
 clients as recommended. I generated a profile on a Solaris with the 
 attributes I needed except I got an invalid parameter error when 
 specifying the domainName attribute like this -a 
 domainName=example.com even though this parameter works when I use 
 it in ldapclient manual. More of an issue though is I have been 
 unable to find documentation on getting the profile incorporated 
 into the ipa server. How do I get this profile on the ipa server and 
 make it available to my Solaris clients? Also, my understanding is 
 the clients periodically check this profile so they stay updated with the 
 latest configuration information. What generates this check? Is it time 
 based, a restart of a service or ??

 Thank you for any assistance.


 It's been forever since I configured a Solaris anything client but I 
 can tell you where the profile gets stored: 
 cn=profilename,cn=default,ou=profile,$SUFFIX

 IPA ships with a default profile of:

 dn: cn=default,ou=profile,$SUFFIX
 ObjectClass: top
 ObjectClass: DUAConfigProfile
 defaultServerList: $FQDN
 defaultSearchBase: $SUFFIX
 authenticationMethod: none
 searchTimeLimit: 15
 cn: default
 serviceSearchDescriptor: passwd:cn=users,cn=accounts,$SUFFIX
 serviceSearchDescriptor: group:cn=groups,cn=compat,$SUFFIX
 bindTimeLimit: 5
 objectClassMap: shadow:shadowAccount=posixAccount
 followReferrals: TRUE

 The full schema can be found at
 http://docs.oracle.com/cd/E23824_01/html/821-1455/schemas-17.html

 So if your profile is named foo you'd invoke it with something like:

 # ldapclient init -a profileName=foo ipa.example.com

 rob



 Here is an example inspired by
 https://bugzilla.redhat.com/show_bug.cgi?id=815515


 $ ldapmodify -x -D 'cn=Directory Manager' -W
 dn: cn=solaris_authssl_test,ou=profile,dc=example,dc=com
 objectClass: top
 objectClass: DUAConfigProfile
 cn: solaris_authssl_test
 authenticationMethod: tls:simple
 bindTimeLimit: 5
 credentialLevel: proxy
 defaultSearchBase: dc=example,dc=com
 defaultSearchScope: one
 defaultServerList: ipa01.example.com ipa02.example.com ipa03.example.com
 followReferrals: TRUE
 objectclassMap: shadow:shadowAccount=posixAccount
 objectclassMap: printers:sunPrinter=printerService
 preferredServerList: ipa01.example.com ipa02.example.com
 profileTTL: 6000
 searchTimeLimit: 10
 serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
 serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
 serviceSearchDescriptor: netgroup:cn=ng,cn=compat,dc=example,dc=com
 serviceSearchDescriptor: ethers:cn=computers,cn=accounts,dc=example,dc=com
 serviceSearchDescriptor: automount:cn=default,cn=automount,dc=example,dc=com
 serviceSearchDescriptor: auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=com
 serviceSearchDescriptor: aliases:ou=aliases,ou=test,dc=example,dc=com
 serviceSearchDescriptor: printers:ou=printers,ou=test,dc=example,dc=com
 blank line
 ^D


 You may want to check out
 https://bugzilla.redhat.com/show_bug.cgi?id=815533 as well.

 Should the profile be available anonymously? It is not in 4.x:

 $ ldapsearch -x -b ou=profile,dc=ipacloud,dc=test
 # extended LDIF
 #
 # LDAPv3
 # base <ou=profile,dc=ipacloud,dc=test> with scope subtree
 # filter: (objectclass=*)
 # requesting: ALL
 #

 # search result
 search: 2
 result: