[Freeipa-users] FIPS 140-2 Compliance
Good Morning! Happy New Year to you, and any news on getting to FIPS Compliance?

Michael Sean Conley
Principal Systems Engineer

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Original java script I have been TRYING to modify to use the flatness that is IPA.
So, I did a lot more research on our issue. We fixed it - Miller time was had by all that wanted a good beer.

Did some ldap searches - to get the specific binding user - we did this...

    ldapsearch -Z -H ldap://aba-idam.aba.home.com -D 'uid=ddf,cn=users,cn=accounts,dc=aba,dc=home,dc=com' -W -b 'cn=users,cn=accounts,dc=aba,dc=home,dc=com' '(uid=ddf)' uid

And made sure to enter in the full connection.username and its associated context. - Rob was exactly right! But we still got errors until we looked at the role (ahem: Roles) played in the game. So, the Roles were REALLY important in the script... We created a role called admin, and added the user, as the script REALLY needs the user to be an admin - I dunno why, but the developers said so. So we then did an ldap search on the role of admin:

    ldapsearch -Z -H ldap://aba-idam.aba.home.com -D 'uid=ddf,cn=users,cn=accounts,dc=aba,dc=home,dc=com' -W -b 'cn=admin,cn=groups,cn=compat,dc=aba,dc=home,dc=com' 'cn=admin'

then entering those properties as below...

    initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
    connection.username=uid=ddf,cn=users,cn=accounts,dc=aba,dc=home,dc=com
    connection.password=iloveaba!
    connection.url=ldaps://aba-idam.aba.home.com:636
    user.base.dn=cn=users,cn=accounts,dc=aba,dc=home,dc=com
    user.filter=(uid=%u)
    user.search.subtree=true
    role.base.dn=cn=groups,cn=compat,dc=aba,dc=home,dc=com
    role.name.attribute=cn
    role.filter=(member=uid=%u,cn=groups,cn=compat,dc=aba,dc=home,dc=com)
    role.search.subtree=true
    role.mapping=admin=group,admin,manager,viewer,webconsole
    authentication=simple
    ssl.protocol=SSL
    ssl.truststore=truststore
    ssl.algorithm=PKIX

Saved it, crossed our fingers and tried to log in to the docker object...

    [admin@aba-desktop ~]$ ssh ddf@localhost -p 8101
    Password authentication
    Password:
    Apache ServiceMix (7.0.0.M1)
    Hit '' for a list of available commands and '[cmd] --help' for help on a specific command.
    Hit '' or 'osgi:shutdown' to shutdown ServiceMix.
    ddf@root>

BOOM!

Thank you Rob and Petr

Michael Sean Conley
[Freeipa-users] Original java script I have been TRYING to modify to use the flatness that is IPA.
Hey gang, so this is the original file I was using to get us hooked in via LDAPS for the webpage. Note - it has OU's instead of CN's. Anyway, I'm still at a loss. What do you folks think?

    initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
    connection.username=cn=Directory Manager
    connection.password=password
    connection.url=ldaps://aba-ldap.aba.house.com:636
    user.base.dn=ou=ApplicationUsers,ou=People,dc=aba,dc=house,dc=com
    user.filter=(uid=%u)
    user.search.subtree=true
    role.base.dn=ou=JBoss,ou=Roles,dc=aba,dc=house,dc=com
    role.name.attribute=cn
    role.filter=(member=uid=%u,ou=ApplicationUsers,ou=People,dc=aba,dc=house,dc=com)
    role.search.subtree=true
    role.mapping=admin=group,admin,manager,viewer,webconsole
    authentication=simple
    ssl.protocol=SSL
    ssl.truststore=truststore
    ssl.algorithm=PKIX

Michael Sean Conley
Re: [Freeipa-users] ldaps Java script issues with RH IdM - odd that I cannot make it connect...
so if I am reading you correctly

    connection.username=cn=ddfusr

should be

    connection.username=uid=ddfusr,cn=users,cn=accounts,dc=aba,dc=home,dc=com

?

Michael Sean Conley

From: Rob Crittenden
To: Michael Sean Conley, freeipa-users@redhat.com
Date: 08/12/2016 04:13 PM
Subject: Re: [Freeipa-users] ldaps Java script issues with RH IdM - odd that I cannot make it connect...

Michael Sean Conley wrote:
> UID binding - I believe - from what I saw in the script.
>
> I ran the nifty search... First on user "binding"...
>
> Got an error 32.
>
> tried it with ddfusr
>
> # ldapsearch -Z -H ldap://aba-idam.aba.home.com -D 'uid=ddfusr,cn=users,cn=accounts,dc=aba,dc=home,dc=com' -W -b 'cn=users,cn=accounts,dc=aba,dc=home,dc=com' '(uid=ddfusr)' cn
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (uid=ddfusr)
> # requesting: cn
> #
>
> # ddfusr, users, accounts, aba.home.com
> dn: uid=ddfusr,cn=users,cn=accounts,dc=aba,dc=home,dc=com
> cn: ddf user
>
> # search result
> search: 3
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> Fabulous.
>
> So, I then checked the java xml file...
>
> className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
> flags="required">
> initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
> connection.username=cn=ddfusr
> connection.password=iloveaba!
> connection.url=ldaps://aba-idam.aba.house.com:636
> user.base.dn=cn=users,cn=accounts,dc=aba,dc=house,dc=com
> user.filter=(uid=%u)
> user.search.subtree=true
> role.base.dn=cn=JBoss,cn=users,cn=accounts,dc=aba,dc=house,dc=com
> role.name.attribute=cn
> role.filter=(member=uid=%u,cn=users,cn=accounts,dc=aba,dc=house,dc=com)
> role.search.subtree=true
> role.mapping=admin=group,admin,manager,viewer,webconsole
> authentication=simple
> ssl.protocol=SSL
> ssl.truststore=truststore
> ssl.algorithm=PKIX
>
> and I tried to log in with the ddfusr account and
>
> Error 32.

You're still using the wrong user to bind. There is no cn=ddfusr.

At best there is a uid=ddfusr if the user.base is automatically added (which it probably isn't). It probably needs to be uid=ddfusr,cn=users,cn=accounts,dc=aba,dc=home,dc=com just like in the ldapsearch.

rob
Re: [Freeipa-users] ldaps Java script issues with RH IdM - odd that I cannot make it connect...
UID binding - I believe - from what I saw in the script.

I ran the nifty search... First on user "binding"...

Got an error 32.

tried it with ddfusr

    # ldapsearch -Z -H ldap://aba-idam.aba.home.com -D 'uid=ddfusr,cn=users,cn=accounts,dc=aba,dc=home,dc=com' -W -b 'cn=users,cn=accounts,dc=aba,dc=home,dc=com' '(uid=ddfusr)' cn
    Enter LDAP Password:
    # extended LDIF
    #
    # LDAPv3
    # base with scope subtree
    # filter: (uid=ddfusr)
    # requesting: cn
    #

    # ddfusr, users, accounts, aba.home.com
    dn: uid=ddfusr,cn=users,cn=accounts,dc=aba,dc=home,dc=com
    cn: ddf user

    # search result
    search: 3
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

Fabulous.

So, I then checked the java xml file...

    initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
    connection.username=cn=ddfusr
    connection.password=iloveaba!
    connection.url=ldaps://aba-idam.aba.house.com:636
    user.base.dn=cn=users,cn=accounts,dc=aba,dc=house,dc=com
    user.filter=(uid=%u)
    user.search.subtree=true
    role.base.dn=cn=JBoss,cn=users,cn=accounts,dc=aba,dc=house,dc=com
    role.name.attribute=cn
    role.filter=(member=uid=%u,cn=users,cn=accounts,dc=aba,dc=house,dc=com)
    role.search.subtree=true
    role.mapping=admin=group,admin,manager,viewer,webconsole
    authentication=simple
    ssl.protocol=SSL
    ssl.truststore=truststore
    ssl.algorithm=PKIX

and I tried to log in with the ddfusr account and

Error 32.

Rassin Frassin! It's too Friday for this.

Michael Sean Conley
[Freeipa-users] ldaps Java script issues with RH IdM - odd that I cannot make it connect...
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)[:1.8.0_65]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)[:1.8.0_65]
    at java.lang.Thread.run(Thread.java:745)[:1.8.0_65]

RH IDM ACCESS LOG FILE

    [12/Aug/2016:11:05:34 -0500] conn=850 fd=112 slot=112 SSL connection from 172.17.4.64 to 172.17.4.20
    [12/Aug/2016:11:05:34 -0500] conn=850 TLS1.2 256-bit AES-GCM
    [12/Aug/2016:11:05:34 -0500] conn=850 op=0 BIND dn="cn=binding" method=128 version=3
    [12/Aug/2016:11:05:34 -0500] conn=850 op=0 RESULT err=32 tag=97 nentries=0 etime=0
    [12/Aug/2016:11:05:34 -0500] conn=850 op=-1 fd=112 closed - B1

Michael Sean Conley
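A defender-side check for the access log quoted above, added here as an example (it is not part of the thread, nor 389-ds or IdM code): it pairs each BIND with the RESULT for the same conn/op and reports the failed binds, flagging an err=32 on a bare RDN, which is exactly the cn=binding symptom in the log. The sample log is constructed from the quoted lines; the second and third connections are assumed.

```python
import re

# Constructed sample access log, modelled on the lines quoted in the thread.
# conn=850 is the quoted failure (bind as cn=binding -> err=32 No such object);
# conn=851 and conn=852 are assumed follow-up attempts with a full DN.
SAMPLE_LOG = """\
[12/Aug/2016:11:05:34 -0500] conn=850 fd=112 slot=112 SSL connection from 172.17.4.64 to 172.17.4.20
[12/Aug/2016:11:05:34 -0500] conn=850 TLS1.2 256-bit AES-GCM
[12/Aug/2016:11:05:34 -0500] conn=850 op=0 BIND dn="cn=binding" method=128 version=3
[12/Aug/2016:11:05:34 -0500] conn=850 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[12/Aug/2016:11:05:34 -0500] conn=850 op=-1 fd=112 closed - B1
[12/Aug/2016:11:07:02 -0500] conn=851 fd=113 slot=113 SSL connection from 172.17.4.64 to 172.17.4.20
[12/Aug/2016:11:07:02 -0500] conn=851 op=0 BIND dn="uid=ddfusr,cn=users,cn=accounts,dc=aba,dc=home,dc=com" method=128 version=3
[12/Aug/2016:11:07:02 -0500] conn=851 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[12/Aug/2016:11:07:03 -0500] conn=852 fd=114 slot=114 SSL connection from 172.17.4.64 to 172.17.4.20
[12/Aug/2016:11:07:03 -0500] conn=852 op=0 BIND dn="uid=ddfusr,cn=users,cn=accounts,dc=aba,dc=home,dc=com" method=128 version=3
[12/Aug/2016:11:07:03 -0500] conn=852 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

BIND_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) '
                     r'BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) '
                       r'RESULT err=(?P<err>\d+)')

# LDAP result codes that matter for bind triage (RFC 4511 numbering).
ERR_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}


def failed_binds(log_text):
    """Pair every BIND with the RESULT carrying the same (conn, op) and return
    the failures. err=32 on a bind means the bind DN itself does not exist,
    which is what a bare RDN such as cn=binding produces against IdM."""
    pending = {}   # (conn, op) -> bind details awaiting their RESULT line
    failures = []
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            pending[(m["conn"], m["op"])] = {"ts": m["ts"], "conn": int(m["conn"]),
                                             "dn": m["dn"], "method": int(m["method"])}
            continue
        m = RESULT_RE.match(line)
        if not m:
            continue
        bind = pending.pop((m["conn"], m["op"]), None)
        if bind is None:
            continue   # RESULT for a non-bind operation
        err = int(m["err"])
        if err == 0:
            continue
        bind["err"] = err
        bind["reason"] = ERR_NAMES.get(err, "ldapResultCode-%d" % err)
        if err == 32 and "," not in bind["dn"]:
            bind["hint"] = ("bind DN is a single RDN; expected a full DN such as "
                            "uid=<user>,cn=users,cn=accounts,<base>")
        failures.append(bind)
    return failures
```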
Re: [Freeipa-users] IPA and FIPS 140-2
Yep, did so right away. and yes, this is for the future state of IPA.

Michael Sean Conley
Hardware/Infrastructure
Intelligence, Information and Services
Raytheon Company
972-643-9887 (office)
michael.sean.con...@raytheon.com

From: Martin Kosek
To: Michael Sean Conley, Rob Crittenden
Cc: freeipa-users@redhat.com
Date: 08/05/2016 06:33 AM
Subject: Re: [Freeipa-users] IPA and FIPS 140-2

Are you now asking about when upstream version is FIPS compliant or some downstream distribution? If you are asking about RHEL, as indicated by https://bugzilla.redhat.com/show_bug.cgi?id=1125174 the bug is still in a NEW state. Given the state of RHEL-7.3 life cycle, it is too late to add it there.

However, as Rob mentioned, it would be really great if you file a support case (if we are talking about RHEL) and get it linked to that bug. Due to the interest, it is already high in the RHEL-7.4 considerations, but adding +1 won't hurt and you may also receive updates on development status.

Martin

On 08/04/2016 06:40 PM, Michael Sean Conley wrote:
> Is there any indication of a timeframe for it to become FIPS compliant? If we
> are talking weeks, rather than years...
>
> *Michael Sean Conley*
>
> From: Rob Crittenden
> To: Michael Sean Conley, freeipa-users@redhat.com
> Date: 08/04/2016 11:37 AM
> Subject: Re: [Freeipa-users] IPA and FIPS 140-2
>
> Michael Sean Conley wrote:
>> Does ANYONE have any experience getting IPA to work with FIPS?
>>
>> We're trying desperately to get this going, as we have some requirements
>> that the Identity Management Tool we choose must be FIPS 140-2 compliant.
>
> No, it doesn't work in FIPS mode yet. If you open a support case with
> Red Hat your case can be added to
> https://bugzilla.redhat.com/show_bug.cgi?id=1125174
>
> While most, if not all, of the individual components can run in FIPS
> mode there are a lot of moving parts to coordinate to ensure they comply
> with the FIPS Security Policy and to handle some corner cases in the
> management framework.
>
> rob
Re: [Freeipa-users] IPA and FIPS 140-2
Is there any indication of a timeframe for it to become FIPS compliant? If we are talking weeks, rather than years...

Michael Sean Conley

From: Rob Crittenden
To: Michael Sean Conley, freeipa-users@redhat.com
Date: 08/04/2016 11:37 AM
Subject: Re: [Freeipa-users] IPA and FIPS 140-2

Michael Sean Conley wrote:
> Does ANYONE have any experience getting IPA to work with FIPS?
>
> We're trying desperately to get this going, as we have some requirements
> that the Identity Management Tool we choose must be FIPS 140-2 compliant.

No, it doesn't work in FIPS mode yet. If you open a support case with Red Hat your case can be added to https://bugzilla.redhat.com/show_bug.cgi?id=1125174

While most, if not all, of the individual components can run in FIPS mode there are a lot of moving parts to coordinate to ensure they comply with the FIPS Security Policy and to handle some corner cases in the management framework.

rob
[Freeipa-users] IPA and FIPS 140-2
Does ANYONE have any experience getting IPA to work with FIPS?

We're trying desperately to get this going, as we have some requirements that the Identity Management Tool we choose must be FIPS 140-2 compliant.

GGHHH

Michael Sean Conley
[Freeipa-users] IPA DS migration
Hello,

I need to migrate the users from an existing IPA server to a new IPA server on an isolated network. It appears that "ipa migrate-ds" works only when direct connection to source LDAP server is possible. I have searched with no success for a method that would be more like an LDIF-based migration.

These servers are in different realms and so have different base DNs. My hope is that I could create an LDIF file from a query against the source server, modify records to reflect the new base DN, copy result to destination server, and import it there.

Can anyone direct me to some good resources or other recommendations to accomplish this?

The source server in this case is CentOS 7 with FreeIPA v4.1.0. The planned destination server is RHEL 7 with FreeIPA v4.2.0.

Thanks much in advance!

Sean
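The "modify records to reflect the new base DN" step of the plan above, as an added example that is not from the thread or from FreeIPA: it unfolds LDIF continuation lines, rebases the entry DN and the DN-valued attributes (including base64 "::" values) onto the destination base, and leaves everything else untouched. The base DNs, the attribute list and the sample LDIF are constructed placeholders.

```python
import base64
import re

# Assumed source and destination base DNs (placeholders, not from the thread).
OLD_BASE = "dc=old,dc=example,dc=com"
NEW_BASE = "dc=new,dc=example,dc=com"

# Attributes whose values are DNs and so must be rebased along with the entry DN.
DN_ATTRS = {"dn", "member", "memberof", "manager", "uniquemember", "seealso"}

# Constructed sample LDIF: includes a folded line and a base64 ("::") value.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=old,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
description: a long description that is folded across two lines because LDIF
  wraps at 76 columns
cn:: QWxpY2UgT2xk

dn: cn=admins,cn=groups,cn=accounts,dc=old,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,cn=users,cn=accounts,dc=old,dc=example,dc=com
"""

def unfold(ldif_text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def rebase_dn(value, old_base, new_base):
    """Swap the trailing old base for the new one (DN matching is case-insensitive)."""
    return re.sub(re.escape(old_base) + r"\s*$", new_base, value, flags=re.IGNORECASE)

def rewrite_ldif(ldif_text, old_base=OLD_BASE, new_base=NEW_BASE):
    """Return the LDIF with every DN-valued attribute rebased onto new_base.
    Non-DN attributes, comments and blank lines pass through (unfolded) unchanged."""
    out = []
    for line in unfold(ldif_text):
        m = re.match(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$", line)
        if not m or m.group(1).lower() not in DN_ATTRS:
            out.append(line)
            continue
        attr, sep, val = m.groups()
        if sep == "::":  # base64-encoded DN: decode, rebase, re-encode
            plain = base64.b64decode(val).decode("utf-8")
            val = base64.b64encode(rebase_dn(plain, old_base, new_base).encode("utf-8")).decode("ascii")
        else:
            val = rebase_dn(val, old_base, new_base)
        out.append("%s%s %s" % (attr, sep, val))
    return "\n".join(out) + "\n"
```

Only the DN rewriting step is shown; which of the exported attributes the destination IPA will accept on import is not covered by the thread.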
[Freeipa-users] using wildcard cert from external CA
Sorry for the redundancy but I thought it would be better to start a new thread since I am really asking a different question at this point.

We are trying to stand up an IPA instance using real certs (wildcard) for our domain, so that external users get a valid cert when coming to the https UI. I am trying to follow the steps given in this thread: https://www.redhat.com/archives/freeipa-users/2014-August/msg00338.html. It seems no matter what I do, I end up with: "full certificate chain is not present in /etc/ipa/pki/example.org.p12".

Has this process been documented more completely anywhere? Is this still a valid process? I know that there is now an -external-ca option to ipa-server-install, but I have questions about the CSR process from my CA and they are not being very responsive. I have also been told that this option would require a reseller arrangement potentially costing a lot of money... we don't want to be in the CA business... we just want our external users to be able to securely access IPA.

Thanks again in advance for any assistance.

Sean
Re: [Freeipa-users] how to chain CA certs
Not sure if I should start a new thread for this, but...

I am now trying to follow the instructions given in this thread: https://www.redhat.com/archives/freeipa-users/2014-August/msg00338.html. I think this configuration should work well with our deployment strategy. I feel like I am following the steps exactly but always end up with "full certificate chain is not present in /etc/ipa/pki/example.org.p12" during ipa-server-install.

Have others followed this process more recently? I am wondering if there might have been any changes so that these steps no longer work, or possibly there is an easier way to do this now.

I am running version: ipa-server-4.1.0-18.el7.centos.4.x86_64.

On 11/1/15, 10:40 PM, "Fraser Tweedale" wrote:
>On Mon, Nov 02, 2015 at 01:29:48AM +, Sean Conley - US wrote:
>> Hello,
>>
>> I am new to FreeIPA and am attempting to stand up my first
>> operational instance. We do have a commercial wildcard
>> certificate (*.internal.example.org) that should cover the IPA
>> server itself (ipa.internal.example.org). I used the -external-CA
>> option when running the setup and so a CSR was generated. Since
>> we have a wildcard cert, I wasn't sure if I really need to submit
>> the CSR to our PKI vendor. At the same time, it's not clear to me
>> through searching documents how I would extend the CA chain. Do I
>> need to submit that CSR or is there a way for me to do this on my
>> own?
>>
>Welcome to FreeIPA :)
>
>If you have a relationship with a Certificate Authority willing to
>sign an intermediate CA certificate for you, then you can use the
>--external-ca option, submit the generated CSR to your CA and once
>you receive your signed CA certificate, continue ipa-server-install.
>
>For a publicly-trusted intermediate CA cert, you are probably
>looking at $10,000s or $100,000s in fees, infrastructure and
>compliance costs to achieve this. Public CAs much prefer to keep
>you coming back to them for publicly trusted certificates :)
>
>If you already have some internal CA for your organisation, you can
>use it to sign the CSR.
>
>Otherwise, you can install FreeIPA with its own root CA (this is the
>default).
>
>HTH,
>Fraser
>
>> Any assistance is much appreciated.
>>
>> Sean
[Freeipa-users] how to chain CA certs
Hello,

I am new to FreeIPA and am attempting to stand up my first operational instance. We do have a commercial wildcard certificate (*.internal.example.org) that should cover the IPA server itself (ipa.internal.example.org). I used the -external-CA option when running the setup and so a CSR was generated. Since we have a wildcard cert, I wasn't sure if I really need to submit the CSR to our PKI vendor. At the same time, it's not clear to me through searching documents how I would extend the CA chain. Do I need to submit that CSR or is there a way for me to do this on my own?

Any assistance is much appreciated.

Sean