Re: [Freeipa-users] Client Certificate
Yes, Dmitri, these two hints would definitely help; the servers are not 4.x yet though.

On 19 September 2014 23:14, Dmitri Pal d...@redhat.com wrote:

> On 09/19/2014 04:03 PM, Walid wrote:
>> Thank you all, will investigate the requirements of host keytabs, and if there is a way around it by having it shared but secure for our context.
>
> A couple of hints.
>
> 1. If you have a keytab stashed and the system was rebuilt, you can now rerun ipa-client-install using this keytab to get a new one and configure the client system. It can run and then die, but if you store the keytab after running ipa-client-install you would be able to revive it next time.
> 2. In 4.1 you will be able to retrieve the same keytab using the ipa-getkeytab command. It is implemented to allow clusters that have to share the same key, but it might be applicable to your use case too.
>
> Thanks
> Dmitri
>
>> On 18 September 2014 23:04, Dmitri Pal d...@redhat.com wrote:
>>> On 09/18/2014 10:12 AM, Walid A. Shaari wrote:
>>>> Hi, we are going to have a use case of diskless HPC clients that will use the IPA for lookups. I was wondering if I can get rid of the statefulness of the client configuration as much as possible, as it is more of a cattle than pets use case. That is, I do not need to know that the client is part of the domain, no need to enroll a node with a certificate, and services will be mostly HPC MPI and ssh, not required to have an SSL certificate for secure communication. Is it possible to get rid of the client certificate and the requirement for clients to enroll? Or are there other uses for the certificate that I am not aware of?
>>>>
>>>> regards
>>>> Walid
>>>
>>> I think the main problem is making sure that the client can connect to the IPA server. You can elect to not use ipa-client and just copy configuration files. The problem is that SSSD requires some type of authentication to get to IPA as a host to do the lookups. So this connection must be authenticated.
>>>
>>> Since you want it to be stateless you do not want to manage keys or certs, so the only option (which I really do not like) is to use a bind password in a file for the LDAP connection. You would probably use the same unprivileged account for this bind. However, when we get to 4.x you would need to adjust permissions on the server side to make sure that proper read permissions are granted. Having a password in a file is a security risk, so make sure it is not leaked.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
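Dmitri's first hint (stash the host keytab, re-enroll from it after a rebuild) and his closing caveat (a key or bind password in a file is only as safe as that file) as an added example; this is not code from the thread or from FreeIPA. It assumes a 4.x client whose ipa-client-install accepts --keytab, GNU stat, and a constructed stash directory.

```shell
#!/bin/sh
# Added example, not from the thread. STASH_DIR is a constructed path; the
# re-enrollment step assumes a 4.x client whose ipa-client-install accepts
# --keytab, as in Dmitri's first hint. Needs GNU stat (Linux).
STASH_DIR="${STASH_DIR:-/var/lib/ipa-keytab-stash}"

# Copy the enrolled client's keytab into the stash with a root-only mode.
stash_keytab() {                 # $1 = source keytab, $2 = stash file
    mkdir -p "$(dirname "$2")" || return 1
    install -m 0600 "$1" "$2"    # creates (or overwrites) with mode 0600
}

# A keytab (or an sssd.conf holding an LDAP bind password) is only as safe
# as its file mode and owner: accept 0600/0400 owned by the expected uid.
secret_file_ok() {               # $1 = file, $2 = expected owner uid (default 0)
    want_uid="${2:-0}"
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in 600|400) ;; *) return 1 ;; esac
    [ "$(stat -c '%u' "$1")" = "$want_uid" ]
}

# After a rebuild, re-enroll with the stashed keytab instead of an admin
# password or one-time password; refuse a stash that was left readable.
reenroll_from_stash() {          # $1 = stash file
    if ! secret_file_ok "$1"; then
        echo "refusing to use $1: owner or mode is wrong" >&2
        return 1
    fi
    ipa-client-install --unattended --keytab "$1"
}

# Typical flow on a node that is still enrolled (run as root):
#   stash_keytab /etc/krb5.keytab "$STASH_DIR/$(hostname -f).keytab"
# and on the rebuilt node:
#   reenroll_from_stash "$STASH_DIR/$(hostname -f).keytab"
```

The same secret_file_ok check applies to an sssd.conf that carries a bind password, the fallback Dmitri describes for servers that are not yet 4.x.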
Re: [Freeipa-users] Client Certificate
Thank you all, will investigate the requirements of host keytabs, and if there is a way around it by having it shared but secure for our context.

On 18 September 2014 23:04, Dmitri Pal d...@redhat.com wrote:

> On 09/18/2014 10:12 AM, Walid A. Shaari wrote:
>> Hi, we are going to have a use case of diskless HPC clients that will use the IPA for lookups. I was wondering if I can get rid of the statefulness of the client configuration as much as possible, as it is more of a cattle than pets use case. That is, I do not need to know that the client is part of the domain, no need to enroll a node with a certificate, and services will be mostly HPC MPI and ssh, not required to have an SSL certificate for secure communication. Is it possible to get rid of the client certificate and the requirement for clients to enroll? Or are there other uses for the certificate that I am not aware of?
>>
>> regards
>> Walid
>
> I think the main problem is making sure that the client can connect to the IPA server. You can elect to not use ipa-client and just copy configuration files. The problem is that SSSD requires some type of authentication to get to IPA as a host to do the lookups. So this connection must be authenticated.
>
> Since you want it to be stateless you do not want to manage keys or certs, so the only option (which I really do not like) is to use a bind password in a file for the LDAP connection. You would probably use the same unprivileged account for this bind. However, when we get to 4.x you would need to adjust permissions on the server side to make sure that proper read permissions are granted. Having a password in a file is a security risk, so make sure it is not leaked.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
[Freeipa-users] Client Certificate
Hi, we are going to have a use case of diskless HPC clients that will use the IPA for lookups. I was wondering if I can get rid of the statefulness of the client configuration as much as possible, as it is more of a cattle than pets use case. That is, I do not need to know that the client is part of the domain, no need to enroll a node with a certificate, and services will be mostly HPC MPI and ssh, not required to have an SSL certificate for secure communication.

Is it possible to get rid of the client certificate and the requirement for clients to enroll? Or are there other uses for the certificate that I am not aware of?

regards
Walid
Re: [Freeipa-users] Client Certificate
Great, Rob. Would that still be doable with RHEL5 and RHEL6 IPA 2 and 3 clients?

On 18 September 2014 17:43, Rob Crittenden rcrit...@redhat.com wrote:

> Walid A. Shaari wrote:
>> Hi, we are going to have a use case of diskless HPC clients that will use the IPA for lookups. I was wondering if I can get rid of the statefulness of the client configuration as much as possible, as it is more of a cattle than pets use case. That is, I do not need to know that the client is part of the domain, no need to enroll a node with a certificate, and services will be mostly HPC MPI and ssh, not required to have an SSL certificate for secure communication. Is it possible to get rid of the client certificate and the requirement for clients to enroll? Or are there other uses for the certificate that I am not aware of?
>
> Yes, you don't need to obtain a machine certificate. In fact we have stopped doing this upstream.
>
> rob
Re: [Freeipa-users] ipa 2 client connecting to ipa 3 server
Thanks, Dmitri. So sssd is out of the picture in this case?

On 20 August 2014 16:43, Dmitri Pal d...@redhat.com wrote:

> On 08/20/2014 03:30 PM, Walid wrote:
>> Hello All,
>>
>> What is the recommendation on having IPA 2 clients connecting to an IPA 3 server? We have some RHEL5.3 clients (I know they are EOL, however the end user still wants them as they are) that we would like to connect to an IPA 3.x server running on RHEL6.5. Anyone running free-ipa on RHEL instead of the Red Hat packages on RHEL5 and RHEL6?
>>
>> regards
>> Walid
>
> A 5.3 client can be connected to IPA using pam_krb5 or pam_ldap for authentication and nss_ldap for identity. Perfectly reasonable and supported configuration. No need to run unsupported packages on RHEL.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
Re: [Freeipa-users] ipa 2 client connecting to ipa 3 server
Thanks, Rob. We have native Python 2.4 and Anaconda Python 2.7, so I guess if anything needs Python 2.6 or greater it would not be an issue. I am just wondering if there are people using the upstream project on such a legacy system ;-)

On 20 August 2014 16:55, Rob Crittenden rcrit...@redhat.com wrote:

> Walid wrote:
>> Hello All,
>>
>> What is the recommendation on having IPA 2 clients connecting to an IPA 3 server? We have some RHEL5.3 clients (I know they are EOL, however the end user still wants them as they are) that we would like to connect to an IPA 3.x server running on RHEL6.5.
>
> Should work fine with no problems.
>
>> Anyone running free-ipa on RHEL instead of the Red Hat packages on RHEL5 and RHEL6?
>
> Depending on the versions of IPA and RHEL it can be difficult but not impossible. The biggest obstacle is missing or older dependencies, some of which are extremely non-trivial to backport. RHEL 5 still has Python 2.4, which makes the backport that much more difficult.
>
> rob
Re: [Freeipa-users] IPA-server and containers
Hi,

Could you share the presentation with us?

regards
Walid

On 10 June 2014 15:10, Jan Pazdziora jpazdzi...@redhat.com wrote:

> On Tue, Jun 10, 2014 at 05:27:40PM +0600, Arthur Fayzullin wrote:
>> Hi! Alexandr, I've seen your presentation at the Red Hat forum. Very good presentation! :)
>>
>> I've got a question about FreeIPA from that presentation. Of course the question is not only for you. So, the question: are there any plans for integrating freeipa-server with containers?
>>
>> * working freeipa as a single container;
>
> We have a testing FreeIPA in Fedora 20 container at https://registry.hub.docker.com/u/adelton/fedora20-freeipa-server/
>
> However, at this point the size of that image is over 1.2 GB, so we were not announcing it yet as we try to find ways to make the image smaller and thus more easily consumable.
>
> --
> Jan Pazdziora
> Principal Software Engineer, Identity Management Engineering, Red Hat

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Fwd: /etc/services map migration from NIS to IPA
Hi,

The only IPA services I am able to see are the Kerberos concept of a service principal. How about a services map as in /etc/services that is managed by NIS? I can only see the following page, not updated for 14 months: https://fedorahosted.org/freeipa/ticket/2638

kind regards
Walid
Re: [Freeipa-users] Fwd: /etc/services map migration from NIS to IPA
Thanks, will take a look and see what I can do.

On 11 December 2013 23:03, Dmitri Pal d...@redhat.com wrote:

> On 12/11/2013 02:52 PM, Walid wrote:
>> time is of an issue, where shall I start looking? Can you give me a hint/URL, or reference that I can start from?
>
> Absolutely.
>
> Start here: http://www.freeipa.org/page/Contribute/Code
> Take a look here: http://www.freeipa.org/page/General_considerations
> Learn this: http://abbra.fedorapeople.org/guide.html
> Create a proposal/design page on the wiki http://www.freeipa.org/page/V3_Proposals using http://www.freeipa.org/page/Feature_template
> Look at the code here: https://git.fedorahosted.org/git/freeipa
> Develop patches following the style guide http://www.freeipa.org/page/Python_Coding_Style
> Send them to the list
> Address feedback and resubmit
> Observe patches merge
> Enjoy the benefits!
>
> Do not hesitate to ask questions at any point of your journey, we are here to help.
>
>> On 11 December 2013 22:40, Dmitri Pal d...@redhat.com wrote:
>>> On 12/11/2013 02:25 PM, Walid A. Shaari wrote:
>>>> Hi, the only IPA services I am able to see are the Kerberos concept of a service principal. How about a services map as in /etc/services that is managed by NIS? I can only see the following page, not updated for 14 months: https://fedorahosted.org/freeipa/ticket/2638
>>>>
>>>> kind regards
>>>> Walid
>>>
>>> You can load the services into IPA and manage them using LDAP. This would work as with any other LDAP server. The ticket is about making it nice to manage as we manage other things in IPA using CLI/UI. If you are interested in contributing a management interface for CLI/UI to do it via the ipa command line and GUI, we would be glad to help you with this effort. If you have some Python skills it should not be that hard.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> ---
> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
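Dmitri's suggestion above is to load the NIS services map into the directory as plain LDAP entries. As an added example (not code from the thread or from FreeIPA), this converts /etc/services lines into RFC 2307 ipService LDIF; the parent DN and the IPA host name in the comments are assumed placeholders, and the awk is GNU/POSIX awk.

```shell
#!/bin/sh
# Added example, not from the thread: turn NIS-style /etc/services lines into
# RFC 2307 ipService LDIF that ldapadd can load into the IPA directory. The
# parent DN passed as $2 is an assumption; create that container in IPA first.
# One entry per name/protocol pair, using the compound RDN
# cn=<name>+ipServiceProtocol=<proto> so that "ssh 22/tcp" and "ssh 22/udp"
# do not collide. Aliases become extra cn values.
services_to_ldif() {              # $1 = services file, $2 = parent DN
    awk -v base="$2" '
        { sub(/#.*/, "") }                        # strip trailing comments
        NF < 2 { next }                           # blank or comment-only lines
        {
            n = split($2, pp, "/")                # "22/tcp" -> port, protocol
            if (n != 2 || pp[1] !~ /^[0-9]+$/) next
            port = pp[1]; proto = pp[2]
            key = $1 "/" proto
            if (key in seen) next                 # skip duplicate name/proto
            seen[key] = 1
            printf "dn: cn=%s+ipServiceProtocol=%s,%s\n", $1, proto, base
            print "objectClass: top"
            print "objectClass: ipService"
            printf "cn: %s\n", $1
            for (i = 3; i <= NF; i++) printf "cn: %s\n", $i
            printf "ipServicePort: %s\n", port
            printf "ipServiceProtocol: %s\n\n", proto
        }' "$1"
}

# Usage (placeholder host and DN): generate, review, then load with Kerberos
# credentials of an account allowed to write that container.
#   services_to_ldif /etc/services "cn=services,cn=nis,dc=example,dc=com" \
#       > services.ldif
#   ldapadd -Y GSSAPI -H ldap://ipa.example.com -f services.ldif
```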