Re: [Freeipa-users] Support status of additional OU's / acis in ipa ds

2016-01-23 Thread William Brown
On Sat, 2016-01-23 at 09:55 -0500, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
> > On Sat, 23 Jan 2016, William Brown wrote:
> > > Hi,
> > > 
> > > I'm wondering about what the freeipa support policy is on adding an
> > > extra OU to the root of my domain, as well as my own acis. Will FreeIPA
> > > ignore this? Or will it potentially cause future issues?
> > > 
> > > I.e. adding ou=contacts,dc=ipa,dc=example,dc=com
> > There are currently no plans on introducing OUs.
> > 
> 
> I think he just wants to add his own container as an OU. If that's the
> case then yeah, IPA shouldn't even notice it. No guarantee that this
> will be true forever. Similarly I think any acis on that dn will be
> ignored simply because IPA would have no reason to operate there.
> 

Yep, that is exactly what I want to do.

I'll give it a go, and will just have to be careful and watch out on
upgrades from now on then I guess. 

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Support status of additional OU's / acis in ipa ds

2016-01-22 Thread William Brown
Hi,

I'm wondering about what the freeipa support policy is on adding an
extra OU to the root of my domain, as well as my own acis. Will FreeIPA
ignore this? Or will it potentially cause future issues? 

I.e. adding ou=contacts,dc=ipa,dc=example,dc=com


-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane




Re: [Freeipa-users] Issue with fresh install of FreeRADIUS

2016-01-18 Thread William Brown
On Wed, 2016-01-06 at 10:06 -0500, Anthony Cheng wrote:
> Hi all,
> 
> Just did a fresh install of FreeRADIUS following this guide on a
> Centos 7 box:
> http://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7
> 
> Local testing with radtest works, however radiusd has issues.  I do
> find it odd that this line indicated success:
> 
> Process: 1270 ExecStartPre=/bin/chown -R radiusd.radiusd /var/run/radiusd (code=exited, status=0/SUCCESS)
> 

Does your radius server depend on your ipa instance? 

If so there is a bug open at the moment that freeradius should start
AFTER ipa.service / dirsrv.target. At the moment radiusd starts before
them, and will fail to start as it cannot connect to the directory
server. 



-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane



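A drop-in that encodes the ordering the reply above asks for (radiusd must not start until the IPA directory server is up), added here as an example; it is not from the thread, nor a file shipped by the FreeRADIUS or FreeIPA projects. It assumes the FreeRADIUS unit is called radiusd.service, as in the CentOS 7 package the original poster installed; ipa.service and dirsrv.target are the unit names given in the reply.

```ini
# /etc/systemd/system/radiusd.service.d/after-ipa.conf
# Added example. Assumes the FreeRADIUS unit on this host is radiusd.service.
[Unit]
# Do not start radiusd until the IPA stack and its directory server are up;
# otherwise radiusd cannot connect to the directory server and exits.
After=ipa.service dirsrv.target
# Pull ipa.service in when radiusd is started on its own (e.g. by hand),
# so the ordering above actually has something to wait for.
Wants=ipa.service
```

After `systemctl daemon-reload`, `systemctl show -p After radiusd.service` should list both units; if it does not, the drop-in directory name does not match the real unit name.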

Re: [Freeipa-users] FreeRadius and FreeIPA

2016-01-18 Thread William Brown
On Mon, 2016-01-18 at 22:01 +1000, William Brown wrote:
> So as a result, they CAN do
> vlan assignment based on tags in the access-accept packet, but it's a
> hack.

Sorry, I should say "They don't use the tags in the access-accept" they
use an out-of-band mechanism to transmit the vlan id rather than the
radius access-accept. 


-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane




Re: [Freeipa-users] FreeRadius and FreeIPA

2016-01-18 Thread William Brown
On Mon, 2016-01-18 at 16:22 +0500, Arthur Fayzullin wrote:
> Thanks for such a good explanation! That has pointed my search.
> I have succeeded in integrating freeradius with freeipa with the help of
> William Brown and his blog. Thanks to Him :-)
> Links to related articles in his blog:
> first part: https://firstyear.id.au/entry/22
> second part: https://firstyear.id.au/entry/45
> 

Sorry, my certs are based on my IPA domain. Try these links if you don't
want to temporarily accept.

http://firstyear.id.au/entry/22
http://firstyear.id.au/entry/45

> 
> everything works fine. now it would be fine to define different admin
> levels for different users on different network devices.
> But anyway everything works!!! Thanks to all!

With the setup that I have here you cannot do this. mschapv2 doesn't
let you insert vlan tags to the NAS, so as a result you can't do this.
The way that cisco access points and other vendors get around this, is
that they generally have a wireless controller that does part of the
handshake separately to the NAS itself. So as a result, they CAN do
vlan assignment based on tags in the access-accept packet, but it's a
hack.

If you want to do vlan assignment without access to cisco specific
hardware, you'll need to use something that isn't eap. However, most
devices require custom profiles in these scenarios (Windows, ios, osx
etc). TTLS for example, cannot be configured on windows out of box, and
ios / osx require enterprise deployment profiles iirc.


You could always set up multiple SSIDs, have them each auth to a
different radius service (default, inner-tunnel ... make a new set)

Then you can have

* wifi -> inner-tunnel
* wifi-admin -> inner-tunnel-admin

You can define different authentication rules then, because you can
specify different requirements for group memberships at this point.

Hope this helps,

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane



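The group-per-SSID idea in the reply above, written out as an added example; it is not William's configuration and not a file from the FreeRADIUS distribution. It goes slightly beyond the text: instead of creating a separate inner-tunnel-admin virtual server it keeps one inner tunnel and branches on the SSID, which the access point reports in the outer request. It assumes FreeRADIUS 3 unlang, an ldap module whose group section is configured with name_attribute = cn against the IPA group tree (so LDAP-Group compares against the group's cn), access points that send Called-Station-Id as "<AP MAC>:<SSID>", and placeholder SSID and group names (wifi, wifi-admin, wifi-users, wifi-admins).

```unlang
# /etc/raddb/sites-available/inner-tunnel  (authorize section only; the
# authenticate, session and post-auth sections stay as shipped).
# Added example; SSID and group names are placeholders.
server inner-tunnel {
    authorize {
        filter_username
        mschap
        suffix
        update control {
            &Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        ldap

        # The inner request can read the outer EAP request. Take the SSID
        # from the end of Called-Station-Id ("<AP MAC>:<SSID>").
        if (&outer.request:Called-Station-Id =~ /:([^:]+)$/) {
            update request {
                &Tmp-String-0 := "%{1}"
            }
        }

        # Each SSID carries its own group requirement. A user who is not
        # in the required IPA group is rejected before any password check.
        if (&Tmp-String-0 == "wifi-admin") {
            if (!(&LDAP-Group == "wifi-admins")) {
                reject
            }
        }
        elsif (&Tmp-String-0 == "wifi") {
            if (!(&LDAP-Group == "wifi-users")) {
                reject
            }
        }
        else {
            # Unknown or missing SSID: refuse rather than fall through to
            # the least restrictive policy.
            reject
        }

        pap
    }
}
```

Run `radiusd -X` while a client joins each SSID and check the debug output: the LDAP-Group comparison is logged with its result, so a misconfigured group section shows up as a lookup failure rather than as a silent allow.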

Re: [Freeipa-users] FreeIPA and DHCP

2015-10-18 Thread William Brown
On Fri, 2015-10-16 at 15:01 +0200, Nicola Canepa wrote:
> Hello.
> Is there a suggested way to have DHCP IP/MAC associations managed 
> through the IPA web interface?
> 
> Thank you for any pointer.

Hi,

There is currently no way to manage DHCP with FreeIPA.

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane




Re: [Freeipa-users] DDNS with DHCPD and IPA

2014-04-03 Thread William Brown
On Thu, 2014-04-03 at 11:02 -0700, Andy Tomlin wrote:
> That would be my preference, would then work same as bind/dhcpd before
> switching to ipa. I just don't know how to do it correctly.
> 
>  

This assumes dhcp and named are on the same system. 

For an unrelated project I wrote some docs here:

http://tollgate.readthedocs.org/en/3.0.1/fedora-deploy.html#core-network

And the example config files referenced are:

https://github.com/micolous/tollgate/tree/master/docs/example/fedora

The important parts are:

rndc-confgen -a -r keyboard -b 256
chown named:named /etc/rndc.key

In named.conf add after the options section:

include "/etc/rndc.key";

In the zone (in IPA you will need to add this permission to the zone's
update policy):

update-policy {
    grant rndc-key wildcard * ANY;
};

Then in dhcpd:


include "/etc/rndc.key";

And to the dhcpd range:


zone dhcp.example.lan. {
primary 127.0.0.1;
key "rndc-key";
}


zone 0.4.10.in-addr.arpa. {
primary 127.0.0.1;
key "rndc-key";
}


This should coexist peacefully with freeipa, but try to make sure your
DDNS updated zone is say dhcp.example.com rather than a zone you care
about. Consider you have a domain controller called x.example.com, and
you allow DDNS to example.com. If someone set their hostname to x, they
could take over the DNS records for your DC. Better to have a second
zone to prevent this. 

-- 
William Brown 

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
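A check for the zone-separation advice in the last paragraph of the mail above, added here as an example; it is not part of William's mail or of the tollgate documentation it links. It reads a dhcpd.conf like the one shown, lists every `zone NAME {` stanza that dhcpd will send DDNS updates for, and reports any zone that contains a host clients must never be able to overwrite, such as the domain controller. The dhcpd.conf and the host names in it are constructed. Separately, dhcpd must also be able to read the TSIG key it includes; the `chown named:named /etc/rndc.key` above restricts the key to named, so either a dedicated key for dhcpd or a group-readable copy is needed, and a dedicated key keeps each daemon limited to the zones it actually updates.

```shell
#!/bin/sh
# Added example, not from the thread: flag DDNS-updatable zones in a dhcpd
# configuration that could let a DHCP client shadow a protected host name.
# The sample dhcpd.conf and the host names below are constructed.

# dns_norm NAME: lowercase and strip one trailing dot so that
# "Example.LAN." and "example.lan" compare equal.
dns_norm() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# ddns_can_shadow FQDN ZONE
# Returns 0 when FQDN sits inside ZONE, i.e. a client that picks the
# matching hostname could overwrite FQDN's records through DDNS;
# returns 1 when ZONE is unrelated to FQDN or a child zone beside it.
ddns_can_shadow() {
    _fqdn=$(dns_norm "$1")
    _zone=$(dns_norm "$2")
    case "$_fqdn" in
        "$_zone"|*".$_zone") return 0 ;;
        *) return 1 ;;
    esac
}

# list_ddns_zones < dhcpd.conf
# Print the name of every "zone NAME {" stanza, forward and reverse.
list_ddns_zones() {
    sed -n 's/^[[:space:]]*zone[[:space:]]\{1,\}\([^[:space:]{]*\).*/\1/p'
}

# check_ddns_zones FQDN < dhcpd.conf
# Prints one RISK line per zone that contains FQDN. Returns 0 when the
# configuration is clean and 1 when at least one risky zone was found.
check_ddns_zones() {
    _status=0
    for z in $(list_ddns_zones); do
        if ddns_can_shadow "$1" "$z"; then
            echo "RISK: $1 lies inside DDNS-updatable zone $z"
            _status=1
        fi
    done
    return $_status
}

# Constructed dhcpd.conf: the first and third stanzas follow the mail's
# advice (a dedicated dhcp.example.lan zone); the second hands DDNS rights
# over the whole example.lan zone, where the domain controller lives.
SAMPLE_DHCPD_CONF='
include "/etc/rndc.key";

zone dhcp.example.lan. {
    primary 127.0.0.1;
    key "rndc-key";
}

zone example.lan. {
    primary 127.0.0.1;
    key "rndc-key";
}

zone 0.4.10.in-addr.arpa. {
    primary 127.0.0.1;
    key "rndc-key";
}
'

# Usage: check the domain controller's name against the sample config.
# Prints one RISK line naming example.lan. and returns 1.
printf '%s\n' "$SAMPLE_DHCPD_CONF" | check_ddns_zones dc1.example.lan || true
```

Run it against the real dhcpd.conf with `check_ddns_zones dc1.ipa.example.com < /etc/dhcp/dhcpd.conf` for each host whose records matter; a non-zero exit means a DHCP client choosing that hostname could replace the record.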


Re: [Freeipa-users] stopping su -

2012-07-16 Thread William Brown

> auth required pam_wheel.so root_only use_uid
> 
> But I really want to do this with IPA, or I have to get on each server and 
> add and remove admins by hand (hint: 300 servers)... that is the idea of 
> something like IPA for me: do it once centrally.
> 

Also, you can create and manage these files with spacewalk / satellite.
Though in the future arguably it would be useful for IPA to have some
level of satellite integration for this exact scenario.


-- 
Sincerely,

William Brown

pgp.mit.edu
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x3C0AC6DAB2F928A2






Re: [Freeipa-users] rfe: ldap for dhcp

2012-06-27 Thread William Brown
On 06/27/2012 12:14 AM, Simo Sorce wrote:
> On Tue, 2012-06-26 at 15:54 +0200, Natxo Asenjo wrote:
>> On Tue, Jun 26, 2012 at 3:13 PM, Stephen Gallagher wrote:
>> On Tue, 2012-06-26 at 15:02 +0200, Natxo Asenjo wrote:
>> > hi,
>> >
>> > recently it was brought to my attention that isc-dhcpd
>> version 4.2
>> > supports getting its database information from ldap. Earlier
>> versions
>> > support it as well with a patch.
>> >
>> > It would be awesome if this could be integrated in IPA.
>> >
>> > I am aware you guys have your hands full with plenty of
>> stuff, but if
>> > this could get integrated IPA would be even further ahead than AD
>> > (which as far as I know cannot do this).
>> 
>> 
>> Natxo, would you be interested in contributing this
>> functionality? If
>> you are familiar with Python, an excellent primer on FreeIPA
>> development
>> can be found at http://abbra.fedorapeople.org/guidnatxoe.html
>> 
>> The core FreeIPA team has a lot on their plate right now, so
>> any major
>> new features like this would probably need to be contributed
>> from wider
>> community or else deferred until the current crop of
>> functionality is
>> complete.
>> 
>> We'd be happy to help you along if you (or anyone else on this
>> mailing
>> list) wants to take this feature on.
>>
>> Not familiar with Python (Perl guy, basic), but I can always try
>> stuff. I am just a sysadmin :-)
>>
>> I have read the link you posted, and I think I would need a *lot* of
>> hand holding to get it in the web-ui.
>>
>> What I can try is see if it works outside of the web ui. Importing the
>> dhcp schema in the directory and filling in the dhcp objects. Then get
>> it to work with a dhcp server.
>>
>> If that works, then we can see how we get from there.
>>
>> I already appreciate you take this seriously. Thanks!
> 
> Hi Natxo,
> take a look at the freeipa-devel list,
> William Brown is working on basic integration and has sent a few mails,
> where he points at a git tree with some work.
> Maybe you can coordinate to do some testing, that would be useful.
> 
> I'm CCing him.
> 
> Simo.
> 

Hi all,

Find my work here : https://bitbucket.org/Firstyear/freeipa-dhcp

I currently have a large set of changes sitting on my laptop awaiting
push / formation of a patch for review. I'll try to send this in at some
stage today.

Take a look at
https://bitbucket.org/Firstyear/freeipa-dhcp/src/f63a7e505705/TODO.DHCP
for my "todo" list, and at
http://www.freeipa.org/page/DHCP_Integration_Design for some of my
planning about this integration. Both are subject to change in the near
future however.

At this stage, if you just pull my changes, the schema for isc-dhcp is
included and will work in a default install of FreeIPA if you feel like
manually adding in your objects. However, the risk is that in the future
the work I am doing will clobber the efforts you make in setting this up
by hand. If you are still interested in doing a setup by hand, look at
the file /usr/share/doc/dhcp-4.2.4/ldap/README.ldap from the dhcp
package on Fedora.

I'm still a way from being able to run the "ipa-dhcp-install" command,
or even testing this, but once I get to that point, I'll let you know so
you can test this out. My first goal is getting the command line tools
to be "solid" then turning my attention to the WebUI.

Feel free to chat to me about this more, on the FreeIPA-devel list, or
the #freeipa irc channel.

-- 
Sincerely,

William Brown

pgp.mit.edu
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x3C0AC6DAB2F928A2




