[Freeipa-users] migrating from OpenLDAP to freeIPA
Hi,

I am trying to migrate my database from OpenLDAP to freeIPA (ipa-server-3.0.0-37.el6.x86_64) but I get an error when freeIPA starts to import the groups (all the users were imported without problem). This is the command that I am using for the import:

ipa migrate-ds --with-compat --user-container=ou=People,dc=sample,dc=com --group-container=ou=Group,dc=sample,dc=com --bind-dn=cn=Manager,dc=sample,dc=com ldap://openldap.sample.com

ipa: ERROR: group LDAP search did not return any result (search base: ou=Group,dc=sample,dc=com, objectclass: groupofuniquenames, groupofnames)

This is how a group looks in the openldap database:

dn: cn=ftp,ou=Group,dc=sample,dc=com
objectClass: posixGroup
objectClass: top
cn: ftp
userPassword: {crypt}x
gidNumber: 50

I tried to migrate it without compat support and I got the same error. Any clue about this problem?

Thanks in advance!...

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] migrating from OpenLDAP to freeIPA
Hi Rob,

Thanks so much for your help! Our openLDAP uses the memberUid attribute because we migrated the original database from a NIS server. Your tip worked great. Just let me correct a typo: --group-objectclass=posixgroup

Thanks again,
cbu

On 05/01/2014 11:58 AM, Rob Crittenden wrote:
> cbul...@gmail.com wrote:
>> Hi,
>> I am trying to migrate my database from OpenLDAP to freeIPA
>> (ipa-server-3.0.0-37.el6.x86_64) but I get an error when freeIPA starts
>> to import the groups (all the users were imported without problem).
>> This is the command that I am using for the import:
>>
>> ipa migrate-ds --with-compat --user-container=ou=People,dc=sample,dc=com --group-container=ou=Group,dc=sample,dc=com --bind-dn=cn=Manager,dc=sample,dc=com ldap://openldap.sample.com
>>
>> ipa: ERROR: group LDAP search did not return any result (search base: ou=Group,dc=sample,dc=com, objectclass: groupofuniquenames, groupofnames)
>>
>> This is how a group looks in the openldap database:
>>
>> dn: cn=ftp,ou=Group,dc=sample,dc=com
>> objectClass: posixGroup
>> objectClass: top
>> cn: ftp
>> userPassword: {crypt}x
>> gidNumber: 50
>>
>> I tried to migrate it without compat support and I got the same error.
>> Any clue about this problem?
>>
>> Thanks in advance!...
>
> We look for RFC2307(bis) groups with an objectclass of either
> groupOfUniqueNames or groupOfNames. How does your group have any members
> without one of these?
>
> You should be able to pull these in with --groupobjectclass=posixgroup
>
> rob
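A pre-migration check for the situation in this thread, added here as an example and not part of the original posts or of FreeIPA itself: it parses an LDIF export of the group container, counts the objectClasses in use, reports whether each group carries memberUid (RFC2307, the usual shape after a NIS import) or member DNs (RFC2307bis), and emits the --group-objectclass flags needed so the migrate-ds group search matches something. The three sample groups are constructed (only cn=ftp comes from the thread); the assumption that --group-objectclass is repeated once per class is mine and should be checked against ipa migrate-ds --help on your release.

```python
"""Pre-flight for ipa migrate-ds: what does the group container actually contain?

Added example (not FreeIPA code). Parses an ldapsearch-style LDIF export
and reports the objectClasses and membership attributes in use, so the
--group-objectclass flags can be chosen before running the migration.
"""
import base64
from collections import Counter

# Constructed sample export of ou=Group; only cn=ftp comes from the thread.
SAMPLE_GROUP_LDIF = """\
dn: ou=Group,dc=sample,dc=com
objectClass: organizationalUnit
ou: Group

dn: cn=ftp,ou=Group,dc=sample,dc=com
objectClass: posixGroup
objectClass: top
cn: ftp
userPassword: {crypt}x
gidNumber: 50

dn: cn=admins,ou=Group,dc=sample,dc=com
objectClass: posixGroup
objectClass: top
cn: admins
gidNumber: 501
memberUid: alice
memberUid: bob

dn: cn=dev,ou=Group,dc=sample,dc=com
objectClass: groupOfNames
objectClass: top
cn: dev
description:: ZMOpdmVsb3BwZXVycw==
member: uid=alice,ou=People,dc=sample,dc=com
"""

# Search used by migrate-ds when no --group-objectclass is given (from Rob's reply).
DEFAULT_GROUP_CLASSES = ("groupofuniquenames", "groupofnames")


def parse_ldif(text):
    """Return a list of entries, each {attribute_lowercase: [values]}.

    Handles folded continuation lines (leading space), '#' comments and
    base64 values ('attr:: ...'). Enough for an 'ldapsearch -LLL' dump."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = {}
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def groups_under(entries, container_dn):
    """Entries below container_dn (the container entry itself is skipped)."""
    suffix = "," + container_dn.lower()
    return [e for e in entries if e["dn"][0].lower().endswith(suffix)]


def objectclass_counts(groups):
    counts = Counter()
    for g in groups:
        counts.update(oc.lower() for oc in g.get("objectclass", []))
    return counts


def membership_report(groups):
    """Per group: 'memberUid' (RFC2307, typical after a NIS import),
    'member DN' (RFC2307bis groupOfNames/groupOfUniqueNames) or 'no members'."""
    report = {}
    for g in groups:
        cn = g["cn"][0]
        if "memberuid" in g:
            report[cn] = "memberUid"
        elif "member" in g or "uniquemember" in g:
            report[cn] = "member DN"
        else:
            report[cn] = "no members"
    return report


def group_objectclass_flags(groups):
    """--group-objectclass flags so the migrate-ds search matches every group
    class present; an empty list means the defaults already cover the export.
    Assumption: the option is repeated once per class."""
    present = set(objectclass_counts(groups)) - {"top"}
    wanted = present & (set(DEFAULT_GROUP_CLASSES) | {"posixgroup"})
    if wanted <= set(DEFAULT_GROUP_CLASSES):
        return []
    return ["--group-objectclass=%s" % oc for oc in sorted(wanted)]


def preflight(ldif_text, container_dn):
    groups = groups_under(parse_ldif(ldif_text), container_dn)
    return {
        "groups": len(groups),
        "objectclasses": dict(objectclass_counts(groups)),
        "membership": membership_report(groups),
        "flags": group_objectclass_flags(groups),
    }


if __name__ == "__main__":
    for key, val in preflight(SAMPLE_GROUP_LDIF, "ou=Group,dc=sample,dc=com").items():
        print("%-14s %s" % (key, val))
```

Run it against the output of an ldapsearch of your real --group-container before the migration; a group that shows up as "no members" (like cn=ftp above) will be created empty in IPA, and a memberUid-only export tells you the membership follows RFC2307 rather than the RFC2307bis member DNs the default search expects.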
[Freeipa-users] Using local sudoers file
I would like to continue using the sudoers file for a while before migrating it to freeipa. I changed nsswitch.conf to use sudo just from the file, but when I try some command that needs sudo privileges I get the error:

sudo: pam_ldap: ldap_search_s No such object

I followed the recommendations from:
www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
but when I add sudo to the services in sssd.conf and restart the sssd service it fails with a configuration error.

- ipa-server 3.0.0-26 (Red Hat 6.4)
- ipa-client 2.1.3-7 (Red Hat 5.8)

Any recommendation about this problem?

Thanks!
Re: [Freeipa-users] Force to change password in first login
Rodney,

Thanks! I forgot it totally...

Let me ask you about modifying the password using the ldapmodify command. I tried changing the userPassword attribute with {MD5} encryption and it did not work.

ldapmodify -x -H ldap://ipaserver -D "cn=directory manager" -w 'password' <<EOF
changetype: modify
replace: userPassword
userPassword: {MD5}QvdJref54ZW/R183pEyvyw==
EOF

Do I need to modify another attribute? Any clue?

Thanks in advance!

On 10/08/2013 12:07 PM, Rodney L. Mercer wrote:
> I've used this to extend the password expiration. It should work for
> setting an expired password expiration. You have to hit enter twice after
> the krbPasswordExpiration: 2013100800Z line.
>
> # ldapmodify -x -D 'cn=Directory Manager' -W
> Enter LDAP Password:
> dn: uid=username,cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> replace: krbPasswordExpiration
> krbPasswordExpiration: 2013100800Z
>
> modifying entry uid=username,cn=users,cn=accounts,dc=example,dc=com
> ctrl-d
>
> On Tue, 2013-10-08 at 11:51 -0500, cbul...@gmail.com wrote:
>> Hi All,
>> I created a script to add users to freeipa using the ldapadd command and
>> it works great. Now I want to forcibly change the password at the first
>> user login. What attribute do I have to change to accomplish this?
>> Thanks!
Re: [Freeipa-users] Force to change password in first login
Thanks Rob and Rodney! Your recommendations worked.

On 10/08/2013 12:53 PM, Rob Crittenden wrote:
> Rodney L. Mercer wrote:
>> I've used grub-md5-crypt to create a password for an openldap server and
>> used this format:
>>
>> # grub-md5-crypt
>> Password:
>> Retype password:
>> $1$mGzMO1$zF/c9QxKV.ZZXwlvyR8UO1
>>
>> Here is the ldif that I used to modify the entry on the openldap server:
>>
>> # cat usermod.ldif
>> dn: uid=username,cn=users,cn=accounts,dc=example,dc=com
>> changetype: modify
>> replace: userPassword
>> userPassword: {crypt}$1$mGzMO1$zF/c9QxKV.ZZXwlvyR8UO1
>>
>> I'm not sure if this will work for the directory server that IPA uses?
>> Worth a shot I suppose.
>
> crypt will work. Or you can pass it in the clear and it will encrypt it for
> you using the default password scheme, SSHA1 IIRC.
>
> rob
>
>> Rodney.
>>
>> On Tue, 2013-10-08 at 12:28 -0500, cbul...@gmail.com wrote:
>>> Rodney,
>>> Thanks! I forgot it totally...
>>> Let me ask you about modifying the password using the ldapmodify
>>> command. I tried changing the userPassword attribute with {MD5}
>>> encryption and it did not work.
>>>
>>> ldapmodify -x -H ldap://ipaserver -D "cn=directory manager" -w 'password' <<EOF
>>> changetype: modify
>>> replace: userPassword
>>> userPassword: {MD5}QvdJref54ZW/R183pEyvyw==
>>> EOF
>>>
>>> Do I need to modify another attribute? Any clue?
>>> Thanks in advance!
>>>
>>> On 10/08/2013 12:07 PM, Rodney L. Mercer wrote:
>>>> I've used this to extend the password expiration. It should work for
>>>> setting an expired password expiration. You have to hit enter twice
>>>> after the krbPasswordExpiration: 2013100800Z line.
>>>>
>>>> # ldapmodify -x -D 'cn=Directory Manager' -W
>>>> Enter LDAP Password:
>>>> dn: uid=username,cn=users,cn=accounts,dc=example,dc=com
>>>> changetype: modify
>>>> replace: krbPasswordExpiration
>>>> krbPasswordExpiration: 2013100800Z
>>>>
>>>> modifying entry uid=username,cn=users,cn=accounts,dc=example,dc=com
>>>> ctrl-d
>>>>
>>>> On Tue, 2013-10-08 at 11:51 -0500, cbul...@gmail.com wrote:
>>>>> Hi All,
>>>>> I created a script to add users to freeipa using the ldapadd command
>>>>> and it works great. Now I want to forcibly change the password at the
>>>>> first user login. What attribute do I have to change to accomplish this?
>>>>> Thanks!
[Freeipa-users] Lock account
Hi All,

I would like to know if it is possible to lock a user account after an inactive period of time.

Thanks!
Re: [Freeipa-users] Lock account
Thanks Rob for your prompt reply and info!

On 09/27/2013 03:53 PM, Rob Crittenden wrote:
> cbul...@gmail.com wrote:
>> Hi All,
>> I would like to know if it is possible to lock a user account after an
>> inactive period of time.
>
> Not automatically, no. You'd need a cron job and an ldap query to find
> inactive users (across all IPA masters), then lock those you find.
>
> rob
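One shape the cron job Rob describes can take, added here as an example and not taken from the thread or from the FreeIPA project. The point it demonstrates is the "across all IPA masters" part: the last-login timestamp is recorded on whichever master handled the authentication, so the query has to run against every master and keep the newest value per user before anyone is declared idle. The per-master result sets are constructed; the attribute name krbLastSuccessfulAuth, the use of nsAccountLock to skip accounts that are already locked, the users base DN and ipa user-disable as the lock action are assumptions to check against your IPA version.

```python
"""Find-and-lock idle IPA accounts: the cron-job half of Rob's suggestion.

Added example, not FreeIPA code. IPA records the last successful
authentication per master (assumed attribute: krbLastSuccessfulAuth), so
the query has to run against every master and keep the newest value.
"""
from datetime import datetime, timedelta, timezone

USERS_BASE = "cn=users,cn=accounts,dc=example,dc=com"   # assumed base DN

# Constructed per-master search results (what ldapsearch would return).
# bob is idle on ipa1 but recently active on ipa2; dave is already locked.
MASTER_RESULTS = {
    "ipa1.example.com": [
        {"uid": "alice", "krbLastSuccessfulAuth": "20130925083000Z"},
        {"uid": "bob",   "krbLastSuccessfulAuth": "20130601120000Z"},
        {"uid": "carol"},
        {"uid": "dave",  "krbLastSuccessfulAuth": "20130401000000Z", "nsAccountLock": "TRUE"},
        {"uid": "admin", "krbLastSuccessfulAuth": "20130101000000Z"},
    ],
    "ipa2.example.com": [
        {"uid": "alice", "krbLastSuccessfulAuth": "20130910083000Z"},
        {"uid": "bob",   "krbLastSuccessfulAuth": "20130920120000Z"},
        {"uid": "carol"},
        {"uid": "dave",  "krbLastSuccessfulAuth": "20130401000000Z", "nsAccountLock": "TRUE"},
        {"uid": "admin", "krbLastSuccessfulAuth": "20130101000000Z"},
        {"uid": "erin",  "krbLastSuccessfulAuth": "20130501000000Z"},
    ],
}


def parse_generalized_time(value):
    """LDAP GeneralizedTime as IPA writes it, e.g. 20130925083000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def ldapsearch_argv(master, base_dn=USERS_BASE):
    """The per-master query (GSSAPI bind from a keytab owned by the cron user)."""
    return ["ldapsearch", "-LLL", "-Y", "GSSAPI", "-H", "ldaps://" + master,
            "-b", base_dn, "(objectClass=posixAccount)",
            "uid", "krbLastSuccessfulAuth", "nsAccountLock"]


def find_idle_accounts(master_results, now_gt, max_idle_days, exempt=("admin",)):
    """Return (to_disable, never_authenticated).

    to_disable: uids whose newest login across all masters is older than the
    cutoff. never_authenticated: uids with no recorded login on any master;
    reported rather than locked, so freshly created accounts are not caught."""
    cutoff = parse_generalized_time(now_gt) - timedelta(days=max_idle_days)
    newest, locked, seen = {}, set(), set()
    for entries in master_results.values():
        for e in entries:
            uid = e["uid"]
            seen.add(uid)
            if e.get("nsAccountLock", "").upper() == "TRUE":
                locked.add(uid)
            if "krbLastSuccessfulAuth" in e:
                ts = parse_generalized_time(e["krbLastSuccessfulAuth"])
                if uid not in newest or ts > newest[uid]:
                    newest[uid] = ts        # keep the newest value over all masters
    candidates = seen - locked - set(exempt)
    to_disable = sorted(u for u in candidates if u in newest and newest[u] < cutoff)
    never = sorted(u for u in candidates if u not in newest)
    return to_disable, never


def disable_commands(uids):
    """The lock step; ipa user-disable sets nsAccountLock on the entry."""
    return ["ipa user-disable %s" % uid for uid in uids]


if __name__ == "__main__":
    idle, never = find_idle_accounts(MASTER_RESULTS, "20130927155300Z", max_idle_days=90)
    for cmd in disable_commands(idle):
        print(cmd)
    print("never authenticated (review by hand):", ", ".join(never))
```

With the sample data and a 90-day threshold only erin is locked; querying ipa1 alone would also have locked bob, who logged in through ipa2 a week earlier. Keep the exempt list short and explicit, and treat the never-authenticated list as something to review rather than auto-lock.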
Re: [Freeipa-users] slapi-nis bypass Password Policies
Hi JR,

Thanks, and I'm sorry for the delay. Your idea is good and I used something like that for another openldap implementation, but in this case I need all my users to continue using their userid and password in order to log in. We use NoMachine for Remote Access and this application has problems with password expiration or password change; that is the reason why I was thinking of bypassing the password policies.

Please let me know if you need any additional information about it.

Thanks!

On 09/20/2013 04:10 PM, JR Aquino wrote:
> Is your client simply using LDAP to bind and authenticate your service?
>
> If so, you may be able to create a special dedicated sysaccount in:
> cn=sysaccounts,cn=etc,dc=domain,dc=com
>
> This account could be used to bind your service without having it be a
> member of the standard users database subjected to Password Policy
> expirations etc.
>
> You cannot hope to secure that which you do not first understand
> ~
> Jr Aquino | Sr. Information Security Specialist
> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
> GCIH | GIAC Certified Incident Handler
> GWAPT | GIAC WebApp Penetration Tester
> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
> T: +1 805.690.3478
> C: +1 805.717.0365
> jr.aqu...@citrix.com
> http://www.citrixonline.com
>
> On Sep 18, 2013, at 10:00 AM, cbul...@gmail.com wrote:
>> Hi,
>> We have a client server connected to the IPA server using NIS. It's
>> working well but we have a service running at the client server that
>> doesn't handle the password expiration properly. Is it possible to
>> bypass the Password Policies from this client server?
>> Thanks!
Re: [Freeipa-users] slapi-nis bypass Password Policies
Hi Simon,

The first option. I would like to be able to continue to authenticate even if the passwords are expired. It sounds crazy but we need to accomplish that just for one service.

Thanks in advance!

On 09/19/2013 10:28 PM, Simo Sorce wrote:
> On Wed, 2013-09-18 at 12:00 -0500, cbul...@gmail.com wrote:
>> Hi,
>> We have a client server connected to the IPA server using NIS. It's
>> working well but we have a service running at the client server that
>> doesn't handle the password expiration properly. Is it possible to
>> bypass the Password Policies from this client server?
>
> I am not sure I understand in what way you'd want to bypass them.
>
> You'd like to be able to continue to authenticate even if the passwords
> are expired? Or you just want to avoid being sent password expiration
> messages?
>
> Simo.
[Freeipa-users] slapi-nis bypass Password Policies
Hi,

We have a client server connected to the IPA server using NIS. It's working well but we have a service running at the client server that doesn't handle the password expiration properly. Is it possible to bypass the Password Policies from this client server?

Thanks!
Re: [Freeipa-users] Incorrect user information
Brian, Simo and Jakub,

Thanks so much for your help. I will create a ticket for this problem.

Thanks!

On 09/16/2013 05:31 AM, Jakub Hrozek wrote:
> On Sat, Sep 14, 2013 at 01:11:36PM -0400, Brian Lindblom wrote:
>> Of course, I would imagine that since the GECOS field is set upon
>> account creation based on the values provided for first and last name,
>> and since GECOS is not a provided field in the UI for user attributes,
>> that GECOS should be updated automatically to reflect those changes.
>> Bug perhaps?
>
> You're right, I didn't realize that the reporter was modifying first and
> last name separately, I was under the assumption he had modified GECOS.
> Thanks for pointing that out.
Re: [Freeipa-users] Incorrect user information
Hi Jakub!

Don't worry, and thanks for your help. Let me try it tomorrow and I will let you know asap.

Thanks!

On 09/10/2013 06:30 AM, Jakub Hrozek wrote:
> On Wed, Sep 04, 2013 at 11:14:50AM -0500, cbul...@gmail.com wrote:
>> Hi Jakub,
>> Thanks for your time and tips about the sssd cache!
>
> I'm sorry about the late response, I didn't flag your response when it
> came back..
>
>> I did the test; let me explain what I got:
>> - After step 4 I can see dataExpireTimestamp set to 1 for the user.
>
> OK, this is expected.
>
>> - After step 7 dataExpireTimestamp is back to 0 but the user data have
>>   not changed.
>
> This is really strange because if the dataExpireTimestamp was reset after
> the lookup, then the backend has updated the entry...and it should have
> updated the entry with the up-to-date data..
>
> Can you put debug_level=8 into the [nss] and [domain] sections and paste
> or attach the contents of /var/log/sssd/sssd_nss.log and
> /var/log/sssd/sssd_$domain.log after the request that follows the
> sss_cache run?
>
> Also in the logs you should see the server the SSSD connects to, can you
> check if there is maybe some replica that is out of sync? Unfortunately I
> can't reproduce the bug here..
>
>> The first line after the ldbsearch command is:
>> asq: Unable to register control with rootdse!
>
> No, that's an internal info, ignore this message.
>
>> Is it a problem?
>> We are not using the nscd service.
>> Please let me know if you need me to do some other tests.
>> Thanks in advance!
[Freeipa-users] slapi-nis user password error
Hi,

I have some services that need to work with a NIS server and I would like to use the slapi-nis plugin in order to use just FreeIPA as our Directory Server. The users were imported from an openldap server and the password encryption is MD5. I installed slapi-nis on the server and configured a NIS client (Red Hat 5.9) with the FreeIPA server (Red Hat 6.3, FreeIPA: 3.0.0-26). I'm able to get info on the users from the NIS client (getent passwd user_id), but when the user tries to log in to the NIS client the authentication fails. Slapi-nis was installed and configured using the default options.

Any clue about this problem, or how can I debug this?

Thanks!!
CBU
Re: [Freeipa-users] slapi-nis user password error
Hi Alexander,

Thanks so much for your reply. Do you know if there is a patch available for RH 6.3 that I can use?

Thanks again,

On 09/05/2013 09:47 AM, Alexander Bokovoy wrote:
> On Thu, 05 Sep 2013, cbul...@gmail.com wrote:
>> Hi,
>> I have some services that need to work with a NIS server and I would
>> like to use the slapi-nis plugin in order to use just FreeIPA as our
>> Directory Server. The users were imported from an openldap server and
>> the password encryption is MD5. I installed slapi-nis on the server and
>> configured a NIS client (Red Hat 5.9) with the FreeIPA server (Red Hat
>> 6.3, FreeIPA: 3.0.0-26). I'm able to get info on the users from the NIS
>> client (getent passwd user_id), but when the user tries to log in to
>> the NIS client the authentication fails. Slapi-nis was installed and
>> configured using the default options.
>> Any clue about this problem, or how can I debug this?
>
> From what you are describing, it looks like what I have fixed recently in
> slapi-nis as a side-effect of adding support for trusted domains. Not
> sure if Nalin has backported this fix to older versions (slapi-nis 0.48
> is in Fedora 19 at this point) but filing a bug against RHEL 6.3 would
> help in promoting the fix to stable packages.
Re: [Freeipa-users] slapi-nis user password error
Nalin, Alexander and Dmitri,

Thanks so much for the help and for clarifying some points for me. Yes, we are using {CRYPT}, and after configuring Kerberos for authentication we are able to log in.

Again, thanks so much!

On 09/05/2013 10:11 AM, Nalin Dahyabhai wrote:
> On Thu, Sep 05, 2013 at 09:17:36AM -0500, cbul...@gmail.com wrote:
>> The users were imported from an openldap server and the password
>> encryption is MD5.
>
> Is that {CRYPT} using an md5-based crypt, or {MD5} or {SMD5}? A client
> that's trying to check passwords using hashes which it reads via NIS is
> usually only compatible with hashes that are identified with {CRYPT}.
>
>> I installed slapi-nis on the server and configured a NIS client (Red
>> Hat 5.9) with the FreeIPA server (Red Hat 6.3, FreeIPA: 3.0.0-26). I'm
>> able to get info on the users from the NIS client (getent passwd
>> user_id), but when the user tries to log in to the NIS client the
>> authentication fails.
>
> Which authentication mechanism did you configure in combination with NIS
> for user information?
>
>> Slapi-nis was installed and configured using the default options.
>> Any clue about this problem, or how can I debug this?
>
> If you're using pam_unix (which you probably are, if you're using neither
> LDAP nor Kerberos for authenticating users), then you need to have {CRYPT}
> hashes in your user entries. If you don't have those, you'll need to
> remedy that first, by configuring the server to use the CRYPT password
> storage scheme (IIRC the default is SSHA), and then forcing some password
> changes. After that, the default configuration for the version of
> slapi-nis you have should cause them to start showing up when you use
> getent (or ypmatch) to read the user's entry from the passwd map.
>
> Then you can double-check that a password is correct by taking a hashed
> value and a candidate password and running them through something like
>
> python -c 'import crypt; print crypt.crypt(password,hash)'
>
> to check if hashing the password using the salt that's part of the hashed
> value reproduces the hashed value, which is more or less what pam_unix
> does to check the password.
>
> That all said, I'd recommend using SSSD's support for reading identity
> information via LDAP, or better still its IPA provider, which can
> interact with the IPA server when it's in migration mode, and start
> moving you toward being able to switch over to using Kerberos.
>
> HTH,
>
> Nalin
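Two threads on this page meet in the same piece of code: the "Force to change password in first login" exchange above (a {crypt} md5-crypt userPassword plus a krbPasswordExpiration set in the past) and Nalin's note here that pam_unix only works with {CRYPT} hashes and checks them by re-running crypt(3) with the salt taken from the stored value. The example below is added here and is not from the thread nor from FreeIPA or 389-ds; md5-crypt ($1$) is implemented in pure Python so nothing depends on Python's crypt module (deprecated in 3.11, removed in 3.13). The DN, passwords and salts are made up, and the example writes the full 14-digit YYYYMMDDHHMMSSZ generalized time form. The {MD5} branch is there to show what that scheme actually stores (base64 of a raw, unsalted digest) and why crypt(3) cannot consume it.

```python
"""Expired-on-creation passwords for IPA users, and checking hashes as pam_unix does.

Added example, not from the thread and not FreeIPA/389-ds code. md5-crypt
($1$) is implemented in pure Python so nothing depends on Python's crypt
module. DNs and passwords are made up.
"""
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)'s base64 variant: 'count' characters, low 6 bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password, salt):
    """Return '$1$<salt>$<22 chars>' exactly as glibc's crypt(3) computes it."""
    pw, sb = password.encode("utf-8"), salt[:8].encode("utf-8")
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    pl = len(pw)
    while pl > 0:                          # one byte of alt per byte of password
        ctx.update(alt[:min(pl, 16)])
        pl -= 16
    i = len(pw)
    while i:                               # one byte per bit of len(password)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                  # fixed 1000-round stretching
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return "$1$" + sb.decode() + "$" + enc


def new_crypt_hash(password):
    """A userPassword value with a fresh random 8-character salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return "{CRYPT}" + md5_crypt(password, salt)


def pam_unix_usable(stored):
    """pam_unix hands the stored value to crypt(3); only {CRYPT} values fit."""
    return stored.upper().startswith("{CRYPT}")


def check_password(password, stored):
    """Verify a candidate against a stored userPassword value.
    {CRYPT}$1$: re-run md5-crypt with the stored salt and compare (pam_unix's
    check). {MD5}: base64 of a raw unsalted MD5, a format crypt(3) cannot read."""
    scheme, _, data = stored.partition("}")
    scheme = scheme.lstrip("{").upper()
    if scheme == "CRYPT":
        if not data.startswith("$1$"):
            raise ValueError("only md5-crypt ($1$) is implemented here")
        salt = data.split("$")[2]
        return hmac.compare_digest(md5_crypt(password, salt), data)
    if scheme == "MD5":
        digest = hashlib.md5(password.encode("utf-8")).digest()
        return hmac.compare_digest(base64.b64encode(digest).decode(), data)
    raise ValueError("unsupported scheme " + scheme)


def generalized_time(dt):
    """LDAP GeneralizedTime in the full YYYYMMDDHHMMSSZ form."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def expire_password_ldif(dn, password, expiration_gt):
    """ldapmodify input: a {CRYPT} userPassword plus a krbPasswordExpiration
    already in the past, so IPA requires a change at the user's first login."""
    return "\n".join([
        "dn: " + dn, "changetype: modify",
        "replace: userPassword", "userPassword: " + new_crypt_hash(password), "-",
        "replace: krbPasswordExpiration", "krbPasswordExpiration: " + expiration_gt, "-",
        "",
    ])


if __name__ == "__main__":
    past = generalized_time(datetime(2013, 10, 8, tzinfo=timezone.utc))
    print(expire_password_ldif("uid=username,cn=users,cn=accounts,dc=example,dc=com",
                               "ChangeMe-2013", past))
```

Pipe the printed LDIF into ldapmodify as Directory Manager, as in the thread. A {CRYPT} value stored this way is what slapi-nis can publish in the passwd map and what pam_unix can verify; the md5-crypt rounds are cheap by modern standards, so treat this as a migration-time compatibility format and move the clients to Kerberos as Nalin suggests.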
Re: [Freeipa-users] Incorrect user information
Hi Jakub,

Thanks for your time and tips about the sssd cache!

I did the test; let me explain what I got:

- After step 4 I can see dataExpireTimestamp set to 1 for the user.
- After step 7 dataExpireTimestamp is back to 0 but the user data have not changed.

The first line after the ldbsearch command is:

asq: Unable to register control with rootdse!

Is it a problem?

We are not using the nscd service.

Please let me know if you need me to do some other tests.

Thanks in advance!

On 09/04/2013 10:31 AM, Jakub Hrozek wrote:
> On Wed, Sep 04, 2013 at 10:18:13AM -0500, cbul...@gmail.com wrote:
>> Hi Chris,
>> Thanks for your reply! I forgot to mention that we tried sss_cache
>> (sss_cache -u user_id and sss_cache -U) on another RH6 ipa client and
>> it did not work... If we manually delete everything in /var/lib/sss/db
>> we can see the change, but it is not going to be a nice solution.
>
> This sounds really strange. Can you run a little experiment for me?
>
> Can you install the ldb-tools package and then run:
>
> 1) getent passwd $username
> 2) ldbsearch -H /var/lib/sss/db/cache_$domain.ldb name=$username
> 3) modify the entry
> 4) sss_cache -U
> 5) ldbsearch -H /var/lib/sss/db/cache_$domain.ldb name=$username
> 6) getent passwd $username
> 7) ldbsearch -H /var/lib/sss/db/cache_$domain.ldb name=$username
>
> after you run 2) you should see how the entry looks in the cache with the
> old attributes. After running 5) you should see the same attributes,
> except for dataExpireTimestamp that should be set to 1. After running 6),
> getent should yield the updated data and 7) should reflect
[Freeipa-users] Incorrect user information
Hi,

We have a freeipa server (RedHat 6.3, freeipa: 3.0.0-26) and a freeipa client (RedHat 5.9, freeipa client 2.1.3-5) working in our testing scenario without further problems. We are able to use SUDO, HBAC etc. Our problem is when we change user info (Name or Last Name) and check it using the command:

getent passwd id_user

it shows us the older user information. We set entry_cache_user_timeout = 0 in the sssd.conf file in order to clear the cache data but it did not work. Also we tried with the use_fully_qualified_domains attribute as recommended in:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html#idp26289072

but it was not helpful. If we check the user info using the ldapsearch command we can see the right user information. Changing the uid or gid, we see the new change right away.

Any clue about this problem?

Thanks!
CBU