Re: [Freeipa-users] Deploying freeipa behind nginx
Yes it works if I specify the -s as ldap.mycorp.com. So we have progress!

It now appears to authenticate fine when it posts the session but I have a new error. I get:

    Ipa Error 911 Missing HTTP referer.
    You have to configure your browser to send HTTP referer header.

I assume this is because the external name doesn't match the internal name. Is there a way to modify this somewhere?

Thanks.

Steve

On Mon, Feb 3, 2014 at 4:40 AM, Sumit Bose <sb...@redhat.com> wrote:
> On Fri, Jan 31, 2014 at 01:50:58PM -0800, Steve Severance wrote:
>> Hi Sumit,
>>
>> That does indeed work. What does that tell us?
>
> I'm sorry, but it only tells that in general GSSAPI/Kerberos is working. I think it does not help much with your original issue.
>
> About ipa-getkeytab, does it work if you specify the server with the -s/--server option?
>
> bye,
> Sumit
>
>> Steve
>>
>> On Wed, Jan 29, 2014 at 12:11 AM, Sumit Bose <sb...@redhat.com> wrote:
>>> On Tue, Jan 28, 2014 at 02:29:07PM -0800, Steve Severance wrote:
>>> [...]

-- 
Steve Severance
Director of Engineering
Altos Research
e. st...@altosresearch.com
m. (240) 472 - 9645

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Deploying freeipa behind nginx
On Mon, 03 Feb 2014, Steve Severance wrote:
> Yes it works if I specify the -s as ldap.mycorp.com. So we have progress!
>
> It now appears to authenticate fine when it posts the session but I have a new error. I get:
>
>     Ipa Error 911 Missing HTTP referer.
>     You have to configure your browser to send HTTP referer header.
>
> I assume this is because the external name doesn't match the internal name. Is there a way to modify this somewhere?

You can read https://bugzilla.redhat.com/show_bug.cgi?id=747710 for details and https://rhn.redhat.com/errata/RHSA-2011-1533.html is the security errata addressing it.

We are deliberately closing cross-site forgery by enforcing HTTP referrer checks. Your nginx proxy would be a middle man which we are attempting to protect against.

Recent discussions on how to allow your use case but still keep the security tight can be seen here: http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8920 (latter part of the thread). Discussion stalled since then.

> Thanks.
>
> Steve
>
> On Mon, Feb 3, 2014 at 4:40 AM, Sumit Bose <sb...@redhat.com> wrote:
> [...]

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] Deploying freeipa behind nginx
So I understand the mitigation of CSRF attacks. I would like ipa to be able to handle a specific set of referers. My use case may be less common since my freeipa instance is handling our server infrastructure, not desktops.

I have everything working now. Here is an example nginx server config in case anyone else needs it:

    server {
        server_name ipa.corp.com;
        listen 443 ssl;

        location / {
            # rewrite the domain in Set-Cookie so the browser keeps the session cookie for the external name
            proxy_cookie_domain ldap.corp.com ipa.corp.com;
            proxy_pass https://ldap.corp.com/;
            # send the internal UI URL as Referer so the IPA referer check passes
            proxy_set_header Referer https://ldap.corp.com/ipa/ui;
        }
    }

ipa.corp.com would be the external server and ldap.corp.com would be the internal server.

Thanks for your help.

Steve

On Mon, Feb 3, 2014 at 11:10 AM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Mon, 03 Feb 2014, Steve Severance wrote:
> [...]
>
> You can read https://bugzilla.redhat.com/show_bug.cgi?id=747710 for details and https://rhn.redhat.com/errata/RHSA-2011-1533.html is the security errata addressing it.
>
> We are deliberately closing cross-site forgery by enforcing HTTP referrer checks. Your nginx proxy would be a middle man which we are attempting to protect against.
>
> Recent discussions on how to allow your use case but still keep the security tight can be seen here: http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8920 (latter part of the thread). Discussion stalled since then.
>
> [...]
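The trade-off Alexander raises and the config above make is easiest to see with a small model. The following Python is an added example written for this archive page; it is not FreeIPA's code and not from the thread. It models a server-side Referer check of the kind FreeIPA enforces (the real check lives in the IPA server and differs in detail), then runs constructed sample requests through two proxy behaviours: the hard-coded Referer from the nginx config above, and a narrower rewrite that only translates a Referer already pointing at the external UI name. The hostnames, paths and sample headers are assumptions made up for the demonstration.

```python
"""
Added example (not FreeIPA's code, not from the thread): a toy model of the
HTTP Referer check that FreeIPA's web API enforces as CSRF mitigation, and of
two ways a reverse proxy can rewrite the Referer header before forwarding.

Assumptions (constructed for this example):
  - internal IPA server https://ldap.corp.com, UI under /ipa/ui, check accepts
    Referer values on that host under /ipa
  - external proxy name https://ipa.corp.com
"""
from urllib.parse import urlsplit

INTERNAL_UI = "https://ldap.corp.com/ipa/ui"   # assumed internal UI URL
EXTERNAL_UI = "https://ipa.corp.com/ipa/ui"    # assumed external (proxy) UI URL


def referer_check(headers: dict) -> bool:
    """Model of the server-side check: the request must carry a Referer whose
    scheme and host match the IPA server and whose path is under /ipa.
    Returns True when the request would be accepted."""
    referer = headers.get("Referer")
    if not referer:
        return False  # the "Missing HTTP referer" case from the thread
    expected = urlsplit(INTERNAL_UI)
    got = urlsplit(referer)
    return (got.scheme == expected.scheme
            and got.netloc == expected.netloc
            and got.path.startswith("/ipa"))


def proxy_hardcode(headers: dict) -> dict:
    """Behaviour of 'proxy_set_header Referer <internal UI>': every forwarded
    request gets a valid Referer, whatever the browser sent (or did not send)."""
    out = dict(headers)
    out["Referer"] = INTERNAL_UI
    return out


def proxy_rewrite_only_own(headers: dict) -> dict:
    """Narrower behaviour: translate a Referer only when it already points at
    the external UI name; forward anything else unchanged, so the server's
    check still rejects requests that did not originate from the UI."""
    out = dict(headers)
    referer = out.get("Referer")
    if referer and referer.startswith(EXTERNAL_UI):
        out["Referer"] = INTERNAL_UI + referer[len(EXTERNAL_UI):]
    return out


# Constructed sample requests as a browser would send them to the proxy.
SAMPLE_REQUESTS = {
    "ui_request": {"Referer": "https://ipa.corp.com/ipa/ui/", "Cookie": "ipa_session=sample"},
    "no_referer": {"Cookie": "ipa_session=sample"},
    "cross_site": {"Referer": "https://other.example/page", "Cookie": "ipa_session=sample"},
}


def evaluate(proxy) -> dict:
    """Run each sample request through a proxy behaviour and then the check;
    the result maps request name -> accepted by the server (True/False)."""
    return {name: referer_check(proxy(h)) for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, proxy in (("hardcode", proxy_hardcode),
                        ("rewrite_only_own", proxy_rewrite_only_own)):
        print(name, evaluate(proxy))
```

With the hard-coded header every request that reaches the proxy is accepted, including the request carrying a foreign Referer and the one carrying none, so the check Alexander describes is no longer being made for traffic that comes in through ipa.corp.com. With the narrower rewrite only the request that actually came from the external UI is accepted. In nginx the second behaviour can be expressed with a `map` over `$http_referer` (in the `http` block) that yields the translated value for referers starting with the external UI URL and `$http_referer` otherwise, and then `proxy_set_header Referer` with that variable; that configuration is an assumption of this note, not something the thread tested.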
Re: [Freeipa-users] Deploying freeipa behind nginx
Hi Dmitri,

I am using FreeIPA 3.1.5 on Fedora 18. The design basically looks like the following. All of this is hosted at AWS in our VPC. The nginx box is on a web addressable subnet while the FreeIPA box is on a private subnet that is not internet accessible. My goal is to be able to use the web UI from our office without having to invest in a hardware VPN connection. So nginx basically just acts as a reverse proxy and creates the connection on the user's behalf to the ipa server.

I can log into other machines I have both in our private data center and in AWS using ipa and that works great as far as I can tell.

Any more information I can supply?

Thanks.

Steve

On Wed, Jan 29, 2014 at 4:18 AM, Dmitri Pal <d...@redhat.com> wrote:
> On 01/28/2014 05:29 PM, Steve Severance wrote:
> [...]
>
> To be able to help a small diagram would be really helpful. The error above indicates that there is an entity that tries to connect to the LDAP using Kerberos GSSAPI and can't because it either does not have kerberos identity or keys or it is misconfigured and can't get to them. The diagram of request flow would help to troubleshoot the issue.
>
> What version of FreeIPA are you using? What platform?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Deploying freeipa behind nginx
On Tue, Jan 28, 2014 at 02:29:07PM -0800, Steve Severance wrote:
> Hi Everyone,
>
> [...]
>
> I found this thread (https://www.redhat.com/archives/freeipa-users/2013-August/msg00080.html) which has instructions on adding ipa.mydomain.com to the keytab. When I call ipa-getkeytab it hangs for a bit before returning:
>
>     ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> Digging into this if I run:
>
>     ldapsearch -d 1 -v -H ldaps://ldap.mydomain.com
>
> I get:
>
>     ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>         additional info: SASL(-4): no mechanism available:

Does it work if you add the mechanism explicitly, e.g. 'ldapsearch -Y GSSAPI'?

bye,
Sumit

> So we seem to have a SASL problem. If I run ldapsearch with -x simple authentication works just fine. Do I need to do something special to enable SASL so I can get the keytab? The ipa-getkeytab command does not seem to have an option to use simple authentication.
>
> Thanks.
>
> Steve
Re: [Freeipa-users] Deploying freeipa behind nginx
On 01/28/2014 05:29 PM, Steve Severance wrote:
> Hi Everyone,
>
> [...]
>
> When I call ipa-getkeytab it hangs for a bit before returning:
>
>     ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> Digging into this if I run:
>
>     ldapsearch -d 1 -v -H ldaps://ldap.mydomain.com
>
> I get:
>
>     ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>         additional info: SASL(-4): no mechanism available:
>
> So we seem to have a SASL problem. If I run ldapsearch with -x simple authentication works just fine. Do I need to do something special to enable SASL so I can get the keytab? The ipa-getkeytab command does not seem to have an option to use simple authentication.
>
> Thanks.
>
> Steve

To be able to help a small diagram would be really helpful. The error above indicates that there is an entity that tries to connect to the LDAP using Kerberos GSSAPI and can't because it either does not have kerberos identity or keys or it is misconfigured and can't get to them. The diagram of request flow would help to troubleshoot the issue.

What version of FreeIPA are you using? What platform?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
[Freeipa-users] Deploying freeipa behind nginx
Hi Everyone,

I have deployed freeipa inside our production network. I want to be able to access the web ui so I am attempting to add it to our nginx edge machine. I can pass the requests upstream just fine but I am unable to log in using a username/password.

I have enabled password authentication in the kerberos section of the freeipa httpd config file. In the logs it looks like the authentication succeeds and a ticket is issued. I assume that the cookie that is returned (ipa_session) has the authentication information in it. The subsequent call to get json data fails and I am prompted to log in again.

I found this thread (https://www.redhat.com/archives/freeipa-users/2013-August/msg00080.html) which has instructions on adding ipa.mydomain.com to the keytab. When I call ipa-getkeytab it hangs for a bit before returning:

    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Digging into this, if I run:

    ldapsearch -d 1 -v -H ldaps://ldap.mydomain.com

I get:

    ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available:

So we seem to have a SASL problem. If I run ldapsearch with -x, simple authentication works just fine. Do I need to do something special to enable SASL so I can get the keytab? The ipa-getkeytab command does not seem to have an option to use simple authentication.

Thanks.

Steve