[Freeipa-users] Approach to allowing users access to NFS with kerberos through containers

2020-03-11 Thread Kevin Vasko via FreeIPA-users
Our users on their local machines (which are enrolled into our domain/realm) 
access (mount read/write) our NFS shares as they need with their LDAP accounts. 

We want to allow users to use Docker containers to mount/access these 
same NFS servers. These containers are short-lived, so enrolling them into 
the realm wouldn't be feasible. Is there a short circuit to allow users to have 
access to their Kerberos tickets so they can mount the NFS stores? Or is this a 
bad idea? 

-Kevin
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: Managing different Sub CAs in FreeIPA without their shared Root CA

2020-03-11 Thread Florence Blanc-Renaud via FreeIPA-users

On 3/11/20 5:01 PM, Alexander Petrenz via FreeIPA-users wrote:
> Hi,
> I'm new to FreeIPA and I have a conceptual question.
>
> I have an existing PKI infrastructure with one root CA and three derived
> Sub-CAs.
> Now I want to change the PKI management over to FreeIPA without replacing
> the already existing Sub-CAs.
>
> My first question is: Is it possible to have more than one external CA
> (via installation with "external-ca") in FreeIPA? The goal is to import
> the three existing external Sub-CAs with their keys into FreeIPA. I have
> found various sources from around 2015 saying that such a feature would
> be implemented later, but I didn't find any information on whether it
> has been implemented yet or not.
> Furthermore, I don't want to import the root CA with its key into FreeIPA.
> As far as I understood, this would be a security benefit if the IPA server
> were compromised. If that idea is wrong, I would be happy to get some
> advice on this.


Hi,
when the command ipa-server-install --external-ca is used, it means that 
IPA will also host a CA service with its own cert, but that cert is 
signed by a single external CA. So no, it's not possible to have 
multiple external CAs signing the IPA CA. The chain is External CA > IPA CA.

On the other hand, you may want to install other external CA certs in 
IPA using ipa-cacert-manage install / ipa-certupdate. With this command 
the CA certs are appended to the trusted CAs, and the clients will also 
download and install them in their trust stores.

In all cases, the external CA and sub-CA keys won't be imported into 
IPA, only the public certificates.

Hope this clarifies,
flo


> Thanks
> Alexander


[Freeipa-users] Re: Issue with Using 3rd part certificates for HTTP/LDAP

2020-03-11 Thread Rob Crittenden via FreeIPA-users
dmitriys via FreeIPA-users wrote:
> Hi!
> I rebuilt my server; now I use CentOS 8.
> I installed FreeIPA:
> # ipa-server-install
> and tried to change the self-signed certificate to a Comodo one.
> My steps:
> - get root CA from gogetssl.com
> - ipa-cacert-manage -p password -n ARAX -t C,, install /root/ca.crt
> - ipa-certupdate
> - ipa-server-certinstall -w -d /root/httpd_arax.key /root/httpd_arax.crt
> and here I get an error:
> Directory Manager password:
> 
> Enter private key unlock password:
> 
> Peer's certificate issuer is not trusted (certutil: certificate is invalid: 
> Peer's Certificate issuer is not recognized.
> ). Please run ipa-cacert-manage install and ipa-certupdate to install the CA 
> certificate.
> The ipa-server-certinstall command failed.
> 
> How can I fix it?

You need the entire CA chain and not just the root. You're likely
missing one or more subordinates. Find those and install them the same
way using ipa-cacert-manage.

rob
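As an added example (not Rob's or the FreeIPA project's code), a small POSIX shell check that tells you, before running ipa-server-certinstall, whether a CA bundle actually covers a server certificate's whole issuing chain. It relies only on the openssl CLI; the file names are placeholders for whatever the operator has, and the "missing CA" it reports is simply the issuer the chain stops at.

```shell
#!/bin/sh
# Added example, not from this thread or the FreeIPA project: check that a
# CA bundle carries the complete issuing chain of a server certificate
# before handing the pair to ipa-server-certinstall. Only the openssl CLI
# is used; file names are whatever the operator passes in.

# check_chain LEAF BUNDLE
# Returns 0 when BUNDLE verifies LEAF up to a self-signed root. On failure
# it prints LEAF's issuer, which names the next CA still missing from the
# bundle (typically a subordinate CA when only the root was installed).
check_chain() {
    leaf=$1
    bundle=$2
    if openssl verify -CAfile "$bundle" "$leaf" >/dev/null 2>&1; then
        echo "chain complete: $leaf verifies against $bundle"
        return 0
    fi
    echo "chain incomplete: $leaf does not verify against $bundle"
    echo "issuer of $leaf, not found in the bundle: $(openssl x509 -in "$leaf" -noout -issuer)"
    return 1
}

# bundle_subjects BUNDLE
# Lists subject and issuer of every certificate in BUNDLE so the operator
# can see which CAs are already present before adding the missing ones
# with ipa-cacert-manage install.
bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Usage: sh check_chain.sh /root/httpd_arax.crt /root/ca.crt
if [ "$#" -ge 2 ]; then
    bundle_subjects "$2"
    check_chain "$1" "$2"
fi
```

Run it with the server certificate and the bundle you intend to install; if it reports the chain as incomplete, the printed issuer is the subordinate CA you still need to add with ipa-cacert-manage before ipa-certupdate and ipa-server-certinstall will succeed.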


[Freeipa-users] Re: Issue with Using 3rd part certificates for HTTP/LDAP

2020-03-11 Thread dmitriys via FreeIPA-users
Hi!
I rebuilt my server; now I use CentOS 8.
I installed FreeIPA:
# ipa-server-install
and tried to change the self-signed certificate to a Comodo one.
My steps:
- get root CA from gogetssl.com
- ipa-cacert-manage -p password -n ARAX -t C,, install /root/ca.crt
- ipa-certupdate
- ipa-server-certinstall -w -d /root/httpd_arax.key /root/httpd_arax.crt
and here I get an error:
Directory Manager password:

Enter private key unlock password:

Peer's certificate issuer is not trusted (certutil: certificate is invalid: 
Peer's Certificate issuer is not recognized.
). Please run ipa-cacert-manage install and ipa-certupdate to install the CA 
certificate.
The ipa-server-certinstall command failed.

How can I fix it?


[Freeipa-users] Managing different Sub CAs in FreeIPA without their shared Root CA

2020-03-11 Thread Alexander Petrenz via FreeIPA-users
Hi,
I'm new to FreeIPA and I have a conceptual question.

I have an existing PKI infrastructure with one root CA and three derived
Sub-CAs.
Now I want to change the PKI management over to FreeIPA without replacing
the already existing Sub-CAs.

My first question is: Is it possible to have more than one external CA
(via installation with "external-ca") in FreeIPA? The goal is to import
the three existing external Sub-CAs with their keys into FreeIPA. I have
found various sources from around 2015 saying that such a feature would
be implemented later, but I didn't find any information on whether it
has been implemented yet or not.
Furthermore, I don't want to import the root CA with its key into FreeIPA.
As far as I understood, this would be a security benefit if the IPA server
were compromised. If that idea is wrong, I would be happy to get some
advice on this.

Thanks
Alexander


[Freeipa-users] Re: External & Letsencrypt Certificate | Failed on IPA update.

2020-03-11 Thread Faraz Younus via FreeIPA-users
I have added the freeipa-users list to this thread as well.

On Wed, Mar 11, 2020 at 6:31 PM Rob Crittenden  wrote:

> Faraz Younus wrote:
> > Thanks, pasted the text instead of screenshots.
>
> This will work. Can you post this to the freeipa-users list?
>
> rob
>
> >
> > First it failed, then it succeeded, but after that LDAP was broken.
> >
> > palib.install.certmonger: DEBUG: certmonger request is in state
> > dbus.String(u'CA_UNREACHABLE', variant_level=1)
> >
> > ipapython.admintool: DEBUG:   File
> > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in
> > execute
> >
> > return_value = self.run()
> >
> >   File
> > "/usr/lib/python2.7/site-packages/ipaclient/install/ipa_certupdate.py",
> > line 62, in run
> >
> > run_with_args(api)
> >
> >   File
> > "/usr/lib/python2.7/site-packages/ipaclient/install/ipa_certupdate.py",
> > line 112, in run_with_args
> >
> > update_server(certs)
> >
> >   File
> > "/usr/lib/python2.7/site-packages/ipaclient/install/ipa_certupdate.py",
> > line 192, in update_server
> >
> > "please check the request manually" % request_id)
> >
> >
> > ipapython.admintool: DEBUG: The ipa-certupdate command failed,
> > exception: ScriptError: Error resubmitting certmonger request
> > '20200311065837', please check the request manually
> >
> > ipapython.admintool: ERROR: Error resubmitting certmonger request
> > '20200311065837', please check the request manually
> >
> > ipapython.admintool: ERROR: The ipa-certupdate command failed.
> >
> > [root@sg ansible]# kinit admin
> >
> > Password for ad...@fixedandmobile.com  >:
> >
> >
> > [root@sg ansible]# klist -kt /etc/krb5.keytab
> >
> > Keytab name: FILE:/etc/krb5.keytab
> >
> > KVNO Timestamp Principal
> >
> >  -
> > 
> >
> >3 03/11/20 07:15:51 host/sg.fixedandmobile@fixedandmobile.com
> > 
> >
> >3 03/11/20 07:15:51 host/sg.fixedandmobile@fixedandmobile.com
> > 
> >
> > [root@sg ansible]# ipa-certupdate -v
> >
> > ipapython.admintool: DEBUG: Not logging to a file
> >
> > ipalib.plugable: DEBUG: importing all plugin modules in
> > ipaclient.remote_plugins.schema$79e69edd...
> >
> > ipalib.plugable: DEBUG: importing plugin module
> > ipaclient.remote_plugins.schema$79e69edd.plugins
> >
> > ipalib.plugable: DEBUG: importing all plugin modules in
> ipaclient.plugins...
> >
> > ipalib.plugable: DEBUG: importing plugin module
> ipaclient.plugins.automember
> >
> > ipalib.plugable: DEBUG: importing plugin module
> ipaclient.plugins.automount
> >
> > ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.ca
> > 
> >
> > ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.cert
> >
> > ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.certmap
> >
> > ipalib.plugable: DEBUG: importing plugin module
> > ipaclient.plugins.certprofile
> >
> > ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.csrgen
> >
> > ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.dns
> >
> > ipalib.plugable: DEBUG: importing plugin module
> ipaclient.plugins.hbacrule
> >
> > ipalib.plugable: DEBUG: importing plugin module
> ipaclient.plugins.hbactest
> >
> > ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.host
> >
> > ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.idrange
> >
> > ipalib.plugable: DEBUG: importing plugin module
> ipaclient.plugins.internal
> >
> > ipalib.plugable: DEBUG: importing plugin module
> ipaclient.plugins.location
> >
> > ipalib.plugable: DEBUG: importing plugin module
> ipaclient.plugins.migration
> >
> > ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.misc
> >
> > ipalib.plugable: DEBUG: importing plugin module
> ipaclient.plugins.otptoken
> >
> > ipalib.plugable: DEBUG: importing plugin module
> > ipaclient.plugins.otptoken_yubikey
> >
> > ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.passwd
> >
> > ipalib.plugable: DEBUG: importing plugin module
> ipaclient.plugins.permission
> >
> > ipalib.plugable: DEBUG: importing plugin module
> ipaclient.plugins.rpcclient
> >
> > ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.server
> >
> > ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.service
> >
> > ipalib.plugable: DEBUG: importing plugin module
> ipaclient.plugins.sudorule
> >
> > ipalib.plugable: DEBUG: importing plugin module
> ipaclient.plugins.topology
> >
> > ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.trust
> >
> > ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.user
> >
> > ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.vault
> >
> > ipalib.rpc: DEBUG: failed to find session_cookie in persistent storage
> > for principal 

[Freeipa-users] Re: IPA CA renewal and duplicate CA certs

2020-03-11 Thread Rob Crittenden via FreeIPA-users
Alexander Bokovoy via FreeIPA-users wrote:
> On ke, 11 maalis 2020, Rob Crittenden wrote:
>> Alexander Bokovoy wrote:
>>> On ke, 11 maalis 2020, Fraser Tweedale via FreeIPA-users wrote:
>>>>> Makes me look at this a different way. Perhaps change the certstore to
>>>>> only return valid CA certs. That way they are stored if anyone ever
>>>>> wants them but they won't get pulled down for ipa-certupdate or
>>>>> ipaclient-install.
>>>>>
>>>>> Or to try the ipa-cacert-manage route, it was mostly the UI part for why
>>>>> I didn't do it. I wasn't sure if the best way would be to interactively
>>>>> show each cert and do a delete Y/N or what. Perhaps a delete with
>>>>> --expired-only to do the cleanup. I'm open to suggestions.
>>>>>
>>>>> rob
>>>>>
>>>>
>>>> I think it's fine to change ipa-certupdate so it skips expired /
>>>> not-yet-valid certs.
>>>>
>>>> IMO we should never automatically prune expired certs from the LDAP
>>>> trust store, so that if customer needs to do time travel to fix an
>>>> issue, the old CA certs will still be there and an ipa-certupdate
>>>> will "restore" them to the various certificate DBs.
>>>>
>>>> And for the same reason, I'd be hesitant to offer a UI to prune
>>>> expired certs from the trust store.
>>>
>>> I agree. So, we still need a ticket for ipa-certupdate to gain an
>>> explicit option to ignore expired certs.
>>>
>>>
>>
>> IMHO it should be the default for certstore.get_ca_certs(). I opened
>> https://pagure.io/freeipa/issue/8223
>>
>> I don't know of a case where we would want to fetch non-valid CA
>> certificates, please update the ticket if you know of any.
> 
> Valid from which point of view? A system we run on? E.g. based on the
> local time setup?
> 

Correct, local time.

Francois updated the issue to indicate that the expired CA first causes
issues. I wonder if we should test sorting by expiration date instead.

rob
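The policy this thread converges on (skip expired and not-yet-valid CA certs when populating the local databases, judge validity by the local clock, never prune them from LDAP, and keep an expired cert from landing first in ca.crt) as an added Python example. This is not FreeIPA's certstore code: the CaCertRecord type, the function names, the clock-skew allowance and the sample store are assumptions of the example.

```python
"""Added example (not FreeIPA's own code): choose which CA certificates from
the LDAP trust store get written to the local certificate databases.

Models the policy discussed in this thread: expired and not-yet-valid CA
certs stay in LDAP (so a "time travel" recovery can still fetch them) but
are skipped when ca.crt is populated, validity is judged by the local clock
of the machine running the check, and a still-valid cert is always placed
first. Record type, function names and sample data are this example's own
assumptions, not ipalib's certstore API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CaCertRecord:
    """One trust-store entry, reduced to the fields the decision needs."""
    nickname: str
    not_before: datetime
    not_after: datetime


def is_valid_at(cert, now, skew_seconds=300):
    """True if `cert` is inside its validity window at local time `now`.

    `skew_seconds` tolerates small clock differences between the server
    that wrote the store and the client applying it; use 0 for a strict
    check."""
    skew = timedelta(seconds=skew_seconds)
    return cert.not_before - skew <= now <= cert.not_after + skew


def select_for_install(store, now, include_expired=False):
    """Partition `store` into (install, retained).

    `install` holds the certs to write to ca.crt and the NSS databases,
    ordered valid-first and then by latest expiry, so the first entry is
    never an expired one. `retained` holds certs left only in LDAP.
    `include_expired=True` mirrors the opt-in "install everything" mode
    floated in the thread; ordering still keeps valid certs first."""
    install, retained = [], []
    for cert in store:
        if include_expired or is_valid_at(cert, now):
            install.append(cert)
        else:
            retained.append(cert)
    install.sort(key=lambda c: (is_valid_at(c, now), c.not_after), reverse=True)
    return install, retained


def nicknames(certs):
    """Nicknames in order, for reporting and for the checks below."""
    return [c.nickname for c in certs]


# Constructed sample store: an expired old IPA CA, its renewal, an external
# root, and a sub CA whose validity has not started yet. Dates are made up.
UTC = timezone.utc
SAMPLE_NOW = datetime(2020, 3, 11, 12, 0, tzinfo=UTC)
SAMPLE_STORE = [
    CaCertRecord("IPA CA (old)", datetime(2010, 3, 1, tzinfo=UTC),
                 datetime(2020, 3, 1, tzinfo=UTC)),
    CaCertRecord("IPA CA (renewed)", datetime(2020, 2, 1, tzinfo=UTC),
                 datetime(2040, 2, 1, tzinfo=UTC)),
    CaCertRecord("External Root", datetime(2005, 1, 1, tzinfo=UTC),
                 datetime(2030, 1, 1, tzinfo=UTC)),
    CaCertRecord("Future Sub CA", datetime(2020, 4, 1, tzinfo=UTC),
                 datetime(2030, 4, 1, tzinfo=UTC)),
]
# A cert that expired four minutes before SAMPLE_NOW: inside the default skew.
JUST_EXPIRED = CaCertRecord("Just expired", datetime(2019, 1, 1, tzinfo=UTC),
                            SAMPLE_NOW - timedelta(minutes=4))


if __name__ == "__main__":
    install, retained = select_for_install(SAMPLE_STORE, SAMPLE_NOW)
    print("install :", nicknames(install))
    print("retained:", nicknames(retained))
```

The skew allowance is the caveat behind Alexander's "valid from which point of view?": a client whose clock lags the server by a few minutes would otherwise drop a freshly issued CA as not-yet-valid, or keep one that the server already considers expired.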


[Freeipa-users] Add "Puppet Enterprise" to the list of things that do not actively support FreeIPA

2020-03-11 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Sad.

https://puppet.com/docs/pe/2019.2/rbac_ldap_intro.html#connect_to_an_external_directory_service

It has

Example Active Directory settings

and

Example OpenLDAP settings

I tried using the OpenLDAP side, but the queries I see in the access logs are 
looking for objectClasses like ipaNTTrustedDomain and other names starting with 
ipaNT*.

Is anyone out there using FreeIPA for authentication to Puppet Enterprise?
__

Daniel E. White
daniel.e.wh...@nasa.gov
NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road
Building 14, Room E175
Greenbelt, MD 20771
Office: (301) 286-6919
Mobile: (240) 513-5290


[Freeipa-users] Re: IPA CA renewal and duplicate CA certs

2020-03-11 Thread Alexander Bokovoy via FreeIPA-users

On ke, 11 maalis 2020, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>> On ke, 11 maalis 2020, Fraser Tweedale via FreeIPA-users wrote:
>>>> Makes me look at this a different way. Perhaps change the certstore to
>>>> only return valid CA certs. That way they are stored if anyone ever
>>>> wants them but they won't get pulled down for ipa-certupdate or
>>>> ipaclient-install.
>>>>
>>>> Or to try the ipa-cacert-manage route, it was mostly the UI part for why
>>>> I didn't do it. I wasn't sure if the best way would be to interactively
>>>> show each cert and do a delete Y/N or what. Perhaps a delete with
>>>> --expired-only to do the cleanup. I'm open to suggestions.
>>>>
>>>> rob
>>>>
>>>
>>> I think it's fine to change ipa-certupdate so it skips expired /
>>> not-yet-valid certs.
>>>
>>> IMO we should never automatically prune expired certs from the LDAP
>>> trust store, so that if customer needs to do time travel to fix an
>>> issue, the old CA certs will still be there and an ipa-certupdate
>>> will "restore" them to the various certificate DBs.
>>>
>>> And for the same reason, I'd be hesitant to offer a UI to prune
>>> expired certs from the trust store.
>>
>> I agree. So, we still need a ticket for ipa-certupdate to gain an
>> explicit option to ignore expired certs.
>
> IMHO it should be the default for certstore.get_ca_certs(). I opened
> https://pagure.io/freeipa/issue/8223
>
> I don't know of a case where we would want to fetch non-valid CA
> certificates, please update the ticket if you know of any.

Valid from which point of view? A system we run on? E.g. based on the
local time setup?

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: IPA CA renewal and duplicate CA certs

2020-03-11 Thread Rob Crittenden via FreeIPA-users
Alexander Bokovoy wrote:
> On ke, 11 maalis 2020, Fraser Tweedale via FreeIPA-users wrote:
>>> Makes me look at this a different way. Perhaps change the certstore to
>>> only return valid CA certs. That way they are stored if anyone ever
>>> wants them but they won't get pulled down for ipa-certupdate or
>>> ipaclient-install.
>>>
>>> Or to try the ipa-cacert-manage route, it was mostly the UI part for why
>>> I didn't do it. I wasn't sure if the best way would be to interactively
>>> show each cert and do a delete Y/N or what. Perhaps a delete with
>>> --expired-only to do the cleanup. I'm open to suggestions.
>>>
>>> rob
>>>
>>
>> I think it's fine to change ipa-certupdate so it skips expired /
>> not-yet-valid certs.
>>
>> IMO we should never automatically prune expired certs from the LDAP
>> trust store, so that if customer needs to do time travel to fix an
>> issue, the old CA certs will still be there and an ipa-certupdate
>> will "restore" them to the various certificate DBs.
>>
>> And for the same reason, I'd be hesitant to offer a UI to prune
>> expired certs from the trust store.
> 
> I agree. So, we still need a ticket for ipa-certupdate to gain an
> explicit option to ignore expired certs.
> 
> 

IMHO it should be the default for certstore.get_ca_certs(). I opened
https://pagure.io/freeipa/issue/8223

I don't know of a case where we would want to fetch non-valid CA
certificates, please update the ticket if you know of any.

rob


[Freeipa-users] Re: LDAP Server stop to response after a period of time

2020-03-11 Thread 鐳鍶 via FreeIPA-users
Ok, thanks.

Alexander Bokovoy  於 2020年3月11日 週三 下午3:37 寫道:

> On ke, 11 maalis 2020, Lays Dragon via FreeIPA-users wrote:
> >Just as a record: it looks like my two replica servers somehow lost their
> >DNA range; not sure if it was caused by the update or had already happened
> >before, since I noticed it when trying to add a user after the update,
> >which failed with: Allocation of a new value for range cn=posix
> >ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config
> >failed! Unable to proceed.  I'll try to recover the DNA range via
> >https://www.freeipa.org/page/V3/Recover_DNA_Ranges
>
> This is certainly unrelated to slapi-nis itself.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
>


[Freeipa-users] Re: IPA CA renewal and duplicate CA certs

2020-03-11 Thread François Cami via FreeIPA-users
On Wed, Mar 11, 2020 at 9:12 AM Fraser Tweedale via FreeIPA-users wrote:
>
> On Wed, Mar 11, 2020 at 09:26:54AM +0200, Alexander Bokovoy wrote:
> > On ke, 11 maalis 2020, Fraser Tweedale via FreeIPA-users wrote:
> > > > Makes me look at this a different way. Perhaps change the certstore to
> > > > only return valid CA certs. That way they are stored if anyone ever
> > > > wants them but they won't get pulled down for ipa-certupdate or
> > > > ipaclient-install.
> > > >
> > > > Or to try the ipa-cacert-manage route, it was mostly the UI part for why
> > > > I didn't do it. I wasn't sure if the best way would be to interactively
> > > > show each cert and do a delete Y/N or what. Perhaps a delete with
> > > > --expired-only to do the cleanup. I'm open to suggestions.
> > > >
> > > > rob
> > > >
> > >
> > > I think it's fine to change ipa-certupdate so it skips expired /
> > > not-yet-valid certs.
> > >
> > > IMO we should never automatically prune expired certs from the LDAP
> > > trust store, so that if customer needs to do time travel to fix an
> > > issue, the old CA certs will still be there and an ipa-certupdate
> > > will "restore" them to the various certificate DBs.
> > >
> > > And for the same reason, I'd be hesitant to offer a UI to prune
> > > expired certs from the trust store.
> >
> > I agree. So, we still need a ticket for ipa-certupdate to gain an
> > explicit option to ignore expired certs.
> >
> I think we can ignore (i.e. not install) expired certs by default.
> And maybe have option to install all certs even if expired.

Yes. While the current behavior does not lead to any malfunctioning
service, various useful tools cease to function when the first cert in
ca.crt is expired.

> What would customers expect?  It is not the first time a customer
> was surprised to see expired certs there and asked about it.

My guess: not having the tools above fail in the first place.

Cheers
François

> Cheers,
> Fraser


[Freeipa-users] Re: IPA CA renewal and duplicate CA certs

2020-03-11 Thread Fraser Tweedale via FreeIPA-users
On Wed, Mar 11, 2020 at 09:26:54AM +0200, Alexander Bokovoy wrote:
> On ke, 11 maalis 2020, Fraser Tweedale via FreeIPA-users wrote:
> > > Makes me look at this a different way. Perhaps change the certstore to
> > > only return valid CA certs. That way they are stored if anyone ever
> > > wants them but they won't get pulled down for ipa-certupdate or
> > > ipaclient-install.
> > > 
> > > Or to try the ipa-cacert-manage route, it was mostly the UI part for why
> > > I didn't do it. I wasn't sure if the best way would be to interactively
> > > show each cert and do a delete Y/N or what. Perhaps a delete with
> > > --expired-only to do the cleanup. I'm open to suggestions.
> > > 
> > > rob
> > > 
> > 
> > I think it's fine to change ipa-certupdate so it skips expired /
> > not-yet-valid certs.
> > 
> > IMO we should never automatically prune expired certs from the LDAP
> > trust store, so that if customer needs to do time travel to fix an
> > issue, the old CA certs will still be there and an ipa-certupdate
> > will "restore" them to the various certificate DBs.
> > 
> > And for the same reason, I'd be hesitant to offer a UI to prune
> > expired certs from the trust store.
> 
> I agree. So, we still need a ticket for ipa-certupdate to gain an
> explicit option to ignore expired certs.
> 
I think we can ignore (i.e. not install) expired certs by default.
And maybe have option to install all certs even if expired.

What would customers expect?  It is not the first time a customer
was surprised to see expired certs there and asked about it.

Cheers,
Fraser


[Freeipa-users] Re: LDAP Server stop to response after a period of time

2020-03-11 Thread Alexander Bokovoy via FreeIPA-users

On ke, 11 maalis 2020, Lays Dragon via FreeIPA-users wrote:
> Just as a record: it looks like my two replica servers somehow lost their
> DNA range; not sure if it was caused by the update or had already happened
> before, since I noticed it when trying to add a user after the update,
> which failed with: Allocation of a new value for range cn=posix
> ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config
> failed! Unable to proceed.  I'll try to recover the DNA range via
> https://www.freeipa.org/page/V3/Recover_DNA_Ranges

This is certainly unrelated to slapi-nis itself.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: IPA CA renewal and duplicate CA certs

2020-03-11 Thread Alexander Bokovoy via FreeIPA-users

On ke, 11 maalis 2020, Fraser Tweedale via FreeIPA-users wrote:
>> Makes me look at this a different way. Perhaps change the certstore to
>> only return valid CA certs. That way they are stored if anyone ever
>> wants them but they won't get pulled down for ipa-certupdate or
>> ipaclient-install.
>>
>> Or to try the ipa-cacert-manage route, it was mostly the UI part for why
>> I didn't do it. I wasn't sure if the best way would be to interactively
>> show each cert and do a delete Y/N or what. Perhaps a delete with
>> --expired-only to do the cleanup. I'm open to suggestions.
>>
>> rob
>>
>
> I think it's fine to change ipa-certupdate so it skips expired /
> not-yet-valid certs.
>
> IMO we should never automatically prune expired certs from the LDAP
> trust store, so that if customer needs to do time travel to fix an
> issue, the old CA certs will still be there and an ipa-certupdate
> will "restore" them to the various certificate DBs.
>
> And for the same reason, I'd be hesitant to offer a UI to prune
> expired certs from the trust store.

I agree. So, we still need a ticket for ipa-certupdate to gain an
explicit option to ignore expired certs.



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland