[Freeipa-users] Re: FreeIPA Upgrade - overwrites custom authselect config

2024-02-06 Thread Finn Fysj via FreeIPA-users
> On Wed, 10 Jan 2024, Finn Fysj via FreeIPA-users wrote:
> 
> It should tell you what upgrade step is that prior to running the
> command.
> 
> I think this is about migration to authselect. Upgrade code considers
> whether migration from authconfig is needed and if we didn't record that
> migration already happened, we perform it. The default configuration is
> 'authselect select sssd with-sudo --force'.
> 
> You can avoid re-running this upgrade part by adding a section
> 
> [authcfg]
> migrated_to_authselect = True
> 
> to /var/lib/ipa/sysupgrade/sysupgrade.state
> 
> and rerunning the upgrade.
Is it possible to have `migrated_to_authselect = True` for backup restore also?
I've come to realize that FreeIPA will modify the authselect configuration during:
1. Install
2. Upgrade
3. Restore
--
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
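The workaround quoted above (an [authcfg] section in /var/lib/ipa/sysupgrade/sysupgrade.state, then rerunning the upgrade) is a one-line edit, but on a hardened host it is worth making it idempotent and atomic and being able to verify it before the next ipa-server-upgrade. The Python below is an added example, not FreeIPA code and not from anyone in the thread. It assumes the state file is a plain INI file that configparser can read and write, and uses the section and key names exactly as quoted; the custom authselect profile still has to provide what IPA expects from 'sssd with-sudo', which this script does not check.

```python
"""Record the authselect migration in FreeIPA's sysupgrade state (added example)."""
import configparser
import os
import stat
import tempfile

STATE_FILE = "/var/lib/ipa/sysupgrade/sysupgrade.state"  # path quoted in the thread
SECTION = "authcfg"
KEY = "migrated_to_authselect"


def _read_state(path):
    """Parse the INI-style state file, keeping option-name case as written."""
    cfg = configparser.RawConfigParser()
    cfg.optionxform = str  # do not lower-case keys such as migrated_to_authselect
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            cfg.read_file(fh)
    return cfg


def is_authselect_migrated(path=STATE_FILE):
    """True when the state file already records the migration as done."""
    cfg = _read_state(path)
    return cfg.has_section(SECTION) and cfg.get(SECTION, KEY, fallback="") == "True"


def mark_authselect_migrated(path=STATE_FILE):
    """Set [authcfg] migrated_to_authselect = True; return True if the file changed.

    Other sections are preserved. The write goes to a temp file in the same
    directory and is renamed over the original, so an interrupted run cannot
    leave ipa-server-upgrade with a half-written state file; the original
    file mode is kept.
    """
    if is_authselect_migrated(path):
        return False
    cfg = _read_state(path)
    if not cfg.has_section(SECTION):
        cfg.add_section(SECTION)
    cfg.set(SECTION, KEY, "True")
    directory = os.path.dirname(path) or "."
    mode = stat.S_IMODE(os.stat(path).st_mode) if os.path.exists(path) else 0o600
    fd, tmp = tempfile.mkstemp(prefix=".sysupgrade.", dir=directory)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            cfg.write(fh)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return True


def demo():
    """Exercise the helper on a constructed state file in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sysupgrade.state")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("[example_module]\nsome_step = True\n")  # constructed content
        before = is_authselect_migrated(path)
        changed = mark_authselect_migrated(path)
        after = is_authselect_migrated(path)
        kept = _read_state(path).get("example_module", "some_step") == "True"
        again = mark_authselect_migrated(path)  # second run: nothing to do
        return before, changed, after, kept, again


if __name__ == "__main__":
    print(demo())  # on a real server: run mark_authselect_migrated() as root
```

Run it as root on the server before `ipa-server-upgrade`; a second run returns False and leaves the file untouched, so it is safe to put in a configuration-management hook.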


[Freeipa-users] FreeIPA replicas introducing third replica - only one CA

2024-02-05 Thread Finn Fysj via FreeIPA-users
I'm trying to set up a third replica server using the ansible_freeipa.ipareplica
role.
The role fails on the following step:

"[freeipa.ansible_freeipa.ipaclient : Install - Join IPA]":
"servers": [
  "192.168.1.100",  (replica1.example.com)
  "192.168.1.101"   (replica2.example.com)
]
  "msg": "Cannot obtain CA certificate\nHTTP certificate download requires --force"


Following playbook:
roles:
  - role: freeipa.ansible_freeipa.ipareplica
    vars:
      ipareplica_servers: ["replica1.example.com", "replica2.example.com"]
 

replica1 (master with CA) and replica2 already exist. I introduced replica2 to
the ipareplica_servers variable, as seen above. If I remove replica2, I'm able
to install and set up replica3, but from my understanding I'll be stuck with the
following topology:

replica2 <---> replica1 <---> replica3

When in reality I want:
replica2 <---> replica1 <---> replica3
^--^


I've also experienced a lot of errors with Install - Setup DS after an
uninstall: /usr/sbin/ipa-getkeytab Failed to parse result: Insufficient access
rights\n\nFailed to get keytab!.
It doesn't seem like the role cleans up properly.


I struggle to understand this error, since the topology shows only Domain in 
the UI. 
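The topology the poster ends up with (replica2 <---> replica1 <---> replica3) can be closed into a triangle with explicit segments rather than by re-running the replica install. As an added example that is not part of the post or of ansible-freeipa, here is a small Python helper that computes which domain-suffix segments are missing from a full mesh, flags servers that would exceed the usual FreeIPA guideline of at most four replication agreements per server, and renders ipatopologysegment tasks. Assumptions: the module parameters (suffix, name, left, right, state) are as I recall them from the ansible-freeipa documentation and should be checked against the installed collection; the segment naming is mine; since only replica1 carries the CA role, no ca-suffix segments are generated.

```python
"""Compute missing replication segments for a full mesh (added example)."""
from itertools import combinations

MAX_AGREEMENTS = 4  # FreeIPA guidance: no more than four agreements per server


def normalize(segments):
    """Segments are undirected: store (a, b) and (b, a) as the same sorted tuple."""
    return {tuple(sorted(pair)) for pair in segments}


def missing_segments(servers, existing):
    """Pairs that a full mesh over `servers` needs but `existing` lacks (sorted)."""
    wanted = normalize(combinations(sorted(set(servers)), 2))
    return sorted(wanted - normalize(existing))


def agreement_counts(existing, new_pairs):
    """Agreements per server once new_pairs are added to the existing ones."""
    counts = {}
    for a, b in normalize(existing) | normalize(new_pairs):
        counts[a] = counts.get(a, 0) + 1
        counts[b] = counts.get(b, 0) + 1
    return counts


def over_limit(existing, new_pairs, limit=MAX_AGREEMENTS):
    """Servers that would exceed `limit` agreements; an empty list means the plan is sane."""
    return sorted(s for s, n in agreement_counts(existing, new_pairs).items() if n > limit)


def render_tasks(pairs, suffix="domain"):
    """Render ansible-freeipa ipatopologysegment tasks as text (no PyYAML needed).

    Parameter names (suffix, name, left, right, state) are taken from the
    collection's documentation as I recall it; verify them against your version.
    """
    lines = []
    for left, right in pairs:
        name = f"{left.split('.')[0]}-to-{right.split('.')[0]}"  # naming is mine
        lines += [
            f"- name: Ensure {suffix} segment {name} exists",
            "  freeipa.ansible_freeipa.ipatopologysegment:",
            '    ipaadmin_password: "{{ ipaadmin_password }}"',
            f"    suffix: {suffix}",
            f"    name: {name}",
            f"    left: {left}",
            f"    right: {right}",
            "    state: present",
        ]
    return "\n".join(lines)


# Constructed input matching the post: replica2 <-> replica1 <-> replica3
SERVERS = ["replica1.example.com", "replica2.example.com", "replica3.example.com"]
EXISTING = [("replica1.example.com", "replica2.example.com"),
            ("replica3.example.com", "replica1.example.com")]

if __name__ == "__main__":
    todo = missing_segments(SERVERS, EXISTING)
    print("missing:", todo, "over limit:", over_limit(EXISTING, todo))
    print(render_tasks(todo))
```

For three servers the only missing pair is replica2/replica3, and nobody exceeds four agreements; for larger deployments the over_limit check is the reason not to blindly build a full mesh.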


[Freeipa-users] Re: FreeIPA cluster, backup and restore

2024-02-02 Thread Finn Fysj via FreeIPA-users
> Finn Fysj via FreeIPA-users wrote:
> 
> I think there is some misunderstanding about the purpose of backup and
> restore. It is for catastrophic recovery only.
> 
> This is why it wants all roles to be included because if you lose your
> cluster and the only backup you have is lacking a role, say the CA, that
> is less than awesome.
> 
> A restore will disable all replication agreements. They can be
> re-enabled but a restore by its very nature is going back in time which
> is going to confuse the heck out of replication. At best any other
> existing servers will need to be re-initialized. Otherwise they need to
> be re-installed. Remember: catastrophic.
> 
> It is not designed for recovering a single entry that was accidentally
> deleted, or an undesired edit. If periodic backups are done the data is
> available in the stored LDIFs but it is an exercise for the user to
> restore in that case.
> 
> rob

I appreciate your response so much.

I've experienced issues where I tried to uninstall the replica server and
then tried to re-install it:

  roles:
    - role: freeipa.ansible_freeipa.ipareplica
      ipaserver_ignore_topology_disconnect: true
      ipaserver_ignore_last_of_role: true
      state: absent

Then I try to install it again:

    - role: freeipa.ansible_freeipa.ipareplica
      ipaclient_force_join: true
      ipareplica_install_packages: true
      ipareplica_setup_firewalld: false
      ipareplica_setup_dns: false
      ipareplica_servers: master1.example.com
      ipareplicas: ["{{ ansible_play_hosts_all | join(', ') }}"]
      ipareplica_domain: "example.com"
      ipaadmin_principal: "admin"
      ipaadmin_password: "Secret1213"
      ipadm_password: "my_password"


I run into issues such as:

"module_stdout":
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/ipalib/krb_utils.py", line 182, in get_principal
    creds = get_credentials(ccache_name=ccache_name)
  File "/usr/lib/python3.9/site-packages/ipalib/krb_utils.py", line 165, in get_credentials
    return gssapi.Credentials(usage="initiate", name=name, store=store)
  File "/usr/lib64/python3.9/site-packages/gssapi/creds.py", line 63, in __new__
    res = cls.acquire(name, lifetime, mechs, usage,
  File "/usr/lib64/python3.9/site-packages/gssapi/creds.py", line 136, in acquire
    res = rcreds.acquire_cred(name, lifetime,
  File "gssapi/raw/creds.pyx", line 161, in gssapi.raw.creds.acquire_cred
gssapi.raw.exceptions.MissingCredentialsError: Major (458752): No credentials were supplied, or the credentials were unavailable or inaccessible, Minor (2529639053): No Kerberos credentials available (default cache: )

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/ansible/.ansible/tmp/ansible-tmp-1706882379.2962139-14800-182642519268134/AnsiballZ_ipareplica_add_to_ipaservers.py", line 107, in <module>
    _ansiballz_main()
  File "/home/ansible/.ansible/tmp/ansible-tmp-1706882379.2962139-14800-182642519268134/AnsiballZ_ipareplica_add_to_ipaservers.py", line 99, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/home/ansible/.ansible/tmp/ansible-tmp-1706882379.2962139-14800-182642519268134/AnsiballZ_ipareplica_add_to_ipaservers.py", line 47, in invoke_module
    runpy.run_module(mod_name='ansible_collections.freeipa.ansible_freeipa.plugins.modules.ipareplica_add_to_ipaservers', init_globals=dict(_module_fqn='ansible_collections.freeipa.ansible_freeipa.plugins.modules.ipareplica_add_to_ipaservers', _modlib_path=modlib_path),
  File "/usr/lib64/python3.9/runpy.py", line 225, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib64/python3.9/runpy.py", line 97, in _run_module_code
    _run_code(code, mod_globals, init_globals,
  File "/usr/lib64/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_freeipa.ansible_freeipa.ipareplica_add_to_ipaservers_payload_gnneon23/ansible_freeipa.ansible_freeipa.ipareplica_add_to_ipaservers_payload.zip/ansible_collections/freeipa/ansible_freeipa/plugins/modules/ipareplica_add_to_ipaservers.py", line 156, in <module>
  File "/tmp/ansible_freeipa.ansible_freeipa.ipareplica_add_to_ipaservers_payload_gnneon23/ansible_freeipa.ansible_freeipa.ipareplica_add_to_ipaservers_payload.zip/ansible_collections/freeipa/ansible_freeipa/plugins/modules/ipareplica_add_to_ipaservers.py", line 139, in main
  File "/usr/lib/python3.9/site-packages/ipalib/backend.py", line 69, in connect
    conn = self

[Freeipa-users] Re: FreeIPA cluster, backup and restore

2024-01-31 Thread Finn Fysj via FreeIPA-users
> Hello,
> 
> On 1/30/24 12:56, Finn Fysj via FreeIPA-users wrote:
> 
> With the same options, the ipabackup role should do exactly the same as the 
> command line tool. The role is using the command line tool internally.
Yes... It would be nice if the Ansible role were a little more verbose
when doing a data restore, to include something like:
  The replication agreements on masters running IPA 3.1 or earlier will need
  to be manually re-enabled.
  See the man page for details.
  Disabling all replication.
  Disabling replication agreement on...



Also is there a way to make ipa skip authselect configuration when restoring 
backup, like upgrade?
[authcfg]
migrated_to_authselect = True


[Freeipa-users] Re: FreeIPA cluster, backup and restore

2024-01-30 Thread Finn Fysj via FreeIPA-users
> Hey Finn,
> 
> for our replications where we don't have any CA installed i'm using the
> following ipabackup options to have proper backup:
> 
> ipa-backup --disable-role-check --logs --quiet
Cheers Yavor. I'll have a look at this.
However, it only answers a part of my problem. You'll face an issue with the RUV
error with the replica having a different database generation ID. Meaning it
needs to be re-initialized, right?

I see the ipatopologysuffix module doesn't have a way to check for working 
replication between the nodes.


[Freeipa-users] FreeIPA cluster, backup and restore

2024-01-30 Thread Finn Fysj via FreeIPA-users
I have a cluster which is set up using the Ansible FreeIPA roles ipaserver &
ipareplica.
I am running ipabackup using a script, as the ipabackup role doesn't work as wanted or
intended, meaning I'm not able to take a backup of the data.

Multiple master, only one with CA installed. 
When I run ipabackup to backup data I get the following:

Error: Local roles  do not match globally used roles CA. A backup done on this 
host would not be complete enough to restore a fully functional, identical 
cluster.
The ipa-backup command failed. See /var/log/ipabackup.log for more information.

The error message is somewhat understandable. We don't use FreeIPA CA 
capabilities, so that's the reason we don't have it installed on replicas, 
unless you guys would recommend otherwise?


I've tried to test a little using these ansible roles. What happens if my 
Master with the only backup goes down? Yes, I'll have a replica making sure 
everything works as normal, so I can scrap the master, rebuild it and restore 
the data backup I took.
However, once the node is restored, there's still no connection between
the two nodes, since a re-run of the ipareplica role won't do anything, as it's
already installed. Does that mean we need to rebuild this node as well?

A normal data restore of a node will stop the replication connection between 
the two nodes, meaning it needs to be "re-connected", this is also not 
something that can be done using these roles?

One final question: If we have a working cluster setup, and some sausage
fingers manage to delete the replica from the "CA node", how can I
re-initialize this with the ansible replica role, or is a rebuild the only option?


[Freeipa-users] Is it possible to install FreeIPA on different disk than ('/')

2024-01-24 Thread Finn Fysj via FreeIPA-users
Currently our installation of FreeIPA is done on root ('/'). 
Is it possible to install FreeIPA on a different disk & mount path without
causing too many issues?


[Freeipa-users] SSSD LDAP provider fails to fetch nested groups (groups member of groups)

2024-01-18 Thread Finn Fysj via FreeIPA-users
I'm experiencing problems on my RHEL 9 instance when looking up members of a
group using getent group . I can only get users which have direct
access to a group, and not the "user groups" part of the group.



My sssd.conf:
[domain/]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
sudo_provider = ldap

ldap_uri = ldaps://ipa.example.com
ldap_schema = rfc2307bis

ldap_search_base = dc=example,dc=com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_user_search_base = cn=users,cn=accounts,dc=example,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=example,dc=com

[sssd]
services = nss, pam, sudo
domains = default

[nss]
homedir_substring = /home

[pam]

[sudo]


[Freeipa-users] Re: FreeIPA Upgrade - overwrites custom authselect config

2024-01-11 Thread Finn Fysj via FreeIPA-users
> I can see how you were confused but it's covered in "FreeIPA 3.3.0 or
> newer" where you run yum update [free]ipa-server. We recommend updating
> all packages and not just IPA. ipa-server-upgrade runs as part of the
> package install process.

Since it's recommended to run "yum update [free]ipa-server", why does the
"FreeIPA 4.2.0 or newer" section even exist as an option?

(I'm sorry to be such a 'pita'.)


[Freeipa-users] Re: FreeIPA Upgrade - overwrites custom authselect config

2024-01-11 Thread Finn Fysj via FreeIPA-users
> Finn Fysj via FreeIPA-users wrote:
> 
> If you have a custom profile then what would checking for 9.3 help? And
> note, we don't recommend or support custom profiles. IPA is very
> opinionated about the configuration it expects.
> 
> 
> I can see how you were confused but it's covered in "FreeIPA 3.3.0 or
> newer" where you run yum update [free]ipa-server. We recommend updating
> all packages and not just IPA. ipa-server-upgrade runs as part of the
> package install process.
> 
> rob

1. Checking for 9.3 would know that the system is using authselect.
2. IPA could only check if the custom profile fulfill the requirements, which 
is sssd and sudo feature enabled. 

I understand that IPA is very opinionated about config specs, but some need to 
follow security benchmarks.


[Freeipa-users] Re: FreeIPA Upgrade - overwrites custom authselect config

2024-01-10 Thread Finn Fysj via FreeIPA-users
> On Wed, 10 Jan 2024, Finn Fysj via FreeIPA-users wrote:
> 
> It should tell you what upgrade step is that prior to running the
> command.
> 
> I think this is about migration to authselect. Upgrade code considers
> whether migration from authconfig is needed and if we didn't record that
> migration already happened, we perform it. The default configuration is
> 'authselect select sssd with-sudo --force'.
> 
> You can avoid re-running this upgrade part by adding a section
> 
> [authcfg]
> migrated_to_authselect = True
> 
> to /var/lib/ipa/sysupgrade/sysupgrade.state
> 
> and rerunning the upgrade.
Is it possible to prevent authselect configuration while installing FreeIPA 
server?


[Freeipa-users] Re: FreeIPA Upgrade - overwrites custom authselect config

2024-01-10 Thread Finn Fysj via FreeIPA-users
> On Wed, 10 Jan 2024, Finn Fysj via FreeIPA-users wrote:
> 
> It should tell you what upgrade step is that prior to running the
> command.
> 
> I think this is about migration to authselect. Upgrade code considers
> whether migration from authconfig is needed and if we didn't record that
> migration already happened, we perform it. The default configuration is
> 'authselect select sssd with-sudo --force'.
> 
> You can avoid re-running this upgrade part by adding a section
> 
> [authcfg]
> migrated_to_authselect = True
> 
> to /var/lib/ipa/sysupgrade/sysupgrade.state
> 
> and rerunning the upgrade.
I don't fully understand why it doesn't check which OS version it is running
and, based on that, update the migrated_to_authselect value.
Currently on 9.3, and we run authselect as mentioned with a custom profile.

I also seemed to have misunderstood the Upgrade steps from 
https://www.freeipa.org/page/Upgrade, as I thought # ipa-server-upgrade would 
upgrade my IPA version to the latest. 


Anyways, cheers Alexander.


[Freeipa-users] FreeIPA Upgrade - overwrites custom authselect config

2024-01-10 Thread Finn Fysj via FreeIPA-users
I've recently tried to run an upgrade of my IPA server (4.10.2) because of some
CVE fix for 4.10.3.
At the end of the upgrade the IPA server tries to run: CalledProcessError(Command
['/usr/bin/authselect', 'select', 'sssd', 'with-sudo', '--force']. Why does it
do this?

The upgrade in my case fails because I've made the following files immutable:
/etc/authselect/{password-auth,system-auth}.


[Freeipa-users] Re: Ignore authselect configuration

2024-01-04 Thread Finn Fysj via FreeIPA-users
> Finn Fysj via FreeIPA-users wrote:
> 
> There is not currently.
> 
> I guess I would suggest hardening after installing IPA. You're moving
> into an untested/unsupported configuration so keep that in mind. There
> be dragons.
> 
> rob
Thanks Rob.

However, does that mean we can get surprises if we're so bold and configure e.g.
UMASK after IPA installation etc.?


[Freeipa-users] (no subject)

2024-01-03 Thread Finn Fysj via FreeIPA-users
> Finn Fysj via FreeIPA-users wrote:
> 
> There is not currently.
> 
> I guess I would suggest hardening after installing IPA. You're moving
> into an untested/unsupported configuration so keep that in mind. There
> be dragons.
> 
> rob
Thanks Rob.

However, does that mean we can get surprises if we're so bold and configure e.g.
UMASK after IPA installation etc.?


[Freeipa-users] Ignore authselect configuration

2024-01-03 Thread Finn Fysj via FreeIPA-users
Hi, 

First: is it possible to ignore the authselect configuration during FreeIPA 
server installation? 
Reason I'm asking is because we're hardening the OS before we run FreeIPA 
installation, meaning there have been issues with UMASK and authselect 
overwrite. 

FreeIPA installation does not support UMASK stricter than 022.
The FreeIPA installation also changes our authselect configuration as we 
configure this as part of our OS hardening and setting the immutable flag on 
some of these config files. 

We don't want FreeIPA installation to configure the authselect. Unfortunately 
we haven't found anything in 
/usr/lib/python3.9/site-packages/ipaplatform/redhat/authconfig.py that let us 
do this. Is it possible to ignore this?


[Freeipa-users] Diff between giving User direct membership vs a User Group to a Posix or NON-Posix User Group?

2023-11-24 Thread Finn Fysj via FreeIPA-users
I have a running IPA server which has both POSIX and NON-POSIX User Groups. 
However, I'm not using FreeIPA in a classic manner, mostly just as a LDAP 
server with GUI making it easier for end users to manage their stuff. 

I'm curious if there's a difference between Users or Users Groups when 
assigning these to a POSIX or NON-POSIX user group? 
E.g

A user was not able to SSH into a machine because the user couldn't be found as 
a member of the group:
 $ getent group test-group
test-group:*:5010:

In the example above, I have attached membership to another User Group:
end_users --> test-group. However, if I give a user in end_users direct access
to the test-group, they can successfully SSH and they're shown in the getent
command:

$ getent group test-group
test-group:*:5010:userX

Of course, with NON-POSIX group I'm not able to run any commands, but I haven't 
had any problems when I 
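Both the SSSD LDAP-provider post above ("SSSD LDAP provider fails to fetch nested groups") and this one describe the same symptom: getent group lists users that are direct members of a POSIX group but not users who arrive through a nested group. The Python below is an added example (not SSSD code and not from the thread) that models a flattening group resolver over a constructed set of LDAP-style entries laid out like the FreeIPA tree quoted on the page: test-group (POSIX, gid 5010) contains the non-POSIX group end_users, which contains userX, plus a deliberate membership cycle to show the walk terminates. The nesting_level parameter is modelled on SSSD's ldap_group_nesting_level as I understand it (0 = direct user members only, n = descend n levels of nested groups); that reading is an assumption, as are all names and values in ENTRIES.

```python
"""Flatten nested LDAP group membership over constructed entries (added example)."""

USERS_BASE = "cn=users,cn=accounts,dc=example,dc=com"
GROUPS_BASE = "cn=groups,cn=accounts,dc=example,dc=com"

# Constructed directory snapshot: DN -> attributes. Mirrors the FreeIPA layout
# quoted on the page; names and values are made up for the example.
ENTRIES = {
    f"uid=userX,{USERS_BASE}": {"objectClass": ["posixaccount"], "uid": ["userX"]},
    f"uid=userY,{USERS_BASE}": {"objectClass": ["posixaccount"], "uid": ["userY"]},
    # non-POSIX group (no gidNumber): never shown by getent, but it can carry members
    f"cn=end_users,{GROUPS_BASE}": {
        "objectClass": ["groupofnames", "ipausergroup"],
        "member": [f"uid=userX,{USERS_BASE}", f"cn=loop,{GROUPS_BASE}"],
    },
    # a group that points back at end_users, to show that cycles terminate
    f"cn=loop,{GROUPS_BASE}": {
        "objectClass": ["groupofnames", "ipausergroup"],
        "member": [f"cn=end_users,{GROUPS_BASE}", f"uid=userY,{USERS_BASE}"],
    },
    # POSIX group: has gidNumber, so getent group can show it
    f"cn=test-group,{GROUPS_BASE}": {
        "objectClass": ["groupofnames", "ipausergroup", "posixgroup"],
        "gidNumber": ["5010"],
        "member": [f"cn=end_users,{GROUPS_BASE}"],
    },
}


def _is_user(dn, entries):
    return "uid" in entries.get(dn, {})


def _is_group(dn, entries):
    return "groupofnames" in entries.get(dn, {}).get("objectClass", [])


def resolve_members(group_dn, nesting_level, entries=ENTRIES):
    """Return sorted uids reachable from group_dn through `member` links.

    nesting_level 0 follows only direct user members; n descends through n
    levels of nested groups (assumption modelled on ldap_group_nesting_level).
    `seen` makes membership cycles terminate.
    """
    uids, seen = set(), set()

    def walk(dn, depth):
        if dn in seen:
            return
        seen.add(dn)
        for m in entries.get(dn, {}).get("member", []):
            if _is_user(m, entries):
                uids.add(entries[m]["uid"][0])
            elif _is_group(m, entries) and depth < nesting_level:
                walk(m, depth + 1)

    walk(group_dn, 0)
    return sorted(uids)


def getent_line(group_dn, nesting_level, entries=ENTRIES):
    """Format the group like `getent group`; returns None for non-POSIX groups."""
    attrs = entries[group_dn]
    if "gidNumber" not in attrs:
        return None
    name = group_dn.split(",", 1)[0].split("=", 1)[1]
    members = ",".join(resolve_members(group_dn, nesting_level, entries))
    return f"{name}:*:{attrs['gidNumber'][0]}:{members}"


if __name__ == "__main__":
    tg = f"cn=test-group,{GROUPS_BASE}"
    for level in (0, 1, 2):
        print(f"nesting_level={level}: {getent_line(tg, level)}")
```

With nesting_level 0 the output is the empty "test-group:*:5010:" line from the post; with 1 it becomes "test-group:*:5010:userX", and with 2 the member of the cyclic group is picked up as well without the walk looping.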


[Freeipa-users] Re: FreeIPA server + Replica - HBAC rules not matching

2023-10-31 Thread Finn Fysj via FreeIPA-users
> Finn Fysj via FreeIPA-users wrote:
> 
> It has to do with where ACIs live in the tree. If all ACIs live in the
> basedn then for every single operation, all ACIs will be evaluated. This
> is slow.
> 
> We try to locate ACIs within the "container" for each object instead of
> globally (e.g. cn=users,cn=accounts). This applies the user-specific
> ACIs only when user objects are managed.
> 
> I don't know about old and new with subtree and type. From what I
> remember this has always been available on the cli from my initial
> implementation. The type (user,group,host,etc) is shorthand for where
> the ACI will be placed so that user's don't need to understand the tree
> layout. Subtree is a more manual approach to this to provide flexibility.
> 
> As I said, I can't believe that a global aci granting access to
> member/memberof would affect HBAC evaluation. HBAC doesn't bind as
> anonymous so these shouldn't even apply.
> 
> rob

Hmm... Alright.

I appreciate your time and effort, Rob.

/Cheers


[Freeipa-users] Httpd Graceful restart - syntax error

2023-10-31 Thread Finn Fysj via FreeIPA-users
This morning I woke up to following:
[pid 18582] AH00171: Graceful restart requested, doing restart
httpd: Syntax error on line 56 of /etc/httpd/conf/httpd.conf: Syntax error on 
line 1 of /etc/httpd/conf.modules.d/10-nss.conf: Cannot load 
modules/libmodnss.so into server: /lib64/libnssutil3.so: version `NSSUTIL_3.82' 
not found (required by /lib64/libnss3.so)

cat /etc/httpd/conf.modules.d/10-nss.conf:
LoadModule nss_module modules/libmodnss.so


I've verified the files exist; after a manual restart of httpd it was back.
httpd -t reports syntax OK


[Freeipa-users] Re: FreeIPA server + Replica - HBAC rules not matching

2023-10-30 Thread Finn Fysj via FreeIPA-users
> Finn Fysj via FreeIPA-users wrote:
> 
> Seems unlikely that anonymous ACI's would prevent HBAC from working.
> Especially ACIs that don't apply to the bound dn.
> 
> These ACIs also apply very broadly across the server. For example, the
> user and group ACIs overlap with memberof. You probably want to use a
> different subtree, say the user container for the first and last, and
> the group container for that one.
> 
> rob
Thank you for your response, Rob.

I managed to solve this before reading your comment, however, could you please
explain to me why it didn't work and why it works now?

Looking at this through the eyes of the UI:
The old solution was using the "Subtree" field with: Subtree:
dc=example,dc=com. This was replaced with the use of "Type: User" with
attribute: "memberof", and "Type: Group" with attributes: member and memberof
for the anonymous group permission.

How can this small thing make such a huge difference? (this is very new to me)


[Freeipa-users] Re: FreeIPA server + Replica - HBAC rules not matching

2023-10-26 Thread Finn Fysj via FreeIPA-users
> I'm setting up a server + replica and I've migrated data from an old IPA 
> server
> using ipa migrate-ds.
> I experience problems with SSH into my IPA servers, even though I have HBAC 
> rules to allow
> this:
> 
> 
> $ssh test_alice(a)ipa-test.example.com -i test_alice
> Connection closed by 192.168.10.24 port 22
> 
> $ssh test_alice(a)ipa-test.example.com
> (test_alice(a)ipa-test.example.com) Password:
> 
> [usr@ipa-test ~]$ ipa hbactest --user=test_alice --host=ipa-test.example.com
> --service=ssh
> 
> Access granted: True
> 
>   Matched rules: allow_alice
>   
>   
> [usr@ipa-test ~]$ ipa hbacrule-find test_alice --all
> ---
> 1 HBAC rule matched
> ---
>   dn: 
> ipaUniqueID=20f8f500-73d8-11ee-ac02-020017010d22,cn=hbac,dc=example,dc=com
>   Rule name: allow_alice
>   Host category: all
>   Service category: all
>   Enabled: True
>   Users: test_alice
>   accessruletype: allow
>   
> 
> [usr@ipa-test ~]$ ipa user-find test_alice --all
> --
> 1 user matched
> --
>   dn: uid=test_alice,cn=users,cn=accounts,dc=example,dc=com
>   User login: test_alice
>   First name: Alice
>   Last name: Test
>   Full name: Alice Test
>   Display name: Alice Test
>   Initials: AT
>   Home directory: /home/test_alice
>   GECOS: Alice Test
>   Login shell: /bin/sh
>   Principal name: test_alice(a)EXAMPLE.COM
>   Principal alias: test_alice(a)EXAMPLE.COM
>   Email address: test_alice(a)example.com
>   UID: 5002
>   GID: 5002
>   SSH public key: ssh-rsa
>   B3N...
>   test_alice
> 
> 
> 
> Previously using FreeIPA I have been able to find "denying access" in log
> files
> because of not matching HBAC rules. Now I can't find any trace of this, even 
> with
> debug_level = 10 in /etc/sssd/sssd.conf  (domain, ssh, pam, sssd section).

Turns out I have Anonymous Permissions that mess this up.
After removing the following permissions I can successfully SSH using test_alice:
$ ipa permission-find Anonymous
  Permission name: Anonymous Group
  Granted rights: read, search
  Effective attributes: member, memberof
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2

  Permission name: Anonymous User
  Granted rights: read, search
  Effective attributes: memberof
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2


I have a third one, but that isn't causing issues:
  Permission name: Anonymous PubKey
  Granted rights: read
  Effective attributes: ipasshpubkey
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2

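The permissions above are the security-relevant finding of this thread: custom anonymous-bind permissions that hand out group membership (and SSH keys) to unauthenticated LDAP clients. The following is an added example, not code from FreeIPA or from the poster: it parses the record layout that `ipa permission-find` prints (as shown in the post) and flags any anonymous bind rule granting read on memberOf or ipaSshPubKey, the attributes Alexander's reply says a stock IPA only serves to authenticated binds. The sample text is reconstructed from the three permissions in the post, so the third (PubKey) one is flagged too.

```python
"""Audit `ipa permission-find` output for anonymous-bind permissions that expose
attributes FreeIPA normally restricts to authenticated LDAP binds.

Added example for this thread; not code from FreeIPA or from the poster.
The parser assumes the record layout shown in the post: records separated by
blank lines, each a run of "  Key: value" lines. SAMPLE_OUTPUT is
reconstructed from the three permissions listed in the post.
"""
from __future__ import annotations

# Attributes that a stock IPA serves only to authenticated binds (per the
# reply in the related thread): group membership and SSH public keys.
SENSITIVE_ATTRS = frozenset({"memberof", "ipasshpubkey"})

# Constructed from the post's `ipa permission-find Anonymous` output.
SAMPLE_OUTPUT = """\
---
3 permissions matched
---
  Permission name: Anonymous Group
  Granted rights: read, search
  Effective attributes: member, memberof
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2

  Permission name: Anonymous User
  Granted rights: read, search
  Effective attributes: memberof
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2

  Permission name: Anonymous PubKey
  Granted rights: read
  Effective attributes: ipasshpubkey
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2
----
Number of entries returned 3
----
"""


def parse_permissions(text: str) -> list[dict[str, str]]:
    """Split CLI output into one {key: value} dict per permission record."""
    records: list[dict[str, str]] = []
    current: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        # Header/footer lines ("---", "3 permissions matched") carry no ": ".
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        current[key.strip().lower()] = value.strip()
    if current:
        records.append(current)
    return records


def _csv_set(value: str) -> set[str]:
    """'member, memberof' -> {'member', 'memberof'}; LDAP attribute names are
    case-insensitive, so normalise to lowercase."""
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def find_anonymous_exposures(
    records: list[dict[str, str]],
) -> list[tuple[str, list[str]]]:
    """Return (permission name, sorted exposed attributes) for every permission
    whose bind rule is anonymous and which grants read on a sensitive attribute."""
    findings: list[tuple[str, list[str]]] = []
    for rec in records:
        if rec.get("bind rule type", "").lower() != "anonymous":
            continue
        if "read" not in _csv_set(rec.get("granted rights", "")):
            continue
        exposed = _csv_set(rec.get("effective attributes", "")) & SENSITIVE_ATTRS
        if exposed:
            findings.append((rec.get("permission name", "?"), sorted(exposed)))
    return findings


def remediation_commands(findings: list[tuple[str, list[str]]]) -> list[str]:
    """The fix the poster applied: delete the custom anonymous permissions."""
    return [f'ipa permission-del "{name}"' for name, _ in findings]


if __name__ == "__main__":
    found = find_anonymous_exposures(parse_permissions(SAMPLE_OUTPUT))
    for name, attrs in found:
        print(f"{name}: anonymous read of {', '.join(attrs)}")
    print("\n".join(remediation_commands(found)))
```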

[Freeipa-users] FreeIPA server + Replica - HBAC rules not matching

2023-10-26 Thread Finn Fysj via FreeIPA-users
I'm setting up a server + replica and I've migrated data from an old IPA server 
using ipa migrate-ds.
I experience problems with SSH into my IPA servers, even though I have HBAC 
rules to allow this:


$ssh test_al...@ipa-test.example.com -i test_alice
Connection closed by 192.168.10.24 port 22

$ssh test_al...@ipa-test.example.com
(test_al...@ipa-test.example.com) Password:

[usr@ipa-test ~]$ ipa hbactest --user=test_alice --host=ipa-test.example.com 
--service=ssh

Access granted: True

  Matched rules: allow_alice
  
  
[usr@ipa-test ~]$ ipa hbacrule-find test_alice --all
---
1 HBAC rule matched
---
  dn: ipaUniqueID=20f8f500-73d8-11ee-ac02-020017010d22,cn=hbac,dc=example,dc=com
  Rule name: allow_alice
  Host category: all
  Service category: all
  Enabled: True
  Users: test_alice
  accessruletype: allow
  

[usr@ipa-test ~]$ ipa user-find test_alice --all
--
1 user matched
--
  dn: uid=test_alice,cn=users,cn=accounts,dc=example,dc=com
  User login: test_alice
  First name: Alice
  Last name: Test
  Full name: Alice Test
  Display name: Alice Test
  Initials: AT
  Home directory: /home/test_alice
  GECOS: Alice Test
  Login shell: /bin/sh
  Principal name: test_al...@example.com
  Principal alias: test_al...@example.com
  Email address: test_al...@example.com
  UID: 5002
  GID: 5002
  SSH public key: ssh-rsa
  B3N...
  test_alice



Previously using FreeIPA I have been able to find "denying access" in log files 
because of not matching HBAC rules. Now I can't find any trace of this, even 
with debug_level = 10 in /etc/sssd/sssd.conf (domain, ssh, pam, sssd section).


[Freeipa-users] Re: Installing FreeIPA server + replica using Ansible Role FreeIPA

2023-10-25 Thread Finn Fysj via FreeIPA-users
Whenever I've been working with FreeIPA and sssd I've been able to see something 
like:  No HBAC rules find, denying access

This is not the case here.


[Freeipa-users] Re: Installing FreeIPA server + replica using Ansible Role FreeIPA

2023-10-25 Thread Finn Fysj via FreeIPA-users
> Finn Fysj via FreeIPA-users wrote:
> 
> If SSSD doesn't have the rules it can't grant access.
> 
> 
> You might try enabling replication debugging on your misbehaving server.
> It could tell you what is wrong.
> 
> rob

I tried to set up another test IPA server just to verify. Here I created a 
dummy user "test_alice", added a public key to this user, and added an HBAC rule:
  Rule name: allow_alice
  Host category: all
  Service category: all
  Enabled: True
  Users: test_alice
  accessruletype: allow

systemctl status sssd
Oct 25 15:18:10 ipa-test.example.com sssd_be[34484]: dereference processing 
failed : Invalid argument

systemctl status sshd
Oct 25 15:18:10 ipa-test.example.com sshd[34496]: pam_sss(sshd:account): Access 
denied for user test_alice: 4 (System error)
Oct 25 15:18:10 ipa-test.example.com sshd[34496]: fatal: Access denied for user 
test_alice by PAM account configuration [preauth]


/var/log/sssd/sssd_example.com.log
(2023-10-25 15:18:10): [be[example.com]] [ldb] (0x1): [RID#4] commit ldb 
transaction (nesting: 0)
(2023-10-25 15:18:10): [be[example.com]] [sysdb_set_entry_attr] (0x0200): 
[RID#4] Entry [name=test_al...@example.com,cn=users,cn=example.com,cn=sysdb] 
has set [ts_cache] attrs.
(2023-10-25 15:18:10): [be[example.com]] 
[dp_get_account_info_initgroups_resolv_done] (0x0400): [RID#4] Ordering NSS 
responder to update memory cache
(2023-10-25 15:18:10): [be[example.com]] [sdap_process_result] (0x2000): Trace: 
sh[0x5632f31d8560], connected[1], ops[(nil)], ldap[0x5632f31da1c0]
(2023-10-25 15:18:10): [be[example.com]] [sdap_process_result] (0x2000): Trace: 
end of ldap_result list
(2023-10-25 15:18:10): [be[example.com]] [sbus_dispatch] (0x4000): Dispatching.
(2023-10-25 15:18:10): [be[example.com]] [sbus_dispatch] (0x4000): Dispatching.
(2023-10-25 15:18:10): [be[example.com]] [sbus_method_handler] (0x2000): 
Received D-Bus method org.freedesktop.DBus.GetConnectionUnixUser on 
/org/freedesktop/DBus
(2023-10-25 15:18:10): [be[example.com]] [sbus_issue_request_done] (0x0400): 
org.freedesktop.DBus.GetConnectionUnixUser: Success
(2023-10-25 15:18:10): [be[example.com]] [sbus_dispatch] (0x4000): Dispatching.
(2023-10-25 15:18:10): [be[example.com]] [sbus_dispatch] (0x4000): Dispatching.
(2023-10-25 15:18:10): [be[example.com]] [dp_req_reply_std] (0x1000): [RID#4] 
DP Request [Initgroups #4]: Returning [Success]: 0,0,Success
(2023-10-25 15:18:10): [be[example.com]] [sbus_issue_request_done] (0x0400): 
sssd.dataprovider.getAccountInfo: Success
(2023-10-25 15:18:10): [be[example.com]] [sbus_dispatch] (0x4000): Dispatching.
(2023-10-25 15:18:10): [be[example.com]] [sbus_dispatch] (0x4000): Dispatching.
(2023-10-25 15:18:10): [be[example.com]] [sbus_dispatch] (0x4000): Dispatching.
(2023-10-25 15:18:10): [be[example.com]] [sbus_method_handler] (0x2000): 
Received D-Bus method sssd.dataprovider.pamHandler on /sssd
(2023-10-25 15:18:10): [be[example.com]] [sbus_senders_lookup] (0x2000): 
Looking for identity of sender [sssd.pam]
(2023-10-25 15:18:10): [be[example.com]] [dp_pam_handler_send] (0x0100): Got 
request with the following data
(2023-10-25 15:18:10): [be[example.com]] [pam_print_data] (0x0100): command: 
SSS_PAM_ACCT_MGMT
(2023-10-25 15:18:10): [be[example.com]] [pam_print_data] (0x0100): domain: 
example.com
(2023-10-25 15:18:10): [be[example.com]] [pam_print_data] (0x0100): user: 
test_al...@example.com
(2023-10-25 15:18:10): [be[example.com]] [pam_print_data] (0x0100): service: 
sshd
(2023-10-25 15:18:10): [be[example.com]] [pam_print_data] (0x0100): tty: ssh
(2023-10-25 15:18:10): [be[example.com]] [pam_print_data] (0x0100): ruser:
(2023-10-25 15:18:10): [be[example.com]] [pam_print_data] (0x0100): rhost: 
192.168.10.66
(2023-10-25 15:18:10): [be[example.com]] [pam_print_data] (0x0100): authtok 
type: 0 (No authentication token available)
(2023-10-25 15:18:10): [be[example.com]] [pam_print_data] (0x0100): newauthtok 
type: 0 (No authentication token available)
(2023-10-25 15:18:10): [be[example.com]] [pam_print_data] (0x0100): priv: 1
(2023-10-25 15:18:10): [be[example.com]] [pam_print_data] (0x0100): cli_pid: 
34496
(2023-10-25 15:18:10): [be[example.com]] [pam_print_data] (0x0100): child_pid: 0
(2023-10-25 15:18:10): [be[example.com]] [pam_print_data] (0x0100): logon name: 
not set
(2023-10-25 15:18:10): [be[example.com]] [pam_print_data] (0x0100): flags: 0
(2023-10-25 15:18:10): [be[example.com]] [dp_attach_req] (0x0400): [RID#5] DP 
Request [PAM Account #5]: REQ_TRACE: New request. [sssd.pam CID #1] Flags 
[].
(2023-10-25 15:18:10): [be[example.com]] [dp_attach_req] (0x0400): [RID#5] 
Number of active DP request: 1
(2023-10-25 15:18:10): [be[example.com]] [sss_domain_get_state] (0x1000): 
[RID#5] Domain example.com is Active
(2023-10-25 15:18:10): [be[example.com]] [sdap_access_send] (0x0400): [RID#5] 
Performing access check for user [test_al...@example.com]
(2023-10-25 15:18:10): [be[example.com]] [ldb] (0x1): [RID#5

[Freeipa-users] Re: Installing FreeIPA server + replica using Ansible Role FreeIPA

2023-10-25 Thread Finn Fysj via FreeIPA-users
> Finn Fysj via FreeIPA-users wrote:
> 
> What's the use-case for this?
> 
> I think this is likely because migration currently doesn't support
> user-private groups and a default IPA user doesn't have a memberof their
> private groups.
> 
> migrate-ds was designed to migrate users who used only LDAP to use IPA.
> IPA to IPA migration is possible for users and groups but its full of
> pitfalls. This may be another one.
> 
> rob
Understood.

When I try to delete the user groups themselves and try a new migration, the 
user will be a member of these groups again...


I'm experiencing a lot of inconsistency with my server + replica setup: 
  - I'm not able to ssh into my IPA servers, even though I have created an 
    allow_all HBAC. I don't find anything relevant in the logs after setting 
    debug_level = 9, other than:  [ipa_pam_access_handler_done] (0x0020): [RID#16] 
    Unable to fetch HBAC rules [22]: Invalid argument.
  - In the log file I get the service: sshd, but shouldn't the log file also 
    include testing of HBAC rules? Now it suddenly doesn't do this. 
  - Whenever I create a HBAC rule on my server, it takes a long time for it to 
    be synced to the replica, however, if something is created on the replica 
    server this is synced immediately.


[Freeipa-users] Re: Installing FreeIPA server + replica using Ansible Role FreeIPA

2023-10-18 Thread Finn Fysj via FreeIPA-users
> Works without problems. Does not migrate UPGs nor ignore kerberos data:
> ipa migrate-ds --with-compat --user-container='cn=users,cn=accounts' \
>   --group-container='cn=groups,cn=accounts' ldap://ipa.example.com
> 
> Migrates UPGs and other groups, but no users because of "mepOriginEntry":
> ipa migrate-ds --bind-dn="cn=Directory Manager" \
>   --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts \
>   --group-objectclass=posixgroup \
>   --user-ignore-objectclass=mepOriginEntry \
>   --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} \
>   --with-compat \
>   ldaps://ipa.example.com
> 
> 
> Could we experience any inconsistency by not ignoring kerberos data?

I'm experiencing inconsistency using ipa-migrate.
If a user is e.g. deleted, and then I try to re-run the ipa-migrate command: the 
user will be successfully migrated, however, the user will no longer be part of 
any user groups.

Command:

ipa migrate-ds --bind-dn="cn=Directory Manager" \
  --user-container=cn=users,cn=accounts \
  --group-container=cn=groups,cn=accounts \
  --group-objectclass=posixgroup \
  --group-objectclass=ipausergroup \
  --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference} \
  --with-compat \
  ldaps://ipa.example.com


[Freeipa-users] Re: Cannot receive LDAP attributes 'memberof' and 'ipaSshPubKey' on new IPA nodes.

2023-10-18 Thread Finn Fysj via FreeIPA-users
> On Срд, 11 кас 2023, Finn Fysj via FreeIPA-users wrote:
> 
> IPA memberof access permission was always limited to authenticated LDAP
> binds.
> 
> 
> So this is what somebody (old admin?) added explicitly.

Correct.

Thanks for your help, Alexander.


[Freeipa-users] Re: Cannot receive LDAP attributes 'memberof' and 'ipaSshPubKey' on new IPA nodes.

2023-10-11 Thread Finn Fysj via FreeIPA-users
> On Срд, 11 кас 2023, Finn Fysj via FreeIPA-users wrote:
> 
> You have to use some identity to bind to LDAP. For example, use your own
> user account.
> 
> $ ldapsearch -x -H ldap://new.ipa1 \
>-D uid=finn,cn=users,cn=accounts,dc=example,dc=com -W \
>-b cn=users,cn=accounts,dc=example,dc=com \
>'(uid=finn)' memberOf ipasshpubkey
> 
> -D option to ldapsearch is providing LDAP DN to bind to
> -W option to ldapsearch is saying 'ask for a password'
> 
> 
> Perhaps somebody did set up relaxed access controls on your old IPA
> servers? It is certainly not what we aim for, especially these days.
That could be.

Have there been any changes to permissions?
The old IPA is running: 4.6.8
The new IPA is running: 4.10.1.


I've also found the following on the old IPA:
  dn: cn=Anonymous ipaSSHPubKey read,cn=permissions,cn=pbac,dc=example,dc=com
  Permission name: Anonymous ipaSSHPubKey read
  Granted rights: read
  Effective attributes: ipasshpubkey
  Included attributes: ipasshpubkey
  Bind rule type: anonymous
  Subtree: cn=users,cn=accounts,dc=example,dc=com
  Raw target filter: (objectclass=posixaccount)
  Type: user
  Permission flags: SYSTEM, V2
  objectclass: top, groupofnames, ipapermission, ipapermissionv2


[Freeipa-users] Re: Cannot receive LDAP attributes 'memberof' and 'ipaSshPubKey' on new IPA nodes.

2023-10-11 Thread Finn Fysj via FreeIPA-users
> On Срд, 11 кас 2023, Finn Fysj via FreeIPA-users wrote:
> 
> memberof and ipaSSHPubKey attributes are only allowed to be read,
> searched and compared by authenticated LDAP connections. If your
> connection is anonymous, you have no access to those attributes.
> 
> 
> The configuration below does not seem to use *any* authentication, not
> just Kerberos.

How can I receive that information from my personal laptop which is not 
authenticated? Is it a setting on IPA servers?

Instances:
New.IPA1
New.IPA2
Old.IPA

Test.server:
Receives desired information from OLD IPA server 
Can't receive desired information from NEW IPA servers

My Personal Laptop: 
Receives desired information from OLD IPA server 
Can't receive desired information from NEW IPA servers


[Freeipa-users] Cannot receive LDAP attributes 'memberof' and 'ipaSshPubKey' on new IPA nodes.

2023-10-11 Thread Finn Fysj via FreeIPA-users
I've set up two new IPA nodes to which I migrated users & groups from an old IPA 
server.
When I do an ldapsearch -x uid=test-user on my client I'm not able to receive 
LDAP attributes such as memberof and ipaSshPubKey. However, this is possible if 
I log onto the IPA nodes and do the ldapsearch.

I can confirm that by running ldapsearch -H ldaps://old.ipa.example.com 
uid=test-user I can receive the wanted attributes.

On new IPA node:
dn: uid=test-user,cn=users,cn=accounts,dc=example,dc=com
ipaNTSecurityIdentifier: S-1-5-21-
givenName: Test
sn: User
uid: test-user
cn: Test User
displayName: Test User
initials: TU
gecos: Test User
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
loginShell: /bin/sh
homeDirectory: /home/test-user
uidNumber: 5015
gidNumber: 5015


Old IPA:
dn: uid=test-user,cn=users,cn=accounts,dc=example,dc=com
ipaNTSecurityIdentifier: S-1-5-21-
givenName: Test
sn: User
uid: test-user
cn: Test User
displayName: Test User
initials: TU
gecos: Test User
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
loginShell: /bin/sh
homeDirectory: /home/test-user
uidNumber: 5015
gidNumber: 5015
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
ipaSshPubKey: ssh-rsa ..


It's important to note, we're not using Kerberos for authentication, nor is 
ipa-client being used.

/etc/sssd/sssd.conf

[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
sudo_provider = ldap

ldap_uri = ldaps://ipa.example.com
ldap_schema = rfc2307bis

ldap_search_base = dc=example,dc=com
ldap_user_search_base = cn=users,cn=accounts,dc=example,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=example,dc=com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com

ldap_id_use_start_tls = true
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_reqcert = allow

cache_credentials = true

[sssd]
services = nss, pam, sudo
domains = default

[nss]
homedir_substring = /home

[pam]

[sudo]


/etc/openldap/ldap.conf:
BASE dc=example,dc=com
URI ldap://ipa.example.com

SASL_NOCANON  on

TLS_CACERT /etc/ssl/certs/ca-bundle.crt
TLS_CACERTDIR /etc/openldap/cacerts

sudoers_base ou=sudoers,dc=example,dc=com

/etc/sudo-ldap.conf:
BASE dc=example,dc=com
URI ldap://ipa.example.com

SASL_NOCANON  on

TLS_CACERT /etc/ssl/certs/ca-bundle.crt
TLS_CACERTDIR /etc/openldap/cacerts

sudoers_base ou=sudoers,dc=example,dc=com

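The sssd.conf above is the crux of the thread: the domain has no ldap_default_bind_dn, so SSSD binds anonymously and a stock IPA 4.10 directory withholds memberOf and ipaSshPubKey, and ldap_tls_reqcert = allow lets SSSD proceed when the server certificate cannot be verified. The following is an added example, not code from SSSD, FreeIPA or the poster: it audits the poster's domain section for those two settings (plus, beyond the post, a plain ldap:// URI without STARTTLS) and checks an assumed hardened variant that binds with a dedicated read-only system account; the bind DN uid=sssd-ro,cn=sysaccounts,cn=etc,... and its password are placeholders.

```python
"""Audit an sssd.conf LDAP domain for the weak settings visible in this thread.

Added example; not code from SSSD, FreeIPA or the poster. WEAK_CONF is the
poster's sssd.conf (domain and [sssd] sections). HARDENED_CONF is an assumed
fix: a dedicated read-only bind account (placeholder DN and password, not
from the post) and strict server-certificate checking.
"""
from __future__ import annotations

import configparser

# The poster's configuration (domain and [sssd] sections only).
WEAK_CONF = """\
[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
sudo_provider = ldap
ldap_uri = ldaps://ipa.example.com
ldap_schema = rfc2307bis
ldap_search_base = dc=example,dc=com
ldap_user_search_base = cn=users,cn=accounts,dc=example,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=example,dc=com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_reqcert = allow
cache_credentials = true

[sssd]
services = nss, pam, sudo
domains = default
"""

# Assumed fix (placeholder DN/password): bind as a dedicated read-only system
# account so IPA's default ACIs return memberOf/ipaSshPubKey, and require a
# valid server certificate.
HARDENED_CONF = WEAK_CONF.replace(
    "ldap_tls_reqcert = allow",
    "ldap_tls_reqcert = demand\n"
    "ldap_default_bind_dn = uid=sssd-ro,cn=sysaccounts,cn=etc,dc=example,dc=com\n"
    "ldap_default_authtok_type = password\n"
    "ldap_default_authtok = CHANGE-ME",
)


def load_sssd_conf(text: str) -> configparser.ConfigParser:
    """Parse sssd.conf text; values contain ':' (ldaps://...), so only '='
    may act as the key/value delimiter."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp


def ldap_domains(cp: configparser.ConfigParser) -> list[str]:
    """Section names of enabled domains that use the LDAP identity provider."""
    enabled = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")]
    return [
        f"domain/{d}"
        for d in enabled
        if d and cp.get(f"domain/{d}", "id_provider", fallback="") == "ldap"
    ]


def audit_domain(cp: configparser.ConfigParser, section: str) -> list[str]:
    """Return one finding per weak setting in the given domain section."""
    findings: list[str] = []
    if not cp.get(section, "ldap_default_bind_dn", fallback="").strip():
        findings.append(
            "ldap_default_bind_dn unset: SSSD binds anonymously, so attributes "
            "IPA serves only to authenticated binds (memberOf, ipaSshPubKey) are hidden"
        )
    # SSSD's default is 'hard'; 'allow' and 'never' tolerate a bad server cert.
    reqcert = cp.get(section, "ldap_tls_reqcert", fallback="hard").strip().lower()
    if reqcert not in ("demand", "hard"):
        findings.append(f"ldap_tls_reqcert = {reqcert}: server certificate not enforced")
    # Beyond the post: ldap:// without STARTTLS sends identity lookups in clear.
    uri = cp.get(section, "ldap_uri", fallback="").strip().lower()
    starttls = cp.get(section, "ldap_id_use_start_tls", fallback="false").strip().lower()
    if uri.startswith("ldap://") and starttls != "true":
        findings.append("ldap:// without ldap_id_use_start_tls: cleartext lookups")
    return findings


def audit(text: str) -> dict[str, list[str]]:
    """Map each LDAP domain section to its list of findings (empty = clean)."""
    cp = load_sssd_conf(text)
    return {section: audit_domain(cp, section) for section in ldap_domains(cp)}


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for section, findings in audit(conf).items():
            print(f"[{label}] {section}: {findings or 'no findings'}")
```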

[Freeipa-users] Re: Installing FreeIPA server + replica using Ansible Role FreeIPA

2023-09-28 Thread Finn Fysj via FreeIPA-users
> Finn Fysj via FreeIPA-users wrote:
> 
> UPGs cannot be migrated at all. There is no risk. Some find it annoying
> to see a bunch of single-user groups in the interface, that's all.
> 
> rob

Thank you, Rob.

I've seen that the UPGs that get migrated have received the following attributes:

ipaNTSecurityIdentifier
ipantgroupattrs
groupofnames
nestedgroup
ipausergroup

If I really want to keep UPGs I can use ipa group-mod --delattr=...

I'll do some more checking, but you're correct: I don't think we'll have the 
need for Kerberos except on the IPA servers themselves, but if it's considered 
good practice to ignore krb attributes I'll do so.

I'll try to do some more testing. 


[Freeipa-users] Re: Installing FreeIPA server + replica using Ansible Role FreeIPA

2023-09-27 Thread Finn Fysj via FreeIPA-users
> On Срд, 27 вер 2023, Finn Fysj via FreeIPA-users wrote:
> 
> I would question rather why you want migration of IPA deployment instead
> of just adding those two RHEL 9 servers into existing deployment and
> then retiring the old (RHEL 7) server.
> 
> Sure, this is not possible directly, only through a temporary RHEL 8
> replica first, but that would keep all your data intact.
> 
> Please see 
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
> and
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/...

The short answer is: We consider the old IPA to be unstable and we don't want 
the new server to be based on some existing mess or misconfiguration.


[Freeipa-users] Re: Installing FreeIPA server + replica using Ansible Role FreeIPA

2023-09-27 Thread Finn Fysj via FreeIPA-users
> Finn Fysj via FreeIPA-users wrote:
> 
> It's not possible to say without seeing the whole command you used.
> 
> rob

Works without problems. Does not migrate UPGs nor ignore kerberos data:
ipa migrate-ds --with-compat --user-container='cn=users,cn=accounts' \
  --group-container='cn=groups,cn=accounts' ldap://ipa.example.com

Migrates UPGs and other groups, but no users because of "mepOriginEntry":
ipa migrate-ds --bind-dn="cn=Directory Manager" \
  --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts \
  --group-objectclass=posixgroup \
  --user-ignore-objectclass=mepOriginEntry \
  --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} \
  --with-compat \
  ldaps://ipa.example.com


Could we experience any inconsistency by not ignoring kerberos data?


[Freeipa-users] Re: Installing FreeIPA server + replica using Ansible Role FreeIPA

2023-09-27 Thread Finn Fysj via FreeIPA-users
> Finn Fysj via FreeIPA-users wrote:
> 
> If you migrate the Kerberos keys and principals they will be for the
> original realm and will not work.
> 
> LDAP passwords are migrated by allowing password migration in
> ipa-config. When this mode is enabled, if an LDAP bind occurs and there
> are no Kerberos keys then they are generated automatically if they don't
> already exist.
> 
> 
> Because it sounds like you aren't using Kerberos at all.
> 
> 
> RHEL and Fedora have used private user groups for decades now. The
> definition being that when a user is created they get a group with the
> same id and no members.
> 
> An IPA user-private group is similar in nature in that it has the same
> uid/gid. It also lacks the objectclasses to allow members.
> 
> A migrated group will retain the same GID but is a regular group.
> 
> This is most noticeable when you have a lot of users, so therefore a lot
> of private groups. Private groups are filtered out by default when
> looking at the list of groups. That will not happen after migration.
> 
> I'm really not sure what your use-case is here. Do you have an existing
> broken IPA server? I have the impression you are starting out new.
> 
> rob

Firstly, thank you for taking your time, Rob.

We have an existing IPA server running on RHEL7 and our goal is to create two 
new IPA servers on RHEL9 (master & replica). 
We therefore want to migrate USERS & GROUPS only from the existing IPA server 
using ipa migrate-ds.  
The end goal looks something like: only use the IPA servers as LDAP servers 
and load balance these two. It basically gives us LDAP servers w/ GUI. 
Replacing FreeIPA is not an option.

I'm therefore curious what the risks may be if we're leaving out migrating 
UPGs, and secondly your thoughts on this approach.


[Freeipa-users] Re: Installing FreeIPA server + replica using Ansible Role FreeIPA

2023-09-26 Thread Finn Fysj via FreeIPA-users
After running the suggested command from https://www.freeipa.org/page/Howto/Migration
only the "private groups" are being migrated. Users are not, because of the 
--user-ignore-attribute={mepManagedEntry}:

test_user: attribute "mepManagedEntry" not allowed



[Freeipa-users] Re: Installing FreeIPA server + replica using Ansible Role FreeIPA

2023-09-26 Thread Finn Fysj via FreeIPA-users
> Finn Fysj via FreeIPA-users wrote:
> 
> mepOriginEntry is how private groups are implemented.
> 
> For more information on migrated private groups see
> https://rcritten.wordpress.com/2018/09/05/migration-and-user-private-groups/
> 
> rob
Thank you for answering, Rob.

I've previously looked at the source you reference. 
I might need an explanation of:  You just need to make sure that FreeIPA 
Kerberos related attributes are not migrated as they need to be generated again 
by the new FreeIPA server and its new Kerberos settings or keys.

Why? What can be the challenges we face? 
There haven't been any problems with the test servers I've configured. 

I also need to understand the use of private groups in FreeIPA. We're planning 
to solely use FreeIPA as LDAP for LDAP connections only, where the IPA servers 
are the only servers on which a kinit would make sense.
Could we face issues NOT migrating private groups when using FreeIPA as an LDAP 
server (w/ GUI)? 


[Freeipa-users] Re: Installing FreeIPA server + replica using Ansible Role FreeIPA

2023-09-20 Thread Finn Fysj via FreeIPA-users
Having a closer look at https://www.freeipa.org/page/Howto/Migration
an ipa migrate-ds command is provided: 

$ echo Secret123 | ipa migrate-ds --bind-dn="cn=Directory Manager" \
  --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts \
  --group-objectclass=posixgroup \
  --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} \
  --user-ignore-objectclass=mepOriginEntry --with-compat \
  ldap://migrated.freeipa.server.test

I look at this site as a recommendation of how to use ipa migrate-ds, however 
the following error arises for multiple users:
test_user: attribute "mepManagedEntry" not allowed

I have not been having any issues with "my" ipa migrate-ds command, but I 
look at the provided ipa migrate-ds command as "best practice" or at least a 
recommendation.


[Freeipa-users] Re: Installing FreeIPA server + replica using Ansible Role FreeIPA

2023-09-20 Thread Finn Fysj via FreeIPA-users
> On Thu, Sep 14, 2023 at 8:10 AM Finn Fysj via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org wrote:
> 
> Most of the role variables are not replicated.
> 
> In the example you show the vars as set in the role call, not in an
> inventory file.
> The same variables (ipaclient_*) should be replicated in the ipareplica
> role (and
> on ipaclient) for the settings to be the same on all hosts.
> 
> How are you executing the ipareplica code?
> 
> Rafael
Thank you for taking your time.

It's important to note a "Cloud" dynamic-inventory is being used to reach all 
of the servers involved.

server.yml
- hosts:
    - server
  become: true
  pre_tasks:
    - name: Replace default UID/GID_MAX
      ansible.builtin.replace:
        dest: /etc/login.defs
        regexp: "^{{ item }}.*"
        replace: "{{ item }} 6999"
      loop:
        - "UID_MAX"
        - "GID_MAX"
  roles:
    - role: freeipa.ansible_freeipa.ipaserver
      vars:
        ipaserver: "{{ ansible_hostname }}.example"
        ipaserver_hostname: "{{ ansible_hostname }}.example"
        ipaadmin_password: "test123"
        ipadm_password: "test321"
        ipaserver_domain: "example.com"
        ipaserver_realm: "EXAMPLE.COM"
        ipaserver_no_host_dns: true
        ipaserver_mem_check: true
        ipaserver_install_packages: true
        ipaserver_setup_dns: false
        ipaserver_no_pkinit: true
        ipaserver_no_hbac_allow: true
        ipaserver_no_ui_redirect: false
        ipaclient_no_ntp: true
        ipaclient_mkhomedir: true
        ipaclient_no_sudo: false

replica.yml
---
- hosts:
    - replica
  become: true
  roles:
    - role: freeipa.ansible_freeipa.ipareplica
      vars:
        # IPA Replica
        ipareplica_servers: ["server01.example.com"]
        ipareplicas: ["{{ ansible_play_hosts_all | join(', ') }}"]
        ipareplica_domain: "example"
        ipaadmin_principal: "admin"
        ipaadmin_password: "test123"
        ipadm_password: "test321"
        ipareplica_install_packages: true
        ipareplica_setup_firewalld: false
        ipareplica_setup_dns: false
        ipaclient_no_ntp: true
        ipaclient_mkhomedir: true
        ipaclient_no_sudo: false


site.yml
---
- import_playbook: server.yml
- import_playbook: replica.yml

ansible-playbook --ask-become-pass -i dynamic-inventory site.yml 


Authselect output:
$ authselect current
Profile ID: sssd
Enabled features:
- with-mkhomedir
- with-sudo

Turns out now it works great.


I also then apply SUDO and HBAC rules to my MASTER server using playbooks. The 
sync of rules takes a lot of time. 
Could a SSSD restart trigger this?


After this I migrate existing USERS and GROUPS from an old IPA server (RHEL 7) 
which is going to be destroyed.
DS migration:
ipa migrate-ds --with-compat --user-container='cn=users,cn=accounts' \
    --group-container='cn=groups,cn=accounts' ldap://old.ipa.example

I've later realized private groups are not being migrated. Any way to 
"regenerate" these?


[Freeipa-users] Re: Installing FreeIPA server + replica using Ansible Role FreeIPA

2023-09-14 Thread Finn Fysj via FreeIPA-users
> Hello,
> 
> On 6/22/23 16:08, Finn Fysj via FreeIPA-users wrote:
> 
> which IPA and ansible-freeipa versions are you using?
> 
> Please provide more information about your inventory and setup.
> 
> Are you trying to use the ipaserver role to deploy also replicas? The 
> ipaserver 
> role is only useful to deploy the initial master only. The replicas need to 
> be 
> deployed using the ipareplica role.
> 
> Regards,
> Thomas
Thank you for the answer, Thomas.

The ansible-freeipa collection version is: 1.11.0
I've experienced a lot of "inconsistency" when installing the IPA server and IPA 
replica on my EL9 servers.

I do indeed use separate roles for the two server roles: ipaserver for the 
master server and the ipareplica role for the replica.

Even though arguments such as ipaclient_mkhomedir: true are set, this is not the 
case for my server.

$ authselect current
Profile ID: sssd
Enabled featu


[Freeipa-users] Installing FreeIPA server + replica using Ansible Role FreeIPA

2023-06-22 Thread Finn Fysj via FreeIPA-users
The installation of the IPA server and replica does not produce the desired result.
Even though mkhomedir is set to true, the feature is not enabled in 
authselect. Also, the replica server does not replicate SUDO and HBAC rules from 
the IPA master.
Is the only solution to re-install the whole IPA server/replicas stuff? Kinda 
stupid.

Example of the IPA server role:
- role: freeipa.ansible_freeipa.ipaserver
  vars:
    ipaserver: "{{ ansible_hostname }}.example"
    ipaserver_hostname: "{{ ansible_hostname }}.example"
    ipaadmin_password: "test123"
    ipadm_password: "test321"
    ipaserver_domain: "example.com"
    ipaserver_realm: "EXAMPLE.COM"
    ipaserver_no_host_dns: true
    ipaserver_mem_check: true
    ipaserver_install_packages: true
    ipaserver_setup_dns: false
    ipaserver_no_pkinit: true
    ipaserver_no_hbac_allow: true
    ipaserver_no_ui_redirect: false
    ipaclient_no_ntp: true
    ipaclient_mkhomedir: true
    ipaclient_no_sudo: false


[Freeipa-users] Re: Migrating from Rhel 7 to Rhel 9 (changing UID/GID_MAX and losing admins group)

2023-06-22 Thread Finn Fysj via FreeIPA-users
There are no direct failures, however, it won't copy groups that already exist, 
which is probably the case here. "Admins" already exists on the installed IPA. 

It's understandable Rob, however, we don't use the full capabilities of 
FreeIPA, only the LDAP and UI aspects of it.

Cheers.


[Freeipa-users] Re: Migrating from Rhel 7 to Rhel 9 (changing UID/GID_MAX and losing admins group)

2023-06-21 Thread Finn Fysj via FreeIPA-users
> On Wed, 21 Jun 2023, Finn Fysj via FreeIPA-users wrote:
> 
> I would actually address this one, not the original question.
> 
> You are conflating two different actions into one. 'Migrating' from a
> particular OS version in existing IPA deployment to another one is not a
> migration, from IPA point of view. In this case, even if you are adding
> new replicas using an updated OS version, the data in LDAP stays the
> same and is replicated in its entirety across the topology.
> 
> When we say that an upgrade to RHEL9 from RHEL7 deployment should be
> done by adding an intermediary RHEL8 replica, this is the case.
> 
> In the case where you are using 'ipa migrate-ds', you are creating a
> totally separate environment which shares no LDAP data directly with the
> old one. Here you are adding users/groups from the old setup (be that an
> older IPA deployment or some OpenLDAP setup, or may be Active Directory,
> or something else) to the new setup. Only a subset of information is
> transferred.
> 
> Coming back to your question, are you passing a bind DN and password to
> be able to see all information in the old IPA deployment? bind DN
> defaults to 'cn=Directory Manager', so that one should see all user
> and group details.

Thank you for your response, Alexander.

I'm indeed creating separate IPA servers, which are NOT intended to be part of 
the "old" one, at least not in a Replica setup.

Yes. This line is being run in ansible so the DS password is being passed to 
the command, correct.


[Freeipa-users] Migrating from Rhel 7 to Rhel 9 (changing UID/GID_MAX and losing admins group)

2023-06-21 Thread Finn Fysj via FreeIPA-users
Hi,

When I try to migrate from my RHEL 7 instance to RHEL 9, most of the stuff seems to 
work fine. 
I needed to setup the new IPA servers by modifying UID/GID_MAX since in the 
early versions of the installation there wasn't a "check" for these attributes. 
I needed to do this since the existing IPA server uses UID/GIDs starting from 
6000.

Running: 
ipa migrate-ds --with-compat --user-container='cn=users,cn=accounts' \
    --group-container='cn=groups,cn=accounts' ipa.example.com

However, I see that all the users that used to belong to "admins" have now 
disappeared. Is there a way to avoid this? Or is there any attribute I should 
think of while migrating?


PS: I'm aware that the suggested method of migrating is Rhel7 > Rhel8 > Rhel9, 
however, it seems to work fine without.


[Freeipa-users] Re: ipa migrate-ds - From EL7 to EL8/9

2023-05-10 Thread Finn Fysj via FreeIPA-users
> Hi,
> 
> if you want to install a RHEL8 or RHEL9 server with the same domain name,
> the recommended procedure would be to install a RHEL8 replica from your
> RHEL7 server, then a RHEL9 replica from your RHEL8 server.
> You can check this documentation:
> 
>- Migrating your IdM environment from RHEL 7 servers to RHEL 8 servers
>[1]
>- Migrating your IdM environment from RHEL 8 servers to RHEL 9 servers
>[2]
> 
> ipa migrate-ds is used when the new domain name is different from the old
> one and does not migrate all the data (only users and groups are migrated,
> not HBAC rules, sudo rules etc...). On the contrary, installation of a
> replica does not lose any data. And you don't need to worry about the SIDs.
> 
> HTH,
> flo
> 
> [1]
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
> [2]
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/...
> 
> On Tue, May 9, 2023 at 2:35 PM Finn Fysj via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org wrote:
Thank you for replying to me, Florence.

I'm aware that the recommended method of migrating is: RHEL 7 > 8 > 9.
However, I would like to do RHEL 7 > 9. I have tried this in a small test lab 
and it seems to be somewhat OK, as I'm only interested in Users/Groups.

As additional information: we will use the same Domain Name for the new 
instance as well, though we do not want to install this as a replica that is part 
of the existing old one.
Is there anything else we should look out for or be aware of? E.g. clients 
already enrolled in the old IPA instance?


[Freeipa-users] ipa migrate-ds - From EL7 to EL8/9

2023-05-09 Thread Finn Fysj via FreeIPA-users
Planning to migrate users and groups from an old dusty IPA server running Red 
Hat Enterprise Linux 7 to RHEL9.
I'm aware of SID issues from following thread: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/MO63NXS63KSI6QJMZRN6JK32VUGKEICH/

Should I ignore the attribute `ipaNTSecurityIdentifier` when migrating from old 
to new instance?


[Freeipa-users] SSSD Log stops working - Backtrace dump ends here

2023-05-04 Thread Finn Fysj via FreeIPA-users
I've tried to install and re-install the IPAserver on my node. Even tried to 
re-provision it. When I look in the SSSD log for my domain I get the following:

   *  (2023-05-04  6:30:59): [be[lab.local]] [sdap_get_generic_ext_step] (0x2000): [RID#16] ldap_search_ext called, msgid = 48
   *  (2023-05-04  6:30:59): [be[lab.local]] [sdap_op_add] (0x2000): [RID#16] New operation 48 timeout 60
   *  (2023-05-04  6:30:59): [be[lab.local]] [sdap_process_result] (0x2000): Trace: sh[0x560c8dff6e30], connected[1], ops[0x560c8e064050], ldap[0x560c8e0abcc0]
   *  (2023-05-04  6:30:59): [be[lab.local]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
   *  (2023-05-04  6:30:59): [be[lab.local]] [sdap_process_result] (0x2000): Trace: sh[0x560c8dff6e30], connected[1], ops[0x560c8e064050], ldap[0x560c8e0abcc0]
   *  (2023-05-04  6:30:59): [be[lab.local]] [sdap_process_message] (0x4000): [RID#16] Message type: [LDAP_RES_SEARCH_RESULT]
   *  (2023-05-04  6:30:59): [be[lab.local]] [sdap_get_generic_op_finished] (0x0400): [RID#16] Search result: Success(0), no errmsg set
   *  (2023-05-04  6:30:59): [be[lab.local]] [sdap_get_generic_op_finished] (0x2000): [RID#16] Total count [0]
   *  (2023-05-04  6:30:59): [be[lab.local]] [sdap_op_destructor] (0x2000): [RID#16] Operation 48 finished
   *  (2023-05-04  6:30:59): [be[lab.local]] [ipa_hbac_rule_info_done] (0x0400): [RID#16] No rules apply to this host
   *  (2023-05-04  6:30:59): [be[lab.local]] [sdap_id_op_done] (0x4000): [RID#16] releasing operation connection
   *  (2023-05-04  6:30:59): [be[lab.local]] [ipa_pam_access_handler_done] (0x0020): [RID#16] No HBAC rules found, denying access
** BACKTRACE DUMP ENDS HERE *

(2023-05-04  6:39:00): [be[lab.local]] [orderly_shutdown] (0x3f7c0): SIGTERM: killing children
(2023-05-04  6:39:00): [be[lab.local]] [orderly_shutdown] (0x3f7c0): Shutting down (status = 0)(2023-05-04  6:39:00): [be[lab.local]] [server_setup] (0x3f7c0): Starting with debug level = 0x0070
(2023-05-04  6:41:04): [be[lab.local]] [orderly_shutdown] (0x3f7c0): SIGTERM: killing children
(2023-05-04  6:41:04): [be[lab.local]] [orderly_shutdown] (0x3f7c0): Shutting down (status = 0)(2023-05-04  6:41:04): [be[lab.local]] [server_setup] (0x3f7c0): Starting with debug level = 0x0070
(2023-05-04  6:43:33): [be[lab.local]] [orderly_shutdown] (0x3f7c0): SIGTERM: killing children
(2023-05-04  6:43:33): [be[lab.local]] [orderly_shutdown] (0x3f7c0): Shutting down (status = 0)(2023-05-04  6:43:33): [be[lab.local]] [server_setup] (0x3f7c0): Starting with debug level = 0x0070

I tried to set debug_level = 8 and 9, without any good results. The log 
doesn't change when I try to log in or run any "privileged" commands.
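As an added example (not code from this thread or from SSSD), here is a small parser for the backend log format quoted above that picks out the HBAC denial, which is the actual access decision in that dump, and copes with the "*"-prefixed backtrace-buffer lines and the two records run together after "(status = 0)". The sample log inside it is constructed from the lines above; the failure threshold 0x0080 is SSSD's minor-failure debug bit, so anything at or below it is one of SSSD's failure levels.

```python
# Added example: parse SSSD backend log lines (sssd_<domain>.log) in the format
# quoted above and flag the HBAC denial that is the actual access decision.
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional

# One record: (date  time): [component] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\s*(?P<bt>\*\s+)?"                                    # backtrace-buffer marker
    r"\((?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\): "
    r"\[(?P<component>[^\]]*\]?)\] "                         # e.g. be[lab.local]
    r"\[(?P<function>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): "
    r"(?P<message>.*)$"
)
# A message without a trailing newline runs straight into the next timestamp,
# as in "... (status = 0)(2023-05-04  6:39:00): ..." above; split there.
GLUED_RE = re.compile(r"(?<=\))(?=\(\d{4}-\d{2}-\d{2}\s+\d{1,2}:\d{2}:\d{2}\): )")
RID_RE = re.compile(r"^\[RID#(?P<rid>\d+)\]\s*")
# SSSD debug-level bits 0x0010 (fatal) .. 0x0080 (minor) are failures;
# higher bits are configuration and trace output.
FAILURE_MAX_LEVEL = 0x0080


@dataclass
class Entry:
    timestamp: str
    component: str
    function: str
    level: int
    rid: Optional[int]
    message: str
    from_backtrace: bool

    @property
    def is_failure(self) -> bool:
        return self.level <= FAILURE_MAX_LEVEL


def split_records(line: str) -> Iterator[str]:
    """Yield every record on one physical line (normally exactly one)."""
    for chunk in GLUED_RE.split(line):
        if chunk.strip():
            yield chunk


def parse_record(raw: str) -> Optional[Entry]:
    """Parse one record; None for non-record lines such as the backtrace banner."""
    m = LINE_RE.match(raw)
    if not m:
        return None
    message = m.group("message")
    rid = None
    rid_match = RID_RE.match(message)          # "[RID#16] ..." request-id prefix
    if rid_match:
        rid = int(rid_match.group("rid"))
        message = message[rid_match.end():]
    return Entry(
        timestamp=f"{m.group('date')} {m.group('time')}",
        component=m.group("component"),
        function=m.group("function"),
        level=int(m.group("level"), 16),
        rid=rid,
        message=message,
        from_backtrace=m.group("bt") is not None,
    )


def parse_log(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        for record in split_records(line):
            entry = parse_record(record)
            if entry is not None:
                entries.append(entry)
    return entries


def hbac_denials(entries: List[Entry]) -> List[Entry]:
    """Logins refused by the IPA HBAC evaluator because no rule matched the host."""
    return [e for e in entries
            if e.function == "ipa_pam_access_handler_done" and "denying access" in e.message]


def restart_count(entries: List[Entry]) -> int:
    """Backend start-ups (one per SSSD restart) seen in the log."""
    return sum(1 for e in entries if e.function == "server_setup")


# Constructed sample in the quoted format (not the poster's full log).
SAMPLE_LOG = """\
   *  (2023-05-04  6:30:59): [be[lab.local]] [sdap_get_generic_op_finished] (0x2000): [RID#16] Total count [0]
   *  (2023-05-04  6:30:59): [be[lab.local]] [ipa_hbac_rule_info_done] (0x0400): [RID#16] No rules apply to this host
   *  (2023-05-04  6:30:59): [be[lab.local]] [ipa_pam_access_handler_done] (0x0020): [RID#16] No HBAC rules found, denying access
********************** BACKTRACE DUMP ENDS HERE *********************************

(2023-05-04  6:39:00): [be[lab.local]] [orderly_shutdown] (0x3f7c0): SIGTERM: killing children
(2023-05-04  6:39:00): [be[lab.local]] [orderly_shutdown] (0x3f7c0): Shutting down (status = 0)(2023-05-04  6:39:00): [be[lab.local]] [server_setup] (0x3f7c0): Starting with debug level = 0x0070
"""

if __name__ == "__main__":
    for d in hbac_denials(parse_log(SAMPLE_LOG)):
        print(f"{d.timestamp} RID#{d.rid}: {d.message}")
```

Run it over the real file with `parse_log(open("/var/log/sssd/sssd_lab.local.log").read())`; a denial entry with `is_failure` set is the line that explains a refused login when the allow_all HBAC rule is disabled.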


[Freeipa-users] Re: Running 'sudo su' creates kerberos ticket for user on old IPA (4.6) not on new 4.10

2023-05-03 Thread Finn Fysj via FreeIPA-users
> Am Wed, May 03, 2023 at 12:00:16PM - schrieb Finn Fysj via FreeIPA-users:
> 
> Hi,
> 
> the behavior was changed due to
> https://bugzilla.redhat.com/show_bug.cgi?id=1879869
> https://github.com/SSSD/sssd/issues/5660
> 
> To switch back to the old behavior you can add
> 
> pam_response_filter=-ENV:KRB5CCNAME:sudo-i, -ENV:KRB5CCNAME:sudo
> 
> to the [pam] section in sssd.conf or as snippet in /etc/sssd.d/conf.d.
> 
> HTH
> 
> bye,
> Sumit
Not able to view this Sumit, but thanks.

You are not authorized to access bug #1879869.

Most likely the bug has been restricted for internal development processes and 
we cannot grant access.

If your role requires it then you may be able to use the self service Request 
Group Membership workflow to gain the permissions required to access this bug.

If you are a Red Hat customer with an active subscription, please visit the Red 
Hat Customer Portal for assistance with your issue

If you are a Fedora Project user and require assistance, please consider using 
one of the mailing lists we host for the Fedora Project.


[Freeipa-users] Running 'sudo su' creates kerberos ticket for user on old IPA (4.6) not on new 4.10

2023-05-03 Thread Finn Fysj via FreeIPA-users
I'm trying to set up a new IPA server and when I run 'sudo su' I get prompted for a 
password, which is fine.
However, when I successfully type my password on a RHEL7 instance running 
FreeIPA version 4.6 I get a kerberos ticket as the logged-in user in 
"root-mode", but when I do the same in the newer IPA instance I do not get any 
kerberos ticket when in root. 

How do I get kerberos ticket when I run 'sudo su'?


[Freeipa-users] Re: What's the proper way of creating HBAC/SUDO rules in a Primary/replica setup

2023-05-02 Thread Finn Fysj via FreeIPA-users
Yes, though I would expect the module to handle it the first time it is run.
Ok, so the go-to method would be: apply to the "master"; if the master is down, apply 
to the replicas. Fix the master and it will replicate from the replicas once it's 
up-and-running again?


[Freeipa-users] Re: Allow service '--servicecat=all' not visible in GUI

2023-05-02 Thread Finn Fysj via FreeIPA-users
> Finn Fysj via FreeIPA-users wrote:
> 
> Sooo...you see what I pointed to or not?
> 
> rob


Ah. Yes. I overlooked them. My bad, Rob!
Cheers!


[Freeipa-users] Re: Allow service '--servicecat=all' not visible in GUI

2023-05-01 Thread Finn Fysj via FreeIPA-users
$ ipa --version
VERSION: 4.10.0, API_VERSION: 2.251


[Freeipa-users] Allow service '--servicecat=all' not visible in GUI

2023-05-01 Thread Finn Fysj via FreeIPA-users
Hi,

I'm trying to set up new FreeIPA servers based on an old setup. I've only 
migrated users/groups to the new setup. 
I wasn't able to SSH into the new IPA server and after investigating it seemed 
some HBAC rules for the SSHD service weren't enabled. I've intentionally not 
migrated the previous HBAC rules.

On the old system the HBAC rules had been created using the 
'--servicecat=all' option, meaning I couldn't get any information from the 
HBAC rules looking in the GUI.
Why isn't this visible?


[Freeipa-users] AWS Loadbalancer 2 FreeIPA servers

2023-04-27 Thread Finn Fysj via FreeIPA-users
I'm aware that an almost identical thread exists 
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/STMGH64EOWIGSBFVY6ASMCHFZ3R3WN7O/#YOF35N26ZX4SFHE47VT45SNKKNGRFVEA)

However, in my case I'm only using FreeIPA as an LDAP server with GUI. I'm not 
using it as DNS nor as CA.

So, the only thing I should do is to generate certificates for the master, replica 
and the loadbalancer, right? (To avoid the issues described in the linked thread)
Where the certificates contain:
master: master fqdn and loadbalancer fqdn
replica: replica fqdn and loadbalancer fqdn
loadbalancer: master fqdn and replica fqdn.


Thank you for any clarification(s).


[Freeipa-users] Re: BrowserMatch MSIE

2023-04-27 Thread Finn Fysj via FreeIPA-users
Thanks. That makes perfect sense.


[Freeipa-users] BrowserMatch MSIE

2023-04-26 Thread Finn Fysj via FreeIPA-users
I see that /etc/httpd/conf.d/ssl.conf for my IPA instances includes the 
following lines:

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is sent or allowed to be received.  This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is sent and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0

Would it be a good security practice to remove this? E.g. "We do not accept MSIE 
2-5 clients".


[Freeipa-users] Re: Ansible FreeIPA Server + Replica

2023-04-17 Thread Finn Fysj via FreeIPA-users
I will take a look at the documentation. However, I don't really understand why 
it works as soon as I get it in a static inventory, as all of the machines 
(including controller) are using same DNS.


[Freeipa-users] Re: Ansible FreeIPA Server + Replica

2023-04-17 Thread Finn Fysj via FreeIPA-users
TYPO!


[Freeipa-users] Re: Ansible FreeIPA Server + Replica

2023-04-17 Thread Finn Fysj via FreeIPA-users
Maybe I'm mistaken, however:

Playbook:
- hosts:
    - master2.example.com
  roles:
    - role: freeipa.ansible_freeipa.ipaserver
      vars:
        ipaserver: "{{ inventory_hostname }}"
        ipaserver_hostname: "{{ inventory_hostname }}"
        ipadm_password: SuperSecret123
        ipaadmin_password: SuperSecret123
        ipaserver_ip_addresses: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}"
        ipaserver_domain: "example.com"
        ipaserver_realm: "EXAMPLE.COM"
        ipaserver_no_host_dns: true
        ipaserver_mem_check: true
        ipaserver_idstart: 6000
        ipaserver_setup_dns: false
        ipaserver_no_pkinit: true

- hosts:
    - master2.example.com
  become: true
  roles:
    - role: freeipa.ansible_freeipa.ipareplica
      vars:
        ipaservers: master1.example.com
        ipaserver_hostname: master1.example.com
        ipareplicas: master2.example.com
        ipareplica_domain: example.com
        ipaclient_force_join: true
        ipaadmin_principal: admin
        ipareplica_setup_dns: false


As mentioned, when running using a cloud dynamic inventory this playbook does 
not work; however, as previously mentioned, when creating a static inventory, 
it works:

[ipaservers]
master1.example.com

[ipareplicas]
master2.example.com


[Freeipa-users] Re: Ansible FreeIPA Server + Replica

2023-04-17 Thread Finn Fysj via FreeIPA-users
So... We're using dynamic-inventory... And when I tried creating a static 
inventory dividing my hosts into the groups [ipaserver] and [ipareplicas] this 
worked... Without using these groups specifically my vars got ignored..?


[Freeipa-users] Re: Ansible FreeIPA Server + Replica

2023-04-17 Thread Finn Fysj via FreeIPA-users
I tried to login into both IPA servers through web ui just to "test", and 
noticed this diff. Seems like "idstart" isn't replicated to the replica server?


[Freeipa-users] Re: Ansible FreeIPA Server + Replica

2023-04-17 Thread Finn Fysj via FreeIPA-users
Also... Is it required to have the IPA client installed on the replica?.. Would it 
still be considered a "master"?
I had to join manually, as I get the following error running the ipareplica role:

FAILED! => {"changed": false, "msg": "Unable to find IPA Server to join"}


MANUALLY JOIN: 
$ sudo ipa-client-install --domain=EXAMPLE.COM --realm=EXAMPLE.COM --server=master.example.com
This program will set up IPA client.
Version 4.10.0

Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always 
access the discovered server for all operations and will not fail over to other 
servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Do you want to configure chrony with NTP server or pool address? [no]:

The ipa-client-install command was successful


[Freeipa-users] Re: Ansible FreeIPA Server + Replica

2023-04-16 Thread Finn Fysj via FreeIPA-users
Yes, so I managed to successfully install the IPA server and replica using the two 
roles.
They're both masters?

I know the replica's configuration is based on the master, but one of my problems 
is that:
- I use idstart 6000 on my IPA server (master) and my replica does not follow 
this configuration, meaning when I try to create a user on both servers they 
start with different IDs. On the IPA server it'll have 6001 and on the replica it'll 
be 50001.


[Freeipa-users] Ansible FreeIPA Server + Replica

2023-04-14 Thread Finn Fysj via FreeIPA-users
Hi,

I'm new to FreeIPA and the ansible-freeipa collection.
I can successfully install an IPA server using the role ipaserver. However, I want 
to set up multi-master replication with failover.

As far as I know I need to install ipaserver on all of my masters/replicas 
and then the replica role?
How do the master nodes establish a relationship? Is this done using the IPA 
client?

It might seem weird, but my goal is to set up the IPA server purely as an LDAP 
server using an external CA.
This is because we want to have the ability to have a user interface like the 
web GUI.