Has anyone looked into using U2F with FreeIPA? My guess is you would need
a customized ssh client to interact with the device, but in theory you could
just transform the user's U2F public key into an ssh key.
Marc Boorshtein
CTO, Tremolo Security, Inc.
--
Manage your subscription for the Freeipa
As of yet I haven't tried using the JSON RPC with a CFT. FreeIPA is on its
own. I'll give it a try and if it doesn't work this will point me in the
right direction.
Thanks
On Sat, Mar 18, 2017 at 2:27 AM Alexander Bokovoy <aboko...@redhat.com>
wrote:
> On Fri, 17 Mar 2017, Marc B
I've got the api integrated for all local users and am looking at if
there are any differences between that and if my ipa domain is in a
CFT with an AD domain. Right now I'm using "group_add_member", should
that work for users coming from a trusted forest as well?
Thanks
Marc Boor
Not with Chrome.
>
> However customer is expecting the same on Chrome also.
>
> Any modifications can be done to avoid the pop-up?
>
> On Fri, Dec 30, 2016 at 10:05 PM, Marc Boorshtein <
> marc.boorsht...@tremolosecurity.com> wrote:
>
> it looks like you are using ch
browser end.
>
> Any suggestions ?
>
> Thanks and Regards,
> Abhinay Reddy.
--
Marc Boorshtein
-manager-for-red-hat-identity-management-and-freeipa/
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity
> Something declarative which can be version controlled and considered a
> "source of truth" and driven from configuration management (chef,
> puppet, ansible - whatever your flavor)
>
This is generally not done with a configuration management system
because it tends to be more dynamic. Usually
? Details:
CentOS 7 - CentOS Linux release 7.2.1511 (Core)
IPA - ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity
> I would like to know more about RBAC. like what is RBAC and what can be
> achieved with RBAC.
>
> Could anyone please share some good topics about this, as I am getting so many and
> the information mentioned in them is different.
I can imagine. RBAC (Role Based Access Control) was created on the
then just LDAP.
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity
On Fri, May 13, 2016 at 5:46 AM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Wed, 11 May 2016, Marc Boorshtein wrote:
>>
>> I've got
to the 389 backing IPA. Kerberos wouldn't work,
but if you're interested in password or ssh key based auth it should
work, right? Then you'd still get the HBAC benefits?
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity
> I'd also take a look at HBAC. Was the allow_all rule recently disabled?
>
winner winner chicken dinner! I must have deleted it while trying something.
Thanks
Marc
of if it's the IPA client or server. Login to the console
with IPA users fails as well. Local root works fine though. I don't
see anything in messages or sssd.log. Any thoughts as to where to
look?
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
Twitter
on - https://github.com/TremoloSecurity/OpenUnison
FreeIPA Provisioning Target - https://github.com/TremoloSecurity/Unison-FreeIPA
S4U2Self LastMile - https://github.com/TremoloSecurity/Unison-LastMile-Kerberos
Again, any feedback on the integration would be greatly appreciated!
Thanks
Marc Boorshtein
C
loud@AZURE.CLOUD
Mar 14 16:37:55 ipa krb5kdc[11351](info): ... PROTOCOL-TRANSITION
s4u-client=mmosley@AZURE.CLOUD
Mar 14 16:37:55 ipa krb5kdc[11351](info): TGS_REQ (4 etypes {18 17 16
23}) 10.1.0.6: BAD_ENCRYPTION_TYPE: authtime 0,
HTTP/openunison.azure.cloud@AZURE.CLOUD for
HTTP/ipaclient
in this
setup? It seems odd to run FreeIPA on a container for a server in its own
domain. My first thought is to have the FreeIPA servers running on their
own VMs.
Any insight would be appreciated.
Thanks
Marc
--
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
I do the same thing on most deployments. I usually just assign a large
random password to the service account.
Marc Boorshtein
CTO, Tremolo Security, Inc.
On Dec 11, 2015 12:15 PM, "Redmond, Stacy" <stacy.redm...@blueshieldca.com>
wrote:
> No, that does not even allow su – un
>
> Do you know if these options are generated by the installer or are those
> the ones included with the sssd generated file ?
>
I do not. I didn't set up any Kerberos configurations other than
running the IPA client install to join the domain.
> Would you mind filing a ticket? I think this
>
> Looking into krb5/src/util/profile/prof_get.c, the code that supports
> 'yes'/'no' (y,yes,1,true,t,on and n,no,nil,off,false) was added in 2000
> with the commit 97971c69b9389be08b7e9ffb742ca35f3706b3af (it was CVS at
> the time but the commit is traceable via git after import from SVN).
>
>
. Here's a link to the issue in OpenJDK:
https://bugs.openjdk.java.net/browse/JDK-8029995
Easy enough fix on my end, just changed the options in the krb5.conf file.
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
I did an upgrade yesterday and was still at 7.1, so I don't think 7.2
has been officially released.
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902
On Wed, Dec 2, 2015 at 1:57 PM, Oliver Dörr <oli...@doerr-privat.de> wrote:
> Hmm,
>
> I've m
reverse engineering the calls from the browser
to IPA Web. Looking at the API browser its clear that using batch
here is probably overkill. Based on the api browser I think I can do:
{
"method":"user_show",
"params":[
["myuser"],
{
"all":true,
&
>
> just use 'ipa -vv user-show ...' to see formatted JSON.
>
Excellent.
> Did you read my article?
> https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
>
>
I hadn't, but this is exactly what I'm looking for. Perfect, this
will help me clean up my implementation nicely.
>
> How do you acquire the user ticket ?
>
Using a keytab. Here's a link to the example code I'm using:
https://github.com/ymartin59/java-kerberos-sfudemo I have Java set to
use IPA as the DNS server and I'm passing in mmosley as the user to
impersonate and HTTP/freeipa.rhelent.lan as the
definition of the JSON so I can build a better mapping?
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
bExtraData:: AAIx3l1WYWRtaW4vYWRtaW5AUkhFTEVOVC5MQU4A
krbLastSuccessfulAuth: 20151201175200Z
Ticket flags clearly changed. Now to see if this works with ipa-web.
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902
On Tue, Dec 1, 2015 at 12:42 PM, Simo Sorce <s...@redhat.com> wrote
Got it. BTW, with that java 8 s4u2self works too. Thanks again for the help!
Marc Boorshtein
CTO, Tremolo Security, Inc.
On Dec 1, 2015 1:14 PM, "Simo Sorce" <s...@redhat.com> wrote:
> On Tue, 2015-12-01 at 12:55 -0500, Marc Boorshtein wrote:
> > I can now get a ticket!
What projects (including my own) don't need better docs? :-) Once I
publish the work I'm doing, part of that will have a step-by-step on
getting this set up. It was pretty easy really if you are comfortable
with LDAP.
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703
>
> IPA 4.2 has an experimental API browser in the GUI, IPA Server -> API
> browser.
>
Has 4.2 made it into CentOS 7 yet? Or only in Fedora?
Great. Doesn't look like it's made it into CentOS yet (still at 7.1).
OK, going to go ahead and get it running on Fedora 23.
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902
On Tue, Dec 1, 2015 at 1:42 PM, Rob Crittenden <rcrit...@redhat.com>
We actually tracked it down. The problem was the Authenticator was
missing the authenticatorkvno field per the RFC. Once we set that to
5 we got past this issue.
IPA 4.1 on CentOS7
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
On Mon, Nov 23, 2015 at 10:38
)
Is there a field missing?
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
0b91f4ef0157b2f9ac4c351023d3...
On the IPA server I get:
Oct 26 23:29:40 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (4
etypes {18 17 16 23}) 192.168.2.167: ISSUE: authtime 1445908277,
etypes {rep=18 tkt=18 ses=18},
HTTP/unison-freeipa.rhelent@rhelent.lan for
HTTP/unison-freeipa.rhe
>>
>> Looking at KrbKdcRep.java:73 it looks like the failure is happening
>> because java is setting the forwardable flag to true on the request
>> but the response has no options in it. Should the forwardable option
>> be false in the request?
>
>
> That's a fair guess.
> the whole point of
Thanks Simo. It wouldn't surprise me that Java's implementation is
wrong. The comments in the source even ask if it's necessary to check.
Thanks
Marc
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902
On Tue, Oct 27, 2015 at 4:12 PM, Simo Sorce <