Re: [Freeipa-users] Biasing which master clients talk to first
Steven Jones wrote:

> Hi,
>
> We have a master at our DR site which is further away than our 2 local masters. Is there a way (in DNS, say) that we could encourage clients to use the closer IPA masters?
>
> eg
>
>     host -t SRV _ldap._tcp.ods.vuw.ac.nz
>     _ldap._tcp.ods.vuw.ac.nz has SRV record 0 100 389 serveripa3
>     _ldap._tcp.ods.vuw.ac.nz has SRV record 0 100 389 serveripa2
>     _ldap._tcp.ods.vuw.ac.nz has SRV record 1 100 389 serveripa1
>
> ? or what would be the best way?

You're looking for DNS site support. IPA doesn't currently support this. For details see ticket https://fedorahosted.org/freeipa/ticket/2008

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
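What the priority and weight fields in those SRV records actually do to a client is the question underneath this thread. The following is an added example, written for this page and not code from the post or from FreeIPA: it parses the `host -t SRV` output quoted above and orders the records the way an RFC 2782 client does (lowest priority value first, weighted random draw within a priority). The `SrvRecord` type, the function names and the `rng` hook are this example's own; the three records are the ones from the post.

```python
"""RFC 2782 SRV selection, modelled on the records in the post above."""
import random
from dataclasses import dataclass

# Copied from the post: `host -t SRV _ldap._tcp.ods.vuw.ac.nz` output.
SAMPLE_HOST_OUTPUT = [
    "_ldap._tcp.ods.vuw.ac.nz has SRV record 0 100 389 serveripa3",
    "_ldap._tcp.ods.vuw.ac.nz has SRV record 0 100 389 serveripa2",
    "_ldap._tcp.ods.vuw.ac.nz has SRV record 1 100 389 serveripa1",
]


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_host_output(lines):
    """Parse `host -t SRV` lines of the form
    '<name> has SRV record <priority> <weight> <port> <target>'."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) == 8 and parts[1:4] == ["has", "SRV", "record"]:
            priority, weight, port = (int(x) for x in parts[4:7])
            records.append(SrvRecord(priority, weight, port, parts[7].rstrip(".")))
    return records


def order_srv(records, rng=random):
    """Return the records in the order an RFC 2782 client tries them:
    lowest priority value first; within one priority, a weighted random draw.
    `rng` only needs a randint(a, b) method, so a fixed one can be passed in."""
    ordered = []
    for priority in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == priority]
        # RFC 2782: weight-0 records go to the front so they are picked only
        # when the random number is 0 (a very small chance).
        pool.sort(key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for i, r in enumerate(pool):
                running += r.weight
                if running >= pick:
                    ordered.append(pool.pop(i))
                    break
    return ordered


def tiers(records):
    """Targets grouped by priority, so fallback-only masters are visible."""
    out = {}
    for r in sorted(records, key=lambda r: r.priority):
        out.setdefault(r.priority, []).append(r.target)
    return out


if __name__ == "__main__":
    recs = parse_host_output(SAMPLE_HOST_OUTPUT)
    print("priority tiers:", tiers(recs))
    for _ in range(3):
        print("client order:", [r.target for r in order_srv(recs)])
```

Run against the post's records, `tiers()` shows serveripa1 already sitting alone in priority 1, so an RFC 2782 client will only fall through to it after both priority-0 masters fail; weight then only decides the order among serveripa2 and serveripa3. The caveat Rob's answer implies is that a single zone gives every client, including the ones at the DR site, that same ordering, which is what DNS site support would change. The client-side alternative is to list preferred servers explicitly in the client's configuration (SSSD's `ipa_server` option in sssd.conf accepts an explicit list ahead of `_srv_`); that option is a fact about SSSD, not something the thread mentions.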
[Freeipa-users] migrating from OpenLDAP to freeIPA
Hi,

I am trying to migrate my database from OpenLDAP to freeIPA (ipa-server-3.0.0-37.el6.x86_64) but I get an error when freeIPA starts to import the group (all the users were imported without problem). This is the command that I am using for the import:

    ipa migrate-ds --with-compat --user-container=ou=People,dc=sample,dc=com --group-container=ou=Group,dc=sample,dc=com --bind-dn=cn=Manager,dc=sample,dc=com ldap://openldap.sample.com

    ipa: ERROR: group LDAP search did not return any result (search base: ou=Group,dc=sample,dc=com, objectclass: groupofuniquenames, groupofnames)

This is how a group looks in the openldap database:

    dn: cn=ftp,ou=Group,dc=sample,dc=com
    objectClass: posixGroup
    objectClass: top
    cn: ftp
    userPassword: {crypt}x
    gidNumber: 50

I tried migrating it without compat support and I got the same error. Any clue about this problem?

Thanks in advance!
Re: [Freeipa-users] Automembership not working
I don't believe that the attribute is an OU. Try performing:

    ipa group-show engineering --all --raw

I believe that your automember rule wants to be cn=^Engineering

You cannot hope to secure that which you do not first understand
~~~
Jr Aquino
Manager Operation Services, Infrastructure and Application Security
GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
GCIH | GIAC Certified Incident Handler
GWAPT | GIAC WebApp Penetration Tester
Citrix Systems, Inc | 7408 Hollister Avenue | Goleta, CA 93117
SaaS Division
T: +1 805.690.3478
jr.aqu...@citrix.com
http://www.citrix.com

On Apr 30, 2014, at 2:10 PM, Dimitar Georgievski mitk...@gmail.com wrote:

> Hi,
>
> I am trying to create rules to place users in given user groups based on the value of their ou (Organization Unit) field in their profiles. For some reason it is not working, and I am trying to understand why.
>
> The rule is very simple and looks like this:
>
>     ipa automember-find engineering
>     Grouping Type: group
>     ---------------
>     1 rules matched
>     ---------------
>       Description: Add automatically Engineering users to engineering User Group
>       Automember Rule: engineering
>       Inclusive Regex: ou=^Engineering
>
> With this rule in place I would expect all the new users with ou=Engineering to be automatically placed in the engineering user group.
>
> I am using FreeIPA v3.0.0 on CentOS 6.5
>
> Thanks
> Dimitar
Re: [Freeipa-users] migrating from OpenLDAP to freeIPA
cbul...@gmail.com wrote:

> Hi,
>
> I am trying to migrate my database from OpenLDAP to freeIPA (ipa-server-3.0.0-37.el6.x86_64) but I get an error when freeIPA starts to import the group (all the users were imported without problem). This is the command that I am using for the import:
>
>     ipa migrate-ds --with-compat --user-container=ou=People,dc=sample,dc=com --group-container=ou=Group,dc=sample,dc=com --bind-dn=cn=Manager,dc=sample,dc=com ldap://openldap.sample.com
>
>     ipa: ERROR: group LDAP search did not return any result (search base: ou=Group,dc=sample,dc=com, objectclass: groupofuniquenames, groupofnames)
>
> This is how a group looks in the openldap database:
>
>     dn: cn=ftp,ou=Group,dc=sample,dc=com
>     objectClass: posixGroup
>     objectClass: top
>     cn: ftp
>     userPassword: {crypt}x
>     gidNumber: 50
>
> I tried migrating it without compat support and I got the same error. Any clue about this problem?
>
> Thanks in advance!

We look for RFC2307(bis) groups with an objectclass of either groupOfUniqueNames or groupOfNames. How does your group have any members without one of these?

You should be able to pull these in with --groupobjectclass=posixgroup

rob
[Freeipa-users] sudo and NIS domain name
I just noticed that I had been incorrectly setting the NIS domain name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to be successfully retrieving and using sudo rules from FreeIPA. Is sudo still using NIS-style netgroups? Is there still a requirement to set the NIS domain name?
Re: [Freeipa-users] About OTP
On 04/30/2014 07:58 PM, Steven Jones wrote:

> Hi,
>
> We want to use 2FA tokens and can't because of a Kerberos issue. I assume if this hasn't been upgraded yet that you can't get the passthrough?

What is the issue you are facing?

For OTP to work you need the latest Kerberos. It is not in RHEL yet. RHEL7 will have the OTP foundation but we do not plan to support it until later. You can play with the latest bits in Fedora - they are pretty stable, though there are some known issues being worked on.

And please do not reuse the existing threads.

> I'll be interested to know if that is now not the case or at least an idea when it will be GA.
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University
> ITS, Level 8 Rankin Brown Building, Wellington, NZ 6012
> 0064 4 463 6272

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Integrating with Smart Cards
On 04/30/2014 06:45 PM, Leigh Moulder wrote:

> Hi all,
>
> I'm very new to FreeIPA, so I hope this isn't answered in documentation somewhere already. I'm working to get my infrastructure DIACAP approved, and part of this process includes unique user accounts with smart card integration. I was hoping that since FreeIPA utilizes Dogtag, I'd be able to use it for essentially everything, from LDAP, to certificate store, to smart card management. Unfortunately, the only references I was able to find were a handful of emails from a few years ago.
>
> I was wondering what the status of smart card integration was, and if it was completed yet. If so, where can I find the documentation to configure it? And if it's not currently in the works, does anyone know a viable solution? I'm currently running everything on RHEL 6.5, but would really rather stay away from their directory and certificate servers. Right now, I can't justify the price they're quoting me.

The short answer is: we do not have it yet, we want to build it but other things have been taking precedence so far. Are you willing to put a skin into the game and do some development? We can help you and guide you with what actually can be done short term and long term.

> Thanks in Advance,
> Leigh

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] sudo and NIS domain name
On 05/01/2014 04:07 PM, Dean Hunter wrote:

> I just noticed that I had been incorrectly setting the NIS domain name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to be successfully retrieving and using sudo rules from FreeIPA. Is sudo still using NIS-style netgroups? Is there still a requirement to set the NIS domain name?

I think NIS domain is needed for netgroups. If you are not using netgroups in the sudo rules but just user groups you should be fine. Is this the case with you? If not please provide the logs and config.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] migrating from OpenLDAP to freeIPA
Hi Rob,

Thanks so much for your help! Our openLDAP uses the memberuid attribute because we migrated the original database from a NIS server. Your tip worked great. Just let me correct a typo: --group-objectclass=posixgroup

Thanks again,
cbu

On 05/01/2014 11:58 AM, Rob Crittenden wrote:

> cbul...@gmail.com wrote:
>
> > Hi,
> >
> > I am trying to migrate my database from OpenLDAP to freeIPA (ipa-server-3.0.0-37.el6.x86_64) but I get an error when freeIPA starts to import the group (all the users were imported without problem). This is the command that I am using for the import:
> >
> >     ipa migrate-ds --with-compat --user-container=ou=People,dc=sample,dc=com --group-container=ou=Group,dc=sample,dc=com --bind-dn=cn=Manager,dc=sample,dc=com ldap://openldap.sample.com
> >
> >     ipa: ERROR: group LDAP search did not return any result (search base: ou=Group,dc=sample,dc=com, objectclass: groupofuniquenames, groupofnames)
> >
> > This is how a group looks in the openldap database:
> >
> >     dn: cn=ftp,ou=Group,dc=sample,dc=com
> >     objectClass: posixGroup
> >     objectClass: top
> >     cn: ftp
> >     userPassword: {crypt}x
> >     gidNumber: 50
> >
> > I tried migrating it without compat support and I got the same error. Any clue about this problem?
> >
> > Thanks in advance!
>
> We look for RFC2307(bis) groups with an objectclass of either groupOfUniqueNames or groupOfNames. How does your group have any members without one of these?
>
> You should be able to pull these in with --groupobjectclass=posixgroup
>
> rob
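The failure in this thread (and the fix, `--group-objectclass=posixgroup`) comes down to which objectClasses and membership attributes the source groups actually carry, which is worth knowing before the migration runs rather than from the error afterwards. The following is an added example for this page, not code from the thread or from FreeIPA: a small LDIF parser plus an audit that walks a group container export, reports each group's objectClasses and membership attribute, flags the things that matter for `migrate-ds`, and derives the objectClass values to pass. The `cn=ftp` entry is the one from the post; the `cn=wheel` and `cn=web-admins` entries and the `ou=Group` container are constructed to show the memberUid and groupOfNames cases. The finding texts are this example's wording, not migrate-ds output.

```python
"""Pre-migration audit of an OpenLDAP group container export (LDIF)."""
import base64
from collections import defaultdict

# Constructed sample: the ftp group is copied from the post; wheel and
# web-admins are made up to show the memberUid and groupOfNames cases.
SAMPLE_LDIF = """\
dn: ou=Group,dc=sample,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Group

dn: cn=ftp,ou=Group,dc=sample,dc=com
objectClass: posixGroup
objectClass: top
cn: ftp
userPassword: {crypt}x
gidNumber: 50

dn: cn=wheel,ou=Group,dc=sample,dc=com
objectClass: posixGroup
objectClass: top
cn: wheel
gidNumber: 10
memberUid: alice
memberUid: bob

dn: cn=web-admins,ou=Group,dc=sample,dc=com
objectClass: groupOfNames
objectClass: top
cn: web-admins
member: uid=alice,ou=People,dc=sample,dc=com
description:: d2ViIGFkbWlucw==
"""

RFC2307BIS_CLASSES = {"groupofnames", "groupofuniquenames"}
MEMBER_ATTRS = {"member", "uniquemember", "memberuid"}


def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attr_lowercase: [values]}).
    Handles folded lines (leading space) and base64 values ('attr:: ...')."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, dn, current = [], None, None
    for line in unfolded + [""]:          # sentinel flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, dict(current)))
            dn, current = None, None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            dn, current = value, defaultdict(list)
        elif current is not None:
            current[attr.lower()].append(value)
    return entries


def audit_groups(ldif_text):
    """Report every group entry with what migrate-ds will need to know."""
    report = []
    for dn, attrs in parse_ldif(ldif_text):
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if not classes & (RFC2307BIS_CLASSES | {"posixgroup"}):
            continue                       # container or other non-group entry
        findings = []
        if not classes & RFC2307BIS_CLASSES:
            findings.append("no groupOfNames/groupOfUniqueNames: the default "
                            "migrate-ds group search will not find it")
        if "memberuid" in attrs:
            findings.append("members listed by uid (memberUid), not by DN")
        if "userpassword" in attrs:
            findings.append("carries a userPassword (legacy group password); "
                            "review before migration")
        report.append({"dn": dn, "objectclasses": sorted(classes),
                       "member_attrs": sorted(a for a in MEMBER_ATTRS if a in attrs),
                       "findings": findings})
    return report


def suggest_group_objectclass(report):
    """objectClass values a migrate-ds run must search for to reach every group."""
    needed = set()
    for group in report:
        bis = set(group["objectclasses"]) & RFC2307BIS_CLASSES
        needed |= bis if bis else {"posixgroup"}
    return sorted(needed)


if __name__ == "__main__":
    audit = audit_groups(SAMPLE_LDIF)
    for group in audit:
        print(group["dn"], group["objectclasses"], group["member_attrs"])
        for finding in group["findings"]:
            print("   -", finding)
    print("--group-objectclass values:", suggest_group_objectclass(audit))
```

On the sample this reports that `cn=ftp` has no RFC2307bis class and carries a group password, that `cn=wheel` lists members by uid, and that the run needs both `groupofnames` and `posixgroup` as `--group-objectclass` values (the option is multi-valued in the IPA CLI, so pass each one). Run it on an `ldapsearch -LLL` export of the real group container before starting `migrate-ds`.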
Re: [Freeipa-users] sudo and NIS domain name
On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote:

> On 05/01/2014 04:07 PM, Dean Hunter wrote:
>
> > I just noticed that I had been incorrectly setting the NIS domain name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to be successfully retrieving and using sudo rules from FreeIPA. Is sudo still using NIS-style netgroups? Is there still a requirement to set the NIS domain name?
>
> I think NIS domain is needed for netgroups. If you are not using netgroups in the sudo rules but just user groups you should be fine. Is this the case with you? If not please provide the logs and config.

I am not aware of using netgroups, either the IPA object or any other kind. I just remember that when I was first configuring sudo to retrieve rules from IPA it would not work until I set nisdomainname in /etc/rc.d/rc.local. Here is the quote from section 14.4 of the manual:

    Even though sudo uses NIS-style netgroups, it is not necessary to have a NIS server installed. Netgroups require that a NIS domain be named in their configuration, so sudo requires that a NIS domain be named for netgroups. However, that NIS domain does not actually need to exist.

With Fedora 20 I can no longer find the emulation of rc.local that existed in Fedora 19. I did find fedora-domainname.service and started and enabled it but neglected to configure /etc/sysconfig/network. Yet IPA sudo rules appear to work.
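The reason a NIS domain name matters for netgroup-based sudo rules is that every netgroup member is a `(host,user,domain)` triple, and the domain field is compared against the client's NIS domain when the triple is evaluated. The following is an added example, not from the thread and not sudo's or SSSD's code: it implements the matching rules of glibc's innetgr(3) (a NULL argument matches any value, an empty triple field is a wildcard, otherwise fields must compare equal, nested netgroups are followed) over a constructed `/etc/netgroup`-style file whose triples carry a domain the way IPA-published netgroup triples do. The `sudo_host_rule_applies` wrapper is this example's own model of a sudoers host-netgroup check, and its treatment of an unset domain as NULL is an assumption the thread does not settle.

```python
"""innetgr(3)-style netgroup matching with explicit domain handling."""
import re

# Constructed sample in /etc/netgroup syntax. Triples are (host,user,domain);
# '-' is the usual "no value" marker and an empty field is a wildcard. The
# domain field is filled in the way IPA-published netgroup triples carry it.
SAMPLE_NETGROUP = """\
# hosts
web-hosts   (web1.example.test,-,example.test) (web2.example.test,-,example.test)
db-hosts    (db1.example.test,-,example.test)
all-hosts   web-hosts db-hosts
# users; the root triple deliberately leaves the domain empty (wildcard)
admins      (-,dean,example.test) (-,root,)
# a cycle, to show the recursion guard
loop-a      loop-b
loop-b      loop-a
"""

TRIPLE_RE = re.compile(r"\(([^,\s)]*),([^,\s)]*),([^,\s)]*)\)")


def parse_netgroup_file(text):
    """Map each netgroup name to (list of (host, user, domain), nested names)."""
    groups = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *members = line.split()
        triples, nested = [], []
        for member in members:
            match = TRIPLE_RE.fullmatch(member)
            if match:
                triples.append(match.groups())
            else:
                nested.append(member)
        groups[name] = (triples, nested)
    return groups


def _field_matches(triple_field, wanted):
    # innetgr(3): a NULL (None) query value matches anything, and so does an
    # empty field in the triple; otherwise the strings must be equal.
    if wanted is None or triple_field == "":
        return True
    return triple_field.lower() == wanted.lower()


def innetgr(groups, netgroup, host=None, user=None, domain=None, _seen=None):
    """True if (host, user, domain) is a member of `netgroup`, following nested
    netgroups and refusing to loop on cyclic definitions."""
    _seen = set() if _seen is None else _seen
    if netgroup in _seen or netgroup not in groups:
        return False
    _seen.add(netgroup)
    triples, nested = groups[netgroup]
    for h, u, d in triples:
        if _field_matches(h, host) and _field_matches(u, user) and _field_matches(d, domain):
            return True
    return any(innetgr(groups, n, host, user, domain, _seen) for n in nested)


def sudo_host_rule_applies(groups, rule_netgroup, client_host, nis_domain):
    """Model of a sudoers host-netgroup check: the client hostname is the host,
    the user is left NULL, and the client's NIS domain is the domain.
    ASSUMPTION (this example's, not established by the thread): an unset NIS
    domain is passed as NULL, i.e. as a wildcard."""
    return innetgr(groups, rule_netgroup, host=client_host, user=None,
                   domain=nis_domain or None)


if __name__ == "__main__":
    groups = parse_netgroup_file(SAMPLE_NETGROUP)
    for nis_domain in ("example.test", "", "wrong.test"):
        ok = sudo_host_rule_applies(groups, "web-hosts", "web1.example.test", nis_domain)
        print(f"nisdomainname={nis_domain!r:16} web-hosts rule applies: {ok}")
```

The three runs at the bottom are the three states this thread touches: the matching domain applies the rule, an unset domain still applies it under the NULL-as-wildcard assumption, and a wrongly set domain silently stops the rule from applying, which is the failure worth checking for with `domainname` on a client whose netgroup-based sudo rules have gone missing. Whether SSSD's sudo responder evaluates triples with exactly these semantics is not something the thread resolves.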