Re: [Freeipa-users] How grant access to userPassword for System Accounts

2015-10-27 Thread Petr Spacek
Hi John, let me add that preferred way is to convince your 'solution' to do it in a safe way. Also, FreeIPA does not store passwords in clear text so the userPassword attribute should show only hashes and not clear text. It depends on the 'solution' if it can deal with hashes or not. Have a nice

Re: [Freeipa-users] How grant access to userPassword for System Accounts

2015-10-27 Thread Alexander Bokovoy
On Mon, 26 Oct 2015, John Duino wrote: I am trying to hook our VoIP solution (sipxecs-based openUC) to our FreeIPA. But it appears that it wants to read-in the userPassword rather than just auth against the ldap. I know Directory Manager is the only account that has the ability to read

Re: [Freeipa-users] Cockpit with (Free)IPA admin users

2015-10-27 Thread Petr Spacek
On 20.10.2015 23:25, Martin Štefany wrote: > Hello, > > did anybody manage to get FreeIPA admin user (member of admins group, > full sudo access, etc.) to be also Cockpit user with administrative > privileges? I've already figured out that it's closely related to > Polkit, but since FreeIPA and

Re: [Freeipa-users] How grant access to userPassword for System Accounts

2015-10-27 Thread Alexander Bokovoy
On Tue, 27 Oct 2015, John Duino wrote: Hmmm seems I have been misinformed, then. And then why does it have a field for 'mapping' the password? Well, I think that's off-topic for the list. I'll dig more later today. My understanding is that sipxecs has several modes for verifying passwords when

Re: [Freeipa-users] FreeIPA and Samba4

2015-10-27 Thread Joshua Doll
On Tue, Oct 27, 2015 at 10:03 AM Troels Hansen wrote: > This might be related to the old thread > https://www.redhat.com/archives/freeipa-users/2015-January/msg00285.html > but on the other side not quite, and can't see that it has been > solved. > > I have been spending

Re: [Freeipa-users] How grant access to userPassword for System Accounts

2015-10-27 Thread John Duino
Hmmm seems I have been misinformed, then. And then why does it have a field for 'mapping' the password? Well, I think that's off-topic for the list. I'll dig more later today. -- John Duino - Original Message - From: "Alexander Bokovoy" To: "John Duino"

[Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-10-27 Thread Marc Boorshtein
All, I'm trying to create an S4u2self/proxy that will give me a ticket to log into ipa web. I have ipa installed on centos 7 and the client installed on centos 6. The client is written in Java (Java 8). When I try the following impersonation code: GSSManager manager =

Re: [Freeipa-users] Winsync

2015-10-27 Thread Alexander Bokovoy
On Tue, 27 Oct 2015, Tomas Babej wrote: On 10/27/2015 05:51 PM, Srdjan Dutina wrote: Hi! Hello Srdjan, Is syncing (winsync) users and passwords from MS Active Directory deprecated in FreeIPA 4.x? If not, is there some documentation on how to use it? Winsync synchronization is not

[Freeipa-users] Winsync

2015-10-27 Thread Srdjan Dutina
Hi! Is syncing (winsync) users and passwords from MS Active Directory deprecated in FreeIPA 4.x? If not, is there some documentation on how to use it? Additionally, when using FreeIPA - AD trust, is it possible for user from trusted domain to log on to FreeIPA web UI? Thanks! -- Manage your

Re: [Freeipa-users] Winsync

2015-10-27 Thread Tomas Babej
On 10/27/2015 05:51 PM, Srdjan Dutina wrote: > Hi! > Hello Srdjan, > Is syncing (winsync) users and passwords from MS Active Directory > deprecated in FreeIPA 4.x? > If not, is there some documentation on how to use it? > Winsync synchronization is not deprecated as of now, but we are

Re: [Freeipa-users] Winsync

2015-10-27 Thread Srdjan Dutina
Hi Aleksander and Tomas, thanks for quick responses! I find trust-based solution more advanced but also more complicated - two sites, one with FreeIPA and other with AD domain, limited communication from FreeIPA to AD site, FreeIPA not aware of AD sites, questionable use of RODCs and Kerberos

[Freeipa-users] Wrong time / constantly expired passwords

2015-10-27 Thread urgrue
Hi, On a new install, I'm being forced a password reset on every login. Not sure why but this doesn't look right: # date Tue Oct 27 21:02:57 CET 2015 # ipa user-status blah1 Last successful authentication: 2015-10-27T19:34:53Z Last failed authentication: 2015-10-27T19:34:20Z Time now:

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-10-27 Thread Simo Sorce
On 27/10/15 13:11, Marc Boorshtein wrote: All, I'm trying to create an S4u2self/proxy that will give me a ticket to log into ipa web. I have ipa installed on centos 7 and the client installed on centos 6. The client is written in Java (Java 8). When I try the following impersonation code:

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-10-27 Thread Marc Boorshtein
>> >> Looking at KrbKdcRep.java:73 it looks like the failure is happening >> because java is setting the forwardable flag to true on the request >> but the response has no options in it. Should the forwardable option >> be false in the request? > > > That's a fair guess. > the whole point of

Re: [Freeipa-users] Cockpit with (Free)IPA admin users

2015-10-27 Thread Martin Štefany
On St, 2015-10-21 at 09:32 +0200, Jakub Hrozek wrote: > On Tue, Oct 20, 2015 at 11:25:56PM +0200, Martin Štefany wrote: > > Hello, > > > > did anybody manage to get FreeIPA admin user (member of admins > > group, > > full sudo access, etc.) to be also Cockpit user with administrative > >

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-10-27 Thread Simo Sorce
On 27/10/15 15:43, Marc Boorshtein wrote: Looking at KrbKdcRep.java:73 it looks like the failure is happening because java is setting the forwardable flag to true on the request but the response has no options in it. Should the forwardable option be false in the request? That's a fair

Re: [Freeipa-users] Wrong time / constantly expired passwords

2015-10-27 Thread Rob Crittenden
urgrue wrote: > Hi, > On a new install, I'm being forced a password reset on every login. Not > sure why but this doesn't look right: > > # date > Tue Oct 27 21:02:57 CET 2015 > > # ipa user-status blah1 > > Last successful authentication: 2015-10-27T19:34:53Z > Last failed authentication:

Re: [Freeipa-users] Wrong time / constantly expired passwords

2015-10-27 Thread urgrue
Didn't realize it was GMT, so OK that's not the issue. Any suggestions on how to debug it? Everything looks OK, but passwords are just perma-expired at all times. On Tue, Oct 27, 2015, 21:45 Rob Crittenden wrote: > urgrue wrote: > > Hi, > > On a new install, I'm being

Re: [Freeipa-users] Cockpit with (Free)IPA admin users

2015-10-27 Thread Martin Štefany
On Ut, 2015-10-27 at 15:48 +0100, Petr Spacek wrote: > On 20.10.2015 23:25, Martin Štefany wrote: > > Hello, > > > > did anybody manage to get FreeIPA admin user (member of admins > > group, > > full sudo access, etc.) to be also Cockpit user with administrative > > privileges? I've already

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-10-27 Thread Marc Boorshtein
Thanks Simo. It wouldn't surprise me that java's implementation is wrong. The comments in the source even ask if it's necessary to check. Thanks Marc Marc Boorshtein CTO Tremolo Security marc.boorsht...@tremolosecurity.com (703) 828-4902 On Tue, Oct 27, 2015 at 4:12 PM, Simo Sorce

[Freeipa-users] anonymous LDAP attributes with IPA ipa-server-4.1

2015-10-27 Thread craig . linux
Hi, We have recently updated from IPA 3 to IPA 4.1 and one of the changes in security is what attributes are available for the anonymous LDAP queries. Does anyone know how to edit the anonymous LDAP settings so that the following are available? mail: cr...@example.com postalCode: 3000 street:

Re: [Freeipa-users] anonymous LDAP attributes with IPA ipa-server-4.1

2015-10-27 Thread Prashant Bapat
Making attributes anonymously readable is very simple. You need to look into RBAC and define the permissions/privileges you need. On 28 October 2015 at 08:02, wrote: > Hi, > > We have recently updated from IPA 3 to IPA 4.1 and one of the changes in > security is

Re: [Freeipa-users] anonymous LDAP attributes with IPA ipa-server-4.1

2015-10-27 Thread Prashant Bapat
Refer this doc https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#server-access-controls On 28 October 2015 at 11:11, Prashant Bapat wrote: > Making attributes anonymously

[Freeipa-users] FreeIPA and Samba4

2015-10-27 Thread Troels Hansen
This might be related to the old thread https://www.redhat.com/archives/freeipa-users/2015-January/msg00285.html but on the other side not quite, and can't see that it has been solved. I have been spending quite some time on this, but haven't been able to solve it yet. My problem is: