Re: [Freeipa-users] FreeIPA 2.1 - Authenticated LDAP search
I would recommend using Kerberos for authentication, i.e. parameter -Y GSSAPI. That always worked for me...

On 09/14/2011 08:59 PM, Dan Scott wrote:
> Hi,
>
> I'm trying to perform an authenticated LDAP search against a FreeIPA server (Fedora 15, freeipa-server-2.1.0-1.fc15.x86_64). When I run:
>
> [root@kelvin ~]# ldapsearch -D uid=guser,cn=users,cn=accounts,dc=example,dc=com -w 'guserpassword' -b cn=accounts,dc=example,dc=com -h kelvin.example.com -v uid=guser -ZZ -c -d1
>
> I receive the following error:
>
> ldap_start_tls: Connect error (-11)
> additional info: TLS error -8172:Unknown code ___f 20
>
> Full details shown in attachment. Can anyone help me figure out what I'm doing wrong?
>
> Thanks,
>
> Dan Scott
> http://danieljamesscott.org

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] [Fwd: RHN Errata Alert: ipa-client bug fix update]
I have received this errata for RHEL5, but not RHEL6. Has the issue been fixed in RHEL 6 as well?

Rgds,
Siggi

-----Original Message-----
From: Red Hat Network Alert [mailto:dev-n...@rhn.redhat.com]
Sent: 15. september 2011 09:58
To: Sigbjørn Lie
Subject: RHN Errata Alert: ipa-client bug fix update

Red Hat Network has determined that the following advisory is applicable to one or more of the systems you have registered:

Complete information about this errata can be found at the following location:
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=12202

Bug Fix Advisory - RHBA-2011:1290-1
--
Summary: ipa-client bug fix update

An updated ipa-client package that fixes one bug is now available for Red Hat Enterprise Linux 5.

Description:
IPA (Identity, Policy, Audit) is an integrated solution to provide centrally managed identity, that is, machine, user, virtual machines, groups, and authentication credentials. The ipa-client package provides a tool to enroll a machine to an IPA version 2 server.

This update fixes the following bug:

* Prior to this update, GSSAPI credential delegation was disabled in the curl utility due to a security issue. As a result, applications that rely on delegation did not work properly. This update utilizes a new constructor argument in the xmlrpc-c client API to set the new CURLOPT_GSSAPI_DELEGATION curl option. This option enables the credential delegation, thus fixing this bug. (BZ#736658)

Users of ipa-client are advised to upgrade to this updated package, which fixes this bug.
Re: [Freeipa-users] FreeIPA 2.1 - Authenticated LDAP search
Yes, I'd rather do that, but I'm trying to authenticate a Java web application using the Glassfish application server. Glassfish has LDAP authentication built in; I'd have to write a Kerberos login module myself.

Dan

On Thu, Sep 15, 2011 at 03:28, Ondrej Valousek ondr...@s3group.cz wrote:
> I would recommend using Kerberos for authentication, i.e. parameter -Y GSSAPI. That always worked for me...
Re: [Freeipa-users] [Fwd: RHN Errata Alert: ipa-client bug fix update]
Sigbjorn Lie wrote:
> I have received this errata for RHEL5, but not RHEL6. Has the issue been fixed in RHEL 6 as well?

It is going through testing now, I can't provide an ETA.

rob
Re: [Freeipa-users] [Fwd: RHN Errata Alert: ipa-client bug fix update]
----- Original Message -----
> ----- Original Message -----
>> Sigbjorn Lie wrote:
>>> I have received this errata for RHEL5, but not RHEL6. Has the issue been fixed in RHEL 6 as well?
>>>
>>> Rgds,
>>> Siggi
>>
>> It is going through testing now, I can't provide an ETA.
>>
>> rob
>
> It has finished testing and has been pushed live. It should be available soon!

Sorry, I was mistaken; it is still being tested, but we are hoping to push the fix today. So stay tuned.

Thanks
Jenny

--
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

Jenny Galipeau jgali...@redhat.com
Principal Software QA Engineer
Red Hat, Inc. Security Engineering
[Freeipa-users] Add user - custom script
Hi,

Is there a custom script hook for when a user account is added using either the cli, webui, or the winsync module? I have a custom script I run when creating a user account, and having this run automatically by IPA would make my life a lot easier.

Regards,
Siggi
Re: [Freeipa-users] Add user - custom script
On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
> Hi,
>
> Is there a custom script hook for when a user account is added using either the cli, webui, or the winsync module? I have a custom script I run when creating a user account, and having this run automatically by IPA would make my life a lot easier.

Can you describe what kind of operations you need to do? Have you looked at the automembership plugin?

> Regards,
> Siggi

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
[Freeipa-users] Installation failed at configuring CA
So here's the steps I took to reproduce this (which I've done a few times now to make sure I didn't botch something up):

- fresh install of F15
- fully updated from the main repos
- install freeipa-server using the updates-testing repo
- set SELinux to permissive (due to previous conversations about selinux stopping the ldap server from restarting)
- ran ipa-server-install

It dies at this stage:

Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
root: CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa.domain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-1oSAYI -client_certdb_pwd '' -preop_pin JBpIwvNsi8efrsbebjVK -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password '' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=DOMAIN.COM -ldap_host ipa.domain.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password '' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd '' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=DOMAIN.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=DOMAIN.COM -ca_server_cert_subject_name CN=ipa.domain.com,O=DOMAIN.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=DOMAIN.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=DOMAIN.COM -external false -clone false' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
Configuration of CA failed

Attached is the last bit of the install log.

--
Matthew Davis

RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER: Date: Thu, 15 Sep 2011 19:55:08 GMT
RESPONSE HEADER: Connection: close
ERROR: unable to parse xml
Re: [Freeipa-users] Installation failed at configuring CA
Matthew Davis wrote:
> It dies at this stage:
>
> [3/17]: configuring certificate server instance
> root: CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA ... -bind_dn cn=Directory Manager -bind_password '' ... -external false -clone false' returned non-zero exit status 255
> Unexpected error - see ipaserver-install.log for details:
> Configuration of CA failed

Are you using a Directory Manager password with special characters in it?

The password ends up getting passed through the shell and some things that require escaping aren't escaped by either us, dogtag or both. We're investigating that now.

rob
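The failure Rob describes, as an added Python example that is not FreeIPA or Dogtag code: a constructed Directory Manager password is handed to /bin/sh the way a naive installer builds its command line, then the way a careful one should, and each helper reports what the child process actually received. The helper names and the sample password are ours.

```python
import shlex
import subprocess
from typing import Optional

# Constructed sample secret, not a real credential. It deliberately
# contains the three characters that break naive shell interpolation:
# a single quote, a dollar sign and a space.
DM_PASSWORD = "Dir'Manager$Pa55 w0rd"

# Minimal environment so "$Pa55" is guaranteed to be unset in the child.
SH_ENV = {"PATH": "/usr/bin:/bin"}


def naive_single_quoted(secret: str) -> str:
    """Fragile: wrap the secret in single quotes by string formatting.
    A quote inside the secret ends the quoting early."""
    return "'%s'" % secret


def naive_double_quoted(secret: str) -> str:
    """Fragile: double quotes keep spaces together but still let the
    shell expand $names, so the secret is silently altered."""
    return '"%s"' % secret


def safely_quoted(secret: str) -> str:
    """Correct when a shell string is unavoidable: shlex.quote() yields
    one token the shell hands over byte for byte."""
    return shlex.quote(secret)


def shell_roundtrip(token: str) -> Optional[str]:
    """Ask sh to print the token back. Returns what the program would
    have received, or None if sh rejected the command line outright
    (the 'returned non-zero exit status' case from the thread)."""
    proc = subprocess.run(["sh", "-c", 'printf "%s" ' + token],
                          capture_output=True, text=True, env=SH_ENV)
    if proc.returncode != 0:
        return None
    return proc.stdout


def run_without_interpolation(secret: str) -> str:
    """Preferred fix: never splice the secret into shell syntax. Pass it
    as its own argv element; here sh reads it as the positional "$1"."""
    proc = subprocess.run(["sh", "-c", 'printf "%s" "$1"', "sh", secret],
                          capture_output=True, text=True, env=SH_ENV,
                          check=True)
    return proc.stdout


def audit_quoting(secret: str) -> dict:
    """Summarise which approaches deliver the secret intact."""
    return {
        "single_quoted": shell_roundtrip(naive_single_quoted(secret)) == secret,
        "double_quoted": shell_roundtrip(naive_double_quoted(secret)) == secret,
        "shlex_quote": shell_roundtrip(safely_quoted(secret)) == secret,
        "argv": run_without_interpolation(secret) == secret,
    }


if __name__ == "__main__":
    for approach, intact in audit_quoting(DM_PASSWORD).items():
        print(f"{approach:14s} secret intact: {intact}")
```

The first two approaches fail in different ways: the single-quoted form makes sh reject the command line, while the double-quoted form runs but expands "$Pa55" to nothing, so the CA would be configured with a password nobody knows.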
Re: [Freeipa-users] Add user - custom script
On 09/15/2011 09:59 PM, Dmitri Pal wrote:
> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
>> Is there a custom script hook for when a user account is added using either the cli, webui, or the winsync module? I have a custom script I run when creating a user account, and having this run automatically by IPA would make my life a lot easier.
>
> Can you describe what kind of operations you need to do? Have you looked at the automembership plugin?

I'm doing an SSH login onto a filer, creating a home folder ZFS dataset for the new user, setting quota and ACL on the newly created dataset, and adding files from a skeleton folder into the home folder.
Re: [Freeipa-users] Installation failed at configuring CA
On Thu, Sep 15, 2011 at 4:10 PM, Rob Crittenden rcrit...@redhat.com wrote:
> Are you using a Directory Manager password with special characters in it?
>
> The password ends up getting passed through the shell and some things that require escaping aren't escaped by either us, dogtag or both. We're investigating that now.

Ah, yes, there is a in there and a few other special chars. Thanks. I'll test again w/o them.

--
Matthew Davis
Re: [Freeipa-users] Installation failed at configuring CA
On Thu, Sep 15, 2011 at 4:47 PM, Matthew Davis matt...@familycampground.org wrote:
> On Thu, Sep 15, 2011 at 4:10 PM, Rob Crittenden rcrit...@redhat.com wrote:
>> Are you using a Directory Manager password with special characters in it?
>>
>> The password ends up getting passed through the shell and some things that require escaping aren't escaped by either us, dogtag or both. We're investigating that now.
>
> Ah, yes, there is a in there and a few other special chars. Thanks. I'll test again w/o them.

Thanks Rob, that did it. Need me to file a bug so this doesn't get lost?

--
Matthew Davis
http://familycampground.org/matthew/
Re: [Freeipa-users] Installation failed at configuring CA
Matthew Davis wrote:
> On Thu, Sep 15, 2011 at 4:47 PM, Matthew Davis matt...@familycampground.org wrote:
>> Ah, yes, there is a in there and a few other special chars. Thanks. I'll test again w/o them.
>
> Thanks Rob, that did it. Need me to file a bug so this doesn't get lost?

We have an upstream ticket opened on it if you want to add any details (like what characters were blowing up), https://fedorahosted.org/freeipa/ticket/1636

rob
Re: [Freeipa-users] Windows client logon
I'm still working on this... I was reading this post in the archives:
http://www.mail-archive.com/freeipa-users@redhat.com/msg02049.html

Dmitri's statement "There might be some MIT documentation about how to join a Windows machine to MIT KDC. If this can be done I am sure the same can be done with IPA." should be true, but for the windows system to use authentication I have to be able to set the host password in Kerberos. There doesn't seem to be a way to do that in the FreeIPA interface. I would normally do that in kadmin if working directly in kerberos, but that's not possible either.

*IS* there a way to set the host password so that machines can provide user authentication for a windows client?
Re: [Freeipa-users] Windows client logon
On Thu, 2011-09-15 at 17:51 -0400, Jimmy wrote:
> Dmitri's statement "There might be some MIT documentation about how to join a Windows machine to MIT KDC. If this can be done I am sure the same can be done with IPA." should be true, but for the windows system to use authentication I have to be able to set the host password in Kerberos. There doesn't seem to be a way to do that in the FreeIPA interface. I would normally do that in kadmin if working directly in kerberos, but that's not possible either.
>
> *IS* there a way to set the host password so that machines can provide user authentication for a windows client?

Use ipa-getkeytab with the -P option to specify a 'password' to use to generate the keys instead of letting it generate a random password.

Simo.

--
Simo Sorce * Red Hat, Inc * New York