Re: [Freeipa-users] passwd sync

2012-03-27 Thread Simo Sorce
On Tue, 2012-03-27 at 19:40 -0600, Rich Megginson wrote:
> On 03/27/2012 07:36 PM, Steven Jones wrote:
> > Hi
> >
> > Until we collapse the domains into one we will have a one way sync for 
> > staff only...  I assume because a student does not exist if staff then 
> > there will be no sync...they will simply have a linux/IPA password.
> >
> > I don't need anything to go from IPA to AD, it's all AD to IPA or manually 
> > created in IPA which stays there.
> ok - then you can just use the oneWaySync feature of 389.
> >
> > "What exactly are you trying to do?  Defeat password sync for"   -  Turn 
> > off password policy for everyone. Policy will be controlled by AD or 
> > Psync..so the password should come through from AD via passsync with the 
> > complexity we want..
> Not sure how you do that with IPA

passsync uses a user to save passwords in IPA; all you need to do is to
make sure that user is one of the passsync managers. When you do that,
the password policy is not enforced at all and the password is taken in as
is, w/o any check.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] passwd sync

2012-03-27 Thread Rich Megginson

On 03/27/2012 07:36 PM, Steven Jones wrote:

Hi

Until we collapse the domains into one we will have a one way sync for staff 
only...  I assume because a student does not exist if staff then there will be 
no sync...they will simply have a linux/IPA password.

I don't need anything to go from IPA to AD, it's all AD to IPA or manually 
created in IPA which stays there.

ok - then you can just use the oneWaySync feature of 389.


"What exactly are you trying to do?  Defeat password sync for"   -  Turn off 
password policy for everyone. Policy will be controlled by AD or Psync..so the password 
should come through from AD via passsync with the complexity we want..

Not sure how you do that with IPA


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, 28 March 2012 1:54 p.m.
To: d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] passwd sync

On 03/27/2012 05:01 PM, Dmitri Pal wrote:

On 03/27/2012 06:24 PM, Steven Jones wrote:

Hi,

We want to do a one way password sync from AD to IPA for staff but not students 
as they are a different AD domain,

can we do a one way sync?

Yes

one way sync for everything or one way sync for everything except
student passwords?  the former is easy, the latter is not possible afaik

Oh wait, also while I can only do one winsync to one AD domain, can I do a 
password sync from 2 ADs to one IPA domain?

No. One Domain.
IPA can sync only from one AD domain. And it can't sync users back (DS can).

ipa winsync cannot add users added to IPA to AD - you'll have to add
those manually to AD, then they will be in sync for modify operations.

7.4.3 talks about every password change wanting a reset.

Yes, because you need to capture passwords and create hashes in LDAP; for
that, passwords need to be reset and passsync needs to be put on the AD
to capture the changes.
This is ugly; this is why we are spending so much time and effort on building
trusts so that IPA can just accept AD tickets without any sync.

+1

So is there a way to disable this for all or some groups of users?

I assume passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=etc

could be,

   uid=*,cn=staff,cn=accounts,dc=etc..

I will leave to Rich to explain this

It cannot be a wildcard:
  if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
      pwdata.changetype = IPA_CHANGETYPE_DSMGR;
      break;
  }
but it is multivalued.


What exactly are you trying to do?  Defeat password sync for

uid=*,cn=staff,cn=accounts,dc=etc ?  Because I don't think passSyncManagersDNs 
is what you want for that, unless I'm mistaken.


?

Since I'm setting the password complexity in AD and Psync I assume that I simply 
do not want any policy for most users...but I still will need a global for 
users who are not in AD.

Correct

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 28 March 2012 11:16 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] passwd sync

Steven Jones wrote:

Section 7.4.2 on password sync calls for a download of a
PassSync.msi...I cannot locate this...so your doc needs updating I think.

For the 7.4.2 number 4 point 2 I see uid=passync cn=systemaccounts
cn=etc, then the dc= usual bits

I assume the two cn='s are "standard"?

It isn't incorrect, if that is what you are asking. cn is a multi-valued
attribute.


number 4 point 4 ou=People,dc=example,dc=com is a "standard"?

It is merely an example. I think the default location for AD users is
ou=Users.


So in my case it would simply be ou=People,dc=ods,dc=vuw,dc=ac,dc=nz

You'd want to check with your AD administrator(s).

rob



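The check discussed in this message and in Simo's reply at the top of the thread, as an added example rather than FreeIPA's own code: a small Python model of the bind-DN comparison Rich quoted (a whole-string, case-insensitive compare against each passSyncManagersDNs value, so a "uid=*" entry is just a literal that never matches a real bind DN) together with Simo's point that a matching manager's password write skips the policy entirely. It also builds the LDIF for adding several manager DNs, since the attribute is multivalued. The plugin entry DN cn=ipa_pwd_extop,cn=plugins,cn=config and the uid=passsync,cn=sysaccounts,cn=etc account DN are assumptions taken from the IPA documentation layout, not values from this thread, and the minimum-length check stands in for the real IPA password policy.

```python
"""Model of the passSyncManagersDNs check discussed in this thread.

Added example, not FreeIPA code. It mirrors the strcasecmp() loop quoted
above: the DN that binds to change a password is compared case-insensitively,
as a whole string, against each value of passSyncManagersDNs. A match means
the change is treated as coming from a password-sync manager and the IPA
password policy is skipped; no match means the policy applies.
"""
from typing import Iterable, List, Tuple

# Assumed plugin entry carrying the multivalued passSyncManagersDNs attribute
# (layout as in the IPA guide; not taken from this thread).
PLUGIN_DN = "cn=ipa_pwd_extop,cn=plugins,cn=config"

# Constructed sample configuration: two manager DNs, since the attribute
# is multivalued. The passsync account DN is an assumption.
MANAGERS: List[str] = [
    "uid=admin,cn=users,cn=accounts,dc=example,dc=com",
    "uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com",
]


def is_passsync_manager(bind_dn: str, managers: Iterable[str]) -> bool:
    """Exact, case-insensitive whole-string match, like strcasecmp().

    There is no pattern matching: a configured value such as
    'uid=*,cn=staff,cn=accounts,dc=example,dc=com' is a literal string
    that no real bind DN will ever equal.
    """
    return any(bind_dn.lower() == manager.lower() for manager in managers)


def accept_password(bind_dn: str, new_password: str,
                    managers: Iterable[str], min_length: int = 8) -> Tuple[bool, str]:
    """Decide whether a password change is accepted.

    A sync manager's write is stored as-is without any check; anyone else's
    goes through a policy check (a minimum length stands in for the real
    IPA policy in this model).
    """
    if is_passsync_manager(bind_dn, managers):
        return True, "passsync manager: policy not enforced"
    if len(new_password) < min_length:
        return False, f"policy: password shorter than {min_length} characters"
    return True, "policy: ok"


def ldif_add_managers(manager_dns: Iterable[str], plugin_dn: str = PLUGIN_DN) -> str:
    """Build the LDIF that adds manager DNs to the plugin entry, one value per line."""
    lines = [f"dn: {plugin_dn}", "changetype: modify", "add: passSyncManagersDNs"]
    lines += [f"passSyncManagersDNs: {dn}" for dn in manager_dns]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(ldif_add_managers(MANAGERS))
    for who in ("UID=PassSync,CN=sysaccounts,cn=etc,dc=example,dc=com",
                "uid=jdoe,cn=users,cn=accounts,dc=example,dc=com"):
        print(who, accept_password(who, "abc", MANAGERS))
```

Because a listed manager bypasses the policy completely, the DN should belong to a dedicated sync account with a strong credential rather than a general admin, and it has to be listed exactly as the server presents that account's bind DN; a value that differs in anything other than case silently falls back to the policy path.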


Re: [Freeipa-users] passwd sync

2012-03-27 Thread Steven Jones
Hi

Until we collapse the domains into one we will have a one way sync for staff 
only...  I assume because a student does not exist if staff then there will be 
no sync...they will simply have a linux/IPA password.

I don't need anything to go from IPA to AD, it's all AD to IPA or manually 
created in IPA which stays there.

"What exactly are you trying to do?  Defeat password sync for"   -  Turn off 
password policy for everyone. Policy will be controlled by AD or Psync..so the 
password should come through from AD via passsync with the complexity we 
want..

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, 28 March 2012 1:54 p.m.
To: d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] passwd sync

On 03/27/2012 05:01 PM, Dmitri Pal wrote:
> On 03/27/2012 06:24 PM, Steven Jones wrote:
>> Hi,
>>
>> We want to do a one way password sync from AD to IPA for staff but not 
>> students as they are a different AD domain,
>>
>> can we do a one way sync?
> Yes
one way sync for everything or one way sync for everything except
student passwords?  the former is easy, the latter is not possible afaik
>
>> Oh wait, also while I can only do one winsync to one AD domain, can I do a 
>> password sync from 2 ADs to one IPA domain?
> No. One Domain.
> IPA can sync only from one AD domain. And it can't sync users back (DS can).
ipa winsync cannot add users added to IPA to AD - you'll have to add
those manually to AD, then they will be in sync for modify operations.
>
>> 7.4.3 talks about every password change wanting a reset.
> Yes, because you need to capture passwords and create hashes in LDAP; for
> that, passwords need to be reset and passsync needs to be put on the AD
> to capture the changes.
> This is ugly; this is why we are spending so much time and effort on building
> trusts so that IPA can just accept AD tickets without any sync.
+1
>
>> So is there a way to disable this for all or some groups of users?
>>
>> I assume passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=etc
>>
>> could be,
>>
>>   uid=*,cn=staff,cn=accounts,dc=etc..
> I will leave to Rich to explain this
It cannot be a wildcard:
  if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
      pwdata.changetype = IPA_CHANGETYPE_DSMGR;
      break;
  }
but it is multivalued.


What exactly are you trying to do?  Defeat password sync for

uid=*,cn=staff,cn=accounts,dc=etc ?  Because I don't think passSyncManagersDNs 
is what you want for that, unless I'm mistaken.

>
>> ?
>>
>> Since I'm setting the password complexity in AD and Psync I assume that I 
>> simply do not want any policy for most users...but I still will need a 
>> global for users who are not in AD.
> Correct
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> 
>> From: Rob Crittenden [rcrit...@redhat.com]
>> Sent: Wednesday, 28 March 2012 11:16 a.m.
>> To: Steven Jones
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] passwd sync
>>
>> Steven Jones wrote:
>>> Section 7.4.2 on password sync calls for a download of a
>>> PassSync.msi...I cannot locate this...so your doc needs updating I think.
>>>
>>> For the 7.4.2 number 4 point 2 I see uid=passync cn=systemaccounts
>>> cn=etc, then the dc= usual bits
>>>
>>> I assume the two cn='s are "standard"?
>> It isn't incorrect, if that is what you are asking. cn is a multi-valued
>> attribute.
>>
>>> number 4 point 4 ou=People,dc=example,dc=com is a "standard"?
>> It is merely an example. I think the default location for AD users is
>> ou=Users.
>>
>>> So in my case it would simply be ou=People,dc=ods,dc=vuw,dc=ac,dc=nz
>> You'd want to check with your AD administrator(s).
>>
>> rob
>>
>> ___
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>



Re: [Freeipa-users] passwd sync

2012-03-27 Thread Rich Megginson

On 03/27/2012 05:01 PM, Dmitri Pal wrote:

On 03/27/2012 06:24 PM, Steven Jones wrote:

Hi,

We want to do a one way password sync from AD to IPA for staff but not students 
as they are a different AD domain,

can we do a one way sync?

Yes
one way sync for everything or one way sync for everything except 
student passwords?  the former is easy, the latter is not possible afaik



Oh wait, also while I can only do one winsync to one AD domain, can I do a 
password sync from 2 ADs to one IPA domain?

No. One Domain.
IPA can sync only from one AD domain. And it can't sync users back (DS can).
ipa winsync cannot add users added to IPA to AD - you'll have to add 
those manually to AD, then they will be in sync for modify operations.



7.4.3 talks about every password change wanting a reset.

Yes, because you need to capture passwords and create hashes in LDAP; for
that, passwords need to be reset and passsync needs to be put on the AD
to capture the changes.
This is ugly; this is why we are spending so much time and effort on building
trusts so that IPA can just accept AD tickets without any sync.

+1



So is there a way to disable this for all or some groups of users?

I assume passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=etc

could be,

  uid=*,cn=staff,cn=accounts,dc=etc..

I will leave to Rich to explain this

It cannot be a wildcard:
  if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
      pwdata.changetype = IPA_CHANGETYPE_DSMGR;
      break;
  }
but it is multivalued.


What exactly are you trying to do?  Defeat password sync for

uid=*,cn=staff,cn=accounts,dc=etc ?  Because I don't think passSyncManagersDNs 
is what you want for that, unless I'm mistaken.




?

Since I'm setting the password complexity in AD and Psync I assume that I simply 
do not want any policy for most users...but I still will need a global for 
users who are not in AD.

Correct

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 28 March 2012 11:16 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] passwd sync

Steven Jones wrote:

Section 7.4.2 on password sync calls for a download of a
PassSync.msi...I cannot locate this...so your doc needs updating I think.

For the 7.4.2 number 4 point 2 I see uid=passync cn=systemaccounts
cn=etc, then the dc= usual bits

I assume the two cn='s are "standard"?

It isn't incorrect, if that is what you are asking. cn is a multi-valued
attribute.


number 4 point 4 ou=People,dc=example,dc=com is a "standard"?

It is merely an example. I think the default location for AD users is
ou=Users.


So in my case it would simply be ou=People,dc=ods,dc=vuw,dc=ac,dc=nz

You'd want to check with your AD administrator(s).

rob



Re: [Freeipa-users] Trying to get my head around Delegating admin permissions and groups

2012-03-27 Thread Steven Jones
8><

Things you can't easily do are things like "Create a desktop user". You
can't easily do this because the group membership is assigned later.

8><

yep, that's OK I think..Users will be created by our useradmins initially, 
in AD and then IPA if there is a need for a UID/linux login.  

Later after I have a one way passsync working I will do a one way winsync 
agreement such that when the useradmin creates the user in the provisioning 
system which in turn injects it into AD that is automatically transmitted to 
IPA.  At that point I would want the desktop admin or useradmin to assign that 
user to group(s).

At least this is how I think we will be working, hopefully that makes sense.

regards



Re: [Freeipa-users] passwd sync

2012-03-27 Thread Dmitri Pal
On 03/27/2012 06:24 PM, Steven Jones wrote:
> Hi,
>
> We want to do a one way password sync from AD to IPA for staff but not 
> students as they are a different AD domain, 
>
> can we do a one way sync?

Yes

> Oh wait, also while I can only do one winsync to one AD domain, can I do a 
> password sync from 2 ADs to one IPA domain?

No. One Domain.
IPA can sync only from one AD domain. And it can't sync users back (DS can).

> 7.4.3 talks about every password change wanting a reset.

Yes, because you need to capture passwords and create hashes in LDAP; for
that, passwords need to be reset and passsync needs to be put on the AD
to capture the changes.
This is ugly; this is why we are spending so much time and effort on building
trusts so that IPA can just accept AD tickets without any sync.

> So is there a way to disable this for all or some groups of users?  
>
> I assume passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=etc
>
> could be,
>
>  uid=*,cn=staff,cn=accounts,dc=etc..

I will leave to Rich to explain this

> ?
>
> Since I'm setting the password complexity in AD and Psync I assume that I 
> simply do not want any policy for most users...but I still will need a 
> global for users who are not in AD.

Correct
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> 
> From: Rob Crittenden [rcrit...@redhat.com]
> Sent: Wednesday, 28 March 2012 11:16 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] passwd sync
>
> Steven Jones wrote:
>> Section 7.4.2 on password sync calls for a download of a
>> PassSync.msi...I cannot locate thisso your doc needs updating I think.
>>
>> For the 7.4.2 number 4 point 2 I see uid=passync cn=systemaccounts
>> cn=etc, then the dc= usual bits
>>
>> I assume the two cn='s are "standard"?
> It isn't incorrect, if that is what you are asking. cn is a multi-valued
> attribute.
>
>> number 4 point 4 ou=People,dc=example,dc=com is a "standard"?
> It is merely an example. I think the default location for AD users is
> ou=Users.
>
>> So in my case it would simply be ou=People,dc=ods,dc=vuw,dc=ac,dc=nz
> You'd want to check with your AD administrator(s).
>
> rob
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] passwd sync

2012-03-27 Thread Steven Jones
Hi,

We want to do a one way password sync from AD to IPA for staff but not students 
as they are a different AD domain, 

can we do a one way sync?

Oh wait, also while I can only do one winsync to one AD domain, can I do a 
password sync from 2 ADs to one IPA domain?

7.4.3 talks about every password change wanting a reset.

So is there a way to disable this for all or some groups of users?  

I assume passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=etc

could be,

 uid=*,cn=staff,cn=accounts,dc=etc..

?

Since I'm setting the password complexity in AD and Psync I assume that I simply 
do not want any policy for most users...but I still will need a global for 
users who are not in AD.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 28 March 2012 11:16 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] passwd sync

Steven Jones wrote:
> Section 7.4.2 on password sync calls for a download of a
> PassSync.msi...I cannot locate this...so your doc needs updating I think.
>
> For the 7.4.2 number 4 point 2 I see uid=passync cn=systemaccounts
> cn=etc, then the dc= usual bits
>
> I assume the two cn='s are "standard"?

It isn't incorrect, if that is what you are asking. cn is a multi-valued
attribute.

> number 4 point 4 ou=People,dc=example,dc=com is a "standard"?

It is merely an example. I think the default location for AD users is
ou=Users.

> So in my case it would simply be ou=People,dc=ods,dc=vuw,dc=ac,dc=nz

You'd want to check with your AD administrator(s).

rob



Re: [Freeipa-users] passwd sync

2012-03-27 Thread Steven Jones
Hi,

Dunno, I have raised a ticket with support to clarify where it is, I am unable 
to find it, the document doesn't say which channel.



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Wednesday, 28 March 2012 11:07 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] passwd sync

On 03/27/2012 05:44 PM, Steven Jones wrote:
Section 7.4.2 on password sync calls for a download of a PassSync.msi...I 
cannot locate this...so your doc needs updating I think.

For the 7.4.2 number 4 point 2 I see uid=passync cn=systemaccounts cn=etc, then 
the dc= usual bits

I assume the two cn='s are "standard"?

number 4 point 4 ou=People,dc=example,dc=com  is a "standard"?

So in my case it would simply be ou=People,dc=ods,dc=vuw,dc=ac,dc=nz

?

Isn't it in a separate channel that needs to be added?




regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com 
[freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Wednesday, 28 March 2012 10:36 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] hosts/clients joining IPA but dns updating not 
working

On 03/27/2012 03:47 PM, Steven Jones wrote:

Hi

It's possible the uninstall from one IPA realm didn't work properly before I 
joined it to another?

Anyway I have incl both logs just in case.  There is a suggestion that the 
kerberos ticket isn't right?



Seems like the client fails to get its name properly. Something related to the 
host name resolution is likely not correct.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Martin Kosek [mko...@redhat.com]
Sent: Tuesday, 27 March 2012 10:04 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] hosts/clients joining IPA but dns updating not 
working

On Tue, 2012-03-27 at 01:15 +, Steven Jones wrote:


Hi,

I just started adding hosts/clients but DNS isn't being updated for the 
client(s).

Screenshot of error is attached



Hello Steven,

there is something wrong with your host keytab. As written in the
output, ipa-client-install could not get a TGT for
host/vuwunicorh6w...@ods.vuw.ac.nz and thus nsupdate which performs the
DNS update failed.

Can you please attach a relevant portion of ipaclient-install.log so
that we can get more information about why it failed?

Alternatively, you can list credentials in the keytab with this command
yourself:
# klist -kt /etc/krb5.keytab

To test obtaining the TGT from the host keytab and thus reproducing this
issue, you can run this command:
# kinit -k -t /etc/krb5.keytab host/vuwunicorh6w...@ods.vuw.ac.nz

The command output itself, or KRB5KDC logs in IPA server should provide
a hint why the kinit fails.

Martin







--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.










--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.





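Martin's keytab check, quoted inside the message above, as an added example (not FreeIPA's own code): a Python helper that parses the output of `klist -kt /etc/krb5.keytab` and reports whether the host/<fqdn>@REALM principal ipa-client-install needs is present, or whether the keytab only holds keys for a different realm, which is what a half-finished uninstall from a previous IPA realm (the possibility Steven raises) would leave behind. The sample klist output, the host name client.example.test and the realms are constructed placeholders, not values from this thread.

```python
"""Check a host keytab for the principal ipa-client-install needs.

Added example, not FreeIPA code. parse_klist() reads 'klist -kt' output,
diagnose() explains why 'kinit -k -t /etc/krb5.keytab host/<fqdn>@REALM'
would or would not succeed, and read_keytab() runs klist for real when it
is installed. All sample data below is constructed.
"""
import re
import shutil
import subprocess
from typing import List, Tuple

# Constructed sample of 'klist -kt' output: only keys from an old realm remain.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 03/20/12 09:12:01 host/client.example.test@OLD.EXAMPLE.TEST
   3 03/20/12 09:12:01 host/client.example.test@OLD.EXAMPLE.TEST
"""

# One keytab entry line: KVNO, date, time, principal (header lines do not match).
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)$")


def parse_klist(output: str) -> List[Tuple[int, str]]:
    """Return (kvno, principal) pairs from klist -kt output, skipping headers."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def diagnose(entries: List[Tuple[int, str]], expected_principal: str) -> str:
    """Explain what the keytab holds relative to the principal we need."""
    if "@" not in expected_principal:
        raise ValueError("expected principal must include @REALM")
    if not entries:
        return "keytab is empty or unreadable: rejoin the client"
    # Kerberos principal names are compared exactly, so no case folding here.
    if any(p == expected_principal for _, p in entries):
        return "ok: keytab holds " + expected_principal
    realm = expected_principal.split("@", 1)[1]
    found_realms = sorted({p.split("@", 1)[1] for _, p in entries if "@" in p})
    if realm not in found_realms:
        return ("keytab holds keys only for realm(s) %s, not %s: "
                "stale keytab from a previous enrolment, rejoin the client"
                % (", ".join(found_realms), realm))
    return "realm matches but the host principal differs: check the host name resolution"


def read_keytab(path: str = "/etc/krb5.keytab") -> List[Tuple[int, str]]:
    """Run klist -kt on a real keytab (needs klist installed and read access)."""
    if shutil.which("klist") is None:
        raise RuntimeError("klist not found on this system")
    out = subprocess.run(["klist", "-kt", path], capture_output=True,
                         text=True, check=True).stdout
    return parse_klist(out)


if __name__ == "__main__":
    entries = parse_klist(SAMPLE_KLIST)
    print(diagnose(entries, "host/client.example.test@EXAMPLE.TEST"))
```

On a real client, replace the sample with `read_keytab()` and pass the principal from the ipa-client-install error; a "realm mismatch" result means the old keytab was never removed and the enrolment has to be redone, while a principal mismatch in the right realm points at the name-resolution problem Dmitri mentions.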

Re: [Freeipa-users] passwd sync

2012-03-27 Thread Rob Crittenden

Steven Jones wrote:

Section 7.4.2 on password sync calls for a download of a
PassSync.msi...I cannot locate this...so your doc needs updating I think.

For the 7.4.2 number 4 point 2 I see uid=passync cn=systemaccounts
cn=etc, then the dc= usual bits

I assume the two cn='s are "standard"?


It isn't incorrect, if that is what you are asking. cn is a multi-valued 
attribute.



number 4 point 4 ou=People,dc=example,dc=com is a "standard"?


It is merely an example. I think the default location for AD users is 
ou=Users.



So in my case it would simply be ou=People,dc=ods,dc=vuw,dc=ac,dc=nz


You'd want to check with your AD administrator(s).

rob



Re: [Freeipa-users] Trying to get my head around Delegating admin permissions and groups

2012-03-27 Thread Rob Crittenden

Steven Jones wrote:

Hi,

I want to have 2 trees of user (and, or? host?) groups, one server branch and 
one desktop as the desktop admins differ from the server admins and have to be 
kept separate..so that seems to be a high level thing

So reading the delegation section it's unclear if I am in the right place or what 
permission to give...so for a top level admin I give the manager attribute? to the top 
group or simply all? or what?  looking down the attributes I see things like 
"cn" so I see nothing that helps me understand...yep I'm lost.

What I need to do is give the desktop admins control over desktops and desktop 
users but not any over servers and server users and the the server admins the 
opposite.

There are also going to be at least two password policies, one for staff and 
one for students.  After a bit I will have passync from AD for staff so that 
policy needs to be disabled...also the requirement to reset their password on 
first login as that's done via AD

So is the best way to make a top level group for each of the two trees,  
delegate this to each admin branch (manager?) to that? and then under that have 
two groups where I attach each of the password policies?  seems logical, but 
who knows

Say a group labeled 1 is the top for the server tree with 2 under it for staff 
server passwords and 3 for student server passwords.

Say a group labeled A  is the top for the desktop tree with B under it for 
staff server passwords and C for student server passwords...

hope my ascii art works

2
  1<
   3

   b
a<
   c

So a staff password policy is attached to 2 and B and a student password policy 
is attached to 3 and C?

:/

Is this clear?

The next Q is doing the nesting, I get confused on which way it goes...1 
goes into group 2 and 3 while a goes into b and c?

That way 1 has "control over" 2 and 3?  which is what I want

or do 2 and 3 go into 1?  can't see that as 2 and 3 would have the same level as 
1?

I then have to repeat something similar for the hosts/clients?


IPA has a flat DIT, so all users are stored together, all groups, etc. 
You cannot use the IPA tools to manage users stored elsewhere in the tree.


You can grant permissions via groups and hostgroups, I think that will 
do what you need.


You'll need to craft a series of permissions granting access to modify 
attributes of members of a group. Then create privileges and roles and 
assign membership as necessary.


So for example you create a couple of groups: DesktopAdmins and 
DesktopUsers.


Assign users as appropriate. It is ok for users to be members of both.

Here is how it might look. I'm just creating a permission to modify a 
few attributes of a class of users but it should point you in the right 
direction.


Create our groups
$ ipa group-add desktopusers --desc='Desktop users'
$ ipa group-add desktopadmins --desc='Desktop admins'

Create a permission to write some user attributes
$ ipa permission-add 'Manage desktop users' --memberof=desktopusers 
--attrs='givenname,sn,telephonenumber' --type=user --permissions=write


Create some sample users (yes, one extra user)
$ echo password | ipa user-add --first=tim --last=user duser1 --password
$ echo password | ipa user-add --first=tim --last=user dadmin1 --password
$ echo password | ipa user-add --first=tim --last=user tuser1 --password

Assign members to groups
$ ipa group-add-member --users=duser1 desktopusers
$ ipa group-add-member --users=dadmin1 desktopadmins

Create privilege and role
$ ipa privilege-add 'Desktop admins' --desc='Desktop admins'
$ ipa role-add 'Desktop admins' --desc='Desktop admins'
$ ipa privilege-add-permission --permissions='Manage desktop users' 
'Desktop admins'

$ ipa role-add-privilege --privileges='Desktop admins' 'Desktop admins'

Now become a desktop admin and test

$ kinit dadmin1
$ ipa user-mod --first=Gary duser1
--
Modified user "duser1"
--
  User login: duser1
  First name: Gary
  Last name: user
  Home directory: /home/duser1
  Login shell: /bin/sh
  UID: 64384
  GID: 64384
  Account disabled: False
  Password: True
  Member of groups: ipausers, desktopusers
  Kerberos keys available: True
$ ipa user-mod --first=Gary tuser1
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 
'givenName' attribute of entry 
'uid=tuser1,cn=users,cn=accounts,dc=example,dc=com'.


You can see that it can manage the user we added to desktopusers but not 
the other user.


Things you can't easily do are things like "Create a desktop user". You 
can't easily do this because the group membership is assigned later.


regards

rob



Re: [Freeipa-users] passwd sync

2012-03-27 Thread Dmitri Pal
On 03/27/2012 05:44 PM, Steven Jones wrote:
> Section 7.4.2 on password sync calls for a download of a
> PassSync.msi...I cannot locate this...so your doc needs updating I think.
>
> For the 7.4.2 number 4 point 2 I see uid=passync cn=systemaccounts
> cn=etc, then the dc= usual bits
>
> I assume the two cn='s are "standard"? 
>
> number 4 point 4 ou=People,dc=example,dc=com  is a "standard"?  
>
> So in my case it would simply be ou=People,dc=ods,dc=vuw,dc=ac,dc=nz
>
> ?

Isn't it in a separate channel that needs to be added?

>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> 
> *From:* freeipa-users-boun...@redhat.com
> [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal
> [d...@redhat.com]
> *Sent:* Wednesday, 28 March 2012 10:36 a.m.
> *To:* freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] hosts/clients joining IPA but dns
> updating not working
>
> On 03/27/2012 03:47 PM, Steven Jones wrote:
>> Hi
>>
>> It's possible the uninstall from one IPA realm didn't work properly before I 
>> joined it to another?
>>
>> Anyway I have incl both logs just in case.  There is a suggestion that the 
>> kerberos ticket isn't right?
>>
>
> Seems like the client fails to get its name properly. Something
> related to the host name resolution is likely not correct.
>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> 
>> From: Martin Kosek [mko...@redhat.com]
>> Sent: Tuesday, 27 March 2012 10:04 p.m.
>> To: Steven Jones
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] hosts/clients joining IPA but dns updating not 
>> working
>>
>> On Tue, 2012-03-27 at 01:15 +, Steven Jones wrote:
>>> Hi,
>>>
>>> I just started adding hosts/clients but DNS isn't being updated for the 
>>> client(s).
>>>
>>> Screenshot of error is attached
>>>
>> Hello Steven,
>>
>> there is something wrong with your host keytab. As written in the
>> output, ipa-client-install could not get a TGT for
>> host/vuwunicorh6w...@ods.vuw.ac.nz and thus nsupdate which performs the
>> DNS update failed.
>>
>> Can you please attach a relevant portion of ipaclient-install.log so
>> that we can get more information about why it failed?
>>
>> Alternatively, you can list credentials in the keytab with this command
>> yourself:
>> # klist -kt /etc/krb5.keytab
>>
>> To test obtaining the TGT from the host keytab and thus reproducing this
>> issue, you can run this command:
>> # kinit -k -t /etc/krb5.keytab host/vuwunicorh6w...@ods.vuw.ac.nz
>>
>> The command output itself, or KRB5KDC logs in IPA server should provide
>> a hint why the kinit fails.
>>
>> Martin
>>
>>
>>
>> ___
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.






Re: [Freeipa-users] passwd sync

2012-03-27 Thread Rich Megginson

On 03/27/2012 03:44 PM, Steven Jones wrote:
Section 7.4.2 on password sync calls for a download of a 
PassSync.msi...I cannot locate this...so your doc needs updating I think.
There is a version here: http://port389.org/wiki/Download - Windows 
Password Synchronization


For the 7.4.2 number 4 point 2 I see uid=passync cn=systemaccounts 
cn=etc, then the dc= usual bits


I assume the two cn='s are "standard"?

number 4 point 4 ou=People,dc=example,dc=com  is a "standard"?

So in my case it would simply be ou=People,dc=ods,dc=vuw,dc=ac,dc=nz

?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


*From:* freeipa-users-boun...@redhat.com 
[freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal 
[d...@redhat.com]

*Sent:* Wednesday, 28 March 2012 10:36 a.m.
*To:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] hosts/clients joining IPA but dns 
updating not working


On 03/27/2012 03:47 PM, Steven Jones wrote:

Hi

It's possible the uninstall from one IPA realm didn't work properly before I 
joined it to another?

Anyway I have included both logs just in case. There is a suggestion that the 
Kerberos ticket isn't right?



Seems like the client fails to get its name properly. Something 
related to the host name resolution is likely not correct.





From: Martin Kosek [mko...@redhat.com]
Sent: Tuesday, 27 March 2012 10:04 p.m.
To: Steven Jones
Cc:freeipa-users@redhat.com
Subject: Re: [Freeipa-users] hosts/clients joining IPA but dns updating not 
working

On Tue, 2012-03-27 at 01:15 +, Steven Jones wrote:

Hi,

I just started adding hosts/clients but DNS isn't being updated for the 
client(s).

Screenshot of error is attached


Hello Steven,

there is something wrong with your host keytab. As written in the
output, ipa-client-install could not get a TGT for
host/vuwunicorh6w...@ods.vuw.ac.nz  and thus nsupdate which performs the
DNS update failed.

Can you please attach a relevant portion of ipaclient-install.log so
that we can get more information about why it failed?

Alternatively, you can list credentials in the keytab with this command
yourself:
# klist -kt /etc/krb5.keytab

To test obtaining the TGT from the host keytab and thus reproducing this
issue, you can run this command:
# kinit -k -t /etc/krb5.keytab host/vuwunicorh6w...@ods.vuw.ac.nz

The command output itself, or KRB5KDC logs in IPA server should provide
a hint why the kinit fails.

Martin













Re: [Freeipa-users] passwd sync

2012-03-27 Thread Steven Jones
Or maybe it's on the AD so it's,

ou=People,dc=vuw,dc=ac,dc=nz

?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Wednesday, 28 March 2012 10:44 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] passwd sync

Section 7.4.2 on password sync calls for a download of a PassSync.msi...I 
cannot locate this, so your doc needs updating I think.

For the 7.4.2 number 4 point 2 I see uid=passync cn=systemaccounts cn=etc, then 
the dc= usual bits

I assume the two cn='s are "standard"?

number 4 point 4 ou=People,dc=example,dc=com  is a "standard"?

So in my case it would simply be ou=People,dc=ods,dc=vuw,dc=ac,dc=nz

?





From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Wednesday, 28 March 2012 10:36 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] hosts/clients joining IPA but dns updating not 
working

On 03/27/2012 03:47 PM, Steven Jones wrote:

Hi

It's possible the uninstall from one IPA realm didn't work properly before I 
joined it to another?

Anyway I have included both logs just in case. There is a suggestion that the 
Kerberos ticket isn't right?



Seems like the client fails to get its name properly. Something related to the 
host name resolution is likely not correct.




From: Martin Kosek [mko...@redhat.com]
Sent: Tuesday, 27 March 2012 10:04 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] hosts/clients joining IPA but dns updating not 
working

On Tue, 2012-03-27 at 01:15 +, Steven Jones wrote:


Hi,

I just started adding hosts/clients but DNS isn't being updated for the 
client(s).

Screenshot of error is attached



Hello Steven,

there is something wrong with your host keytab. As written in the
output, ipa-client-install could not get a TGT for
host/vuwunicorh6w...@ods.vuw.ac.nz and thus nsupdate which performs the
DNS update failed.

Can you please attach a relevant portion of ipaclient-install.log so
that we can get more information about why it failed?

Alternatively, you can list credentials in the keytab with this command
yourself:
# klist -kt /etc/krb5.keytab

To test obtaining the TGT from the host keytab and thus reproducing this
issue, you can run this command:
# kinit -k -t /etc/krb5.keytab host/vuwunicorh6w...@ods.vuw.ac.nz

The command output itself, or KRB5KDC logs in IPA server should provide
a hint why the kinit fails.

Martin











[Freeipa-users] passwd sync

2012-03-27 Thread Steven Jones
Section 7.4.2 on password sync calls for a download of a PassSync.msi...I 
cannot locate this, so your doc needs updating I think.

For the 7.4.2 number 4 point 2 I see uid=passync cn=systemaccounts cn=etc, then 
the dc= usual bits

I assume the two cn='s are "standard"?

number 4 point 4 ou=People,dc=example,dc=com  is a "standard"?

So in my case it would simply be ou=People,dc=ods,dc=vuw,dc=ac,dc=nz

?



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Wednesday, 28 March 2012 10:36 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] hosts/clients joining IPA but dns updating not 
working

On 03/27/2012 03:47 PM, Steven Jones wrote:

Hi

It's possible the uninstall from one IPA realm didn't work properly before I 
joined it to another?

Anyway I have included both logs just in case. There is a suggestion that the 
Kerberos ticket isn't right?



Seems like the client fails to get its name properly. Something related to the 
host name resolution is likely not correct.




From: Martin Kosek [mko...@redhat.com]
Sent: Tuesday, 27 March 2012 10:04 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] hosts/clients joining IPA but dns updating not 
working

On Tue, 2012-03-27 at 01:15 +, Steven Jones wrote:


Hi,

I just started adding hosts/clients but DNS isn't being updated for the 
client(s).

Screenshot of error is attached



Hello Steven,

there is something wrong with your host keytab. As written in the
output, ipa-client-install could not get a TGT for
host/vuwunicorh6w...@ods.vuw.ac.nz and thus nsupdate which performs the
DNS update failed.

Can you please attach a relevant portion of ipaclient-install.log so
that we can get more information about why it failed?

Alternatively, you can list credentials in the keytab with this command
yourself:
# klist -kt /etc/krb5.keytab

To test obtaining the TGT from the host keytab and thus reproducing this
issue, you can run this command:
# kinit -k -t /etc/krb5.keytab host/vuwunicorh6w...@ods.vuw.ac.nz

The command output itself, or KRB5KDC logs in IPA server should provide
a hint why the kinit fails.

Martin











Re: [Freeipa-users] hosts/clients joining IPA but dns updating not working

2012-03-27 Thread Dmitri Pal
On 03/27/2012 03:47 PM, Steven Jones wrote:
> Hi
>
> It's possible the uninstall from one IPA realm didn't work properly before I 
> joined it to another?
>
> Anyway I have included both logs just in case. There is a suggestion that the 
> Kerberos ticket isn't right?
>

Seems like the client fails to get its name properly. Something related
to the host name resolution is likely not correct.

>
> 
> From: Martin Kosek [mko...@redhat.com]
> Sent: Tuesday, 27 March 2012 10:04 p.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] hosts/clients joining IPA but dns updating not 
> working
>
> On Tue, 2012-03-27 at 01:15 +, Steven Jones wrote:
>> Hi,
>>
>> I just started adding hosts/clients but DNS isn't being updated for the 
>> client(s).
>>
>> Screenshot of error is attached
>>
> Hello Steven,
>
> there is something wrong with your host keytab. As written in the
> output, ipa-client-install could not get a TGT for
> host/vuwunicorh6w...@ods.vuw.ac.nz and thus nsupdate which performs the
> DNS update failed.
>
> Can you please attach a relevant portion of ipaclient-install.log so
> that we can get more information about why it failed?
>
> Alternatively, you can list credentials in the keytab with this command
> yourself:
> # klist -kt /etc/krb5.keytab
>
> To test obtaining the TGT from the host keytab and thus reproducing this
> issue, you can run this command:
> # kinit -k -t /etc/krb5.keytab host/vuwunicorh6w...@ods.vuw.ac.nz
>
> The command output itself, or KRB5KDC logs in IPA server should provide
> a hint why the kinit fails.
>
> Martin
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




[Freeipa-users] Trying to get my head around Delegating admin permissions and groups

2012-03-27 Thread Steven Jones
Hi,

I want to have 2 trees of user (and, or? host?) groups, one server branch and 
one desktop, as the desktop admins differ from the server admins and have to be 
kept separate...so that seems to be a high-level thing.

So reading the delegation section it's unclear if I am in the right place or 
what permission to give...so for a top-level admin I give the manager 
attribute? to the top group or simply all? or what? Looking down the 
attributes I see things like "cn", so I see nothing that helps me 
understand...yep, I'm lost.

What I need to do is give the desktop admins control over desktops and desktop 
users but not any over servers and server users, and the server admins the 
opposite.

There are also going to be at least two password policies, one for staff and 
one for students. After a bit I will have passsync from AD for staff, so that 
policy needs to be disabled...also the requirement to reset their password on 
first login, as that's done via AD.

So is the best way to make a top-level group for each of the two trees, 
delegate this to each admin branch (manager?) to that? and then under that have 
two groups where I attach each of the password policies? Seems logical, but 
who knows.

Say a group labeled 1 is the top for the server tree with 2 under it for staff 
server passwords and 3 for student server passwords.

Say a group labeled A is the top for the desktop tree with B under it for 
staff server passwords and C for student server passwords...

hope my ASCII art works

     2
 1 <
     3

     b
 a <
     c

So a staff password policy is attached to 2 and B and a student password policy 
is attached to 3 and C?

:/

Is this clear?  

The next Q is doing the nesting, I get confused on which way it goes...1 
goes into groups 2 and 3 while a goes into b and c?

That way 1 has "control over" 2 and 3?  which is what I want

or do 2 and 3 go into 1? can't see that as 2 and 3 would have the same level as 
1?

I then have to repeat something similar for the hosts/clients?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272



Re: [Freeipa-users] hosts/clients joining IPA but dns updating not working

2012-03-27 Thread Steven Jones
Hi

It's possible the uninstall from one IPA realm didn't work properly before I 
joined it to another?

Anyway I have included both logs just in case. There is a suggestion that the 
Kerberos ticket isn't right?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Martin Kosek [mko...@redhat.com]
Sent: Tuesday, 27 March 2012 10:04 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] hosts/clients joining IPA but dns updating not 
working

On Tue, 2012-03-27 at 01:15 +, Steven Jones wrote:
> Hi,
>
> I just started adding hosts/clients but DNS isn't being updated for the 
> client(s).
>
> Screenshot of error is attached
>

Hello Steven,

there is something wrong with your host keytab. As written in the
output, ipa-client-install could not get a TGT for
host/vuwunicorh6w...@ods.vuw.ac.nz and thus nsupdate which performs the
DNS update failed.

Can you please attach a relevant portion of ipaclient-install.log so
that we can get more information about why it failed?

Alternatively, you can list credentials in the keytab with this command
yourself:
# klist -kt /etc/krb5.keytab

To test obtaining the TGT from the host keytab and thus reproducing this
issue, you can run this command:
# kinit -k -t /etc/krb5.keytab host/vuwunicorh6w...@ods.vuw.ac.nz

The command output itself, or KRB5KDC logs in IPA server should provide
a hint why the kinit fails.

Martin



[Attachment: ipaclient-install.log]
[Attachment: ipaclient-uninstall.log]

Re: [Freeipa-users] Setting a new directory manager password

2012-03-27 Thread Simo Sorce
On Mon, 2012-03-26 at 23:03 +, Steven Jones wrote:
> Hi,
> 
> No I was confused, I thought you meant there were some function that
> the DM held that could be delegated.  I expect that the admin user
> will be deleted as that's an attack vector (however obscure/indirect).

If you delete the admin user you will completely break your FreeIPA
server. Just FYI.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Assessment of FreeIPA for local central authentication and user management service for a single server with multiple services in need for AA

2012-03-27 Thread Dmitri Pal
On 03/27/2012 04:32 AM, Oguz Yilmaz wrote:
> Hello,
>
> I plan to implement a common authentication and authorization system
> for several Linux applications. My research has redirected me to
> FreeIPA, and I am happy to know about such a good project.
>
> However, I don't have any purpose of managing non-Windows computers and
> users. This is a one gateway box, single machine system.
>
> My planned system has several services. Some examples that would use that AA
> system are: xl2tpd, pptpd, openvpn, squid and some custom-made web
> applications.
>
> I need the following functions for those services and applications:
>
> - User authentication
> - User roles and authorization (vpnuser, manager, webuser...)
> - User, role and credentials management (creating users by admin,
> password changes by users,...)
> - AD and radius sync or proxying AA.
>
> The services can be connected to the AA system through an
> authenticator system binary. Binary is called with user credentials
> and service requesting AA; and results in grant or reject. System
> services may use this binary for checking authentication and
> authorization.
>
> Do you think FreeIPA is a good choice? What would you suggest, otherwise?
>

From the high level, yes, it seems like a good choice, but the devil is in the details.
IPA does everything you listed but it might do it in a different way
from how you envision it.
You might find that a pure DS server would be more flexible for you. But
it will not be clear until you give it a try.
I suggest you give it a try and make up your mind based on the experience
and quick evaluation.
Looking at your requirements I would bet that IPA would work for you
just fine.


This authenticator system binary that you mention, is it custom code or
something off the shelf? Is it LDAP based or does it use PAM? Is it something
like kinit?

> Best Regards,
>
>
> --
> Oguz YILMAZ
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] hosts/clients joining IPA but dns updating not working

2012-03-27 Thread Martin Kosek
On Tue, 2012-03-27 at 01:15 +, Steven Jones wrote:
> Hi,
> 
> I just started adding hosts/clients but DNS isn't being updated for the 
> client(s).
> 
> Screenshot of error is attached
> 

Hello Steven,

there is something wrong with your host keytab. As written in the
output, ipa-client-install could not get a TGT for
host/vuwunicorh6w...@ods.vuw.ac.nz and thus nsupdate which performs the
DNS update failed.

Can you please attach a relevant portion of ipaclient-install.log so
that we can get more information about why it failed?

Alternatively, you can list credentials in the keytab with this command
yourself:
# klist -kt /etc/krb5.keytab

To test obtaining the TGT from the host keytab and thus reproducing this
issue, you can run this command:
# kinit -k -t /etc/krb5.keytab host/vuwunicorh6w...@ods.vuw.ac.nz

The command output itself, or KRB5KDC logs in IPA server should provide
a hint why the kinit fails.

Martin
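A diagnostic that wires Martin's two checks together, added here as an example and not part of the thread: it derives the expected host principal from the client's own FQDN (the name-resolution point Dmitri raises), confirms `klist -kt` lists that principal, and only then tries `kinit -k -t`. The keytab path, the realm and the sample klist output are assumed or constructed, not taken from Steven's system.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes MIT Kerberos klist/kinit.

# keytab_has_principal KLIST_OUTPUT PRINCIPAL
# Returns 0 when PRINCIPAL appears as the last field of a `klist -kt` line
# (KVNO Timestamp Principal), 1 otherwise. Takes the text as an argument so
# the parsing can be checked offline without a real keytab.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '
        NF >= 3 && $NF == p { found = 1 }
        END { exit found ? 0 : 1 }'
}

# expected_host_principal FQDN REALM -> prints host/FQDN@REALM
expected_host_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# check_host_keytab KEYTAB REALM
#   1. the client must know its own fully qualified name
#   2. the keytab must contain host/<fqdn>@<realm> (what klist -kt shows)
#   3. a TGT must be obtainable from it (the step ipa-client-install failed on)
check_host_keytab() {
    keytab=${1:-/etc/krb5.keytab}
    realm=$2
    fqdn=$(hostname -f 2>/dev/null)
    if [ -z "$fqdn" ] || [ "$fqdn" = "${fqdn%.*}" ]; then
        echo "hostname -f did not return a fully qualified name: '$fqdn'" >&2
        echo "fix /etc/hosts or DNS before enrolling the client" >&2
        return 2
    fi
    princ=$(expected_host_principal "$fqdn" "$realm")
    out=$(klist -kt "$keytab" 2>&1) || { echo "$out" >&2; return 3; }
    if ! keytab_has_principal "$out" "$princ"; then
        echo "$keytab does not contain $princ (keytab issued for another name or realm?)" >&2
        echo "$out" >&2
        return 4
    fi
    # private ccache so an existing user ticket is not overwritten
    cc="/tmp/host-keytab-test.$$"
    if KRB5CCNAME="FILE:$cc" kinit -k -t "$keytab" "$princ"; then
        rm -f "$cc"
        echo "TGT for $princ obtained from $keytab"
        return 0
    fi
    rm -f "$cc"
    echo "kinit failed for $princ; check the KDC log on the IPA server" >&2
    return 5
}

# Constructed sample of `klist -kt` output (not real keytab data) for an
# offline check of the parser; example.com / EXAMPLE.COM are placeholders.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------
   2 03/27/12 10:04:00 host/client.example.com@EXAMPLE.COM'
```

Run as `check_host_keytab /etc/krb5.keytab EXAMPLE.COM` on the client; the return code tells you which of the three steps failed.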



[Freeipa-users] Assessment of FreeIPA for local central authentication and user management service for a single server with multiple services in need for AA

2012-03-27 Thread Oguz Yilmaz
Hello,

I plan to implement a common authentication and authorization system
for several Linux applications. My research has redirected me to
FreeIPA, and I am happy to know about such a good project.

However, I don't have any purpose of managing non-Windows computers and
users. This is a one gateway box, single machine system.

My planned system has several services. Some examples that would use that AA
system are: xl2tpd, pptpd, openvpn, squid and some custom-made web
applications.

I need the following functions for those services and applications:

- User authentication
- User roles and authorization (vpnuser, manager, webuser...)
- User, role and credentials management (creating users by admin,
password changes by users,...)
- AD and radius sync or proxying AA.

The services can be connected to the AA system through an
authenticator system binary. Binary is called with user credentials
and service requesting AA; and results in grant or reject. System
services may use this binary for checking authentication and
authorization.

Do you think FreeIPA is a good choice? What would you suggest, otherwise?

Best Regards,


--
Oguz YILMAZ
