Re: [Freeipa-users] Upgraded, login + password webui auth and ssh token manipulation gone

2013-03-08 Thread Dmitri Pal
On 03/07/2013 11:47 PM, Tim Hildred wrote:
> Hello,
>
> I have been using IPA for authentication with a RHEV environment. 
>
> Quite a while ago, I got help from this list in making it so that my users 
> could access the WebUI with their login and passwords, no Kerberos ticket 
> required. I also had it working that when their passwords expired, they would 
> ssh to the IPA server as themselves, get challenged for their current 
> password, and then the opportunity to provide a new one. 
>
> The update to ipa-server 3.0.0-25.el6 means that I can no longer log into the 
> WebUI with just a login and password (see attached screenshot) and that users 
> who try and update expired passwords get:
>
>  You must change your password now and login again!
>  Changing password for user juwu.
>  Current Password: 
>  New password: 
>  Retype new password: 
>  Password change failed. Server message: Password not changed.

It seems that the password might not have matched the server policy.
Have you tried different users and different passwords?

What does the kerberos log on the server show? It will give you some hint
about the reason why the password was rejected.
It might be that the password you are trying to use is already in the
history of passwords. AFAIR there was a bug that we did not handle
history of passwords properly in some cases. Now that it is fixed, you
might see proper policy enforcement.

>  Insufficient access to perform requested operation while trying to change 
> password.
>  passwd: Authentication token manipulation error
>  Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
>
> Can anyone help me restore that functionality? Please?
>
> Tim Hildred, RHCE
> Content Author II - Engineering Content Services, Red Hat, Inc.
> Brisbane, Australia
> Email: thild...@redhat.com
> Internal: 8588287
> Mobile: +61 4 666 25242
> IRC: thildred
>
>
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] ipa-* tools throws errors

2013-03-08 Thread David Fitzgerald
Thanks for getting back to me!

I don't think the problem has anything to do with DNS. I (finally) ran an ipa 
command with the verbose flags -vv and found that it IS trying to contact 
aurora.esci.millersville.edu; it fails, then tries to contact 
cyclone.esci.millersville.edu (still don't know where that comes from). I am 
getting an 'Internal Server Error' in the output when connecting to aurora. 
Here is the output:

% ipa -vv passwd
ipa: INFO: trying https://aurora.esci.millersville.edu/ipa/xml
send: u'POST /ipa/xml HTTP/1.0\r\nHost: 
aurora.esci.millersville.edu\r\nAccept-Language: en-us\r\nReferer:  
https://aurora.esci.millersville.edu/ipa/xml\r\nAuthorization: negotiate
  ...
send: "\n\nping\n\n\n\n"
reply: 'HTTP/1.1 500 Internal Server Error\r\n'
header: Date: Fri, 08 Mar 2013 16:52:48 GMT
header: Server: Apache/2.2.15 (Scientific Linux)
header: WWW-Authenticate: Negotiate 
YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvjoEMIFJxPVNU4jtl/7S+eC6fM0rlJWpV1fJdhoVTKwiR2pa2OHQWRtCjQDfz

pBNwNBpt1fMY7M4Bfrqs860toAT6jMfS8Jkqh3Aj9OeuEmpEVHys5pbErjj14OPHxbxTmLdPxFE8eV4ZIDQg40a8
header: Content-Length: 311
header: Connection: close
header: Content-Type: text/html; charset=utf-8
ipa: INFO: trying https://cyclone.esci.millersville.edu/ipa/xml
ipa: ERROR: Kerberos error: Service 
u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/

The apache error log gives this:  
 Fri Mar 08 11:52:48 2013] [error] ipa: ERROR: 500 Internal Server 
Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment.

I have no idea what that means.  Can you help?

-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com] 
Sent: Wednesday, March 06, 2013 3:05 AM
To: David Fitzgerald
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

Ok. Can you try if this hostname is not returned in a SRV DNS record discovery 
run on the host where you execute the ipa commands?

# dig -t srv _ldap._tcp.esci.millersville.edu

Does it return the right results?

Martin

On 03/05/2013 07:26 PM, David Fitzgerald wrote:
> The host command returns the correct name:
> #host 166.66.65.39
> 39.65.66.166.in-addr.arpa domain name pointer aurora.esci.millersville.edu.
> 
> -Original Message-
> From: Martin Kosek [mailto:mko...@redhat.com]
> Sent: Tuesday, March 05, 2013 10:26 AM
> To: David Fitzgerald
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-* tools throws errors
> 
> On 03/05/2013 04:21 PM, David Fitzgerald wrote:
>> Hello everyone,
>>
>>  
>>
>> I have been running a freeIPA server on Scientific Linux 6.2 for about a 
>> year. 
>> Yesterday I started not being able to run any "ipa-" commands.
>> Running kinit admin gives me the proper tickets, but when I run any
>> ipa- command I get the following error:
>>
>>  
>>
>> ipa: ERROR: Kerberos error: Service
>> u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/.
>>
>>  
>>
>> I have no idea where the cyclone.esci.millersville.edu is coming 
>> from, as that used to be a Windows Domain server that was 
>> decommissioned years ago and is no longer in DNS, nor in /etc/hosts.  
>> I even ran grep -R over all of the files in /etc and none refer to cyclone.  I 
>> checked the ipa config and krb5.conf files and they are pointing at the 
>> proper ipa server.
>>
>>  
>>
>> Checking log files I get these messages when I try to run ipa commands:
>>
>>  
>>
>> /var/log/httpd/error log:  
>>
>> Tue Mar 05 08:57:54 2013] [error] ipa: ERROR: 500 Internal Server Error:
>> xmlserver.__call__: KRB5CCNAME not defined in HTTP request 
>> environment
>>
>>  
>>
>> /var/log/ipa
>>
>> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): 
>> TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime 
>> 1362491436, etypes {rep=18
>> tkt=18 ses=18}, admin@LINUX.DIRSRV.LOCAL for 
>> krbtgt/LINUX.DIRSRV.LOCAL@LINUX.DIRSRV.LOCAL
>>
>> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): 
>> TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER: 
>> authtime 0, admin@LINUX.DIRSRV.LOCAL for 
>> HTTP/cyclone.esci.millersville.edu@LINUX.DIRSRV.LOCAL, Server not 
>> found in Kerberos database
>>
>>  
>>
>> I Googled these error messages, but none of the results seemed to 
>> apply to my situation or didn't solve the problem.  Can anyone point 
>> me in the right direction? Any help is greatly appreciated.
>>
>>  
>>
>> For what they are worth, here are my /etc/krb5.conf and 
>> /etc/ipa/default.conf
>> files:
>>
>>  
>>
>> /etc/krb5.conf:
>>
>>  
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [logging]
>>
>> default = FILE:/var/log/krb5libs.log
>>
>> kdc = FILE:/var/log/krb5kdc.log
>>
>> admin_server = FILE:/var/log/kadmind.log
>>
>>  
>>
>> [libdefaults]
>>
>> default_realm = LINUX.DIRSRV.LOCAL
>>
>> dns_looku

Re: [Freeipa-users] Postfix and FreeIPA in a secure setup

2013-03-08 Thread Dale Macartney



On 03/08/2013 02:34 PM, Anthony Messina wrote:
> On Friday, March 08, 2013 08:09:20 AM Loris Santamaria wrote:
>>> 2. Kerberos / GSSAPI (I heard SASL can be used here as well ) for
>>> authenticated SSO mail sending
>>
>> Create the service in ipa, "ipa service-add smtp/myserver.mydomain.com".
>> On the mail server you should obtain the keytab with ipa-getkeytab and
>> save it in /etc/krb5.keytab. Then add to /etc/postfix/main.cf :
>>
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_security_options = noanonymous
>> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
>> broken_sasl_auth_clients = yes
>> smtpd_recipient_restrictions =
>> permit_sasl_authenticated,
>> permit_mynetworks,
>> reject_unauth_destination
>>
>> Lastly, add to /etc/sasl2/smtpd.conf:
>> pwcheck_method: saslauthd
>> mech_list: GSSAPI PLAIN LOGIN
>>
>> Restart postfix and saslauthd and it should work.
>
> You *may* also need to update Postfix's environment:
>
> # Import environment for Kerberos v5 GSSAPI
> import_environment =
> MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
> KRB5_KTNAME=/etc/postfix/smtp.keytab
>
> -A
Thanks Anthony, that was actually going to be my next question as I
prefer to keep service specific keytabs.

Dale
>
>
>
>


Re: [Freeipa-users] Postfix and FreeIPA in a secure setup

2013-03-08 Thread Anthony Messina
On Friday, March 08, 2013 08:09:20 AM Loris Santamaria wrote:
> > 2. Kerberos / GSSAPI (I heard SASL can be used here as well ) for
> > authenticated SSO mail sending
> 
> Create the service in ipa, "ipa service-add smtp/myserver.mydomain.com".
> On the mail server you should obtain the keytab with ipa-getkeytab and
> save it in /etc/krb5.keytab. Then add to /etc/postfix/main.cf :
> 
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
> broken_sasl_auth_clients = yes
> smtpd_recipient_restrictions = 
>   permit_sasl_authenticated,
>   permit_mynetworks,
>   reject_unauth_destination
> 
> Lastly, add to /etc/sasl2/smtpd.conf:
> pwcheck_method: saslauthd
> mech_list: GSSAPI PLAIN LOGIN
> 
> Restart postfix and saslauthd and it should work.

You *may* also need to update Postfix's environment:

# Import environment for Kerberos v5 GSSAPI
import_environment =
MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
KRB5_KTNAME=/etc/postfix/smtp.keytab

-A

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E



Re: [Freeipa-users] Postfix and FreeIPA in a secure setup

2013-03-08 Thread Dale Macartney



On 03/08/2013 12:39 PM, Loris Santamaria wrote:
> I can help you with items #1 and #2:
>
> El vie, 08-03-2013 a las 08:56 +, Dale Macartney escribió:
>> Hi all
>>
>> I've been reading through threads and threads of mailing lists and
>> google search results on this but most of the documentation isn't very
>> specific and is just vague enough for me not to make any progress.
>>
>> Would anyone be able to assist with the following setup of Postfix?
>>
>> Criteria is as follows
>>
>> 1. Alias list comes from IPA via LDAPS to verify a legitimate mail user
>> (specific attribute or group membership might be required here as all
>> ipa users now have an email address value.)
>
> There are many ways to solve this, this is using the virtual transport.
> In /etc/postfix/main.cf:
>
> virtual_alias_domains = mydomain.com
> virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf
>
> In /etc/postfix/ldap_aliases.cf:
>
> server_host = myipa1, myipa2
> search_base = cn=accounts,dc=mydomain,dc=com
> query_filter = (mail=%s)
> result_attribute = uid
> bind = no
>
> After editing /etc/postfix/ldap_aliases.cf you should run
> "postmap /etc/postfix/ldap_aliases.cf". Not using LDAPS here, but you
> should be able to reading "man 5 ldap_table"
Now that worked like a charm, thanks very much. Will work on ldaps
support and see if its possible.
>
>> 2. Kerberos / GSSAPI (I heard SASL can be used here as well ) for
>> authenticated SSO mail sending
>
> Create the service in ipa, "ipa service-add smtp/myserver.mydomain.com".
> On the mail server you should obtain the keytab with ipa-getkeytab and
> save it in /etc/krb5.keytab. Then add to /etc/postfix/main.cf :
>
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
> broken_sasl_auth_clients = yes
> smtpd_recipient_restrictions =
> permit_sasl_authenticated,
> permit_mynetworks,
> reject_unauth_destination
>
> Lastly, add to /etc/sasl2/smtpd.conf:
> pwcheck_method: saslauthd
> mech_list: GSSAPI PLAIN LOGIN
>
> Restart postfix and saslauthd and it should work.
Getting the below output in logs when attempting to auth via gssapi on
port 25 (is gssapi supported on port 25? could this be the cause?) Is
there any way to verify sasl auth remotely from a client other than in
postfix?

I am using an ipa workstation and SSO with dovecot works fine, so I know
the users' tickets are valid.

==> /var/log/maillog <==
Mar  8 14:15:02 mail03 postfix/smtpd[6226]: connect from unknown[10.0.1.101]
Mar  8 14:15:02 mail03 postfix/smtpd[6226]: warning: SASL authentication
failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide
more information ()
Mar  8 14:15:02 mail03 postfix/smtpd[6226]: warning:
unknown[10.0.1.101]: SASL GSSAPI authentication failed: generic failure
Mar  8 14:15:02 mail03 postfix/smtpd[6226]: disconnect from
unknown[10.0.1.101]

>
>
>> 3. Mail sending permission based on an LDAPS group membership, to
>> prevent unauthorised sending of mail from unknown users.
>
> Never done that but there is the definitive documentation:
> http://www.postfix.org/RESTRICTION_CLASS_README.html
>
>



Re: [Freeipa-users] Postfix and FreeIPA in a secure setup

2013-03-08 Thread Loris Santamaria
I can help you with items #1 and #2:

El vie, 08-03-2013 a las 08:56 +, Dale Macartney escribió:
> Hi all
> 
> I've been reading through threads and threads of mailing lists and
> google search results on this but most of the documentation isn't very
> specific and is just vague enough for me not to make any progress.
> 
> Would anyone be able to assist with the following setup of Postfix?
> 
> Criteria is as follows
> 
> 1. Alias list comes from IPA via LDAPS to verify a legitimate mail user
> (specific attribute or group membership might be required here as all
> ipa users now have an email address value.)

There are many ways to solve this, this is using the virtual transport.
In /etc/postfix/main.cf:

virtual_alias_domains = mydomain.com
virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf

In /etc/postfix/ldap_aliases.cf:

server_host = myipa1, myipa2
search_base = cn=accounts,dc=mydomain,dc=com
query_filter = (mail=%s)
result_attribute = uid
bind = no

After editing /etc/postfix/ldap_aliases.cf you should run
"postmap /etc/postfix/ldap_aliases.cf". Not using LDAPS here, but you
should be able to by reading "man 5 ldap_table".

> 2. Kerberos / GSSAPI (I heard SASL can be used here as well ) for
> authenticated SSO mail sending

Create the service in ipa, "ipa service-add smtp/myserver.mydomain.com".
On the mail server you should obtain the keytab with ipa-getkeytab and
save it in /etc/krb5.keytab. Then add to /etc/postfix/main.cf :

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = 
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination

Lastly, add to /etc/sasl2/smtpd.conf:
pwcheck_method: saslauthd
mech_list: GSSAPI PLAIN LOGIN

Restart postfix and saslauthd and it should work.

> 3. Mail sending permission based on an LDAPS group membership, to
> prevent unauthorised sending of mail from unknown users.

Never done that but there is the definitive documentation:
http://www.postfix.org/RESTRICTION_CLASS_README.html


-- 
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve

"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford


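An added check, not code from any message in this thread: it parses the main.cf, ldap_aliases.cf and smtpd.conf fragments posted above (plus the import_environment addition from the follow-up reply) and flags the three transport weaknesses a reviewer would raise: alias lookups over plain LDAP, PLAIN/LOGIN usable before STARTTLS, and no service-specific keytab exported to smtpd. The ldaps:// hostnames, the tls_ca_cert_file path and the smtpd_tls_auth_only setting in the hardened variant are assumptions, not settings from the thread.

```python
# Constructed from the configs posted in the thread; the service keytab
# export from the follow-up reply is deliberately left out of this variant.
THREAD_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination
"""
THREAD_LDAP_CF = """\
server_host = myipa1, myipa2
search_base = cn=accounts,dc=mydomain,dc=com
query_filter = (mail=%s)
result_attribute = uid
bind = no
"""
THREAD_SASL_CONF = "pwcheck_method: saslauthd\nmech_list: GSSAPI PLAIN LOGIN\n"
# Hardened variants (constructed, assumed values): LDAPS with the IPA CA
# pinned, password mechanisms only inside TLS, service keytab exported.
HARDENED_MAIN_CF = THREAD_MAIN_CF + """\
smtpd_tls_auth_only = yes
import_environment =
  MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
  KRB5_KTNAME=/etc/postfix/smtp.keytab
"""
HARDENED_LDAP_CF = THREAD_LDAP_CF.replace(
    "server_host = myipa1, myipa2",
    "server_host = ldaps://myipa1.mydomain.com ldaps://myipa2.mydomain.com",
) + "tls_require_cert = yes\ntls_ca_cert_file = /etc/ipa/ca.crt\n"

def parse_kv(text, sep="="):
    """Parse 'key = value' or 'key: value' lines; indented lines continue a value."""
    cfg, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:  # Postfix-style continuation
            cfg[last] = (cfg[last] + " " + raw.strip()).strip()
            continue
        key, _, val = raw.partition(sep)
        last = key.strip()
        cfg[last] = val.strip()
    return cfg

def lint(main_cf, ldap_cf, sasl_conf):
    """Return a list of findings; an empty list means nothing weak was seen."""
    main, ldap = parse_kv(main_cf), parse_kv(ldap_cf)
    sasl = parse_kv(sasl_conf, sep=":")
    findings = []
    # 1. Alias lookups over plain LDAP expose queries and accept spoofed answers.
    if ("ldaps://" not in ldap.get("server_host", "")
            and ldap.get("start_tls", "no").lower() != "yes"):
        findings.append("ldap: use ldaps:// or start_tls = yes, plus tls_require_cert = yes")
    # 2. PLAIN/LOGIN stay usable before STARTTLS unless Postfix forbids it.
    mechs = set(sasl.get("mech_list", "").upper().split())
    sec_opts = main.get("smtpd_sasl_security_options", "").replace(",", " ").split()
    if (mechs & {"PLAIN", "LOGIN"} and "noplaintext" not in sec_opts
            and main.get("smtpd_tls_auth_only", "no").lower() != "yes"):
        findings.append("sasl: PLAIN/LOGIN offered without smtpd_tls_auth_only = yes")
    # 3. Without KRB5_KTNAME, GSSAPI reads the host keytab /etc/krb5.keytab.
    if not any(e.startswith("KRB5_KTNAME=") for e in main.get("import_environment", "").split()):
        findings.append("gssapi: KRB5_KTNAME missing from import_environment")
    return findings
```

Running lint() on the thread's own fragments yields all three findings; the hardened pair yields none.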

Re: [Freeipa-users] Errors when trying IPA,Dovecot GSSAPI.

2013-03-08 Thread Dale Macartney



On 03/08/2013 09:38 AM, Petr Spacek wrote:
> On 7.3.2013 18:06, Dale Macartney wrote:
>>
>> I have just updated the article to have dovecot automatically creating a
>> maildir in a custom location.
>>
>>
http://www.freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On
>>
>> It's not NFS-based in the homedir, but technically if you're using a mail
>> client with offline support, the mail in the homedir would be available if the
>> imap server became unavailable anyway. Just a thought.
>
> Thank you for the nice article!
>
> Please, could you add some notes like "Don't use NFS" etc.? What you
> tried and what failed? It would be beneficial for other users to not
> waste time again :-)
>
> Thank you again!
>
New section added to top of article covering automounted home dirs.





Re: [Freeipa-users] Errors when trying IPA,Dovecot GSSAPI.

2013-03-08 Thread Petr Spacek

On 7.3.2013 18:06, Dale Macartney wrote:


I have just updated the article to have dovecot automatically creating a
maildir in a custom location.

http://www.freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On

It's not NFS-based in the homedir, but technically if you're using a mail
client with offline support, the mail in the homedir would be available if the
imap server became unavailable anyway. Just a thought.


Thank you for the nice article!

Please, could you add some notes like "Don't use NFS" etc.? What you tried and 
what failed? It would be beneficial for other users to not waste time again :-)


Thank you again!

--
Petr^2 Spacek



[Freeipa-users] Postfix and FreeIPA in a secure setup

2013-03-08 Thread Dale Macartney


Hi all

I've been reading through threads and threads of mailing lists and
google search results on this but most of the documentation isn't very
specific and is just vague enough for me not to make any progress.

Would anyone be able to assist with the following setup of Postfix?

Criteria are as follows:

1. Alias list comes from IPA via LDAPS to verify a legitimate mail user
(specific attribute or group membership might be required here as all
ipa users now have an email address value.)
2. Kerberos / GSSAPI (I heard SASL can be used here as well) for
authenticated SSO mail sending
3. Mail sending permission based on an LDAPS group membership, to
prevent unauthorised sending of mail from unknown users.

I know a few list members have deployments of postfix and IPA already up
and running so if you could share your experience here that would be
fantastic.

Many thanks.

Dale

