Re: [Freeipa-users] User_show works from webserver, user_add ipa: ERROR: Insufficient access

2013-07-30 Thread Matt .
Hi Alexander,

This doc is really great.

I have added the delegation target but we still get an err=50 when
running our add_user script on the webserver.

On the IPA server we see a keytab file configured in the php.ini and on the
webserver we don't. Configs are quite the same here actually.

Something simple must be wrong I guess.

Thanks so far for the effort!

Cheers,

Matt


2013/7/29 Alexander Bokovoy aboko...@redhat.com

 Hi!


 On Mon, 29 Jul 2013, Matt . wrote:

 Hi Alexander,

 That is great!

 I hope that someone can find this topic and use it as reference as it took
 us some time to find the other one :)

 You can find my blog post here:
 http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html

 Hope it helps. I've tested the scenario on Fedora 19.


 Thanks!

 Cheers,

 Matt

 2013/7/29 Alexander Bokovoy aboko...@redhat.com

  Hi Matt,


 On Mon, 29 Jul 2013, Matt . wrote:

  Hi all,

 Referring to this topic:
 https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html


 We are now able to do a show_user from a webserver on an IPA server, but
 user_add gives a problem in rights.

 On the IPA server there is added to the services:
 HTTP/test-webserver.dev.domain.local@DEV.DOMAIN.LOCAL
 https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.lo...@dev.msp.CULLIE.LOCAL


 We installed mod_auth_kerb on the webserver and the IPA-server and
 created a keytab also on both servers.
 https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.lo...@dev.msp.CULLIE.LOCAL


 With our script we still get the following error because of the rights
 that the user has:

 ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the
 'userPassword' attribute

 When we add a user apache to the IPA server and give it admin rights and
 set it to the User Administrator Role we still don't have the right
 privileges to do so.

 We need to set up S4U2Proxy, which we thought we did by installing
 mod_auth_kerb on the webserver, but this seems to be on the IPA
 servers.

 The same question for the keytab: where do we use it when we use a
 simple webserver form to add a user? It's the same as in the topic here
 where the User privileges are discussed:
 http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8244

 What do we have to do on which server? We have put a lot of time into
 the user_show part and that works, now we still need the user_add (and
 so on).

 Has anyone some sort of sample/howto for this ?

  As I said on IRC, I'm working on the article which explains all that.
 Stay tuned.


 --
 / Alexander Bokovoy




 --
 / Alexander Bokovoy

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] User_show works from webserver, user_add ipa: ERROR: Insufficient access

2013-07-30 Thread Alexander Bokovoy

On Tue, 30 Jul 2013, Matt . wrote:

Hi Alexander,

This doc is really great.

I have added the delegation target but we still get an err=50 when
running our add_user script on the webserver.

On the IPA server we see a keytab file configured in the php.ini and on the
webserver we don't. Configs are quite the same here actually.

Something simple must be wrong I guess.

As I said on IRC, please first make sure you have a working environment
with a simple shell script like in the article. This is to ensure the
basic flow is working correctly -- delegation records are in place and
FreeIPA is indeed allowing the HTTP/web.server principal to impersonate the
user.

Next, you need to look into your use of LDAP bindings for PHP and make
sure you are authenticating with SASL GSSAPI method. The last comment at
http://php.net/manual/en/function.ldap-sasl-bind.php describes how this
can (and should) be done, using both SASL GSSAPI and TLS encryption.

There are four parts involved here:
1. IPA master should have delegation targets.
2. Web server should be set up as described.
3. Your web script should use SASL GSSAPI (or you should know what you are
doing ;)
4. Your client should negotiate Kerberos to the server when talking.

When all four are in place, it should work with whatever language you
have used to write your web application.
--
/ Alexander Bokovoy



Re: [Freeipa-users] User_show works from webserver, user_add ipa: ERROR: Insufficient access

2013-07-30 Thread Dmitri Pal
On 07/29/2013 03:02 PM, Alexander Bokovoy wrote:
 Hi!

 On Mon, 29 Jul 2013, Matt . wrote:
 Hi Alexander,

 That is great!

 I hope that someone can find this topic and use it as reference as it
 took us some time to find the other one :)
 You can find my blog post here:
 http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html


 Hope it helps. I've tested the scenario on Fedora 19.

I added it to the HOWTO section on wiki.
http://www.freeipa.org/page/Howto/Setting_up_S4U2Proxy_with_FreeIPA





-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] User_show works from webserver, user_add ipa: ERROR: Insufficient access

2013-07-30 Thread Matt .
Hi Dmitri,

It's a good tutorial but I'm kinda stuck (and new to that part)

What we seem to need is:

A -> B -> C -> D
A = user (running one), B = webserver, C = IPA server, D = LDAP on IPA server

I thought we didn't need the C -> D part because this is what IPA does. We
actually need the A -> B -> C part executed from a PHP script to add a
user with user_add.

More details about that are welcome.

Thanks!

Cheers,

Matt


2013/7/30 Dmitri Pal d...@redhat.com

 On 07/29/2013 03:02 PM, Alexander Bokovoy wrote:
  Hi!
 
  On Mon, 29 Jul 2013, Matt . wrote:
  Hi Alexander,
 
  That is great!
 
  I hope that someone can find this topic and use it as reference as it
  tool
  us some time to find the other one :)
  You can find my blog post here:
 
 http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
 
 
  Hope it helps. I've tested the scenario on Fedora 19.

 I added it to the HOWTO section on wiki.
 http://www.freeipa.org/page/Howto/Setting_up_S4U2Proxy_with_FreeIPA

 
 


Re: [Freeipa-users] How to communicate IPA with PHP

2013-07-30 Thread Matt .
Hi all,

We have found something out.

When you add a user (like cmdtestuser) to FreeIPA and add it to group:

- admins
- trust admins
- editors

And you add this same useraccount to a Linux box and do a su cmdtestuser
you are able to do a kinit and give your password that user has in
FreeIPA.

After this you can run a  curl script from the commandline with a
add_user and actually add that user to IPA. So that works.

That is what we actually want to do from PHP but testing this with a
HTTP/HTTPD user in IPA doesn't work.

Shouldn't that be possible ?

I hope so!

Cheers,

Matt




2013/7/26 Petr Vobornik pvobo...@redhat.com

 On 07/26/2013 04:37 PM, Rob Crittenden wrote:

 Zip Ly wrote:


 Normally if IPA has a well documented API then my approach would be:
 user --> (internet) --> webserver --> IPA API --> IPA server
 But since there isn't much info about the API then my approach would be:
 user --> (internet) --> webserver --> a PHP script which acts as a
 custom API --> IPA server
 The problem is I don't know which commands are available and which
 values/params I should send. For example:
 http://www.freeipa.org/docs/1.2/Administrators_Reference/en-US/html/chap-Administration_Reference-XML_RPC_Application_Programming_Interface_API_Documentation.html#

 These are commands for xml rpc. Without examples it's difficult to find
 out how to use it.


 The API changed between v1 and v2/3, so these docs are not right for
 your purposes.

 We haven't formally documented the API (either json or xml-rpc) yet
 because it is still somewhat in flux. The API is baked into the ipa
 client, so any command you can run from there is the equivalent of a
 json/xml-rpc command, just substituting underscore for dash.

 About the closest we have is API.txt in the source tree. This is really
 designed to be read by a computer but it outlines each command and the
 options it takes, and the output it returns.

  But they are different from this example:
 http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/

 In this example a user_find command is used, but this command cannot
 be found in the official xml rpc document above.
 In ssh I can display a list of commands with ipa help commands I don't
 know if they are all supported in /ipa/json I probably need to replace
 all dashes with underscores (correct me if I'm wrong).


 The same commands and options are available over json as xml-rpc.

  If I want to display all the supported params from one certain command
 for example ipa help user-find. Then, are all the double dashed params
 also the supported params which I can send with JSON?


 Yes.


 Note that for some LDAP attributes dash param names may be different than
 API option names. It those cases the correct one is LDAP attribute name.

 Use `ipa show-mappings command-name` to find the correct names.



  I prefer using the native API if there is one (hidden somewhere),
 because I don't want to reinvent the wheel with security leaks which I'm
 not aware of. Especially when I need to execute CLI commands from
 the PHP scripts.


 The native API is json/xml-rpc. They are currently equivalent. In the
 near future we are going to mark xml-rpc as deprecated and it will start
 to fall behind in features, and eventually we may drop it altogether.

 rob


 --
 Petr Vobornik




Re: [Freeipa-users] User_show works from webserver, user_add ipa: ERROR: Insufficient access

2013-07-30 Thread Dmitri Pal
On 07/30/2013 08:17 AM, Matt . wrote:
 Hi Dmitri,

 It's a good tutorial but I'm kinda stuck (and new to that part)

 What we seem to need is:

 A -> B -> C -> D
 A = user (running one), B = webserver, C = IPA server, D = LDAP on IPA server

 I thought we didn't need the C -> D part because this is what IPA
 does. We actually need the A -> B -> C part executed from a PHP
 script to add a user with user_add.

 More details about that are welcome.

You use the article but instead of accessing LDAP directly you need to
access the IPA web server because you will be running IPA commands and not
LDAP queries.
So instead of using the |ldap/ipa.example.com| principal as outlined in
the article, you configure acquisition of tickets for |http/ipa.example.com|.
Makes sense?


 Thanks!

 Cheers,

 Matt







Re: [Freeipa-users] User_show works from webserver, user_add ipa: ERROR: Insufficient access

2013-07-30 Thread Alexander Bokovoy

On Tue, 30 Jul 2013, Dmitri Pal wrote:

On 07/30/2013 08:17 AM, Matt . wrote:

Hi Dmitri,

It's a good tutorial but I'm kinda stuck (and new to that part)

What we seem to need is:

A -> B -> C -> D
A = user (running one), B = webserver, C = IPA server, D = LDAP on IPA server

I thought we didn't need the C -> D part because this is what IPA
does. We actually need the A -> B -> C part executed from a PHP
script to add a user with user_add.

More details about that are welcome.


You use the article but instead of accessing LDAP directly you need to
access the IPA web server because you will be running IPA commands and not
LDAP queries.
So instead of using the |ldap/ipa.example.com| principal as outlined in
the article, you configure acquisition of tickets for |http/ipa.example.com|.
Makes sense?

Yes and Matt actually solved his problem on IRC and now is happily deploying
his servers. :)

I'll extend the article to cover the case when you need to talk to both
LDAP and IPA server XML-RPC/JSON API.

Ideally we need to introduce some commands to manage delegations between
services. An RFE ticket for CLI?








Re: [Freeipa-users] User_show works from webserver, user_add ipa: ERROR: Insufficient access

2013-07-30 Thread Martin Kosek
On 07/30/2013 05:52 PM, Alexander Bokovoy wrote:
 Yes and Matt actually solved his problem on IRC and now is happily deploying
 his servers. :)
 
 I'll extend the article to cover the case when you need to talk to both
 LDAP and IPA server XML-RPC/JSON API.
 
 Ideally we need to introduce some commands to manage delegations between
 services. An RFE ticket for CLI?
 

Already filed :-)
https://fedorahosted.org/freeipa/ticket/3644

Contributions are very welcome.

Martin



Re: [Freeipa-users] How to communicate IPA with PHP

2013-07-30 Thread Dmitri Pal
On 07/30/2013 09:11 AM, Matt . wrote:
 Hi all,

 We have found something out.

 When you add a user (like cmdtestuser) to FreeIPA and add it to group:

 - admins
 - trust admins
 - editors

This does not really matter if you are just trying to do authentication.
This would matter if you start to execute administrative commands with
the user. As a starting point, putting the user into the admins group would
enable him to do everything. However, in general we suggest that you:
1. Identify the operations that your application would perform.
2. Identify the permissions and privileges needed for those operations.
3. Create a role that grants those privileges.
4. Associate the user with the role (directly) or via a new group that you
would create.

Bottom line after you sort out the authentication and ticket delegation
you would need to think about access control and reduce the privileges
of your PHP application to only operations it really needs to perform.


 And you add this same useraccount to a Linux box and do a su
 cmdtestuser you are able to do a kinit and give your password that
 user has in FreeIPA.

How do you add it? Do you actually define a local user? That would be
wrong.


 After this you can run a  curl script from the commandline with a
 add_user and actually add that user to IPA. So that works.

Yes, because you effectively ran an ipa user-add command yourselves
using curl.


 That is what we actually want to do from PHP but testing this with a
 HTTP/HTTPD user in IPA doesn't work.

Are you talking about a local HTTP user that was added to the local
/etc/passwd file?
Of course it would not work. You need to run your application using a
user (principal) that IPA (Kerberos) recognizes.


 Shouldn't that be possible ?

It is possible.
And you can do it two ways: you can use the end user's identity to perform
operations against IPA, or you can give privileges to the PHP application
to perform operations using its own identity. The former is preferable.
In the latter case you sort of hand the keys to the kingdom to the PHP
application, and even if you confine its privileges as I described above
you would have to build access control into your PHP application if you
want to allow different admins to perform different operations via your
PHP application.
So the best would be to use the user identity, so please use Alexander's
article and make your PHP application acquire a ticket on the user's
behalf. Make your users members of the admin group for testing purposes
to sort out the authentication issues, but once done define the right
privileges for them so that they can execute only the commands that they
are entitled to execute.


HTH


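As an added illustration of the pieces discussed in this thread (Alexander's delegation records and four-part checklist, Dmitri's point about targeting http/ rather than ldap/ on the IPA server, Rob's dash-to-underscore rule for the JSON-RPC API, and Dmitri's least-privilege sequence), here is example code that is not from the thread or from the FreeIPA project. It assumes the realm EXAMPLE.COM, a web server web.example.com, an IPA master ipa.example.com, the suffix dc=example,dc=com, and placeholder values for the API version and permission names.

```python
from dataclasses import dataclass

# Constructed names for this example; substitute your own realm, hosts and suffix.
REALM = "EXAMPLE.COM"
IPA_HOST = "ipa.example.com"
SUFFIX = "dc=example,dc=com"
WEB_PRINCIPAL = f"HTTP/web.example.com@{REALM}"      # mod_auth_kerb's principal
S4U2PROXY_BASE = "cn=s4u2proxy,cn=etc"                # FreeIPA's delegation container
API_VERSION = "2.49"  # ASSUMED placeholder: take the real value from API.txt


@dataclass(frozen=True)
class Delegation:
    """One S4U2Proxy rule: which principal may impersonate users (the web
    server) and towards which services (Alexander's 'delegation records')."""
    name: str
    web_principal: str
    ipa_host: str
    realm: str
    suffix: str

    def targets(self):
        # Dmitri's correction: the target is whatever the web app really talks
        # to: ldap/ for direct LDAP, HTTP/ for the IPA JSON/XML-RPC API. Since
        # Alexander says both may be needed, list both.
        return [f"ldap/{self.ipa_host}@{self.realm}",
                f"HTTP/{self.ipa_host}@{self.realm}"]

    def ldif(self) -> str:
        """LDIF for the ACL entry and its target group, ready for ldapmodify."""
        acl_dn = f"cn={self.name},{S4U2PROXY_BASE},{self.suffix}"
        tgt_dn = f"cn={self.name}-targets,{S4U2PROXY_BASE},{self.suffix}"
        lines = [
            f"dn: {acl_dn}",
            "changetype: add",
            "objectClass: ipaKrb5DelegationACL",
            "objectClass: groupOfPrincipals",
            "objectClass: top",
            f"cn: {self.name}",
            f"memberPrincipal: {self.web_principal}",
            f"ipaAllowedTarget: {tgt_dn}",
            "",
            f"dn: {tgt_dn}",
            "changetype: add",
            "objectClass: groupOfPrincipals",
            "objectClass: top",
            f"cn: {self.name}-targets",
        ]
        lines += [f"memberPrincipal: {p}" for p in self.targets()]
        return "\n".join(lines) + "\n"


def rpc_request(cli_command: str, args=(), **options) -> dict:
    """Body POSTed to /ipa/json for a CLI-style command, e.g. `user-add`.
    Rob's rule: dashes become underscores in the method name; positional
    arguments go in the first list and options in the dict. Option keys are the
    API names (`ipa show-mappings user-add`): --first is givenname, --last is
    sn. Nothing secret goes in the body; the caller authenticates on the HTTP
    layer with the ticket S4U2Proxy obtained for the end user."""
    params = dict(options)
    params["version"] = API_VERSION
    return {"method": cli_command.replace("-", "_"),
            "params": [list(args), params],
            "id": 0}


def rpc_headers(ipa_host: str) -> dict:
    # /ipa/json checks the Referer header; point it at the IPA web root.
    return {"Content-Type": "application/json",
            "Accept": "application/json",
            "Referer": f"https://{ipa_host}/ipa"}


def least_privilege_plan(role, privilege, permissions, group) -> list:
    """Dmitri's sequence as API calls instead of dropping users into admins:
    privilege -> attach permissions -> role -> attach privilege -> grant the
    role to a group. Permission names are ASSUMED; check `ipa permission-find`."""
    return [
        rpc_request("privilege-add", [privilege],
                    description="what the web form may do"),
        rpc_request("privilege-add-permission", [privilege],
                    permission=list(permissions)),
        rpc_request("role-add", [role]),
        rpc_request("role-add-privilege", [role], privilege=[privilege]),
        rpc_request("role-add-member", [role], group=[group]),
    ]


if __name__ == "__main__":
    d = Delegation("web-delegation", WEB_PRINCIPAL, IPA_HOST, REALM, SUFFIX)
    print(d.ldif())
    print(rpc_request("user-add", ["cmdtestuser"], givenname="Cmd", sn="Test"))
    for call in least_privilege_plan("Web Provisioner", "Web user provisioning",
                                     ["Add Users", "Change User password"],
                                     "web-provisioners"):
        print(call["method"], call["params"])
```

Load the LDIF with ldapmodify on the IPA master and confirm the basic flow with a plain shell script, as Alexander suggests, before wiring up the PHP side.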

[Freeipa-users] authenticate with base domain name?

2013-07-30 Thread KodaK
I've been searching and I know it's been answered before but I can't find it.

I have UNIX.DOMAIN.COM as my IPA realm.

I have some hosts that sit on (in dns) domain.com (they are not part
of any other Kerberos realms.)

I'm unable to currently change the domain names on these boxes.

In krb5.conf I have the mappings:

domain.com = UNIX.DOMAIN.COM
.domain.com = UNIX.DOMAIN.COM

I can do a kinit admin from the client machine and get a ticket.

I'm unable to authenticate via ssh to the client machine (with the user admin.)

I'm able to su to the user, so we're talking to ldap and kerberos.

I have the GSSAPI options set in sshd_config:

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

But, in the syslog I see:

Miscellaneous failure\nNo principal in keytab matches desired name\n

I'm sure this is because I generated the keytab for
host.unix.domain.com instead of host.domain.com -- but I don't
know how to accomplish the second one.

I may be on the wrong track here.  Every time I think I understand
this I get hit with something that shows me that I'm still clueless.

A pointer to a previous discussion on this would be sufficient, I think.

Thanks,

--Jason

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
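An added example, not from the thread, of the check behind the "No principal in keytab matches desired name" message: resolve a host name through the [domain_realm] mappings quoted above, derive the host/FQDN@REALM principal sshd's GSSAPI needs, and look for it in klist -k output. The klist listing is constructed to mirror the thread (keytab made for host.unix.domain.com), and the realm resolution is a simplified version of krb5's rules.

```shell
#!/bin/sh
# Constructed "klist -k" output: keytab generated for host.unix.domain.com.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   2 host/host.unix.domain.com@UNIX.DOMAIN.COM
   2 host/host.unix.domain.com@UNIX.DOMAIN.COM'

# The two [domain_realm] entries from the thread as "key realm" pairs.
DOMAIN_REALM='domain.com UNIX.DOMAIN.COM
.domain.com UNIX.DOMAIN.COM'

# lookup_realm KEY: print the realm for an exact [domain_realm] key.
lookup_realm() {
    printf '%s\n' "$DOMAIN_REALM" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# realm_for_host FQDN: simplified krb5 resolution: the host name itself,
# then each parent domain with a leading dot. Fails if nothing matches.
realm_for_host() {
    r=$(lookup_realm "$1"); rest=$1
    while [ -z "$r" ] && [ "${rest#*.}" != "$rest" ]; do
        rest=${rest#*.}
        r=$(lookup_realm ".$rest")
    done
    [ -n "$r" ] && printf '%s\n' "$r"
}

# expected_host_principal FQDN: what GSSAPI asks the keytab for on login.
expected_host_principal() {
    realm=$(realm_for_host "$1") || return 1
    printf 'host/%s@%s\n' "$1" "$realm"
}

# keytab_has_principal KLIST_OUTPUT PRINCIPAL: 0 if listed, 1 otherwise.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { found = 1 } END { exit !found }'
}

# check_host FQDN: 0 when the keytab can serve GSSAPI logins to FQDN.
check_host() {
    want=$(expected_host_principal "$1") || { echo "no realm mapping: $1"; return 2; }
    if keytab_has_principal "$SAMPLE_KLIST" "$want"; then
        echo "OK: keytab has $want"
    else
        echo "MISSING: $want (GSSAPI logins to $1 will fail)"; return 1
    fi
}

for h in host.unix.domain.com host.domain.com; do check_host "$h" || true; done
```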


Re: [Freeipa-users] authenticate with base domain name?

2013-07-30 Thread KodaK
Nevermind, AIX problem (surprise, surprise!)

Since it's half-kerberized at this point (the default is system auth,
not kerb/ldap) it failed.

I had to create entries in /etc/security/user for the users I wanted
to test with and explicitly state that I wanted them to log on via
krb5/ldap.

--Jason

On Tue, Jul 30, 2013 at 2:41 PM, KodaK sako...@gmail.com wrote:
 I've been searching and I know it's been answered before but I can't find it.

 I have UNIX.DOMAIN.COM as my IPA realm.

 I have some hosts that sit on (in dns) domain.com (they are not part
 of any other Kerberos realms.)

 I'm unable to currently change the domain names on these boxes.

 In krb5.conf I have the mappings:

 domain.com = UNIX.DOMAIN.COM
 .domain.com = UNIX.DOMAIN.COM

 I can do a kinit admin from the client machine and get a ticket.

 I'm unable to authenticate via ssh to the client machine (with the user 
 admin.)

 I'm able to su to the user, so we're talking to ldap and kerberos.

 I have the GSSAPI options set in sshd_config:

 GSSAPIAuthentication yes
 GSSAPICleanupCredentials yes

 But, in the syslog I see:

 Miscellaneous failure\nNo principal in keytab matches desired name\n

 I'm sure this is because I generated the keytab for
 host.unix.domain.com instead of host.domain.com -- but I don't
 know how to accomplish the second one.

 I may be on the wrong track here.  Every time I think I understand
 this I get hit with something that shows me that I'm still clueless.

 A pointer to a previous discussion on this would be sufficient, I think.

 Thanks,

 --Jason

 --
 The government is going to read our mail anyway, might as well make it
 tough for them.  GPG Public key ID:  B6A1A7C6



-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



Re: [Freeipa-users] authenticate with base domain name?

2013-07-30 Thread KodaK
Ok, so, yeah -- my first question stands.  This works when it falls
back to LDAP, but it does not honor a kerberos ticket.  Is there a way
to do that in the same circumstances?

Thanks again,

--Jason

On Tue, Jul 30, 2013 at 2:58 PM, KodaK sako...@gmail.com wrote:
 Nevermind, AIX problem (surprise, surprise!)

 Since it's half-kerberized at this point (the default is system auth,
 not kerb/ldap) it failed.

 I had to create entries in /etc/security/user for the users I wanted
 to test with and explicitly state that I wanted them to log on via
 krb5/ldap.

 --Jason

 On Tue, Jul 30, 2013 at 2:41 PM, KodaK sako...@gmail.com wrote:
 I've been searching and I know it's been answered before but I can't find it.

 I have UNIX.DOMAIN.COM as my IPA realm.

 I have some hosts that sit on (in dns) domain.com (they are not part
 of any other Kerberos realms.)

 I'm unable to currently change the domain names on these boxes.

 In krb5.conf I have the mappings:

 domain.com = UNIX.DOMAIN.COM
 .domain.com = UNIX.DOMAIN.COM

 I can do a kinit admin from the client machine and get a ticket.

 I'm unable to authenticate via ssh to the client machine (with the user 
 admin.)

 I'm able to su to the user, so we're talking to ldap and kerberos.

 I have the GSSAPI options set in sshd_config:

 GSSAPIAuthentication yes
 GSSAPICleanupCredentials yes

 But, in the syslog I see:

 Miscellaneous failure\nNo principal in keytab matches desired name\n

 I'm sure this is because I generated the keytab for
 host.unix.domain.com instead of host.domain.com -- but I don't
 know how to accomplish the second one.

 I may be on the wrong track here.  Every time I think I understand
 this I get hit with something that shows me that I'm still clueless.

 A pointer to a previous discussion on this would be sufficient, I think.

 Thanks,

 --Jason

 --
 The government is going to read our mail anyway, might as well make it
 tough for them.  GPG Public key ID:  B6A1A7C6



 --
 The government is going to read our mail anyway, might as well make it
 tough for them.  GPG Public key ID:  B6A1A7C6



-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



[Freeipa-users] password resetting into IPA

2013-07-30 Thread Steven Jones
Has anybody tried this?

http://code.google.com/p/pwm/

Would it work, or is it advised not to use it? If so, reasons please.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272



Re: [Freeipa-users] password resetting into IPA

2013-07-30 Thread KodaK
On Tue, Jul 30, 2013 at 6:16 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
 Has anybody tried this?

 http://code.google.com/p/pwm/

 Would it work, or is it advised not to use it? If so, reasons please.


It's been talked about a bit in this mailing list.  I had issues, and I know of
another person who was setting it up (but I never heard any success reports.)

Give it a shot and see where you can go with it.

I used this:

http://ltb-project.org/wiki/documentation/self-service-password

But it's much simpler and feature-poor than PWM seems to be.
(But works for what I need.)
