[Freeipa-users] Integrate bio-metric authentication with FreeIPA
Hello,

I'm interested in using FreeIPA but I cannot find a way to integrate biometric authentication. Is there a way to do this? Could you direct me to some text or tutorial?

Thanks and Best Regards,
Danijel Maksic

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Sudo issues with FreeIPA
Hi Lukas,

Does the LDAP entry need to be removed or just modified? Could the LDAP entry be a sudo policy assigned to the user?

In my tests with modified sudo policies the cache entries would persist even after they were invalidated and the user re-authenticated with the LDAP server. Unless I wanted to wait for a smart refresh of the cache I had to delete the entry from the cache with ldbdel and then restart the SSSD daemon.

I wonder if there is a better way to refresh the cache on demand.

Thanks,
Dimitar

On Sat, Dec 21, 2013 at 3:28 PM, Lukas Slebodnik lsleb...@redhat.com wrote:

> On (20/12/13 18:42), Dimitar Georgievski wrote:
> > Hi Dmitri,
> > One follow-up question about the management of the SSSD local cache. I've tried to clean cache entries with the sss_cache utility, but it looks like this utility is not working. I was able to confirm with ldbsearch that records for specific entries were not removed from the cache. This seems to be a bug. I can use ldbdel with a restart of the SSSD daemon, but just wanted to confirm with you. I suspect you would know more about this problem. Unfortunately I wasn't able to find any info yet about this potential bug.
> > thanks
> > Dimitar
>
> sss_cache does not remove users from cache (sss_cache -U). This utility sets expiration of account to the past (unix time with value 1), because user needs to be able to authenticate offline. Entry will be removed from cache if user tries to authenticate online and entry is removed from LDAP.
>
> LS
[Freeipa-users] FreeIPA Server Install - Why --no-ntp?
Section 2.1.4.5. NTP in the Fedora 18 / 3.1.5 Guide states:

  If a server is being installed on a virtual machine, that server *should not* run an NTP server. To disable NTP for FreeIPA, use the *--no-ntp* option.

There is no further explanation. I would like to install FreeIPA Server on a vSphere VM where NTP is recommended as part of their timekeeping best practices for Linux guests.

Please advise. Thanks!
Re: [Freeipa-users] Sudo issues with FreeIPA
On (23/12/13 10:16), Dimitar Georgievski wrote:
> Hi Lukas,
> Does the LDAP entry need to be removed or just modified? Could the LDAP entry be a sudo policy assigned to the user?

sudo rules are a special case; I didn't notice anything about sudo rules in the previous mail. There is a periodic task in the sssd for refreshing sudo rules because of the current ldap schema.

> In my tests with modified sudo policies the cache entries would persist even after they were invalidated and the user re-authenticated with the LDAP server. Unless I wanted to wait for a smart refresh of the cache I had to delete the entry from the cache with ldbdel and then restart the SSSD daemon.
> I wonder if there is a better way to refresh the cache on demand.

sss_cache does not work with sudo rules. If you are testing something, you can manually remove the sssd cache (rm /var/lib/sss/db/cache_*.ldb). If you don't like the behaviour in production, you can decrease the interval of the refresh update.

man sssd-sudo - THE SUDO RULE CACHING MECHANISM
and for sudo configuration options:
man sssd-ldap - SUDO OPTIONS

LS
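Added example, not from the thread: a small shell helper that classifies entries in an `ldbsearch` dump of the SSSD cache by their `dataExpireTimestamp`, so you can see the difference Lukas describes between an entry that sss_cache invalidated (timestamp forced to 1), one whose cached copy has simply expired, and one still valid. The sample LDIF is constructed, and the attribute name and DN layout (`cn=users` / `cn=sudorules,cn=custom` under `cn=<domain>,cn=sysdb`) are my assumptions about SSSD's sysdb.

```shell
#!/bin/sh
# Constructed sample of what `ldbsearch -H /var/lib/sss/db/cache_example.com.ldb`
# might print for two user entries and one sudo rule. Attribute names and DN
# layout are assumptions about SSSD's sysdb; the values are made up.
SAMPLE_LDIF='dn: name=alice,cn=users,cn=example.com,cn=sysdb
objectClass: user
name: alice
dataExpireTimestamp: 1

dn: name=bob,cn=users,cn=example.com,cn=sysdb
objectClass: user
name: bob
dataExpireTimestamp: 1387900000

dn: name=admins_rule,cn=sudorules,cn=custom,cn=example.com,cn=sysdb
objectClass: sudoRule
cn: admins_rule
dataExpireTimestamp: 1387800000
'

# Print "<dn>\t<state>" for every entry on stdin.
#   invalidated : dataExpireTimestamp == 1 (what sss_cache sets; entry kept for offline auth)
#   expired     : expiry lies before "now" (will be refreshed on next online lookup)
#   valid       : still served from cache until the expiry time
# $1 = current Unix time, e.g. "$(date +%s)".
sssd_cache_status() {
    awk -v now="$1" '
        function emit(    state) {
            if (dn == "") return
            if (exp_ts == 1) state = "invalidated"
            else if (exp_ts < now) state = "expired"
            else state = "valid"
            print dn "\t" state
            dn = ""; exp_ts = 0
        }
        /^dn: /                  { dn = substr($0, 5) }
        /^dataExpireTimestamp: / { exp_ts = $2 + 0 }
        /^$/                     { emit() }
        END                      { emit() }'
}

# Usage against a live cache (run as root; path is an example):
#   ldbsearch -H /var/lib/sss/db/cache_example.com.ldb | sssd_cache_status "$(date +%s)"
# Offline demonstration on the constructed sample, with "now" between the two timestamps:
printf '%s' "$SAMPLE_LDIF" | sssd_cache_status 1387850000
```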
Re: [Freeipa-users] FreeIPA Server Install - Why --no-ntp?
On Mon, 2013-12-23 at 12:57 -0700, Jason Becker wrote:
> Section 2.1.4.5. NTP in the Fedora 18 / 3.1.5 Guide states:
>
>   If a server is being installed on a virtual machine, that server *should not* run an NTP server. To disable NTP for FreeIPA, use the *--no-ntp* option.
>
> There is no further explanation. I would like to install FreeIPA Server on a vSphere VM where NTP is recommended as part of their timekeeping best practices for Linux guests.

It often happens that VMs do not do very good time keeping, so using a VM as the central NTP server is not really advised; you should instead get a good source for NTP external to the virtualized environment and use that one as the time source for your network. Of course if your virtualization environment guarantees a good clock, go for it. The recommendation is in the spirit of avoiding issues in the common case, which up to the time of the writing was not very good :)

Simo.

--
Simo Sorce * Red Hat, Inc * New York