Re: [Freeipa-users] user question

2015-11-20 Thread Rob Crittenden
Ainsworth, Thomas wrote:
> Question:
> 
> How can you set the password policy to require at least four (4) new
> characters when the user is setting their password?

I assume you mean 4 new characters as compared to the current password?
I don't know of a way to do that. I don't believe the current cleartext
password is always available to do such a comparison.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] FreeIPA user can't login to linux.

2015-11-20 Thread Rob Crittenden
zhiyong xue wrote:
> The problem still exists after updating from 4.1 to 4.2.3.

Because the problem is not in IPA, it is in how you are manually adding
entries.

Since you are now running 4.2 I'd suggest you look into using staged
users, http://www.freeipa.org/page/V4/User_Life-Cycle_Management

> Rob, how to check the missed manage entry?

A managed group needs the attribute mepManagedBy with a value of the dn
that is managing it and the objectclass mepManagedEntry.

rob

> 
> 2015-11-20 0:11 GMT+08:00 Rob Crittenden:
> 
> zhiyong xue wrote:
> > Rob, where can I get more error information beside the log?
> > [16/Nov/2015:02:52:59 +] managed-entries-plugin - mep_del_post_op:
> > failed to delete managed entry
> > (member=syncopex5,cn=groups,cn=accounts,dc=example,dc=com) - error (32)
> 
> I can still only assume what you're doing: manually adding the entries
> directly by LDAP. To do this you need to follow IPA conventions, or use
> the new user lifecycle framework added in 4.2.
> 
> I'm guessing it can't delete the managed entry because either it doesn't
> exist or it is missing an objectclass/attribute marking it as managed.
> 
> rob
> 
> >
> > 2015-11-16 13:43 GMT+08:00 zhiyong xue:
> >
> > I am using IPA 4.1 in CentOS7.  And I can login to system after "id
> > syncopex5", maybe it's a cache problem.
> >
> > 2015-11-16 11:24 GMT+08:00 Rob Crittenden:
> >
> > zhiyong xue wrote:
> > > We integrated the Apache Syncope server with FreeIPA server. So user can
> > > self register ID from Apache Syncope then synchronize to FreeIPA. The
> > > problems are:
> > > *1) User created from Apache Syncope can't login to linux. The user
> > > created from FreeIPA web gui works well.*
> >
> > For login issues see
> > https://fedorahosted.org/sssd/wiki/Troubleshooting
> > This is unlikely to fix things but it will help with later debugging.
> >
> > This likely revolves around how you are creating these accounts. We'll
> > need information on what you're doing. The more details the better.
> >
> > > *2) The user also can't be deleted from web UI and CLI. It said
> > > "syncopex5: user not found".*
> >
> > Again, you probably aren't creating the users correctly.
> >
> > I can only assume that you are creating the users directly via an LDAP
> > add. This is working around the IPA framework which does additional work.
> >
> > Knowing what version of IPA this is would help too.
> >
> > You'll probably also want to read this:
> > http://www.freeipa.org/page/V4/User_Life-Cycle_Management . This is in
> > IPA 4.2.
> >
> > rob
> 

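Rob's description of what a managed group needs (objectclass mepManagedEntry plus a mepManagedBy pointing at the managing user) can be checked mechanically over an LDAP export before users are deleted. The Python below is an added example, not code from this thread or from FreeIPA; the LDIF sample inside it is constructed and follows the DN layout of the log line quoted above.

```python
"""Audit IPA user private groups for the managed-entry markers.

The managed-entries plugin can only remove a user's private group when the
group carries objectClass mepManagedEntry and an attribute mepManagedBy
holding the DN of the managing user entry.  Groups added by hand over LDAP
often lack one or both, which is what makes mep_del_post_op fail with
error 32 (noSuchObject) when the user is deleted.
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into {dn: {attribute_lowercase: [values]}}.

    Handles folded continuation lines (leading space) and comment lines.
    Base64-encoded values ("attr:: ...") are not needed here and are skipped.
    """
    entries, attrs, last_attr = {}, {}, None
    for raw in text.splitlines() + [""]:        # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw == "":
            if attrs:
                entries[attrs.pop("dn")[0]] = attrs
            attrs, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            attrs[last_attr][-1] += raw[1:]     # folded line continues the previous value
            continue
        name, _, value = raw.partition(":")
        if value.startswith(":"):               # base64 value, skip
            last_attr = None
            continue
        last_attr = name.strip().lower()
        attrs.setdefault(last_attr, []).append(value.strip())
    return entries


def norm_dn(dn):
    """Normalise a DN enough for equality checks: lowercase, no stray spaces."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_managed_groups(ldif_text, groups_base="cn=groups,cn=accounts,dc=example,dc=com"):
    """Return {group_dn: [problems]} for groups whose managed-entry markers are missing or dangling."""
    entries = parse_ldif(ldif_text)
    known_dns = {norm_dn(dn) for dn in entries}
    suffix = "," + norm_dn(groups_base)
    problems = {}
    for dn, attrs in entries.items():
        if not norm_dn(dn).endswith(suffix):
            continue                            # not a group entry
        issues = []
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "mepmanagedentry" not in classes:
            issues.append("missing objectClass mepManagedEntry")
        managed_by = attrs.get("mepmanagedby", [])
        if not managed_by:
            issues.append("missing attribute mepManagedBy")
        elif norm_dn(managed_by[0]) not in known_dns:
            issues.append("mepManagedBy points at a DN not in the dump: " + managed_by[0])
        if issues:
            problems[dn] = issues
    return problems


# Constructed sample: alice is correct, syncopex5 was added by hand without the
# markers, and bob's group points at a user entry that does not exist.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
uid: alice

dn: cn=alice,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixGroup
objectClass: mepManagedEntry
cn: alice
mepManagedBy: uid=alice,cn=users,cn=accounts,dc=example,dc=com

dn: uid=syncopex5,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
uid: syncopex5

dn: cn=syncopex5,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixGroup
cn: syncopex5

dn: cn=bob,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixGroup
objectClass: mepManagedEntry
cn: bob
mepManagedBy: uid=bob,cn=users,cn=accounts,dc=example,dc=com
"""

if __name__ == "__main__":
    for group, issues in check_managed_groups(SAMPLE_LDIF).items():
        print(group)
        for issue in issues:
            print("  -", issue)
```

Feed it the output of an ldapsearch over cn=accounts (LDIF) instead of the sample to audit a real deployment.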


[Freeipa-users] FreeIPA 4.2 released in RHEL-7.2!

2015-11-20 Thread Martin Kosek

Hello,

As some of you noticed already, RHEL-7.2 with FreeIPA rebased to version 4.2 
was released yesterday! Let me just paste a couple of information sources if you 
want to know more:


RHEL respective release notes chapter:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/authentication_and_interoperability.html

Knowledge Base with brief summary of new features
https://access.redhat.com/solutions/1986213

Related documentation books:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/index.html

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/index.html


Also, the CentOS project already announced that CentOS-7.2 is in the works:
http://seven.centos.org/2015/11/rhel-7-2-released-today/

Enjoy!

--
Martin Kosek 
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.



Re: [Freeipa-users] 4.2 Packages for RHEL/CentOS 7.1

2015-11-20 Thread Martin Kosek

On 11/20/2015 04:10 AM, Baird, Josh wrote:

RHEL 7.2 went GA today.


Surprise! I posted more information to a new thread:
https://www.redhat.com/archives/freeipa-users/2015-November/msg00309.html




On Nov 19, 2015, at 7:59 PM, Christopher Young  wrote:

I recall that original message about the packaging before RHEL 7.2 and
how few of us expressed interest.  I believe I did respond to the
positive that I could use these packages, but I certainly understand
additional effort.  I just hate to be waiting on RH's cycle to get
updates to one of the pieces of my infrastructure where features are
in demand and getting added more often.  I prefer my base server OSes
to stay as stable as possible, but FreeIPA is an exception for me.  In
any case, I appreciate the effort and the response.

Just so that I'm clear, this basically means that we should wait until
the RHEL 7.2 release (and the following CentOS 7.2 release) before
this will be generally available?  I want to make sure I pay attention to
that as it gets released.

Thanks,

Chris


On Thu, Nov 12, 2015 at 3:45 AM, Alexander Bokovoy  wrote:

On Wed, 11 Nov 2015, Christopher Young wrote:

Do we know what the status is of getting these packages prepped and into the
mainstream repos (like EPEL, I suppose)?

I'm just curious as I try and keep my repos minimal on servers (for
obvious reasons), but I would really like to begin testing/using the
functionality in 4.2.


I believe EPEL's policy prevents you from packaging software which
exists in RHEL proper. FreeIPA 4.2 is coming with RHEL 7.2; it was
already published as part of the RHEL 7.2 beta in September.

I want to remind you that during this summer I ran a few queries here
(freeipa-users@) and elsewhere to solicit opinions on whether people want
to have FreeIPA 4.2 packages available for CentOS before the RHEL 7.2
release. Very few responses came back and there wasn't any convincing
feedback that would have justified the additional effort to make the
repository and maintenance reasonable.

https://www.redhat.com/archives/freeipa-users/2015-July/msg00243.html

--
/ Alexander Bokovoy




[Freeipa-users] user question

2015-11-20 Thread Ainsworth, Thomas
Question:

How can you set the password policy to require at least four (4) new
characters when the user is setting their password?

Tom

Re: [Freeipa-users] Upgrading from 3.0.0 CentOS6 to 4.2.3 CentOS7

2015-11-20 Thread Martin Kosek

On 11/19/2015 11:03 PM, Ash Alam wrote:

Hello All

I am looking for some advice on upgrading. Currently our FreeIPA servers are
3.0.0 on centos 6.6. We are looking to go to 4.2.3 Centos7. This upgrade path
is not possible per IPA documentation. Minimum version required is 3.3.x. I
have also found that centos6 does not provide anything past 3.0.0.


And it won't. There are no plans to update the FreeIPA version in 
RHEL/CentOS-6.x; we encourage people who want the new features to migrate to 
RHEL-7.x:


http://www.freeipa.org/page/Howto/Migration#Migrating_Identity_Management_in_RHEL.2FCentOS

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc

If you want to wait on CentOS-7.2, it should be in the works now:
http://seven.centos.org/2015/11/rhel-7-2-released-today/


One idea is to upgrade to 3.3.x first and then upgrade to 4.2.3 on centos7.
This is harder since centos does not provide this. The other issue is if
3.0/3.3 client will be supported with 4.2.3 server.


The right way is to migrate via creating replicas in RHEL/CentOS-7.x and slowly 
deprecating RHEL/CentOS-6 ones. Detailed procedure in the links above.




[Freeipa-users] freeipa harware appliance

2015-11-20 Thread Karl Forner
Hello,

Could you recommend me a mini appliance/server to use as a freeIPA server?
I guess the main points are an ethernet port, minimal consumption,
robustness.

Thanks,
Karl Forner

[Freeipa-users] connection problems after reboot with unusual setting (Ubuntu 14.04 + freeipa docker)

2015-11-20 Thread Karl Forner
Hello,

My server runs ubuntu 14.04 and uses sssd 1.12.5-1~trusty1.
The freeipa server runs inside a docker container (an adelton/freeipa-server), and
the docker host pretends to be the freeIPA server by forwarding the
appropriate ports.

This works very fine.
But when I reboot my server (which is in a locked server room), I
struggle to connect to it.

I'm unable to connect using ssh onto it, using any kind of local or freeIPA
accounts.
The DNS server (provided by freeIPA) works fine though (i.e. nslookup
server server works).

Fortunately, I have the monit web app running on the server that allows me to
restart the ssh service.

After restarting ssh remotely, I am now able to connect to the server.
It seems that all works fine again once I restart sssd on the server.

I know this is a pretty complex setup, but do you have hints that could
help me have a usable server after reboot?

Thanks,
Karl Forner

Re: [Freeipa-users] Upgrading from 3.0.0 CentOS6 to 4.2.3 CentOS7

2015-11-20 Thread Ash Alam
Most of the clients in my env are centos 6.6 with ipa 3.0.0 client
installed. If I bring up a replica on centos 7.2 with ipa 4.2.3 server and
then start phasing out the older 3.0.0 servers, will the clients that are
still running the older client software still work?


Re: [Freeipa-users] Upgrading from 3.0.0 CentOS6 to 4.2.3 CentOS7

2015-11-20 Thread Martin Babinsky

On 11/20/2015 04:08 PM, Ash Alam wrote:

Most of the clients in my env are centos 6.6 with ipa 3.0.0 client
installed. If I bring up a replica on centos 7.2 with ipa 4.2.3 server
and then start phasing out the older 3.0.0 servers, will the clients that
are still running the older client software still work?


Yes, older clients should be able to talk to newer masters.


--
Martin^3 Babinsky



Re: [Freeipa-users] Upgrading from 3.0.0 CentOS6 to 4.2.3 CentOS7

2015-11-20 Thread Martin Kosek

On 11/20/2015 04:08 PM, Ash Alam wrote:

Most of the clients in my env are centos 6.6 with ipa 3.0.0 client installed. If
I bring up a replica on centos 7.2 with ipa 4.2.3 server and then start
phasing out the older 3.0.0 servers, will the clients that are still running the
older client software still work?


It should, yes. It is expected that there are RHEL/CentOS-6 clients with RHEL-7 
FreeIPA servers. The older clients just won't be able to use the newest features.






Re: [Freeipa-users] freeipa harware appliance

2015-11-20 Thread Karl Forner
Thanks Martin.
My expected numbers: users ~ 50 max, concurrent clients/sessions < 20,
hosts < 20.
I was thinking about a server with an old intel cpu, 4Gb RAM and a small HDD
or USB key-based storage + an ethernet port.
I have no idea if it is common practice in IT to run such a (critical)
application on its own dedicated appliance.




Re: [Freeipa-users] freeipa harware appliance

2015-11-20 Thread Martin Basti



On 20.11.2015 16:47, Karl Forner wrote:

Hello,

Could you recommend me a mini appliance/server to use as a freeIPA 
server?
I guess the main points are an ethernet port, minimal consumption, 
robustness.


Thanks,
Karl Forner



Hello,

I would say that the minimal amount of RAM is 2GB with IPA 4.2; of course 
the amount of resources depends on many things.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Preparing_for_an_IPA_Installation-Hardware_Requirements.html

Disk space: at least 500MB for the basic installation + base OS + stored data.

I do not know if IPA is limited by CPU somehow, but with a very slow 
CPU you may need to increase timeouts (I saw posts on this list 
that it is possible to run IPA on a Raspberry Pi with increased timeouts).


Maybe it would be better if you write what you need this minimal 
configuration for and how many clients, users and connections IPA should 
handle.


Martin



Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question

2015-11-20 Thread Jeffrey Stormshak
Rob -
Thank you for the suggestions as I finally have them implemented.  However, the 
twist to this saga is that it only works when I bind to LDAP as "anonymous" 
vs. setting an actual "binddn" and "bindpw".  I truly do not want to keep it 
this way.  With that being said, may I ask what should be the proper binddn 
account to use so that auth and sudo will work?

Once again, thank you for the help getting me further down the configuration 
trail!

-Original Message-
From: Jeffrey Stormshak 
Sent: Tuesday, November 17, 2015 10:49 AM
To: Jeffrey Stormshak; Rob Crittenden; Jakub Hrozek; freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Oracle Linux 5.5 - Legacy Question

I meant "did" forget.  Silly typo on my behalf...

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jeffrey Stormshak
Sent: Tuesday, November 17, 2015 10:44 AM
To: Rob Crittenden; Jakub Hrozek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question

Thanks Rob!  Sorry, I didn't forget to mention what was the message.  It 
basically stated the message listed below.

Sorry, user plmoss may not run sudo on client_server

Let me try your suggestions and see if that helps lead me down the right path.  
Once again, thanks for this feedback.  Oh how I miss using the "ipa-client" I 
used on all of my higher Linux versions.  Talk about saving time cycles and 
deployment timeframes.  Oh well.  

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, November 17, 2015 9:51 AM
To: Jeffrey Stormshak; Jakub Hrozek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question

Jeffrey Stormshak wrote:
> Thank you for the response.  If I may, can you expand more on the sudoers 
> response?
>
> More details from my configuration ...
> The current setup for me is that all my sudoers rules/commands and groups are 
> defined and stored in the RHEL 7.1 IDM LDAP.  When I create the 
> /etc/sudo-ldap.conf (snippet below), I'm still not able to get it working on 
> these 5.5 Linux clients.
>
> uri ldap://ldap-server-name/
> sudoers_base ou=SUDOers,dc=EXAMPLE,dc=COM binddn 
> uid=sudo,cn=sysaccounts,cn=etc,dc=EXAMPLE,dc=COM
> bindpw secret_pass
> bind_timelimit 5
> timelimit 15
>
> In your experience, am I missing some other component?  PAM Modules?  
> Reference in the /etc/nsswitch.conf?

It's hard to know what to recommend since you haven't said what isn't working.

Your nsswitch.conf should have:

sudoers: files ldap

You probably want to add sudoers_debug 2 to your sudo-ldap.conf file too while 
debugging.

You almost certainly want to use TLS here:

ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

You also need your nisdomainname set to your domain to do group or host-based 
sudo.

You also need to add this to your sssd.conf:

ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com

Stick it after ipa_server in the config file.

Use sudo -l to test.

rob
>
> -Original Message-
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
> Sent: Tuesday, November 17, 2015 2:56 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question
>
> On Mon, Nov 16, 2015 at 08:58:37PM +, Jeffrey Stormshak wrote:
>> Greetings ---
>> I'm in the process of deploying the RHEL 7.1 IDM into my enterprise and we 
>> have a great number of Oracle Linux 5.5 servers.  Upon research from Oracle 
>> (ULN Channels) the Linux "ipa-client" was only released for 5.6 and then 
>> upstream.  I went ahead and configured the PAM/LDAP authentication method 
>> for 5.5 and so far it's working as expected.  With that history being said ...
>>
>> I'm having difficulty getting TLS and "sudoers" to be managed by the RHEL 
>> IDM to these 5.5 clients.  Can anyone share some insight or documentation 
>> details on how to solve these two problems prior to my mass deployment?  Any 
>> insight is greatly appreciated.  Thanks!
>
> Not sure about TLS but sudoers should be managed with their ldap 
> config (there's no sssd, hence no sssd sudo integration.)
>
>


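Rob's checklist (start_tls with the IPA CA and peer verification, a real binddn/bindpw, sudoers_base, and `sudoers: files ldap` in nsswitch.conf) can be verified mechanically before a sudo-ldap.conf is pushed to a fleet of 5.5 clients. This Python is an added example, not code from the thread or from FreeIPA; both sample configs in it are constructed, the weak one modelled on the snippet quoted above (including the binddn that was folded onto the sudoers_base line).

```python
"""Audit a legacy client's sudo-ldap.conf and nsswitch.conf against the
settings recommended in the thread: sudoers from LDAP over STARTTLS with
the IPA CA verified, a real bind identity instead of an anonymous bind,
a sudoers_base, and 'sudoers: files ldap' in nsswitch.conf.
"""


def parse_sudo_ldap_conf(text):
    """sudo-ldap.conf is one 'key value' pair per line, keys case-insensitive.
    Returns {key_lower: value}; a later duplicate key overrides an earlier one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) == 2 else ""
    return conf


def audit_sudo_ldap(conf_text, nsswitch_text):
    """Return a list of findings; an empty list means the config matches the advice."""
    conf = parse_sudo_ldap_conf(conf_text)
    findings = []
    uri = conf.get("uri", "").lower()
    # Transport: STARTTLS (or an ldaps:// URI), peer verification, the IPA CA.
    if conf.get("ssl", "").lower() != "start_tls" and not uri.startswith("ldaps://"):
        findings.append("transport: add 'ssl start_tls' (rules and bind password travel in cleartext)")
    if conf.get("tls_checkpeer", "").lower() not in ("yes", "true", "on"):
        findings.append("transport: set 'tls_checkpeer yes' so the server certificate is verified")
    if not conf.get("tls_cacertfile"):
        findings.append("transport: set 'tls_cacertfile /etc/ipa/ca.crt'")
    # Search base and bind identity.
    base = conf.get("sudoers_base", "")
    folded = "binddn" in base.lower()
    if not base:
        findings.append("search: 'sudoers_base' is missing")
    elif folded:
        findings.append("search: 'binddn' is folded onto the sudoers_base line; put it on its own line")
    if not folded and ("binddn" not in conf or "bindpw" not in conf):
        findings.append("bind: no binddn/bindpw, sudo will bind anonymously")
    # The name service switch must consult LDAP for sudoers.
    nss_ok = any(l.strip().lower().startswith("sudoers:") and "ldap" in l.lower()
                 for l in nsswitch_text.splitlines())
    if not nss_ok:
        findings.append("nsswitch: add 'sudoers: files ldap'")
    return findings


# Constructed sample modelled on the snippet in the thread.
WEAK_CONF = """\
uri ldap://ldap-server-name/
sudoers_base ou=SUDOers,dc=EXAMPLE,dc=COM binddn
uid=sudo,cn=sysaccounts,cn=etc,dc=EXAMPLE,dc=COM
bindpw secret_pass
bind_timelimit 5
timelimit 15
"""
WEAK_NSSWITCH = "sudoers: files\n"

# Constructed sample with the settings from the reply applied.
HARDENED_CONF = """\
uri ldap://ldap-server-name/
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
sudoers_base ou=SUDOers,dc=EXAMPLE,dc=COM
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=EXAMPLE,dc=COM
bindpw PLACEHOLDER_SUDO_ACCOUNT_PASSWORD
bind_timelimit 5
timelimit 15
"""
HARDENED_NSSWITCH = "sudoers: files ldap\n"

if __name__ == "__main__":
    for name, conf, nss in (("weak", WEAK_CONF, WEAK_NSSWITCH),
                            ("hardened", HARDENED_CONF, HARDENED_NSSWITCH)):
        print(name, audit_sudo_ldap(conf, nss) or ["ok"])
```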


Re: [Freeipa-users] service account for ovirt

2015-11-20 Thread Rob Verduijn
Hello,

I've tested the solution you suggested; it doesn't work.
I think ovirt-engine looks for the other users in the same context as
the bind user, and it will of course not find many there.


I can't get the second option with the keytab to work.
So I'm stuck with the full blown user account for this.

Here's what I did:

The ovirt os is centos 6 x86_64.
All the latest patches have been applied.
It can be a member of the freeipa domain but this is not required for
the ovirt-freeipa authentication to work.
Personally I think it's nice to have the ovirt machine under freeipa
supervision as well.

The freeipa os is centos7 x86_64.
All the latest patches have been applied.

The ovirt environment is configured, up and running.

There are two ways of single sign on for ovirt, see
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html

This howto is for the first option:
you require a search account in the freeipa domain.
Add a user account to the freeipa domain,
log in with that account so it asks you to set a new password for it,
then reset the expiration date for the password to somewhere in the
far future with the procedure below.

#
# Add the search account for ovirt to the freeipa domain.
#
# executed these commands on the freeipa server as root.
#

# first set the variables
export SUFFIX='dc=example,dc=com'
export OVIRT_SERVER=ovirt.example.com
export FREEIPA_DOMAIN=EXAMPLE.COM
export USERNAME=ovirt
export YOUR_PASSWORD='top_secret_random_very_long_password'

# create an ldif file
cat > resetexperation.ldif << EOF
dn: uid=$USERNAME,cn=users,cn=accounts,$SUFFIX
changetype: modify
replace: krbpasswordexpiration
krbpasswordexpiration: 20380119031407Z
EOF

# apply the ldif file
# the password requested is the directory manager password, this is NOT
# the same account as the freeipa admin
ldapmodify -x -D "cn=directory manager" -W -vv -f resetexperation.ldif

# for the second option also :
# add the service for http to freeipa
kinit admin
ipa service-add HTTP/$OVIRT_SERVER@$FREEIPA_DOMAIN

#
# The following commands are executed as root on the ovirt-engine machine.
# This is the example that allows single sign on from the portal to the vm's
# Assuming the forementioned bindaccount exists in the freeipa domain
#

#
# first install the required package :
#

yum install -y ovirt-engine-extension-aaa-ldap

#
# create the ovirt configuration files
# examples can be found here :
# /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/.
#

mkdir /etc/ovirt-engine/aaa
mkdir /etc/ovirt-engine/extensions.d

#
# set the vars again ( exports do not work between vm's)
#

export SUFFIX='dc=example,dc=com'
export YOUR_PASSWORD='top_secret_random_very_long_password'
export FREEIPA_SERVER=freeipa.example.com
export PROFILE_NAME=profile1

#
# create the config files
#
cat > /etc/ovirt-engine/aaa/$PROFILE_NAME.properties << EOF
include = 
vars.server = $FREEIPA_SERVER
vars.user = uid=ovirt,cn=users,cn=accounts,$SUFFIX
vars.password = $YOUR_PASSWORD
pool.default.serverset.single.server = \${global:vars.server}
pool.default.auth.simple.bindDN = \${global:vars.user}
pool.default.auth.simple.password = \${global:vars.password}
EOF

cat > /etc/ovirt-engine/extensions.d/$PROFILE_NAME-authz.properties << EOF
ovirt.engine.extension.name = $PROFILE_NAME-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/$PROFILE_NAME.properties
EOF

cat > /etc/ovirt-engine/extensions.d/$PROFILE_NAME-authn.properties << EOF
ovirt.engine.extension.name = $PROFILE_NAME-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = $PROFILE_NAME
ovirt.engine.aaa.authn.authz.plugin = $PROFILE_NAME-authz
config.profile.file.1 = ../aaa/$PROFILE_NAME.properties
EOF

#
# change owner and permissions of the profile file (it holds the bind password)
# and of the authn extension file
#
chown ovirt:ovirt /etc/ovirt-engine/aaa/$PROFILE_NAME.properties
chmod 400 /etc/ovirt-engine/aaa/$PROFILE_NAME.properties
chown ovirt:ovirt /etc/ovirt-engine/extensions.d/$PROFILE_NAME-authn.properties
chmod 400 /etc/ovirt-engine/extensions.d/$PROFILE_NAME-authn.properties

#
#  restart the ovirt engine
#
service ovirt-engine restart

#
#  done, you can now add freeipa users to the rhevm portal in the users menu
#  after the users have been added you can assign permissions for them on the vm's
#


Cheers
Rob Verduijn

2015-11-18 20:34 GMT+01:00 Martin Kosek :
> On 11/18/2015 04:27 PM, Rob Verduijn wrote:
>>
>> 2015-11-18 15:51 GMT+01:00 Martin Kosek :
>>>
>>> On 

Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question

2015-11-20 Thread Rob Crittenden
Jeffrey Stormshak wrote:
> Rob -
> Thank you for the suggestions as I finally have them implemented.  However, 
> the twist to this saga, is that it only works when I bind to LDAP as 
> "anonymous" vs. setting an actual "binddn" and "bindpw".  I truly do not want 
> to keep it this way.  With that being said, may I ask what should be the 
> proper binddn account to use so that auth and sudo will work?

I'm not sure how it works at all anonymously as it should return nothing
in that case.

IIRC a sudo system account user is pre-created; you just need to set the
password:

$ ldappasswd -x -S -W -h ipaserver.ipadocs.org -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com

rob

> 
> Once again, thank you for the help getting me further down the configuration 
> trail.  !!
> 
> -Original Message-
> From: Jeffrey Stormshak 
> Sent: Tuesday, November 17, 2015 10:49 AM
> To: Jeffrey Stormshak; Rob Crittenden; Jakub Hrozek; freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] Oracle Linux 5.5 - Legacy Question
> 
> I meant "did" forget.  Silly typo on my behalf...
> 
> -Original Message-
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jeffrey Stormshak
> Sent: Tuesday, November 17, 2015 10:44 AM
> To: Rob Crittenden; Jakub Hrozek; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question
> 
> Thanks Rob!  Sorry, I didn't forget to mention what was the message.  It 
> basically stated the message listed below.
> 
> Sorry, user plmoss may not run sudo on client_server
> 
> Let me try your suggestions and see if that helps lead me down the right 
> path.  Once again, thanks for this feedback.  Oh how I miss using the 
> "ipa-client" I used on all of my higher Linux versions.  Talk about saving 
> time cycles and deployment timeframes.  Oh well.  
> 
> -Original Message-
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Tuesday, November 17, 2015 9:51 AM
> To: Jeffrey Stormshak; Jakub Hrozek; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question
> 
> Jeffrey Stormshak wrote:
>> Thank you for the response.  If I may, can you expand more on the sudoers 
>> response?
>>
>> More details from my configuration ...
>> The current setup for me is that all my sudoers rules/commands and groups 
>> are defined and stored in the RHEL 7.1 IDM LDAP.  When I create the 
>> /etc/sudo-ldap.conf (snippet below), I'm still not able to get it working on 
>> these 5.5 Linux clients.
>>
>> uri ldap://ldap-server-name/
>> sudoers_base ou=SUDOers,dc=EXAMPLE,dc=COM
>> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=EXAMPLE,dc=COM
>> bindpw secret_pass
>> bind_timelimit 5
>> timelimit 15
>>
>> In your experience, am I missing some other component?  PAM Modules?  
>> Reference in the /etc/nsswitch.conf?
> 
> It's hard to know what to recommend since you haven't said what isn't working.
> 
> Your nsswitch.conf should have:
> 
> sudoers: files ldap
> 
> You probably want to add sudoers_debug 2 to your sudo-ldap.conf file too 
> while debugging.
> 
> You almost certainly want to use TLS here:
> 
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
> 
> You also need your nisdomainname set to your domain to do group or host-based 
> sudo.
> 
> You also need to add this to your sssd.conf:
> 
> ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
> 
> Stick it after ipa_server in the config file.
> 
> Use sudo -l to test.
> 
> rob
>>
>> -Original Message-
>> From: freeipa-users-boun...@redhat.com 
>> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
>> Sent: Tuesday, November 17, 2015 2:56 AM
>> To: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question
>>
>> On Mon, Nov 16, 2015 at 08:58:37PM +, Jeffrey Stormshak wrote:
>>> Greetings ---
>>> I'm in the process of deploying the RHEL 7.1 IDM into my enterprise and we 
>>> have a great number of Oracle Linux 5.5 servers.  Upon research from Oracle 
>>> (ULN Channels) the Linux "ipa-client" was only released for 5.6 and then 
>>> upstream.  I went ahead and configured the PAM/LDAP authentication method 
>>> for 5.5 and so far it's working as expected.  With that history being said 
>>> ...
>>>
>>> I'm having difficulty getting TLS and "sudoers" to be managed by the RHEL 
>>> IDM to these 5.5 clients.  Can anyone share some insight or documentation 
>>> details on how to solve these two problems prior to my mass deployment?  
>>> Any insight is greatly appreciated.  Thanks!
>>
>> Not sure about TLS but sudoers should be managed with their ldap 
>> config (there's no sssd, hence no sssd sudo integration..)
>>
>>
> 
> 

Re: [Freeipa-users] Squid authentication in FreeIPA

2015-11-20 Thread Loris Santamaria
On Fri, 20-11-2015 at 22:24 +0100, holo wrote:
> Hello
> 
> I configured Squid to use kerberos authentication according to that
> howto: http://www.freeipa.org/page/Squid_Integration_with_FreeIPA_using_Single_Sign_On
> but I'm not getting any popup when I'm trying to use the proxy; instead
> I'm just getting information that I'm not authenticated.
> 
> Is anyone using FreeIPA in such a configuration?
Yes and it works perfectly.

First check the basic stuff: the pc accessing squid should be part of
the ipa domain or a trusted domain, the browser should be configured to
access squid by its full name (accessing by IP won't work), browser
must support negotiate auth, client and server clocks must be in sync.

If everything seems ok, restart squid, try connection from a client,
and check for any error messages in squid's cache.log file.

Best regards
-- 
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve

"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford




[Freeipa-users] Password Policy Inquiry

2015-11-20 Thread Ainsworth, Thomas
Greetings,

How in FreeIPA would one set the password policy equivalent to the pam.d
parameter difok?
This parameter ensures the new password has at least N characters
different from the current password.

Thanks in advance,

Tom
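To make concrete what the difok rule asks for, here is an added example (not FreeIPA or PAM code) that reimplements the check as I understand it from libpwquality's similarity test: the new password is accepted if its Levenshtein edit distance from the old one is at least difok, or if it is at least twice as long as the old one; the exact rule is an assumption, and the default of 5 is pam_cracklib's documented default. Both passwords have to be available in clear at change time, which is why this check naturally lives in the client's PAM stack rather than on a directory server that only ever stores hashes.

```python
"""Added example, not FreeIPA or pam code: what a pam_cracklib / pam_pwquality
'difok' check computes.  The rule modelled here (assumed from libpwquality's
similarity check) is: the new password passes if its Levenshtein edit
distance from the old one is at least difok, or if it is at least twice as
long as the old one.  Both passwords must be available in clear at change
time, which is why the check lives in the PAM stack on the client."""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the minimum number of single-character
    insertions, deletions and substitutions that turn a into b."""
    prev = list(range(len(b) + 1))           # distance from "" to b[:j]
    for i, ca in enumerate(a, 1):
        cur = [i]                            # distance from a[:i] to ""
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def too_similar(old: str, new: str, difok: int = 5) -> bool:
    """True when the change from old to new fails the difok rule.
    difok defaults to 5, pam_cracklib's documented default."""
    if edit_distance(old, new) >= difok:
        return False
    if len(new) >= 2 * len(old):             # a much longer password passes anyway
        return False
    return True


def check_change(old: str, new: str, difok: int = 5) -> str:
    """Return "ok" or a human-readable rejection reason, the way a PAM
    password module reports it back to the user."""
    if too_similar(old, new, difok):
        return (f"rejected: only {edit_distance(old, new)} character change(s) "
                f"from the current password, policy requires {difok}")
    return "ok"


if __name__ == "__main__":
    # Constructed sample changes, not real credentials.
    for old, new in [("Winter2015!", "Winter2016!"),
                     ("Winter2015!", "correct horse battery"),
                     ("abc", "abcdef")]:
        print(f"{old!r} -> {new!r}: {check_change(old, new)}")
```

The third sample shows the length escape hatch: "abc" to "abcdef" is only three edits away, below difok, but is accepted because the new password is twice as long.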

[Freeipa-users] Squid authentication in FreeIPA

2015-11-20 Thread holo
Hello

I configured Squid to use kerberos authentication according to that
howto: http://www.freeipa.org/page/Squid_Integration_with_FreeIPA_using_Single_Sign_On
but I'm not getting any popup when I'm trying to use the proxy; instead
I'm just getting information that I'm not authenticated.

Is anyone using FreeIPA in such a configuration?

[Freeipa-users] LDAP credentials for Squid

2015-11-20 Thread holo
Hello

How can I find FreeIPA ldap credentials? I want to try to configure
Squid in a similar way to what is described here for ejabberd:

http://www.freeipa.org/page/EJabberd_Integration_with_FreeIPA_using_LDAP_Group_memberships

//holo

Re: [Freeipa-users] FreeIPA user can't login to linux.

2015-11-20 Thread zhiyong xue
The problem still exists after updating from 4.1 to 4.2.3.

Rob, how do I check the missing managed entry?

2015-11-20 0:11 GMT+08:00 Rob Crittenden:

> zhiyong xue wrote:
> > Rob, where can I get more error information beside the log?
> > [16/Nov/2015:02:52:59 +] managed-entries-plugin - mep_del_post_op:
> > failed to delete managed entry
> > (member=syncopex5,cn=groups,cn=accounts,dc=example,dc=com) - error (32)
>
> I can still only assume what you're doing: manually adding the entries
> directly by LDAP. To do this you need to follow IPA conventions, or use
> the new user lifecycle framework added in 4.2.
>
> I'm guessing it can't delete the managed entry because either it doesn't
> exist or it is missing an objectclass/attribute marking it as managed.
>
> rob
>
> >
> > 2015-11-16 13:43 GMT+08:00 zhiyong xue:
> >
> > I am using IPA 4.1 in CentOS 7.  And I can login to system after "id
> > syncopex5", maybe it's cache problem.
> >
> > 2015-11-16 11:24 GMT+08:00 Rob Crittenden:
> >
> > zhiyong xue wrote:
> > > We integrated the Apache Syncope server with FreeIPA server. So user can
> > > self register ID from Apache Syncope then synchronize to FreeIPA. The
> > > problems are:
> > > *1) User created from Apache Syncope can't login to linux. The user
> > > created from FreeIPA web gui works well.*
> >
> > For login issues see
> > https://fedorahosted.org/sssd/wiki/Troubleshooting
> > This is unlikely to fix things but it will help with later debugging.
> >
> > This likely revolves around how you are creating these accounts. We'll
> > need information on what you're doing. The more details the better.
> >
> > > *2) The user also can't be deleted from web UI and CLI. It said
> > > "syncopex5: user not found".*
> >
> > Again, you probably aren't creating the users correctly.
> >
> > I can only assume that you are creating the users directly via an LDAP
> > add. This is working around the IPA framework which does additional work.
> >
> > Knowing what version of IPA this is would help too.
> >
> > You'll probably also want to read this:
> > http://www.freeipa.org/page/V4/User_Life-Cycle_Management . This is in
> > IPA 4.2.
> >
> > rob
> >
> >
>

Re: [Freeipa-users] Password Policy Inquiry

2015-11-20 Thread Rob Crittenden
Ainsworth, Thomas wrote:
> Greetings,
> 
> How in FreeIPA would one set the password policy equivalent to the pam.d
> parameter difok?
> This parameter ensures the new password has at least N characters
> different from the current password.
> 

https://www.redhat.com/archives/freeipa-users/2015-November/msg00312.html



Re: [Freeipa-users] freeipa hardware appliance

2015-11-20 Thread Ainsworth, Thomas
You could buy a couple of NUCs (or equivalent) with an SSD (or not) and run
a replica.  Extremely small footprint.  IPA itself is lightweight; that is
part of the beauty of it.



On Fri, Nov 20, 2015 at 12:37 PM, Karl Forner wrote:

> Thanks Martin.
> My expected numbers: users ~ 50 max, concurrent clients/sessions < 20,
> hosts < 20.
> I was thinking about a server with an old intel cpu, 4Gb RAM and small HDD
> or USB key-based storage + an ethernet port.
> I have no idea if it is a common use in IT to run such (critical)
> application on its own dedicated appliance.
>
>
>
> On Fri, Nov 20, 2015 at 6:29 PM, Martin Basti wrote:
>
>>
>>
>> On 20.11.2015 16:47, Karl Forner wrote:
>>
>> Hello,
>>
>> Could you recommend me a mini appliance/server to use as a freeIPA server?
>> I guess the main points are an ethernet port, minimal consumption,
>> robustness.
>>
>> Thanks,
>> Karl Forner
>>
>>
>> Hello,
>>
>> I would say that minimal amount of RAM is 2GB with IPA 4.2, of course
>> amount of resources depends on many things.
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Preparing_for_an_IPA_Installation-Hardware_Requirements.html
>>
>> Disk space at least 500MB for basic installation + baseOS + stored data
>>
>> I do not know if IPA is limited by the CPU somehow, but with a very slow
>> CPU you may need to increase timeouts (I saw posts on this list that
>> it is possible to run IPA on a raspberry pi with increased timeouts)
>>
>> Maybe it would be better if you write what you need this minimal
>> configuration for and how many clients, users and connections IPA should
>> handle.
>>
>> Martin
>>
>>
>>
>

Re: [Freeipa-users] Squid authentication in FreeIPA

2015-11-20 Thread Natxo Asenjo
hi holo,


On Fri, Nov 20, 2015 at 11:21 PM, holo wrote:

> Thank you for your reply.
>
> I think I wasn't clear enough. Clients of the proxy server are not kerberized.
> I want to just authenticate them for proxy use in the kerberos DB when they are
> trying to use it (just by popup like in NTLM). Is such a thing possible with
> kerberos? I saw on yt such a thing was possible with AD.
>
> //holo
>

did you ask this question in serverfault as well :-) ?

http://serverfault.com/questions/737902/squid-kerberos-authentication-no-popup/737909#737909

If you require ntlm, then you should join the squid host to an AD realm, I
do not think this will work with freeipa because it does not do ntlm as far
as I know.

--
Groeten,
natxo

Re: [Freeipa-users] Squid authentication in FreeIPA

2015-11-20 Thread holo
Thank you for your reply.
I think I wasn't clear enough. Clients of the proxy server are not
kerberized. I want to just authenticate them for proxy use in the kerberos
DB when they are trying to use it (just by popup like in NTLM). Is such
a thing possible with kerberos? I saw on yt such a thing was possible with
AD.
//holo
On Fri, 2015-11-20 at 17:11 -0430, Loris Santamaria wrote:
> On Fri, 20-11-2015 at 22:24 +0100, holo wrote:
> > Hello
> > 
> > I configured Squid to use kerberos authentication according to that
> > howto: http://www.freeipa.org/page/Squid_Integration_with_FreeIPA_using_Single_Sign_On
> > but I'm not getting any popup when I'm trying to use the proxy; instead
> > I'm just getting information that I'm not authenticated.
> > 
> > Is anyone using FreeIPA in such a configuration?
> Yes and it works perfectly. 
> 
> First check the basic stuff: the pc accessing squid should be part of
> the ipa domain or a trusted domain, the browser should be configured
> to access squid by its full name (accessing by IP won't work),
> browser must support negotiate auth, client and server clocks must be
> in sync.
> 
> If everything seems ok, restart squid, try connection from a client,
> and check for any error messages in squid's cache.log file
> 
> Best regards
> 
> -- 
> Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
> Links Global Services, C.A.http://www.lgs.com.ve
> Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve
> 
> "If I'd asked my customers what they wanted, they'd have said
> a faster horse" - Henry Ford

Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question

2015-11-20 Thread Jeffrey Stormshak
Rob -
Here's the test configurations/data when I manipulate the BINDDN/BINDPW fields 
to get both AUTH and SUDO to work in Linux 5.5.  I have three questions 
below that I would like to get your comments on or see what you may recommend 
on this.  I'm seriously perplexed on this as to why it's working this way ...  
Please advise.  Thanks!

**
AUTH successful on login; SUDO fails with the message listed
below !!
**
[mjsmith@chi-infra-idm-client2 ~]$ sudo -l
sudo: ldap_sasl_bind_s(): Server is unwilling to perform
[sudo] password for mjsmith:
Sorry, user mjsmith may not run sudo on chi-infra-idm-client2.
*

*
# grep -iv '#' /etc/ldap.conf
*
base dc=linuxcccis,dc=com
uri ldap://chi-infra-idm-p1.linuxcccis.com/
binddn uid=admin,cn=users,cn=compat,dc=linuxcccis,dc=com
bindpw secret_pass
timelimit 15
bind_timelimit 5
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
pam_password md5
sudoers_base ou=SUDOers,dc=linuxcccis,dc=com

*
User Account AUTH and SUDO works when
commenting both the binddn and bindpw fields !!
*
vi /etc/ldap.conf … Comment these two fields …
#binddn uid=admin,cn=users,cn=compat,dc=linuxcccis,dc=com
#bindpw secret_pass


This file unchanged during the above testing !!

/etc/sudo-ldap.conf:
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=linuxcccis,dc=com
bindpw secret_pass
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://chi-infra-idm-p1.linuxcccis.com
sudoers_base ou=SUDOers,dc=linuxcccis,dc=com

QUESTIONS:
1) What BINDDN account needs to be specified to allow the BINDDN/BINDPW to work 
for SUDO?
2) Why does the AUTH work when setting values in the BINDDN/BINDPW, but SUDO 
then fails?
3) If I leave BINDDN/BINDPW blank, what security risks are being introduced by 
leaving it that way?


From: Rob Crittenden
Date: Friday, November 20, 2015 at 1:42 PM
To: Jeffrey Stormshak, Jakub Hrozek, "freeipa-users@redhat.com"
Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question

Jeffrey Stormshak wrote:
Rob -
Thank you for the suggestions as I finally have them implemented.  However, the 
twist to this saga, is that it only works when I bind to LDAP as "anonymous" 
vs. setting an actual "binddn" and "bindpw".  I truly do not want to keep it 
this way.  With that being said, may I ask what should be the proper binddn 
account to use so that auth and sudo will work?

I'm not sure how it works at all anonymously as it should return nothing
in that case.

IIRC a sudo system account user is pre-created you just need to set the
password:

$ ldappasswd -x -S -W -h ipaserver.ipadocs.org -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com

rob

Once again, thank you for the help getting me further down the configuration 
trail.  !!
-Original Message-
From: Jeffrey Stormshak
Sent: Tuesday, November 17, 2015 10:49 AM
To: Jeffrey Stormshak; Rob Crittenden; Jakub Hrozek; 
freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Oracle Linux 5.5 - Legacy Question
I meant "did" forget.  Silly typo on my behalf...
-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jeffrey Stormshak
Sent: Tuesday, November 17, 2015 10:44 AM
To: Rob Crittenden; Jakub Hrozek; 
freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question
Thanks Rob!  Sorry, I didn't forget to mention what was the message.  It 
basically stated the message listed below.
Sorry, user plmoss may not run sudo on client_server
Let me try your suggestions and see if that helps lead me down the right path.  
Once again, thanks for this feedback.  Oh how I miss using the "ipa-client" I 
used on all of my higher Linux versions.  Talk about saving time cycles and 
deployment timeframes.  Oh well.
-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, November 17, 2015 9:51 AM
To: Jeffrey Stormshak; Jakub Hrozek; 
freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question
Jeffrey Stormshak wrote:
Thank 
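The two client files posted above (/etc/ldap.conf binding as the compat admin entry without TLS, /etc/sudo-ldap.conf binding as the uid=sudo system account over STARTTLS) and question 3 about leaving binddn/bindpw blank are a good place for a mechanical check. Below is an added example, not FreeIPA, sudo or nss_ldap project code, that lints the text of such a file for the conditions Rob's earlier replies call out: no STARTTLS or ldaps, tls_checkpeer not set to yes, no CA file, an anonymous bind, and (for sudo-ldap.conf) a binddn that is not the dedicated sudo system account. The sample configurations are constructed from the ones in this thread with the password left as the placeholder secret_pass; `purpose` and `sudo_account_base` are parameters of this example, not options of any of those tools.

```python
"""Added example, not FreeIPA, sudo or nss_ldap project code: a linter for the
/etc/ldap.conf and /etc/sudo-ldap.conf files shown in this thread.  It flags
the settings the replies above treat as risky or missing: no STARTTLS, no
peer verification or CA file, an anonymous bind, and a sudo-ldap.conf that
does not bind as the dedicated sudo system account under
cn=sysaccounts,cn=etc.  The sample files below are constructed from the ones
posted in the thread, with the password kept as the placeholder secret_pass."""

from __future__ import annotations


def parse_ldap_conf(text: str) -> dict[str, str]:
    """Parse the 'key value' format of ldap.conf / sudo-ldap.conf.

    Comment (#) and blank lines are skipped, keys are case-insensitive and a
    repeated key keeps its last value, which is how these files are read."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def lint_ldap_conf(text: str, purpose: str = "sudo",
                   sudo_account_base: str = "cn=sysaccounts,cn=etc") -> list[str]:
    """Return a list of findings; an empty list means nothing to complain about.

    purpose is "sudo" for /etc/sudo-ldap.conf or "nss" for /etc/ldap.conf;
    the bind-account and sudoers_base checks only apply to "sudo".
    sudo_account_base (an assumed parameter of this example, not a sudo
    option) is where IPA keeps the uid=sudo system account."""
    conf = parse_ldap_conf(text)
    findings: list[str] = []

    starttls = conf.get("ssl", "").lower() == "start_tls"
    ldaps = conf.get("uri", "").lower().startswith("ldaps://")
    if not (starttls or ldaps):
        findings.append("no TLS: add 'ssl start_tls' (or an ldaps:// uri); the bindpw "
                        "and every lookup cross the network in clear")
    else:
        if conf.get("tls_checkpeer", "").lower() != "yes":
            findings.append("tls_checkpeer is not 'yes': the server certificate is not verified")
        if not conf.get("tls_cacertfile"):
            findings.append("tls_cacertfile missing: peer verification needs the IPA CA (/etc/ipa/ca.crt)")

    binddn = conf.get("binddn", "")
    if not binddn:
        findings.append("anonymous bind: no per-client credential to audit or revoke, and "
                        "the results depend on what the directory exposes anonymously")
    else:
        if not conf.get("bindpw"):
            findings.append("binddn is set but bindpw is empty")
        if purpose == "sudo" and sudo_account_base.lower() not in binddn.lower():
            findings.append(f"binddn '{binddn}' is not the dedicated sudo system account "
                            f"(expected an entry under {sudo_account_base})")

    if purpose == "sudo" and not conf.get("sudoers_base"):
        findings.append("sudoers_base missing: sudo cannot locate its rules")
    return findings


# Constructed from the /etc/ldap.conf posted above (nss_initgroups_ignoreusers omitted).
LDAP_CONF_CLEAR = """\
base dc=linuxcccis,dc=com
uri ldap://chi-infra-idm-p1.linuxcccis.com/
binddn uid=admin,cn=users,cn=compat,dc=linuxcccis,dc=com
bindpw secret_pass
timelimit 15
bind_timelimit 5
idle_timelimit 3600
pam_password md5
sudoers_base ou=SUDOers,dc=linuxcccis,dc=com
"""

# Constructed from the /etc/sudo-ldap.conf posted above.
SUDO_LDAP_CONF_OK = """\
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=linuxcccis,dc=com
bindpw secret_pass
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://chi-infra-idm-p1.linuxcccis.com
sudoers_base ou=SUDOers,dc=linuxcccis,dc=com
"""

# The "works anonymously" variant from the thread: binddn and bindpw commented out.
SUDO_LDAP_CONF_ANON = SUDO_LDAP_CONF_OK.replace("binddn ", "#binddn ").replace("bindpw ", "#bindpw ")

if __name__ == "__main__":
    for name, text, purpose in [("ldap.conf", LDAP_CONF_CLEAR, "nss"),
                                ("sudo-ldap.conf", SUDO_LDAP_CONF_OK, "sudo"),
                                ("sudo-ldap.conf (anonymous)", SUDO_LDAP_CONF_ANON, "sudo")]:
        print(f"{name}: {lint_ldap_conf(text, purpose) or ['ok']}")
```

On a real client, feed it `open("/etc/sudo-ldap.conf").read()`. Against the posted files it reports the sudo-ldap.conf as clean, the anonymous variant with a single anonymous-bind finding, and the ldap.conf with a single no-TLS finding; it cannot explain the "Server is unwilling to perform" error in question 2, which needs the server-side bind logs rather than the client config.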

Re: [Freeipa-users] LDAP credentials for Squid

2015-11-20 Thread Natxo Asenjo
hi,

On Fri, Nov 20, 2015 at 10:47 PM, holo  wrote:

> Hello
>
> How can I find FreeIPA ldap credentials? I want to try to configure
> Squid in a similar way to what is described here for ejabberd:
>
>
> http://www.freeipa.org/page/EJabberd_Integration_with_FreeIPA_using_LDAP_Group_memberships
>
>
I do not understand the question. Do you want to use ldap with squid?

Then you need to configure an authentication helper in squid. You will find
how to do that in the squid wiki:

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap

And for squid acls depending on ldap group membership take a look at the
examples here:

https://workaround.org/squid-ldap/

If you have trouble configuring squid, then you should ask on the squid
mailing list (very active, very helpful).
--
Groeten,
natxo