Re: [Freeipa-users] FreeIPA and LetsEncrypt Question

2015-12-02 Thread Günther J. Niederwimmer
Hello All,

On Wednesday 02 December 2015, 21:10:31, Fraser Tweedale wrote:
> On Mon, Nov 30, 2015 at 02:46:13PM +0200, Alexander Bokovoy wrote:
> > On Mon, 30 Nov 2015, Günther J. Niederwimmer wrote:
> > >Hello ,
> > >
> > >I have the question, know any from the FreeIPA "Gurus" ;-), are the new
> > >upcoming LetsEncrypt Certificates compatible and working with FreeIPA?
> > 
> > We have plans to support issuing certificates via Let's Encrypt.
> 
> Günther, what are your specific wishes - to automatically acquire LE
> certs for FreeIPA server's HTTP and LDAP?  Arbitrary hosts or
> services that are managed by FreeIPA?

My wishes :-)).

When I can have wishes, I mean all ;-)

But a nice integration for IMAP, SMTP, LDAP, HTTPS ... would be a dream.

Now I am making a test with FreeIPA and "DANE"; I hope this is working?

> > However, right now Let's encrypt only issues server certificates, not
> > CA roots, so you cannot use them to bootstrap IPA CA.
> 
> This will probably always be the case.
> 
> Cheers,
> Fraser

-- 
best regards,

  Günther J. Niederwimmer

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] backup/restore best practices

2015-12-02 Thread Andy Thompson
What does everyone do for backup/restore of their IPA infrastructure?  I've 
read over the backup and restore pages on freeipa.org; I just want to hear about 
some real-world application out there.

Right now all of our backups are done at the SAN level.  We snap the SAN 
aggregate containing the VMs and have those snaps available to roll back to.  
I'm not sure how consistent those backups might end up being at the end of the 
day, and I've never had to roll back in the environment to test, or had an 
environment to test on at that level.

-andy







Re: [Freeipa-users] Documentation on the JSON format for ipa-web?

2015-12-02 Thread Oliver Dörr

Hmm,

I've made a few tests against the JSON API and the API browser was 
available. I've used RHEL 7.2 and so I expect CentOS 7.2 to contain the 
API browser.


Oliver

On 01.12.2015 at 19:41 Marc Boorshtein wrote:
>> IPA 4.2 has an experimental API browser in the GUI, IPA Server -> API
>> browser.
>
> has 4.2 made it into centos 7 yet?  or only in fedora?





Re: [Freeipa-users] Documentation on the JSON format for ipa-web?

2015-12-02 Thread Marc Boorshtein
I did an upgrade yesterday and was still at 7.1, so I don't think 7.2
has been officially released.
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902


On Wed, Dec 2, 2015 at 1:57 PM, Oliver Dörr  wrote:
> Hmm,
>
> I've made a few tests against the JSON API and the API browser was available.
> I've used RHEL 7.2 and so I expect CentOS 7.2 to contain the API browser.
>
> Oliver
>
>
> On 01.12.2015 at 19:41 Marc Boorshtein wrote:
>>>
>>> IPA 4.2 has an experimental API browser in the GUI, IPA Server -> API
>>> browser.
>>>
>> has 4.2 made it into centos 7 yet?  or only in fedora?
>>
>


[Freeipa-users] Sudo question

2015-12-02 Thread Sean Hogan

Hi All,

  I have spent a significant amount of time on this and am hoping some of you
might have an idea.  I want to limit user bob from getting to a root prompt on
this test box.
It seems to work until bob is able to run a command he is allowed via sudo,
such as cat.  Sudo -i is on the deny command list in IPA, and root is local
(not in IPA), with
nsswitch pointing to files first, then sss.

So, logged on as user bob, the first thing attempted was sudo -i, which produces
a wrong-password message even though it is the correct password, but it is
denying, so fine.  Then I issue sudo cat /etc/sysconfig/iptables
and it allows it after I enter bob's password, which is fine.  However, right
after that I try sudo -i again and get a root prompt, which is not good.  I am
thinking that since root is local and files come first, once I sudo up, root is
available.
Any suggestions are welcome.



[me@mine ~]$ ssh bob@server
bob@servers password:
Last login:  Time: from IP
Internal systems must only be used for conducting company business or for
purposes authorized by company management
Use is subject to audit at any time by company management
[bob@server ~]$ sudo -i
[sudo] password for bob:
Sorry, try again.
[bob@server ~]$ sudo -i
[sudo] password for bob:
Sorry, try again.
[sudo] password for bob:
Sorry, try again.
[sudo] password for bob:
sudo: 2 incorrect password attempts
[bob@server ~]$ sudo cat /etc/sysconfig/iptables
[sudo] password for bob:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
[bob@server ~]$ sudo -i
server.example.local:/root# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter



  ipa sudorule-show bob
  Rule name: bob
  Description: test sudo rule for user bob
  Enabled: TRUE
  Host category: all
  Users: bob
  Sudo Allow Commands: /sbin/iptables, /sbin/service,  /bin/view,
   /bin/bash, /bin/netstat, /usr/bin/sudo -u user
-i, /bin/cat
  Sudo Deny Commands: /usr/bin/sudo -i, /usr/bin/sudo-i, /usr/bin/sudo -u
root -i

Is it just me, or is white space ignored with sudo commands as well, much
like the sudo options?






Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: scho...@us.ibm.com | Tel 919 486 1397





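sudo -i asks sudo to run the target user's login shell, so it is that shell (root's /bin/bash here, which the allow list contains) that gets matched against the rule, not a command called '/usr/bin/sudo -i'. Below is an added check (not from the thread or from FreeIPA) that parses sudorule-show output for allow entries that start a shell or an editor with a shell escape, and for deny entries whose binary no allow entry uses, such as '/usr/bin/sudo-i'. Assumptions: SAMPLE_RULE is constructed from the post with each attribute on one line as the CLI prints it, and the two binary sets are an assumed starting list.

```python
# Constructed sample modelled on the `ipa sudorule-show bob` output in the
# post (not captured from a server); multi-valued attributes are on one line.
SAMPLE_RULE = """\
  Rule name: bob
  Description: test sudo rule for user bob
  Enabled: TRUE
  Host category: all
  Users: bob
  Sudo Allow Commands: /sbin/iptables, /sbin/service,  /bin/view, /bin/bash, /bin/netstat, /usr/bin/sudo -u user -i, /bin/cat
  Sudo Deny Commands: /usr/bin/sudo -i, /usr/bin/sudo-i, /usr/bin/sudo -u root -i
"""

# Assumed lists: binaries that start a shell (or a nested sudo/su), and
# editors/pagers that can spawn a shell from inside.
SHELL_BINARIES = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/sudo", "/bin/su", "/usr/bin/su"}
ESCAPE_BINARIES = {"/bin/view", "/bin/vi", "/usr/bin/vim", "/usr/bin/less", "/usr/bin/more"}


def parse_rule(text):
    """Turn 'Key: value' lines into a dict; values stay raw strings."""
    rule = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            rule[key.strip()] = value.strip()
    return rule


def split_commands(value):
    """Split a comma-separated command list and collapse runs of whitespace,
    so '/usr/bin/sudo  -i' and '/usr/bin/sudo -i' compare equal but
    '/usr/bin/sudo-i' stays a different binary."""
    return [" ".join(item.split()) for item in value.split(",") if item.strip()]


def audit_rule(text):
    """Return human-readable findings for one rule's allow and deny lists."""
    rule = parse_rule(text)
    allow = split_commands(rule.get("Sudo Allow Commands", ""))
    deny = split_commands(rule.get("Sudo Deny Commands", ""))
    findings = []
    for cmd in allow:
        binary = cmd.split()[0]
        if binary in SHELL_BINARIES:
            findings.append(f"allow: {cmd!r} starts a shell or nested sudo; deny entries cannot block it")
        elif binary in ESCAPE_BINARIES:
            findings.append(f"allow: {cmd!r} is an editor/pager with a shell escape")
    allowed_binaries = {cmd.split()[0] for cmd in allow}
    for cmd in deny:
        if cmd.split()[0] not in allowed_binaries:
            findings.append(f"deny: {cmd!r} names a binary no allow entry uses; check for a typo")
    return findings
```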

Re: [Freeipa-users] Documentation on the JSON format for ipa-web?

2015-12-02 Thread Martin Babinsky

On 12/01/2015 07:56 PM, Marc Boorshtein wrote:
> Great.  Doesn't look like it's made it into CentOS yet (still at 7.1).
> OK, going to go ahead and get it running on Fedora 23.
>
> Thanks
> Marc Boorshtein
> CTO Tremolo Security
> marc.boorsht...@tremolosecurity.com
> (703) 828-4902
>
>
> On Tue, Dec 1, 2015 at 1:42 PM, Rob Crittenden  wrote:
>> Marc Boorshtein wrote:
>>>> IPA 4.2 has an experimental API browser in the GUI, IPA Server -> API
>>>> browser.
>>>
>>> has 4.2 made it into centos 7 yet?  or only in fedora?
>>
>> It is in RHEL 7.2 and Fedora 23.
>>
>> rob
>

Hi Marc,

the FreeIPA public demo also features an API browser for you to inspect. 
See http://www.freeipa.org/page/Demo and then go to 
https://ipa.demo1.freeipa.org/ipa/ui/#/p/apibrowser/type=command


--
Martin^3 Babinsky



Re: [Freeipa-users] FreeIPA and LetsEncrypt Question

2015-12-02 Thread Fraser Tweedale
On Mon, Nov 30, 2015 at 02:46:13PM +0200, Alexander Bokovoy wrote:
> On Mon, 30 Nov 2015, Günther J. Niederwimmer wrote:
> >Hello ,
> >
> >I have the question, know any from the FreeIPA "Gurus" ;-), are the new
> >upcoming LetsEncrypt Certificates compatible and working with FreeIPA?
> We have plans to support issuing certificates via Let's Encrypt.
> 
Günther, what are your specific wishes - to automatically acquire LE
certs for FreeIPA server's HTTP and LDAP?  Arbitrary hosts or
services that are managed by FreeIPA?

> However, right now Let's encrypt only issues server certificates, not
> CA roots, so you cannot use them to bootstrap IPA CA.
>
This will probably always be the case.

Cheers,
Fraser

> -- 
> / Alexander Bokovoy
> 



Re: [Freeipa-users] FreeIPA and LetsEncrypt Question

2015-12-02 Thread Prasun Gera
Have a look at a recent thread that I had started. You might be able to do
it manually for http/ldap certs. However, there were some issues which I
haven't figured out yet. You might have better luck. Anyone should be able
to try it out given that LE enters public beta in a couple of days.

On Mon, Nov 30, 2015 at 4:46 AM, Alexander Bokovoy 
wrote:

> On Mon, 30 Nov 2015, Günther J. Niederwimmer wrote:
>
>> Hello ,
>>
>> I have the question, know any from the FreeIPA "Gurus" ;-), are the new
>> upcoming LetsEncrypt Certificates compatible and working with FreeIPA?
>>
> We have plans to support issuing certificates via Let's Encrypt.
>
> However, right now Let's encrypt only issues server certificates, not
> CA roots, so you cannot use them to bootstrap IPA CA.
> --
> / Alexander Bokovoy
>
>

Re: [Freeipa-users] Documentation on the JSON format for ipa-web?

2015-12-02 Thread Marc Boorshtein
Rob & Martin,

Thanks.  This is a great resource.  Is there a way to generate sample
JSONs for each command?  For instance, when I make a call to
user_search, I use the following:

String lookupjson =
"{\"method\":\"batch\",\"params\":[[{\"method\":\"user_show\",\"params\":[[\""
+ userID + 
"\"],{\"all\":true,\"rights\":true}]},{\"method\":\"pwpolicy_show\",\"params\":[[],{\"user\":\""
+ userID + 
"\",\"all\":true,\"rights\":true}]},{\"method\":\"krbtpolicy_show\",\"params\":[[\""
+ userID + "\"],{\"all\":true,\"rights\":true}]}],{\"version\":\"2.112\"}]}";

This was figured out by reverse engineering the calls from the browser
to IPA Web.  Looking at the API browser it's clear that using batch
here is probably overkill.  Based on the API browser I think I can do:

{
  "method":"user_show",
  "params":[
    ["myuser"],
    {
      "all":true,
      "rights":true
    }
  ]
}

Is that accurate?  For the result object, is there something documented?

Thanks

Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902


On Wed, Dec 2, 2015 at 2:53 AM, Martin Babinsky  wrote:
> On 12/01/2015 07:56 PM, Marc Boorshtein wrote:
>>
>> Great.  Doesn't look like its made it into CentOS yet (still at 7.1).
>> OK, going to go ahead and get it running on Fedora 23.
>>
>> Thanks
>> Marc Boorshtein
>> CTO Tremolo Security
>> marc.boorsht...@tremolosecurity.com
>> (703) 828-4902
>>
>>
>> On Tue, Dec 1, 2015 at 1:42 PM, Rob Crittenden 
>> wrote:
>>>
>>> Marc Boorshtein wrote:
>>>>>
>>>>> IPA 4.2 has an experimental API browser in the GUI, IPA Server -> API
>>>>> browser.
>>>>>
>>>>
>>>> has 4.2 made it into centos 7 yet?  or only in fedora?
>>>>
>>>
>>> It is in RHEL 7.2 and Fedora 23.
>>>
>>> rob
>>
>>
>
> Hi Marc,
>
> the FreeIPA public demo also features an API browser for you to inspect. See
> http://www.freeipa.org/page/Demo and then go to
> https://ipa.demo1.freeipa.org/ipa/ui/#/p/apibrowser/type=command
>
> --
> Martin^3 Babinsky
>

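An added example (not code from the thread or from FreeIPA) that builds the request shapes discussed above as Python data, so a uid containing a quote is escaped by the encoder instead of breaking the JSON as it would in the concatenated string: a single user_show call, the three-call batch the web UI sends, and a helper that unwraps a response. Assumptions: the API version goes in the options dict of a single call, and SAMPLE_RESPONSE is constructed to the user_show result layout rather than captured from a server.

```python
import json

# Every IPA JSON-RPC call has the shape {"method": ..., "params": [args, options]}.
API_VERSION = "2.112"  # the version string used in the thread's batch call


def rpc_call(method, args=(), **options):
    """One IPA call: positional args in a list, keyword options in a dict."""
    return {"method": method, "params": [list(args), dict(options)]}


def single_request(method, args=(), **options):
    """Top-level call; assumption: the API version travels in the options dict."""
    return rpc_call(method, args, version=API_VERSION, **options)


def batch_request(calls):
    """Wrap several calls in one 'batch' call, as the web UI does."""
    return {"method": "batch", "params": [list(calls), {"version": API_VERSION}]}


def user_show_request(uid):
    return single_request("user_show", [uid], all=True, rights=True)


def user_bundle_request(uid):
    """The three calls from the thread, built from data instead of string concatenation."""
    return batch_request([
        rpc_call("user_show", [uid], all=True, rights=True),
        rpc_call("pwpolicy_show", [], user=uid, all=True, rights=True),
        rpc_call("krbtpolicy_show", [uid], all=True, rights=True),
    ])


def encode(request):
    """Serialise for the wire; quoting of the uid is the encoder's job, not ours."""
    return json.dumps(request, separators=(",", ":"))


def decode(text):
    return json.loads(text)


def unwrap(response):
    """Return the inner result dict of an IPA response, or raise on an API error."""
    if response.get("error"):
        raise RuntimeError(response["error"].get("message", "IPA error"))
    return response["result"]["result"]


# Constructed sample response in the user_show layout (not captured from a server).
SAMPLE_RESPONSE = {
    "result": {"result": {"uid": ["myuser"], "memberof_group": ["ipausers"]},
               "value": "myuser", "summary": None},
    "error": None, "id": 0, "principal": "admin@EXAMPLE.TEST", "version": "4.2.0",
}
```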


Re: [Freeipa-users] Documentation on the JSON format for ipa-web?

2015-12-02 Thread Alexander Bokovoy

On Wed, 02 Dec 2015, Marc Boorshtein wrote:
> Rob & Martin,
>
> Thanks.  This is a great resource.  Is there a way to generate sample
> JSONs for each command?  For instance, when I make a call to
> user_search, I use the following:
>
> String lookupjson =
> "{\"method\":\"batch\",\"params\":[[{\"method\":\"user_show\",\"params\":[[\""
> + userID + 
> "\"],{\"all\":true,\"rights\":true}]},{\"method\":\"pwpolicy_show\",\"params\":[[],{\"user\":\""
> + userID + 
> "\",\"all\":true,\"rights\":true}]},{\"method\":\"krbtpolicy_show\",\"params\":[[\""
> + userID + "\"],{\"all\":true,\"rights\":true}]}],{\"version\":\"2.112\"}]}";
>
> This was figured out by reverse engineering the calls from the browser
> to IPA Web.  Looking at the API browser it's clear that using batch
> here is probably overkill.  Based on the API browser I think I can do:
>
> {
>   "method":"user_show",
>   "params":[
>     ["myuser"],
>     {
>       "all":true,
>       "rights":true
>     }
>   ]
> }
>
> Is that accurate?  For the result object, is there something documented?

Just use 'ipa -vv user-show ...' to see formatted JSON.

Did you read my article?
https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/


--
/ Alexander Bokovoy



Re: [Freeipa-users] Documentation on the JSON format for ipa-web?

2015-12-02 Thread Marc Boorshtein
>
> just use 'ipa -vv user-show ...' to see formatted JSON.
>

excellent

> Did you read my article?
> https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
>
>

I hadn't, but this is exactly what I'm looking for.  Perfect, this
will help me clean up my implementation nicely.

Thanks
Marc
