Re: [Freeipa-users] FreeIPA and LetsEncrypt Question
Hello All,

On Wednesday 02 December 2015, 21:10:31, Fraser Tweedale wrote:
> On Mon, Nov 30, 2015 at 02:46:13PM +0200, Alexander Bokovoy wrote:
> > On Mon, 30 Nov 2015, Günther J. Niederwimmer wrote:
> > > Hello,
> > >
> > > I have the question, know any from the FreeIPA "Gurus" ;-), are the new
> > > upcoming LetsEncrypt Certificates compatible and working with FreeIPA?
> >
> > We have plans to support issuing certificates via Let's Encrypt.
>
> Günther, what are your specific wishes - to automatically acquire LE
> certs for FreeIPA server's HTTP and LDAP? Arbitrary hosts or
> services that are managed by FreeIPA?

My wishes :-)) When I can have wishes, I mean all ;-) But a nice integration for IMAP, SMTP, LDAP, HTTPS ... would be a dream.

Now I am making a test with FreeIPA and "DANE"; I hope this is working.

> > However, right now Let's encrypt only issues server certificates, not
> > CA roots, so you cannot use them to bootstrap IPA CA.
>
> This will probably always be the case.
>
> Cheers,
> Fraser

-- 
kind regards / best regards,
Günther J. Niederwimmer

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] backup/restore best practices
What does everyone do for backup/restore of their IPA infrastructure? I've read over the backup and restore on freeipa.org; I just want some real-world application out there.

Right now all of our backups are done at the SAN level. We snap the SAN aggregate containing the VMs and have those snaps available to roll back to. I'm not sure how consistent those backups might end up being at the end of the day, and I've never had to roll back in the environment to test, or have an environment to test on at that level.

-andy

*** This communication may contain privileged and/or confidential information. It is intended solely for the use of the addressee. If you are not the intended recipient, you are strictly prohibited from disclosing, copying, distributing or using any of this information. If you received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. ***
Re: [Freeipa-users] Documentation on the JSON format for ipa-web?
Hmm,

I've made a few tests against the JSON API and the API browser was available. I've used RHEL 7.2 and so I expect CentOS 7.2 to contain the API browser.

Oliver

On 01.12.2015 at 19:41, Marc Boorshtein wrote:
> > IPA 4.2 has an experimental API browser in the GUI, IPA Server -> API browser.
>
> has 4.2 made it into centos 7 yet? or only in fedora?
Re: [Freeipa-users] Documentation on the JSON format for ipa-web?
I did an upgrade yesterday and was still at 7.1, so I don't think 7.2 has been officially released.

Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902

On Wed, Dec 2, 2015 at 1:57 PM, Oliver Dörr wrote:
> Hmm,
>
> I've made a few tests against JSON API and the API browser was available.
> I've used RHEL 7.2 and so I expect CentOS 7.2 contaning the API browser.
>
> Oliver
>
>
> Am 01.12.2015 um 19:41 schrieb Marc Boorshtein:
> > >
> > > IPA 4.2 has an experimental API browser in the GUI, IPA Server -> API
> > > browser.
> > >
> > has 4.2 made it into centos 7 yet? or only in fedora?
> >
[Freeipa-users] Sudo question
Hi All,

I have spent a significant amount of time on this and am hoping some of you might have an idea. I want to limit user bob from getting to a root prompt on this test box. It seems to work until bob is able to run a command he is allowed via sudo, such as cat. Sudo -i is on the deny command list in IPA and root is local (not in IPA), with nsswitch pointing to files first, then sss.

So, logged on as user bob, the first thing attempted was sudo -i, which produces a wrong-password message even though it is the correct password; but it is denying, so fine. Then I issue sudo cat /etc/sysconfig/iptables and it allows it after I enter bob's password, which is fine. However, right after that I try sudo -i again and get a root prompt, which is not good. I am thinking since root is local and files are first, then once I sudo up, root is available. Any suggestions are welcome.

    [me@mine ~]$ ssh bob@server
    bob@servers password:
    Last login: Time: from IP
    Internal systems must only be used for conducting company business or for purposes authorized by company management
    Use is subject to audit at any time by company management
    [bob@server ~]$ sudo -i
    [sudo] password for bob:
    Sorry, try again.
    [bob@server ~]$ sudo -i
    [sudo] password for bob:
    Sorry, try again.
    [sudo] password for bob:
    Sorry, try again.
    [sudo] password for bob:
    sudo: 2 incorrect password attempts
    [bob@server ~]$ sudo cat /etc/sysconfig/iptables
    [sudo] password for bob:
    # Firewall configuration written by system-config-firewall
    # Manual customization of this file is not recommended.
    *filter
    [bob@server ~]$ sudo -i
    server.example.local:/root# cat /etc/sysconfig/iptables
    # Firewall configuration written by system-config-firewall
    # Manual customization of this file is not recommended.
    *filter

    ipa sudorule-show bob
      Rule name: bob
      Description: test sudo rule for user bob
      Enabled: TRUE
      Host category: all
      Users: bob
      Sudo Allow Commands: /sbin/iptables, /sbin/service, /bin/view, /bin/bash, /bin/netstat, /usr/bin/sudo -u user -i, /bin/cat
      Sudo Deny Commands: /usr/bin/sudo -i, /usr/bin/sudo-i, /usr/bin/sudo -u root -i

Is it just me, or is white space ignored as well with sudo commands, much like the sudo options?

Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: scho...@us.ibm.com | Tel 919 486 1397
Re: [Freeipa-users] Documentation on the JSON format for ipa-web?
On 12/01/2015 07:56 PM, Marc Boorshtein wrote:
> Great. Doesn't look like it's made it into CentOS yet (still at 7.1).
> OK, going to go ahead and get it running on Fedora 23.
>
> Thanks
> Marc Boorshtein
> CTO Tremolo Security
> marc.boorsht...@tremolosecurity.com
> (703) 828-4902
>
> On Tue, Dec 1, 2015 at 1:42 PM, Rob Crittenden wrote:
> > Marc Boorshtein wrote:
> > > > IPA 4.2 has an experimental API browser in the GUI, IPA Server -> API browser.
> > >
> > > has 4.2 made it into centos 7 yet? or only in fedora?
> >
> > It is in RHEL 7.2 and Fedora 23.
> >
> > rob

Hi Marc,

the FreeIPA public demo also features an API browser for you to inspect. See http://www.freeipa.org/page/Demo and then go to https://ipa.demo1.freeipa.org/ipa/ui/#/p/apibrowser/type=command

-- 
Martin^3 Babinsky
Re: [Freeipa-users] FreeIPA and LetsEncrypt Question
On Mon, Nov 30, 2015 at 02:46:13PM +0200, Alexander Bokovoy wrote:
> On Mon, 30 Nov 2015, Günther J. Niederwimmer wrote:
> > Hello,
> >
> > I have the question, know any from the FreeIPA "Gurus" ;-), are the new
> > upcoming LetsEncrypt Certificates compatible and working with FreeIPA?
>
> We have plans to support issuing certificates via Let's Encrypt.
>
Günther, what are your specific wishes - to automatically acquire LE
certs for FreeIPA server's HTTP and LDAP? Arbitrary hosts or
services that are managed by FreeIPA?

> However, right now Let's encrypt only issues server certificates, not
> CA roots, so you cannot use them to bootstrap IPA CA.
>
This will probably always be the case.

Cheers,
Fraser

> -- 
> / Alexander Bokovoy
Re: [Freeipa-users] FreeIPA and LetsEncrypt Question
Have a look at a recent thread that I had started. You might be able to do it manually for http/ldap certs. However, there were some issues which I haven't figured out yet. You might have better luck. Anyone should be able to try it out, given that LE enters public beta in a couple of days.

On Mon, Nov 30, 2015 at 4:46 AM, Alexander Bokovoy wrote:
> On Mon, 30 Nov 2015, Günther J. Niederwimmer wrote:
>
> > Hello,
> >
> > I have the question, know any from the FreeIPA "Gurus" ;-), are the new
> > upcoming LetsEncrypt Certificates compatible and working with FreeIPA?
> >
> We have plans to support issuing certificates via Let's Encrypt.
>
> However, right now Let's encrypt only issues server certificates, not
> CA roots, so you cannot use them to bootstrap IPA CA.
> -- 
> / Alexander Bokovoy
Re: [Freeipa-users] Documentation on the JSON format for ipa-web?
Rob & Martin,

Thanks. This is a great resource. Is there a way to generate sample JSONs for each command? For instance, when I make a call to user_search, I use the following:

    String lookupjson = "{\"method\":\"batch\",\"params\":[[{\"method\":\"user_show\",\"params\":[[\"" + userID + "\"],{\"all\":true,\"rights\":true}]},{\"method\":\"pwpolicy_show\",\"params\":[[],{\"user\":\"" + userID + "\",\"all\":true,\"rights\":true}]},{\"method\":\"krbtpolicy_show\",\"params\":[[\"" + userID + "\"],{\"all\":true,\"rights\":true}]}],{\"version\":\"2.112\"}]}";

This was figured out by reverse engineering the calls from the browser to IPA Web. Looking at the API browser, it's clear that using batch here is probably overkill. Based on the API browser I think I can do:

    {
      "method":"user_show",
      "params":[
        ["myuser"],
        {
          "all":true,
          "rights":true
        }
      ]
    }

Is that accurate? For the result object, is there something documented?

Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902

On Wed, Dec 2, 2015 at 2:53 AM, Martin Babinsky wrote:
> On 12/01/2015 07:56 PM, Marc Boorshtein wrote:
> >
> > Great. Doesn't look like its made it into CentOS yet (still at 7.1).
> > OK, going to go ahead and get it running on Fedora 23.
> >
> > Thanks
> > Marc Boorshtein
> > CTO Tremolo Security
> > marc.boorsht...@tremolosecurity.com
> > (703) 828-4902
> >
> >
> > On Tue, Dec 1, 2015 at 1:42 PM, Rob Crittenden
> > wrote:
> > >
> > > Marc Boorshtein wrote:
> > > > > IPA 4.2 has an experimental API browser in the GUI, IPA Server -> API
> > > > > browser.
> > > > has 4.2 made it into centos 7 yet? or only in fedora?
> > >
> > > It is in RHEL 7.2 and Fedora 23.
> > >
> > > rob
> >
> >
>
> Hi Marc,
>
> the FreeIPA public demo also features an API browser for you to inspect. See
> http://www.freeipa.org/page/Demo and then go to
> https://ipa.demo1.freeipa.org/ipa/ui/#/p/apibrowser/type=command
>
> -- 
> Martin^3 Babinsky
Re: [Freeipa-users] Documentation on the JSON format for ipa-web?
On Wed, 02 Dec 2015, Marc Boorshtein wrote:
> Rob & Martin,
>
> Thanks. This is a great resource. Is there a way to generate sample
> JSONs for each command? For instance, when I make a call to
> user_search, I use the following:
>
>     String lookupjson = "{\"method\":\"batch\",\"params\":[[{\"method\":\"user_show\",\"params\":[[\"" + userID + "\"],{\"all\":true,\"rights\":true}]},{\"method\":\"pwpolicy_show\",\"params\":[[],{\"user\":\"" + userID + "\",\"all\":true,\"rights\":true}]},{\"method\":\"krbtpolicy_show\",\"params\":[[\"" + userID + "\"],{\"all\":true,\"rights\":true}]}],{\"version\":\"2.112\"}]}";
>
> This was figured out by reverse engineering the calls from the browser
> to IPA Web. Looking at the API browser its clear that using batch
> here is probably overkill. Based on the api browser I think I can do:
>
>     {
>       "method":"user_show",
>       "params":[
>         ["myuser"],
>         {
>           "all":true,
>           "rights":true
>         }
>       ]
>     }
>
> Is that accurate? For the result object, is there something documented?
just use 'ipa -vv user-show ...' to see formatted JSON.

Did you read my article?
https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/

-- 
/ Alexander Bokovoy
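The request shapes Marc quotes above (a plain user_show call and the batch call) and the error-checked handling of the reply, as an added example that is not part of the thread and not FreeIPA project code. It builds the JSON-RPC bodies from data instead of string concatenation, so a uid containing a quote or backslash is escaped correctly, and it parses a constructed sample reply; the field names of that sample (result/value/summary, error with code/message/name, id, principal, version) follow the JSON-RPC layout that `ipa -vv` prints, but the values are made up for this example. Nothing is sent over the network.

```python
"""Build FreeIPA JSON-RPC requests and check replies (added example)."""
import json

API_VERSION = "2.112"  # the API version string used in the thread's request


def build_user_show_request(uid, request_id=0, api_version=API_VERSION):
    """Return the JSON-RPC request dict for a single user_show call.

    params is [positional_args, options]; the API version travels in the
    options dict next to 'all' and 'rights'.
    """
    if not isinstance(uid, str) or not uid:
        raise ValueError("uid must be a non-empty string")
    return {
        "method": "user_show",
        "params": [[uid], {"all": True, "rights": True, "version": api_version}],
        "id": request_id,
    }


def build_batch_request(uid, request_id=0, api_version=API_VERSION):
    """Same three-command batch as the Java string in the thread, built as data."""
    sub_calls = [
        {"method": "user_show",
         "params": [[uid], {"all": True, "rights": True}]},
        {"method": "pwpolicy_show",
         "params": [[], {"user": uid, "all": True, "rights": True}]},
        {"method": "krbtpolicy_show",
         "params": [[uid], {"all": True, "rights": True}]},
    ]
    return {"method": "batch",
            "params": [sub_calls, {"version": api_version}],
            "id": request_id}


def encode_request(request):
    """Serialise a request dict; json.dumps escapes quotes and backslashes in uid."""
    return json.dumps(request)


class IPAError(Exception):
    """Raised when the reply carries a non-null 'error' object."""


def parse_ipa_response(text, expected_id=0):
    """Return the 'result' member of an IPA JSON-RPC reply.

    Raises ValueError if the reply id does not match the request id (a
    mismatched or replayed reply must not be treated as the answer) and
    IPAError if the server reported an error instead of a result.
    """
    reply = json.loads(text)
    if reply.get("id") != expected_id:
        raise ValueError("reply id %r does not match request id %r"
                         % (reply.get("id"), expected_id))
    err = reply.get("error")
    if err is not None:
        raise IPAError("%s: %s (code %s)"
                       % (err.get("name"), err.get("message"), err.get("code")))
    return reply["result"]


def first_value(attrs, name):
    """IPA returns most attributes as lists; return the first value or None."""
    values = attrs.get(name)
    if isinstance(values, list):
        return values[0] if values else None
    return values


# Constructed sample replies (values invented for this example).
SAMPLE_OK_REPLY = json.dumps({
    "result": {
        "result": {"uid": ["myuser"], "memberof_group": ["ipausers"],
                   "nsaccountlock": False},
        "value": "myuser",
        "summary": None,
    },
    "error": None,
    "id": 0,
    "principal": "admin@EXAMPLE.TEST",
    "version": "4.2.0",
})

SAMPLE_ERROR_REPLY = json.dumps({
    "result": None,
    "error": {"code": 4001, "message": "nosuchuser: user not found",
              "name": "NotFound"},
    "id": 0,
    "principal": "admin@EXAMPLE.TEST",
    "version": "4.2.0",
})


if __name__ == "__main__":
    print(encode_request(build_user_show_request("myuser")))
    result = parse_ipa_response(SAMPLE_OK_REPLY)
    print("uid:", first_value(result["result"], "uid"))
    try:
        parse_ipa_response(SAMPLE_ERROR_REPLY)
    except IPAError as exc:
        print("server error:", exc)
```

The reply-id check matters once requests are pipelined over a session: the id is the only thing tying an answer to the question that was asked. Session establishment and the headers the server expects are covered in the article Alexander links above.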
Re: [Freeipa-users] Documentation on the JSON format for ipa-web?
> just use 'ipa -vv user-show ...' to see formatted JSON.
>
excellent

> Did you read my article?
> https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
>
I hadn't, but this is exactly what I'm looking for. Perfect, this will help me clean up my implementation nicely.

Thanks
Marc