[Freeipa-users] FreeIPA JSON API does not work behind Load Balancer because Services4User

2016-10-20 Thread Klíma David
Hi all, I need advice or help with a FreeIPA deployment behind an F5 BIG-IP 
load balancer. My goal is to have all FreeIPA services (including the JSON/XML API) 
behind the load balancer for FreeIPA clients.

>> Because RHEL support told me that IPA behind a load balancer is not supported, I 
>> started from these articles (I recommend you read them, and I thank the people 
>> who wrote them):

https://www.redhat.com/archives/freeipa-users/2015-March/msg00965.html
http://directory.fedoraproject.org/docs/389ds/howto/howto-loadbalance-gssapi.html
https://ssimo.org/blog/id_019.html
https://access.redhat.com/solutions/547723
http://firstyear.id.au/blog/html/2015/12/11/Load_balanced_389_instance_with_freeipa_kerberos_domain..html
http://www.freeipa.org/page/V4/Keytab_Retrieval#Use_Case:_A_load_balancing_cluster_of_HTTP_server_that_allow_GSSAPI.2FKrb5_negotiation_.28TBD.29
https://www.freeipa.org/page/V4/Service_Constraint_Delegation
http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
https://www.adelton.com/freeipa/freeipa-behind-ssl-proxy

>> For now I have one pool with one FreeIPA node (for easy debugging):
hostname: ipa-01.internal.services

>> And the VIP hostname for clients:
hostname: hub.internal.services

                           hub.internal.services
                          +--------------------+
  +----------+    TLS     |                    |    TLS     +----------------+
  |  Client  +----------->|    Loadbalancer    +----------->|  freeIPA node  |
  +----------+            |                    |            +----------------+
                          +--------------------+            ipa-01.internal.services


>> After ipa-server-install, I first created a fake host to which I assign 
>> services. This is the fake host for the load balancer:

ipa host-add hub.internal.services --force --random
ipa host-allow-retrieve-keytab hub.internal.services --users=admin
ipa-getkeytab -s ipa-01.internal.services -p host/hub.internal.services -k /etc/krb5.keytab \
  -e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,des3-cbc-sha1,arcfour-hmac,camellia128-cts-cmac,camellia256-cts-cmac

>> Second, I created the LDAP service, because I need a keytab for 
>> ldap/hub.internal.services (after retrieval it is merged into 
>> /etc/dirsrv/ds.keytab):

ipa service-add --force ldap/hub.internal.services
ipa service-add-host ldap/hub.internal.services --hosts=ipa-01.internal.services
ipa service-allow-retrieve-keytab ldap/hub.internal.services --users=admin
ipa-getkeytab -s ipa-01.internal.services -p ldap/hub.internal.services -k /etc/dirsrv/ds.keytab \
  -e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,des3-cbc-sha1,arcfour-hmac,camellia128-cts-cmac,camellia256-cts-cmac
chown dirsrv:dirsrv /etc/dirsrv/ds.keytab

>> Next I created the HTTP service; I need a keytab for HTTP/hub.internal.services 
>> (after retrieval it is merged into /etc/httpd/conf/ipa.keytab):

ipa service-add --force HTTP/hub.internal.services
ipa service-add-host HTTP/hub.internal.services --hosts={ipa-01.internal.services,ipa-02.internal.services,ipa-03.internal.services}
ipa service-allow-retrieve-keytab HTTP/hub.internal.services --users=admin
ipa-getkeytab -s ipa-01.internal.services -p HTTP/hub.internal.services -k /etc/httpd/conf/ipa.keytab \
  -e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,des3-cbc-sha1,arcfour-hmac,camellia128-cts-cmac,camellia256-cts-cmac
chown apache:apache /etc/httpd/conf/ipa.keytab

>> Check the keytabs:

klist -Kket /etc/krb5.keytab
klist -Kket /etc/dirsrv/ds.keytab
klist -Kket /etc/httpd/conf/ipa.keytab

All keytabs look like this:
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------------------
   3 13.5.2016 22:05:14 ldap/ipa-01.internal.services@INTERNAL.SERVICES (aes256-cts-hmac-sha1-96)  (0x0b8140ce7a7a521cbacecda8902e7c7a6b61fd21758997fb2f2721d9f2d3c8e5)
   3 13.5.2016 22:05:14 ldap/ipa-01.internal.services@INTERNAL.SERVICES (aes128-cts-hmac-sha1-96)  (0x4247b97e7b2b62a49094105b86740537)
   3 13.5.2016 22:05:14 ldap/ipa-01.internal.services@INTERNAL.SERVICES (des3-cbc-sha1)  (0x67851f1a16f8df45b30b1a89fe677ad03eaeae6ba2940e4a)
   3 13.5.2016 22:05:14 ldap/ipa-01.internal.services@INTERNAL.SERVICES (arcfour-hmac)  (0xed6d8caba385fdd8b5775e2f17303fb6)
   1 13.5.2016 23:00:43 ldap/hub.internal.services@INTERNAL.SERVICES (aes256-cts-hmac-sha1-96)  (0x439341b1848dc91f02f6b38f2e04446e9f7f8547d8251a708dce99d1526e961a)
   1 13.5.2016 23:00:43 ldap/hub.internal.services@INTERNAL.SERVICES (aes128-cts-hmac-sha1-96)  (0x11e1c820db6b49bb9290c0c9e2888914)
   1 13.5.2016 23:00:43 ldap/hub.internal.services@INTERNAL.SERVICES (des3-cbc-sha1)  (0xbad3cb89fbf132abbcad29bcfd79fb4532cedfe90bf1078f)
   1 13.5.2016 23:00:43
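An added consistency check for the pool the post builds (example code written for this page, not from the post or from the FreeIPA project). It parses `klist -Kket` output of the kind shown above, collected from the service keytab on each node, and verifies what a load-balanced GSSAPI service depends on: the VIP principal is present in every node's keytab, and its KVNO and key bytes are identical on every node, because a client holding a ticket for ldap/hub.internal.services can be sent to any node by the balancer. ipa-getkeytab without -r generates a new key and bumps the KVNO, so repeating the per-node retrieval on a second node invalidates the copy held by the first; -r (retrieve the existing key, which is what service-allow-retrieve-keytab permits) keeps them in step. The check also flags the legacy enctypes (des3-cbc-sha1, arcfour-hmac) that the -e list requests. The klist output, node names beyond ipa-01 and all key hex values are constructed sample input.

```python
import re

# One entry line of `klist -Kket`: KVNO, timestamp (date + time), principal,
# "(enctype)" and "(0xkey)" as printed by MIT krb5 klist.
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<ts>\S+\s+\S+)\s+(?P<princ>\S+)\s+"
    r"\((?P<etype>[^)]+)\)\s+\((?P<key>0x[0-9a-fA-F]+)\)\s*$"
)

# Enctypes that a new deployment should not request with -e.
WEAK_ETYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac"}


def parse_klist(text):
    """Parse `klist -Kket` output into (keytab_name, list of entry dicts)."""
    name = None
    entries = []
    for line in text.splitlines():
        if line.startswith("Keytab name:"):
            name = line.split(":", 1)[1].strip()
            continue
        m = ENTRY_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["kvno"] = int(entry["kvno"])
            entries.append(entry)
    return name, entries


def check_pool(vip_principal, outputs):
    """outputs maps node name -> `klist -Kket` text of that node's service keytab.

    Returns a list of findings; an empty list means every node can decrypt
    tickets for vip_principal and the nodes are interchangeable behind the VIP.
    """
    findings = []
    vip_keys = {}  # node -> {enctype: (kvno, key hex)}
    for node, text in outputs.items():
        _name, entries = parse_klist(text)
        mine = [e for e in entries if e["princ"] == vip_principal]
        if not mine:
            findings.append("%s: %s not in keytab" % (node, vip_principal))
            continue
        vip_keys[node] = {e["etype"]: (e["kvno"], e["key"]) for e in mine}
        for e in mine:
            if e["etype"] in WEAK_ETYPES:
                findings.append("%s: %s has weak enctype %s"
                                % (node, vip_principal, e["etype"]))
    # The balancer may hand a client's ticket to any node, so KVNO and key
    # bytes for every enctype must be identical on all of them.  Running
    # ipa-getkeytab without -r on a second node generates a fresh key with a
    # new KVNO and silently invalidates the copy held by the first node.
    if len(vip_keys) > 1:
        ref_node = next(iter(vip_keys))
        for node, keys in vip_keys.items():
            if node != ref_node and keys != vip_keys[ref_node]:
                findings.append(
                    "%s: key/KVNO for %s differs from %s (regenerated instead of retrieved?)"
                    % (node, vip_principal, ref_node))
    return findings


VIP = "ldap/hub.internal.services@INTERNAL.SERVICES"

# Constructed sample output in klist -Kket layout; the key hex values are made up.
_HEADER = ("Keytab name: FILE:/etc/dirsrv/ds.keytab\n"
           "KVNO Timestamp           Principal\n"
           "---- ------------------- ------------------------------\n")


def _entry(kvno, princ, etype, key):
    return "%4d 13.5.2016 23:00:43 %s (%s)  (%s)\n" % (kvno, princ, etype, key)


_GOOD_VIP = (_entry(1, VIP, "aes256-cts-hmac-sha1-96", "0x" + "11" * 32)
             + _entry(1, VIP, "aes128-cts-hmac-sha1-96", "0x" + "22" * 16))

# Two nodes that retrieved the same VIP key (ipa-getkeytab -r): consistent.
SAMPLE_OK = {
    "ipa-01": _HEADER + _entry(3, "ldap/ipa-01.internal.services@INTERNAL.SERVICES",
                                "aes256-cts-hmac-sha1-96", "0x" + "aa" * 32) + _GOOD_VIP,
    "ipa-02": _HEADER + _entry(3, "ldap/ipa-02.internal.services@INTERNAL.SERVICES",
                                "aes256-cts-hmac-sha1-96", "0x" + "bb" * 32) + _GOOD_VIP,
}

# A third node that re-ran ipa-getkeytab without -r: KVNO 2, different key
# bytes, and the weak arcfour-hmac enctype requested with -e.
SAMPLE_DRIFT = dict(SAMPLE_OK)
SAMPLE_DRIFT["ipa-03"] = (_HEADER
                          + _entry(2, VIP, "aes256-cts-hmac-sha1-96", "0x" + "33" * 32)
                          + _entry(2, VIP, "aes128-cts-hmac-sha1-96", "0x" + "44" * 16)
                          + _entry(2, VIP, "arcfour-hmac", "0x" + "55" * 16))

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("drift", SAMPLE_DRIFT)):
        print(label, check_pool(VIP, sample) or "no findings")
```

In practice you would run `klist -Kket /etc/dirsrv/ds.keytab` (and the HTTP and host keytabs) on each node as root, collect the outputs into the dictionary, and run the check before putting a node into the pool; key bytes should stay on the node that printed them, so compare hashes of the key column instead if the outputs leave the host.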

Re: [Freeipa-users] FreeIPA behind Apache Reverse Proxy and Load Balancer

2016-12-08 Thread Klíma David
Hi Simo, I think this is not true, because the IPA JSON API is also part of the 
IPA web UI, and there is a problem with load balancing there, as you can see 
at https://www.redhat.com/archives/freeipa-users/2016-October/msg00223.html.

David

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] Extending FreeIPA with a custom attribute (ipa-server-4.4.0)

2017-03-29 Thread Klíma David
Hi, can anybody help me with extending the FreeIPA server? I have a few custom 
attributes in the DS schema. I would like to be able to change the newly added 
attributes via the JSON API and thus via the CLI tool.

Today I updated from version ipa-server-4.2.0 to ipa-server-4.4.0 from the standard 
RHEL repo and I see that the plugin directory is in another location, 
/usr/lib/python2.7/site-packages/ipaclient/plugins (the old location in version 
4.2.0 was /usr/lib/python2.7/site-packages/ipalib/plugins/), and my old CLI 
extension stopped working with this error message:

ipa: ERROR: ImportError: No module named plugins

There is no documentation about that, nor any examples. Can anybody help me 
rewrite this simple code to work with the new API version?

from ipalib.plugins import user   # 4.2.0 location of the user plugin
from ipalib.parameters import Int
from ipalib.parameters import Str
from ipalib import _

# Append the custom LDAP attribute to the user object's parameter list
user.user.takes_params = user.user.takes_params + (
    Str('mailroutingaddress?',
        cli_name='mailroutingaddress',
        label=_('Mail routing address'),
    ),
)


[root@ipa-03 plugins]# rpm -qa | grep ipa-server
ipa-server-4.4.0-12.el7.x86_64
ipa-server-common-4.4.0-12.el7.noarch
ipa-server-dns-4.4.0-12.el7.noarch

https://serverfault.com/questions/809810/minimal-example-of-extending-already-existing-api-and-cli-call-in-freeipa-4


Thank you a lot!
David
