[Freeipa-users] FreeIPA, Ipsilon, Duo Security integration

2016-12-01 Thread Mike Jacobacci
Hi,

As of now, we have FreeIPA/FreeRadius with OTP and Ipsilon working
perfectly.  Now, I am looking at possibly integrating Duo security instead
of FreeIPA's 2FA.  I am concerned about how it will fit in with Ipsilon and
FreeIPA... Has anyone else tried this before?  If so, are there any
pitfalls or problems you have encountered or any general advice?

Cheers,
Mike
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Host with Multiple hostnames

2016-11-28 Thread Mike Jacobacci
Hello,

I am sorry for the simple question, but I am using FreeIPA as our DNS
server and I am trying to figure out how to map a second hostname to a
host... I am unsure of the best way to do it. I am just trying to give
a server a user friendly name for access and I don't want to change the
system hostname.

I thought I could just add a CNAME entry for the host record, but it fails
with the following error:

invalid 'cnamerecord': CNAME record is not allowed to coexist with any
other record (RFC 1034, section 3.6.2)

Is there an easy way I can do this?

Cheers,
Mike
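An added example (my own code, not from the post or from FreeIPA) that models the rule behind the error quoted above: a name that owns a CNAME may own nothing else, so a friendly name has to be a separate owner name whose only record is the CNAME pointing at the host. The zone contents and names (`example.test`, `fileserver`, `files`) are constructed for the demonstration.

```python
# Added example: a small in-memory zone that enforces RFC 1034 section 3.6.2
# the way the error in the post describes. Zone layout (constructed):
# {owner_name: {rrtype: [rdata, ...]}}.

class CnameConflict(ValueError):
    """Raised when a change would make a CNAME coexist with another record."""


def add_record(zone, name, rrtype, rdata):
    """Add one record to `zone`, refusing any combination that would put a
    CNAME and any other record (including a second CNAME) under one name."""
    name = name.lower().rstrip('.')
    rrsets = zone.get(name, {})
    if rrtype == 'CNAME' and rrsets:
        raise CnameConflict(
            f"CNAME record is not allowed to coexist with any other record "
            f"at {name} (RFC 1034, section 3.6.2)")
    if rrtype != 'CNAME' and 'CNAME' in rrsets:
        raise CnameConflict(
            f"{name} already owns a CNAME; cannot add a {rrtype} record "
            f"(RFC 1034, section 3.6.2)")
    rrsets.setdefault(rrtype, []).append(rdata)
    zone[name] = rrsets
    return zone


def add_alias(zone, alias, target):
    """The shape the rule permits: the friendly name is a *new* owner name
    that holds only a CNAME pointing at the host's existing name."""
    target = target.lower().rstrip('.')
    if target not in zone:
        raise KeyError(f"alias target {target} has no records in the zone")
    return add_record(zone, alias, 'CNAME', target)


def resolve(zone, name, rrtype, max_hops=8):
    """Follow CNAMEs (bounded, so a loop cannot spin forever) and return the
    rdata list of the requested type at the final owner, or [] if absent."""
    name = name.lower().rstrip('.')
    for _ in range(max_hops):
        rrsets = zone.get(name, {})
        if rrtype in rrsets:
            return list(rrsets[rrtype])
        if 'CNAME' in rrsets:
            name = rrsets['CNAME'][0]
            continue
        return []
    raise RuntimeError(f"CNAME chain ending at {name} exceeds {max_hops} hops")


def demo():
    """Constructed zone: one host with an A record, then a friendly alias.
    Returns (was_the_bad_cname_rejected, what_the_alias_resolves_to)."""
    zone = {}
    add_record(zone, 'fileserver.example.test', 'A', '192.0.2.10')
    try:
        # What the post tried: a CNAME on the host's own name. Rejected.
        add_record(zone, 'fileserver.example.test', 'CNAME', 'files.example.test')
        rejected = False
    except CnameConflict:
        rejected = True
    # The alias as its own owner name: allowed, and it resolves to the host's A.
    add_alias(zone, 'files.example.test', 'fileserver.example.test')
    return rejected, resolve(zone, 'files.example.test', 'A')


if __name__ == '__main__':
    print(demo())  # (True, ['192.0.2.10'])
```

In FreeIPA the same shape is `ipa dnsrecord-add example.test files --cname-rec=fileserver.example.test.`: the alias is created as its own record name, and the target is written fully qualified with a trailing dot.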

[Freeipa-users] pfSense/FreeIPA LDAP Extended Query Fails

2016-08-31 Thread Mike Jacobacci
Hi,

I have just got authentication against my FreeIPA system working by following this:
https://ask.fedoraproject.org/en/que...uthentication/


The only change I had to make was to set the Search Scope level to "entire subtree" and I also left the extended query unchecked... With that setup I am able to authenticate using "Diagnostics->Authentication".

I really want to restrict access so I can use FreeIPA for our VPN auth, so I tried using the following extended query but it fails:
&(memberOf=cn=admins,cn=groups,cn=accounts,dc=domain,dc=com)

Looking in pfSense logs, using the extended query (fails):

[24/Aug/2016:11:07:16 -0700] conn=1396 fd=116 slot=116 SSL connection from * to *
[24/Aug/2016:11:07:16 -0700] conn=1396 TLS1.2 256-bit AES-GCM
[24/Aug/2016:11:07:16 -0700] conn=1396 op=0 BIND dn="" method=128 version=3
[24/Aug/2016:11:07:16 -0700] conn=1396 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[24/Aug/2016:11:07:16 -0700] conn=1396 op=1 SRCH base="cn=accounts,dc=domain,dc=com" scope=2 filter="(&(uid=user)(&(memberOf=cn=admins,cn=groups,cn=accounts,dc=domain,dc=com)))" attrs=ALL
[24/Aug/2016:11:07:16 -0700] conn=1396 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[24/Aug/2016:11:07:16 -0700] conn=1396 op=2 UNBIND
[24/Aug/2016:11:07:16 -0700] conn=1396 op=2 fd=116 closed - U1

Without the query (success):
[30/Aug/2016:10:23:25 -0700] conn=6432 fd=110 slot=110 SSL connection from * to *
[30/Aug/2016:10:23:25 -0700] conn=6432 TLS1.2 256-bit AES-GCM
[30/Aug/2016:10:23:25 -0700] conn=6432 op=0 BIND dn="" method=128 version=3
[30/Aug/2016:10:23:25 -0700] conn=6432 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[30/Aug/2016:10:23:25 -0700] conn=6432 op=1 SRCH base="cn=compat,dc=domain,dc=com" scope=2 filter="(uid=user1)" attrs=ALL
[30/Aug/2016:10:23:25 -0700] conn=6432 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[30/Aug/2016:10:23:25 -0700] conn=6432 op=2 BIND dn="uid=user1,cn=users,cn=compat,dc=domain,dc=com" method=128 version=3
[30/Aug/2016:10:23:25 -0700] conn=6432 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=user1,cn=users,cn=accounts,dc=domain,dc=com"
[30/Aug/2016:10:23:25 -0700] conn=6433 fd=118 slot=118 SSL connection from * to *
[30/Aug/2016:10:23:25 -0700] conn=6432 op=3 UNBIND
[30/Aug/2016:10:23:25 -0700] conn=6432 op=3 fd=110 closed - U1
[30/Aug/2016:10:23:25 -0700] conn=6433 TLS1.2 256-bit AES-GCM
[30/Aug/2016:10:23:25 -0700] conn=6433 op=0 BIND dn="" method=128 version=3
[30/Aug/2016:10:23:25 -0700] conn=6433 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[30/Aug/2016:10:23:25 -0700] conn=6433 op=1 SRCH base="uid=user1,cn=users,cn=compat,dc=domain,dc=com" scope=2 filter="(uid=user1)" attrs="memberOf"
[30/Aug/2016:10:23:25 -0700] conn=6433 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[30/Aug/2016:10:23:25 -0700] conn=6433 op=2 UNBIND
[30/Aug/2016:10:23:25 -0700] conn=6433 op=2 fd=118 closed - U1

I changed the cn from accounts to compat for the auth container, but that doesn't make a difference. The last search shows attrs="memberOf", but any time I add an extended query the logs show attrs="all"; not sure if that means anything. I tried adding the full memberOf path under the group member attribute, but that didn't restrict access, although the auth is still successful.

[30/Aug/2016:10:42:12 -0700] conn=6460 op=1 SRCH base="uid=user3,cn=users,cn=compat,dc=domain,dc=com" scope=2 filter="(uid=user3)" attrs="memberof=cn=admins,cn=groups,cn=compat,dc=domain,dc=com"
[30/Aug/2016:10:42:12 -0700] conn=6460 op=1 RESULT err=0 tag=101 nentries=1 etime=0

When doing an ldapsearch, I can see the group:

# admins, groups, compat, domain.com
dn: cn=admins,cn=groups,cn=compat,dc=domain,dc=com
ipaAnchorUUID:: 
gidNumber: 5
memberUid: admin
memberUid: user1
memberUid: user2
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
cn: admins

Any help would be greatly appreciated.

Cheers,
Mike
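An added example (my own code, not pfSense's or FreeIPA's) for reading 389-ds access log lines like the ones in this post: it pairs each SRCH with its RESULT on the same connection and operation number, records which DN the connection was bound as when the search ran, and flags membership-filter searches that came back empty on an anonymous bind. The sample lines are the post's own log entries for conn=1396 and conn=6432 with the e-mail line wrapping removed; the parsing rules (which fields are quoted, that tag=97 is a bind response) are the log format as I know it. What the pairing makes visible is that the memberOf search ran on a connection bound as dn="", i.e. anonymously; in 389-ds a filter on an attribute the bound identity is not allowed to read matches nothing while still returning err=0, so whether anonymous can read memberOf on the server is the first thing to verify.

```python
import re
from collections import defaultdict

# Constructed sample: the post's 389-ds access log lines, unwrapped.
# conn=1396 is the attempt with the memberOf extended query, conn=6432 the
# attempt without it.
ACCESS_LOG = """\
[24/Aug/2016:11:07:16 -0700] conn=1396 fd=116 slot=116 SSL connection from * to *
[24/Aug/2016:11:07:16 -0700] conn=1396 op=0 BIND dn="" method=128 version=3
[24/Aug/2016:11:07:16 -0700] conn=1396 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[24/Aug/2016:11:07:16 -0700] conn=1396 op=1 SRCH base="cn=accounts,dc=domain,dc=com" scope=2 filter="(&(uid=user)(&(memberOf=cn=admins,cn=groups,cn=accounts,dc=domain,dc=com)))" attrs=ALL
[24/Aug/2016:11:07:16 -0700] conn=1396 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[24/Aug/2016:11:07:16 -0700] conn=1396 op=2 UNBIND
[24/Aug/2016:11:07:16 -0700] conn=1396 op=2 fd=116 closed - U1
[30/Aug/2016:10:23:25 -0700] conn=6432 op=0 BIND dn="" method=128 version=3
[30/Aug/2016:10:23:25 -0700] conn=6432 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[30/Aug/2016:10:23:25 -0700] conn=6432 op=1 SRCH base="cn=compat,dc=domain,dc=com" scope=2 filter="(uid=user1)" attrs=ALL
[30/Aug/2016:10:23:25 -0700] conn=6432 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[30/Aug/2016:10:23:25 -0700] conn=6432 op=2 BIND dn="uid=user1,cn=users,cn=compat,dc=domain,dc=com" method=128 version=3
[30/Aug/2016:10:23:25 -0700] conn=6432 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=user1,cn=users,cn=accounts,dc=domain,dc=com"
[30/Aug/2016:10:23:25 -0700] conn=6432 op=3 UNBIND
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
OP_RE = re.compile(r'^op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<args>.*)$')
QUOTED_RE = re.compile(r'(\w+)="([^"]*)"')   # base="...", filter="...", dn=""
BARE_RE = re.compile(r'(\w+)=([^\s"]+)')     # scope=2, err=0, nentries=1 ...


def parse_args(args):
    """Turn the tail of an op line into a dict. Quoted values are taken first
    (an LDAP filter contains '=' and spaces), then the bare key=value pairs."""
    fields = dict(QUOTED_RE.findall(args))
    for key, value in BARE_RE.findall(QUOTED_RE.sub('', args)):
        fields.setdefault(key, value)
    return fields


def summarize(log_text):
    """Return {conn: [search, ...]}; each search carries the base, filter,
    requested attrs, result code, entry count and the DN the connection was
    bound as at the time ('' means anonymous, None means never bound)."""
    conns = defaultdict(lambda: {'bound_as': None, 'pending': {}, 'searches': []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        om = OP_RE.match(m.group('rest')) if m else None
        if not om:
            continue  # handshake / fd lines carry no operation
        state = conns[m.group('conn')]
        op, kind = om.group('op'), om.group('kind')
        fields = parse_args(om.group('args'))
        if kind == 'BIND':
            state['pending'][op] = ('BIND', fields.get('dn', ''))
        elif kind == 'SRCH':
            state['pending'][op] = ('SRCH', {
                'bound_as': state['bound_as'],
                'base': fields.get('base', ''),
                'filter': fields.get('filter', ''),
                'attrs': fields.get('attrs', ''),
            })
        elif kind == 'RESULT':
            started = state['pending'].pop(op, None)
            if started is None:
                continue
            what, payload = started
            err = int(fields.get('err', '-1'))
            if what == 'BIND':
                # Only a successful bind (err=0) changes the identity; the
                # RESULT line carries the DN the server resolved the bind to.
                if err == 0:
                    state['bound_as'] = fields.get('dn', payload)
            else:
                payload['err'] = err
                payload['nentries'] = int(fields.get('nentries', '0'))
                state['searches'].append(payload)
    return {conn: st['searches'] for conn, st in conns.items()}


def diagnose(searches_by_conn):
    """Flag membership-filter searches that matched nothing although the
    server reported success; report the identity they ran under."""
    findings = []
    for conn, searches in sorted(searches_by_conn.items()):
        for s in searches:
            if s['err'] == 0 and s['nentries'] == 0 and 'memberof=' in s['filter'].lower():
                who = 'anonymous' if s['bound_as'] == '' else repr(s['bound_as'])
                findings.append(
                    f"conn={conn}: filter {s['filter']} under base {s['base']} "
                    f"matched 0 entries while bound as {who}")
    return findings


if __name__ == '__main__':
    for finding in diagnose(summarize(ACCESS_LOG)):
        print(finding)
```

Run against a longer capture, the same pairing shows at a glance which searches ran before the user bind and which after it, which is the distinction that matters when the server's read permissions differ between anonymous and authenticated identities.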