[Freeipa-users] Read Only LDAP Replicas

2014-12-26 Thread Prashant Bapat
Hi All,

I'm trying to implement FreeIPA for Users and SSH pub keys management in
our infra. We have a setup that spans multiple geographies. What we are
thinking is something like below.

1. Have 2 full FreeIPA servers with multi master replicas in one region.
2. In other regions just have a LDAP read-only replica.
3. Use the AuthorizedKeysCommand in SSH to look for a users pub key in the
respective region's LDAP.

Has anyone tried something on these lines?

Please share your experiences.

Thanks.
--Prashant
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Client configuration to point to Replica server once master service failed

2014-12-31 Thread Prashant Bapat
You could use DNS based failover for this.

Configure DNS with a low TTL value like 60 secs. When the primary fails,
update the DNS with the secondary.

Services like Dynect offer this.

On 1 January 2015 at 11:05, Sanju A sanj...@tcs.com wrote:

 Hi All,

 I have configured Master - Master replication and replication (bi
 direction) is working fine.
 Can I get the configuration that has to be added/modified in server/client
 machine so as to point to the replica server once the master failed. Right
 now it is not working.


 Regards
 Sanju Abraham
 IS - Network/System Administrator
 Tata Consultancy Services
 TCS Centre SEZ Unit,
 Infopark PO,
 Kochi - 682042,Kerala
 India
 Ph:-   +91 484 6187490
 Mailto: sanj...@tcs.com
 Website: http://www.tcs.com
 


[Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Prashant Bapat
Hi,

I'm trying to get 2 FreeIPA servers in a replicated mode behind a load
balancer, specifically Amazon ELB.

I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but looks
like there is more to it than just this file.

Any suggestions ?

Thanks.
--Prashant

[Freeipa-users] nsAccountLock attribute

2015-03-31 Thread Prashant Bapat
Hi ,

Is there a way of making the nsAccountLock attribute (User enable/disable)
to be anonymously readable ?

I'm trying to implement an SSH key lookup script for the sshd
AuthorizedKeysCommand. Based on this attribute the user will be allowed to
log in. I need this to be anonymously readable.

Tried setting the permissions but it does not work.

Any other ideas on this ?

Thanks for your help.

--Prashant
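The setup asked about in the first message of this page (a region-local read-only replica queried from an sshd AuthorizedKeysCommand) and the question above about honouring nsAccountLock can be served by one small wrapper. The script below is an added example, not code from the thread and not FreeIPA's own; where a host can run SSSD, FreeIPA's supported route is sss_ssh_authorizedkeys, and this is only for hosts that cannot. The replica URI, the user base DN and the assumption that an IPA permission has made nsAccountLock anonymously readable are all mine, not from the thread. The wrapper parses ldapsearch's LDIF output itself (folded lines and base64 values included), allow-lists the username that sshd passes as %u so no LDAP filter metacharacter can reach the query, and returns no keys for a locked, missing or ambiguous user. One caveat the thread's design carries: a read-only replica only learns about a lock through replication, so a freshly disabled account stays usable for the replication delay.

```python
#!/usr/bin/env python3
"""sshd AuthorizedKeysCommand helper: look up a user's ipaSshPubKey values in
a FreeIPA LDAP replica and return no keys at all for a locked account.
Added example, not FreeIPA code (FreeIPA's supported path is SSSD's
sss_ssh_authorizedkeys).  LDAPS_URI, USER_BASE and the anonymous bind are
assumptions; they presume an IPA permission has made nsAccountLock readable.
"""
import base64
import re
import subprocess
import sys

LDAPS_URI = "ldaps://ipa-ro.example.com"               # assumed replica
USER_BASE = "cn=users,cn=accounts,dc=example,dc=com"   # assumed suffix
# sshd hands us %u verbatim: allow-list POSIX login names so that no LDAP
# filter metacharacter ('*', '(', ')', backslash) can ever reach the query.
SAFE_USER = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")


def ldapsearch_argv(user):
    """argv for ldapsearch; raises ValueError on a name outside the allow-list."""
    if not SAFE_USER.match(user):
        raise ValueError("refusing suspicious username %r" % user)
    return ["ldapsearch", "-LLL", "-x", "-H", LDAPS_URI, "-b", USER_BASE,
            "-s", "one", "(&(objectClass=posixAccount)(uid=%s))" % user,
            "uid", "nsAccountLock", "ipaSshPubKey"]


def _logical_lines(text):
    """Unfold LDIF: a line starting with one space continues the previous one."""
    buf = None
    for raw in text.splitlines():
        if raw.startswith(" ") and buf is not None:
            buf += raw[1:]
        else:
            if buf is not None:
                yield buf
            buf = raw
    if buf is not None:
        yield buf


def parse_ldif(text):
    """One {attr_lowercase: [values]} dict per entry; 'attr::' values are base64."""
    entries, current = [], {}
    for line in _logical_lines(text):
        if not line.strip():                 # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def authorized_keys(ldif_text):
    """authorized_keys lines for the one entry in ldif_text; [] if the user is
    missing, ambiguous (several entries) or has nsAccountLock: TRUE."""
    entries = parse_ldif(ldif_text)
    if len(entries) != 1:
        return []
    entry = entries[0]
    if any(v.upper() == "TRUE" for v in entry.get("nsaccountlock", [])):
        return []
    # Only hand sshd key types it understands; anything else is dropped.
    return [k.strip() for k in entry.get("ipasshpubkey", [])
            if k.split() and k.split()[0].startswith(("ssh-", "ecdsa-", "sk-"))]


# Constructed sample reply as ldapsearch -LLL prints it (one folded line);
# the key material is placeholder text, not a real key.
SAMPLE_ACTIVE = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
ipaSshPubKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterialForT
 heExampleOnly alice@laptop
"""


def main(argv):
    if len(argv) != 2:
        sys.exit(2)
    try:
        out = subprocess.run(ldapsearch_argv(argv[1]), capture_output=True,
                             text=True, timeout=5, check=True)
    except (ValueError, OSError, subprocess.SubprocessError):
        sys.exit(1)                          # bad name or LDAP down: no keys
    sys.stdout.write("".join(k + "\n" for k in authorized_keys(out.stdout)))


if __name__ == "__main__":
    main(sys.argv)
```

Install it as, say, /usr/local/sbin/ipa-ssh-keys and set `AuthorizedKeysCommand /usr/local/sbin/ipa-ssh-keys %u` together with `AuthorizedKeysCommandUser nobody` in sshd_config. A non-zero exit (rejected name, LDAP unreachable) makes sshd discard the command's output, so an outage does not grant access; only whatever AuthorizedKeysFile still allows remains usable.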

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Prashant Bapat
Just the web UI.

Thanks.
--Prashant
On Mar 31, 2015 5:32 PM, Matt . yamakasi@gmail.com wrote:

 Hi Prashant,

 Check my mailings about it; it's not easy, at least not the Kerberos part.
 SRV records are normally used for that.

 Are you talking about the web GUI or the LDAP part?

 Cheers,

 Matt

 2015-03-31 13:56 GMT+02:00 Prashant Bapat prash...@apigee.com:
  Hi,
 
  I'm trying to get 2 FreeIPA servers in a replicated mode behind a load
  balancer, specifically Amazon ELB.
 
  I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but looks
 like
  there is more to it than just this file.
 
  Any suggestions ?
 
  Thanks.
  --Prashant
 

Re: [Freeipa-users] nsAccountLock attribute

2015-04-01 Thread Prashant Bapat
Hi Jan,

Thanks for your response. But my problem is AmazonLinux does not support
ipa-client or sssd. No binaries available, lots of dependency issues
compiling from source.

So the route I have taken is to use FreeIPA on Fedora 21, use authconfig
to enumerate users/groups, and have an SSH command to look up the keys.

Thanks.
--Prashant

On 1 April 2015 at 11:06, Jan Cholasta jchol...@redhat.com wrote:

 Hi,

 Dne 1.4.2015 v 07:09 Prashant Bapat napsal(a):

  Hi ,

 Is there a way of making the nsAccountLock attribute (User
 enable/disable) to be anonymously readable ?

 I'm trying to implement a SSH key lookup sshd authorized key command
 script. Based on this attribute the user will be allowed to login. I
 need this to be anonymously readable.

 Tried setting the permissions but it does not work.

 Any other ideas on this ?


 If your SSH server is a properly configured IPA host (i.e. you had run
 ipa-client-install or ipa-server-install on it), rejecting locked user
 login should work automatically, without having to configure anything.



 Thanks for your help.

 --Prashant



 --
 Jan Cholasta


Re: [Freeipa-users] Adding a custom attribute to user object

2015-03-23 Thread Prashant Bapat
Martin,

Thanks!

Let me double check.

Yes I was referring to the exact same pdf.

Regards.
--Prashant

On 23 March 2015 at 16:49, Martin Kosek mko...@redhat.com wrote:

 On 03/23/2015 10:19 AM, Prashant Bapat wrote:
  Hi,
 
  I'm trying to add a custom attribute to the user object. Below is the LDIF
  I'm using.
 
  dn: cn=schema
  changetype: modify
  add: attributeTypes
  attributeTypes: (2.16.840.1.113730.3.8.11.31.1 NAME 'ipaSshSigTimestamp'
  DESC 'SSH public key signature and timestamp' EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'CUSTOM FREEIPA EXTENTION'
 )
  -
  add: objectclasses
  objectclasses: ( 2.16.840.1.113730.3.8.11.31.2 NAME 'ApigeeUserAttr' SUP
  top AUXILIARY DESC 'CUSTOM FREEIPA EXTENTION' MAY ipaSshSigTimestamp )
 
  This gets added successfully using the ldapmodify command as Directory
  Manager. But both the UI and the ipa config-mod command refuse to add the
  new attribute to ipaUserObjectClasses with the error "objectclass not found".
 
  What am I doing wrong?

 Not sure yet, the schema above looks OK (except some typos). I tried it on
 my
 VM, and it just worked:

 # ldapmodify -D cn=Directory Manager -x -w Secret123
 ...
 modifying entry cn=schema

 # ipa config-mod

 --userobjectclasses={ipaobject,person,top,ipasshuser,inetorgperson,organizationalperson,krbticketpolicyaux,krbprincipalaux,inetuser,posixaccount,ApigeeUserAttr}
 ...
   Default user objectclasses: ipaobject, person, top, ipasshuser,
 inetorgperson, organizationalperson,
   krbticketpolicyaux, krbprincipalaux,
 ApigeeUserAttr, inetuser,
   posixaccount


 # ipa user-add apigee --first Foo --last Bar --setattr
 ipaSshSigTimestamp=barbar
 ---
 Added user apigee
 ---
   User login: apigee
   First name: Foo
   Last name: Bar
   Full name: Foo Bar
   Display name: Foo Bar
   Initials: FB
   Home directory: /home/apigee
   GECOS: Foo Bar
   Login shell: /bin/sh
   Kerberos principal: apigee@F21
   Email address: api...@f21.test
   UID: 1889400080
   GID: 1889400080
   Password: False
   Member of groups: ipausers
   Kerberos keys available: False


 # ldapsearch -Y GSSAPI -b 'uid=apigee,cn=users,cn=accounts,dc=f21' uid
 ipaSshSigTimestamp
 SASL/GSSAPI authentication started
 SASL username: admin@F21
 SASL SSF: 56
 SASL data security layer installed.
 # extended LDIF
 #
 # LDAPv3
 # base uid=apigee,cn=users,cn=accounts,dc=f21 with scope subtree
 # filter: (objectclass=*)
 # requesting: uid ipaSshSigTimestamp
 #

 # apigee, users, accounts, f21
 dn: uid=apigee,cn=users,cn=accounts,dc=f21
 uid: apigee
 ipaSshSigTimestamp: barbar

 # search result
 search: 4
 result: 0 Success

 # numResponses: 2
 # numEntries: 1



 BTW, did you read one of the very relevant upstream guides how to add
 custom
 attributes to LDAP? It pretty much covers the procedure you are working on:

 http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf

 Martin

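To see what Martin's transcript amounts to in practice, here is an added example (not code from the thread, from FreeIPA or from the extending-freeipa PDF). It checks the two posted definitions for the slips that make a schema extension unusable before anything is loaded with ldapmodify (a MAY/MUST naming an attribute that is never defined, a duplicated OID, a class that is not AUXILIARY), and then builds the single ldapmodify that retrofits the auxiliary objectClass plus the new attribute onto a user created before the schema change, which is what the later messages in this thread ask about. ATTRIBUTE_TYPE and OBJECT_CLASS are the definitions posted above with the X-ORIGIN spelling fixed; the example DN is the one from Martin's transcript; everything else is illustrative.

```python
"""Check a custom 389-ds schema extension before ldapmodify loads it, then
build the single ldapmodify that retrofits the new auxiliary objectClass and
attribute onto a user entry that existed before the schema change.

Added example: not code from the thread, from FreeIPA or from the
extending-freeipa PDF.  ATTRIBUTE_TYPE and OBJECT_CLASS are the definitions
posted in the thread with the X-ORIGIN spelling fixed; the rest is illustrative.
"""
import base64
import re

ATTRIBUTE_TYPE = (
    "( 2.16.840.1.113730.3.8.11.31.1 NAME 'ipaSshSigTimestamp'"
    " DESC 'SSH public key signature and timestamp' EQUALITY octetStringMatch"
    " SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'CUSTOM FREEIPA EXTENSION' )"
)
OBJECT_CLASS = (
    "( 2.16.840.1.113730.3.8.11.31.2 NAME 'ApigeeUserAttr' SUP top AUXILIARY"
    " DESC 'CUSTOM FREEIPA EXTENSION' MAY ipaSshSigTimestamp )"
)

# RFC 4512 definition: "( <numericoid> <keyword clauses ...> )"
_DEF = re.compile(r"^\(\s*(?P<oid>\d+(?:\.\d+)+)\s+(?P<body>.*)\)\s*$", re.S)
_NAME = re.compile(r"\bNAME\s+(?:'([^']*)'|\(([^)]*)\))")


def _oidlist(body, keyword):
    """Operands of a SUP/MAY/MUST clause: one name or a '( a $ b )' list."""
    m = re.search(r"\b%s\s+(?:\(([^)]*)\)|([A-Za-z][\w.-]*))" % keyword, body)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [t.strip() for t in raw.split("$") if t.strip()]


def parse_definition(text):
    """Parse one attributeTypes/objectClasses definition into a dict."""
    m = _DEF.match(text.strip())
    if not m:
        raise ValueError("not an RFC 4512 definition: %r" % text)
    body = m.group("body")
    nm = _NAME.search(body)
    if nm is None:
        names = []
    elif nm.group(1) is not None:
        names = [nm.group(1)]
    else:
        names = nm.group(2).replace("'", " ").split()
    return {"oid": m.group("oid"), "names": names, "sup": _oidlist(body, "SUP"),
            "may": _oidlist(body, "MAY"), "must": _oidlist(body, "MUST"),
            "auxiliary": re.search(r"\bAUXILIARY\b", body) is not None}


def check_schema(attribute_types, object_classes, known_attrs=()):
    """Problems found in the extension; an empty list means it is consistent.

    known_attrs lists attributes already in the server schema (for example
    'ipaSshPubKey') that a class may reference without redefining them here.
    """
    problems, seen = [], {}
    attrs = {n.lower() for n in known_attrs}
    for text in list(attribute_types) + list(object_classes):
        d = parse_definition(text)
        if d["oid"] in seen:
            problems.append("duplicate OID %s: %s and %s"
                            % (d["oid"], seen[d["oid"]], d["names"]))
        seen[d["oid"]] = d["names"]
        if not d["names"]:
            problems.append("definition %s has no NAME" % d["oid"])
    for text in attribute_types:
        attrs.update(n.lower() for n in parse_definition(text)["names"])
    for text in object_classes:
        d = parse_definition(text)
        for ref in d["may"] + d["must"]:
            if ref.lower() not in attrs:       # a typo in MAY/MUST is the usual slip
                problems.append("objectClass %s references undefined attribute %s"
                                % (d["names"], ref))
        if not d["auxiliary"]:
            problems.append("objectClass %s must be AUXILIARY to be mixed into "
                            "existing user entries" % d["names"])
    return problems


def user_mod_ldif(dn, objectclass, attr, value):
    """ldapmodify input that adds the objectClass and the attribute together.

    Both go in one modify: adding the attribute by itself to an entry that
    lacks the class is rejected with an objectClass violation.
    """
    if isinstance(value, str) and value.isascii() and value.isprintable() \
            and not value.startswith((" ", ":", "<")):
        val_line = "%s: %s" % (attr, value)
    else:                                      # binary or unsafe text: base64
        raw = value.encode() if isinstance(value, str) else value
        val_line = "%s:: %s" % (attr, base64.b64encode(raw).decode())
    return ("dn: %s\nchangetype: modify\nadd: objectClass\nobjectClass: %s\n-\n"
            "add: %s\n%s\n-\n" % (dn, objectclass, attr, val_line))


if __name__ == "__main__":
    for p in check_schema([ATTRIBUTE_TYPE], [OBJECT_CLASS]):
        print("PROBLEM:", p)
    print(user_mod_ldif("uid=apigee,cn=users,cn=accounts,dc=f21",
                        "ApigeeUserAttr", "ipaSshSigTimestamp", "barbar"))
```

After the schema is loaded, the IPA framework still serves its cached copy until httpd is restarted (Rob's point later in this thread), and only then will `ipa config-mod --addattr ipaUserObjectClasses=ApigeeUserAttr` accept the class; that setting affects users created from then on. The LDIF printed by user_mod_ldif is for users that already exist and has to be applied by a bind with write access to the entry, as Martin does with Directory Manager above.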

Re: [Freeipa-users] Adding a custom attribute to user object

2015-03-23 Thread Prashant Bapat
OK, the command you gave me worked. But I was following the PDF, and the
command below never worked.

ipa config-mod --addattr=ipaUserObjectClasses=ApigeeUserAttr

Is that expected ?

Thanks.
--Prashant


Re: [Freeipa-users] Adding a custom attribute to user object

2015-03-23 Thread Prashant Bapat
Hi Rob,

Yes I did restart it.

OK, another problem. I'm not able to add this attr to existing users, only
the new ones. Any pointers?

Thanks.
--Prashant

On 23 March 2015 at 21:19, Rob Crittenden rcrit...@redhat.com wrote:

 Prashant Bapat wrote:
  Ok the command you gave me worked. But I was following the PDF and below
  command never worked.
 
  ipa config-mod --addattr=ipaUserObjectClasses=ApigeeUserAttr
 
  Is that expected ?

 Did you restart httpd after adding the schema? A cached copy is used and
 restarting will cause it to re-read the schema.

 rob

 

Re: [Freeipa-users] Adding a custom attribute to user object

2015-03-23 Thread Prashant Bapat
Thanks. I will take a look. However, will using this attr only on new users
from the time it was added have any issues?

Also, will replication include this new attr?

On 23 March 2015 at 21:57, Martin Kosek mko...@redhat.com wrote:

 You would need to extend user-mod to add this objectclass to existing
 modified
 users. There is an example of such plugin in the PDF I mentioned.

Re: [Freeipa-users] Replication issues

2015-04-07 Thread Prashant Bapat
Hi Thierry,

Thanks for the reply.

Turned out that the slapi-plugin was not ignoring the replicated
operations. Problem solved.

Regards.
--Prashant

On 6 April 2015 at 23:25, thierry bordaz tbor...@redhat.com wrote:

  Hello Prashant,

 If you are able to reproduce the problem (ipasshpubkey not replicated),
 would you enable replication and plugin logging (
 http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#Troubleshooting)
 and provide the access/errors logs ?

 thanks
 thierry


[Freeipa-users] Replication issues

2015-04-06 Thread Prashant Bapat
Hi,

Seems like there is an issue with replication that I have encountered.

I'm using a custom attribute and a slapi-plugin. Below is the attribute
added.


dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: (2.16.840.1.113730.3.8.11.31.1 NAME 'ipaSshSigTimestamp'
DESC 'SSH public key signature and timestamp' EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'APIGEE FREEIPA EXTENSION' )
-
add: objectclasses
objectclasses: ( 2.16.840.1.113730.3.8.11.31.2 NAME 'ApigeeUserAttr' SUP
top AUXILIARY DESC 'APIGEE FREEIPA EXTENSION' MAY ipaSshSigTimestamp )

This is the only change.

Problem: I'm using a python script calling the user_add and user_mod to add
user and then add ssh key to the user. After this the custom attr
(ipaSshSigTimestamp) is getting replicated to the other master but the
standard ipaSshPubKey is not.

This had happened once before in the exact same setup. I removed the second
master and re-installed it and it was working. But same problem again.

Any pointers appreciated.

Regards.
--Prashant

Re: [Freeipa-users] Changing the SSL certificate for the WebUI

2015-06-20 Thread Prashant Bapat
I tried the steps documented on a test VM. Looks like I ended up in the
situation described here
https://www.redhat.com/archives/freeipa-users/2012-January/msg00045.html.

I have one more question. Is there a way to disable HTTPS completely on the
web UI? I can add HTTPS on a load balancer in front of the UI to handle SSL.



On 18 June 2015 at 19:03, Rob Crittenden rcrit...@redhat.com wrote:

 Prashant Bapat wrote:

 Hi All,

 Is there a way to change the certificate for the web UI?

 I went with a standard install with a self signed CA etc. Now I want to
 install a cert from a commercial CA. I don't mind using the IPA CA certs
 for the 389 DS, just want to change the cert for the UI.

 Any pointers on how to do this ?


 http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP


Re: [Freeipa-users] Using FreeIPA OTP in a PAM module

2015-06-27 Thread Prashant Bapat
Aah ok !

Unfortunately I'm using Amazon Linux and it does not support SSSD. I ended
up using nss-pam-ldap, nscd and nslcd.

However this looks promising. Only for the servers exposed to Internet I
could use CentOS/Fedora and this method of authentication. Let me try this
and come back to you.

Thanks.
--Prashant

On 27 June 2015 at 10:17, Alexander Bokovoy aboko...@redhat.com wrote:



 - Original Message -
  Hi ,
 
  I'm exploring implementing a 2FA solution to my servers exposed to
 public.
  Mainly to secure SSH with 2FA. The SSH keys and users are already in
  FreeIPA.
 
  Is there a way to utilize the OTP inside FreeIPA during a user login to these
  servers? A user will have to enter the TOTP code based on what's configured
  in FreeIPA. Something along the lines of
  https://github.com/google/google-authenticator/tree/master/libpam
 If you are using SSSD (pam_sss), it will automatically accept 2FA.

 You need to force OpenSSH to combine authentication methods, something
 like:

 AuthenticationMethods publickey,password:pam
 publickey,keyboard-interactive:pam

 Look into the sshd_config manual page for details. This is a feature of
 OpenSSH 6.2 or later.

 --
 / Alexander Bokovoy


Re: [Freeipa-users] Changing the SSL certificate for the WebUI

2015-06-20 Thread Prashant Bapat
Hi Rob,

Thanks for the reply.

The ipa-server-certinstall did require that I have the cert and the CA cert
in one PEM file and the key in another PEM file, and the command went through
successfully.

But afterwards the HTTP service stopped working. Only way I could get it to
start again was to set NSSEnforceValidCerts off in
/etc/httpd/conf.d/nss.conf.

Below is the error message from the logs.

[Sun Jun 21 09:46:09.188241 2015] [:info] [pid 3803] Initializing SSL
Session Cache of size 1. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
[Sun Jun 21 09:46:09.444378 2015] [:info] [pid 3803] Init: Seeding PRNG
with 144 bytes of entropy
[Sun Jun 21 09:46:09.444395 2015] [:info] [pid 3803] Init: Initializing
(virtual) servers for SSL
[Sun Jun 21 09:46:09.454700 2015] [:error] [pid 3803] SSL Library Error:
-8102 Certificate key usage inadequate for attempted operation.
[Sun Jun 21 09:46:09.454757 2015] [:error] [pid 3803] Unable to verify
certificate 'Signing-Cert'. Add NSSEnforceValidCerts off to nss.conf so
the server can start until the problem can be resolved.

On turning off SSL, I did try what you are suggesting: a load balancer with
the commercial CA and HTTPS from the LB to the server behind it, and it works!
The only problem is, I will have to have one load balancer for each of the
servers. This is because I used naming like ipa.example.com and
ipa2.example.com etc. for the IPA servers. These are all replicas and their
name has to match what's on the LB.

Thanks again!
--Prashant


On 21 June 2015 at 01:51, Rob Crittenden rcrit...@redhat.com wrote:

 Prashant Bapat wrote:

 I tried the steps documented on a test VM. Looks like I ended up in the
 situation described here
 https://www.redhat.com/archives/freeipa-users/2012-January/msg00045.html.


 Please be careful when pointing back at old threads. This issue was about
 expired certs. I suspect you found it because of a similar error message,
 but the underlying cause is completely unrelated.

 You probably just need to add in the CA cert that issued the server
 certificate. I'd have thought that ipa-server-certinstall would enforce
 that but perhaps not.

  I have one more question. Is there a way to disable HTTPS completely on
 the WebUI. I can add HTTPS on a load balancer in front of the UI to
 handle SSL.


 It would be a rather terrible idea. You'd still have a lot of in-the-clear
 messaging between the IPA web server and the load balancer. I wouldn't
 recommend that; there are real replay issues possible. You should
 re-encrypt, so terminate SSL at the load balancer and then open a new SSL
 session to IPA.

 rob





Re: [Freeipa-users] blank user screen? (web UI)

2015-06-21 Thread Prashant Bapat
Can you share the steps to reproduce this and the error message?

On 21 June 2015 at 02:33, Janelle janellenicol...@gmail.com wrote:

 Just wondering if others have run into the user login to the web-UI and
 with the exception of the top part of the screen and menu, all the user
 details go blank. This makes it hard for a user to click on add ssh key
 since they can't see it.

 Have reproduced this dozens of times on all browsers. Very confusing.
 There must be an answer or known fix?

 ~Janelle


[Freeipa-users] Using FreeIPA OTP in a PAM module

2015-06-26 Thread Prashant Bapat
Hi ,

I'm exploring implementing a 2FA solution to my servers exposed to public.
Mainly to secure SSH with 2FA. The SSH keys and users are already in
FreeIPA.

Is there a way to utilize the OTP inside FreeIPA during a user login to
these servers? A user will have to enter the TOTP code based on what's
configured in FreeIPA. Something along the lines of
https://github.com/google/google-authenticator/tree/master/libpam

Thanks.
--Prashant

Re: [Freeipa-users] OTP - Google Authenticator - iPhone - Invalid barcode

2015-06-17 Thread Prashant Bapat
Hi Nathaniel,

I think your patch should work. Please give me a day to test and confirm.

However, I changed this section in otptoken.py:

StrEnum('ipatokenotpalgorithm?',
    cli_name='algo',
    label=_('Algorithm'),
    doc=_('Token hash algorithm'),
    default=u'sha1',
    autofill=True,
    flags=('no_update'),
    values=(u'sha1', u'sha256', u'sha384', u'sha512'),
)

to

StrEnum('ipatokenotpalgorithm?',
    cli_name='algo',
    label=_('Algorithm'),
    doc=_('Token hash algorithm'),
    default=u'SHA1',
    autofill=True,
    flags=('no_update'),
    values=(u'SHA1', u'SHA256', u'SHA384', u'SHA512'),
)

And the Google Authenticator installed on an iPhone was able to scan the QR
code and work as expected.

Thanks for looking into this.

Regards.
--Prashant

On 17 June 2015 at 20:00, Nathaniel McCallum npmccal...@redhat.com wrote:

 Prashant,

 I have proposed a patch for the issue:
 https://www.redhat.com/archives/freeipa-devel/2015-June/msg00505.html

 Please test it and let me know if it works for you.

 Nathaniel

 On Wed, 2015-06-17 at 12:35 +0530, Prashant Bapat wrote:
  Simo is right! This issue is the same as
  https://fedorahosted.org/freeipa/ticket/5047
 
  If I change the algorithm in the otp url to uppercase it scans in
  Google authenticator/iPhone.
 
  Furthermore, I manually edited
  /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py and
  uppercased the 'sha' to 'SHA' in a test VM and it works as expected. I
  hate to do this in the production server though.
 
 
  On 12 June 2015 at 23:32, Prashant Bapat prash...@apigee.com wrote:
   Hi,
  
   Has anyone seen this ? When a user tries to scan the QR code he
   gets a message saying invalid barcode. This happens only with
   iPhone + Google Authenticator.
  
   Thanks for your help.
  
   --Prashant
  

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
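
The fix discussed in this thread is about the algorithm label inside the otpauth:// URI that the QR code encodes. As an added example, not FreeIPA's code and not from the thread, the Python below builds such a URI with the label always upper-cased, parses one back, and computes the RFC 6238 code from it, so both halves of the problem (what the server emits, what the phone would compute) can be checked offline. The issuer EXAMPLE.COM and the account name are made up; the hash names are the three that RFC 6238 defines (FreeIPA additionally lists SHA384), and the keys used for checking are the RFC 6238 Appendix B test keys.

```python
"""Build and consume otpauth:// TOTP URIs (RFC 6238).

Added example; not FreeIPA code. It demonstrates the point behind ticket 5047:
the algorithm label in the URI must be upper-case ("SHA1", "SHA256", ...) for
Google Authenticator on iOS to accept the QR code. Issuer and account below are
made up; the keys in the usage section are the RFC 6238 Appendix B test keys.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Hash functions a TOTP URI may name (RFC 6238 hash agility).
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def build_uri(issuer: str, account: str, secret: bytes, algorithm: str = "SHA1",
              digits: int = 6, period: int = 30) -> str:
    """Return an otpauth://totp URI; the algorithm name is always emitted upper-case."""
    algo = algorithm.upper()
    if algo not in ALGORITHMS:
        raise ValueError("unsupported algorithm %r" % algorithm)
    label = quote("%s:%s" % (issuer, account), safe=":")
    query = urlencode({
        "secret": base64.b32encode(secret).decode("ascii").rstrip("="),  # unpadded base32
        "issuer": issuer,
        "algorithm": algo,
        "digits": str(digits),
        "period": str(period),
    })
    return "otpauth://totp/%s?%s" % (label, query)


def parse_uri(uri: str) -> dict:
    """Decode a TOTP URI back into its parameters (secret as raw bytes)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"]
    secret += "=" * (-len(secret) % 8)  # restore the base32 padding apps strip
    return {
        "label": u.path.lstrip("/"),
        "secret": base64.b32decode(secret, casefold=True),
        "algorithm": q.get("algorithm", "SHA1"),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
    }


def hotp(secret: bytes, counter: int, algorithm: str = "SHA1", digits: int = 6) -> str:
    """RFC 4226 HOTP, with the hash chosen by name as RFC 6238 allows."""
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[algorithm.upper()]).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_from_uri(uri: str, at: Optional[float] = None) -> str:
    """Compute the code an authenticator app would show for this URI at time `at`."""
    p = parse_uri(uri)
    now = time.time() if at is None else at
    return hotp(p["secret"], int(now // p["period"]), p["algorithm"], p["digits"])


def algorithm_label_ok(uri: str) -> bool:
    """The check ticket 5047 is about: reject 'sha1'-style lower-case labels."""
    algo = parse_qs(urlparse(uri).query).get("algorithm", ["SHA1"])[0]
    return algo in ALGORITHMS   # keys are upper-case, so 'sha256' fails here


if __name__ == "__main__":
    # RFC 6238 Appendix B key for SHA256 (32 bytes); at T=59 the 8-digit code is 46119246.
    uri = build_uri("EXAMPLE.COM", "prashant", b"12345678901234567890123456789012", "sha256", digits=8)
    print(uri)
    print("label ok:", algorithm_label_ok(uri), "code at T=59:", totp_from_uri(uri, at=59))
```

build_uri accepts "sha256" and still emits algorithm=SHA256, which is the behaviour the otptoken.py change above restores; algorithm_label_ok is the pre-flight check to run over a URI before handing it to the QR encoder.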

[Freeipa-users] Firefox issue with web ui certificate

2015-06-17 Thread Prashant Bapat
Hi,

I have gotten into a strange situation. I'm running FreeIPA for 2 different
environments, dev/production. By mistake, the domain for both is
configured the same. Say EXAMPLE.COM.

Now the problem users are facing is when using the web UI with Firefox. It
complains that the secure connection failed (Error code:
sec_error_reused_issuer_and_serial).

This I understand is happening because the certificate authority for both
my environments is under the same name.

Users can only access 1 environment. The other environment will throw this
error.

This happens only with Firefox. Chrome and Safari work fine.

What are my options to fix this?

Thanks.
--Prashant

Re: [Freeipa-users] OTP - Google Authenticator - iPhone - Invalid barcode

2015-06-17 Thread Prashant Bapat
Simo is right! This issue is the same as
https://fedorahosted.org/freeipa/ticket/5047

If I change the algorithm in the otp url to uppercase it scans in Google
authenticator/iPhone.

Furthermore, I manually edited
the /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py and
uppercased the 'sha' to 'SHA' in a test VM and it works as expected. I hate
to do this in the production server though.


On 12 June 2015 at 23:32, Prashant Bapat prash...@apigee.com wrote:

 Hi,

 Has anyone seen this ? When a user tries to scan the QR code he gets a
 message saying invalid barcode. This happens only with iPhone + Google
 Authenticator.

 Thanks for your help.

 --Prashant


[Freeipa-users] OTP - Google Authenticator - iPhone - Invalid barcode

2015-06-12 Thread Prashant Bapat
Hi,

Has anyone seen this ? When a user tries to scan the QR code he gets a
message saying invalid barcode. This happens only with iPhone + Google
Authenticator.

Thanks for your help.

--Prashant

Re: [Freeipa-users] Using FreeIPA OTP in a PAM module

2015-06-30 Thread Prashant Bapat
HI Simo,

Thanks for the reply. Could you please elaborate or point me to some
documentation on how to set this up?

What I want to be able to achieve is that a user should login with 2FA
once a day and all subsequent logins are allowed through public key only.

Regards.
--Prashant

On 30 June 2015 at 15:44, Simo Sorce s...@redhat.com wrote:

 On Tue, 2015-06-30 at 10:06 +0200, Sumit Bose wrote:
  On Tue, Jun 30, 2015 at 09:31:55AM +0200, Jakub Hrozek wrote:
   On Tue, Jun 30, 2015 at 09:22:13AM +0200, Sumit Bose wrote:
    On Tue, Jun 30, 2015 at 09:09:19AM +0200, Jakub Hrozek wrote:
     On Tue, Jun 30, 2015 at 11:34:55AM +0530, Prashant Bapat wrote:
      Hi,

      I was able to set this up in a Fedora instance with SSSD and it
      works as expected. SSHD first uses the public key and then prompts
      for password which is of course password+OTP.

      However, having a user enter the password+OTP every time he logs
      in during the day is kind of inconvenient. Is it possible to make
      sure the user has to login once and the credentials are cached
      for say 12/24 hours. I know this is possible just using the
      password. Question is, is this possible using password+OTP?

     We have an SSSD feature under review now that would help you:
     https://fedorahosted.org/sssd/ticket/1807

     But to be honest, I'm not sure if we tested the patches with 2FA
     yet. We should!

    hm, I agree we should, but I guess we should test that cached
    authentication does _not_ work with 2FA/OTP. Because it is expected
    that the OTP token only works once, so that e.g. it can be used in an
    insecure environment to set up a secure tunnel.

   Sure, the second factor must not be reused :-) but couldn't we use the
   cached auth to support cases like this where the second factor is to be
   used only once per some time and use only the first factor in the
   meantime?

  I'm a bit reluctant here. If the two factors are intercepted in an
  insecure environment the attacker will still have a valid password which
  can be used for some time. Additionally, iirc cached authentication is
  not aware of the service used. If e.g. OTP was used to just get a
  response from some unprotected and unprivileged service the intercepted
  password can be used to log in with ssh as well. So I guess we need a
  careful discussion here.

 The solution for these environments already exists and it is called
 GSSAPI. You can obtain a ticket with 2FA and then use your TGT for 10 or
 more hours. There is no need to invent broken ways to skip two factor
 auth when we already have a way to make this easy *and* secure.

 Simo.

 --
 Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] 3rd party certificate for WebUI only

2015-07-01 Thread Prashant Bapat
I had the exact same requirement. Since we're on AWS, I ended up putting an
ELB in front of each of my IPA servers with a commercial cert for the web UI.
The communication between the ELB and the IPA server is using the IPA CA cert.

On 2 July 2015 at 07:03, Rob Crittenden rcrit...@redhat.com wrote:

 Stephen Ingram wrote:

 I setup IPA using the internal CA. I'd like to continue using this CA,
 however, I'd also like to allow authorized external browser users (who
 haven't imported our CA) to access the WebUI without receiving a
 warning. Is it possible to add a 3rd party certificate and CA such that
 it is only used for the WebUI using the instructions at
 http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP?

 Steve



 In a word: yes.

 I'd recommend making a backup of /etc/httpd/alias and
 /etc/httpd/conf.d/nss.conf  before doing this to make rolling back, if
 necessary, easier.

 rob



Re: [Freeipa-users] 3rd party certificate for WebUI only

2015-07-02 Thread Prashant Bapat
Since the commercial cert is outside IPA renewing that cert would not
impact IPA at all.

On 2 July 2015 at 11:50, Prasun Gera prasun.g...@gmail.com wrote:

 How smooth is the renewal process? If the webui cert expires, does it
 affect the core ipa functionality in any way? Also, when ipa does its own
 auto-renewal, does it leave the webui alone if set up this way?

 On Wed, Jul 1, 2015 at 9:16 PM, Prashant Bapat prash...@apigee.com
 wrote:

 I had the exact same requirement. Since we're on AWS, I ended up putting
 an ELB in front of each of my IPA servers with a commercial cert for the web UI.
 The communication between the ELB and the IPA server is using the IPA CA cert.

 On 2 July 2015 at 07:03, Rob Crittenden rcrit...@redhat.com wrote:

 Stephen Ingram wrote:

 I setup IPA using the internal CA. I'd like to continue using this CA,
 however, I'd also like to allow authorized external browser users (who
 haven't imported our CA) to access the WebUI without receiving a
 warning. Is it possible to add a 3rd party certificate and CA such that
 it is only used for the WebUI using the instructions at
 http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP?

 Steve



 In a word: yes.

 I'd recommend making a backup of /etc/httpd/alias and
 /etc/httpd/conf.d/nss.conf  before doing this to make rolling back, if
 necessary, easier.

 rob








Re: [Freeipa-users] Using FreeIPA OTP in a PAM module

2015-06-30 Thread Prashant Bapat
Hi,

I was able to set this up in a Fedora instance with SSSD and it works as
expected. SSHD first uses the public key and then prompts for password
which is of course password+OTP.

However, having a user enter the password+OTP every time he logs in during
the day is kind of inconvenient. Is it possible to make sure the user has
to login once and the credentials are cached for say 12/24 hours. I know
this is possible just using the password. Question is, is this possible
using password+OTP?

Thanks.
--Prashant

On 27 June 2015 at 13:06, Prashant Bapat prash...@apigee.com wrote:

 Aah ok !

 Unfortunately I'm using Amazon Linux and it does not support SSSD. I ended
 up using nss-pam-ldap, nscd and nslcd.

 However this looks promising. Only for the servers exposed to Internet I
 could use CentOS/Fedora and this method of authentication. Let me try this
 and come back to you.

 Thanks.
 --Prashant

 On 27 June 2015 at 10:17, Alexander Bokovoy aboko...@redhat.com wrote:



 - Original Message -
  Hi ,
 
  I'm exploring implementing a 2FA solution for my servers exposed to the
  public, mainly to secure SSH with 2FA. The SSH keys and users are already in
  FreeIPA.
 
  Is there a way to utilize the OTP inside FreeIPA during a user login to
  these servers? A user will have to enter the TOTP code based on what's
  configured in FreeIPA. Something along the lines of
  https://github.com/google/google-authenticator/tree/master/libpam
 If you are using SSSD (pam_sss), it will automatically accept 2FA.

 You need to force OpenSSH to combine authentication methods, something
 like:

 AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam

 Look into the sshd_config manual page for details. This is a feature of
 OpenSSH 6.2 or later.

 --
 / Alexander Bokovoy



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
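
Alexander's AuthenticationMethods advice (quoted above) is easy to get subtly wrong: a space separates alternatives and a comma chains required methods, so "publickey password" means either one suffices while "publickey,password" means both are needed. The Python below is an added audit, not OpenSSH, SSSD or FreeIPA code, that parses the global section of an sshd_config and reports every alternative that would let a login through without a public key or without a PAM-backed step, and flags UsePAM not being yes (without it pam_sss never sees the password+OTP). The sample config text is constructed. The checker treats password and keyboard-interactive alike as PAM factors; sshd_config(5) documents the ":pam" device suffix for keyboard-interactive, which also needs ChallengeResponseAuthentication yes.

```python
"""Audit sshd_config so every login path needs a key AND a PAM-backed factor.

Added example; not FreeIPA, SSSD or OpenSSH code. AuthenticationMethods
(OpenSSH 6.2+) lists alternatives separated by spaces; each alternative is a
comma list whose methods must all succeed. With pam_sss behind PAM, the
password or keyboard-interactive step is where password+OTP is entered.
The config text below is constructed.
"""
from typing import Dict, List

# Methods that hand the credential to PAM (and so to pam_sss / SSSD).
PAM_FACTORS = {"password", "keyboard-interactive"}

SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config for an Internet-facing host
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam
"""


def global_options(config_text: str) -> Dict[str, str]:
    """First-value-wins parse of the global section (sshd keeps the first setting)."""
    options: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break  # Match blocks override per user/host; audit them separately
        if len(parts) == 2:
            options.setdefault(parts[0].lower(), parts[1].strip())
    return options


def audit(config_text: str) -> List[str]:
    """Return findings; an empty list means no path skips the key or the OTP prompt."""
    findings: List[str] = []
    opts = global_options(config_text)
    if opts.get("usepam", "no").lower() != "yes":
        findings.append("UsePAM is not 'yes': pam_sss (and the OTP) is never consulted")
    alternatives = opts.get("authenticationmethods", "")
    if not alternatives:
        findings.append("AuthenticationMethods unset: one enabled method alone succeeds")
        return findings
    for alt in alternatives.split():
        # "publickey,keyboard-interactive:pam" -> {"publickey", "keyboard-interactive"}
        methods = {step.partition(":")[0].lower() for step in alt.split(",")}
        if "any" in methods:
            findings.append("%s: 'any' restores single-method behaviour" % alt)
            continue
        if "publickey" not in methods:
            findings.append("%s: no public key required" % alt)
        if not methods & PAM_FACTORS:
            findings.append("%s: no password/keyboard-interactive step, so no OTP prompt" % alt)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG) or ["ok: key + PAM factor on every path"]:
        print(finding)
```

Run it against /etc/ssh/sshd_config on each Internet-facing host after the change; a non-empty list is a path that bypasses the second factor.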

Re: [Freeipa-users] anonymous LDAP attributes with IPA ipa-server-4.1

2015-10-27 Thread Prashant Bapat
Making attributes anonymously readable is very simple. You need to look
into RBAC and define the permissions/privileges you need.

On 28 October 2015 at 08:02,  wrote:

> Hi,
>
> We have recently updated from IPA 3 to IPA 4.1 and one of the changes in
> security is what attributes are available for the anonymous LDAP
> queries.
>
> Does anyone know how to edit the anonymous LDAP settings so
> that the following are available?
>
> mail: cr...@example.com
> postalCode: 3000
> street: 1 Home Parade
> mobile: -000-000
> telephoneNumber: 03--
>
> Note: We have many different types of LDAP clients here and even though
> using encrypted BIND's did work from ldapsearch queries, I couldn't get
> them to consistently work from our email clients.
>
> Regards,
>
> Craig
>
>

Re: [Freeipa-users] anonymous LDAP attributes with IPA ipa-server-4.1

2015-10-27 Thread Prashant Bapat
Refer to this doc:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#server-access-controls

On 28 October 2015 at 11:11, Prashant Bapat <prash...@apigee.com> wrote:

> Making attributes anonymously readable is very simple. You need to look
> into RBAC and define the permissions/privileges you need.
>
> On 28 October 2015 at 08:02, <craig.li...@mypenguin.net.au> wrote:
>
>> Hi,
>>
>> We have recently updated from IPA 3 to IPA 4.1 and one of the changes in
>> security is what attributes are available for the anonymous LDAP
>> queries.
>>
>> Does anyone know how to edit the anonymous LDAP settings so
>> that the following are available?
>>
>> mail: cr...@example.com
>> postalCode: 3000
>> street: 1 Home Parade
>> mobile: -000-000
>> telephoneNumber: 03--
>>
>> Note: We have many different types of LDAP clients here and even though
>> using encrypted BIND's did work from ldapsearch queries, I couldn't get
>> them to consistently work from our email clients.
>>
>> Regards,
>>
>> Craig
>>
>>
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
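
Both replies above point at RBAC permissions. What actually decides visibility for an unauthenticated bind is the ACI that FreeIPA writes into 389-ds for each permission: a bind rule of userdn "ldap:///anyone" covers anonymous clients, "ldap:///all" covers only authenticated ones, and a deny ACI wins over an allow. The Python below is an added audit, not FreeIPA code, that parses ACI strings of that shape, lists which of Craig's five attributes an anonymous client can read, and builds the ipa permission-add call that closes the gap. The three ACIs and the base DN are constructed samples; dump the real ones with ldapsearch as shown in the docstring.

```python
"""Audit which user attributes 389-ds ACIs expose to anonymous LDAP binds.

Added example; not FreeIPA code and not from the thread. FreeIPA stores each
RBAC permission as a 389-ds ACI on the users container, so an anonymous client
sees exactly the attributes granted to userdn "ldap:///anyone". The ACIs below
are constructed to mimic that shape; dump the real ones with
  ldapsearch -LLL -D "cn=Directory Manager" -W \
      -b cn=users,cn=accounts,dc=example,dc=com -s base aci
(assumed base DN) and feed them to missing_for_anonymous().
"""
import re
from typing import Dict, Iterable, List, Set

# Constructed samples. The first mirrors the 4.x default of granting address book
# attributes to authenticated binds only ("ldap:///all"), which is why anonymous
# mail clients stop seeing them after an IPA 3 -> 4.1 upgrade.
SAMPLE_ACIS = [
    '(targetattr = "telephonenumber || mobile || street || postalcode")'
    '(targetfilter = "(objectclass=posixaccount)")'
    '(version 3.0;acl "permission:System: Read User Addressbook Attributes";'
    'allow (compare,read,search) userdn = "ldap:///all";)',
    '(targetattr = "mail")(targetfilter = "(objectclass=posixaccount)")'
    '(version 3.0;acl "permission:Anonymous read of user mail";'
    'allow (compare,read,search) userdn = "ldap:///anyone";)',
    '(targetattr = "userpassword || krbprincipalkey")'
    '(version 3.0;acl "deny everyone secrets";'
    'deny (all) userdn = "ldap:///anyone";)',
]

WANTED = ["mail", "postalCode", "street", "mobile", "telephoneNumber"]


def parse_aci(aci: str) -> dict:
    """Pull the pieces an exposure audit needs out of one ACI string."""
    def field(key: str) -> str:
        m = re.search(r'\(%s\s*=\s*"([^"]*)"\)' % key, aci, re.IGNORECASE)
        return m.group(1) if m else ""
    name = re.search(r'acl\s+"([^"]*)"', aci, re.IGNORECASE)
    rule = re.search(r'\b(allow|deny)\s*\(([^)]*)\)', aci, re.IGNORECASE)
    bind = re.search(r'userdn\s*=\s*"([^"]*)"', aci, re.IGNORECASE)
    if not (name and rule and bind):
        raise ValueError("unparseable ACI: %s" % aci)
    return {
        "name": name.group(1),
        "attrs": {a.strip().lower() for a in field("targetattr").split("||") if a.strip()},
        "effect": rule.group(1).lower(),
        "rights": {r.strip().lower() for r in rule.group(2).split(",")},
        "userdn": bind.group(1).lower(),
    }


def anonymous_readable(acis: Iterable[str]) -> Dict[str, Set[str]]:
    """attribute -> names of allow ACIs that let an unauthenticated bind read it.

    Deny ACIs take precedence in 389-ds, so an attribute covered by a deny for
    anyone is removed again.
    """
    granted: Dict[str, Set[str]] = {}
    denied: Set[str] = set()
    for p in map(parse_aci, acis):
        if p["userdn"] != "ldap:///anyone":
            continue   # "ldap:///all" (authenticated) and specific DNs do not help anonymous
        if p["effect"] == "deny" and p["rights"] & {"all", "read"}:
            denied |= p["attrs"]
        elif p["effect"] == "allow" and "read" in p["rights"]:
            for a in p["attrs"]:
                granted.setdefault(a, set()).add(p["name"])
    return {a: names for a, names in granted.items() if a not in denied}


def missing_for_anonymous(acis: Iterable[str], wanted: Iterable[str]) -> List[str]:
    """Which of the wanted attributes an anonymous client still cannot read."""
    readable = anonymous_readable(acis)
    return sorted(a for a in wanted if a.lower() not in readable)


def permission_add_argv(name: str, attrs: Iterable[str]) -> List[str]:
    """The ipa CLI call that closes the gap as a new RBAC permission."""
    argv = ["ipa", "permission-add", name, "--bindtype=anonymous", "--type=user",
            "--right=read", "--right=search", "--right=compare"]
    return argv + ["--attrs=%s" % a for a in attrs]


if __name__ == "__main__":
    gap = missing_for_anonymous(SAMPLE_ACIS, WANTED)
    print("anonymous cannot read:", gap)
    print(" ".join(permission_add_argv("Anonymous read of user contact info", gap)))
```

Run the audit again after the permission-add, this time over the live ACIs, and also over an anonymous ldapsearch (-x, no -D) of one user: the attributes the audit reports as readable are exactly the ones that leave the directory to any client on the network, so keep the list to what the mail clients need.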

Re: [Freeipa-users] 389DS segfaults after upgrade FC 21 -> 22

2015-11-12 Thread Prashant Bapat
Is there a way for you to try F23? It's the latest anyway, if that's the
reason you're upgrading.

I recently did this a couple of times in a test setup (AWS and VirtualBox). I
have 4.1.4 (F21) in production. I was trying the upgrade from F21->F22 and
F22->F23; this would give me FreeIPA 4.2.3. Things went very smoothly for
me.

Make sure you do a dnf update freeipa-server after you're in F23.

On 11 November 2015 at 20:56, Martin Basti  wrote:

>
>
> On 11.11.2015 11:57, Torsten Harenberg wrote:
>
>> Dear all,
>>
>> on our secondary IPA server (running 4.1.4) we did an upgrade of FC from
>> 21 to 22, as 21 is running out of support.
>>
>> The upgrade process itself went smoothly, however, 389DS segfaults now:
>>
>> ns-slapd[1427]: segfault at 7fffe301413e ip 7fffeeb1fa08 sp
>> 7fffd3d8 error 4 in libdb-5.3.so[7fffee9fa000+1b8000]
>>
>> every time it is started.
>>
>> This does not seem to be the problem reported earlier with IPA 4.2 on FC
>> 23 (that segfaulted in libslapd).
>>
>> I couldn't get a hint out of the strace output. But the packages in
>> question are:
>>
>> [root@ipa2 slapd-PLEIADES-UNI-WUPPERTAL-DE]# rpm -qf /lib64/libdb-5.3.so
>> libdb-5.3.28-12.fc22.x86_64
>> [root@ipa2 slapd-PLEIADES-UNI-WUPPERTAL-DE]# rpm -qf /usr/sbin/ns-slapd
>> 389-ds-base-1.3.4.4-1.fc22.x86_64
>> [root@ipa2 slapd-PLEIADES-UNI-WUPPERTAL-DE]#
>>
>>
>> Any hint is appreciated!!!
>>
>> Best regards
>>
>>Torsten
>>
> Hello,
> can you provide a traceback?
>
> http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#debugging-crashes
>
> Martin
>
>
>

Re: [Freeipa-users] Upgrade from 4.1.4

2015-11-04 Thread Prashant Bapat
Great idea! Is that possible ? Any documentation on how to do this would be
very helpful.

Thanks.

On 4 November 2015 at 19:17, Rob Crittenden <rcrit...@redhat.com> wrote:

> Martin Kosek wrote:
> > On 11/04/2015 10:27 AM, Prashant Bapat wrote:
> >> Ack. But in a live replicated setup won't upgrading from F21->F22 and
> >> F22->F23 take a long time? I mean a couple of hours?
> >
> > It will take some outage time, yes. But if you have appropriate number of
> > replicas and are upgrading one by one, you should be fine - the clients
> should
> > fail over to other replicas.
> >
> >> Are there any other ways to do this. Perhaps do a fresh install of F23
> and
> >> then restore data from FreeIPA 4.1.4 (F21) ?
> >
> > FreeIPA upgrade also updates the data themselves. Restoring old data and
> > configuration files on fresh F23 using full backup + running the upgrade
> may
> > work, but there may be also a lot of hurdles. It is not really a tested
> approach.
>
> Or he could one by one install a new F23 system and configure it as a
> new master to replace one of the old ones until they are all running F23.
>
> I'm pretty sure backup/restore only works within the same version.
>
> rob
>
> >
> >>
> >> On 4 November 2015 at 14:52, Martin Kosek <mko...@redhat.com> wrote:
> >>
> >>> On 11/04/2015 10:15 AM, Lukas Slebodnik wrote:
> >>>> On (04/11/15 14:37), Prashant Bapat wrote:
> >>>>> Hi All,
> >>>>>
> >>>>> We rolled out freeipa in our setup somewhere in the beginning of 2015.
> >>>>> Since then there have been a couple of new releases. Latest being 4.2.3.
> >>>>>
> >>>>> The FreeIPA servers are installed on Fedora 21 hosts and at this
> point
> >>>>> there is no direct way of upgrading to 4.2.3 unless we also upgrade
> the
> >>> OS.
> >>>>> The COPR repos do not support Fedora 21.
> >>>>>
> >>>> Fedora 23 was released yesterday.
> >>>> It means then Fedora 21 will be out of support in a month.
> >>>> I would definitely recommend to upgrade it to a newer Fedora.
> >>>
> >>> +1. I did the same actually for FreeIPA demo which was also running on
> F21
> >>> before:
> >>> http://www.freeipa.org/page/Demo
> >>> I had to do it in two steps: F21->F22, F22->F23.
> >>>
> >>> If you make sure that F22->F23 upgrade updates to freeipa-4.2.3-1.fc23
> or
> >>> later
> >>> (https://bodhi.fedoraproject.org/updates/FEDORA-2015-4d94884a7e), it
> >>> should
> >>> work just fine.
> >>>
> >>>> If you do not want to upgrade so often you might use FreeIPA
> >>>> on CentOS 7
> >>>>
> >>>> LS
> >>>>
> >>>
> >>>
> >>
> >
>
>

Re: [Freeipa-users] Upgrade from 4.1.4

2015-11-04 Thread Prashant Bapat
Looks like there are issues with dogtag and tomcat8.
http://pki.fedoraproject.org/wiki/Tomcat_8

On 5 November 2015 at 11:32, Prashant Bapat <prash...@apigee.com> wrote:

> New issue with upgrade.
>
> I setup a test IPA server. Its on AWS EC2 instance in a VPC. Fedora 21.
> freeipa 4.1.4.
>
> Upgraded OS from F21 --> F22 --> F23. All OK.
>
> Once in F23, the ipactl start command tells me an upgrade is needed.
>
> Ran the ipa-server-upgrade command. This command seems to do everything but
> somehow fails during upgrading the PKI (Tomcat). Now the tomcat service
> won't start. Other components are upgraded to 4.2.2 but Tomcat is down.
>
> Attached are the ipaupgrade.log and catalina.2015-11-05.log.
>
> Any help appreciated.
>
> Thanks.
> --Prashant
>
> On 5 November 2015 at 06:31, Prashant Bapat <prash...@apigee.com> wrote:
>
>> Great idea! Is that possible ? Any documentation on how to do this would
>> be very helpful.
>>
>> Thanks.
>>
>> On 4 November 2015 at 19:17, Rob Crittenden <rcrit...@redhat.com> wrote:
>>
>>> Martin Kosek wrote:
>>> > On 11/04/2015 10:27 AM, Prashant Bapat wrote:
>>> >> Ack. But in a live replicated setup won't upgrading from F21->F22 and
>>> >> F22->F23 take a long time? I mean a couple of hours?
>>> >
>>> > It will take some outage time, yes. But if you have appropriate number
>>> of
>>> > replicas and are upgrading one by one, you should be fine - the
>>> clients should
>>> > fail over to other replicas.
>>> >
>>> >> Are there any other ways to do this. Perhaps do a fresh install of
>>> F23 and
>>> >> then restore data from FreeIPA 4.1.4 (F21) ?
>>> >
>>> > FreeIPA upgrade also updates the data themselves. Restoring old data
>>> and
>>> > configuration files on fresh F23 using full backup + running the
>>> upgrade may
>>> > work, but there may be also a lot of hurdles. It is not really a
>>> tested approach.
>>>
>>> Or he could one by one install a new F23 system and configure it as a
>>> new master to replace one of the old ones until they are all running F23.
>>>
>>> I'm pretty sure backup/restore only works within the same version.
>>>
>>> rob
>>>
>>> >
>>> >>
>>> >> On 4 November 2015 at 14:52, Martin Kosek <mko...@redhat.com> wrote:
>>> >>
>>> >>> On 11/04/2015 10:15 AM, Lukas Slebodnik wrote:
>>> >>>> On (04/11/15 14:37), Prashant Bapat wrote:
>>> >>>>> Hi All,
>>> >>>>>
>>> >>>>> We rolled out freeipa in our setup somewhere in the beginning of 2015.
>>> >>>>> Since then there have been a couple of new releases. Latest being 4.2.3.
>>> >>>>>
>>> >>>>> The FreeIPA servers are installed on Fedora 21 hosts and at this
>>> point
>>> >>>>> there is no direct way of upgrading to 4.2.3 unless we also
>>> upgrade the
>>> >>> OS.
>>> >>>>> The COPR repos do not support Fedora 21.
>>> >>>>>
>>> >>>> Fedora 23 was released yesterday.
>>> >>>> It means then Fedora 21 will be out of support in a month.
>>> >>>> I would definitely recommend to upgrade it to a newer Fedora.
>>> >>>
>>> >>> +1. I did the same actually for FreeIPA demo which was also running
>>> on F21
>>> >>> before:
>>> >>> http://www.freeipa.org/page/Demo
>>> >>> I had to do it in two steps: F21->F22, F22->F23.
>>> >>>
>>> >>> If you make sure that F22->F23 upgrade updates to
>>> freeipa-4.2.3-1.fc23 or
>>> >>> later
>>> >>> (https://bodhi.fedoraproject.org/updates/FEDORA-2015-4d94884a7e), it
>>> >>> should
>>> >>> work just fine.
>>> >>>
>>> >>>> If you do not want to upgrade so often you might use FreeIPA
>>> >>>> on CentOS 7
>>> >>>>
>>> >>>> LS
>>> >>>>
>>> >>>
>>> >>>
>>> >>
>>> >
>>>
>>>
>>
>

Re: [Freeipa-users] Upgrade from 4.1.4

2015-11-05 Thread Prashant Bapat
Please ignore my mails about tomcat/pki. An update fixed the issue.

On 5 November 2015 at 12:58, Prashant Bapat <prash...@apigee.com> wrote:

> Looks like there are issues with dogtag and tomcat8.
> http://pki.fedoraproject.org/wiki/Tomcat_8
>
> On 5 November 2015 at 11:32, Prashant Bapat <prash...@apigee.com> wrote:
>
>> New issue with upgrade.
>>
>> I setup a test IPA server. Its on AWS EC2 instance in a VPC. Fedora 21.
>> freeipa 4.1.4.
>>
>> Upgraded OS from F21 --> F22 --> F23. All OK.
>>
>> Once in F23, the ipactl start command tells me an upgrade is needed.
>>
>> Ran the ipa-server-upgrade command. This command seems to do everything
>> but somehow fails during upgrading the PKI (Tomcat). Now the tomcat service
>> won't start. Other components are upgraded to 4.2.2 but Tomcat is down.
>>
>> Attached are the ipaupgrade.log and catalina.2015-11-05.log.
>>
>> Any help appreciated.
>>
>> Thanks.
>> --Prashant
>>
>> On 5 November 2015 at 06:31, Prashant Bapat <prash...@apigee.com> wrote:
>>
>>> Great idea! Is that possible ? Any documentation on how to do this would
>>> be very helpful.
>>>
>>> Thanks.
>>>
>>> On 4 November 2015 at 19:17, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>
>>>> Martin Kosek wrote:
>>>> > On 11/04/2015 10:27 AM, Prashant Bapat wrote:
>>>> >> Ack. But in a live replicated setup won't upgrading from F21->F22 and
>>>> >> F22->F23 take a long time? I mean a couple of hours?
>>>> >
>>>> > It will take some outage time, yes. But if you have appropriate
>>>> number of
>>>> > replicas and are upgrading one by one, you should be fine - the
>>>> clients should
>>>> > fail over to other replicas.
>>>> >
>>>> >> Are there any other ways to do this. Perhaps do a fresh install of
>>>> F23 and
>>>> >> then restore data from FreeIPA 4.1.4 (F21) ?
>>>> >
>>>> > FreeIPA upgrade also updates the data themselves. Restoring old data
>>>> and
>>>> > configuration files on fresh F23 using full backup + running the
>>>> upgrade may
>>>> > work, but there may be also a lot of hurdles. It is not really a
>>>> tested approach.
>>>>
>>>> Or he could one by one install a new F23 system and configure it as a
>>>> new master to replace one of the old ones until they are all running
>>>> F23.
>>>>
>>>> I'm pretty sure backup/restore only works within the same version.
>>>>
>>>> rob
>>>>
>>>> >
>>>> >>
>>>> >> On 4 November 2015 at 14:52, Martin Kosek <mko...@redhat.com> wrote:
>>>> >>
>>>> >>> On 11/04/2015 10:15 AM, Lukas Slebodnik wrote:
>>>> >>>> On (04/11/15 14:37), Prashant Bapat wrote:
>>>> >>>>> Hi All,
>>>> >>>>>
>>>> >>>>> We rolled out freeipa in our setup somewhere in the beginning of
>>>> >>>>> 2015. Since then there have been a couple of new releases. Latest
>>>> >>>>> being 4.2.3.
>>>> >>>>>
>>>> >>>>> The FreeIPA servers are installed on Fedora 21 hosts and at this
>>>> point
>>>> >>>>> there is no direct way of upgrading to 4.2.3 unless we also
>>>> upgrade the
>>>> >>> OS.
>>>> >>>>> The COPR repos do not support Fedora 21.
>>>> >>>>>
>>>> >>>> Fedora 23 was released yesterday.
>>>> >>>> It means then Fedora 21 will be out of support in a month.
>>>> >>>> I would definitely recommend to upgrade it to a newer Fedora.
>>>> >>>
>>>> >>> +1. I did the same actually for FreeIPA demo which was also running
>>>> on F21
>>>> >>> before:
>>>> >>> http://www.freeipa.org/page/Demo
>>>> >>> I had to do it in two steps: F21->F22, F22->F23.
>>>> >>>
>>>> >>> If you make sure that F22->F23 upgrade updates to
>>>> freeipa-4.2.3-1.fc23 or
>>>> >>> later
>>>> >>> (https://bodhi.fedoraproject.org/updates/FEDORA-2015-4d94884a7e),
>>>> it
>>>> >>> should
>>>> >>> work just fine.
>>>> >>>
>>>> >>>> If you do not want to upgrade so often you might use FreeIPA
>>>> >>>> on CentOS 7
>>>> >>>>
>>>> >>>> LS
>>>> >>>>
>>>> >>>
>>>> >>>
>>>> >>
>>>> >
>>>>
>>>>
>>>
>>
>

Re: [Freeipa-users] IMPORTANT: FreeIPA upgrade broken in Fedora 23

2015-11-05 Thread Prashant Bapat
I just upgraded a test env from 4.1.4 (F21) to 4.2.3 (F23) without issues.
I had to run a dnf upgrade freeipa-server AFTER upgrading to F23 and then
run ipa-server-upgrade.

On 5 November 2015 at 16:20, John Obaterspok 
wrote:

> Hi,
>
> I waited a couple of days and when "dnf list freeipa-server
> --releasever=23" said 4.2.3 I hit the upgrade. Unfortunately I noticed too
> late that I received 4.2.2 during "dnf system-upgrade".
>
> Any ideas how to get it going again? Or is it easier to start from scratch
> if I only have ~ 10 IPA clients?
>
> -- john
>
>
> 2015-11-03 8:44 GMT+01:00 Martin Kosek :
>
>> On 11/02/2015 05:48 PM, Martin Kosek wrote:
>> > Hello everyone,
>> >
>> > Fedora 23 with the new and shiny FreeIPA 4.2 will be out tomorrow. The
>> release
>> > adds a lot of new exciting functionality and we are eager to hear your
>> thoughts
>> > on the release [1].
>> >
>> > Unfortunately, the FreeIPA upgrade on Fedora 23 is broken at the moment
>> and
>> > fails on updating the LDAP schema. The problem is tracked in Red Hat
>> Bugzilla
>> > [2]. The problem is fixed in upstream project, the development team is
>> now
>> > working on releasing FreeIPA upstream release 4.2.3 ASAP and also
>> publishing it
>> > as a 0-day update for Fedora 23. This situation should be resolved
>> within
>> > couple days, when the released build hits the official Fedora repos and
>> mirrors.
>> >
>> > Until the fixed FreeIPA version is released and in the Fedora repos,
>> please
>> > wait with updating your existing FreeIPA installation.
>> >
>> > We will keep you posted. We are very sorry for the inconvenience.
>> >
>> > [1] http://www.freeipa.org/page/Releases/4.2.0
>> > [2] https://bugzilla.redhat.com/show_bug.cgi?id=1274905
>> >
>>
>> The respective F23 updates are now heading to testing repo:
>>
>> FreeIPA: https://bodhi.fedoraproject.org/updates/FEDORA-2015-4d94884a7e
>> pki-core
>> :
>> https://bodhi.fedoraproject.org/updates/FEDORA-2015-f12c332a2f
>>
>> Martin
>>
>>
>
>
>

[Freeipa-users] Upgrade from 4.1.4

2015-11-04 Thread Prashant Bapat
Hi All,

We rolled out freeipa in our setup somewhere in the beginning of 2015. Since
then there have been a couple of new releases. Latest being 4.2.3.

The FreeIPA servers are installed on Fedora 21 hosts and at this point
there is no direct way of upgrading to 4.2.3 unless we also upgrade the OS.
The COPR repos do not support Fedora 21.

Is there a way to get the latest freeipa WITHOUT upgrading the OS ?

Since Fedora releases a new version approx every 6 months, how are others
handling the upgrades ?

Please let me know.

Thanks.
--Prashant

Re: [Freeipa-users] Upgrade from 4.1.4

2015-11-04 Thread Prashant Bapat
Ack. But in a live replicated setup won't upgrading from F21->F22 and
F22->F23 take a long time? I mean a couple of hours?

Are there any other ways to do this? Perhaps do a fresh install of F23 and
then restore data from FreeIPA 4.1.4 (F21)?

On 4 November 2015 at 14:52, Martin Kosek <mko...@redhat.com> wrote:

> On 11/04/2015 10:15 AM, Lukas Slebodnik wrote:
> > On (04/11/15 14:37), Prashant Bapat wrote:
> >> Hi All,
> >>
> >> We rolled out freeipa in our setup somewhere in the beginning of 2015. Since
> >> then there have been a couple of new releases, the latest being 4.2.3.
> >>
> >> The FreeIPA servers are installed on Fedora 21 hosts and at this point
> >> there is no direct way of upgrading to 4.2.3 unless we also upgrade the
> OS.
> >> The COPR repos do not support Fedora 21.
> >>
> > Fedora 23 was released yesterday.
> > It means that Fedora 21 will be out of support in a month.
> > I would definitely recommend upgrading it to a newer Fedora.
>
> +1. I did the same actually for FreeIPA demo which was also running on F21
> before:
> http://www.freeipa.org/page/Demo
> I had to do it in two steps: F21->F22, F22->F23.
>
> If you make sure that F22->F23 upgrade updates to freeipa-4.2.3-1.fc23 or
> later
> (https://bodhi.fedoraproject.org/updates/FEDORA-2015-4d94884a7e), it
> should
> work just fine.
>
> > If you do not want to upgrade so often you might use FreeIPA
> > on CentOS 7
> >
> > LS
> >
>
>

Re: [Freeipa-users] ipa-client on aws (amazon linux)

2015-09-02 Thread Prashant Bapat
Lukas,

ipa-client-install is part of the freeipa-client rpm. On Amazon Linux this
rpm cannot be installed. This is the basic issue.

Thanks.

On 2 September 2015 at 12:43, Lukas Slebodnik <lsleb...@redhat.com> wrote:

> On (02/09/15 11:22), Prashant Bapat wrote:
> >Hi,
> >
> >Running a freeipa-client on Amazon Linux is a huge challenge. This is
> >because the client depends on SSSD which in turn uses Samba libraries
> which
> >Amazon Linux does not support.
> sssd >= 1.11 can be compiled without samba libraries.
> But the result is missing the ad and ipa providers.
> So you would need to manually configure sssd with the ldap provider against
> FreeIPA.
>
> >I tried this sometime back and gave up.
> >Instead we went with pam-nss-ldap route which works great with compat ldap
> >schema. Run the "ipa-advise" command for more details.
> >
> >I'm running the pam-nss-ldap client on 2000+ servers in AWS with Amazon
> >Linux.
> >
> ipa-client-install has the option "--no-sssd"
> -S, --no-sssd   Do not configure the client to use SSSD for
> authentication
>
> LS
>

Re: [Freeipa-users] ipa-client on aws (amazon linux)

2015-09-02 Thread Prashant Bapat
Hi,

Running a freeipa-client on Amazon Linux is a huge challenge. This is
because the client depends on SSSD which in turn uses Samba libraries which
Amazon Linux does not support. I tried this sometime back and gave up.
Instead we went with pam-nss-ldap route which works great with compat ldap
schema. Run the "ipa-advise" command for more details.

I'm running the pam-nss-ldap client on 2000+ servers in AWS with Amazon
Linux.

HTH.
--Prashant



On 2 September 2015 at 02:25, Gustavo Mateus wrote:

> Hi,
>
> Does anyone have an updated list of packages or installation steps to get
> the ipa-client properly installed on an Amazon Linux (2015.03.1 to be more
> precise).
>
> I plan to use Red Hat as my ipa-server but the clients need to be Amazon
> Linux.
>
> Thanks,
>
> Gustavo
>

Re: [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd

2015-09-10 Thread Prashant Bapat
One way to do it is write a small script which will fetch the keys from
LDAP.

As for authentication, I make the SSH public key anonymously readable for
everyone.

On 11 September 2015 at 05:00, Gustavo Mateus wrote:

> Hi,
>
> I'm trying to setup my Amazon Linux instances to be able to fetch the IPA
> users public ssh key.
>
> Do I have to setup a binddn and bindpw in the ldap.conf file and use
> /usr/libexec/openssh/ssh-ldap-wrapper or is there a better way to do it?
>
> Thanks,
> Gustavo
>

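One way to write the small script Prashant mentions, as an added example (not code from the list or from FreeIPA). It assumes users live under cn=users,cn=accounts,dc=example,dc=com on ipa.example.com, that ipaSshPubKey is anonymously readable as described above, and that OpenLDAP's ldapsearch and coreutils base64 are installed; the username check and the LDIF parser are mine, and the LDIF in the comments is constructed.

```sh
#!/bin/sh
# AuthorizedKeysCommand helper that reads ipaSshPubKey with an anonymous
# search. Added example for the thread above, not FreeIPA's own code.
# Assumed: LDAP_URI, USER_BASE below; ldapsearch and base64 on the PATH.
set -eu

LDAP_URI="${LDAP_URI:-ldaps://ipa.example.com}"
USER_BASE="${USER_BASE:-cn=users,cn=accounts,dc=example,dc=com}"

# Accept only plain POSIX-style account names. sshd hands %u to the command
# verbatim, so this is what keeps the value from rewriting the LDAP filter
# below ("*" would match every user, ")(uid=admin" would inject a clause).
valid_user() {
    case "$1" in
        ''|-*|*[!a-zA-Z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read LDIF on stdin and print one public key per line.
# Folded continuation lines (leading space) are re-joined and values that
# ldapsearch base64-encodes ("ipaSshPubKey:: ...") are decoded, e.g.
#   ipaSshPubKey: ssh-ed25519 AAAAC3Nz alice@laptop
#   ipaSshPubKey:: c3NoLXJzYSBBQUFBIGFsaWNlQHdvcms=   (constructed sample)
ipa_keys_from_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' | while IFS= read -r line; do
        case "$line" in
            "ipaSshPubKey:: "*) printf '%s\n' "${line#ipaSshPubKey:: }" | base64 -d; printf '\n' ;;
            "ipaSshPubKey: "*)  printf '%s\n' "${line#ipaSshPubKey: }" ;;
        esac
    done
}

# Anonymous search (-x without -D) for one account's keys. The filter is
# safe only because valid_user() has already rejected filter metacharacters.
fetch_keys() {
    valid_user "$1" || return 1
    ldapsearch -x -LLL -o ldif-wrap=no -H "$LDAP_URI" -b "$USER_BASE" \
        -s one "(&(objectClass=posixAccount)(uid=$1))" ipaSshPubKey \
        | ipa_keys_from_ldif
}

# sshd_config (the script must be root-owned and not group/world-writable):
#   AuthorizedKeysCommand /usr/local/sbin/ipa-authorized-keys %u
#   AuthorizedKeysCommandUser nobody
if [ $# -eq 1 ]; then
    fetch_keys "$1"
fi
```

Because the search is anonymous there is no bind password to protect on two thousand instances, which is the trade-off Gustavo asked about; what you give up is any per-client access control on the key attribute, so keep the rest of the user entry behind the normal ACIs.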
Re: [Freeipa-users] Restricting access to unencrypted LDAP connections

2015-11-18 Thread Prashant Bapat
Exactly what I was looking for! Thank you!!

On 18 November 2015 at 13:26, Ludwig Krispenz <lkris...@redhat.com> wrote:

> you could set minssf:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/SecureConnections.html#requiring-secure-connections
>
>
> On 11/18/2015 07:24 AM, Prashant Bapat wrote:
>
> Hi,
>
> We have a pair of freeipa servers (4.1.4) and a bunch of Linux clients
> configured to talk to them thru pam-nss-ldapd (no sssd). I want to ensure
> that these clients only talk to freeipa's LDAP server either via ldaps or
> ldap+starttls. Plain ldap should not be allowed.
>
> I can always switch to ldaps only and close the tcp/389 port on the
> firewall. But is there a way to achieve this using tcp/389 port.?
>
> Any suggestions appreciated.
>
> Thanks.
> --Prashant
>
>
>
>

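Ludwig's minssf pointer worked through, as an added example that is not code from the list or from FreeIPA; it also covers the nss-pam-ldapd client side discussed in the Amazon Linux thread above. Assumed: the 389-ds instance behind FreeIPA on ipa.example.com, suffix dc=example,dc=com, the Directory Manager password in DM_PW, and the compat tree at cn=compat,dc=example,dc=com; the function names are mine.

```sh
#!/bin/sh
# Refuse plaintext LDAP on tcp/389 with nsslapd-minssf and configure an
# nss-pam-ldapd client that still works afterwards. Added example for the
# threads above, not FreeIPA's own code. Assumed: IPA_SERVER, IPA_BASE,
# DM_PW, and OpenLDAP client tools on the PATH.
set -eu

SERVER="${IPA_SERVER:-ipa.example.com}"
BASE="${IPA_BASE:-dc=example,dc=com}"

# Server side. nsslapd-minssf is the minimum security strength factor a
# connection must have before operations are accepted; TLS (ldaps or
# StartTLS) and a SASL/GSSAPI confidentiality layer both count, so a plain
# simple bind on tcp/389 is refused while Kerberos-authenticated clients and
# replicas keep working. The root DSE is exempted so a client can still read
# supportedExtension before it negotiates StartTLS. 0 (the default) disables
# the check; stay at 56 unless you have verified replication with a higher
# value, since the Cyrus SASL GSSAPI layer has historically reported 56.
minssf_ldif() {
cat <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-minssf
nsslapd-minssf: $1
-
replace: nsslapd-minssf-exclude-rootdse
nsslapd-minssf-exclude-rootdse: on
EOF
}

apply_minssf() {
    minssf_ldif "$1" | ldapmodify -x -ZZ -H "ldap://$SERVER" \
        -D 'cn=Directory Manager' -w "$DM_PW"
}

# Succeeds only if an anonymous search over plain ldap is now rejected
# while the same search over StartTLS (-ZZ) still works.
verify_minssf() {
    if ldapsearch -x -H "ldap://$SERVER" -b "$BASE" -s base 1.1 >/dev/null 2>&1; then
        echo "plain ldap on 389 is still accepted" >&2
        return 1
    fi
    ldapsearch -x -ZZ -H "ldap://$SERVER" -b "$BASE" -s base 1.1 >/dev/null
}

# Client side for nss-pam-ldapd (nslcd.conf): StartTLS on 389, certificate
# required to chain to the IPA CA, maps pointed at the compat tree.
# "ssl on" with uri ldaps://$SERVER/ works equally; "ssl off" now fails.
nslcd_conf() {
cat <<EOF
uid nslcd
gid ldap
uri ldap://$SERVER/
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ipa/ca.crt
base $BASE
base passwd cn=users,cn=compat,$BASE
base group cn=groups,cn=compat,$BASE
base netgroup cn=ng,cn=compat,$BASE
EOF
}

if [ "${1:-}" = apply ]; then
    apply_minssf 56
    verify_minssf
    nslcd_conf
fi
```

Run it with "apply" on one server first and watch replication to the others before touching the rest; the verify step is the one that matters, since a client that silently falls back to "ssl off" would otherwise keep working right up to the moment you close the port.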
[Freeipa-users] Restricting access to unencrypted LDAP connections

2015-11-17 Thread Prashant Bapat
Hi,

We have a pair of freeipa servers (4.1.4) and a bunch of Linux clients
configured to talk to them thru pam-nss-ldapd (no sssd). I want to ensure
that these clients only talk to freeipa's LDAP server either via ldaps or
ldap+starttls. Plain ldap should not be allowed.

I can always switch to ldaps only and close the tcp/389 port on the
firewall. But is there a way to achieve this using tcp/389 port.?

Any suggestions appreciated.

Thanks.
--Prashant

Re: [Freeipa-users] FreeOTP

2016-06-07 Thread Prashant Bapat
If this is TOTP (time based) you want to double check the time is properly
set in both the server (NTP) and the device that is generating the OTP
tokens. I have had issues with this with my users a couple of times.

On 7 June 2016 at 19:43, Alexander Bokovoy wrote:

> On Tue, 07 Jun 2016, Winfried de Heiden wrote:
>
>> Hi all,
>> I tried the FreeIPA webUI, ssh and "su - otpuser", all the same result.
>>
> Ok.
>
>>  Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.1.251: NEEDED_PREAUTH: otpu...@blabla.bla for krbtgt/blabla@blabla.bla, Additional pre-authentication required
>>  Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887](info): closing down fd 12
>>  Jun 07 14:44:42 ipa.blabla.bla krb5kdc[5888](info): preauth (otp) verify failure: Connection timed out
>>
>>  I just cannot figure out what's going wrong. What is trying to connect to, causing this timeout? (yep, I disabled firewalld for this...)
>>
> What is the output of  systemctl status ipa-otpd.socket ?
>
> if it is disabled, do
>
>  systemctl enable ipa-otpd.socket
>  systemctl start ipa-otpd.socket
>
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] FreeOTP

2016-06-07 Thread Prashant Bapat
Do HOTP tokens work fine ?

On 7 June 2016 at 20:37, Winfried de Heiden <w...@dds.nl> wrote:

> Hi all,
>
>
> Yes, I checked that one also. The IPA server is running ntp and is in sync.
> The FreeOTP app is running on my phone which is synced by network; all
> looks fine.
>
>
> Forgot to mention: this IPA server is running on Fedora ARM on a Bananapi.
> Non-OTP logins go well.
>
>
> Winny
>
>
>
>
> Op 07-06-16 om 16:56 schreef Prashant Bapat:
>
> If this is TOTP (time based) you want to double check the time is
> properly set in both the server (NTP) and the device that is generating the
> OTP tokens. I have had issues with this with my users a couple of times.
>
> On 7 June 2016 at 19:43, Alexander Bokovoy <aboko...@redhat.com> wrote:
>
>> On Tue, 07 Jun 2016, Winfried de Heiden wrote:
>>
>>> Hi all,
>>> I tried the FreeIPA webUI, ssh and "su - otpuser", all the same result.
>>>
>> Ok.
>>
>>>  Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.1.251: NEEDED_PREAUTH: otpu...@blabla.bla for krbtgt/blabla@blabla.bla, Additional pre-authentication required
>>>  Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887](info): closing down fd 12
>>>  Jun 07 14:44:42 ipa.blabla.bla krb5kdc[5888](info): preauth (otp) verify failure: Connection timed out
>>>
>>>  I just cannot figure out what's going wrong. What is trying to connect to, causing this timeout? (yep, I disabled firewalld for this...)
>>>
>> What is the output of  systemctl status ipa-otpd.socket ?
>>
>> if it is disabled, do
>>
>>  systemctl enable ipa-otpd.socket
>>  systemctl start ipa-otpd.socket
>>
>>
>> --
>> / Alexander Bokovoy
>>
>
>
>

[Freeipa-users] Read-only access to enforce OTP

2016-06-16 Thread Prashant Bapat
Hi,

I'm writing a small script which will scan all the users and check if each
one has setup an OTP. It will send out an email to the user if OTP is
missing.

I added a new entry
uid=otp-check-ro,cn=sysaccounts,cn=etc,dc=example,dc=com. The problem is I'm
able to read all the users' attributes but not able to read anything under
the cn=otp,dc=example,dc=com tree.

What are the permissions or ACI I need to add to give read-only access to
this user?

Thanks.
--Prashant

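No answer to this question appears on the page. What follows is an added example, not code from the list or from FreeIPA, of the kind of 389-ds ACI that gives a sysaccount read access under cn=otp, together with the scan it enables. The attribute list, suffix, server name and the DM_PW / RO_PW variables are assumptions, and the LDIF in the comments is constructed.

```sh
#!/bin/sh
# Read-only ACI for a sysaccount on the OTP container, plus the "who has no
# token" scan. Added example for the question above, not FreeIPA's own code.
# Assumed: IPA_SERVER, IPA_BASE, DM_PW (Directory Manager), RO_PW (sysaccount).
set -eu

SERVER="${IPA_SERVER:-ipa.example.com}"
BASE="${IPA_BASE:-dc=example,dc=com}"
RO_DN="uid=otp-check-ro,cn=sysaccounts,cn=etc,$BASE"

# The ACI grants read/search/compare on token bookkeeping attributes only.
# ipatokenOTPkey (the shared secret) is deliberately absent: a scanner that
# can read it can mint every user's OTPs, so never widen targetattr to "*".
otp_ro_aci_ldif() {
cat <<EOF
dn: cn=otp,$BASE
changetype: modify
add: aci
aci: (targetattr = "objectClass || ipatokenUniqueID || ipatokenOwner || ipatokenDisabled || ipatokenNotBefore || ipatokenNotAfter")(target = "ldap:///cn=otp,$BASE")(version 3.0; acl "otp-check-ro: read token ownership"; allow (read, search, compare) userdn = "ldap:///$RO_DN";)
EOF
}

# Print the values of one attribute from LDIF on stdin. Use
# "ldapsearch -o ldif-wrap=no" so long DNs are not folded.
ldif_values() {
    awk -v want="$(printf '%s:' "$1" | tr 'A-Z' 'a-z')" \
        'tolower($1) == want { print substr($0, length($1) + 2) }'
}

# $1: LDIF of user entries (DN only), $2: LDIF of tokens with ipatokenOwner.
# Prints the DN of every user that owns no token. DNs are compared
# case-insensitively, as LDAP does. Constructed sample of $2:
#   dn: ipatokenuniqueid=1,cn=otp,dc=example,dc=com
#   ipatokenOwner: uid=alice,cn=users,cn=accounts,dc=example,dc=com
users_without_tokens() {
    tmp=$(mktemp -d)
    ldif_values dn < "$1" | tr 'A-Z' 'a-z' | sort -u > "$tmp/users"
    ldif_values ipatokenOwner < "$2" | tr 'A-Z' 'a-z' | sort -u > "$tmp/owners"
    comm -23 "$tmp/users" "$tmp/owners"
    rm -rf "$tmp"
}

# Bind as the sysaccount over StartTLS, pull both lists, diff them.
scan() {
    work=$(mktemp -d)
    ldapsearch -x -LLL -o ldif-wrap=no -ZZ -H "ldap://$SERVER" -D "$RO_DN" -w "$RO_PW" \
        -b "cn=users,cn=accounts,$BASE" -s one '(objectClass=posixAccount)' 1.1 \
        > "$work/users.ldif"
    ldapsearch -x -LLL -o ldif-wrap=no -ZZ -H "ldap://$SERVER" -D "$RO_DN" -w "$RO_PW" \
        -b "cn=otp,$BASE" '(ipatokenOwner=*)' ipatokenOwner > "$work/tokens.ldif"
    users_without_tokens "$work/users.ldif" "$work/tokens.ldif"
    rm -rf "$work"
}

case "${1:-}" in
    grant) otp_ro_aci_ldif | ldapmodify -x -ZZ -H "ldap://$SERVER" \
               -D 'cn=Directory Manager' -w "$DM_PW" ;;
    scan)  scan ;;
esac
```

"grant" is a one-off as Directory Manager; "scan" is what the cron job runs as the sysaccount and is the list to send the reminder mails from. Because the sysaccount password sits on the box that runs the scan, the narrow targetattr above is the control that limits what a compromise of that box can learn.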
Re: [Freeipa-users] Kerberos process coredump | authentication fails

2016-01-28 Thread Prashant Bapat
Sure. Attached the stack trace with debuginfo installed.

Thanks much!

On 28 January 2016 at 16:53, Sumit Bose <sb...@redhat.com> wrote:

> On Thu, Jan 28, 2016 at 04:42:20PM +0530, Prashant Bapat wrote:
> > gdb stacktrace attached.
>
> Can you install the debuginfo with
>
>  debuginfo-install krb5-server-1.12.2-19.fc21.x86_64
>
> as suggested by gdb and then call 'bt full' again to get more details.
> Additionally the debuginfo of the freeipa package might be missing as
> well.
>
> bye,
> Sumit
> >
> > On 28 January 2016 at 16:27, Prashant Bapat <prash...@apigee.com> wrote:
> >
> > > Thanks Sumit.
> > >
> > > From the logs there is nothing unusual around the time of core dump. I
> > > found this one line odd though.
> > >
> > > Jan 26 03:15:58 ipa.example.net
> > > krb5kdc[4471](Error): worker 4473 exited with status 134
> > >
> > >
> > > Let me try to get the full BT.
> > >
> > > On 28 January 2016 at 13:54, Sumit Bose <sb...@redhat.com> wrote:
> > >
> > >> On Thu, Jan 28, 2016 at 10:25:53AM +0530, Prashant Bapat wrote:
> > >> > Hi,
> > >> >
> > >> > We have a FreeIPA 4.1.4 setup on F21 servers. There is 1 master and
> 7
> > >> > replicas in different regions. Earlier there was only 1 replica.
> Since I
> > >> > added new replicas, on the master node, once in a while the kerberos
> > >> > process dumps core and everything stops working - authentication,
> > >> > replication etc. If we restart everything using "ipactl restart"
> things
> > >> are
> > >> > back to normal.
> > >> >
> > >> > Attached is the output from journalctl for kerberos.
> > >> >
> > >> > Has anyone come across this ? Are there any pointers to
> troubleshooting
> > >> > this ?
> > >>
> > >> This might be fixed recently by a patch from Simo
> > >> (2144b1eeb789639b8a3df287b580aeb6196188a8). But to help to better
> > >> identify the issue the content of the kdc logs around the time of the
> > >> crash might be useful. Additionally a full backtrace which you can get
> > >> by calling
> > >>
> > >>   coredumpctl gdb 4475
> > >>
> > >> and then
> > >>
> > >>   bt full
> > >>
> > >> bye,
> > >> Sumit
> > >>
> > >> >
> > >> > Any help is appreciated.
> > >> >
> > >> > Thanks.
> > >> > --Prashant
> > >>
> > >> > Jan 26 03:15:59 ipa.example.net systemd-coredump[5000]: Process 4475 (krb5kdc) of user 0 dumped core.
> > >> >
> > >> > Stack trace of thread 4475:
> > >> > #0  0x7f99de8c18d7 raise (libc.so.6)
> > >> > #1  0x7f99de8c353a abort (libc.so.6)
> > >> > #2  0x7f99de8ba47d __assert_fail_base (libc.so.6)
> > >> > #3  0x7f99de8ba532 __assert_fail (libc.so.6)
> > >> > #4  0x7f99d783a78f ldap_get_values_len (libldap_r-2.4.so.2)
> > >> > #5  0x7f99d7c8173e ipadb_ldap_attr_to_int (ipadb.so)
> > >> > #6  0x7f99d7c83f9c ipadb_parse_ldap_entry (ipadb.so)
> > >> > #7  0x7f99d7c849ab ipadb_get_principal (ipadb.so)
> > >> > #8  0x7f99e0433b14 krb5_db_get_principal (libkdb5.so.7)
> > >> > #9  0x55768457c230 process_tgs_req (krb5kdc)
> > >> > #10 0x557684579fe3 dispatch (krb5kdc)
> > >> > #11
> >

Re: [Freeipa-users] Kerberos process coredump | authentication fails

2016-01-29 Thread Prashant Bapat
We will have to run with F21 for now. There are plans for moving to CentOS
7.x in the near future. Until then, I'm afraid I will have to live with
this.

Thanks much Sumit for all your help in identifying this.

Regards.
--Prashant

On 28 January 2016 at 23:24, Sumit Bose <sb...@redhat.com> wrote:

> On Thu, Jan 28, 2016 at 09:36:55PM +0530, Prashant Bapat wrote:
> > Sure. Attached the stack trace with debuginfo installed.
> >
> > Thanks much!
>
> This looks very much like the issue Simo fixed recently, but
> unfortunately I think it is so recent that it is not available in any
> release package. Additionally it would be quite some effort for me to
> generate a F21 test build because, as Lukas said, F21 is already
> End-of-life and there is no infrastructure anymore to easily build F21
> packages. If it would be possible to upgrade to a newer version of Fedora
> I'd be happy to provide a test build with the patch.
>
> bye,
> Sumit
>
> >
> > On 28 January 2016 at 16:53, Sumit Bose <sb...@redhat.com> wrote:
> >
> > > On Thu, Jan 28, 2016 at 04:42:20PM +0530, Prashant Bapat wrote:
> > > > gdb stacktrace attached.
> > >
> > > Can you install the debuginfo with
> > >
> > >  debuginfo-install krb5-server-1.12.2-19.fc21.x86_64
> > >
> > > as suggested by gdb and then call 'bt full' again to get more details.
> > > Additionally the debuginfo of the freeipa package might be missing as
> > > well.
> > >
> > > bye,
> > > Sumit
> > > >
> > > > On 28 January 2016 at 16:27, Prashant Bapat <prash...@apigee.com>
> wrote:
> > > >
> > > > > Thanks Sumit.
> > > > >
> > > > > From the logs there is nothing unusual around the time of core
> dump. I
> > > > > found this one line odd though.
> > > > >
> > > > > Jan 26 03:15:58 ipa.example.net
> > > > > krb5kdc[4471](Error): worker 4473 exited with status 134
> > > > >
> > > > >
> > > > > Let me try to get the full BT.
> > > > >
> > > > > On 28 January 2016 at 13:54, Sumit Bose <sb...@redhat.com> wrote:
> > > > >
> > > > >> On Thu, Jan 28, 2016 at 10:25:53AM +0530, Prashant Bapat wrote:
> > > > >> > Hi,
> > > > >> >
> > > > >> > We have a FreeIPA 4.1.4 setup on F21 servers. There is 1 master
> and
> > > 7
> > > > >> > replicas in different regions. Earlier there was only 1 replica.
> > > Since I
> > > > >> > added new replicas, on the master node, once in a while the
> kerberos
> > > > >> > process dumps core and everything stops working -
> authentication,
> > > > >> > replication etc. If we restart everything using "ipactl restart"
> > > things
> > > > >> are
> > > > >> > back to normal.
> > > > >> >
> > > > >> > Attached is the output from journalctl for kerberos.
> > > > >> >
> > > > >> > Has anyone come across this ? Are there any pointers to
> > > troubleshooting
> > > > >> > this ?
> > > > >>
> > > > >> This might be fixed recently by a patch from Simo
> > > > >> (2144b1eeb789639b8a3df287b580aeb6196188a8). But to help to better
> > > > >> identify the issue the content of the kdc logs around the time of
> the
> > > > >> crash might be useful. Additionally a full backtrace which you
> can get
> > > > >> by calling
> > > > >>
> > > > >>   coredumpctl gdb 4475
> > > > >>
> > > > >> and then
> > > > >>
> > > > >>   bt full
> > > > >>
> > > > >> bye,
> > > > >> Sumit
> > > > >>
> > > > >> >
> > > > >> > Any help is appreciated.
> > > > >> >
> > > > >> > Thanks.
> > > > >> > --Prashant
> > > > >>
> > > > >> > Jan 26 03:15:59 ipa.example.net systemd-coredump[5000]: Process 4475 (krb5kdc) of user 0 dumped core.
> > > > >> >
> > > > >> > Stack trace

[Freeipa-users] Kerberos process coredump | authentication fails

2016-01-27 Thread Prashant Bapat
Hi,

We have a FreeIPA 4.1.4 setup on F21 servers. There is 1 master and 7
replicas in different regions. Earlier there was only 1 replica. Since I
added new replicas, on the master node, once in a while the kerberos
process dumps core and everything stops working - authentication,
replication etc. If we restart everything using "ipactl restart" things are
back to normal.

Attached is the output from journalctl for kerberos.

Has anyone come across this ? Are there any pointers to troubleshooting
this ?

Any help is appreciated.

Thanks.
--Prashant
Jan 26 03:15:59 ipa.example.net systemd-coredump[5000]: Process 4475 (krb5kdc) of user 0 dumped core.

   Stack trace of thread 4475:
   #0  0x7f99de8c18d7 raise (libc.so.6)
   #1  0x7f99de8c353a abort (libc.so.6)
   #2  0x7f99de8ba47d __assert_fail_base (libc.so.6)
   #3  0x7f99de8ba532 __assert_fail (libc.so.6)
   #4  0x7f99d783a78f ldap_get_values_len (libldap_r-2.4.so.2)
   #5  0x7f99d7c8173e ipadb_ldap_attr_to_int (ipadb.so)
   #6  0x7f99d7c83f9c ipadb_parse_ldap_entry (ipadb.so)
   #7  0x7f99d7c849ab ipadb_get_principal (ipadb.so)
   #8  0x7f99e0433b14 krb5_db_get_principal (libkdb5.so.7)
   #9  0x55768457c230 process_tgs_req (krb5kdc)
   #10 0x557684579fe3 dispatch (krb5kdc)
   #11 0x55768458d8a0 process_packet (krb5kdc)
   #12 0x7f99dec4cc78 verto_fire (libverto.so.1)
   #13 0x7f99d6fb72a3 epoll_event_loop_once (libtevent.so.0)
   #14 0x7f99d6fb5787 std_event_loop_once (libtevent.so.0)
   #15 0x7f99d6fb1fed _tevent_loop_once (libtevent.so.0)
   #16 0x7f99dec4c3f7 verto_run (libverto.so.1)
   #17 0x5576845795ab main (krb5kdc)
   #18 0x7f99de8acfe0 __libc_start_main (libc.so.6)
   #19 0x5576845798f0 _start (krb5kdc)

Jan 26 03:15:59 ipa.example.net systemd-coredump[4999]: Process 4473 (krb5kdc) of user 0 dumped core.

   Stack trace of thread 4473:
   #0  0x7f99de8c18d7 raise (libc.so.6)
   #1  0x7f99de8c353a abort (libc.so.6)
   #2  0x7f99de8ba47d __assert_fail_base (libc.so.6)
   #3  0x7f99de8ba532 __assert_fail (libc.so.6)
   #4  0x7f99d783a78f ldap_get_values_len (libldap_r-2.4.so.2)
   #5  0x7f99d7c8173e ipadb_ldap_attr_to_int (ipadb.so)
   #6  0x7f99d7c83f9c ipadb_parse_ldap_entry (ipadb.so)
   #7  0x7f99d7c849ab ipadb_get_principal (ipadb.so)
   #8  0x7f99e0433b14 krb5_db_get_principal (libkdb5.so.7)
   #9  0x55768457c230 process_tgs_req (krb5kdc)
   #10 0x557684579fe3 dispatch (krb5kdc)
   #11 0x55768458d8a0 process_packet (krb5kdc)
   #12 0x7f99dec4cc78 verto_fire (libverto.so.1)
   #13 0x7f99d6fb72a3 epoll_event_loop_once (libtevent.so.0)
   #14 0x7f99d6fb5787 std_event_loop_once (libtevent.so.0)
   #15 0x7f99d6fb1fed _tevent_loop_once (libtevent.so.0)
   #16 0x7f99dec4c3f7 verto_run (libverto.so.1)
   #17

Re: [Freeipa-users] Kerberos process coredump | authentication fails

2016-01-28 Thread Prashant Bapat
Thanks Sumit.

From the logs there is nothing unusual around the time of core dump. I
found this one line odd though.

Jan 26 03:15:58 ipa.example.net
krb5kdc[4471](Error): worker 4473 exited with status 134


Let me try to get the full BT.

On 28 January 2016 at 13:54, Sumit Bose <sb...@redhat.com> wrote:

> On Thu, Jan 28, 2016 at 10:25:53AM +0530, Prashant Bapat wrote:
> > Hi,
> >
> > We have a FreeIPA 4.1.4 setup on F21 servers. There is 1 master and 7
> > replicas in different regions. Earlier there was only 1 replica. Since I
> > added new replicas, on the master node, once in a while the kerberos
> > process dumps core and everything stops working - authentication,
> > replication etc. If we restart everything using "ipactl restart" things
> are
> > back to normal.
> >
> > Attached is the output from journalctl for kerberos.
> >
> > Has anyone come across this ? Are there any pointers to troubleshooting
> > this ?
>
> This might be fixed recently by a patch from Simo
> (2144b1eeb789639b8a3df287b580aeb6196188a8). But to help to better
> identify the issue the content of the kdc logs around the time of the
> crash might be useful. Additionally a full backtrace which you can get
> by calling
>
>   coredumpctl gdb 4475
>
> and then
>
>   bt full
>
> bye,
> Sumit
>
> >
> > Any help is appreciated.
> >
> > Thanks.
> > --Prashant
>
> > Jan 26 03:15:59 ipa.example.net systemd-coredump[5000]: Process 4475 (krb5kdc) of user 0 dumped core.
> >
> > Stack trace of thread 4475:
> > #0  0x7f99de8c18d7 raise (libc.so.6)
> > #1  0x7f99de8c353a abort (libc.so.6)
> > #2  0x7f99de8ba47d __assert_fail_base (libc.so.6)
> > #3  0x7f99de8ba532 __assert_fail (libc.so.6)
> > #4  0x7f99d783a78f ldap_get_values_len (libldap_r-2.4.so.2)
> > #5  0x7f99d7c8173e ipadb_ldap_attr_to_int (ipadb.so)
> > #6  0x7f99d7c83f9c ipadb_parse_ldap_entry (ipadb.so)
> > #7  0x7f99d7c849ab ipadb_get_principal (ipadb.so)
> > #8  0x7f99e0433b14 krb5_db_get_principal (libkdb5.so.7)
> > #9  0x55768457c230 process_tgs_req (krb5kdc)
> > #10 0x557684579fe3 dispatch (krb5kdc)
> > #11 0x55768458d8a0 process_packet (krb5kdc)
> > #12 0x7f99dec4cc78 verto_fire (libverto.so.1)
> > #13 0x7f99d6fb72a3 epoll_event_loop_once (libtevent.so.0)
> > #14 0x7f99d6fb5787 std_event_loop_once (libtevent.so.0)
> > #15 0x7f99d6fb1fed _tevent_loop_once (libtevent.so.0)
> > #16 0x7f99dec4c3f7 verto_run (libverto.so.1)
> > #17 0x5576845795ab main (krb5kdc)
> > #18 0x7f99de8acfe0 __libc_start_main (libc.so.6)
> > #19 0x5576845798f0 _start (krb5kdc)
> >
> > Jan 26 03:15:59 ipa.example.net systemd-coredump[4999]: Process 4473 (krb5kdc) of user 0 dumped core.
> >
> > Stack trace of thread 4473:
> > #0  0x7f99de8c18d7 raise (libc.so.6)
> > #1  0x7f99de8c353a abort (libc.so.6)
> > #2  0x7f99de8ba47d __assert_fail_base (libc.so.6)
> > #3  0x7f99de8ba532 __assert_fail (libc.so.6)
> > #4
> 

Re: [Freeipa-users] Kerberos process coredump | authentication fails

2016-01-28 Thread Prashant Bapat
gdb stacktrace attached.

On 28 January 2016 at 16:27, Prashant Bapat <prash...@apigee.com> wrote:

> Thanks Sumit.
>
> From the logs there is nothing unusual around the time of core dump. I
> found this one line odd though.
>
> Jan 26 03:15:58 ipa.example.net
> krb5kdc[4471](Error): worker 4473 exited with status 134
>
>
> Let me try to get the full BT.
>
> On 28 January 2016 at 13:54, Sumit Bose <sb...@redhat.com> wrote:
>
>> On Thu, Jan 28, 2016 at 10:25:53AM +0530, Prashant Bapat wrote:
>> > Hi,
>> >
>> > We have a FreeIPA 4.1.4 setup on F21 servers. There is 1 master and 7
>> > replicas in different regions. Earlier there was only 1 replica. Since I
>> > added new replicas, on the master node, once in a while the kerberos
>> > process dumps core and everything stops working - authentication,
>> > replication etc. If we restart everything using "ipactl restart" things
>> are
>> > back to normal.
>> >
>> > Attached is the output from journalctl for kerberos.
>> >
>> > Has anyone come across this ? Are there any pointers to troubleshooting
>> > this ?
>>
>> This might be fixed recently by a patch from Simo
>> (2144b1eeb789639b8a3df287b580aeb6196188a8). But to help to better
>> identify the issue the content of the kdc logs around the time of the
>> crash might be useful. Additionally a full backtrace which you can get
>> by calling
>>
>>   coredumpctl gdb 4475
>>
>> and then
>>
>>   bt full
>>
>> bye,
>> Sumit
>>
>> >
>> > Any help is appreciated.
>> >
>> > Thanks.
>> > --Prashant
>>
>> > Jan 26 03:15:59 ipa.example.net systemd-coredump[5000]: Process 4475 (krb5kdc) of user 0 dumped core.
>> >
>> > Stack trace of thread 4475:
>> > #0  0x7f99de8c18d7 raise (libc.so.6)
>> > #1  0x7f99de8c353a abort (libc.so.6)
>> > #2  0x7f99de8ba47d __assert_fail_base (libc.so.6)
>> > #3  0x7f99de8ba532 __assert_fail (libc.so.6)
>> > #4  0x7f99d783a78f ldap_get_values_len (libldap_r-2.4.so.2)
>> > #5  0x7f99d7c8173e ipadb_ldap_attr_to_int (ipadb.so)
>> > #6  0x7f99d7c83f9c ipadb_parse_ldap_entry (ipadb.so)
>> > #7  0x7f99d7c849ab ipadb_get_principal (ipadb.so)
>> > #8  0x7f99e0433b14 krb5_db_get_principal (libkdb5.so.7)
>> > #9  0x55768457c230 process_tgs_req (krb5kdc)
>> > #10 0x557684579fe3 dispatch (krb5kdc)
>> > #11 0x55768458d8a0 process_packet (krb5kdc)
>> > #12 0x7f99dec4cc78 verto_fire (libverto.so.1)
>> > #13 0x7f99d6fb72a3 epoll_event_loop_once (libtevent.so.0)
>> > #14 0x7f99d6fb5787 std_event_loop_once (libtevent.so.0)
>> > #15 0x7f99d6fb1fed _tevent_loop_once (libtevent.so.0)
>> > #16 0x7f99dec4c3f7 verto_run (libverto.so.1)
>> > #17 0x5576845795ab main (krb5kdc)
>> > #18 0x7f99de8acfe0 __libc_start_main (libc.so.6)
>> > #19 0x5576845798f0 _start (krb5kdc)
>> >
>> > Jan 26 03:15:59 ipa.example.net systemd-coredump[4999]: Process 4473 (krb5kdc) of user 0 dumped core.
>> >
>> > Stack trace of thread 4473:
>> >   

Re: [Freeipa-users] Kerberos process coredump | authentication fails

2016-01-28 Thread Prashant Bapat
Thanks Lukas.

I'm exploring moving to CentOS for our setup so that I get the advantage of
longer release cycles.

On 28 January 2016 at 16:41, Lukas Slebodnik <lsleb...@redhat.com> wrote:

> On (28/01/16 16:27), Prashant Bapat wrote:
> >Thanks Sumit.
> >
> >From the logs there is nothing unusual around the time of core dump. I
> >found this one line odd though.
> >
> >Jan 26 03:15:58 ipa.example.net
> >krb5kdc[4471](Error): worker 4473 exited with status 134
> >
> >
> >Let me try to get the full BT.
> >
> >On 28 January 2016 at 13:54, Sumit Bose <sb...@redhat.com> wrote:
> >
> >> On Thu, Jan 28, 2016 at 10:25:53AM +0530, Prashant Bapat wrote:
> >> > Hi,
> >> >
> >> > We have a FreeIPA 4.1.4 setup on F21 servers. There is 1 master and 7
> Fedora 21 is not supported since 2015-12-01.
> http://fedoraproject.org/wiki/End_of_life
>
> As Sumit wrote there is a high chance that it's already fixed.
> I would recommend to upgrade to Fedora 22.
> There is freeipa-4.1.4-4.fc22. So it should not be a big change for you.
>
> LS
>

[Freeipa-users] Wildcards in sudo external hostnames

2016-02-18 Thread Prashant Bapat
Hi,

I'm using FreeIPA 4.1.4 with nss-pam-ldapd and the compat schema.

I'm thinking of moving sudo rules to IPA, and with ou=sudoers and
sudo-ldap this works.

In our setup we have a lot of rules with wildcard matching for sudo
hostnames. For ex webserver*, dbserver* etc.

In the IPA UI, when I try to add the hostname with the wildcard (*) char I get
an error from the UI: * is not an allowed char.

Looks like the UI is trying to validate the hostname using
validate_dns_label in ipa/util.py and obviously * is not one of the allowed
chars.

Taking a look at the documentation of sudo, wildcards are pretty widely
used. More info here
https://www.sudo.ws/man/1.8.15/sudoers.man.html#x57696c646361726473

Other than editing the LDAP schema outside of IPA (this will work) what are
the other options to solve this ?

Thanks.
--Prashant

Re: [Freeipa-users] Wildcards in sudo external hostnames

2016-02-19 Thread Prashant Bapat
Not using SSSD because Amazon Linux does not support samba libraries
required to compile it.

On 19 February 2016 at 14:28, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Fri, Feb 19, 2016 at 11:27:16AM +0530, Prashant Bapat wrote:
> > Hi,
> >
> > I'm using FreeIPA 4.1.4 with nss-pam-ldapd and the compat schema.
>
> Why not sssd?
>
> >
> > I'm thinking of moving sudo rules to IPA, and with ou=sudoers and
> > sudo-ldap this works.
> >
> > In our setup we have a lot of rules with wildcard matching for sudo
> > hostnames. For ex webserver*, dbserver* etc.
> >
> > In the IPA UI, when I try to add the hostname with the wildcard (*) char I get
> > an error from the UI: * is not an allowed char.
> >
> > Looks like the UI is trying to validate the hostname using
> > validate_dns_label in ipa/util.py and obviously * is not one of the
> allowed
> > chars.
> >
> > Taking a look at the documentation of sudo, wildcards are pretty widely
> > used. More info here
> > https://www.sudo.ws/man/1.8.15/sudoers.man.html#x57696c646361726473
> >
> > Other than editing the LDAP schema outside of IPA (this will work) what
> are
> > the other options to solve this ?
>
> I guess hostgroups/netgroups are even better (more explicit) than
> wildcards.
>

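Jakub's hostgroup suggestion carried through, as an added example that is not code from the list or from FreeIPA. Instead of a wildcard in the sudo rule, an automember rule turns the sudoers glob into a regex on the host fqdn and keeps the hostgroup populated as instances are enrolled. The names (hostgroup "webservers", rule "web-restart", group "webadmins", the command) are placeholders and the ipa commands run with an admin ticket.

```sh
#!/bin/sh
# Replace sudo host wildcards with automember-fed hostgroups. Added example
# for the thread above, not FreeIPA's own code. Assumed: an admin Kerberos
# ticket, and the placeholder names in the final block.
set -eu

# Convert a sudoers host glob ("webserver*", "db?.example.com") into the
# anchored regex that ipa automember-add-condition expects. Dots are
# escaped first so the ".*" introduced for "*" is left alone.
glob_to_regex() {
    printf '^%s$\n' "$(printf '%s' "$1" | sed -e 's/[.]/\\./g' -e 's/\*/.*/g' -e 's/?/./g')"
}

# Hostgroup fed by an automember rule on fqdn. automember-rebuild applies
# the rule to hosts that were enrolled before the rule existed; hosts
# enrolled later are added as ipa-client-install creates them.
hostgroup_from_glob() {   # $1 hostgroup, $2 glob
    ipa hostgroup-add "$1" --desc="hosts matching $2"
    ipa automember-add "$1" --type=hostgroup
    ipa automember-add-condition "$1" --type=hostgroup --key=fqdn \
        --inclusive-regex="$(glob_to_regex "$2")"
    ipa automember-rebuild --type=hostgroup
}

# Sudo rule bound to the hostgroup rather than to a host pattern, with an
# explicit command list instead of ALL.
sudo_rule_for_hostgroup() {   # $1 rule, $2 hostgroup, $3 user group, $4 command
    ipa sudocmd-add "$4"
    ipa sudorule-add "$1"
    ipa sudorule-add-host "$1" --hostgroups="$2"
    ipa sudorule-add-user "$1" --groups="$3"
    ipa sudorule-add-allow-command "$1" --sudocmds="$4"
}

if [ "${1:-}" = apply ]; then
    hostgroup_from_glob webservers 'webserver*'
    sudo_rule_for_hostgroup web-restart webservers webadmins \
        '/usr/bin/systemctl restart httpd'
fi
```

IPA exposes each hostgroup as a netgroup of the same name, and in the compat sudoers tree the rule appears with the host as that netgroup (sudoHost: +webservers); sudo-ldap resolves it through NSS, so the nss-pam-ldapd client also needs a netgroup base under cn=compat. The win over a wildcard is that membership is now visible and auditable per host, and a new host called webserver-evil does not silently inherit the rule unless the regex says so.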
Re: [Freeipa-users] Wildcards in sudo external hostnames

2016-02-22 Thread Prashant Bapat
Sorry, not an option. I have a couple of 1000s of instances. Aside from
switching OS is there any other option? I mean "*" char is allowed in
standard sudo implementation. To me it seems like there should not be a
host name check on sudo hosts.

On 22 February 2016 at 12:22, Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Mon, 22 Feb 2016, Prashant Bapat wrote:
>
>> SSSD on Amazon Linux is a dead end! I have tried for a year without any
>> definitive answer.
>>
>> Any other suggestions ?
>>
> Switch to CentOS AMIs.
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] Wildcards in sudo external hostnames

2016-02-21 Thread Prashant Bapat
SSSD on Amazon Linux is a dead end! I have been trying for a year without any
definitive answer.

Any other suggestions ?

Thanks.
--Prashant

On 19 February 2016 at 21:32, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Fri, Feb 19, 2016 at 09:10:19PM +0530, Prashant Bapat wrote:
> > Not using SSSD because Amazon Linux does not support samba libraries
> > required to compile it.
>
> Time to file a request against Amazon I guess :-)
>

Re: [Freeipa-users] Kerberos process coredump | authentication fails

2016-03-09 Thread Prashant Bapat
To follow up on this. I think the issue is resolved.

We have 8 IPA servers. And the primary server on which this error was
occurring had 7 replication agreements! Ended up changing the replication
agreements so that 2 servers had 4 agreements (3 + 1 amongst themselves)
and all others with 2 agreements each.

This seems to have resolved the core-dump of kerberos. No upgrade was done.

Hope this helps someone.

On 29 January 2016 at 15:13, Prashant Bapat <prash...@apigee.com> wrote:

> We will have to run with F21 for now. There are plans for moving to CentOS
> 7.x in the near future. Until then, I'm afraid I will have to live with
> this.
>
> Thanks much Sumit for all your help in identifying this.
>
> Regards.
> --Prashant
>
> On 28 January 2016 at 23:24, Sumit Bose <sb...@redhat.com> wrote:
>
>> On Thu, Jan 28, 2016 at 09:36:55PM +0530, Prashant Bapat wrote:
>> > Sure. Attached the stack trace with debuginfo installed.
>> >
>> > Thanks much!
>>
>> This looks very much like the issue Simo fixed recently, but
>> unfortunately I think it is so recent that it is not available in any
>> release package. Additionally it would be quite some effort for me to
>> generate an F21 test build because, as Lukas said, F21 is already
>> End-of-life and there is no infrastructure anymore to easily build F21
>> packages. If it were possible to upgrade to a newer version of Fedora
>> I'd be happy to provide a test build with the patch.
>>
>> bye,
>> Sumit
>>
>> >
>> > On 28 January 2016 at 16:53, Sumit Bose <sb...@redhat.com> wrote:
>> >
>> > > On Thu, Jan 28, 2016 at 04:42:20PM +0530, Prashant Bapat wrote:
>> > > > gdb stacktrace attached.
>> > >
>> > > Can you install the debuginfo with
>> > >
>> > >  debuginfo-install krb5-server-1.12.2-19.fc21.x86_64
>> > >
>> > > as suggested by gdb and then call 'bt full' again to get more details?
>> > > Additionally the debuginfo of the freeipa package might be missing as
>> > > well.
>> > >
>> > > bye,
>> > > Sumit
>> > > >
>> > > > On 28 January 2016 at 16:27, Prashant Bapat <prash...@apigee.com> wrote:
>> > > >
>> > > > > Thanks Sumit.
>> > > > >
>> > > > > From the logs there is nothing unusual around the time of core dump. I
>> > > > > found this one line odd though.
>> > > > >
>> > > > > Jan 26 03:15:58 ipa.example.net krb5kdc[4471](Error): worker 4473 exited with status 134
>> > > > >
>> > > > > Let me try to get the full BT.
>> > > > >
>> > > > > On 28 January 2016 at 13:54, Sumit Bose <sb...@redhat.com> wrote:
>> > > > >
>> > > > >> On Thu, Jan 28, 2016 at 10:25:53AM +0530, Prashant Bapat wrote:
>> > > > >> > Hi,
>> > > > >> >
>> > > > >> > We have a FreeIPA 4.1.4 setup on F21 servers. There is 1 master and 7
>> > > > >> > replicas in different regions. Earlier there was only 1 replica. Since I
>> > > > >> > added new replicas, on the master node, once in a while the kerberos
>> > > > >> > process dumps core and everything stops working - authentication,
>> > > > >> > replication etc. If we restart everything using "ipactl restart" things
>> > > > >> > are back to normal.
>> > > > >> >
>> > > > >> > Attached is the output from journalctl for kerberos.
>> > > > >> >
>> > > > >> > Has anyone come across this? Are there any pointers to troubleshooting
>> > > > >> > this?
>> > > > >>
>> > > > >> This might be fixed recently by a patch from Simo
>> > > > >> (2144b1eeb789639b8a3df287b580aeb6196188a8). But to help to better
>> > > > >> identify the issue the content of the kdc logs around the time of the
>> > > > >> crash might be useful. Additionally a full backtrace which you can get
>> > > > >>

[Freeipa-users] read-only service account - aci

2016-03-11 Thread Prashant Bapat
Hi,

I'm trying to use IPA's LDAP server as the user database for an external
application.

I have created a service account from ldif below.


dn: uid=srv-ro,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: changeme!
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0


This works fine. My question is: what's the ACI associated with this new
user? Does this user have read-only access to everything in LDAP? Or
should I add/tune the ACI?

Thanks.
--Prashant

Re: [Freeipa-users] Zombie Replica !

2016-04-06 Thread Prashant Bapat
What I have done now was to add a new server, ipa02, and configure
replication again, and things are fine.

However on IPA1 the 389 DS error logs have references to the dead ipa2
replica.

[07/Apr/2016:04:13:11 +] NSMMReplicationPlugin - agmt="cn=meToipa2.example.net" (ipa2:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[07/Apr/2016:04:13:11 +] NSMMReplicationPlugin - Abort CleanAllRUV Task (rid 6): Failed to connect to replica(agmt="cn=meToipa2.example.net" (ipa2:389)).
[07/Apr/2016:04:13:11 +] NSMMReplicationPlugin - Abort CleanAllRUV Task (rid 6): Retrying in 14400 seconds

It will never be able to connect to ipa2 as it's gone permanently. Also the
ipa-replica-manage list `hostname` command still shows ipa2 as a replica.

How do I remove this permanently?

Thanks.
--Prashant

On 6 April 2016 at 22:17, Prashant Bapat <prash...@apigee.com> wrote:

> # ipa-replica-manage list `hostname`
> ipa2.example.net: replica
> ipa3.example.net: replica
> ipa4.example.net: replica
>
> ipa2.example.net should not be there. How do I remove it?
>
> On 6 April 2016 at 18:55, Rob Crittenden <rcrit...@redhat.com> wrote:
>
>> Prashant Bapat wrote:
>>
>>> Hi,
>>>
>>> We had 4 IPA servers in master master mode with all of them connected to
>>> each other.
>>>
>>> IPA1 <>  IPA2 (colo 1)
>>> IPA3 <>  IPA4 (colo 2)
>>>
>>> One of the replica servers (IPA2) had to be rebuilt.
>>>
>>> So I went ahead and used the commands below.
>>>
>>> ipa-replica-manage disconnect IPA2 IPA3
>>> ipa-replica-manage disconnect IPA2 IPA4
>>> ipa-replica-manage del IPA2 (to remove it on IPA1).
>>>
>>> And then ran ipa-server-install --uninstall on IPA2.
>>>
>>> Created the replica info file using ipa-replica-prepare IPA2.
>>>
>>> When I tried to run ipa-replica-install on IPA2, it says
>>>
>>> A replication agreement for this host already exists. It needs to be
>>> removed.
>>> Run this on the master that generated the info file:
>>>  % ipa-replica-manage del ipa2.example.net --force
>>>
>>> Now on IPA1, no matter what I do it still has references to IPA2.
>>>
>>> So far I have tried the following.
>>>
>>>  1. ipa-replica-manage del --force IPA2
>>>  2. ipa-replica-manage del --force --cleanruv IPA2
>>>  3. /usr/sbin/cleanallruv.pl -D "cn=directory manager" -w - -b "dc=example,dc=net" -r 6
>>>
>>>
>>> Got the rid = 6 by running
>>> ldapsearch -Y GSSAPI -b "dc=example,dc=net"
>>>
>>> '(&(nsuniqueid=---)(objectclass=nstombstone))'
>>> nsds50ruv
>>>
>>> In the directory server logs, I guess its still trying to connect to
>>> IPA2 and failing. Below are some lines.
>>>
>>> [06/Apr/2016:10:18:09 +] NSMMReplicationPlugin -
>>> agmt="cn=meToipa2.example.net" (ipa2:389):
>>> Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact
>>> LDAP server) ()
>>> [06/Apr/2016:10:18:09 +] NSMMReplicationPlugin - CleanAllRUV Task
>>> (rid 6): Replica not online (agmt="cn=meToipa2.example.net" (ipa2:389))
>>> [06/Apr/2016:10:18:09 +] NSMMReplicationPlugin - CleanAllRUV Task
>>> (rid 6): Not all replicas online, retrying in 2560 seconds...
>>>
>>> Any pointers would be helpful.
>>>
>>
>> On ipa1 run:
>>
>> % ipa-replica-manage list -v `hostname`
>>
>> This will give the list of actual agreements and their status.
>>
>> rob
>>
>>
>

Re: [Freeipa-users] Zombie Replica !

2016-04-06 Thread Prashant Bapat
# ipa-replica-manage list `hostname`
ipa2.example.net: replica
ipa3.example.net: replica
ipa4.example.net: replica

ipa2.example.net should not be there. How do I remove it?

On 6 April 2016 at 18:55, Rob Crittenden <rcrit...@redhat.com> wrote:

> Prashant Bapat wrote:
>
>> Hi,
>>
>> We had 4 IPA servers in master master mode with all of them connected to
>> each other.
>>
>> IPA1 <>  IPA2 (colo 1)
>> IPA3 <>  IPA4 (colo 2)
>>
>> One of the replica servers (IPA2) had to be rebuilt.
>>
>> So I went ahead and used the commands below.
>>
>> ipa-replica-manage disconnect IPA2 IPA3
>> ipa-replica-manage disconnect IPA2 IPA4
>> ipa-replica-manage del IPA2 (to remove it on IPA1).
>>
>> And then ran ipa-server-install --uninstall on IPA2.
>>
>> Created the replica info file using ipa-replica-prepare IPA2.
>>
>> When I tried to run ipa-replica-install on IPA2, it says
>>
>> A replication agreement for this host already exists. It needs to be
>> removed.
>> Run this on the master that generated the info file:
>>  % ipa-replica-manage del ipa2.example.net --force
>>
>> Now on IPA1, no matter what I do it still has references to IPA2.
>>
>> So far I have tried the following.
>>
>>  1. ipa-replica-manage del --force IPA2
>>  2. ipa-replica-manage del --force --cleanruv IPA2
>>  3. /usr/sbin/cleanallruv.pl -D "cn=directory manager" -w - -b "dc=example,dc=net" -r 6
>>
>>
>> Got the rid = 6 by running
>> ldapsearch -Y GSSAPI -b "dc=example,dc=net"
>>
>> '(&(nsuniqueid=---)(objectclass=nstombstone))'
>> nsds50ruv
>>
>> In the directory server logs, I guess its still trying to connect to
>> IPA2 and failing. Below are some lines.
>>
>> [06/Apr/2016:10:18:09 +] NSMMReplicationPlugin -
>> agmt="cn=meToipa2.example.net" (ipa2:389):
>> Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact
>> LDAP server) ()
>> [06/Apr/2016:10:18:09 +] NSMMReplicationPlugin - CleanAllRUV Task
>> (rid 6): Replica not online (agmt="cn=meToipa2.example.net" (ipa2:389))
>> [06/Apr/2016:10:18:09 +] NSMMReplicationPlugin - CleanAllRUV Task
>> (rid 6): Not all replicas online, retrying in 2560 seconds...
>>
>> Any pointers would be helpful.
>>
>
> On ipa1 run:
>
> % ipa-replica-manage list -v `hostname`
>
> This will give the list of actual agreements and their status.
>
> rob
>
>

Re: [Freeipa-users] Zombie Replica !

2016-04-07 Thread Prashant Bapat
Thank you very much! That does it.

On 7 April 2016 at 13:12, Ludwig Krispenz <lkris...@redhat.com> wrote:

>
> On 04/07/2016 07:23 AM, Prashant Bapat wrote:
>
> What I have done now was to add a new server, ipa02 and configured
> replication again and things are fine.
>
> However on IPA1 the 389 ds error logs have reference to the dead ipa2
> replica.
>
> [07/Apr/2016:04:13:11 +] NSMMReplicationPlugin - agmt="cn=
> meToipa2.example.net" (ipa2:389): Replication bind with GSSAPI auth
> failed: LDAP error -1 (Can't contact LDAP server) ()
> [07/Apr/2016:04:13:11 +] NSMMReplicationPlugin - Abort CleanAllRUV
> Task (rid 6): Failed to connect to replica(agmt="cn=meToipa2.example.net"
> (ipa2:389)).
> [07/Apr/2016:04:13:11 +] NSMMReplicationPlugin - Abort CleanAllRUV
> Task (rid 6): Retrying in 14400 seconds
>
> It will never be able to connect to ipa2 as its gone permanently. Also the
>  ipa-replica-manage list `hostname` command still shows the ipa2 as
> replica.
>
> How to remove this permanently ???
>
> I don't know why you got into this state, ipa-replica-manage del
> should have removed the agreement. You can do it by directly deleting it in
> DS:
> - get the full dn of the agreement
> ldapsearch . -D "cn=directory manager" -w  -b cn=config "cn=meToipa2.example.net" dn
> it should return an entry with
> dn: 
>
> then do a delete
>
> ldapmodify . -D "cn=directory manager" -w 
> dn: 
> changetype: delete
>
>
> Thanks.
> --Prashant
>
> On 6 April 2016 at 22:17, Prashant Bapat <prash...@apigee.com> wrote:
>
>> # ipa-replica-manage list `hostname`
>> ipa2.example.net: replica
>> ipa3.example.net: replica
>> ipa4.example.net: replica
>>
>> ipa2.example.net should not be there. How do I remove it?
>>
>> On 6 April 2016 at 18:55, Rob Crittenden <rcrit...@redhat.com> wrote:
>>
>>> Prashant Bapat wrote:
>>>
>>>> Hi,
>>>>
>>>> We had 4 IPA servers in master master mode with all of them connected to
>>>> each other.
>>>>
>>>> IPA1 <>  IPA2 (colo 1)
>>>> IPA3 <>  IPA4 (colo 2)
>>>>
>>>> One of the replica servers (IPA2) had to be rebuilt.
>>>>
>>>> So I went ahead and used the commands below.
>>>>
>>>> ipa-replica-manage disconnect IPA2 IPA3
>>>> ipa-replica-manage disconnect IPA2 IPA4
>>>> ipa-replica-manage del IPA2 (to remove it on IPA1).
>>>>
>>>> And then ran ipa-server-install --uninstall on IPA2.
>>>>
>>>> Created the replica info file using ipa-replica-prepare IPA2.
>>>>
>>>> When I tried to run ipa-replica-install on IPA2, it says
>>>>
>>>> A replication agreement for this host already exists. It needs to be
>>>> removed.
>>>> Run this on the master that generated the info file:
>>>>  % ipa-replica-manage del ipa2.example.net --force
>>>>
>>>> Now on IPA1, no matter what I do it still has references to IPA2.
>>>>
>>>> So far I have tried the following.
>>>>
>>>>  1. ipa-replica-manage del --force IPA2
>>>>  2. ipa-replica-manage del --force --cleanruv IPA2
>>>>  3. /usr/sbin/cleanallruv.pl -D "cn=directory manager" -w - -b "dc=example,dc=net" -r 6
>>>>
>>>>
>>>> Got the rid = 6 by running
>>>> ldapsearch -Y GSSAPI -b "dc=example,dc=net"
>>>>
>>>> '(&(nsuniqueid=---)(objectclass=nstombstone))'
>>>> nsds50ruv
>>>>
>>>> In the directory server logs, I guess its still trying to connect to
>>>> IPA2 and failing. Below are some lines.
>>>>
>>>> [06/Apr/2016:10:18:09 +] NSMMReplicationPlugin -
>>>> agmt="cn=meToipa2.example.net" (ipa2:389):
>>>> Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact
>>>> LDAP server) ()
>>>> [06/Apr/2016:10:18:09 +] NSMMReplicationPlugin - CleanAllRUV Task
>>>> (rid 6): Replica not online (agmt="cn=meToipa2.example.net" (ipa2:389))
>>>> [06/Apr/2016:10:18:09 +] NSMMReplicationPlugin - CleanAllRUV Task
>>>> (rid 6): Not all replicas online, retrying in 2560 seconds...
>>>>
>>>> Any pointers would be helpful.
>>>>
>>>
>>> On ipa1 run:
>>>
>>> % ipa-replica-manage list -v `hostname`
>>>
>>> This will give the list of actual agreements and their status.
>>>
>>> rob
>>>
>>>
>>
>
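As an added example (not from the thread and not 389-ds or FreeIPA code), a small scanner over 389-ds errors-log lines like the ones quoted in this thread: it flags agreements whose replication bind keeps failing while a CleanAllRUV task is stuck on them, which is the zombie pattern above, and builds the cn=config lookup from Ludwig's first step. The log lines are constructed for the example and the function names are its own.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the errors-log lines quoted in the thread.
# A second agreement (ipa3) with a single bind failure and no CleanAllRUV
# task is included for contrast: that alone may just be a transient outage.
SAMPLE_ERRORS_LOG = """\
[07/Apr/2016:04:13:11 +0000] NSMMReplicationPlugin - agmt="cn=meToipa2.example.net" (ipa2:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[07/Apr/2016:04:13:11 +0000] NSMMReplicationPlugin - Abort CleanAllRUV Task (rid 6): Failed to connect to replica(agmt="cn=meToipa2.example.net" (ipa2:389)).
[07/Apr/2016:04:13:11 +0000] NSMMReplicationPlugin - Abort CleanAllRUV Task (rid 6): Retrying in 14400 seconds
[07/Apr/2016:04:13:15 +0000] NSMMReplicationPlugin - agmt="cn=meToipa3.example.net" (ipa3:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
"""

AGMT_RE = re.compile(r'agmt="cn=(?P<cn>[^"]+)" \((?P<host>[^:)]+):(?P<port>\d+)\)')
RID_RE = re.compile(r"\(rid (?P<rid>\d+)\)")
BIND_FAILED = "Replication bind with GSSAPI auth failed"
CLEANALLRUV = "CleanAllRUV Task"


def scan_errors_log(text: str) -> Dict[str, dict]:
    """Per agreement cn: target host/port, number of failed replication
    binds, and the set of CleanAllRUV rids that reported it unreachable."""
    report: Dict[str, dict] = {}
    for line in text.splitlines():
        m = AGMT_RE.search(line)
        if not m:
            continue  # lines without an agmt= reference carry nothing per agreement
        entry = report.setdefault(m.group("cn"), {
            "host": m.group("host"), "port": int(m.group("port")),
            "bind_failures": 0, "cleanallruv_rids": set(),
        })
        if BIND_FAILED in line:
            entry["bind_failures"] += 1
        if CLEANALLRUV in line:
            rid = RID_RE.search(line)
            if rid:
                entry["cleanallruv_rids"].add(int(rid.group("rid")))
    return report


def stale_agreements(report: Dict[str, dict], min_failures: int = 1) -> List[str]:
    """Agreements that both fail to bind and block a CleanAllRUV task: the
    'zombie' pattern from the thread. A bind failure alone may be transient."""
    return sorted(cn for cn, e in report.items()
                  if e["bind_failures"] >= min_failures and e["cleanallruv_rids"])


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\0" else c for c in value)


def agreement_search_argv(cn: str) -> List[str]:
    """argv for the cn=config lookup from Ludwig's first step, returning only
    the agreement's dn. -W prompts for the Directory Manager password instead
    of passing it with -w, so it does not end up in shell history."""
    return ["ldapsearch", "-x", "-D", "cn=directory manager", "-W",
            "-b", "cn=config", f"(cn={ldap_filter_escape(cn)})", "dn"]


if __name__ == "__main__":
    rep = scan_errors_log(SAMPLE_ERRORS_LOG)
    for cn in stale_agreements(rep):
        e = rep[cn]
        print(f"stale agreement {cn} -> {e['host']}:{e['port']}, "
              f"{e['bind_failures']} bind failure(s), rids {sorted(e['cleanallruv_rids'])}")
        print("  next step:", " ".join(agreement_search_argv(cn)))
```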

Re: [Freeipa-users] Users directory Browsing -

2016-03-07 Thread Prashant Bapat
A user will be able to list all other users and be able to read their
attributes. But will not be able to change anything.

Is that an issue? I mean on a Linux box you can read the /etc/passwd file,
which has info about all users on that box. This doesn't cause issues.

On 8 March 2016 at 03:03, Matt Wells  wrote:

> Hi all, I had a quick question.  I swear I had this before but that could
> be the voices telling me it's true
> A normal user is logging into IPA (4.2.0) and filling in their phone
> number and info no problem.  However when that user clicks on accounts
> above they are then able to peruse the entire directory and all the other
> user accounts.
> I'm trying to remove that but for the life of me can't recall the ACI or
> where that may be.
>
> I really appreciate it, I'll continue to search through the previous
> questions and if I find it before a reply will mark this closed with the
> link.
> Thank you all -
> Wells
>

Re: [Freeipa-users] Kerberos authentication from a third party app - Shibboleth

2016-03-03 Thread Prashant Bapat
I guess I was looking at this wrongly!

Simo, you're right! Java and Kerberos won't work!

However password+OTP against the LDAP server directly works! I can use that!

Thanks for your help!

On 3 March 2016 at 14:40, Prashant Bapat <prash...@apigee.com> wrote:

> Thanks.
>
> Let me figure out possible alternatives.
>
> On 3 March 2016 at 00:20, Simo Sorce <s...@redhat.com> wrote:
>
>>
>>
>> On Wed, 2016-03-02 at 16:25 +0530, Prashant Bapat wrote:
>> > Thanks. But my problem is not OTP per se but Kerberos through Java.
>> > Specifically I'm getting the error below.
>> >
>> > javax.security.auth.login.LoginException: Pre-authentication information
>> > was invalid (24) - PREAUTH_FAILED
>> > at
>> >
>> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
>> > Caused by: sun.security.krb5.KrbException: Pre-authentication
>> information
>> > was invalid (24) - PREAUTH_FAILED
>> > at sun.security.krb5.KrbAsRep.(KrbAsRep.java:82)
>> > Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match
>> > expected value (906)
>> > at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
>> >
>> > Any pointers ?
>>
>> Unfortunately Java tends to lag way behind with Krb5 and GSSAPI features
>> and APIs (years behind). In this case what happens is that your Java
>> module probably does not support FAST preauth.
>>
>> > On 1 March 2016 at 21:01, Alexander Bokovoy <aboko...@redhat.com>
>> wrote:
>> >
>> > > On Tue, 01 Mar 2016, Prashant Bapat wrote:
>> > >
>> > >> Hi,
>> > >>
>> > >> I'm trying to use Shibboleth IdP with FreeIPA and Kerberos
>> Authentication.
>> > >> I'm aware of Ipsilon, just that Shibboleth is more suited for my use
>> case.
>> > >>
>> > >> I've installed ipa-client on a server and connected it to ipa.
>> Shibboleth
>> > >> is installed on this server and I'm able to get the Kerberos
>> > >> authentication
>> > >> working. Documented here:
>> > >> https://wiki.shibboleth.net/confluence/display/IDP30/KerberosAuthnConfiguration
>> > >>
>> > >> However if I bring OTP into picture, authentication fails. Error
>> message
>> > >> is
>> > >> like "Pre-authentication information was invalid (24) -
>> PREAUTH_FAILED".
>> > >>
>> > >> Any pointers on how to make OTP work?
>> > >>
>> > > http://www.freeipa.org/page/V4/OTP
>> > > http://www.freeipa.org/page/V4/OTP/Detail
>> > >
>> > > --
>> > > / Alexander Bokovoy
>> > >
>>
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>>
>>
>

Re: [Freeipa-users] Kerberos authentication from a third party app - Shibboleth

2016-03-03 Thread Prashant Bapat
Thanks.

Let me figure out possible alternatives.

On 3 March 2016 at 00:20, Simo Sorce <s...@redhat.com> wrote:

>
>
> On Wed, 2016-03-02 at 16:25 +0530, Prashant Bapat wrote:
> > Thanks. But my problem is not OTP per se but Kerberos through Java.
> > Specifically I'm getting the error below.
> >
> > javax.security.auth.login.LoginException: Pre-authentication information
> > was invalid (24) - PREAUTH_FAILED
> > at
> >
> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
> > Caused by: sun.security.krb5.KrbException: Pre-authentication information
> > was invalid (24) - PREAUTH_FAILED
> > at sun.security.krb5.KrbAsRep.(KrbAsRep.java:82)
> > Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match
> > expected value (906)
> > at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
> >
> > Any pointers ?
>
> Unfortunately Java tends to lag way behind with Krb5 and GSSAPI features
> and APIs (years behind). In this case what happens is that your Java
> module probably does not support FAST preauth.
>
> > On 1 March 2016 at 21:01, Alexander Bokovoy <aboko...@redhat.com> wrote:
> >
> > > On Tue, 01 Mar 2016, Prashant Bapat wrote:
> > >
> > >> Hi,
> > >>
> > >> I'm trying to use Shibboleth IdP with FreeIPA and Kerberos
> Authentication.
> > >> I'm aware of Ipsilon, just that Shibboleth is more suited for my use
> case.
> > >>
> > >> I've installed ipa-client on a server and connected it to ipa.
> Shibboleth
> > >> is installed on this server and I'm able to get the Kerberos
> > >> authentication
> > >> working. Documented here:
> > >> https://wiki.shibboleth.net/confluence/display/IDP30/KerberosAuthnConfiguration
> > >>
> > >> However if I bring OTP into picture, authentication fails. Error
> message
> > >> is
> > >> like "Pre-authentication information was invalid (24) -
> PREAUTH_FAILED".
> > >>
> > >> Any pointers on how to make OTP work?
> > >>
> > > http://www.freeipa.org/page/V4/OTP
> > > http://www.freeipa.org/page/V4/OTP/Detail
> > >
> > > --
> > > / Alexander Bokovoy
> > >
>
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>

[Freeipa-users] Kerberos authentication from a third party app - Shibboleth

2016-03-01 Thread Prashant Bapat
Hi,

I'm trying to use Shibboleth IdP with FreeIPA and Kerberos Authentication.
I'm aware of Ipsilon, just that Shibboleth is more suited for my use case.

I've installed ipa-client on a server and connected it to ipa. Shibboleth
is installed on this server and I'm able to get the Kerberos authentication
working. Documented here:
https://wiki.shibboleth.net/confluence/display/IDP30/KerberosAuthnConfiguration

However if I bring OTP into picture, authentication fails. Error message is
like "Pre-authentication information was invalid (24) - PREAUTH_FAILED".

Any pointers on how to make OTP work?

Regards.
--Prashant

Re: [Freeipa-users] Kerberos authentication from a third party app - Shibboleth

2016-03-02 Thread Prashant Bapat
Thanks. But my problem is not OTP per se but Kerberos through Java.
Specifically I'm getting the error below.

javax.security.auth.login.LoginException: Pre-authentication information
was invalid (24) - PREAUTH_FAILED
at
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
Caused by: sun.security.krb5.KrbException: Pre-authentication information
was invalid (24) - PREAUTH_FAILED
at sun.security.krb5.KrbAsRep.(KrbAsRep.java:82)
Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match
expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)

Any pointers ?

On 1 March 2016 at 21:01, Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Tue, 01 Mar 2016, Prashant Bapat wrote:
>
>> Hi,
>>
>> I'm trying to use Shibboleth IdP with FreeIPA and Kerberos Authentication.
>> I'm aware of Ipsilon, just that Shibboleth is more suited for my use case.
>>
>> I've installed ipa-client on a server and connected it to ipa. Shibboleth
>> is installed on this server and I'm able to get the Kerberos
>> authentication
>> working. Documented here:
>> https://wiki.shibboleth.net/confluence/display/IDP30/KerberosAuthnConfiguration
>>
>> However if I bring OTP into picture, authentication fails. Error message
>> is
>> like "Pre-authentication information was invalid (24) - PREAUTH_FAILED".
>>
>> Any pointers on how to make OTP work?
>>
> http://www.freeipa.org/page/V4/OTP
> http://www.freeipa.org/page/V4/OTP/Detail
>
> --
> / Alexander Bokovoy
>

[Freeipa-users] OTP and time step size

2016-04-22 Thread Prashant Bapat
Hi,

We have been using the OTP feature of FreeIPA extensively for users to
login to the web UI. Now we are rolling out an external service using the
LDAP authentication based on FreeIPA and OTP.

End users typically login rarely to the web UI. Only to update their SSH
keys once in 90 days.

However to the new service based on FreeIPA's LDAP they would be logging in
multiple times daily.

Here is an observation: FreeIPA's OTP mechanism is very stringent in
requiring the current token to be inside the 30 second window. Because of
this there might be a sizable percentage of users who will have to retry
login. Obviously, this is a bad user experience.

As per RFC 6238 section 5.2,
we could allow 1 time step and make the user experience better.

Can this be done by changing a config or does it involve a
patch/code-change. Any pointers to this appreciated.

Thanks.
--Prashant

Re: [Freeipa-users] OTP and time step size

2016-04-29 Thread Prashant Bapat
Hi Petr,

Thanks for the response. But my question was more towards the cases where
there is a slight delay between entering the OTP in the web UI and it reaching
the IPA server. This actually can happen with ANY time window.

There are a couple of scenarios.

1. Network delays.
2. User enters the OTP token and takes a few seconds before pressing
submit.
3. User has to enter OTP first and then the password. This is the case when
changing password in IPA at the moment when OTP is on.

Is there a way to make IPA honor either the current token (obviously!) or 1
elapsed token?

This will go a long way in making FreeIPA's OTP implementation much more
usable.

Thanks.
--Prashant

On 25 April 2016 at 21:48, Petr Vobornik <pvobo...@redhat.com> wrote:

> On 04/22/2016 08:55 AM, Prashant Bapat wrote:
> > Hi,
> >
> > We have been using the OTP feature of FreeIPA extensively for users to
> login to
> > the web UI. Now we are rolling out an external service using the LDAP
> > authentication based on FreeIPA and OTP.
> >
> > End users typically login rarely to the web UI. Only to update their SSH
> keys
> > once in 90 days.
> >
> > However to the new service based on FreeIPA's LDAP they would be logging
> in
> > multiple times daily.
> >
> > Here is an observation: FreeIPA's OTP mechanism is very stringent in
> requiring
> > the current token to be inside the 30 second window. Because of this
> there might
> > be a sizable percentage of users who will have to retry login.
> Obviously, this
> > is a bad user experience.
> >
> > As per the RFC-6238 <http://www.rfc-base.org/txt/rfc-6238.txt> section
> 5.2, we
> > could allow 1 time step and make the user experience better.
> >
> > Can this be done by changing a config or does it involve a
> patch/code-change.
> > Any pointers to this appreciated.
> >
> > Thanks.
> > --Prashant
> >
>
> FreeIPA works with both time-based OTP tokens (TOTP) and counter-based
> OTP tokens (HOTP). TOTP uses a 30s time interval by default. The administrator
> can set a custom clock interval during creation of a token, but the
> self-service Web UI doesn't show this option. Users can still use it in
> the CLI though.
>
> An alternative is HOTP, which doesn't use a time interval, so the UX
> issue is not there. It can also be created in user self service.
> --
> Petr Vobornik
>
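The RFC 6238 section 5.2 look-back that both OTP posts above ask for, as an added example that is not FreeIPA's code or from the thread: a TOTP verifier that accepts the current step or one elapsed step, refuses replay of an already-accepted counter, and reproduces the RFC's published test vectors. The names verify_totp, look_back and last_accepted are this example's own, not FreeIPA options.

```python
import hashlib
import hmac
import struct
from typing import Optional

TIME_STEP = 30  # seconds; the default step size the thread is about

# Seed from RFC 6238 Appendix B (ASCII "12345678901234567890"), so the codes
# this produces can be checked against the RFC's published test vectors.
RFC_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, look_back: int = 1,
                last_accepted: int = -1, digits: int = 6,
                step: int = TIME_STEP) -> Optional[int]:
    """Accept the code for the current step or any of the previous `look_back`
    steps (RFC 6238 section 5.2). look_back=0 is the strict behaviour the
    thread complains about. Returns the accepted counter, or None.

    A wider window also widens the replay window, so any counter <=
    last_accepted (the counter of the last code this user authenticated
    with) is refused; a real verifier persists that value per token."""
    current = unix_time // step
    accepted = None
    for back in range(look_back + 1):
        counter = current - back
        if counter <= last_accepted:
            continue
        # compare_digest keeps each comparison constant-time, and the loop
        # does not break early so the work done does not reveal which step matched
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            accepted = counter
    return accepted


if __name__ == "__main__":
    code = totp(RFC_SEED, 59)  # generated in step 1 (59 // 30)
    for t in (59, 75, 105):
        print(f"t={t:<4} strict={verify_totp(RFC_SEED, code, t, look_back=0)} "
              f"look_back=1={verify_totp(RFC_SEED, code, t, look_back=1)}")
```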

Re: [Freeipa-users] Advice sought on monitoring freeipa status

2016-05-19 Thread Prashant Bapat
For the replication issues please see
http://directory.fedoraproject.org/docs/389ds/howto/howto-replicationmonitoring.html

This has a perl script that you can use.

As for the authentication of the user monitoring replication, we thought
about it and ended up allowing anonymous reads on the replication status.
Thus you don't store any user/password at all.

In addition to this, we use Monit heavily. It's pretty flexible.

--Prashant

On 18 May 2016 at 15:38, Roderick Johnstone  wrote:

> Hi
>
> I'm trying to set up some monitoring of our freeipa installation. To start
> with, I'd like to know eg:
>
> 1) If replication stopped
>
> 2) Whether the ldap databases on replicas are inconsistent with each
> other.
>
> We have RHEL7 freeipa servers and RHEL6 and RHEL7 clients, all with latest
> distribution packages.
>
> I see a number of pages at www.ipa.org about monitoring freeipa in
> various ways, but I'm not sure any were actually implemented yet.
>
> Then I found this: https://github.com/peterpakos/ipa_check_consistency
> which looks useful but seems to require a plain text password for a
> privileged ldap account to be embedded in a file, which is less than ideal.
>
> So, I was wondering, as a stop gap, whether it's possible to control the
> server that the ipa commands talk to at the command line?
>
> One could then run a cron job to iterate through the servers and compare
> various outputs from ipa commands. However, the ipa man page suggests the
> ipa command will go for either the server explicitly set in
> /etc/ipa/default.conf or if unavailable use those set in the DNS _SRV_
> records.
>
> Maybe there is a better way to do this that I missed altogether?
>
> Roderick Johnstone
>

Re: [Freeipa-users] Enforce use of OTP token for all users.

2016-05-16 Thread Prashant Bapat
Thanks for the reply.

Yes it will. But my question is a bit different.

I want to be able to ensure that each and every user is forced to set up
at least 1 OTP.

I have set "Default user authentication types" to "password + OTP". With
this users who have OTP, have to use OTP. But if a user does not have OTP
they can login with just password.

Can they be forced to set up an OTP?

On 16 May 2016 at 16:03, Petr Vobornik <pvobo...@redhat.com> wrote:

> On 05/16/2016 12:20 PM, Prashant Bapat wrote:
> > Any suggestions on how to achieve this ?
> >
>
> `ipa config-mod --user-auth-type=otp` will force otp auth for users with
> an OTP token.
> --
> Petr Vobornik

[Freeipa-users] Enforce use of OTP token for all users.

2016-05-16 Thread Prashant Bapat
Any suggestions on how to achieve this ?

Re: [Freeipa-users] OTP token policies.

2016-05-05 Thread Prashant Bapat
+1 For enforcing OTP in web UI.

When the user logs in for the first time he should be taken to a page to
create an OTP token. Users should be able to log in only using passwd+OTP.

Are there any ideas for ensuring that all users are using OTP tokens ?

On 4 May 2016 at 05:12, Peter Bisroev  wrote:

> Dear Developers,
>
> Firstly, thank you for a fantastic product. I have a few questions
> relating to OTP that I could not find the answers to in the Red Hat IdM
> manual, http://www.freeipa.org/page/V4/OTP document, and on both user and
> devel mailing lists. Hopefully I have not missed anything obvious :)
>
> With FreeIPA version 4.2, is it possible to enforce policies on what
> administrators and/or users can do with OTP tokens? For example:
>
> 1) Is there a way to enforce how many tokens can be active for a user at
> the same time?
>
> 2) Is it possible to force the number of digits to be eight and a specific
> algorithm to be used?
>
> 3) Is it possible to force the user to create a new OTP token after the
> first password change?
>
> If there is such support, it can be used to overcome the soft OTP token
> enrollment bootstrap issue. For example, currently, if the administrator
> creates a new user and enables "Two factor authentication (password + OTP)"
> but does not assign an OTP token, the user is able to login, change the
> password and continue using the new password without enabling 2FA
> indefinitely.
>
> However, once the OTP token is created, either by administrator or the
> user, the system forces the token's use from this point on. Maybe in the
> future, FreeIPA can force the user to enable OTP at first login into the
> FreeIPA console? But I guess then, the system must somehow stop the users
> from logging in to any other service besides the FreeIPA web console, until the
> OTP token is generated.
>
> A few more questions:
>
> Would it be possible to describe a use case when having multiple OTP
> tokens enabled at the same time is a requirement?
>
> How does TOTP token synchronization work? Can it be disabled?
>
> Thank you for your time and help!
>
> Regards,
> --peter

Re: [Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-25 Thread Prashant Bapat
In our FreeIPA deployment the clients use pam_nss_ldapd with the "compat"
schema. No ipa-client.

I'm planning to apply the patched ipa_pwd_extop plugin to only 2 of the
replicas (out of 8) where the external app authenticates against IPA's
LDAP. These 2 replicas are more used like readonly. The Web UI where the
users login and change their profile is not on these replicas.

With this LDAP binds are denied to users with expired passwords from the
external app.

Will this setup have any issues, related to replication etc ?

On 11 July 2016 at 19:43, Rob Crittenden <rcrit...@redhat.com> wrote:

> Prashant Bapat wrote:
>
>> I cherrypicked the commit id 3b7d5e7543a074d7d24556cadc6c95be9871cfc6
>> and compiled the ipa-pwd-extop slapi plugin.
>>
>> Now the user is denied bind. But unable to reset the password.
>>
>
> Right, it's a tricky problem which is why it hasn't been resolved yet. You
> have come full circle through the same steps we went through.
>
> rob
>
>
>>
>> On 8 July 2016 at 13:21, Martin Kosek <mko...@redhat.com
>> <mailto:mko...@redhat.com>> wrote:
>>
>> On 07/07/2016 05:19 PM, Prashant Bapat wrote:
>> > Anyone ?!
>> >
>> > On 6 July 2016 at 22:36, Prashant Bapat <prash...@apigee.com
>> <mailto:prash...@apigee.com>
>> > <mailto:prash...@apigee.com <mailto:prash...@apigee.com>>> wrote:
>> >
>> > Hi,
>> >
>> > We are using FreeIPA's LDAP as the base for user authentication
>> in a
>> > different application. So far I have created a sysaccount which
>> does the
>> > lookup etc for a user and things are working as expected. I'm
>> even able to
>> > use OTP from the external app.
>> >
>> > One problem I'm struggling to fix is the expired passwords. Is
>> there a way
>> > to deny bind to LDAP only from this application? Obviously the
>> user would
>> > need to go to IPA's web UI and reset his password there.
>> >
>> > I came across this ticket https://fedorahosted.org/freeipa/ticket/1539 but
>> > looks like this is an old one.
>> >
>> > Thanks.
>> > --Prashant
>>
>> Hello Prashant,
>>
>> https://fedorahosted.org/freeipa/ticket/1539 seems to be the right
>> ticket, if
>> you want users with expired passwords to be denied, but it was not
>> implemented
>> yet. Help welcome!
>>
>> As a workaround, I assume you could simply leverage Kerberos for
>> authentication
>> - it does respect expired passwords. We have advice on how to
>> integrate that to
>> external web applications here:
>>
>> http://www.freeipa.org/page/Web_App_Authentication
>>
>> Martin

Re: [Freeipa-users] who did what on IPAv3 - auditing

2016-07-26 Thread Prashant Bapat
What we have done is as follows.

1. For all the changes happening thru IPA APIs (either cmd line or WebUI)
you can capture these in the httpd error logs. We trigger alert emails on
important events such as new user addition etc.

2. For everything including the above, you can always enable the 389 ds
ldap audit logs. Refer to this link.

Both these logs are sent to a central logging system for storage and
retrieval.


On 26 July 2016 at 16:15, Stefan Uygur  wrote:

> This is the case I am after just to be more precise:
>
> https://access.redhat.com/solutions/441893
>
>
>
> It was requested 3yrs ago but no follow up so far.
>
>
>
> *From:* Stefan Uygur
> *Sent:* 26 July 2016 11:18
> *To:* freeipa-users@redhat.com
> *Subject:* who did what on IPAv3 - auditing
>
>
>
> Hi all,
>
> Still around the auditing problem with IPA, it seems the part related to
> auditing is completely missing in IPA and that is not really good.
>
>
>
> For instance, to find out who did what, who added or modified the
> permissions or users or sudo rules, etc, all this need auditing and it
> needs to be proof of concept.
>
>
>
> I don’t see IPA being very friendly with auditing part, although IPA is a
> central identity management system, which means auditing is all over IPA. I
> am surprised that this part is missing.
>
>
>
> There is a page that suggests setting up central logging:
> http://www.freeipa.org/page/Centralized_Logging
>
>
>
> With a combination of multiple logs, but I have checked accurately the
> logs, I still can’t find out say, who added user John Doe in date 21 July
> 2016 at 11.35.
>
>
>
> Has anybody in the list experienced or set up such solution where the IPA
> server activity is tracked down?
>
>
>
> Stefan
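As an added example of the alerting Prashant describes (not FreeIPA's code and not the posters'), here is a detection pass over the IPA API records that the IPA server writes to the httpd error_log: each command with the calling principal, its target and the result, plus a watch-list for the events worth an email, and a lookup that answers Stefan's "who added user John Doe and when". The log lines are constructed samples in the format IPA 4.x writes; the watch-list is an assumption to tune per site.

```python
import re
from datetime import datetime

# Constructed sample lines in the shape IPA 4.x writes to /var/log/httpd/error_log.
# The Apache prefix may or may not carry a [remote ...] field; the last line is
# unrelated mod_wsgi noise that must be ignored.
SAMPLE_LOG = """\
[Thu Jul 21 11:35:10.204512 2016] [:error] [pid 3021] ipa: INFO: [jsonserver_session] admin@EXAMPLE.NET: user_add(u'jdoe', version=u'2.156'): SUCCESS
[Thu Jul 21 11:36:42.100000 2016] [:error] [pid 3021] ipa: INFO: [jsonserver_session] admin@EXAMPLE.NET: user_show(u'jdoe', version=u'2.156'): SUCCESS
[Thu Jul 21 11:40:00.000001 2016] [:error] [pid 3044] [remote 10.1.2.3:51022] ipa: INFO: [jsonserver_kerb] helpdesk@EXAMPLE.NET: otptoken_del(u'3f1e2c9a', version=u'2.156'): SUCCESS
[Thu Jul 21 11:41:05.000000 2016] [:error] [pid 3044] ipa: INFO: [jsonserver_session] helpdesk@EXAMPLE.NET: sudorule_add(u'allow-all', version=u'2.156'): ACIError
[Thu Jul 21 11:42:00.000000 2016] [:error] [pid 3044] [client 10.1.2.3:51022] mod_wsgi (pid=3044): unrelated module noise
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[[^\]]*\] \[pid \d+\](?: \[(?:remote|client) [^\]]+\])? "
    r"ipa: INFO: \[(?P<frontend>\w+)\] (?P<principal>\S+): "
    r"(?P<command>\w+)\((?P<args>.*)\): (?P<result>\w+)$"
)
FIRST_ARG_RE = re.compile(r"^u?'([^']*)'")  # first positional arg is the object name

# Assumed watch-list: object types and actions that should page someone.
WATCHED_OBJECTS = {"user", "group", "sudorule", "hbacrule", "permission",
                   "privilege", "role", "otptoken"}
WATCHED_ACTIONS = {"add", "del", "mod", "add_member", "remove_member",
                   "add_option", "remove_option"}


def parse_line(line):
    """One structured audit event per IPA API log line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    obj, _, action = m.group("command").partition("_")  # e.g. user_add -> user, add
    target = FIRST_ARG_RE.match(m.group("args"))
    return {
        "time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y"),
        "principal": m.group("principal"),
        "object": obj,
        "action": action,
        "target": target.group(1) if target else None,
        "result": m.group("result"),  # SUCCESS or the exception class name
    }


def audit_events(log_text):
    return [ev for ev in map(parse_line, log_text.splitlines()) if ev]


def alerts(log_text):
    """Events matching the watch-list; failed attempts are kept, result tells them apart."""
    return [ev for ev in audit_events(log_text)
            if ev["object"] in WATCHED_OBJECTS and ev["action"] in WATCHED_ACTIONS]


def who_did(log_text, action, target):
    """Principals that successfully ran `action` on `target`, with timestamps."""
    return [(ev["principal"], ev["time"].isoformat()) for ev in audit_events(log_text)
            if ev["action"] == action and ev["target"] == target
            and ev["result"] == "SUCCESS"]
```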

Re: [Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-13 Thread Prashant Bapat
Tough luck! If it's tricky for you (FreeIPA core developers) then it's pretty
much impossible to solve it for mere mortals like me!

On 11 July 2016 at 19:43, Rob Crittenden <rcrit...@redhat.com> wrote:

> Prashant Bapat wrote:
>
>> I cherrypicked the commit id 3b7d5e7543a074d7d24556cadc6c95be9871cfc6
>> and compiled the ipa-pwd-extop slapi plugin.
>>
>> Now the user is denied bind. But unable to reset the password.
>>
>
> Right, it's a tricky problem which is why it hasn't been resolved yet. You
> have come full circle through the same steps we went through.
>
> rob
>
>
>>
>> On 8 July 2016 at 13:21, Martin Kosek <mko...@redhat.com
>> <mailto:mko...@redhat.com>> wrote:
>>
>> On 07/07/2016 05:19 PM, Prashant Bapat wrote:
>> > Anyone ?!
>> >
>> > On 6 July 2016 at 22:36, Prashant Bapat <prash...@apigee.com
>> <mailto:prash...@apigee.com>
>> > <mailto:prash...@apigee.com <mailto:prash...@apigee.com>>> wrote:
>> >
>> > Hi,
>> >
>> > We are using FreeIPA's LDAP as the base for user authentication
>> in a
>> > different application. So far I have created a sysaccount which
>> does the
>> > lookup etc for a user and things are working as expected. I'm
>> even able to
>> > use OTP from the external app.
>> >
>> > One problem I'm struggling to fix is the expired passwords. Is
>> there a way
>> > to deny bind to LDAP only from this application? Obviously the
>> user would
>> > need to go to IPA's web UI and reset his password there.
>> >
>> > I came across this ticket https://fedorahosted.org/freeipa/ticket/1539 but
>> > looks like this is an old one.
>> >
>> > Thanks.
>> > --Prashant
>>
>> Hello Prashant,
>>
>> https://fedorahosted.org/freeipa/ticket/1539 seems to be the right
>> ticket, if
>> you want users with expired passwords to be denied, but it was not
>> implemented
>> yet. Help welcome!
>>
>> As a workaround, I assume you could simply leverage Kerberos for
>> authentication
>> - it does respect expired passwords. We have advice on how to
>> integrate that to
>> external web applications here:
>>
>> http://www.freeipa.org/page/Web_App_Authentication
>>
>> Martin

Re: [Freeipa-users] OS migration from Fedora to CentOS?

2016-07-19 Thread Prashant Bapat
I was in the exact same situation. Had to upgrade from FC21 (4.1.4) to
CentOS 7.2 (4.2.0). Upgrade went thru fine thanks to this thread :-)

For migrating the DNA ranges, I used this link
https://blog-rcritten.rhcloud.com/?p=50 Is this fine?

Thanks.

On 10 February 2016 at 15:02, Martin Kosek  wrote:

> On 02/05/2016 11:35 AM, Petr Vobornik wrote:
> > On 02/04/2016 06:14 PM, Christophe TREFOIS wrote:
> >> Hi all,
> >>
> >> We are currently running a 3-replica (all are setup with the —setup-ca
> flag)
> >> cluster on Fedora 21, with FreeIPA 4.1.4.
> >>
> >> We would like to slowly upgrade to the new version and move away from
> Fedora
> >> to CentOS 7.2.
> >>
> >> We were thinking of the following:
> >>
> >> - Create 3 CentOS machines with —setup-ca flag so that our current
> cluster is 6.
> >> The first CentOS VM would then probably update the DB schema to the new
> >> FreeIPA version.
> >> - Remove the Fedora VMs 1 by 1 from the cluster using
> ipa-replica-manage del
> >> 
> >> - Be happy?
> >>
> >>
> >> 1. Could you please advise if this is considered the safest practise?
> >
> > More or less yes:
> >
> > 1. create First IPA 4.2 against some FreeIPA 4.1.4 with CA
> > 2. create the other two against the newly Created CentOS - will verify
> if it is
> > in a good shape
> > 3. set new renewal CRL master:
> > http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
> > 4. Migrate DNA ranges using ipa-replica-manage tool
> >
> > if all works well, remove all servers:
> >
> > 5. remove CA repl. agreements for old servers using ipa-csreplica-manage
> del
> > 6. remove old servers data and repl. agreements using ipa-replica-manage
> del
> > 7. uninstall old servers using ipa-server-install --uninstall
> >
> >> 2. Do we have to update to intermediate versions and if so how?
> >
> > Should not be necessary.
>
> Some advice is also present in the RHEL official docs:
>
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc

Re: [Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-07 Thread Prashant Bapat
Anyone ?!

On 6 July 2016 at 22:36, Prashant Bapat <prash...@apigee.com> wrote:

> Hi,
>
> We are using FreeIPA's LDAP as the base for user authentication in a
> different application. So far I have created a sysaccount which does the
> lookup etc for a user and things are working as expected. I'm even able to
> use OTP from the external app.
>
> One problem I'm struggling to fix is the expired passwords. Is there a way
> to deny bind to LDAP only from this application? Obviously the user would
> need to go to IPA's web UI and reset his password there.
>
> I came across this ticket https://fedorahosted.org/freeipa/ticket/1539
> but looks like this is an old one.
>
> Thanks.
> --Prashant

[Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-06 Thread Prashant Bapat
Hi,

We are using FreeIPA's LDAP as the base for user authentication in a
different application. So far I have created a sysaccount which does the
lookup etc for a user and things are working as expected. I'm even able to
use OTP from the external app.

One problem I'm struggling to fix is the expired passwords. Is there a way
to deny bind to LDAP only from this application? Obviously the user would
need to go to IPA's web UI and reset his password there.

I came across this ticket https://fedorahosted.org/freeipa/ticket/1539 but
looks like this is an old one.

Thanks.
--Prashant

Re: [Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-09 Thread Prashant Bapat
I cherrypicked the commit id 3b7d5e7543a074d7d24556cadc6c95be9871cfc6 and
compiled the ipa-pwd-extop slapi plugin.

Now the user is denied bind. But unable to reset the password.


On 8 July 2016 at 13:21, Martin Kosek <mko...@redhat.com> wrote:

> On 07/07/2016 05:19 PM, Prashant Bapat wrote:
> > Anyone ?!
> >
> > On 6 July 2016 at 22:36, Prashant Bapat <prash...@apigee.com
> > <mailto:prash...@apigee.com>> wrote:
> >
> > Hi,
> >
> > We are using FreeIPA's LDAP as the base for user authentication in a
> > different application. So far I have created a sysaccount which does
> the
> > lookup etc for a user and things are working as expected. I'm even
> able to
> > use OTP from the external app.
> >
> > One problem I'm struggling to fix is the expired passwords. Is there
> a way
> > to deny bind to LDAP only from this application? Obviously the user
> would
> > need to go to IPA's web UI and reset his password there.
> >
> > I came across this ticket
> https://fedorahosted.org/freeipa/ticket/1539 but
> > looks like this is an old one.
> >
> > Thanks.
> > --Prashant
>
> Hello Prashant,
>
> https://fedorahosted.org/freeipa/ticket/1539 seems to be the right
> ticket, if
> you want users with expired passwords to be denied, but it was not
> implemented
> yet. Help welcome!
>
> As a workaround, I assume you could simply leverage Kerberos for
> authentication
> - it does respect expired passwords. We have advice on how to integrate
> that to
> external web applications here:
>
> http://www.freeipa.org/page/Web_App_Authentication
>
> Martin

[Freeipa-users] RBAC - User Administrator - OTP tokens

2016-09-27 Thread Prashant Bapat
RBAC Role "User Administrator" should have access to all users OTP tokens.
Specifically to remove if some one has lost their token. We get this a lot.

I found no permissions that give this access.

Can someone explain if this can be added easily either from the WebUI or
CLI.

Thanks.
--Prashant

Re: [Freeipa-users] Lots of error messages in logs after upgrade

2016-10-19 Thread Prashant Bapat
Some more info.

This is happening on one of the hosts for which replica-info file was
generated but for some reason the replica installation failed. So I went
ahead and deleted and created the replica file again and this time
installation went thru fine. Should this cause logs like this ?

These messages are seen every 5 mins.

On 18 October 2016 at 22:38, Prashant Bapat <prash...@apigee.com> wrote:

> Hi,
>
> I'm seeing lots of error messages like this in the DS logs.
>
> [18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace
> (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%
> 3Dnet) failed.
> [18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace
> (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%
> 3Dnet) failed.
> [18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace
> (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%
> 3Dnet) failed.
> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
> (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%
> 3Dnet) failed.
> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
> (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%
> 3Dnet) failed.
> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
> (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%
> 3Dnet) failed.
> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
> (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%
> 3Dnet) failed.
> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
> (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%
> 3Dnet) failed.
> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
> (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%
> 3Dnet) failed.
>
> We moved from 4.1.4 (FC21) to 4.2.0 (Centos7.2) recently. We have total 8
> IPA servers with replication. Below are the steps I followed.
>
> 1. Install a new Centos server.
> 2. Replicated against a Fedora server with CA.
> 3. Moved the DNA ranges.
> 4. From the Centos master created replicas.
>
> Is this related to the DS package version ? We have 389-ds-base-1.3.4.0-33.el7_2.x86_64.
>
> Thanks.
> --Prashant

Re: [Freeipa-users] Lots of error messages in logs after upgrade

2016-10-19 Thread Prashant Bapat
Thanks. This error did not include ipaca, which is discussed a lot on
this list, so I was not sure.

There was indeed a dangling reference to an old replica. Removed now.
ipa-replica-manage clean-ruv did the trick.

On 19 October 2016 at 14:14, Petr Spacek <pspa...@redhat.com> wrote:

> On 19.10.2016 10:14, Ludwig Krispenz wrote:
> >
> > On 10/19/2016 09:39 AM, Prashant Bapat wrote:
> >> Some more info.
> >>
> >> This is happening on one of the hosts for which replica-info file was
> >> generated but for some reason the replica installation failed. So I went
> >> ahead and deleted and created the replica file again and this time
> >> installation went thru fine. Should this cause logs like this ?
> > You now have two replica IDs with the same URL; you need to do a cleanruv,
> > as discussed frequently on this list
>
> For reference, it is described here:
> http://www.freeipa.org/page/Troubleshooting#Obsolete_RUV_records
>
> Petr^2 Spacek
>
> >>
> >> These messages are seen every 5 mins.
> >>
> >> On 18 October 2016 at 22:38, Prashant Bapat <prash...@apigee.com
> >> <mailto:prash...@apigee.com>> wrote:
> >>
> >> Hi,
> >>
> >> I'm seeing lots of error messages like this in the DS logs.
> >>
> >> [18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace
> >> (nsslapd-referral,
> >> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
> >> <http://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet>)
> failed.
> >> [18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace
> >> (nsslapd-referral,
> >> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
> >> <http://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet>)
> failed.
> >> [18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace
> >> (nsslapd-referral,
> >> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
> >> <http://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet>)
> failed.
> >> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
> >> (nsslapd-referral,
> >> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
> >> <http://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet>)
> failed.
> >> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
> >> (nsslapd-referral,
> >> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
> >> <http://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet>)
> failed.
> >> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
> >> (nsslapd-referral,
> >> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
> >> <http://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet>)
> failed.
> >> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
> >> (nsslapd-referral,
> >> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
> >> <http://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet>)
> failed.
> >> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
> >> (nsslapd-referral,
> >> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
> >> <http://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet>)
> failed.
> >> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
> >> (nsslapd-referral,
> >> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
> >> <http://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet>)
> failed.
> >>
> >> We moved from 4.1.4 (FC21) to 4.2.0 (Centos7.2) recently. We have
> >> total 8 IPA servers with replication. Below are the steps I
> followed.
> >>
> >> 1. Install a new Centos server.
> >> 2. Replicated against a Fedora server with CA.
> >> 3. Moved the DNA ranges.
> >> 4. From the Centos master created replicas.
> >>
> >> Is this related to the DS package version ? We
> >> have 389-ds-base-1.3.4.0-33.el7_2.x86_64.
> >>
> >> Thanks.
> >> --Prashant
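To make Ludwig's diagnosis checkable before running clean-ruv, an added example (not FreeIPA or 389-ds code): parse the nsds50ruv values of the RUV tombstone entry and report replica IDs that no live server claims, that is a server URL listed under a second ID (the failed-then-reinstalled replica case above) or a host that is no longer a server. The RUV values and the server map are constructed samples; in practice they come from ldapsearch and from `ipa-replica-manage list-ruv`.

```python
import re
from urllib.parse import urlparse

# One RUV element per value: "{replica <id> <url>} <min csn> <max csn>".
# The "{replicageneration} <csn>" element carries no replica id and is skipped.
RUV_RE = re.compile(r"^\{replica (?P<id>\d+) (?P<url>ldaps?://[^}]+)\}\s*(?P<csns>.*)$")

# Constructed sample: ipa-primary was reinstalled and now runs as replica id 4;
# id 7 is the leftover of the failed first attempt. ipa-old was decommissioned.
SAMPLE_RUV = [
    "{replicageneration} 55a3f4e8000000040000",
    "{replica 4 ldap://ipa-primary.example.net:389} 55a3f4f1000000040000 580627a3000000040000",
    "{replica 7 ldap://ipa-primary.example.net:389} 57f5e12c000000070000 57f5e12c000000070000",
    "{replica 5 ldap://ipa2.example.net:389} 55a3f500000000050000 580627b0000200050000",
    "{replica 9 ldap://ipa-old.example.net:389} 5690c1d0000000090000 56e0a9f1000100090000",
]

# What each live server reports for itself (nsDS5ReplicaId on its cn=replica
# entry, or the id column of `ipa-replica-manage list-ruv`); constructed sample.
CURRENT_SERVERS = {"ipa-primary.example.net": 4, "ipa2.example.net": 5}


def parse_ruv(values):
    """Return (replica_id, hostname, [csns]) for each replica element."""
    parsed = []
    for value in values:
        m = RUV_RE.match(value.strip())
        if m:
            host = urlparse(m.group("url")).hostname
            parsed.append((int(m.group("id")), host, m.group("csns").split()))
    return parsed


def find_obsolete(values, current_servers):
    """Replica ids in the RUV that no live server owns, with the reason."""
    obsolete = []
    for rid, host, _ in parse_ruv(values):
        if host not in current_servers:
            obsolete.append((rid, host, "host is no longer an IPA server"))
        elif current_servers[host] != rid:
            obsolete.append((rid, host, "host now runs as replica id %d" % current_servers[host]))
    return obsolete


def cleanup_commands(values, current_servers):
    """The clean-ruv invocations an admin would review before running them."""
    return ["ipa-replica-manage clean-ruv %d" % rid
            for rid, _, _ in find_obsolete(values, current_servers)]
```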

[Freeipa-users] Lots of error messages in logs after upgrade

2016-10-18 Thread Prashant Bapat
Hi,

I'm seeing lots of error messages like this in the DS logs.

[18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace
(nsslapd-referral, ldap://
ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
[18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace
(nsslapd-referral, ldap://
ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
[18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace
(nsslapd-referral, ldap://
ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
[18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
(nsslapd-referral, ldap://
ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
[18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
(nsslapd-referral, ldap://
ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
[18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
(nsslapd-referral, ldap://
ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
[18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
(nsslapd-referral, ldap://
ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
[18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
(nsslapd-referral, ldap://
ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
[18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
(nsslapd-referral, ldap://
ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.

We moved from 4.1.4 (FC21) to 4.2.0 (Centos7.2) recently. We have total 8
IPA servers with replication. Below are the steps I followed.

1. Install a new Centos server.
2. Replicated against a Fedora server with CA.
3. Moved the DNA ranges.
4. From the Centos master created replicas.

Is this related to the DS package version ? We
have 389-ds-base-1.3.4.0-33.el7_2.x86_64.

Thanks.
--Prashant