Re: [Freeipa-users] creating an LDAP bind user
Thanks Jason, that was exactly the issue! It's working now.

On Wed, Apr 26, 2017 at 4:11 PM, Jason B. Nance <ja...@tresgeek.net> wrote:
> Hi Chris,
>
>> # remoteu, sysaccounts, etc, example.com
>> dn: uid=remoteu,cn=sysaccounts,cn=etc,dc=example,dc=com
>> objectClass: account
>> objectClass: simplesecurityobject
>> objectClass: top
>> uid: remoteu
>> userPassword:: [hash value]
>>
>> This new user is unable to run LDAP searches though:
>> ldapsearch -D 'cn=remoteu' -W -H ldap://ipa01.example.com -x uid=remoteu
>> Enter LDAP Password:
>> ldap_bind: Invalid credentials (49)
>
> Your DN (-D) is incorrect in your ldapsearch call. It needs to match the
> part after the "dn:" string you provided in your query of the user above
> (uid=remoteu,cn=sysaccounts,cn=etc,dc=example,dc=com).
>
> In some cases you can shorten the DN but only if your suffix/basedn is set
> correctly for the client making the call.
>
> Regards,
>
> j

--
Chris Herdt
UIS Systems Administrator
che...@umn.edu
612-301-2232 (office)
734-754-3585 (mobile)

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
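Worked check for the bind-DN mistake Jason points out, added here as an example; it is not part of the thread and not FreeIPA code. It pulls the `dn:` line out of the LDIF that ldapsearch printed, refuses a short form such as `cn=remoteu`, and assembles the ldapsearch call with that exact DN. Two things the thread leaves implicit are built in: the bind DN is the whole value after `dn:`, suffix included, and the original call used `-x` over plain `ldap://`, which sends the system account's password in clear text, so the assembled command uses `ldaps://` (assumed to be listening on 636; `-ZZ` for STARTTLS on 389 is the other option). The host name and the LDIF entry are the thread's; the handling of folded (continued) LDIF lines is a general LDIF rule, not something the thread showed.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): derive the bind DN from the
# LDIF that ldapsearch printed instead of guessing a short form.

# Constructed sample: the entry exactly as it appears in the thread.
SAMPLE_LDIF='# remoteu, sysaccounts, etc, example.com
dn: uid=remoteu,cn=sysaccounts,cn=etc,dc=example,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: remoteu
userPassword:: [hash value]'

# Suffix of the IPA tree, taken from the dn above; adjust for another realm.
BASE_DN='dc=example,dc=com'
IPA_HOST='ipa01.example.com'

# Print the value of the first "dn:" line from LDIF on stdin. A following
# line that starts with a space is an LDIF continuation and is joined on.
bind_dn_from_ldif() {
    awk '
        /^dn: /       { dn = substr($0, 5); indn = 1; next }
        indn && /^ /  { dn = dn substr($0, 2); next }
        indn          { indn = 0; print dn; exit }
        END           { if (indn) print dn }
    '
}

# Succeed only for a full system-account DN under BASE:
# "uid=<name>,cn=sysaccounts,cn=etc,<base>". A bare "cn=remoteu" fails,
# which is exactly the shape that produced "Invalid credentials (49)".
is_full_sysaccount_dn() {
    dn="$1"; base="$2"
    case "$dn" in
        uid=*,cn=sysaccounts,cn=etc,"$base") return 0 ;;
        *) return 1 ;;
    esac
}

# Print (do not run) the ldapsearch call: full DN, explicit search base, and
# LDAPS so the simple-bind password is not sent in the clear.
ldapsearch_cmd() {
    dn="$1"; host="$2"; base="$3"; filter="$4"
    printf "ldapsearch -x -W -H ldaps://%s -D '%s' -b '%s' '%s'\n" \
        "$host" "$dn" "$base" "$filter"
}

DN=$(printf '%s\n' "$SAMPLE_LDIF" | bind_dn_from_ldif)
if is_full_sysaccount_dn "$DN" "$BASE_DN"; then
    ldapsearch_cmd "$DN" "$IPA_HOST" "$BASE_DN" 'uid=remoteu'
else
    echo "not a full system-account DN: $DN" >&2
fi
```

Run as-is it only prints the command; paste the printed line to actually bind. If the ldapsearch output came from a different suffix, change BASE_DN to match, since the guard compares the DN's tail against it literally.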
[Freeipa-users] creating an LDAP bind user
I am setting up LDAP authentication with a remote service. On
https://www.freeipa.org/page/HowTo/LDAP it says the following:

"Do not use the Directory Manager account to authenticate remote services to
the IPA LDAP server. Use a system account, created like this:"

I followed the steps there to create an entry under sysaccounts, and confirmed
it is there using ldapsearch:

ldapsearch -D 'cn=Directory Manager' -W -H ldap://ipa01.example.com -x uid=remoteu

# remoteu, sysaccounts, etc, example.com
dn: uid=remoteu,cn=sysaccounts,cn=etc,dc=example,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: remoteu
userPassword:: [hash value]

This new user is unable to run LDAP searches though:

ldapsearch -D 'cn=remoteu' -W -H ldap://ipa01.example.com -x uid=remoteu
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

The new user is also unable to authenticate the remote service. (The Directory
Manager user is able to authenticate the remote service, although as pointed
out above, that's not a good idea.)

The How-To LDAP page also notes:

"IPA 4.0 is going to change the default stance on data from nearly everything
is readable to nothing is readable, by default. You will eventually need to add
some Access Control Instructions (ACI's) to grant read access to the parts of
the LDAP tree you will need."

I'm not sure if that's part of the issue or not. I'm using IPA version 4.4.0.

Thanks in advance for any suggestions.
[Freeipa-users] Error deleting IPA host: SSL peer cannot verify your certificate
Although I had previously been using a self-signed certificate, I recently
started using a cert signed by InCommon CA on my FreeIPA master (still on IPA
3.0.0 at this time). I added the certificate and intermediate certificates to
/etc/ssl/certs and the certificate database in /etc/dirsrv/slapd-EXAMPLE-COM.
/etc/httpd/conf.d/nss.conf is pointing to the new certificate for NSSNickname.

I can log into the web UI, but when I attempt to delete a host I get the
following error:

Operations Error
Some entries were not deleted
Show details

Under "Show details":

cannot connect to 'https://freeipa.example.com:443/ca/agent/ca/displayBySerial': (SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.

Likewise, if I attempt to delete a host using the CLI I get an error message:

# ipa host-del host-01.example.com
ipa: ERROR: cert validation failed for "CN=freeipa.example.com,OU=Example Unit,O=Example Org,L=Example City,ST=MN,C=US" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://freeipa.example.com/ipa/xml

If I enable the verbose flag -vv, I see that it is making an HTTP POST request
to https://freeipa.example.com/ipa/xml.

It looks like Firefox on my local client trusts the certificate, but that the
server itself does not trust its own certificate when connecting to itself.

Can anyone advise on how I can address this issue?
[Freeipa-users] Why is port 80 needed for replication?
I'm curious as to why HTTP (port 80) is needed for IPA server replication,
particularly since HTTPS (port 443) is also used. What unencrypted data is
exchanged?

Chris
Re: [Freeipa-users] cannot connect to ldaps during replica install, port 636 not listening
On Mon, Mar 6, 2017 at 3:20 AM, Tomas Krizek <tkri...@redhat.com> wrote:
> On 03/04/2017 12:51 AM, Chris Herdt wrote:
>> On Fri, Mar 3, 2017 at 4:22 AM, Tomas Krizek <tkri...@redhat.com> wrote:
>>> On 03/02/2017 06:25 PM, Chris Herdt wrote:
>>>
>>> On Thu, Mar 2, 2017 at 10:06 AM, Martin Basti <mba...@redhat.com> wrote:
>>>> On 02.03.2017 16:55, Chris Herdt wrote:
>>>>
>>>> On Thu, Mar 2, 2017 at 2:48 AM, Martin Basti <mba...@redhat.com> wrote:
>>>>> On 02.03.2017 01:07, Chris Herdt wrote:
>>>>>
>>>>> I am attempting to set up a FreeIPA 4.4.0 replica on CentOS 7.3 from a
>>>>> FreeIPA 3.0.0 master on CentOS 6.8 following the steps at
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>>>>>
>>>>> At this step:
>>>>> ipa-replica-install --ip-address=xxx.xxx.xxx.xxx --mkhomedir
>>>>> /var/lib/ipa/replica-info-replicaname.example.com.gpg
>>>>>
>>>>> I get the error:
>>>>> ERROR cannot connect to 'ldaps://master.example.com'
>>>>>
>>>>> I ran ipa-replica-conncheck and found that port 636 is not accessible:
>>>>> Port check failed! Inaccessible port(s): 636 (TCP)
>>>>>
>>>>> The port is not blocked. I'm wondering where in the configuration for
>>>>> FreeIPA 3.0.0 I should check the LDAPS (mis)configuration, or if there is
>>>>> a way I can specify to use port 389 for setting up the replica.
>>>>>
>>>>> Thanks!
>>>>>
>>>>> --
>>>>> Chris Herdt
>>>>> Systems Administrator
>>>>>
>>>>> Hello,
>>>>> this is known issue only in FreeIPA 4.4.x, this will be fixed in next
>>>>> minor update which should be released soon to RHEL7.3 (I don't know how
>>>>> fast it will be in Centos)
>>>>>
>>>>> so you can wait, or enable it manually (not nice)
>>>>>
>>>>> sorry for troubles
>>>>> Martin
>>>>
>>>> Thanks for the reply! Before attempting this in my production environment,
>>>> I had set up a similar configuration in a test environment (FreeIPA 3.0.0
>>>> master on CentOS 6.8, FreeIPA 4.4.0 replica on CentOS 7.3) and the
>>>> ipa-replica-install went fine. I assumed this was an issue with my FreeIPA
>>>> 3.0.0 production server.
>>>>
>>>> To enable the fix manually, I'm assuming I'd need to install FreeIPA from
>>>> source on the intended replica? If I download the 4.4.3 release from
>>>> https://pagure.io/freeipa/releases, will that be sufficient?
>>>>
>>>> Sorry,
>>>> I probably misread what you wrote, I thought that port is closed on
>>>> replica, but now I see that port is closed on 3.3.0 master, so this is
>>>> something different. I'm not aware of any issue on 3.3.0 that should cause
>>>> this.
>>>>
>>>> Could you check your configuration on 3.3.0 master? Is port opened on
>>>> master? Do you have any errors in /var/log/dirsrv/slapd-*/errors log on
>>>> master?
>>>>
>>>> Martin
>>>
>>> When I compare the errors file on my production environment and my test
>>> environment, I do note that the LDAPS entry is missing from my production
>>> environment:
>>>
>>> production:
>>> [01/Mar/2017:17:30:07 -0600] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>> [01/Mar/2017:17:30:07 -0600] - Listening on /var/run/slapd-PROD-EXAMPLE-COM.socket for LDAPI requests
>>>
>>> test:
>>> [28/Feb/2017:13:37:50 -0600] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>> [28/Feb/2017:13:37:50 -0600] - Listening on All Interfaces port 636 for LDAPS requests
>>> [28/Feb/2017:13:37:50 -0600] - Listening on /var/run/slapd-TEST-EXAMPLE-COM.socket for LDAPI requests
>>>
>>> I'm not sure why it is missing though. Which config file(s) should I be
>>> checking?
>>>
>>> You can examine
Re: [Freeipa-users] cannot connect to ldaps during replica install, port 636 not listening
On Fri, Mar 3, 2017 at 4:22 AM, Tomas Krizek <tkri...@redhat.com> wrote:
> On 03/02/2017 06:25 PM, Chris Herdt wrote:
>
> On Thu, Mar 2, 2017 at 10:06 AM, Martin Basti <mba...@redhat.com> wrote:
>> On 02.03.2017 16:55, Chris Herdt wrote:
>>
>> On Thu, Mar 2, 2017 at 2:48 AM, Martin Basti <mba...@redhat.com> wrote:
>>> On 02.03.2017 01:07, Chris Herdt wrote:
>>>
>>> I am attempting to set up a FreeIPA 4.4.0 replica on CentOS 7.3 from a
>>> FreeIPA 3.0.0 master on CentOS 6.8 following the steps at
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>>>
>>> At this step:
>>> ipa-replica-install --ip-address=xxx.xxx.xxx.xxx --mkhomedir
>>> /var/lib/ipa/replica-info-replicaname.example.com.gpg
>>>
>>> I get the error:
>>> ERROR cannot connect to 'ldaps://master.example.com'
>>>
>>> I ran ipa-replica-conncheck and found that port 636 is not accessible:
>>> Port check failed! Inaccessible port(s): 636 (TCP)
>>>
>>> The port is not blocked. I'm wondering where in the configuration for
>>> FreeIPA 3.0.0 I should check the LDAPS (mis)configuration, or if there is a
>>> way I can specify to use port 389 for setting up the replica.
>>>
>>> Thanks!
>>>
>>> --
>>> Chris Herdt
>>> Systems Administrator
>>>
>>> Hello,
>>> this is known issue only in FreeIPA 4.4.x, this will be fixed in next
>>> minor update which should be released soon to RHEL7.3 (I don't know how
>>> fast it will be in Centos)
>>>
>>> so you can wait, or enable it manually (not nice)
>>>
>>> sorry for troubles
>>> Martin
>>
>> Thanks for the reply! Before attempting this in my production environment, I
>> had set up a similar configuration in a test environment (FreeIPA 3.0.0
>> master on CentOS 6.8, FreeIPA 4.4.0 replica on CentOS 7.3) and the
>> ipa-replica-install went fine. I assumed this was an issue with my FreeIPA
>> 3.0.0 production server.
>>
>> To enable the fix manually, I'm assuming I'd need to install FreeIPA from
>> source on the intended replica? If I download the 4.4.3 release from
>> https://pagure.io/freeipa/releases, will that be sufficient?
>>
>> Sorry,
>> I probably misread what you wrote, I thought that port is closed on replica,
>> but now I see that port is closed on 3.3.0 master, so this is something
>> different. I'm not aware of any issue on 3.3.0 that should cause this.
>>
>> Could you check your configuration on 3.3.0 master? Is port opened on
>> master? Do you have any errors in /var/log/dirsrv/slapd-*/errors log on
>> master?
>>
>> Martin
>
> When I compare the errors file on my production environment and my test
> environment, I do note that the LDAPS entry is missing from my production
> environment:
>
> production:
> [01/Mar/2017:17:30:07 -0600] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [01/Mar/2017:17:30:07 -0600] - Listening on /var/run/slapd-PROD-EXAMPLE-COM.socket for LDAPI requests
>
> test:
> [28/Feb/2017:13:37:50 -0600] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [28/Feb/2017:13:37:50 -0600] - Listening on All Interfaces port 636 for LDAPS requests
> [28/Feb/2017:13:37:50 -0600] - Listening on /var/run/slapd-TEST-EXAMPLE-COM.socket for LDAPI requests
>
> I'm not sure why it is missing though. Which config file(s) should I be
> checking?
>
> You can examine the file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif to check if
> the Directory Server has LDAP configured correctly. In particular, you're
> interested in:
>
> - nsslapd-security in cn=config
> - cn=encryption,cn=config
> - cn=RSA,cn=encryption,cn=config
>
> Also, you can check if the certificate for LDAPS is available in the NSS
> database:
>
> certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L

nsslapd-security was set to off. I set it to on, but SSL failed.

There were no certificates listed--which I think explains why SSL failed--when
running:

certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L

ipa-getcert list shows several certs, including one with
location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
-- I'm not sure where this cert exists though.

I assume I need to get the NSS db to recognize the Server-Cert, for example:

certutil -A -d /etc/dirsrv/slapd-EXAMPLE-COM -i ?
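Tomas's checklist (nsslapd-security, cn=encryption, cn=RSA, certutil -L) and the SEC_ERROR_UNTRUSTED_ISSUER error in the separate "Error deleting IPA host" thread come down to the same two questions: is TLS switched on in dse.ldif, and does the NSS database hold the certificate the RSA entry names plus a CA trusted to have issued it. The script below is an example added here, not code from the thread or from FreeIPA. It answers both questions from copies of dse.ldif and `certutil -L` output so it runs offline. The dse.ldif excerpt and the certificate listing are constructed; the attribute names and the Server-Cert nickname are the standard 389-ds/IPA ones, the External-CA nickname is made up.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): read the LDAPS settings
# out of dse.ldif and check the NSS database for the named certificate and
# for a CA trusted to have issued it. Replace the samples with the output of
#   cat /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
#   certutil -d /etc/dirsrv/slapd-EXAMPLE-COM -L
# on a real master.

# Constructed dse.ldif excerpt; 'nsslapd-security: off' reproduces the
# production misconfiguration from the thread.
SAMPLE_DSE='dn: cn=config
cn: config
nsslapd-port: 389
nsslapd-secureport: 636
nsslapd-security: off

dn: cn=encryption,cn=config
cn: encryption
nsSSL3: off
nsTLS1: on

dn: cn=RSA,cn=encryption,cn=config
cn: RSA
nsSSLToken: internal (software)
nsSSLPersonalitySSL: Server-Cert
nsSSLActivation: on'

# Constructed `certutil -L` listing: Server-Cert present, its issuing CA
# (made-up nickname External-CA) carrying no trust flags, which is the shape
# behind SEC_ERROR_UNTRUSTED_ISSUER.
SAMPLE_CERTUTIL='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
External-CA                                                  ,,
'

# Print attribute $2 of the entry whose dn is $1 from LDIF on stdin;
# an entry ends at the first blank line.
dse_attr() {
    awk -v dn="dn: $1" -v attr="$2: " '
        $0 == dn                         { inentry = 1; next }
        inentry && /^$/                  { exit }
        inentry && index($0, attr) == 1  { print substr($0, length(attr) + 1); exit }
    '
}

# Print the trust flags of nickname $1 from `certutil -L` output on stdin
# (nothing if absent). Data rows end in a flag string such as "CT,C,C" or ",,".
nss_trust_flags() {
    awk -v nick="$1" '
        NF >= 2 && $NF ~ /^[pPcCTuw,]*$/ {
            flags = $NF
            name = substr($0, 1, length($0) - length(flags))
            sub(/[ \t]+$/, "", name)
            if (name == nick) { print flags; exit }
        }
    '
}

# Succeed if CA nickname $1 carries the C flag in the SSL column of listing
# $2, i.e. this database trusts it to have issued server certificates.
ca_trusted_for_ssl() {
    flags=$(printf '%s\n' "$2" | nss_trust_flags "$1")
    case "${flags%%,*}" in *C*) return 0 ;; *) return 1 ;; esac
}

# Report why slapd would not open 636 given dse text $1 and listing $2;
# succeed only when security is on and the configured nickname is present.
ldaps_check() {
    sec=$(printf '%s\n' "$1" | dse_attr 'cn=config' 'nsslapd-security')
    nick=$(printf '%s\n' "$1" | dse_attr 'cn=RSA,cn=encryption,cn=config' 'nsSSLPersonalitySSL')
    flags=$(printf '%s\n' "$2" | nss_trust_flags "$nick")
    ok=0
    [ "$sec" = on ] || { echo "nsslapd-security is '${sec:-unset}': slapd will not listen on 636"; ok=1; }
    [ -n "$nick" ] || { echo "cn=RSA,cn=encryption,cn=config names no nsSSLPersonalitySSL"; ok=1; }
    [ -z "$nick" ] || [ -n "$flags" ] || { echo "nickname '$nick' is not in the NSS database: SSL init will fail"; ok=1; }
    return $ok
}

ldaps_check "$SAMPLE_DSE" "$SAMPLE_CERTUTIL" || echo "LDAPS will not come up with this dse.ldif"
ca_trusted_for_ssl External-CA "$SAMPLE_CERTUTIL" || echo "External-CA lacks the C flag: this database rejects certs it issued"
```

Two caveats the threads bear out. Setting nsslapd-security to on while the RSA entry names a nickname that is not in the database is exactly the state in which SSL initialisation fails, so check the listing before flipping the switch. And NSS trust is per database: the CA that issued the server certificate needs the C flag in the dirsrv database, in the httpd one (/etc/httpd/alias) and in the client's, which is why a browser trusting the chain says nothing about whether the server trusts it when connecting to itself; `certutil -M -n <nickname> -t 'CT,,' -d <dir>` is the standard command for setting that flag.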
Re: [Freeipa-users] cannot connect to ldaps during replica install, port 636 not listening
On Thu, Mar 2, 2017 at 10:06 AM, Martin Basti <mba...@redhat.com> wrote:
> On 02.03.2017 16:55, Chris Herdt wrote:
>
> On Thu, Mar 2, 2017 at 2:48 AM, Martin Basti <mba...@redhat.com> wrote:
>> On 02.03.2017 01:07, Chris Herdt wrote:
>>
>> I am attempting to set up a FreeIPA 4.4.0 replica on CentOS 7.3 from a
>> FreeIPA 3.0.0 master on CentOS 6.8 following the steps at
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>>
>> At this step:
>> ipa-replica-install --ip-address=xxx.xxx.xxx.xxx --mkhomedir
>> /var/lib/ipa/replica-info-replicaname.example.com.gpg
>>
>> I get the error:
>> ERROR cannot connect to 'ldaps://master.example.com'
>>
>> I ran ipa-replica-conncheck and found that port 636 is not accessible:
>> Port check failed! Inaccessible port(s): 636 (TCP)
>>
>> The port is not blocked. I'm wondering where in the configuration for
>> FreeIPA 3.0.0 I should check the LDAPS (mis)configuration, or if there is a
>> way I can specify to use port 389 for setting up the replica.
>>
>> Thanks!
>>
>> --
>> Chris Herdt
>> Systems Administrator
>>
>> Hello,
>> this is known issue only in FreeIPA 4.4.x, this will be fixed in next
>> minor update which should be released soon to RHEL7.3 (I don't know how
>> fast it will be in Centos)
>>
>> so you can wait, or enable it manually (not nice)
>>
>> sorry for troubles
>> Martin
>
> Thanks for the reply! Before attempting this in my production environment,
> I had set up a similar configuration in a test environment (FreeIPA 3.0.0
> master on CentOS 6.8, FreeIPA 4.4.0 replica on CentOS 7.3) and the
> ipa-replica-install went fine. I assumed this was an issue with my FreeIPA
> 3.0.0 production server.
>
> To enable the fix manually, I'm assuming I'd need to install FreeIPA from
> source on the intended replica? If I download the 4.4.3 release from
> https://pagure.io/freeipa/releases, will that be sufficient?
>
> Sorry,
> I probably misread what you wrote, I thought that port is closed on
> replica, but now I see that port is closed on 3.3.0 master, so this is
> something different. I'm not aware of any issue on 3.3.0 that should cause
> this.
>
> Could you check your configuration on 3.3.0 master? Is port opened on
> master? Do you have any errors in /var/log/dirsrv/slapd-*/errors log on
> master?
>
> Martin

When I compare the errors file on my production environment and my test
environment, I do note that the LDAPS entry is missing from my production
environment:

production:
[01/Mar/2017:17:30:07 -0600] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Mar/2017:17:30:07 -0600] - Listening on /var/run/slapd-PROD-EXAMPLE-COM.socket for LDAPI requests

test:
[28/Feb/2017:13:37:50 -0600] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[28/Feb/2017:13:37:50 -0600] - Listening on All Interfaces port 636 for LDAPS requests
[28/Feb/2017:13:37:50 -0600] - Listening on /var/run/slapd-TEST-EXAMPLE-COM.socket for LDAPI requests

I'm not sure why it is missing though. Which config file(s) should I be
checking?

--
Chris Herdt
Systems Administrator
Re: [Freeipa-users] cannot connect to ldaps during replica install, port 636 not listening
On Thu, Mar 2, 2017 at 2:48 AM, Martin Basti <mba...@redhat.com> wrote:
> On 02.03.2017 01:07, Chris Herdt wrote:
>
> I am attempting to set up a FreeIPA 4.4.0 replica on CentOS 7.3 from a
> FreeIPA 3.0.0 master on CentOS 6.8 following the steps at
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>
> At this step:
> ipa-replica-install --ip-address=xxx.xxx.xxx.xxx --mkhomedir
> /var/lib/ipa/replica-info-replicaname.example.com.gpg
>
> I get the error:
> ERROR cannot connect to 'ldaps://master.example.com'
>
> I ran ipa-replica-conncheck and found that port 636 is not accessible:
> Port check failed! Inaccessible port(s): 636 (TCP)
>
> The port is not blocked. I'm wondering where in the configuration for
> FreeIPA 3.0.0 I should check the LDAPS (mis)configuration, or if there is a
> way I can specify to use port 389 for setting up the replica.
>
> Thanks!
>
> --
> Chris Herdt
> Systems Administrator
>
> Hello,
> this is known issue only in FreeIPA 4.4.x, this will be fixed in next
> minor update which should be released soon to RHEL7.3 (I don't know how
> fast it will be in Centos)
>
> so you can wait, or enable it manually (not nice)
>
> sorry for troubles
> Martin

Thanks for the reply! Before attempting this in my production environment, I
had set up a similar configuration in a test environment (FreeIPA 3.0.0
master on CentOS 6.8, FreeIPA 4.4.0 replica on CentOS 7.3) and the
ipa-replica-install went fine. I assumed this was an issue with my FreeIPA
3.0.0 production server.

To enable the fix manually, I'm assuming I'd need to install FreeIPA from
source on the intended replica? If I download the 4.4.3 release from
https://pagure.io/freeipa/releases, will that be sufficient?

Thanks again.

--
Chris Herdt
Systems Administrator
[Freeipa-users] cannot connect to ldaps during replica install, port 636 not listening
I am attempting to set up a FreeIPA 4.4.0 replica on CentOS 7.3 from a FreeIPA
3.0.0 master on CentOS 6.8 following the steps at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html

At this step:
ipa-replica-install --ip-address=xxx.xxx.xxx.xxx --mkhomedir /var/lib/ipa/replica-info-replicaname.example.com.gpg

I get the error:
ERROR cannot connect to 'ldaps://master.example.com'

I ran ipa-replica-conncheck and found that port 636 is not accessible:
Port check failed! Inaccessible port(s): 636 (TCP)

The port is not blocked. I'm wondering where in the configuration for FreeIPA
3.0.0 I should check the LDAPS (mis)configuration, or if there is a way I can
specify to use port 389 for setting up the replica.

Thanks!

--
Chris Herdt
Systems Administrator