Re: [Freeipa-users] Naming a FreeIPA domain and router differences
Ah, I think I totally misread the DNS page, the first time...
https://www.freeipa.org/page/DNS

Looks like I should put the router on int.custom.com as a domain, and I can
create the freeipa domain as domain.custom.com

-Harry

On 8 December 2016 at 13:15, Harry Kashouli <kashma...@gmail.com> wrote:

> Hi all,
>
> I want to make sure I'm understanding how to name my FreeIPA server.
>
> (following names are placeholders)
> On my router, I've set the domain to localdomain, so my server
> automatically gets the full name as server.localdomain. I want my FreeIPA
> domain to be domain.custom.com because I own the custom.com domain; so
> when I'm setting it up, I answer the "server host name" question as
> pc.domain.custom.com.
>
> Is this wrong? Does the domain on my router have to match the FreeIPA
> domain in any way?
>
> Thanks,
> -Harry

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
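The naming rules this thread circles around can be checked before running ipa-server-install. The script below is an added example, not code from the thread or from FreeIPA: it takes a proposed server hostname, IPA DNS domain, Kerberos realm and the domain the router hands out, and reports the combinations that cause trouble (a bare "localdomain", a hostname that is not inside the IPA domain, a realm that is not the upper-cased domain, and an IPA domain that overlaps the router's zone so that the router's resolver, not IPA's DNS, would answer for it). The reserved-suffix list and the overlap rule are this example's assumptions; all names are placeholders.

```python
"""Sanity-check a proposed FreeIPA hostname / DNS domain / realm combination.

Added example, not FreeIPA's own validation code. RESERVED_SUFFIXES and the
router-overlap rule are assumptions made for this example.
"""
import re
from typing import List, Optional

# Suffixes home routers hand out or that are reserved for mDNS; an IPA domain
# under one of these is not a zone you can own or delegate (example's list).
RESERVED_SUFFIXES = ("localdomain", "local", "localhost", "lan", "home")

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; <= 63 chars.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def _labels(name: str) -> List[str]:
    return [lab for lab in name.strip(".").lower().split(".") if lab]


def _under(child: str, parent: str) -> bool:
    """True when child equals parent or is a subdomain of it (label-wise)."""
    c, p = _labels(child), _labels(parent)
    return bool(p) and len(c) >= len(p) and c[-len(p):] == p


def check_ipa_names(hostname: str, domain: str, realm: str,
                    router_domain: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the names look sane."""
    findings: List[str] = []
    h, d = _labels(hostname), _labels(domain)

    if not h or not d or any(not LABEL_RE.match(lab) for lab in h + d):
        findings.append("hostname or domain contains an invalid DNS label")
        return findings

    if len(d) < 2:
        findings.append(f"domain '{domain}' is a single label; use a zone you own, e.g. custom.com")
    if len(h) < 2:
        findings.append(f"hostname '{hostname}' is not fully qualified")
    elif not (_under(hostname, domain) and len(h) > len(d)):
        findings.append(f"hostname '{hostname}' is not a host inside the IPA domain '{domain}'")
    if d[-1] in RESERVED_SUFFIXES:
        findings.append(f"domain ends in .{d[-1]}, which is not a registered DNS suffix")
    if realm != ".".join(d).upper():
        findings.append(f"realm '{realm}' is not the upper-cased IPA domain (the installer default)")
    if router_domain and (_under(domain, router_domain) or _under(router_domain, domain)):
        findings.append(
            f"router domain '{router_domain}' and IPA domain '{domain}' overlap; "
            "the router's resolver would answer for IPA's zone instead of IPA's DNS")
    return findings


if __name__ == "__main__":
    # Placeholder names from the thread: router on int.custom.com, IPA on domain.custom.com.
    for finding in check_ipa_names("pc.domain.custom.com", "domain.custom.com",
                                   "DOMAIN.CUSTOM.COM", router_domain="int.custom.com"):
        print("-", finding)
```

Run it with the router's DHCP domain as the last argument; a non-empty result means the layout needs to change before the server is installed, because the IPA DNS domain and the Kerberos realm cannot be renamed afterwards without a reinstall.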
[Freeipa-users] Naming a FreeIPA domain and router differences
Hi all,

I want to make sure I'm understanding how to name my FreeIPA server.

(following names are placeholders)
On my router, I've set the domain to localdomain, so my server
automatically gets the full name as server.localdomain. I want my FreeIPA
domain to be domain.custom.com because I own the custom.com domain; so
when I'm setting it up, I answer the "server host name" question as
pc.domain.custom.com.

Is this wrong? Does the domain on my router have to match the FreeIPA
domain in any way?

Thanks,
-Harry
Re: [Freeipa-users] FreeIPA and Tomcat service cannot work at the same time
I'm an idiot... I figured it out. I forgot to change the shutdown port for
Apache Tomcat, so pki-tomcat was in conflict. Seems to be running fine now! :D

-Harry

On 7 September 2016 at 13:12, Harry Kashouli <kashma...@gmail.com> wrote:

> Hi all,
>
> System details:
> Fedora 24
> FreeIPA 4.3.2, and working fine
>
> Desired outcome:
> To have pwm running on the same server, for password self-service -
> https://github.com/pwm-project/pwm
>
> My FreeIPA server is running fine, but when I attempt to start Tomcat for
> pwm, that service will not work. Systemctl output below, let me know if you
> need anything extra, and where to grab it from.
>
> If I enable Tomcat at boot, then both that and the ipa/kerberos services
> fail to start. It seems I cannot have both Apache Tomcat and FreeIPA
> running at the same time. I even tried changing Tomcat's ports by
> increasing the port number, by 1.
>
> [root@~]# systemctl status tomcat
> ● tomcat.service - Apache Tomcat Web Application Container
>    Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; vendor preset: disabled)
>    Active: active (running) since Wed 2016-09-07 13:00:26 PDT; 21s ago
>  Main PID: 13925 (java)
>     Tasks: 18 (limit: 512)
>    CGroup: /system.slice/tomcat.service
>            └─13925 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar -Dcatalina.base=/usr/share/t
>
> Sep 07 13:00:43 server[13925]: 2016-09-07T13:00:43Z, DEBUG, pwm.PwmEnvironment, released file lock on file /var/lib/tomcat/webapps/pwm/WEB-INF/applicationPath.lock
> Sep 07 13:00:43 server[13925]: 2016-09-07T13:00:43Z, INFO , pwm.PwmApplication, PWM v1.8.0-SNAPSHOT b18063275 rb329bec559be6e47c64239474c637b8bd9ed2d93 closed for bidness, cya!
> Sep 07 13:00:43 server[13925]: 07-Sep-2016 13:00:43.443 WARNING [localhost-startStop-1] org.apache.catalina.loader.WebappClassLoaderBase.clearReferencesThreads The web application [pwm] appears to have started a thread named [PwmSettingXml s
> Sep 07 13:00:43 server[13925]: java.lang.Thread.sleep(Native Method)
> Sep 07 13:00:43 server[13925]: password.pwm.util.Helper.pause(Helper.java:112)
> Sep 07 13:00:43 server[13925]: password.pwm.config.PwmSettingXml$1.run(PwmSettingXml.java:73)
> Sep 07 13:00:43 server[13925]: 07-Sep-2016 13:00:43.508 INFO [main] org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["http-nio-8081"]
> Sep 07 13:00:43 server[13925]: 07-Sep-2016 13:00:43.510 INFO [main] org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["ajp-nio-8010"]
> Sep 07 13:00:43 server[13925]: 07-Sep-2016 13:00:43.548 INFO [main] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["http-nio-8081"]
> Sep 07 13:00:43 server[13925]: 07-Sep-2016 13:00:43.550 INFO [main] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["ajp-nio-8010"]
>
> [root@~]# systemctl status tomcat
> ● tomcat.service - Apache Tomcat Web Application Container
>    Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; vendor preset: disabled)
>    Active: inactive (dead)
>
> Sep 07 13:00:43 server[13925]: 2016-09-07T13:00:43Z, DEBUG, pwm.PwmEnvironment, released file lock on file /var/lib/tomcat/webapps/pwm/WEB-INF/applicationPath.lock
> Sep 07 13:00:43 server[13925]: 2016-09-07T13:00:43Z, INFO , pwm.PwmApplication, PWM v1.8.0-SNAPSHOT b18063275 rb329bec559be6e47c64239474c637b8bd9ed2d93 closed for bidness, cya!
> Sep 07 13:00:43 server[13925]: 07-Sep-2016 13:00:43.443 WARNING [localhost-startStop-1] org.apache.catalina.loader.WebappClassLoaderBase.clearReferencesThreads The web application [pwm] appears to have started a thread named [PwmSettingXml s
> Sep 07 13:00:43 server[13925]: java.lang.Thread.sleep(Native Method)
> Sep 07 13:00:43 server[13925]: password.pwm.util.Helper.pause(Helper.java:112)
> Sep 07 13:00:43 server[13925]: password.pwm.config.PwmSettingXml$1.run(PwmSettingXml.java:73)
> Sep 07 13:00:43 server[13925]: 07-Sep-2016 13:00:43.508 INFO [main] org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["http-nio-8081"]
> Sep 07 13:00:43 server[13925]: 07-Sep-2016 13:00:43.510 INFO [main] org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["ajp-nio-8010"]
> Sep 07 13:00:43 server[13925]: 07-Sep-2016 13:00:43.548 INFO [main] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["http-nio-8081"]
> Sep 07 13:00:43 server[13925]: 07-Sep-2016 13:00:43.550 INFO [main] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["ajp-nio-8010"]
>
> Cheers,
> -Harry
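The failure above is a port collision that is easy to miss: a FreeIPA server already runs its own Tomcat (pki-tomcat, the Dogtag CA), and besides the HTTP and AJP connectors (moved here to 8081 and 8010, as the "http-nio-8081" and "ajp-nio-8010" handlers in the journal show) every Tomcat also binds the `<Server port="...">` shutdown listener, 8005 by default. The script below is an added example, not part of the post or of Tomcat/FreeIPA: it reads the ports a server.xml would bind, compares them with the sockets already listening on the host, and names the collisions. The server.xml and the `ss -Htln` listing are constructed for the example, and the pki-tomcat ports in the listing are an assumption, not measured values.

```python
"""Find TCP ports a Tomcat server.xml would bind that are already in use.

Added example, not part of Tomcat or FreeIPA. SERVER_XML and SS_OUTPUT are
constructed sample inputs; the ports attributed to pki-tomcat are assumed.
"""
import re
import subprocess
import xml.etree.ElementTree as ET
from typing import Dict, Set

# Constructed server.xml for the second (pwm) Tomcat: connectors moved by one
# (8080 -> 8081, 8009 -> 8010) but the shutdown port left at the default 8005.
SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8081" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed `ss -Htln` output for an IPA server (LDAP, LDAPS, KDC, HTTPS and
# the pki-tomcat instance; the pki-tomcat ports are this example's assumption).
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:389 0.0.0.0:*
LISTEN 0 128 0.0.0.0:636 0.0.0.0:*
LISTEN 0 128 0.0.0.0:88 0.0.0.0:*
LISTEN 0 128 [::]:443 [::]:*
LISTEN 0 100 127.0.0.1:8005 0.0.0.0:*
LISTEN 0 100 127.0.0.1:8009 0.0.0.0:*
LISTEN 0 100 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 100 [::]:8443 [::]:*
"""


def tomcat_ports(server_xml: str) -> Dict[int, str]:
    """Map each port a server.xml would *listen* on to a short description.

    redirectPort is ignored on purpose: Tomcat only redirects clients there,
    it never binds it. port="-1" on <Server> disables the shutdown listener.
    """
    root = ET.fromstring(server_xml)
    ports: Dict[int, str] = {}
    shutdown = int(root.get("port", "-1"))
    if shutdown > 0:
        ports[shutdown] = "shutdown port (<Server port=...>)"
    for conn in root.iter("Connector"):
        ports[int(conn.get("port"))] = f"connector {conn.get('protocol', 'HTTP/1.1')}"
    return ports


def listening_ports(ss_output: str) -> Set[int]:
    """Local ports from `ss -Htln` lines (column 4 is 'addr:port', IPv6 in brackets)."""
    ports: Set[int] = set()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) >= 4:
            m = re.search(r":(\d+)$", cols[3])
            if m:
                ports.add(int(m.group(1)))
    return ports


def port_conflicts(server_xml: str, ss_output: str) -> Dict[int, str]:
    """Ports the new Tomcat wants that some other process already holds."""
    busy = listening_ports(ss_output)
    return {p: what for p, what in tomcat_ports(server_xml).items() if p in busy}


def live_conflicts(server_xml_path: str = "/etc/tomcat/server.xml") -> Dict[int, str]:
    """Same check against the running host (needs iproute2's `ss`)."""
    with open(server_xml_path, encoding="utf-8") as fh:
        xml_text = fh.read()
    ss = subprocess.run(["ss", "-Htln"], check=True, capture_output=True, text=True).stdout
    return port_conflicts(xml_text, ss)


if __name__ == "__main__":
    for port, what in port_conflicts(SERVER_XML, SS_OUTPUT).items():
        print(f"port {port} already in use: {what}")
```

On the sample data the only collision reported is 8005, the shutdown port, which is exactly what the reply above found by hand. The shutdown listener also deserves a look for its own sake: it accepts a plaintext command string from anything that can connect to it, so keep it bound to localhost (Tomcat's default), and only disable it with `port="-1"` if the unit file stops Tomcat by signal rather than through catalina's stop command, which needs that port.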
[Freeipa-users] FreeIPA and Tomcat service cannot work at the same time
Hi all,

System details:
Fedora 24
FreeIPA 4.3.2, and working fine

Desired outcome:
To have pwm running on the same server, for password self-service -
https://github.com/pwm-project/pwm

My FreeIPA server is running fine, but when I attempt to start Tomcat for
pwm, that service will not work. Systemctl output below, let me know if you
need anything extra, and where to grab it from.

If I enable Tomcat at boot, then both that and the ipa/kerberos services
fail to start. It seems I cannot have both Apache Tomcat and FreeIPA
running at the same time. I even tried changing Tomcat's ports by
increasing the port number, by 1.

[root@~]# systemctl status tomcat
● tomcat.service - Apache Tomcat Web Application Container
   Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2016-09-07 13:00:26 PDT; 21s ago
 Main PID: 13925 (java)
    Tasks: 18 (limit: 512)
   CGroup: /system.slice/tomcat.service
           └─13925 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar -Dcatalina.base=/usr/share/t

Sep 07 13:00:43 server[13925]: 2016-09-07T13:00:43Z, DEBUG, pwm.PwmEnvironment, released file lock on file /var/lib/tomcat/webapps/pwm/WEB-INF/applicationPath.lock
Sep 07 13:00:43 server[13925]: 2016-09-07T13:00:43Z, INFO , pwm.PwmApplication, PWM v1.8.0-SNAPSHOT b18063275 rb329bec559be6e47c64239474c637b8bd9ed2d93 closed for bidness, cya!
Sep 07 13:00:43 server[13925]: 07-Sep-2016 13:00:43.443 WARNING [localhost-startStop-1] org.apache.catalina.loader.WebappClassLoaderBase.clearReferencesThreads The web application [pwm] appears to have started a thread named [PwmSettingXml s
Sep 07 13:00:43 server[13925]: java.lang.Thread.sleep(Native Method)
Sep 07 13:00:43 server[13925]: password.pwm.util.Helper.pause(Helper.java:112)
Sep 07 13:00:43 server[13925]: password.pwm.config.PwmSettingXml$1.run(PwmSettingXml.java:73)
Sep 07 13:00:43 server[13925]: 07-Sep-2016 13:00:43.508 INFO [main] org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["http-nio-8081"]
Sep 07 13:00:43 server[13925]: 07-Sep-2016 13:00:43.510 INFO [main] org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["ajp-nio-8010"]
Sep 07 13:00:43 server[13925]: 07-Sep-2016 13:00:43.548 INFO [main] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["http-nio-8081"]
Sep 07 13:00:43 server[13925]: 07-Sep-2016 13:00:43.550 INFO [main] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["ajp-nio-8010"]

[root@~]# systemctl status tomcat
● tomcat.service - Apache Tomcat Web Application Container
   Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

Sep 07 13:00:43 server[13925]: 2016-09-07T13:00:43Z, DEBUG, pwm.PwmEnvironment, released file lock on file /var/lib/tomcat/webapps/pwm/WEB-INF/applicationPath.lock
Sep 07 13:00:43 server[13925]: 2016-09-07T13:00:43Z, INFO , pwm.PwmApplication, PWM v1.8.0-SNAPSHOT b18063275 rb329bec559be6e47c64239474c637b8bd9ed2d93 closed for bidness, cya!
Sep 07 13:00:43 server[13925]: 07-Sep-2016 13:00:43.443 WARNING [localhost-startStop-1] org.apache.catalina.loader.WebappClassLoaderBase.clearReferencesThreads The web application [pwm] appears to have started a thread named [PwmSettingXml s
Sep 07 13:00:43 server[13925]: java.lang.Thread.sleep(Native Method)
Sep 07 13:00:43 server[13925]: password.pwm.util.Helper.pause(Helper.java:112)
Sep 07 13:00:43 server[13925]: password.pwm.config.PwmSettingXml$1.run(PwmSettingXml.java:73)
Sep 07 13:00:43 server[13925]: 07-Sep-2016 13:00:43.508 INFO [main] org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["http-nio-8081"]
Sep 07 13:00:43 server[13925]: 07-Sep-2016 13:00:43.510 INFO [main] org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["ajp-nio-8010"]
Sep 07 13:00:43 server[13925]: 07-Sep-2016 13:00:43.548 INFO [main] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["http-nio-8081"]
Sep 07 13:00:43 server[13925]: 07-Sep-2016 13:00:43.550 INFO [main] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["ajp-nio-8010"]

Cheers,
-Harry
[Freeipa-users] Remote users and passwords
Hi all,

I have FreeIPA set up on my home server (Fedora 24), and I would like for
remote users to be able to set up new passwords, after I set them up with a
default one. Most likely, they will be running Windows.

What is the best/suggested/correct method to do this?

Thanks,
-Harry
Re: [Freeipa-users] LDAP only seems to allow anonymous access
Sorry, I missed adding the mailing list, added now.

Ah, I'll bear that in mind about authentication prior to 4.4. I have 4.3.1
on Fedora 24 right now. I'm using anonymous authentication for now, for my
various situations such as Jira/etc, and it seems to work, and I'll try
again in 4.4 with various GUI apps.

Thanks again for all the help!

-Harry

On 29 August 2016 at 01:59, Alexander Bokovoy <aboko...@redhat.com> wrote:

> Again, don't answer to me directly, use freeipa-users@ mailing list.
>
> On Mon, 29 Aug 2016, Harry Kashouli wrote:
>
>> Fixed it, and now it looks like I actually get a successful result, and it
>> gives me info on the account. Thanks, I should've guessed that I needed to
>> replace $REALM.
>>
>> Now, even though this works, if I try to connect via a GUI such as LDAP
>> Admin, I can only connect to the database if I use "Simple Authentication",
>> and anonymous. If I switch it to GSS-API and add the admin user, I get an
>> error as follows:
>> "LDAP error! Invalid credentials: SASL(-13): authentication failure:
>> GSSAPI Failure: gss_accept_sec_context"
>>
>> I've tried using the following two options as base, but still no success:
>> - dc=outland,dc=zsazouli,dc=com
>> - cn=users,cn=accounts,dc=outland,dc=zsazouli,dc=com
>
> I don't think it is related to the choice of the base here. You need to
> look into details of your GUI application. 'LDAP Admin' app is running
> on Windows and I don't think it is going to use IPA's credentials -- it
> is rather using Active Directory user's ones. However, we do not support
> GSSAPI authentication as an AD user to LDAP in versions before FreeIPA 4.4.
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] LDAP only seems to allow anonymous access
This is the error I get:

ldapsearch -LLL GSSAPI -b cn=users,cn=accounts,$REALM uid=admin
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available:

-Harry

On 28 August 2016 at 08:01, Rob Crittenden <rcrit...@redhat.com> wrote:

> Harry Kashouli wrote:
>
>> Hi all,
>>
>> I can only seem to connect clients to my FreeIPA's LDAP if I use the
>> following:
>> - Simple authentication
>> - Anonymous login
>>
>> If I try to log in using any user credentials, it will not work. Are
>> both GSS-API and named logins not allowed by default?
>
> Not sure what you mean by named logins but GSSAPI should work fine:
>
> $ kinit test
> $ ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,$REALM uid=test
> ...
>
> What error(s) are you seeing?
>
> rob
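Two details separate Rob's working command from the failing one above: the SASL mechanism has to be given as `-Y GSSAPI` (a bare `GSSAPI` argument is parsed as the search filter, and the client then falls through to a different mechanism, as the "SASL/EXTERNAL authentication started" line shows), and `$REALM` stands for the server's base DN, which FreeIPA derives from the DNS domain (`dc=example,dc=com` for example.com). The script below is an added example, not Rob's or FreeIPA's code: it builds that base DN, escapes the user name for the filter, runs the GSSAPI-authenticated search with the caller's Kerberos ticket, and parses the LDIF that ldapsearch returns. The domain, user and LDIF sample are constructed placeholders; the live search needs an IPA host with a ticket from `kinit`.

```python
"""Kerberos-authenticated LDAP lookup of a FreeIPA user, via ldapsearch.

Added example, not FreeIPA's code. SAMPLE_LDIF is a constructed ldapsearch
-LLL result used for the offline part; domain and uid values are placeholders.
"""
import base64
import subprocess
from typing import Dict, List, Optional, Sequence


def domain_to_basedn(domain: str) -> str:
    """'Example.COM' -> 'dc=example,dc=com' (FreeIPA's default suffix)."""
    labels = [lab for lab in domain.lower().strip(".").split(".") if lab]
    if not labels:
        raise ValueError("empty domain")
    return ",".join(f"dc={lab}" for lab in labels)


def ldap_filter_escape(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515): \\ * ( ) NUL."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def ipa_user_search_argv(domain: str, uid: str, attrs: Sequence[str] = (),
                         uri: Optional[str] = None) -> List[str]:
    """Command line for one user under cn=users,cn=accounts of the IPA suffix.

    -Y GSSAPI selects the SASL mechanism explicitly; without the flag the word
    GSSAPI would be taken as the filter. Leaving out -H uses the URI from
    /etc/openldap/ldap.conf, which ipa-client-install sets on enrolled hosts.
    """
    base = f"cn=users,cn=accounts,{domain_to_basedn(domain)}"
    argv = ["ldapsearch", "-LLL", "-Y", "GSSAPI"]
    if uri:
        argv += ["-H", uri]
    return argv + ["-b", base, f"(uid={ldap_filter_escape(uid)})", *attrs]


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal reader for ldapsearch -LLL output: folded lines, base64 values."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # continuation of previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line.strip():                        # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def ipa_user_search(domain: str, uid: str, attrs: Sequence[str] = (),
                    uri: Optional[str] = None) -> List[Dict[str, List[str]]]:
    """Run the search on a live host; requires a valid ticket (kinit <user>)."""
    if subprocess.run(["klist", "-s"]).returncode != 0:
        raise RuntimeError("no valid Kerberos ticket in the cache; run kinit first")
    out = subprocess.run(ipa_user_search_argv(domain, uid, attrs, uri),
                         check=True, capture_output=True, text=True).stdout
    return parse_ldif(out)


# Constructed ldapsearch -LLL output for the offline test (folded memberOf,
# base64-encoded description); not captured from a real server.
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
uid: admin
objectClass: top
objectClass: person
memberOf: cn=admins,cn=groups,cn=accounts,
 dc=example,dc=com
description:: QnVpbHQtaW4gYWRtaW4=

"""

if __name__ == "__main__":
    print(" ".join(ipa_user_search_argv("example.com", "admin", ["memberOf"])))
    print(parse_ldif(SAMPLE_LDIF)[0]["memberOf"])
```

Because the bind is GSSAPI, the LDAP server authorises the search as the principal in the ticket cache, so the attributes returned depend on that user's IPA permissions; an anonymous simple bind, which the original post fell back to, gets only what the anonymous read ACI exposes.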
[Freeipa-users] LDAP only seems to allow anonymous access
Hi all,

I can only seem to connect clients to my FreeIPA's LDAP if I use the
following:
- Simple authentication
- Anonymous login

If I try to log in using any user credentials, it will not work. Are
both GSS-API and named logins not allowed by default?

Thanks,
-Harry
Re: [Freeipa-users] Web UI access from outside the home network via port forwarding
Thanks for all the info. I think I sorted out the rewrite rules now, and the
error I get is "Secure Connection Failed. SSL_ERROR_UNRECOGNIZED_NAME_ALERT".
I'm going to try and google this, since I'm assuming I need a ServerAlias
somewhere. If someone knows the correct way, please let me know :)

-Harry

On 13 July 2016 at 08:11, Rob Crittenden <rcrit...@redhat.com> wrote:

> Harry Kashouli wrote:
>
>> I tried uncommenting everything in the ipa-rewrite.conf file, but it
>> still changed the web address. I'll try clearing the cache, in case that
>> was still remembering the links.
>>
>> I may be attacking my original thought badly, if this is going to be bad
>> for security. I'm wanting to allow users to change their passwords
>> remotely, so I figured giving them public access to the Web UI was the
>> way to go. Is there a better solution?
>
> Moving back to list.
>
> Getting the rewrite rules right can be tricky sometimes. You might have an
> easier time using a proxy instead. Exposing the UI increases the attack
> surface area so as usual it's a balance of security and convenience that
> you need to assess.
>
> A community portal was started last summer but has largely stalled. This
> is the long-term plan for what you're looking for. The design and a pointer
> to the current code is at https://www.freeipa.org/page/V4/Community_Portal
>
> rob
>
>> -Harry
>>
>> On 11 July 2016 at 19:56, Rob Crittenden <rcrit...@redhat.com> wrote:
>>
>>> Harry Kashouli wrote:
>>>
>>>> Hi all,
>>>>
>>>> I have a freeipa server set up, and would like to access the Web UI
>>>> remotely (from outside my home network).
>>>>
>>>> I set up a fresh Fedora 24 server install, and installed
>>>> freeipa-server.
>>>> - I own a domain, domain.com
>>>> - The hostname of my freeipa server is hostname.subdomain.domain.com
>>>> - My home network domain is subdomain.domain.com
>>>>
>>>> I set up a CNAME hostname.domain.com and port forwardings, and I
>>>> tested this works with nginx on the same machine; I can successfully
>>>> see the nginx test page.
>>>> I then assumed I could do the same with the freeipa Web UI, but when I
>>>> navigate to http://hostname.domain.com:, it switches to
>>>> https://hostname.subdomain.domain.com:, and with the following error:
>>>> "Server not found"
>>>>
>>>> What am I doing wrong?
>>>
>>> Look at ipa-rewrite.conf in the IPA Apache config. It does rewriting
>>> to the real name of the IPA server when it was installed. You can
>>> try tweaking this to allow both names, or to just not do the
>>> rewriting.
>>>
>>> You may have issues with Kerberos and SSL due to using a different
>>> name.
>>>
>>> You definitely don't want to use IPA over an unsecure channel.
>>>
>>> rob
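Reaching the Web UI under a name other than the one the server was installed with breaks three things independently, and the error Harry reports is only the first of them. The SNI name the browser sends has to match a ServerName or ServerAlias of the Apache vhost (mod_ssl of that era answered a miss with a warning-level unrecognized_name alert, which Firefox reports as SSL_ERROR_UNRECOGNIZED_NAME_ALERT); the certificate's subjectAltName has to cover the typed name, or hostname verification fails once the vhost does answer; and Kerberos single sign-on asks the KDC for HTTP/<typed name>@REALM, which does not exist for the public name, so the browser falls back to the login form. The script below is an added example, not code from the thread or from FreeIPA: it applies those three checks to a requested name, with RFC 6125-style wildcard matching. The vhost names, SANs, realm and principals are constructed placeholders.

```python
"""Diagnose why https://<requested>/ fails against a FreeIPA Apache vhost.

Added example, not FreeIPA's code. All names used in the __main__ block are
placeholders taken from the thread; the vhost/SAN/principal lists are assumed.
"""
from typing import Iterable, List, Optional


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: exact, or '*' as the whole leftmost label.

    A wildcard covers exactly one label and needs at least two labels after
    it, so '*.com' matches nothing and '*.a.b' does not match 'x.y.a.b'.
    """
    pattern, hostname = _norm(pattern), _norm(hostname)
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    plabels, hlabels = pattern.split("."), hostname.split(".")
    return (len(plabels) == len(hlabels) and len(hlabels) >= 3
            and plabels[1:] == hlabels[1:])


def http_principal(hostname: str, realm: str) -> str:
    """Service principal a browser requests for SPNEGO against this host."""
    return f"HTTP/{_norm(hostname)}@{realm.upper()}"


def diagnose(requested: str, vhost_names: Iterable[str], cert_sans: Iterable[str],
             realm: Optional[str] = None, principals: Iterable[str] = ()) -> List[str]:
    """Problems a browser hits loading https://<requested>/ on this vhost."""
    problems: List[str] = []
    vhost_names, cert_sans = list(vhost_names), list(cert_sans)

    if not any(name_matches(n, requested) for n in vhost_names):
        problems.append(
            f"SNI '{requested}' matches no ServerName/ServerAlias: older mod_ssl sends "
            "an unrecognized_name alert (Firefox: SSL_ERROR_UNRECOGNIZED_NAME_ALERT)")
    if not any(name_matches(n, requested) for n in cert_sans):
        problems.append(
            f"certificate subjectAltName does not cover '{requested}': hostname "
            "verification fails even when the vhost answers")
    if realm is not None:
        wanted = http_principal(requested, realm)
        if wanted not in principals:
            problems.append(
                f"no service principal {wanted}: Kerberos single sign-on cannot work "
                "for this name, only form-based login")
    return problems


if __name__ == "__main__":
    # Placeholder setup from the thread: installed as hostname.subdomain.domain.com,
    # reached from outside as hostname.domain.com (CNAME + port forward).
    installed = "hostname.subdomain.domain.com"
    for p in diagnose("hostname.domain.com", [installed], [installed],
                      realm="SUBDOMAIN.DOMAIN.COM",
                      principals=[http_principal(installed, "SUBDOMAIN.DOMAIN.COM")]):
        print("-", p)
```

A clean result for the public name requires all three to be true for it, which is why Rob's suggestion of a proxy is the easier route: a reverse proxy that terminates TLS under the public name and forwards to the server's real name keeps the IPA vhost, its certificate and its service principal unchanged. Whatever the route, the fix is never to make clients skip hostname verification; the Web UI carries the admin password, and an unverified name is exactly what a man-in-the-middle on the forwarded port would exploit.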
[Freeipa-users] Web UI access from outside the home network via port forwarding
Hi all,

I have a freeipa server set up, and would like to access the Web UI
remotely (from outside my home network).

I set up a fresh Fedora 24 server install, and installed freeipa-server.
- I own a domain, domain.com
- The hostname of my freeipa server is hostname.subdomain.domain.com
- My home network domain is subdomain.domain.com

I set up a CNAME hostname.domain.com and port forwardings, and I tested this
works with nginx on the same machine; I can successfully see the nginx test
page.
I then assumed I could do the same with the freeipa Web UI, but when I
navigate to http://hostname.domain.com:, it switches to
https://hostname.subdomain.domain.com:, and with the following error:
"Server not found"

What am I doing wrong?

Thanks.
-Harry