[Freeipa-users] Free-IPA in an AWS Base Image

2014-02-10 Thread Steve Severance
I want to create an AWS AMI that when it starts up will register itself
with a Free-IPA instance. The issue I have run into so far is that every
instance when it starts up uses the original instance's hostname. What do I
need to do to have free-ipa work in a DHCP environment like this?
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
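The thread does not answer this question. The following first-boot script is an added example of the usual approach, not code from the thread, from FreeIPA or from AWS: derive a unique hostname from the instance ID (validated before it is used anywhere), set it before enrolment, and enrol with ipa-client-install --hostname using a per-host one-time password created beforehand on the IPA server (ipa host-add <fqdn> --random), so the AMI carries no reusable credential. The domain, realm, server name and the IPA_OTP environment variable are assumptions of this example.

```python
"""First-boot enrolment of an EC2 instance into FreeIPA with a per-instance
hostname. Added example for this thread, not FreeIPA or AWS project code.

Assumed: the domain, realm and server below; a one-time enrolment password
created per host on the IPA server (ipa host-add <fqdn> --random) and handed to
the instance via user data or a secrets store, read here from IPA_OTP.
Nothing identity-related is baked into the AMI itself.
"""
import os
import re
import subprocess
import urllib.request

DOMAIN = "corp.example.com"            # assumed IPA DNS domain
REALM = "CORP.EXAMPLE.COM"             # assumed Kerberos realm
IPA_SERVER = "ldap.corp.example.com"   # assumed IPA server FQDN
IMDS = "http://169.254.169.254"

# EC2 instance IDs are "i-" followed by 8 (legacy) or 17 hex characters.
_INSTANCE_ID = re.compile(r"^i-(?:[0-9a-f]{8}|[0-9a-f]{17})$")
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def derive_fqdn(instance_id, domain=DOMAIN):
    """Unique, DNS-safe FQDN for this instance. The instance ID is validated
    first: IMDS content is untrusted input that ends up in /etc/hostname, in a
    Kerberos principal and in an LDAP entry."""
    instance_id = instance_id.strip().lower()
    if not _INSTANCE_ID.match(instance_id):
        raise ValueError("not an EC2 instance id: %r" % instance_id)
    labels = domain.strip().lower().split(".")
    if not all(_LABEL.match(label) for label in labels):
        raise ValueError("bad domain: %r" % domain)
    return "%s.%s" % (instance_id, ".".join(labels))


def enroll_command(fqdn, otp, server=IPA_SERVER, domain=DOMAIN, realm=REALM):
    """argv for ipa-client-install. --hostname overrides whatever name the
    cloned image booted with; --password is the host's one-time enrolment
    password, which IPA consumes on first use."""
    return [
        "ipa-client-install", "--unattended",
        "--hostname=" + fqdn,
        "--server=" + server, "--domain=" + domain, "--realm=" + realm,
        "--password=" + otp,
        "--mkhomedir",
    ]


def instance_id_from_imds():
    """IMDSv2: obtain a session token, then read the instance-id."""
    req = urllib.request.Request(
        IMDS + "/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    with urllib.request.urlopen(req, timeout=2) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(
        IMDS + "/latest/meta-data/instance-id",
        headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def main():
    otp = os.environ["IPA_OTP"]          # assumed delivery channel for the OTP
    fqdn = derive_fqdn(instance_id_from_imds())
    subprocess.run(["hostnamectl", "set-hostname", fqdn], check=True)
    # argv is visible in `ps` while the installer runs; the OTP is single-use
    # and bound to this host, which bounds what a local observer could do with it.
    subprocess.run(enroll_command(fqdn, otp), check=True)


if __name__ == "__main__":
    main()
```

Run it from cloud-init (or an equivalent first-boot hook) with IPA_OTP set; the host entry and its OTP must already exist on the server, which is the provisioning side's job.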

Re: [Freeipa-users] Deploying freeipa behind nginx

2014-02-03 Thread Steve Severance
Yes it works if I specify the -s as ldap.mycorp.com. So we have progress!
It now appears to authenticate fine when it posts the session but I have a
new error.

I get an Ipa Error 911 Missing HTTP referer. You have to configure
your browser to send HTTP referer header. I assume this is because the
external name doesn't match the internal name. Is there a way to modify
this somewhere?

Thanks.

Steve


On Mon, Feb 3, 2014 at 4:40 AM, Sumit Bose sb...@redhat.com wrote:

 On Fri, Jan 31, 2014 at 01:50:58PM -0800, Steve Severance wrote:
  Hi Sumit, That does indeed work. What does that tell us?

 I'm sorry, but it only tells that in general GSSAPI/Kerberos is working.
 I think it does not help much with your original issue. About
 ipa-getkeytab, does it work if you specify the server with the
 -s/--server option?


 bye,
 Sumit

 
  Steve
 
 
  On Wed, Jan 29, 2014 at 12:11 AM, Sumit Bose sb...@redhat.com wrote:
 
   On Tue, Jan 28, 2014 at 02:29:07PM -0800, Steve Severance wrote:
    Hi Everyone,
   
    I have deployed freeipa inside our production network. I want to be able to
    access the web ui so I am attempting to add it to our nginx edge machine. I
    can pass the requests upstream just fine but I am unable to log in using a
    username/password. I have enabled password authentication in the kerberos
    section of the freeipa httpd config file. In the logs it looks like the
    authentication succeeds and a ticket is issued. I assume that the cookie
    that is returned (ipa_session) has the authentication information in it.
    The subsequent call to get json data fails and I am prompted to log in again.
   
    I found this thread (
    https://www.redhat.com/archives/freeipa-users/2013-August/msg00080.html)
    which has instructions on adding ipa.mydomain.com to the keytab. When I
    call ipa-getkeytab it hangs for a bit before returning:
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
   
    Digging into this if I run: ldapsearch -d 1 -v -H ldaps://ldap.mydomain.com
   
    I get:
    ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
    additional info: SASL(-4): no mechanism available:
  
   Does it work if you add the mechanism explicitly, e.g. 'ldapsearch -Y
   GSSAPI ' ?
  
   bye,
   Sumit
  
    So we seem to have a SASL problem. If I run ldapsearch with -x simple
    authentication works just fine.
   
    Do I need to do something special to enable SASL so I can get the keytab?
    The ipa-getkeytab command does not seem to have an option to use simple
    authentication.
   
    Thanks.
   
    Steve
  




-- 
Steve Severance
Director of Engineering
Altos Research

e. st...@altosresearch.com
m. (240) 472 - 9645

Re: [Freeipa-users] Deploying freeipa behind nginx

2014-02-03 Thread Steve Severance
So I understand the mitigation of CSRF attacks. I would like ipa to be able
to handle a specific set of referers. My use case may be less common since
my freeipa instance is handling our server infrastructure not desktops.

I have everything working now. Here is an example nginx server config in
case anyone else needs it:

server {
    # External name users reach; ldap.corp.com is the internal IPA server.
    server_name ipa.corp.com;
    listen 443 ssl;

    location / {
        # IPA sets the ipa_session cookie for its own name; rewrite the cookie
        # Domain so the browser sends it back to the external name.
        proxy_cookie_domain ldap.corp.com ipa.corp.com;
        proxy_pass https://ldap.corp.com/;
        # IPA rejects JSON-RPC calls (error 911) unless Referer starts with
        # https://ldap.corp.com/ipa, so the proxy replaces the browser's Referer
        # unconditionally. Requests arriving with a third-party Referer pass
        # too, i.e. IPA's CSRF check no longer applies to traffic via this proxy.
        proxy_set_header Referer https://ldap.corp.com/ipa/ui;
    }
}

ipa.corp.com would be the external server and ldap.corp.com would be the
internal server.

Thanks for your help.

Steve



On Mon, Feb 3, 2014 at 11:10 AM, Alexander Bokovoy aboko...@redhat.com wrote:

 On Mon, 03 Feb 2014, Steve Severance wrote:

 Yes it works if I specify the -s as ldap.mycorp.com. So we have progress!
 It now appears to authenticate fine when it posts the session but I have a
 new error.

 I get an Ipa Error 911 Missing HTTP referer. You have to configure
 your browser to send HTTP referer header. I assume this is because the
 external name doesn't match the internal name. Is there a way to modify
 this somewhere?

 You can read https://bugzilla.redhat.com/show_bug.cgi?id=747710 for
 details and https://rhn.redhat.com/errata/RHSA-2011-1533.html is the
 security errata addressing it.

 We are deliberately closing cross-site forgery by enforcing
 HTTP referrer checks.

 Your nginx proxy would be a middle man which we are attempting to
 protect against.

 Recent discussions on how to allow your use case but still keep the
 security tight can be seen here:
 http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8920 (latter
 part of the thread). Discussion stalled since then.


 --
 / Alexander Bokovoy




-- 
Steve Severance
Director of Engineering
Altos Research

e. st...@altosresearch.com
m. (240) 472 - 9645
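The following is an added example, not code from the thread or from FreeIPA. It is a small client for the password-session flow the thread describes (a form POST to /ipa/session/login_password, then JSON-RPC POSTs to /ipa/session/json carrying the ipa_session cookie), plus a probe that sends a deliberately foreign Referer. FreeIPA's JSON server accepts a request only when Referer starts with https://<the IPA server's own host>/ipa and otherwise answers with error 911, which is why an external hostname in front of a proxy breaks the UI. Through the nginx configuration above IPA never sees the foreign Referer, so the probe reports the check as bypassed; through a proxy that passes Referer through unchanged, IPA answers 911 and the check is intact. The hostnames ipa.corp.com and ldap.corp.com come from the thread; the IPA_URL, IPA_HOST, IPA_USER and IPA_PASSWORD environment variables and the helper names are assumptions of this example.

```python
"""FreeIPA password-session client plus a Referer (CSRF) check probe.
Added example for this thread; not FreeIPA project code.

Assumed: EXTERNAL_URL is what the browser/proxy exposes, IPA_HOST is the IPA
server's own FQDN (the name its Referer check expects), and credentials come
from the environment rather than being hard-coded.
"""
import http.cookiejar
import json
import os
import urllib.parse
import urllib.request

EXTERNAL_URL = os.environ.get("IPA_URL", "https://ipa.corp.com")   # assumed
IPA_HOST = os.environ.get("IPA_HOST", "ldap.corp.com")             # assumed
REFERER_ERROR = 911   # FreeIPA's RefererError code, as seen in the thread


def login_request(base_url, user, password):
    """Form POST to /ipa/session/login_password. On success the server answers
    200 and sets the ipa_session cookie (401 otherwise). This endpoint does
    not require a Referer. Returns (url, headers, body)."""
    body = urllib.parse.urlencode({"user": user, "password": password}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "text/plain"}
    return base_url.rstrip("/") + "/ipa/session/login_password", headers, body


def json_rpc_request(base_url, referer_host, method, args=(), options=None):
    """JSON-RPC POST to /ipa/session/json. IPA rejects it with error 911
    unless Referer starts with https://<referer_host>/ipa, so the client sets
    that header itself instead of relying on a proxy to forge it."""
    payload = {"method": method, "params": [list(args), dict(options or {})]}
    headers = {"Content-Type": "application/json",
               "Accept": "application/json",
               "Referer": "https://%s/ipa" % referer_host}
    return (base_url.rstrip("/") + "/ipa/session/json", headers,
            json.dumps(payload).encode())


def classify_referer_probe(response):
    """Verdict for a JSON-RPC reply to a call sent with a foreign Referer.
    'intact'   - IPA returned error 911: our Referer reached it unchanged and
                 the CSRF check is enforced.
    'bypassed' - no 911: something in the path rewrote the Referer, so the
                 check is effectively disabled for clients behind that proxy."""
    err = response.get("error")
    if err and err.get("code") == REFERER_ERROR:
        return "intact"
    return "bypassed"


def call(opener, url, headers, body):
    """Send one POST through the cookie-aware opener; raises HTTPError on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with opener.open(req, timeout=15) as resp:
        return resp.read()


def main():
    user, password = os.environ["IPA_USER"], os.environ["IPA_PASSWORD"]
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))

    call(opener, *login_request(EXTERNAL_URL, user, password))  # 401 raises
    # Normal call with the Referer IPA expects.
    reply = json.loads(call(opener, *json_rpc_request(EXTERNAL_URL, IPA_HOST, "ping")))
    print("ping result:", reply.get("result"), "error:", reply.get("error"))

    # Probe: the Referer a cross-site page would send. Error 911 here is the
    # healthy outcome; anything else means the proxy is rewriting Referer.
    url, headers, body = json_rpc_request(EXTERNAL_URL, IPA_HOST, "ping")
    headers["Referer"] = "https://attacker.example/"
    verdict = classify_referer_probe(json.loads(call(opener, url, headers, body)))
    print("referer check through %s: %s" % (EXTERNAL_URL, verdict))


if __name__ == "__main__":
    main()
```

The probe is the check to run after putting any proxy in front of IPA: if it reports bypassed, the proxy, not IPA, decides which origins may issue session calls.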

Re: [Freeipa-users] Deploying freeipa behind nginx

2014-01-31 Thread Steve Severance
Hi Dmitri,

I am using Free Ipa 3.1.5 on Fedora 18. The design basically looks like the
following. All of this is hosted at AWS in our VPC. The nginx
box is on a web addressable subnet while the FreeIPA box is on a private
subnet that is not internet accessible. My goal is to be able to use the
web UI from our office without having to invest in a hardware VPN
connection. So nginx basically just acts as a reverse proxy and creates the
connection on the user's behalf to the ipa server. I can log in to other
machines I have both in our private data center and in AWS using ipa and
that works great as far as I can tell.

Any more information I can supply? Thanks.

Steve

On Wed, Jan 29, 2014 at 4:18 AM, Dmitri Pal d...@redhat.com wrote:

  On 01/28/2014 05:29 PM, Steve Severance wrote:

 Hi Everyone,

  I have deployed freeipa inside our production network. I want to be able
 to access the web ui so I am attempting to add it to our nginx edge
 machine. I can pass the requests upstream just fine but I am unable to
 log in using a username/password. I have enabled password authentication in
 the kerberos section of the freeipa httpd config file. In the logs it looks
 like the authentication succeeds and a ticket is issued. I assume that the
 cookie that is returned (ipa_session) has the authentication information in
 it. The subsequent call to get json data fails and I am prompted to log in
 again.

  I found this thread (
 https://www.redhat.com/archives/freeipa-users/2013-August/msg00080.html)
 which has instructions on adding ipa.mydomain.com to the keytab. When I
 call ipa-getkeytab it hangs for a bit before returning:
 ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

  Digging into this if I run: ldapsearch -d 1 -v -H ldaps://ldap.mydomain.com

  I get:
 ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
  additional info: SASL(-4): no mechanism available:

  So we seem to have a SASL problem. If I run ldapsearch with -x simple
 authentication works just fine.

  Do I need to do something special to enable SASL so I can get the
 keytab? The ipa-getkeytab command does not seem to have an option to use
 simple authentication.

  Thanks.

  Steve



 To be able to help a small diagram would be really helpful.
 The error above indicates that there is an entity that tries to connect to
 the LDAP using Kerberos GSSAPI and can't because it either does not have
 kerberos identity or keys or it is misconfigured and can't get to them. The
 diagram of request flow would help to troubleshoot the issue.

 What version of FreeIPA you are using? What platform?




 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager for IdM portfolio
 Red Hat Inc.


 ---
 Looking to carve out IT costs?www.redhat.com/carveoutcosts/



[Freeipa-users] Deploying freeipa behind nginx

2014-01-28 Thread Steve Severance
Hi Everyone,

I have deployed freeipa inside our production network. I want to be able to
access the web ui so I am attempting to add it to our nginx edge machine. I
can pass the requests upstream just fine but I am unable to log in using a
username/password. I have enabled password authentication in the kerberos
section of the freeipa httpd config file. In the logs it looks like the
authentication succeeds and a ticket is issued. I assume that the cookie
that is returned (ipa_session) has the authentication information in it.
The subsequent call to get json data fails and I am prompted to log in again.

I found this thread (
https://www.redhat.com/archives/freeipa-users/2013-August/msg00080.html)
which has instructions on adding ipa.mydomain.com to the keytab. When I
call ipa-getkeytab it hangs for a bit before returning:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Digging into this if I run: ldapsearch -d 1 -v -H ldaps://ldap.mydomain.com

I get:
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:

So we seem to have a SASL problem. If I run ldapsearch with -x simple
authentication works just fine.

Do I need to do something special to enable SASL so I can get the keytab?
The ipa-getkeytab command does not seem to have an option to use simple
authentication.

Thanks.

Steve