Re: [Freeipa-users] LDAP server failover via altServer attribute?

2016-05-23 Thread Răzvan Corneliu C.R. VILT
Hi Guillermo,

In February I published my findings for switching IPA in OpenDirectory 
compatible mode. See:
https://www.redhat.com/archives/freeipa-users/2016-February/msg00059.html 

Start by reading that thread.

More recently, Stefan Zecevic picked this up and opened up some interesting 
test cases for the setup in this thread:
https://www.redhat.com/archives/freeipa-users/2016-May/msg00310.html 


There's also a ticket for implementing these changes in IPA 4.4.

I'm willing to invest 4 hours per week into this if anyone else joins.

I have VMware virtual machines for every x86 OS X release possible (from Tiger 
to El Capitan) and for historical reasons I also have a few PPC releases in 
QEMU format.

I can host the VMs on a server but I need some help configuring the 389 
directory server plugins to automatically generate the needed extra attributes 
(authAuthority and altSecurityIdentities). I personally think that cn=config 
should be also automatically generated.

Cheers,
Răzvan


> On 22 May 2016, at 21:31, Guillermo Fuentes wrote:
> 
> This is great info Razvan. Thanks for sharing it!
> We provision Macs by pushing configuration scripts via Munki.
> Can you point me where I can find more documentation about this?
> Thanks again,
> Guillermo
> 
> On Fri, May 20, 2016 at 3:45 PM, "Răzvan Corneliu C.R. VILT" wrote:
> Hi guys,
> 
> Regarding the Macs, there are a few notes:
> 
> 1) The template kerberos setup can be pushed through LDAP (cn=KerberosClient 
> and cn=KerberosKDC,cn=config)
> 2) The LDAP replicas can be also configured in cn=config and it is cached by 
> OpenDirectory in the following format:
> 
> dn: cn=ldapreplicas, cn=config, dc=example, dc=com
> objectClass: apple-configuration
> apple-ldap-replica: ldap://192.168.1.1
> apple-ldap-replica: ldap://192.168.2.2
> apple-ldap-writable-replica: ldap://192.168.1.1
> apple-ldap-writable-replica: ldap://192.168.2.2
> apple-xml-plist: base64 encode of:
> -
> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
>   GUID
>   01234567-89AB-CDEF-0123-456789ABCDEF
>   IPaddresses
>     192.168.1.1
>     10.0.0.1
>   PrimaryMaster
>   ipa-server.example.org
>   ReplicaName
>   Master
>   Replicas
>     ipa-bkserver.example.org
> --
> 3) The main problem with FreeIPA and Mac OS X comes from the SSL part (CRL 
> and/or OCSP are enforced). IPA refuses PLAIN authentication on SSL.
> 
> 
> If you do this manually instead of OpenDirectory compatible way, your machine 
> doesn't create an account for itself in IPA so service access without login 
> are not available, it doesn't download the root CA automatically and you 
> don't get SSO out of the box.
> 
> 
>> On 20 May 2016, at 22:13, Guillermo Fuentes wrote:
>> 
>> SRV record failover works for Kerberos on the Mac. Setting "dns_lookup_kdc = 
>> yes" and removing the KDC server ("kdc = xxx") entries from the 
>> /Library/Preferences/edu.mit.Kerberos config file does the trick.
>> 
>> For LDAP, although you can enable it, I can't see it documented anywhere so 
>> I'm assuming that isn't the recommended way for the Mac. This can be enabled 
>> by running this for the LDAP server you're using:
>> sudo odutil set configuration /LDAPv3/ipa1.example.com module ldap option "Use DNS replicas" "true"
>> 
>> Adding the altServer values with the Directory Manager credentials worked 
>> and I'm happy to report that the failover on the Mac works great with 
>> FreeIPA!
>> 
>> As suggested by Rob, for three servers, on server ipa1:
>> $ ldapmodify -x -D 'cn=directory manager' -W
>> Enter LDAP Password:
>> dn:
>> changetype: modify
>> add: altServer
>> altServer: ldap://ipa2.example.com 
>> -
>> add: altServer
>> altServer: ldap://ipa3.example.com 
>> 
>> modifying entry ""
>> ^D
>> 
>> The altServer values didn't replicate so I had to add them to each of the 
>> FreeIPA servers.
>> 
>> Then, tell the Mac (testing on OS X v10.11.5) to use the altServer attribute 
>> to look for replicas in case of failover: 
>> sudo odutil set configuration /LDAPv3/ipa1.example.com module ldap option "Use altServer replicas" "true"
>> 
>> And, voilà! Highly available authentication with a FreeIPA cluster for the
>> Mac!
>> 
>> Thanks so 

Re: [Freeipa-users] LDAP server failover via altServer attribute?

2016-05-22 Thread Guillermo Fuentes
This is great info Razvan. Thanks for sharing it!
We provision Macs by pushing configuration scripts via Munki.
Can you point me where I can find more documentation about this?
Thanks again,
Guillermo

On Fri, May 20, 2016 at 3:45 PM, "Răzvan Corneliu C.R. VILT" <razvan.v...@me.com> wrote:

> Hi guys,
>
> Regarding the Macs, there are a few notes:
>
> 1) The template kerberos setup can be pushed through LDAP
> (cn=KerberosClient and cn=KerberosKDC,cn=config)
> 2) The LDAP replicas can be also configured in cn=config and it is cached
> by OpenDirectory in the following format:
>
> dn: cn=ldapreplicas, cn=config, dc=example, dc=com
> objectClass: apple-configuration
> apple-ldap-replica: ldap://192.168.1.1
> apple-ldap-replica: ldap://192.168.2.2
> apple-ldap-writable-replica: ldap://192.168.1.1
> apple-ldap-writable-replica: ldap://192.168.2.2
> apple-xml-plist: base64 encode of:
> -
> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
>   GUID
>   01234567-89AB-CDEF-0123-456789ABCDEF
>   IPaddresses
>     192.168.1.1
>     10.0.0.1
>   PrimaryMaster
>   ipa-server.example.org
>   ReplicaName
>   Master
>   Replicas
>     ipa-bkserver.example.org
> --
>
> 3) The main problem with FreeIPA and Mac OS X comes from the SSL part (CRL
> and/or OCSP are enforced). IPA refuses PLAIN authentication on SSL.
>
>
> If you do this manually instead of OpenDirectory compatible way, your
> machine doesn't create an account for itself in IPA so service access
> without login are not available, it doesn't download the root CA
> automatically and you don't get SSO out of the box.
>
>
> On 20 May 2016, at 22:13, Guillermo Fuentes <guillermo.fuen...@modernizingmedicine.com> wrote:
>
> SRV record failover works for Kerberos on the Mac. Setting "dns_lookup_kdc
> = yes" and removing the KDC server ("kdc = xxx") entries from the
> /Library/Preferences/edu.mit.Kerberos config file does the trick.
>
> For LDAP, although you can enable it, I can't see it documented anywhere
> so I'm assuming that isn't the recommended way for the Mac. This can be
> enabled by running this for the LDAP server you're using:
> sudo odutil set configuration /LDAPv3/ipa1.example.com module ldap option
> "Use DNS replicas" "true"
>
> Adding the altServer values with the Directory Manager credentials worked
> and I'm happy to report that the failover on the Mac works great with
> FreeIPA!
>
> As suggested by Rob, for three servers, on server ipa1:
> $ ldapmodify -x -D 'cn=directory manager' -W
> Enter LDAP Password:
> dn:
> changetype: modify
> add: altServer
> altServer: ldap://ipa2.example.com
> -
> add: altServer
> altServer: ldap://ipa3.example.com
>
> modifying entry ""
> ^D
>
> The altServer values didn't replicate so I had to add them to each of the
> FreeIPA servers.
>
> Then, tell the Mac (testing on OS X v10.11.5) to use the altServer
> attribute to look for replicas in case of failover:
> sudo odutil set configuration /LDAPv3/ipa1.example.com module ldap option
> "Use altServer replicas" "true"
>
> And, voilà! Highly available authentication with a FreeIPA cluster for the
> Mac!
>
> Thanks so much for your help!
> Guillermo
>
>
> On Fri, May 20, 2016 at 10:38 AM, Rob Crittenden wrote:
>
>> Martin Basti wrote:
>>
>>> Hello,
>>>
>>> IPA uses SRV records for failover to another replica/LDAP.
>>>
>>> I don't know how it works on MACs, but in case that there is no
>>> possibility to use SRV, you may need to file a RFE ticket
>>> (https://fedorahosted.org/freeipa/newticket)
>>>
>>
>> Agreed, SRV records are the preferred mechanism. I was curious though so
>> played with this a bit and it is possible to add altServer values:
>>
>> $ ldapmodify -x -D 'cn=directory manager' -W
>> Enter LDAP Password:
>> dn:
>> changetype: modify
>> add: altServer
>> altServer: ldap://gyre.example.com
>>
>> modifying entry ""
>> ^D
>>
>> $ ldapsearch -LLL -x -b "" -s base altServer
>> dn:
>> altServer: ldap://gyre.example.com
>>
>> My test rig is a single master so I don't know if this replicates or not.
>>
>> rob
>>
>>
>>> Martin
>>>
>>>
>>> On 19.05.2016 17:43, Guillermo Fuentes wrote:
>>>
>>>> Hello all,
>>>>
>>>> As OS X allows LDAP server failover via the altServer attribute
>>>> (RFC4512) from RootDSE, it would be great to be able to configure our
>>>> Macs to connect to a single FreeIPA server and add other FreeIPA
>>>> servers as multiple altServer values.
>>>> The current schema doesn't seem to support adding this attribute.
>>>> Can this be done in a way I'm missing?
>>>>
>>>> Thanks in advance!
>>>>
>>>> GUILLERMO FUENTES
>>>> SR. SYSTEMS ADMINISTRATOR
>>>>
>>>> 561-880-2998 x1337
>>>>
>>>> guillermo.fuen...@modmed.com

Re: [Freeipa-users] LDAP server failover via altServer attribute?

2016-05-20 Thread Răzvan Corneliu C.R. VILT
Hi guys,

Regarding the Macs, there are a few notes:

1) The template kerberos setup can be pushed through LDAP (cn=KerberosClient 
and cn=KerberosKDC,cn=config)
2) The LDAP replicas can be also configured in cn=config and it is cached by 
OpenDirectory in the following format:

dn: cn=ldapreplicas, cn=config, dc=example, dc=com
objectClass: apple-configuration
apple-ldap-replica: ldap://192.168.1.1
apple-ldap-replica: ldap://192.168.2.2
apple-ldap-writable-replica: ldap://192.168.1.1
apple-ldap-writable-replica: ldap://192.168.2.2
apple-xml-plist: base64 encode of:
-
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
  GUID
  01234567-89AB-CDEF-0123-456789ABCDEF
  IPaddresses
    192.168.1.1
    10.0.0.1
  PrimaryMaster
  ipa-server.example.org
  ReplicaName
  Master
  Replicas
    ipa-bkserver.example.org
--

3) The main problem with FreeIPA and Mac OS X comes from the SSL part (CRL 
and/or OCSP are enforced). IPA refuses PLAIN authentication on SSL.


If you do this manually instead of OpenDirectory compatible way, your machine 
doesn't create an account for itself in IPA so service access without login are 
not available, it doesn't download the root CA automatically and you don't get 
SSO out of the box.


> On 20 May 2016, at 22:13, Guillermo Fuentes wrote:
> 
> SRV record failover works for Kerberos on the Mac. Setting "dns_lookup_kdc = 
> yes" and removing the KDC server ("kdc = xxx") entries from the 
> /Library/Preferences/edu.mit.Kerberos config file does the trick.
> 
> For LDAP, although you can enable it, I can't see it documented anywhere so 
> I'm assuming that isn't the recommended way for the Mac. This can be enabled 
> by running this for the LDAP server you're using:
> sudo odutil set configuration /LDAPv3/ipa1.example.com module ldap option "Use DNS replicas" "true"
> 
> Adding the altServer values with the Directory Manager credentials worked and 
> I'm happy to report that the failover on the Mac works great with FreeIPA!
> 
> As suggested by Rob, for three servers, on server ipa1:
> $ ldapmodify -x -D 'cn=directory manager' -W
> Enter LDAP Password:
> dn:
> changetype: modify
> add: altServer
> altServer: ldap://ipa2.example.com 
> -
> add: altServer
> altServer: ldap://ipa3.example.com 
> 
> modifying entry ""
> ^D
> 
> The altServer values didn't replicate so I had to add them to each of the 
> FreeIPA servers.
> 
> Then, tell the Mac (testing on OS X v10.11.5) to use the altServer attribute 
> to look for replicas in case of failover: 
> sudo odutil set configuration /LDAPv3/ipa1.example.com module ldap option "Use altServer replicas" "true"
> 
> And, voilà! Highly available authentication with a FreeIPA cluster for the
> Mac!
> 
> Thanks so much for your help!
> Guillermo
> 
> 
> On Fri, May 20, 2016 at 10:38 AM, Rob Crittenden wrote:
> Martin Basti wrote:
> Hello,
> 
> IPA uses SRV records for failover to another replica/LDAP.
> 
> I don't know how it works on MACs, but in case that there is no
> possibility to use SRV, you may need to file a RFE ticket
> (https://fedorahosted.org/freeipa/newticket)
> 
> Agreed, SRV records are the preferred mechanism. I was curious though so 
> played with this a bit and it is possible to add altServer values:
> 
> $ ldapmodify -x -D 'cn=directory manager' -W
> Enter LDAP Password:
> dn:
> changetype: modify
> add: altServer
> altServer: ldap://gyre.example.com 
> 
> modifying entry ""
> ^D
> 
> $ ldapsearch -LLL -x -b "" -s base altServer
> dn:
> altServer: ldap://gyre.example.com 
> 
> My test rig is a single master so I don't know if this replicates or not.
> 
> rob
> 
> 
> Martin
> 
> 
> On 19.05.2016 17:43, Guillermo Fuentes wrote:
> Hello all,
> 
> As OS X allows LDAP server failover via the altServer attribute
> (RFC4512) from RootDSE, it would be great to be able to configure our
> Macs to connect to a single FreeIPA server and add other FreeIPA
> servers as multiple altServer values.
> The current schema doesn't seem to support adding this attribute.
> Can this be done in a way I'm missing?
> 
> Thanks in advance!
> 
> GUILLERMO FUENTES
> SR. SYSTEMS ADMINISTRATOR
> 
> 561-880-2998 x1337 
> 
> guillermo.fuen...@modmed.com

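The cn=ldapreplicas entry Răzvan describes in his message above (the apple-ldap-replica attributes plus a base64-encoded XML plist), built and checked in Python as an added example; this is not code from the thread, from FreeIPA or from OpenDirectory. The top-level key names follow the tag-stripped listing above; representing each element of Replicas as its own dict with IPaddresses and ReplicaName, the constructed hosts and addresses, and all helper names are assumptions of this example.

```python
import base64
import plistlib
import uuid

# Constructed topology (not from the thread): one primary, one replica.
PRIMARY = {"name": "ipa-server.example.org", "ips": ["192.168.1.1", "10.0.0.1"]}
REPLICAS = [{"name": "ipa-bkserver.example.org", "ips": ["192.168.2.2"]}]
EXAMPLE_GUID = "01234567-89AB-CDEF-0123-456789ABCDEF"  # placeholder GUID as used in the thread


def build_replica_plist(primary, replicas, guid=None):
    """Return the dict OpenDirectory caches as apple-xml-plist.

    Top-level key names (GUID, IPaddresses, PrimaryMaster, ReplicaName,
    Replicas) are the ones visible in the thread; giving each Replicas
    element its own IPaddresses/ReplicaName dict is an assumption here.
    """
    return {
        "GUID": guid or str(uuid.uuid4()).upper(),
        "IPaddresses": list(primary["ips"]),
        "PrimaryMaster": primary["name"],
        "ReplicaName": "Master",
        "Replicas": [{"IPaddresses": list(r["ips"]), "ReplicaName": r["name"]}
                     for r in replicas],
    }


def encode_plist(plist_dict):
    """Serialize as an XML plist (PropertyList-1.0 DTD) and base64-encode it."""
    xml_bytes = plistlib.dumps(plist_dict, fmt=plistlib.FMT_XML)
    return base64.b64encode(xml_bytes).decode("ascii")


def decode_plist(b64_value):
    """Inverse of encode_plist: what a client does with the cached value."""
    return plistlib.loads(base64.b64decode(b64_value))


def ldif_entry(base_dn, primary, replicas, guid=None):
    """Render cn=ldapreplicas as LDIF; 'attr::' marks a base64-encoded value."""
    hosts = [primary] + list(replicas)
    lines = [f"dn: cn=ldapreplicas,cn=config,{base_dn}",
             "objectClass: apple-configuration"]
    for h in hosts:
        lines += [f"apple-ldap-replica: ldap://{ip}" for ip in h["ips"]]
    for h in hosts:
        lines += [f"apple-ldap-writable-replica: ldap://{ip}" for ip in h["ips"]]
    plist_b64 = encode_plist(build_replica_plist(primary, replicas, guid))
    lines.append("apple-xml-plist:: " + plist_b64)
    return "\n".join(lines) + "\n"


def plist_b64_from_ldif(ldif_text):
    """Pull the base64 apple-xml-plist value back out of an LDIF entry."""
    for line in ldif_text.splitlines():
        if line.startswith("apple-xml-plist:: "):
            return line.split(" ", 1)[1]
    raise ValueError("no apple-xml-plist value in entry")


def unadvertised_ips(ldif_text):
    """Consistency check: every IP named inside the plist must also appear as
    an apple-ldap-replica value, otherwise clients get two different views of
    the topology. Returns the IPs that are missing from the attribute list."""
    plist = decode_plist(plist_b64_from_ldif(ldif_text))
    advertised = {l.split("ldap://", 1)[1] for l in ldif_text.splitlines()
                  if l.startswith("apple-ldap-replica: ")}
    wanted = set(plist["IPaddresses"])
    for r in plist["Replicas"]:
        wanted.update(r["IPaddresses"])
    return sorted(wanted - advertised)


if __name__ == "__main__":
    entry = ldif_entry("dc=example,dc=com", PRIMARY, REPLICAS, EXAMPLE_GUID)
    print(entry)
    print("unadvertised:", unadvertised_ips(entry))
```

Because the Mac trusts this entry to decide which servers it will send credentials to, the check in unadvertised_ips is worth running whenever the entry is regenerated, and write access to cn=config should stay restricted to the directory administrator.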
Re: [Freeipa-users] LDAP server failover via altServer attribute?

2016-05-20 Thread Guillermo Fuentes
SRV record failover works for Kerberos on the Mac. Setting "dns_lookup_kdc
= yes" and removing the KDC server ("kdc = xxx") entries from the
/Library/Preferences/edu.mit.Kerberos config file does the trick.

For LDAP, although you can enable it, I can't see it documented anywhere so
I'm assuming that isn't the recommended way for the Mac. This can be
enabled by running this for the LDAP server you're using:
sudo odutil set configuration /LDAPv3/ipa1.example.com module ldap option
"Use DNS replicas" "true"

Adding the altServer values with the Directory Manager credentials worked
and I'm happy to report that the failover on the Mac works great with
FreeIPA!

As suggested by Rob, for three servers, on server ipa1:
$ ldapmodify -x -D 'cn=directory manager' -W
Enter LDAP Password:
dn:
changetype: modify
add: altServer
altServer: ldap://ipa2.example.com
-
add: altServer
altServer: ldap://ipa3.example.com

modifying entry ""
^D

The altServer values didn't replicate so I had to add them to each of the
FreeIPA servers.

Then, tell the Mac (testing on OS X v10.11.5) to use the altServer
attribute to look for replicas in case of failover:
sudo odutil set configuration /LDAPv3/ipa1.example.com module ldap option
"Use altServer replicas" "true"

And, voilà! Highly available authentication with a FreeIPA cluster for the
Mac!

Thanks so much for your help!
Guillermo


On Fri, May 20, 2016 at 10:38 AM, Rob Crittenden wrote:

> Martin Basti wrote:
>
>> Hello,
>>
>> IPA uses SRV records for failover to another replica/LDAP.
>>
>> I don't know how it works on MACs, but in case that there is no
>> possibility to use SRV, you may need to file a RFE ticket
>> (https://fedorahosted.org/freeipa/newticket)
>>
>
> Agreed, SRV records are the preferred mechanism. I was curious though so
> played with this a bit and it is possible to add altServer values:
>
> $ ldapmodify -x -D 'cn=directory manager' -W
> Enter LDAP Password:
> dn:
> changetype: modify
> add: altServer
> altServer: ldap://gyre.example.com
>
> modifying entry ""
> ^D
>
> $ ldapsearch -LLL -x -b "" -s base altServer
> dn:
> altServer: ldap://gyre.example.com
>
> My test rig is a single master so I don't know if this replicates or not.
>
> rob
>
>
>> Martin
>>
>>
>> On 19.05.2016 17:43, Guillermo Fuentes wrote:
>>
>>> Hello all,
>>>
>>> As OS X allows LDAP server failover via the altServer attribute
>>> (RFC4512) from RootDSE, it would be great to be able to configure our
>>> Macs to connect to a single FreeIPA server and add other FreeIPA
>>> servers as multiple altServer values.
>>> The current schema doesn't seem to support adding this attribute.
>>> Can this be done in a way I'm missing?
>>>
>>> Thanks in advance!
>>>
>>> GUILLERMO FUENTES
>>> SR. SYSTEMS ADMINISTRATOR
>>>
>>> 561-880-2998 x1337
>>>
>>> guillermo.fuen...@modmed.com 
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] LDAP server failover via altServer attribute?

2016-05-20 Thread Rob Crittenden

Martin Basti wrote:

Hello,

IPA uses SRV records for failover to another replica/LDAP.

I don't know how it works on MACs, but in case that there is no
possibility to use SRV, you may need to file a RFE ticket
(https://fedorahosted.org/freeipa/newticket)


Agreed, SRV records are the preferred mechanism. I was curious though so 
played with this a bit and it is possible to add altServer values:


$ ldapmodify -x -D 'cn=directory manager' -W
Enter LDAP Password:
dn:
changetype: modify
add: altServer
altServer: ldap://gyre.example.com

modifying entry ""
^D

$ ldapsearch -LLL -x -b "" -s base altServer
dn:
altServer: ldap://gyre.example.com

My test rig is a single master so I don't know if this replicates or not.

rob



Martin


On 19.05.2016 17:43, Guillermo Fuentes wrote:

Hello all,

As OS X allows LDAP server failover via the altServer attribute
(RFC4512) from RootDSE, it would be great to be able to configure our
Macs to connect to a single FreeIPA server and add other FreeIPA
servers as multiple altServer values.
The current schema doesn't seem to support adding this attribute.
Can this be done in a way I'm missing?

Thanks in advance!

GUILLERMO FUENTES
SR. SYSTEMS ADMINISTRATOR

561-880-2998 x1337

guillermo.fuen...@modmed.com 



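The altServer procedure from Rob's message above and from Guillermo's three-server follow-up, as an added Python example that is not code from the thread or from FreeIPA: it generates the per-server ldapmodify input for any number of servers, parses the output of `ldapsearch -LLL -x -b "" -s base altServer`, and audits every server on its own, which matters because, as Guillermo reported, the values do not replicate. The hostnames, the captured ldapsearch outputs and the function names are constructed for this example.

```python
from urllib.parse import urlparse

# Constructed topology (not from the thread).
SERVERS = ["ipa1.example.com", "ipa2.example.com", "ipa3.example.com"]

# Constructed 'ldapsearch -LLL -x -b "" -s base altServer' output per server.
# ipa3 is deliberately missing one value: the non-replicated case.
OBSERVED = {
    "ipa1.example.com": "dn:\naltServer: ldap://ipa2.example.com\n"
                        "altServer: ldap://ipa3.example.com\n",
    "ipa2.example.com": "dn:\naltServer: ldap://ipa1.example.com\n"
                        "altServer: ldap://ipa3.example.com\n",
    "ipa3.example.com": "dn:\naltServer: ldap://ipa1.example.com\n",
}


def altserver_modify_ldif(this_server, servers, scheme="ldap"):
    """LDIF to feed 'ldapmodify -x -D "cn=directory manager" -W' on this_server.

    Adds every *other* server as an altServer value of the RootDSE (empty dn),
    one 'add:' block per value joined by '-', the same shape as the thread's
    three-server example but for any number of servers.
    """
    ops = [f"add: altServer\naltServer: {scheme}://{s}"
           for s in servers if s != this_server]
    return "dn:\nchangetype: modify\n" + "\n-\n".join(ops) + "\n"


def parse_rootdse_altservers(ldif_text):
    """Return the hostnames advertised as altServer in an ldapsearch LDIF dump."""
    # Fold LDIF continuation lines: a leading space continues the previous line.
    folded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and folded:
            folded[-1] += line[1:]
        else:
            folded.append(line)
    hosts = []
    for line in folded:
        if line.lower().startswith("altserver:"):
            url = line.split(":", 1)[1].strip()
            host = urlparse(url).hostname
            if host:
                hosts.append(host)
    return hosts


def audit_altservers(servers, observed):
    """Compare what each server advertises with what it should advertise.

    altServer lives in the RootDSE and is not replicated, so every server is
    checked individually. Returns {server: (missing, unexpected)}; a non-empty
    'unexpected' list means a server points clients somewhere outside the
    known topology and deserves a look.
    """
    report = {}
    for s in servers:
        expected = set(servers) - {s}
        got = set(parse_rootdse_altservers(observed.get(s, "")))
        report[s] = (sorted(expected - got), sorted(got - expected))
    return report


if __name__ == "__main__":
    for s in SERVERS:
        print(f"# --- ldapmodify input for {s} ---")
        print(altserver_modify_ldif(s, SERVERS))
    for s, (missing, extra) in audit_altservers(SERVERS, OBSERVED).items():
        print(f"{s}: missing={missing} unexpected={extra}")
```

In practice the observed dict would be filled from a real ldapsearch run against each server; since a failing-over client follows whichever altServer values the RootDSE hands it, keep the attribute writable only by the Directory Manager and re-run the audit after every topology change.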

Re: [Freeipa-users] LDAP server failover via altServer attribute?

2016-05-20 Thread Martin Basti

Hello,

IPA uses SRV records for failover to another replica/LDAP.

I don't know how it works on MACs, but in case that there is no 
possibility to use SRV, you may need to file a RFE ticket 
(https://fedorahosted.org/freeipa/newticket)


Martin


On 19.05.2016 17:43, Guillermo Fuentes wrote:

Hello all,

As OS X allows LDAP server failover via the altServer attribute 
(RFC4512) from RootDSE, it would be great to be able to configure our 
Macs to connect to a single FreeIPA server and add other FreeIPA 
servers as multiple altServer values.

The current schema doesn't seem to support adding this attribute.
Can this be done in a way I'm missing?

Thanks in advance!

GUILLERMO FUENTES
SR. SYSTEMS ADMINISTRATOR

561-880-2998 x1337

guillermo.fuen...@modmed.com 



[Freeipa-users] LDAP server failover via altServer attribute?

2016-05-19 Thread Guillermo Fuentes
Hello all,

As OS X allows LDAP server failover via the altServer attribute (RFC4512)
from RootDSE, it would be great to be able to configure our Macs to connect
to a single FreeIPA server and add other FreeIPA servers as multiple
altServer values.
The current schema doesn't seem to support adding this attribute.
Can this be done in a way I'm missing?

Thanks in advance!

GUILLERMO FUENTES
SR. SYSTEMS ADMINISTRATOR

561-880-2998 x1337

guillermo.fuen...@modmed.com
