[Freeipa-users] Re: Ipsilon - Unauthorized
On 17.01.19 10:09, Alexander Bokovoy wrote:
> On to, 17 tammi 2019, Ronald Wimmer via FreeIPA-users wrote:
> > I set up ipsilon on a separate machine as documented in
> > https://ipsilon-project.org/doc/quickstart-ipa.html
> >
> > When I try to log in with the admin user I get the "Unauthorized" error. The logs say:
> >
> > ==> ssl_error_log <==
> > [Thu Jan 17 09:51:45.555163 2019] [authnz_pam:warn] [pid 5977] [client 10.65.150.250:33802] PAM account validation failed for user admin: Permission denied, referer: https://ipa-ipsilon.linux.mydomain.at/idp/login/gssapi/negotiate?ipsilon_transaction_id=ccb72cfc-7db9-4fce-8c9c-ba143c284440
>
> Well, as it says, PAM validation failed. You need to look into sssd logs to see what was wrong.
>
> Most likely you have no HBAC rule that allows your users to log in to ipsilon. Did you create one? You need to create HBAC service 'ipsilon' and then an HBAC rule to govern access to this service on the machine where ipsilon is deployed.

Thanks a lot for pointing me in the right direction. I am already logged in. As we are still not using IPA productively, it did not come to my mind...

Cheers,
Ronald

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
[Freeipa-users] Re: Ipsilon - Unauthorized
On to, 17 tammi 2019, Ronald Wimmer via FreeIPA-users wrote:
> I set up ipsilon on a separate machine as documented in
> https://ipsilon-project.org/doc/quickstart-ipa.html
>
> When I try to log in with the admin user I get the "Unauthorized" error. The logs say:
>
> ==> ssl_error_log <==
> [Thu Jan 17 09:51:45.555163 2019] [authnz_pam:warn] [pid 5977] [client 10.65.150.250:33802] PAM account validation failed for user admin: Permission denied, referer: https://ipa-ipsilon.linux.mydomain.at/idp/login/gssapi/negotiate?ipsilon_transaction_id=ccb72cfc-7db9-4fce-8c9c-ba143c284440

Well, as it says, PAM validation failed. You need to look into sssd logs to see what was wrong.

Most likely you have no HBAC rule that allows your users to log in to ipsilon. Did you create one? You need to create HBAC service 'ipsilon' and then an HBAC rule to govern access to this service on the machine where ipsilon is deployed.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] Re: ipsilon
Andrew Meyer via FreeIPA-users wrote:
> Not sure if this is the right place for support w/ ipsilon. But I got
> it installed and I'm able to browse to the website and log in now.
> However when I go to the login stack there are some buttons to the right
> of the login plugins, and they say that's it. What does
> that mean? Also I've enabled saml2, form, ipa, gssapi and secure as
> security providers yet I only see saml2. Is this normal?

You want https://lists.fedorahosted.org/admin/lists/ipsilon.lists.fedorahosted.org/

You are confusing the protocols. SAML2 is the protocol that the SP uses to request authentication for a user from the IdP. form, ipa, gssapi, etc. are the protocols used to authenticate the user on the IdP.

rob
[Freeipa-users] Re: ipsilon
On Tue, May 22, 2018 at 02:38:11PM +, Andrew Meyer via FreeIPA-users wrote:
> What about on CentOS 7?

On Thu, May 17, 2018 at 07:45:34PM +, Andrew Meyer via FreeIPA-users wrote:
> So I followed the directions to add it to my dev freeipa servers, restarted
> the httpd. But when I go to log in at https://myserver/idp as admin or
> myself, I get 401 Unauthorized no matter what. This is what I need to
> install the server:
> sudo ipsilon-server-install --openid --saml2 yes --ipa yes --info-nss yes

CentOS 7 ships Ipsilon 1.0.0 while ipsilon-openidc (needed for the --openid option above) only started to be available with Ipsilon 2.

How did you install Ipsilon on CentOS 7 so that the above ipsilon-server-install command passed for you?

--
Jan Pazdziora
Senior Principal Software Engineer, Security Engineering, Red Hat
[Freeipa-users] Re: ipsilon
What about on CentOS 7?

On Tuesday, May 22, 2018 5:08 AM, Jan Pazdziora via FreeIPA-users wrote:

> On Thu, May 17, 2018 at 10:53:13PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
> > On to, 17 touko 2018, Andrew Meyer wrote:
> > > So I followed the directions to add it to my dev freeipa servers,
> > > restarted the httpd. But when I go to log in at
> > > https://myserver/idp as admin or myself, I get 401 Unauthorized no
> > > matter what. This is what I need to install the server: sudo
> > > ipsilon-server-install --openid --saml2 yes --ipa yes --info-nss yes
> >
> > I do not run Ipsilon on the same machine as IPA master and do not
> > recommend that. Use a separate IPA client.
>
> It used to work fairly well in 2015:
> https://www.adelton.com/freeipa/freeipa-ipsilon-single-machine
> and I've used it for a number of demos and testing.
>
> However, at least with Fedora 28, it will fail simply because FreeIPA is python3 and Ipsilon is python2, and wsgi does not like mixing the two.
>
> --
> Jan Pazdziora
> Senior Principal Software Engineer, Security Engineering, Red Hat
[Freeipa-users] Re: ipsilon
On Thu, May 17, 2018 at 10:53:13PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
> On to, 17 touko 2018, Andrew Meyer wrote:
> > So I followed the directions to add it to my dev freeipa servers,
> > restarted the httpd. But when I go to log in at
> > https://myserver/idp as admin or myself, I get 401 Unauthorized no
> > matter what. This is what I need to install the server: sudo
> > ipsilon-server-install --openid --saml2 yes --ipa yes --info-nss yes
>
> I do not run Ipsilon on the same machine as IPA master and do not
> recommend that. Use a separate IPA client.

It used to work fairly well in 2015:
https://www.adelton.com/freeipa/freeipa-ipsilon-single-machine
and I've used it for a number of demos and testing.

However, at least with Fedora 28, it will fail simply because FreeIPA is python3 and Ipsilon is python2, and wsgi does not like mixing the two.

--
Jan Pazdziora
Senior Principal Software Engineer, Security Engineering, Red Hat
[Freeipa-users] Re: ipsilon
On to, 17 touko 2018, Rob Crittenden via FreeIPA-users wrote:
> Andrew Meyer via FreeIPA-users wrote:
> > Has anyone installed this on their prod FreeIPA installation? I need to
> > hook FreeIPA into some other auth systems that don't support LDAP.
>
> Ipsilon is a fine IdP and is used to host a bunch of huge, operational
> infrastructure (like FAS). A bunch of FreeIPA developers have contributed
> to it and AFAIK it still works fine using IPA as an identity backend.

Correct. The whole of Fedora actually runs off that -- FAS is ipsilon and Kerberos authentication is done by the Fedora FreeIPA instance behind it.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] Re: ipsilon
On to, 17 touko 2018, Andrew Meyer wrote:
> So I followed the directions to add it to my dev freeipa servers,
> restarted the httpd. But when I go to log in at https://myserver/idp
> as admin or myself, I get 401 Unauthorized no matter what. This is
> what I need to install the server:
> sudo ipsilon-server-install --openid --saml2 yes --ipa yes --info-nss yes

I do not run Ipsilon on the same machine as IPA master and do not recommend that. Use a separate IPA client.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] Re: ipsilon
Andrew Meyer via FreeIPA-users wrote:
> Has anyone installed this on their prod FreeIPA installation? I need to
> hook FreeIPA into some other auth systems that don't support LDAP.

Ipsilon is a fine IdP and is used to host a bunch of huge, operational infrastructure (like FAS). A bunch of FreeIPA developers have contributed to it and AFAIK it still works fine using IPA as an identity backend.

rob
[Freeipa-users] Re: ipsilon
So I followed the directions to add it to my dev freeipa servers, restarted the httpd. But when I go to log in at https://myserver/idp as admin or myself, I get 401 Unauthorized no matter what. This is what I need to install the server:

sudo ipsilon-server-install --openid --saml2 yes --ipa yes --info-nss yes

I see this in /var/log/messages:

May 17 14:34:04 freeipa01-dev [sssd[ldap_child[9215]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:34:04 freeipa01-dev [sssd[ldap_child[9217]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:35:11 freeipa01-dev [sssd[ldap_child[9219]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:35:11 freeipa01-dev [sssd[ldap_child[9221]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:36:26 freeipa01-dev [sssd[ldap_child[9223]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:36:26 freeipa01-dev [sssd[ldap_child[9224]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:37:32 freeipa01-dev [sssd[ldap_child[9228]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:37:32 freeipa01-dev [sssd[ldap_child[9230]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:38:36 freeipa01-dev [sssd[ldap_child[9238]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:38:36 freeipa01-dev [sssd[ldap_child[9240]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:39:37 freeipa01-dev [sssd[ldap_child[9243]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:39:37 freeipa01-dev [sssd[ldap_child[9245]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.

This is what is in /var/log/http/error_log:

[Thu May 17 13:55:56.263306 2018] [authnz_pam:warn] [pid 8829] [client 10.1.6.250:50562] PAM authentication failed for user andrew.meyer: Authentication failure, referer: https://freeipa01-dev.example.local/idp/login/gssapi/negotiate?ipsilon_transaction_id=fe82e294-370f-4dfa-805d-01082b021a96
[Thu May 17 13:55:59.673795 2018] [auth_gssapi:error] [pid 8829] [client 10.1.6.250:50562] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/login/form
[Thu May 17 13:56:05.735790 2018] [authnz_pam:warn] [pid 8829] [client 10.1.6.250:50562] PAM authentication failed for user admin: Error in service module, referer: https://freeipa01-dev.example.local/idp/login/gssapi/negotiate?ipsilon_transaction_id=cc8808fc-c9b0-4d9e-b3da-4b01ba7e823b
[Thu May 17 13:56:08.232387 2018] [auth_gssapi:error] [pid 8829] [client 10.1.6.250:50562] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/login/form
[Thu May 17 13:56:14.206573 2018] [auth_gssapi:error] [pid 8829] [client 10.1.6.250:50562] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/login/gssapi/negotiate?ipsilon_transaction_id=096ef2ce-e43e-488e-8421-533c90b4714a
[Thu May 17 14:39:17.674883 2018] [auth_gssapi:error] [pid 8830] [client 10.1.6.250:51742] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/
[Thu May 17 14:39:21.039126 2018] [auth_gssapi:error] [pid 8830] [client 10.1.6.250:51742] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/
[Thu May 17 14:39:32.032374 2018] [authnz_pam:warn] [pid 8830] [client 10.1.6.250:51742] PAM authentication failed for user admin: Error in service module, referer: https://freeipa01-dev.example.local/idp/login/gssapi/negotiate?ipsilon_transaction_id=94fe5ec3-1608-4977-840a-8b186f4eee28

On Thursday, May 17, 2018 2:25 PM, Alexander Bokovoy via FreeIPA-users
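The two threads above hit three different Apache error messages on the Ipsilon host, and each points at a different stage of the login: "PAM account validation failed" (the account stage, which is where sssd applies HBAC, as Alexander's reply explains), "PAM authentication failed" (the auth stage, which goes with the sssd keytab errors Andrew posted) and "NO AUTH DATA" (mod_auth_gssapi saw no Negotiate header from the browser). The triage script below is an added example for this thread, not code from Ipsilon, FreeIPA or any of the posters. It parses error_log lines of this shape, classifies them by stage, and for the HBAC case emits the ipa CLI commands that create the 'ipsilon' HBAC service and rule and check them with hbactest. The sample lines are copied from the messages in the thread; the host, group and rule names passed to hbac_commands() are placeholders and the hint text is this editor's summary, not the thread's wording.

```python
"""Triage mod_authnz_pam / mod_auth_gssapi errors from an Ipsilon IdP host.

Added example for this mailing-list thread; not Ipsilon or FreeIPA code.
SAMPLE holds lines copied from the thread. Names given to hbac_commands()
(host, group, rule) are placeholders chosen for illustration.
"""
import re
from collections import Counter

# Apache error_log line shape seen in both threads:
# [timestamp] [module:level] [pid N] [client IP:port] message, referer: URL
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[a-z_]+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+)\] \[client (?P<client>[^\]]+)\] (?P<msg>.*?)"
    r"(?:, referer: (?P<referer>\S+))?$"
)

# Message prefix -> (stage, what it means for the operator). Only the three
# kinds present in the thread are classified; anything else is "unknown".
CLASSES = [
    ("PAM account validation failed", "pam_account",
     "Kerberos auth succeeded but the PAM account stage denied the user: "
     "sssd evaluated HBAC for the 'ipsilon' service. Check sssd logs and add "
     "an HBAC rule for service 'ipsilon' on this host."),
    ("PAM authentication failed", "pam_auth",
     "The PAM auth stage failed (bad password, or sssd could not obtain "
     "credentials with its keytab). Check /var/log/messages for sssd errors."),
    ("NO AUTH DATA", "gssapi_no_ticket",
     "The browser sent no Negotiate header: no Kerberos ticket, or the IdP "
     "host is not one the browser negotiates with. The login stack moves on "
     "to the next plugin (e.g. form)."),
]

def parse_line(line):
    """Parse one error_log line; return a dict or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["stage"], rec["hint"] = "unknown", "unclassified message"
    for prefix, stage, hint in CLASSES:
        if rec["msg"].startswith(prefix):
            rec["stage"], rec["hint"] = stage, hint
            break
    um = re.search(r"for user (\S+):", rec["msg"])
    rec["user"] = um.group(1) if um else None
    return rec

def triage(lines):
    """Return the parsed records and a count of records per stage."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    return records, Counter(r["stage"] for r in records)

def hbac_commands(host, group, rule="allow_ipsilon", service="ipsilon",
                  test_user="admin"):
    """ipa CLI commands creating the HBAC service and rule the thread
    recommends, ending with hbactest to verify the rule before retrying.
    Arguments are placeholders; run them on an enrolled host with a ticket."""
    return [
        f"ipa hbacsvc-add {service} --desc='Ipsilon IdP login (PAM)'",
        f"ipa hbacrule-add {rule} --desc='Allow {group} to log in to Ipsilon'",
        f"ipa hbacrule-add-service {rule} --hbacsvcs={service}",
        f"ipa hbacrule-add-host {rule} --hosts={host}",
        f"ipa hbacrule-add-user {rule} --groups={group}",
        f"ipa hbactest --user={test_user} --host={host} --service={service}",
    ]

# Lines copied from the two threads (one of each kind).
SAMPLE = [
    "[Thu Jan 17 09:51:45.555163 2019] [authnz_pam:warn] [pid 5977] [client 10.65.150.250:33802] PAM account validation failed for user admin: Permission denied, referer: https://ipa-ipsilon.linux.mydomain.at/idp/login/gssapi/negotiate?ipsilon_transaction_id=ccb72cfc-7db9-4fce-8c9c-ba143c284440",
    "[Thu May 17 13:55:56.263306 2018] [authnz_pam:warn] [pid 8829] [client 10.1.6.250:50562] PAM authentication failed for user andrew.meyer: Authentication failure, referer: https://freeipa01-dev.example.local/idp/login/gssapi/negotiate?ipsilon_transaction_id=fe82e294-370f-4dfa-805d-01082b021a96",
    "[Thu May 17 13:55:59.673795 2018] [auth_gssapi:error] [pid 8829] [client 10.1.6.250:50562] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/login/form",
]

if __name__ == "__main__":
    records, counts = triage(SAMPLE)
    for r in records:
        print(f"{r['ts']} {r['module']} user={r['user']} stage={r['stage']}")
        print(f"    {r['hint']}")
    print(dict(counts))
    if counts["pam_account"]:
        # Placeholder host and group; substitute the real Ipsilon host and
        # the group that should be allowed to log in.
        print("\n".join(hbac_commands("ipa-ipsilon.linux.mydomain.at",
                                      "ipsilon-users")))
```

Feed it the real error_log (`triage(open(path))`) to see which stage is failing before touching anything; a count of pam_account failures with no pam_auth failures is the HBAC case from the first thread, while pam_auth failures alongside sssd keytab errors, as in Andrew's logs, mean the host's own Kerberos setup needs fixing first and no HBAC rule will help.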