[Freeipa-users] Re: Ipsilon - Unauthorized

2019-01-17 Thread Ronald Wimmer via FreeIPA-users

On 17.01.19 10:09, Alexander Bokovoy wrote:

On to, 17 tammi 2019, Ronald Wimmer via FreeIPA-users wrote:
I set up ipsilon on a separate machine as documented in 
https://ipsilon-project.org/doc/quickstart-ipa.html


When I try to log in with the admin user I get the "Unauthorized" 
error. The logs say:


==> ssl_error_log <==
[Thu Jan 17 09:51:45.555163 2019] [authnz_pam:warn] [pid 5977] 
[client 10.65.150.250:33802] PAM account validation failed for user 
admin: Permission denied, referer: 
https://ipa-ipsilon.linux.mydomain.at/idp/login/gssapi/negotiate?ipsilon_transaction_id=ccb72cfc-7db9-4fce-8c9c-ba143c284440

Well, as it says, PAM validation failed. You need to look into sssd logs
to see what was wrong. Most likely you have no HBAC rule that allows your
users to log in to ipsilon. Did you create one? You need to create the
HBAC service 'ipsilon' and then an HBAC rule to govern access to this
service on the machine where ipsilon is deployed.


Thanks a lot for pointing me in the right direction. I am already logged 
in. As we are still not using IPA in production, it did not come to my mind...


Cheers,
Ronald
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: Ipsilon - Unauthorized

2019-01-17 Thread Alexander Bokovoy via FreeIPA-users

On to, 17 tammi 2019, Ronald Wimmer via FreeIPA-users wrote:
I set up ipsilon on a separate machine as documented in 
https://ipsilon-project.org/doc/quickstart-ipa.html


When I try to log in with the admin user I get the "Unauthorized" 
error. The logs say:


==> ssl_error_log <==
[Thu Jan 17 09:51:45.555163 2019] [authnz_pam:warn] [pid 5977] [client 
10.65.150.250:33802] PAM account validation failed for user admin: 
Permission denied, referer: https://ipa-ipsilon.linux.mydomain.at/idp/login/gssapi/negotiate?ipsilon_transaction_id=ccb72cfc-7db9-4fce-8c9c-ba143c284440

Well, as it says, PAM validation failed. You need to look into sssd logs
to see what was wrong. Most likely you have no HBAC rule that allows your
users to log in to ipsilon. Did you create one? You need to create the
HBAC service 'ipsilon' and then an HBAC rule to govern access to this
service on the machine where ipsilon is deployed.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
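The HBAC setup Alexander describes, written out as an added example (this is not code from the thread or from the Ipsilon project). It assumes an admin Kerberos ticket on a host with the ipa CLI, that the PAM service the Ipsilon login uses is named "ipsilon" (the name the advice above implies), and placeholder values for the IdP host name, the rule name "allow_ipsilon" and the group "admins". The final hbactest step evaluates the rules the same way SSSD does, so a denial there explains the "PAM account validation failed" message without another round trip through the browser.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. Creates the HBAC
# service and rule that let IPA users log in to an Ipsilon IdP, then
# checks the result with ipa hbactest. Run with --apply to change IPA.
set -eu

# Create the HBAC service entry "ipsilon" and an allow rule for it.
# The service name must match the PAM service used by mod_authnz_pam for
# the IdP login (assumed here to be "ipsilon"), because SSSD matches HBAC
# rules by that name during the PAM account phase. HBAC rules are
# allow-only: if no enabled rule matches user, host and service, access is
# denied. This is why a disabled default "allow_all" rule makes an explicit
# rule necessary.
create_ipsilon_hbac() {
    ipsilon_host=$1          # FQDN of the host where Ipsilon runs (placeholder)
    allowed_group=$2         # IPA group whose members may log in to the IdP
    rule=${3:-allow_ipsilon} # rule name, a placeholder chosen for this example

    ipa hbacsvc-add ipsilon --desc="Ipsilon IdP login (PAM service ipsilon)"
    ipa hbacrule-add "$rule" --desc="Allow $allowed_group to log in to Ipsilon"
    ipa hbacrule-add-service "$rule" --hbacsvcs=ipsilon
    ipa hbacrule-add-host "$rule" --hosts="$ipsilon_host"
    ipa hbacrule-add-user "$rule" --groups="$allowed_group"
}

# Simulate the HBAC decision for a user on the Ipsilon host. A non-zero
# exit means PAM account validation on the IdP would still be denied.
check_ipsilon_access() {
    ipa hbactest --user="$1" --host="$2" --service=ipsilon
}

# Only touch the directory when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    create_ipsilon_hbac ipa-ipsilon.linux.mydomain.at admins
    check_ipsilon_access admin ipa-ipsilon.linux.mydomain.at
fi
```

The rule is scoped to one host and one group on purpose: granting the "ipsilon" service through an all-hosts or all-users rule would let every enrolled machine's PAM stack accept that service name. If hbactest still reports a denial after the rule exists, the next place to look is the SSSD domain log on the Ipsilon host, as the reply above suggests.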


[Freeipa-users] Re: ipsilon

2018-06-06 Thread Rob Crittenden via FreeIPA-users
Andrew Meyer via FreeIPA-users wrote:
> Not sure if this is the right place for support w/ ipsilon.  But I got
> it installed and I'm able to browse the to website and login now. 
> However when I go to the login stack there are some button to the right
> of the login plugins, and they say   that's it.  What does
> that mean?  Also I've enabled saml2, form, ipa, gssapi and secure as
> security providers yet I only see saml2.  Is this normal?

You want
https://lists.fedorahosted.org/admin/lists/ipsilon.lists.fedorahosted.org/

You are confusing the protocols.

SAML2 is the protocol that the SP uses to request authentication for a
user from the IdP. form, ipa, gssapi, etc. are the protocols used to
authenticate the user on the IdP.

rob


[Freeipa-users] Re: ipsilon

2018-05-25 Thread Jan Pazdziora via FreeIPA-users
On Tue, May 22, 2018 at 02:38:11PM +, Andrew Meyer via FreeIPA-users wrote:
> What about on CentOS 7? 

On Thu, May 17, 2018 at 07:45:34PM +, Andrew Meyer via FreeIPA-users wrote:
> So I followed the directions to add it to my dev freeipa servers, restarted 
> the httpd.  But when I go to log in  at https://myserver/idp as admin or 
> myself, I get 401 Unauthorized no matter what.  This is what I need to 
> install the server:
> sudo ipsilon-server-install --openid --saml2 yes --ipa yes --info-nss yes

CentOS 7 ships Ipsilon 1.0.0 while ipsilon-openidc (needed for the
--openid option above) only started to be available with Ipsilon 2.

How did you install Ipsilon on CentOS 7 so that the above
ipsilon-server-install command passed for you?

-- 
Jan Pazdziora
Senior Principal Software Engineer, Security Engineering, Red Hat


[Freeipa-users] Re: ipsilon

2018-05-22 Thread Andrew Meyer via FreeIPA-users
What about on CentOS 7? 

On Tuesday, May 22, 2018 5:08 AM, Jan Pazdziora via FreeIPA-users wrote:
 

On Thu, May 17, 2018 at 10:53:13PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
> On to, 17 touko 2018, Andrew Meyer wrote:
> > So I followed the directions to add it to my dev freeipa servers,
> > restarted the httpd.  But when I go to log in  at
> > https://myserver/idp as admin or myself, I get 401 Unauthorized no
> > matter what.  This is what I need to install the server: sudo
> > ipsilon-server-install --openid --saml2 yes --ipa yes --info-nss yes
> I do not run Ipsilon on the same machine as IPA master and do not
> recommend that. Use a separate IPA client.

It used to work fairly well in 2015:

    https://www.adelton.com/freeipa/freeipa-ipsilon-single-machine

and I've used it for a number of demos and testing.

However, at least with Fedora 28, it will fail simply because FreeIPA
is python3 and Ipsilon is python2, and wsgi does not like mixing the
two.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Security Engineering, Red Hat




[Freeipa-users] Re: ipsilon

2018-05-22 Thread Jan Pazdziora via FreeIPA-users
On Thu, May 17, 2018 at 10:53:13PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
> On to, 17 touko 2018, Andrew Meyer wrote:
> > So I followed the directions to add it to my dev freeipa servers,
> > restarted the httpd.  But when I go to log in  at
> > https://myserver/idp as admin or myself, I get 401 Unauthorized no
> > matter what.  This is what I need to install the server: sudo
> > ipsilon-server-install --openid --saml2 yes --ipa yes --info-nss yes
> I do not run Ipsilon on the same machine as IPA master and do not
> recommend that. Use a separate IPA client.

It used to work fairly well in 2015:

https://www.adelton.com/freeipa/freeipa-ipsilon-single-machine

and I've used it for a number of demos and testing.

However, at least with Fedora 28, it will fail simply because FreeIPA
is python3 and Ipsilon is python2, and wsgi does not like mixing the
two.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Security Engineering, Red Hat


[Freeipa-users] Re: ipsilon

2018-05-17 Thread Alexander Bokovoy via FreeIPA-users

On to, 17 touko 2018, Rob Crittenden via FreeIPA-users wrote:

Andrew Meyer via FreeIPA-users wrote:

Has anyone installed this on their prod FreeIPA installation?  I need to
hook FreeIPA into some other auth systems that don't support LDAP.


Ipsilon is a fine IdP and is used to host a bunch of huge, operational
infrastructure (like FAS).

A bunch of FreeIPA developers have contributed to it and AFAIK it still
works fine using IPA as an identity backend.

Correct. The whole of Fedora actually runs off that -- FAS is ipsilon and
Kerberos authentication is done by the Fedora FreeIPA instance behind it.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: ipsilon

2018-05-17 Thread Alexander Bokovoy via FreeIPA-users

On to, 17 touko 2018, Andrew Meyer wrote:

So I followed the directions to add it to my dev freeipa servers,
restarted the httpd.  But when I go to log in  at
https://myserver/idp as admin or myself, I get 401 Unauthorized no
matter what.  This is what I need to install the server: sudo
ipsilon-server-install --openid --saml2 yes --ipa yes --info-nss yes

I do not run Ipsilon on the same machine as IPA master and do not
recommend that. Use a separate IPA client.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: ipsilon

2018-05-17 Thread Rob Crittenden via FreeIPA-users
Andrew Meyer via FreeIPA-users wrote:
> Has anyone installed this on their prod FreeIPA installation?  I need to
> hook FreeIPA into some other auth systems that don't support LDAP.

Ipsilon is a fine IdP and is used to host a bunch of huge, operational
infrastructure (like FAS).

A bunch of FreeIPA developers have contributed to it and AFAIK it still
works fine using IPA as an identity backend.

rob


[Freeipa-users] Re: ipsilon

2018-05-17 Thread Andrew Meyer via FreeIPA-users
So I followed the directions to add it to my dev freeipa servers, restarted the 
httpd.  But when I go to log in  at https://myserver/idp as admin or myself, I 
get 401 Unauthorized no matter what.  This is what I need to install the server:
sudo ipsilon-server-install --openid --saml2 yes --ipa yes --info-nss yes

I see this in /var/log/messages:

May 17 14:34:04 freeipa01-dev [sssd[ldap_child[9215]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:34:04 freeipa01-dev [sssd[ldap_child[9217]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:35:11 freeipa01-dev [sssd[ldap_child[9219]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:35:11 freeipa01-dev [sssd[ldap_child[9221]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:36:26 freeipa01-dev [sssd[ldap_child[9223]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:36:26 freeipa01-dev [sssd[ldap_child[9224]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:37:32 freeipa01-dev [sssd[ldap_child[9228]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:37:32 freeipa01-dev [sssd[ldap_child[9230]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:38:36 freeipa01-dev [sssd[ldap_child[9238]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:38:36 freeipa01-dev [sssd[ldap_child[9240]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:39:37 freeipa01-dev [sssd[ldap_child[9243]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:39:37 freeipa01-dev [sssd[ldap_child[9245]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.

This is what is in /var/log/http/error_log:

[Thu May 17 13:55:56.263306 2018] [authnz_pam:warn] [pid 8829] [client 10.1.6.250:50562] PAM authentication failed for user andrew.meyer: Authentication failure, referer: https://freeipa01-dev.example.local/idp/login/gssapi/negotiate?ipsilon_transaction_id=fe82e294-370f-4dfa-805d-01082b021a96
[Thu May 17 13:55:59.673795 2018] [auth_gssapi:error] [pid 8829] [client 10.1.6.250:50562] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/login/form
[Thu May 17 13:56:05.735790 2018] [authnz_pam:warn] [pid 8829] [client 10.1.6.250:50562] PAM authentication failed for user admin: Error in service module, referer: https://freeipa01-dev.example.local/idp/login/gssapi/negotiate?ipsilon_transaction_id=cc8808fc-c9b0-4d9e-b3da-4b01ba7e823b
[Thu May 17 13:56:08.232387 2018] [auth_gssapi:error] [pid 8829] [client 10.1.6.250:50562] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/login/form
[Thu May 17 13:56:14.206573 2018] [auth_gssapi:error] [pid 8829] [client 10.1.6.250:50562] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/login/gssapi/negotiate?ipsilon_transaction_id=096ef2ce-e43e-488e-8421-533c90b4714a
[Thu May 17 14:39:17.674883 2018] [auth_gssapi:error] [pid 8830] [client 10.1.6.250:51742] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/
[Thu May 17 14:39:21.039126 2018] [auth_gssapi:error] [pid 8830] [client 10.1.6.250:51742] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/
[Thu May 17 14:39:32.032374 2018] [authnz_pam:warn] [pid 8830] [client 10.1.6.250:51742] PAM authentication failed for user admin: Error in service module, referer: https://freeipa01-dev.example.local/idp/login/gssapi/negotiate?ipsilon_transaction_id=94fe5ec3-1608-4977-840a-8b186f4eee28

 

On Thursday, May 17, 2018 2:25 PM, Alexander Bokovoy via FreeIPA-users