Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Matt .
Hi, But as the user is the same, I could use the same keytab for each ipa server? I need to use the API indeed, so need to issue the http service. Any other options? 2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com: On 6.3.2015 14:08, Martin Kosek wrote: I'm figuring out how to

Re: [Freeipa-users] verified certificates both sides of a TLS channel

2015-03-06 Thread Martin Kosek
On 03/06/2015 09:34 AM, Andrew Holway wrote: Hi, We're using rabbitmq to shunt bits of data around various systems. To provide better security we would like all of our acmq connections to be authenticated and encrypted. I'm looking for appropriate documentation or some friendly guidance of how

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Petr Spacek
On 6.3.2015 15:13, Matt . wrote: Hi, But as the user is the same, I could use the same keytab for each ipa server? I need to use the API indeed, so need to issue the http service. Any other options? I do not really understand your use case. Could you describe it in detail, please?

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Matt .
I have 2 IPA servers where I kinit to and post to the api using curl/json. As I need redundancy and don't want to have it script managed, but one central point where I can talk to, I use a loadbalancer. As I connect to the loadbalancer using DNAT, so the client IP is known on the IPA server

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Herwono W Wijaya
FreeIPA logs: [06/Mar/2015:21:51:15 +0700] conn=30 op=0 BIND dn=uid=admin,cn=users,cn=compat,dc=server,dc=local method=128 version=3 [06/Mar/2015:21:51:15 +0700] conn=30 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=uid=admin,cn=users,cn=accounts,dc=server,dc=local [06/Mar/2015:21:51:15 +0700]

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Petr Spacek
On 6.3.2015 16:24, Matt . wrote: Hi, I'm really bound to a loadbalancer, as it's an HA setup of loadbalancers, SRV won't fit here, sorry to say. I auth users, so their keytab should be the same between two masters I believe? Keytabs are used by Kerberos and MIT kerberos libraries fully

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-06 Thread Dan Mossor
On Fri, Mar 6, 2015 at 1:28 AM, Martin Kosek mko...@redhat.com wrote: On 03/06/2015 02:38 AM, Dan Mossor wrote: On Thu, Mar 5, 2015 at 7:21 PM, Dmitri Pal d...@redhat.com wrote: http://i.imgur.com/mhX86Ng.png It should show up if you do not have a ticket.

Re: [Freeipa-users] verified certificates both sides of a TLS channel

2015-03-06 Thread Dmitri Pal
On 03/06/2015 08:05 AM, Martin Kosek wrote: On 03/06/2015 01:16 PM, Dmitri Pal wrote: On 03/06/2015 04:32 AM, Martin Kosek wrote: On 03/06/2015 09:34 AM, Andrew Holway wrote: Hi, We're using rabbitmq to shunt bits of data around various systems. To provide better security we would like all of

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Petr Spacek
On 6.3.2015 15:39, Matt . wrote: I have 2 IPA servers where I kinit to and post to the api using curl/json. If we are talking purely about scripting, you can use the IPA Python API. It will handle fail over for you even without any load balancer. That would be the easiest way. As I need redundancy and

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-06 Thread Dmitri Pal
On 03/06/2015 09:26 AM, Dan Mossor wrote: On Fri, Mar 6, 2015 at 1:28 AM, Martin Kosek mko...@redhat.com wrote: On 03/06/2015 02:38 AM, Dan Mossor wrote: On Thu, Mar 5, 2015 at 7:21 PM, Dmitri Pal d...@redhat.com

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Matt .
Hi, I'm really bound to a loadbalancer, as it's an HA setup of loadbalancers, SRV won't fit here, sorry to say. I auth users, so their keytab should be the same between two masters I believe? In that case... I need to add the altnames to the certs, but I'm not 100% there in step 6 Thanks again!

Re: [Freeipa-users] Freeipa and dns

2015-03-06 Thread Jan Pazdziora
On Fri, Mar 06, 2015 at 09:15:44AM +0100, Andrew Holway wrote: For now the work around would be to have an explicit set of servers configured on the clients. You will lose a bit of agility if you plan to deploy replicas dynamically but if you do not plan to do that static server list

Re: [Freeipa-users] Synology DSM5 and freeIPA

2015-03-06 Thread Jakub Hrozek
On Fri, Mar 06, 2015 at 10:56:09AM +0100, Roberto Cornacchia wrote: Hi there, I'm planning to deploy freeIPA on our lan. It's small-ish and completely based on FC21, so I expect everything to work like a charm. Except one detail. We have Synology NAS station, which uses DSM 5.0. The

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Martin Kosek
Ah, I am not sure what control do they mean. But in general, it is always interesting to check the LDAP access logs to see the last failed request and then try the same search with ldapsearch and fix things. Martin On 03/06/2015 02:09 PM, Herwono W Wijaya wrote: Gianluca's method not

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Petr Spacek
On 6.3.2015 14:08, Martin Kosek wrote: I'm figuring out how to regenerate the webserver certificates so I can use a loadbalancer in front of my ipa servers. Are you talking about FreeIPA web interface? It is technically possible to use load-balancer but it will be really hacky. You would have

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Gianluca Cecchi
On Fri, Mar 6, 2015 at 2:12 PM, Martin Kosek mko...@redhat.com wrote: Ah, I am not sure what control do they mean. But in general, it is always interesting to check the LDAP access logs to see the last failed request and then try the same search with ldapsearch and fix things. Martin

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Martin Kosek
This is the directory on FreeIPA server that the vCenter is authenticating users against. On 03/06/2015 02:40 PM, Herwono W Wijaya wrote: there is no directory /var/log/dirsrv/ in 5.5u2b version On 3/6/15 8:34 PM, Gianluca Cecchi wrote: On Fri, Mar 6, 2015 at 2:12 PM, Martin Kosek

[Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Matt .
Hi, I'm figuring out how to regenerate the webserver certificates so I can use a loadbalancer in front of my ipa servers. I see in the docs there is information about this, but not for the webservice. Does anyone have some directions? Thanks. Matt -- Manage your subscription for the

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Herwono W Wijaya
there is no directory /var/log/dirsrv/ in 5.5u2b version On 3/6/15 8:34 PM, Gianluca Cecchi wrote: On Fri, Mar 6, 2015 at 2:12 PM, Martin Kosek mko...@redhat.com wrote: Ah, I am not sure what control do they mean. But in general, it is always

Re: [Freeipa-users] verified certificates both sides of a TLS channel

2015-03-06 Thread Martin Kosek
On 03/06/2015 01:16 PM, Dmitri Pal wrote: On 03/06/2015 04:32 AM, Martin Kosek wrote: On 03/06/2015 09:34 AM, Andrew Holway wrote: Hi, We're using rabbitmq to shunt bits of data around various systems. To provide better security we would like all of our acmq connections to be authenticated and

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Martin Kosek
On 03/06/2015 01:30 PM, Matt . wrote: Hi, I'm figuring out how to regenerate the webserver certificates so I can use a loadbalancer in front of my ipa servers. I see in the docs there is information about this, but not for the webservice. Does anyone have some directions? Thanks. Matt

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Herwono W Wijaya
sorry my mistake, okay I'll check slapd log files and try to figure out what happened On 3/6/15 8:43 PM, Martin Kosek wrote: This is the directory on FreeIPA server that the vCenter is authenticating useres against. On 03/06/2015 02:40 PM, Herwono W Wijaya wrote: there is no directory

Re: [Freeipa-users] verified certificates both sides of a TLS channel

2015-03-06 Thread Dmitri Pal
On 03/06/2015 04:32 AM, Martin Kosek wrote: On 03/06/2015 09:34 AM, Andrew Holway wrote: Hi, We're using rabbitmq to shunt bits of data around various systems. To provide better security we would like all of our acmq connections to be authenticated and encrypted. I'm looking for appropriate

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Matt .
Hi Martin, Thanks, I saw that ticket but didn't get to the wiki part yet. What I wonder in Step 6: 6. Request a signed certificate for the service and see the entry in Certmonger. In case you created a NSS database with a PIN (see the step 3.), use -P $PIN or -p /etc/httpd/nssdb/pwdfile.txt

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Rich Megginson
On 03/06/2015 07:54 AM, Herwono W Wijaya wrote: FreeIPA logs: [06/Mar/2015:21:51:15 +0700] conn=30 op=0 BIND dn=uid=admin,cn=users,cn=compat,dc=server,dc=local method=128 version=3 [06/Mar/2015:21:51:15 +0700] conn=30 op=0 RESULT err=0 tag=97 nentries=0 etime=0

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Simo Sorce
On Fri, 2015-03-06 at 16:24 +0100, Matt . wrote: Hi, I'm really bound to a loadbalancer, as it's an HA setup of loadbalancers, SRV won't fit here, sorry to say. I auth users, so their keytab should be the same between two masters I believe? What kind of load balancing? An IPA server

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Dmitri Pal
On 03/06/2015 10:24 AM, Matt . wrote: Hi, I'm really bound to a loadbalancer, as it's an HA setup of loadbalancers, SRV won't fit here, sorry to say. I auth users, so their keytab should be the same between two masters I believe? Each entity in Kerberos exchange has its own identity and key. If

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Herwono W Wijaya
this result from #strings /usr/lib/openldap/slapd | grep 1.3.6.1.4 On 3/6/15 10:40 PM, Rich Megginson wrote: On 03/06/2015 07:54 AM, Herwono W Wijaya wrote: FreeIPA logs: [06/Mar/2015:21:51:15 +0700] conn=30 op=0 BIND dn=uid=admin,cn=users,cn=compat,dc=server,dc=local method=128 version=3

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Herwono W Wijaya
vCenter SSO works well with Univention LDAP. Here I want to make sure if FreeIPA can work with vCenter SSO, because I read it on this page: http://www.freeipa.org/page/HowTo/vsphere5_integration And thanks for the help and answer any questions from me. Have a nice day. On 3/6/15 11:23 PM,

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-06 Thread Dan Mossor
On Fri, Mar 6, 2015 at 9:43 AM, Dmitri Pal d...@redhat.com wrote: On 03/06/2015 10:35 AM, Dan Mossor wrote: On Fri, Mar 6, 2015 at 9:21 AM, Dmitri Pal d...@redhat.com wrote: From your workstation can you use the demo instance https://ipa.demo1.freeipa.org/ipa/ui/ or it returns the same

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Matt .
OK, understood. But when a webservice does execute a command (from scripting) to a SRV record and the first is not reachable, would it try to do it again or will DNS handle this in front of it? I do a kinit against an IPA server using a keytab after I first checked if the user was able to auth

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Gianluca Cecchi
On Fri, Mar 6, 2015 at 4:40 PM, Rich Megginson rmegg...@redhat.com wrote: [06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101 nentries=2 etime=0 notes=P [06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND [06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1 vCenter SSO

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-06 Thread Dan Mossor
On Fri, Mar 6, 2015 at 9:21 AM, Dmitri Pal d...@redhat.com wrote: From your workstation can you use the demo instance https://ipa.demo1.freeipa.org/ipa/ui/ or it returns the same error? -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. Oh, sorry, I didn't

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Rich Megginson
On 03/06/2015 09:01 AM, Herwono W Wijaya wrote: this result from #strings /usr/lib/openldap/slapd | grep 1.3.6.1.4 Sorry, I should have been much more explicit about what you need to do: 1) Are you a VMWare customer with a paid support contract? If so, then contact VMWare support - ask them

Re: [Freeipa-users] Synology DSM5 and freeIPA

2015-03-06 Thread Martin Kosek
On 03/06/2015 10:56 AM, Roberto Cornacchia wrote: Hi there, I'm planning to deploy freeIPA on our lan. It's small-ish and completely based on FC21, so I expect everything to work like a charm. Except one detail. We have Synology NAS station, which uses DSM 5.0. The ideal plan is to use it as

[Freeipa-users] Synology DSM5 and freeIPA

2015-03-06 Thread Roberto Cornacchia
Hi there, I'm planning to deploy freeIPA on our lan. It's small-ish and completely based on FC21, so I expect everything to work like a charm. Except one detail. We have Synology NAS station, which uses DSM 5.0. The ideal plan is to use it as host for shared NFS home dirs once we switch our

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Gianluca Cecchi
On Fri, Mar 6, 2015 at 6:21 PM, Rich Megginson rmegg...@redhat.com wrote: On 03/06/2015 09:39 AM, Herwono W Wijaya wrote: vCenter SSO works well with Univention LDAP. Then set up a wireshark session to capture traffic between vCenter SSO and Univention LDAP, then do the same with vCenter

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Herwono W Wijaya
Tomorrow I will try to capture Univention LDAP traffic with wireshark, and if possible I will try also this FreeIPA with vCenter 6. Since I became one of the private beta testers so I had vCenter 6. On 3/7/15 1:34 AM, Gianluca Cecchi wrote: On Fri, Mar 6, 2015 at 7:06 PM, Rich Megginson

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-06 Thread Dmitri Pal
On 03/06/2015 11:59 AM, Dan Mossor wrote: On Fri, Mar 6, 2015 at 9:43 AM, Dmitri Pal d...@redhat.com wrote: On 03/06/2015 10:35 AM, Dan Mossor wrote: On Fri, Mar 6, 2015 at 9:21 AM, Dmitri Pal d...@redhat.com wrote: From

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Rich Megginson
On 03/06/2015 09:39 AM, Herwono W Wijaya wrote: vCenter SSO works well with Univention LDAP. Then set up a wireshark session to capture traffic between vCenter SSO and Univention LDAP, then do the same with vCenter SSO and IPA. Then we can compare the TCP traffic dumps. Here I want to

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Dmitri Pal
On 03/06/2015 11:05 AM, Matt . wrote: OK, understood. But when a webservice does execute a command (from scripting) to a SRV record and the first is not reachable, would it try to do it again or will DNS handle this in front of it? I do a kinit against an IPA server using a keytab after I

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Natxo Asenjo
On Fri, Mar 6, 2015 at 7:06 PM, Rich Megginson rmegg...@redhat.com wrote: On 03/06/2015 11:02 AM, Gianluca Cecchi wrote: On Fri, Mar 6, 2015 at 6:21 PM, Rich Megginson rmegg...@redhat.com wrote: On 03/06/2015 09:39 AM, Herwono W Wijaya wrote: vCenter SSO works well with Univention

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Gianluca Cecchi
On Fri, Mar 6, 2015 at 7:06 PM, Rich Megginson rmegg...@redhat.com wrote: And so we can then change the preface that at this moment explicitly contains: Preface The environment used to write this document is based on pure vSphere 5.1, used in trial mode with vCenter server configured as

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Rich Megginson
On 03/06/2015 11:02 AM, Gianluca Cecchi wrote: On Fri, Mar 6, 2015 at 6:21 PM, Rich Megginson rmegg...@redhat.com wrote: On 03/06/2015 09:39 AM, Herwono W Wijaya wrote: vCenter SSO works well with Univention LDAP. Then set up a wireshark session to

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Rich Megginson
On 03/06/2015 09:13 AM, Gianluca Cecchi wrote: On Fri, Mar 6, 2015 at 4:40 PM, Rich Megginson rmegg...@redhat.com wrote: [06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101 nentries=2 etime=0 notes=P [06/Mar/2015:21:51:15 +0700] conn=30 op=2

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-06 Thread Martin Kosek
On 03/06/2015 05:59 PM, Dan Mossor wrote: On Fri, Mar 6, 2015 at 9:43 AM, Dmitri Pal d...@redhat.com wrote: On 03/06/2015 10:35 AM, Dan Mossor wrote: On Fri, Mar 6, 2015 at 9:21 AM, Dmitri Pal d...@redhat.com wrote: From

[Freeipa-users] Can't add AD user group to IPA group

2015-03-06 Thread Guertin, David S.
I'm on my second attempt trying to set up an IPA server with a trust relationship to our AD domain. The first attempt had inexplicable problems with winbind, so this time I've set up a RHEL7 server, and things are going better, but I'm stuck when trying to add an AD user group to an IPA group.

Re: [Freeipa-users] Can't add AD user group to IPA group

2015-03-06 Thread Craig White
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Guertin, David S. Sent: Friday, March 06, 2015 1:04 PM To: freeipa-users@redhat.com Subject: [Freeipa-users] Can't add AD user group to IPA group I'm on my second attempt trying to set up an IPA

Re: [Freeipa-users] Freeipa and dns

2015-03-06 Thread Andrew Holway
FreeIPA does not support DNS sites yet. https://fedorahosted.org/freeipa/ticket/2008 https://fedorahosted.org/bind-dyndb-ldap/ticket/126 It is in plans for the next release but as a stretch goal. For now the work around would be to

[Freeipa-users] verified certificates both sides of a TLS channel

2015-03-06 Thread Andrew Holway
Hi, We're using rabbitmq to shunt bits of data around various systems. To provide better security we would like all of our acmq connections to be authenticated and encrypted. I'm looking for appropriate documentation or some friendly guidance of how server to server SSL authentication is done with

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Gianluca Cecchi
On Fri, Mar 6, 2015 at 8:34 AM, Martin Kosek mko...@redhat.com wrote: On 03/06/2015 04:38 AM, Herwono W Wijaya wrote: Problems with FreeIPA 4.1.3 for vCenter 5.5u2b SSO, only the admin user can be used and always get an error for other users. You mean admin user from vCenter, not admin