Hi All,
I'm trying to implement FreeIPA for Users and SSH pub keys management in
our infra. We have a setup that spans multiple geographies. What we are
thinking is something like below.
1. Have 2 full FreeIPA servers with multi master replicas in one region.
2. In other regions just have an LDAP
You could use DNS based failover for this.
Configure DNS with a low TTL value like 60 secs. When the primary fails,
update the dns with the secondary.
Services like dynect offer this.
On 1 January 2015 at 11:05, Sanju A sanj...@tcs.com wrote:
Hi All,
I have configured Master - Master
Hi,
I'm trying to get 2 FreeIPA servers in a replicated mode behind a load
balancer, specifically Amazon ELB.
I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but looks
like there is more to it than just this file.
Any suggestions ?
Thanks.
--Prashant
--
Manage your subscription
Hi ,
Is there a way of making the nsAccountLock attribute (User enable/disable)
to be anonymously readable ?
I'm trying to implement a SSH key lookup sshd authorized key command
script. Based on this attribute the user will be allowed to login. I need
this to be anonymously readable.
Tried
,
Matt
2015-03-31 13:56 GMT+02:00 Prashant Bapat prash...@apigee.com:
Hi,
I'm trying to get 2 FreeIPA servers in a replicated mode behind a load
balancer, specifically Amazon ELB.
I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but looks
like
there is more to it than just
command to lookup the keys.
Thanks.
--Prashant
On 1 April 2015 at 11:06, Jan Cholasta jchol...@redhat.com wrote:
Hi,
Dne 1.4.2015 v 07:09 Prashant Bapat napsal(a):
Hi ,
Is there a way of making the nsAccountLock attribute (User
enable/disable) to be anonymously readable ?
I'm trying
Martin,
Thanks!
Let me double check.
Yes I was referring to the exact same pdf.
Regards.
--Prashant
On 23 March 2015 at 16:49, Martin Kosek mko...@redhat.com wrote:
On 03/23/2015 10:19 AM, Prashant Bapat wrote:
Hi,
I'm trying to add a custom attribute to user object. Below is the ldif
Ok the command you gave me worked. But I was following the PDF and below
command never worked.
ipa config-mod --addattr=ipaUserObjectClasses=ApigeeUserAttr
Is that expected ?
Thanks.
--Prashant
On 23 March 2015 at 17:37, Prashant Bapat prash...@apigee.com wrote:
Martin,
Thanks!
Let me
Hi Rob,
Yes I did restart it.
Ok another problem. I'm not able to add this attr to existing users. Only
the new ones. Any pointers ?
Thanks.
--Prashant
On 23 March 2015 at 21:19, Rob Crittenden rcrit...@redhat.com wrote:
Prashant Bapat wrote:
Ok the command you gave me worked. But I
to existing
modified
users. There is an example of such plugin in the PDF I mentioned.
On 03/23/2015 05:22 PM, Prashant Bapat wrote:
Hi Rob,
Yes I did restart it.
Ok another problem. I'm not able to add this attr to existing users. Only
the new ones. Any pointers ?
Thanks
not replicated),
would you enable replication and plugin logging (
http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#Troubleshooting)
and provide the access/errors logs ?
thanks
thierry
On 04/06/2015 04:38 PM, Prashant Bapat wrote:
Hi,
Seems like there is an issue with replication
Hi,
Seems like there is an issue with replication that I have encountered.
I'm using a custom attribute and a slapi-plugin. Below is the attribute
added.
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: (2.16.840.1.113730.3.8.11.31.1 NAME 'ipaSshSigTimestamp'
DESC 'SSH
of the UI to handle SSL.
On 18 June 2015 at 19:03, Rob Crittenden rcrit...@redhat.com wrote:
Prashant Bapat wrote:
Hi All,
There is a way to change the certificate for the web UI.
I went with a standard install with a self signed CA etc. Now I want to
install a cert from a commercial CA
Aah ok !
Unfortunately I'm using Amazon Linux and it does not support SSSD. I ended
up using nss-pam-ldap, nscd and nslcd.
However this looks promising. Only for the servers exposed to the Internet
could I use CentOS/Fedora and this method of authentication. Let me try this
and come back to you.
!
--Prashant
On 21 June 2015 at 01:51, Rob Crittenden rcrit...@redhat.com wrote:
Prashant Bapat wrote:
I tried the steps documented on a test VM. Looks like I ended up in the
situation described here
https://www.redhat.com/archives/freeipa-users/2012-January/msg00045.html.
Please be careful
Can you share the steps to reproduce this and the error message?
On 21 June 2015 at 02:33, Janelle janellenicol...@gmail.com wrote:
Just wondering if others have run into the user login to the web-UI and
with the exception of the top part of the screen and menu, all the user
details go blank.
Hi ,
I'm exploring implementing a 2FA solution to my servers exposed to public.
Mainly to secure SSH with 2FA. The SSH keys and users are already in
FreeIPA.
Is there a way to utilize the OTP inside FreeIPA during a user login to
these servers ? A user will have to enter the TOTP code based on
, 2015-06-17 at 12:35 +0530, Prashant Bapat wrote:
Simo is right! This issue is same as
https://fedorahosted.org/freeipa/ticket/5047
If I change the algorithm in the otp url to uppercase it scans in
Google authenticator/iPhone.
Further more I manually edited the /usr/lib/python2.7/site
Hi,
I have gotten into a strange situation. I'm running FreeIPA for 2 different
environments, dev/production. By mistake, the domain for both are
configured same. Say EXAMPLE.COM.
Now the problem users are facing is when using the web UI with Firefox. It
complains that the secure connection failed
' to 'SHA' in a test VM and it works as expected. I hate
to do this in the production server though.
On 12 June 2015 at 23:32, Prashant Bapat prash...@apigee.com wrote:
Hi,
Has anyone seen this ? When a user tries to scan the QR code he gets a
message saying invalid barcode. This happens only
Hi,
Has anyone seen this ? When a user tries to scan the QR code he gets a
message saying invalid barcode. This happens only with iPhone + Google
Authenticator.
Thanks for your help.
--Prashant
On Tue, Jun 30, 2015 at 11:34:55AM +0530, Prashant Bapat wrote:
Hi,
I was able to set this up in a Fedora instance with SSSD and it
works as
expected. SSHD first uses the public key and then prompts for
password
which is of course password+OTP.
However
I had the exact same requirement. Since we're on AWS, I ended up putting a
ELB in front of each of my IPA servers with a commercial cert for web UI.
The communication between ELB and the IPA server is using the IPA CA cert.
On 2 July 2015 at 07:03, Rob Crittenden rcrit...@redhat.com wrote:
its own
auto-renewal, does it leave the webui alone if set up this way ?
On Wed, Jul 1, 2015 at 9:16 PM, Prashant Bapat prash...@apigee.com
wrote:
I had the exact same requirement. Since we're on AWS, I ended up putting
a ELB in front of each of my IPA servers with a commercial cert for web
. Is it possible to make sure the user has
to login once and the credentials are cached for say 12/24 hours. I know
this is possible just using the password. Question is, is this possible
using password+OTP?
Thanks.
--Prashant
On 27 June 2015 at 13:06, Prashant Bapat prash...@apigee.com wrote:
Aah ok
Making attributes anonymously readable is very simple. You need to look
into RBAC and define the permissions/privileges you need.
On 28 October 2015 at 08:02, wrote:
> Hi,
>
> We have recently updated from IPA 3 to IPA 4.1 and one of the changes in
> security is
Refer this doc
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#server-access-controls
On 28 October 2015 at 11:11, Prashant Bapat <prash...@apigee.com> wrote:
> Making attributes an
Is there a way for you to try F23. It's the latest anyway if that's the
reason you're upgrading.
I recently did this a couple of times in a test setup (aws and virtualbox). I
have 4.1.4 (F21) in production. Was trying upgrade from F21->F22 and
F22->F23 this would give me freeipa 4.2.3. Things went
Great idea! Is that possible ? Any documentation on how to do this would be
very helpful.
Thanks.
On 4 November 2015 at 19:17, Rob Crittenden <rcrit...@redhat.com> wrote:
> Martin Kosek wrote:
> > On 11/04/2015 10:27 AM, Prashant Bapat wrote:
> >> Ack. But in a li
Looks like there are issues with dogtag and tomcat8.
http://pki.fedoraproject.org/wiki/Tomcat_8
On 5 November 2015 at 11:32, Prashant Bapat <prash...@apigee.com> wrote:
> New issue with upgrade.
>
> I setup a test IPA server. It's on an AWS EC2 instance in a VPC. Fedora 21.
Please ignore my mails about tomcat/pki. An update fixed the issue.
On 5 November 2015 at 12:58, Prashant Bapat <prash...@apigee.com> wrote:
> Looks like there are issues with dogtag and tomcat8.
> http://pki.fedoraproject.org/wiki/Tomcat_8
>
> On 5 November 2015 at 11:32, Pra
I just upgraded a test env from 4.1.4 (F21) to 4.2.3 (F23) without issues.
I had to run a dnf upgrade freeipa-server AFTER upgrading to F23 and then
run ipa-server-upgrade.
On 5 November 2015 at 16:20, John Obaterspok
wrote:
> Hi,
>
> I waited a couple of days and
Hi All,
We rolled out freeipa in our setup somewhere in the beginning of 2015. Since
then there have been couple of new releases. Latest being 4.2.3.
The FreeIPA servers are installed on Fedora 21 hosts and at this point
there is no direct way of upgrading to 4.2.3 unless we also upgrade the OS.
The
k <mko...@redhat.com> wrote:
> On 11/04/2015 10:15 AM, Lukas Slebodnik wrote:
> > On (04/11/15 14:37), Prashant Bapat wrote:
> >> Hi All,
> >>
> >> We rolled out freeipa in our setup somewhere in beginning of 2015. Since
> >> then there have been couple o
Lukas,
ipa-client-install is part of the freeipa-client rpm. On Amazon Linux this
rpm cannot be installed. This is the basic issue.
Thanks.
On 2 September 2015 at 12:43, Lukas Slebodnik <lsleb...@redhat.com> wrote:
> On (02/09/15 11:22), Prashant Bapat wrote:
> >Hi,
> >
Hi,
Running a freeipa-client on Amazon Linux is a huge challenge. This is
because the client depends on SSSD which in turn uses Samba libraries which
Amazon Linux does not support. I tried this sometime back and gave up.
Instead we went with pam-nss-ldap route which works great with compat ldap
One way to do it is write a small script which will fetch the keys from
LDAP.
As for authentication, I make the SSH public key anonymously readable for
everyone.
On 11 September 2015 at 05:00, Gustavo Mateus
wrote:
> Hi,
>
> I'm trying to setup my Amazon Linux
equiring-secure-connections
>
>
> On 11/18/2015 07:24 AM, Prashant Bapat wrote:
>
> Hi,
>
> We have a pair of freeipa servers (4.1.4) and a bunch of Linux clients
> configured to talk to them thru pam-nss-ldapd (no sssd). I want to ensure
> that these clients only talk to freeip
Hi,
We have a pair of freeipa servers (4.1.4) and a bunch of Linux clients
configured to talk to them thru pam-nss-ldapd (no sssd). I want to ensure
that these clients only talk to freeipa's LDAP server either via ldaps or
ldap+starttls. Plain ldap should not be allowed.
I can always switch to
If this is TOTP (time based) you want to double check the time is properly
set in both the server (NTP) and the device that is generating the OTP
tokens. I have had issues with this with my users couple of times.
On 7 June 2016 at 19:43, Alexander Bokovoy wrote:
> On
>
>
> Forgot to mention; this IPA-server is running on Fedora ARM on a Bananapi.
> non-otp logins go well.
>
>
> Winny
>
>
>
>
> Op 07-06-16 om 16:56 schreef Prashant Bapat:
>
> If this is TOTP (time based) you want to double check the time is
> pr
Hi,
I'm writing a small script which will scan all the users and check if each
one has setup an OTP. It will send out an email to the user if OTP is
missing.
I added a new entry
* uid=otp-check-ro,cn=sysaccounts,cn=etc,dc=example,dc=com*. Problem is I'm
able to read all the users' attributes but
Sure. Attached the stack trace with debuginfo installed.
Thanks much!
On 28 January 2016 at 16:53, Sumit Bose <sb...@redhat.com> wrote:
> On Thu, Jan 28, 2016 at 04:42:20PM +0530, Prashant Bapat wrote:
> > gdb stacktrace attached.
>
> Can you install the debuginfo with
wrote:
> On Thu, Jan 28, 2016 at 09:36:55PM +0530, Prashant Bapat wrote:
> > Sure. Attached the stack trace with debuginfo installed.
> >
> > Thanks much!
>
> This looks very much like the issue Simo fixed recently, but
> unfortunately I think it is so recent that
Hi,
We have a FreeIPA 4.1.4 setup on F21 servers. There is 1 master and 7
replicas in different regions. Earlier there was only 1 replica. Since I
added new replicas, on the master node, once in a while the kerberos
process dumps core and everything stops working - authentication,
replication
at 13:54, Sumit Bose <sb...@redhat.com> wrote:
> On Thu, Jan 28, 2016 at 10:25:53AM +0530, Prashant Bapat wrote:
> > Hi,
> >
> > We have a FreeIPA 4.1.4 setup on F21 servers. There is 1 master and 7
> > replicas in different regions. Earlier there was only
gdb stacktrace attached.
On 28 January 2016 at 16:27, Prashant Bapat <prash...@apigee.com> wrote:
> Thanks Sumit.
>
> From the logs there is nothing unusual around the time of core dump. I
> found this one line odd though.
>
> *Jan 26 03:15:58 ipa.example.net <http:/
Thanks Lukas.
I'm exploring moving to CentOS for our setup so that I get the advantage of
longer release cycles.
On 28 January 2016 at 16:41, Lukas Slebodnik <lsleb...@redhat.com> wrote:
> On (28/01/16 16:27), Prashant Bapat wrote:
> >Thanks Sumit.
> >
> >>From the
Hi,
I'm using FreeIPA 4.1.4 with nss-pam-ldapd and the compat schema.
I'm thinking of moving sudo rules to IPA and with *ou=sudoers* and
sudo-ldap this works.
In our setup we have a lot of rules with wildcard matching for sudo
hostnames. For ex webserver*, dbserver* etc.
In the IPA UI, when I
Not using SSSD because Amazon Linux does not support samba libraries
required to compile it.
On 19 February 2016 at 14:28, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Fri, Feb 19, 2016 at 11:27:16AM +0530, Prashant Bapat wrote:
> > Hi,
> >
> > I'm using FreeI
voy <aboko...@redhat.com> wrote:
> On Mon, 22 Feb 2016, Prashant Bapat wrote:
>
>> SSSD on Amazon linux is a dead end! I have tried for a year without any
>> definitive answer.
>>
>> Any other suggestions ?
>>
> Switch to CentOS AMIs.
>
SSSD on Amazon linux is a dead end! I have tried for a year without any
definitive answer.
Any other suggestions ?
Thanks.
--Prashant
On 19 February 2016 at 21:32, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Fri, Feb 19, 2016 at 09:10:19PM +0530, Prashant Bapat wrote:
> >
agreements each.
This seems to have resolved the core-dump of kerberos. No upgrade was done.
Hope this helps someone.
On 29 January 2016 at 15:13, Prashant Bapat <prash...@apigee.com> wrote:
> We will have to run with F21 for now. There are plans for moving to CentOS
> 7.x in the near f
Hi,
I'm trying to use IPA's LDAP server as the user data base for an external
application.
I have created a service account from ldif below.
dn: uid=srv-ro,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword:
cationPlugin - Abort CleanAllRUV Task
(rid 6): Retrying in 14400 seconds
It will never be able to connect to ipa2 as its gone permanently. Also
the ipa-replica-manage
list `hostname` command still shows the ipa2 as replica.
How to remove this permanently ???
Thanks.
--Prashant
On 6 April 2016 at 22:17, P
# ipa-replica-manage list `hostname`
ipa2.example.net: replica
ipa3.example.net: replica
ipa4.example.net: replica
ipa2.example.net should not be there. How do I remove it?
On 6 April 2016 at 18:55, Rob Crittenden <rcrit...@redhat.com> wrote:
> Prashant Bapat wrote:
>
>> Hi,
Thank you very much! That does it.
On 7 April 2016 at 13:12, Ludwig Krispenz <lkris...@redhat.com> wrote:
>
> On 04/07/2016 07:23 AM, Prashant Bapat wrote:
>
> What I have done now was to add a new server, ipa02 and configured
> replication again and things are fine.
>
A user will be able to list all other users and be able to read their
attributes. But will not be able to change anything.
Is that an issue ? I mean on a Linux box you can read /etc/passwd file
which has info about all users on that box. This doesn't cause issues.
On 8 March 2016 at 03:03, Matt
I guess I was looking at this wrongly!
Simo, you're right! Java and Kerberos won't work !
However password+OTP against LDAP server directly works! I can use that!
Thanks for your help!
On 3 March 2016 at 14:40, Prashant Bapat <prash...@apigee.com> wrote:
> Thanks.
>
> Le
Thanks.
Let me figure out possible alternatives.
On 3 March 2016 at 00:20, Simo Sorce <s...@redhat.com> wrote:
>
>
> On Wed, 2016-03-02 at 16:25 +0530, Prashant Bapat wrote:
> > Thanks. But my problem is not OTP per se but Kerberos thru Java.
> > Specifica
Hi,
I'm trying to use Shibboleth IdP with FreeIPA and Kerberos Authentication.
I'm aware of Ipsilon, just that Shibboleth is more suited for my use case.
I've installed ipa-client on a server and connected it to ipa. Shibboleth
is installed on this server and I'm able to get the Kerberos
(KDCRep.java:140)
Any pointers ?
On 1 March 2016 at 21:01, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Tue, 01 Mar 2016, Prashant Bapat wrote:
>
>> Hi,
>>
>> I'm trying to use Shibboleth IdP with FreeIPA and Kerberos Authentication.
>> I'm aware of I
Hi,
We have been using the OTP feature of FreeIPA extensively for users to
login to the web UI. Now we are rolling out an external service using the
LDAP authentication based on FreeIPA and OTP.
End users typically login rarely to the web UI. Only to update their SSH
keys once in 90 days.
in making FreeIPA's OTP implementation much more
usable.
Thanks.
--Prashant
On 25 April 2016 at 21:48, Petr Vobornik <pvobo...@redhat.com> wrote:
> On 04/22/2016 08:55 AM, Prashant Bapat wrote:
> > Hi,
> >
> > We have been using the OTP feature of FreeIPA exten
For the replication issues please see
http://directory.fedoraproject.org/docs/389ds/howto/howto-replicationmonitoring.html
This has a perl script that you can use.
As for the authentication of the user monitoring replication, we thought
about it and ended up allowing anonymous reads on the
. But if a user does not have OTP
they can login with just password.
Can they be forced to setup an OTP ?
On 16 May 2016 at 16:03, Petr Vobornik <pvobo...@redhat.com> wrote:
> On 05/16/2016 12:20 PM, Prashant Bapat wrote:
> > Any suggestions on how to achieve this ?
> >
Any suggestions on how to achieve this ?
+1 For enforcing OTP in web UI.
When the user logs in for the first time he should be taken to a page to
create an OTP token. Users should be able to login only using passwd+OTP.
Are there any ideas for ensuring that all users are using OTP tokens ?
On 4 May 2016 at 05:12, Peter Bisroev
at.com> wrote:
> Prashant Bapat wrote:
>
>> I cherrypicked the commit id 3b7d5e7543a074d7d24556cadc6c95be9871cfc6
>> and compiled the ipa-pwd-extop slapi plugin.
>>
>> Now the user is denied bind. But unable to reset the password.
>>
>
> Right, it's a tr
What we have done is as follows.
1. For all the changes happening thru IPA APIs (either cmd line or WebUI)
you can capture these in the httpd error logs. We trigger alert emails on
important events such as new user addition etc.
2. For everything including the above, you can always enable the
Tough luck! If it's tricky for you (FreeIPA core developers) then it's pretty
much impossible to solve it for mere mortals like me !
On 11 July 2016 at 19:43, Rob Crittenden <rcrit...@redhat.com> wrote:
> Prashant Bapat wrote:
>
>> I cherrypi
I was in the exact same situation. Had to upgrade from FC21 (4.1.4) to
CentOS 7.2 (4.2.0). Upgrade went thru fine thanks to this thread :-)
For migrating the DNA ranges, I used this link
https://blog-rcritten.rhcloud.com/?p=50 Is this fine?
Thanks.
On 10 February 2016 at 15:02, Martin Kosek
Anyone ?!
On 6 July 2016 at 22:36, Prashant Bapat <prash...@apigee.com> wrote:
> Hi,
>
> We are using FreeIPA's LDAP as the base for user authentication in a
> different application. So far I have created a sysaccount which does the
> lookup etc for a user and things are wor
Hi,
We are using FreeIPA's LDAP as the base for user authentication in a
different application. So far I have created a sysaccount which does the
lookup etc for a user and things are working as expected. I'm even able to
use OTP from the external app.
One problem I'm struggling to fix is the
I cherrypicked the commit id 3b7d5e7543a074d7d24556cadc6c95be9871cfc6 and
compiled the ipa-pwd-extop slapi plugin.
Now the user is denied bind. But unable to reset the password.
On 8 July 2016 at 13:21, Martin Kosek <mko...@redhat.com> wrote:
> On 07/07/2016 05:19 PM, Prashant Ba
RBAC Role "User Administrator" should have access to all users OTP tokens.
Specifically to remove if someone has lost their token. We get this a lot.
I found no permissions that give this access.
Can someone explain if this can be added easily either from the WebUI or
CLI.
Thanks.
--Prashant
this ?
These messages are seen every 5 mins.
On 18 October 2016 at 22:38, Prashant Bapat <prash...@apigee.com> wrote:
> Hi,
>
> I'm seeing lots of error messages like this in the DS logs.
>
> [18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace
> (nsslapd-referral, ldap://ipa-pr
wrote:
> On 19.10.2016 10:14, Ludwig Krispenz wrote:
> >
> > On 10/19/2016 09:39 AM, Prashant Bapat wrote:
> >> Some more info.
> >>
> >> This is happening on one of the hosts for which replica-info file was
> >> generated but for some reason the repl
Hi,
I'm seeing lots of error messages like this in the DS logs.
[18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace
(nsslapd-referral, ldap://
ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
[18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace
(nsslapd-referral,