Re: [Freeipa-users] Client Certificate

2014-09-23 Thread Walid
Yes, Dmitri, these two hints would definitely help; the servers are not 4.x
yet though.

On 19 September 2014 23:14, Dmitri Pal d...@redhat.com wrote:

  On 09/19/2014 04:03 PM, Walid wrote:

 Thank you all, will investigate the requirements of host keytabs, and if
 there is a way around it by having it shared but secure for our context.


 A couple of hints.

 1. If you have a keytab stashed and the system was rebuilt, you can now
 rerun ipa-client-install using this keytab to get a new one and configure
 the client system. It can run and then die, but if you store the keytab
 after running ipa-client-install you would be able to revive it next time.
 2. In 4.1 you will be able to retrieve the same keytab using the ipa-getkeytab
 command. It is implemented to allow clusters that have to share the same
 key, but it might be applicable to your use case too.

 Thanks
 Dmitri



 On 18 September 2014 23:04, Dmitri Pal d...@redhat.com wrote:

   On 09/18/2014 10:12 AM, Walid A. Shaari wrote:

 Hi,

  We are going to have a use case of diskless HPC clients that will use
 the IPA for lookups. I was wondering if I can get rid of the statefulness
 of the client configuration as much as possible, as it is more of a cattle
 than pets use case. That is, I do not need to know that the client is part
 of the domain, no need to enroll a node with a certificate. And services
 will be mostly HPC MPI and SSH, not required to have an SSL certificate for
 secure communication. Is it possible to get rid of the client certificate
 and the requirements for clients to enroll? Or are there other uses for the
 certificate that I am not aware of?

  regards

  Walid


   I think the main problem is making sure that the client can connect to
 the IPA server.
 You can elect to not use ipa-client and just copy configuration files.
 The problem is that SSSD requires some type of authentication to get to
 IPA as a host to do the lookups.
 So this connection must be authenticated. Since you want it to be
 stateless you do not want to manage keys or certs; the only option (which I
 really do not like) is to use a bind password in a file for the LDAP connection.
 You would probably use the same unprivileged account for this bind. However,
 when we get to 4.x you would need to adjust permissions on the server side
 to make sure that proper read permissions are granted. Having a password in
 a file is a security risk, so make sure it is not leaked.

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.


 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go To http://freeipa.org for more info on the project




 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.



Re: [Freeipa-users] Client Certificate

2014-09-19 Thread Dmitri Pal

On 09/19/2014 04:03 PM, Walid wrote:
Thank you all, will investigate the requirements of host keytabs, and 
if there is a way around it by having it shared but secure for our 
context.


A couple of hints.

1. If you have a keytab stashed and the system was rebuilt, you can now 
rerun ipa-client-install using this keytab to get a new one and 
configure the client system. It can run and then die, but if you store 
the keytab after running ipa-client-install you would be able to revive 
it next time.
2. In 4.1 you will be able to retrieve the same keytab using the ipa-getkeytab 
command. It is implemented to allow clusters that have to share the same 
key, but it might be applicable to your use case too.


Thanks
Dmitri



On 18 September 2014 23:04, Dmitri Pal d...@redhat.com 
mailto:d...@redhat.com wrote:


On 09/18/2014 10:12 AM, Walid A. Shaari wrote:

Hi,

We are going to have a use case of diskless HPC clients that will
use the IPA for lookups. I was wondering if I can get rid of the
statefulness of the client configuration as much as possible, as
it is more of a cattle than pets use case. That is, I do not need
to know that the client is part of the domain, no need to enroll
a node with a certificate. And services will be mostly HPC MPI
and SSH, not required to have an SSL certificate for secure
communication. Is it possible to get rid of the client
certificate and the requirements for clients to enroll? Or are
there other uses for the certificate that I am not aware of?

regards

Walid



I think the main problem is making sure that the client can
connect to the IPA server.
You can elect to not use ipa-client and just copy configuration
files. The problem is that SSSD requires some type of
authentication to get to IPA as a host to do the lookups.
So this connection must be authenticated. Since you want it to be
stateless you do not want to manage keys or certs; the only option
(which I really do not like) is to use a bind password in a file for
the LDAP connection. You would probably use the same unprivileged
account for this bind. However, when we get to 4.x you would need
to adjust permissions on the server side to make sure that proper
read permissions are granted. Having a password in a file is a
security risk, so make sure it is not leaked.

-- 
Thank you,

Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.







--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] Client Certificate

2014-09-19 Thread Walid
Thank you all, will investigate the requirements of host keytabs, and if
there is a way around it by having it shared but secure for our context.

On 18 September 2014 23:04, Dmitri Pal d...@redhat.com wrote:

  On 09/18/2014 10:12 AM, Walid A. Shaari wrote:

 Hi,

  We are going to have a use case of diskless HPC clients that will use
 the IPA for lookups. I was wondering if I can get rid of the statefulness
 of the client configuration as much as possible, as it is more of a cattle
 than pets use case. That is, I do not need to know that the client is part
 of the domain, no need to enroll a node with a certificate. And services
 will be mostly HPC MPI and SSH, not required to have an SSL certificate for
 secure communication. Is it possible to get rid of the client certificate
 and the requirements for clients to enroll? Or are there other uses for the
 certificate that I am not aware of?

  regards

  Walid


  I think the main problem is making sure that the client can connect to
 the IPA server.
 You can elect to not use ipa-client and just copy configuration files. The
 problem is that SSSD requires some type of authentication to get to IPA
 as a host to do the lookups.
 So this connection must be authenticated. Since you want it to be
 stateless you do not want to manage keys or certs; the only option (which I
 really do not like) is to use a bind password in a file for the LDAP connection.
 You would probably use the same unprivileged account for this bind. However,
 when we get to 4.x you would need to adjust permissions on the server side
 to make sure that proper read permissions are granted. Having a password in
 a file is a security risk, so make sure it is not leaked.

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.




[Freeipa-users] Client Certificate

2014-09-18 Thread Walid A. Shaari
Hi,

We are going to have a use case of diskless HPC clients that will use the
IPA for lookups. I was wondering if I can get rid of the statefulness of
the client configuration as much as possible, as it is more of a cattle than
pets use case. That is, I do not need to know that the client is part of the
domain, no need to enroll a node with a certificate. And services will be
mostly HPC MPI and SSH, not required to have an SSL certificate for secure
communication. Is it possible to get rid of the client certificate and the
requirements for clients to enroll? Or are there other uses for the
certificate that I am not aware of?

regards

Walid

Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Rob Crittenden
Walid A. Shaari wrote:
 Hi,
 
 We are going to have a use case of diskless HPC clients that will use
 the IPA for lookups. I was wondering if I can get rid of the
 statefulness of the client configuration as much as possible, as it is
 more of a cattle than pets use case. That is, I do not need to know that
 the client is part of the domain, no need to enroll a node with a
 certificate. And services will be mostly HPC MPI and SSH, not required
 to have an SSL certificate for secure communication. Is it possible to
 get rid of the client certificate and the requirements for clients to
 enroll? Or are there other uses for the certificate that I am not aware of?

Yes, you don't need to obtain a machine certificate. In fact we have
stopped doing this upstream.

rob



Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Walid A. Shaari
Great, Rob. Would that still be doable with RHEL5 and RHEL6 ipa 2 and 3
clients?

On 18 September 2014 17:43, Rob Crittenden rcrit...@redhat.com wrote:

 Walid A. Shaari wrote:
  Hi,
 
  We are going to have a use case of diskless HPC clients that will use
  the IPA for lookups. I was wondering if I can get rid of the
  statefulness of the client configuration as much as possible, as it is
  more of a cattle than pets use case. That is, I do not need to know that
  the client is part of the domain, no need to enroll a node with a
  certificate. And services will be mostly HPC MPI and SSH, not required
  to have an SSL certificate for secure communication. Is it possible to
  get rid of the client certificate and the requirements for clients to
  enroll? Or are there other uses for the certificate that I am not aware
 of?

 Yes, you don't need to obtain a machine certificate. In fact we have
 stopped doing this upstream.

 rob



Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Simo Sorce
On Thu, 18 Sep 2014 18:49:44 +0300
Walid A. Shaari walid.sha...@linux.com wrote:

 Great, Rob. Would that still be doable with RHEL5 and RHEL6 ipa 2 and
 3 clients?

The X509 certificate has always been provided as a commodity but never
required.
Keytabs are the only thing we require.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Rob Crittenden
Walid A. Shaari wrote:
 Great, Rob. Would that still be doable with RHEL5 and RHEL6 ipa 2 and 3
 clients?

Sure, the cert isn't used anyway, but it isn't optional to have
certmonger try to get one.

If you really care you can run a command to tell certmonger to stop
tracking the cert though:

# ipa-getcert stop-tracking -d /etc/pki/nssdb -n 'IPA Machine Certificate - client.example.com'

That doesn't remove the certificate from the database. If you want to do
that, do:

# certutil -D -d /etc/pki/nssdb/ -n 'IPA Machine Certificate - client.example.com'

And you might want to revoke the cert. To do that you'd use ipa cert-revoke
<serial number>. You need pretty high privileges to do that though
(admin has them).

rob

 
 On 18 September 2014 17:43, Rob Crittenden rcrit...@redhat.com
 mailto:rcrit...@redhat.com wrote:
 
 Walid A. Shaari wrote:
  Hi,
 
  We are going to have a use case of diskless HPC clients that will use
  the IPA for lookups. I was wondering if I can get rid of the
  statefulness of the client configuration as much as possible, as it is
  more of a cattle than pets use case. That is, I do not need to know
 that
  the client is part of the domain, no need to enroll a node with a
  certificate. And services will be mostly HPC MPI and SSH, not required
  to have an SSL certificate for secure communication. Is it possible to
  get rid of the client certificate and the requirements for clients to
  enroll? Or are there other uses for the certificate that I am not
 aware of?
 
 Yes, you don't need to obtain a machine certificate. In fact we have
 stopped doing this upstream.
 
 rob
 
 

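The cleanup Rob describes, as an added example that is not part of the thread and not FreeIPA's own tooling: the three steps are wrapped in shell functions, and the certificate's serial number is read from certutil's own output so the revoke step does not depend on a hand-copied value. NSSDB and NICK default to the values in Rob's message; the host name client.example.com and the sample certutil output are constructed. It assumes certmonger (ipa-getcert), NSS (certutil) and, for the revoke step, an admin Kerberos ticket.

```shell
#!/bin/sh
# Added example (not from the thread): stop certmonger tracking, delete
# the machine certificate from the NSS database and optionally revoke it,
# reading the serial from certutil before the certificate is deleted.
set -eu

NSSDB=${NSSDB:-/etc/pki/nssdb}
NICK=${NICK:-"IPA Machine Certificate - client.example.com"}   # constructed host name

# Constructed sample of what "certutil -L -d DB -n NICK" prints; only the
# "Serial Number" line matters to the parser below.
SAMPLE_CERTUTIL_OUTPUT='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12 (0xc)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"'

# Read certutil's pretty-printed certificate on stdin and print the decimal
# serial; fail (exit 1) when no "Serial Number: N" line is present.
serial_from_certutil() {
    s=$(sed -n 's/^[[:space:]]*Serial Number:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$s" ] || return 1
    printf '%s\n' "$s"
}

# Serial of the tracked machine certificate as stored in the NSS database.
machine_cert_serial() {
    certutil -L -d "$NSSDB" -n "$NICK" | serial_from_certutil
}

# Runs the parser over the constructed sample, so it can be exercised on a
# machine without an NSS database. Returns "12" for the sample above.
demo_serial() {
    printf '%s\n' "$SAMPLE_CERTUTIL_OUTPUT" | serial_from_certutil
}

# Step 1: certmonger stops tracking (and renewing) the certificate.
stop_tracking() { ipa-getcert stop-tracking -d "$NSSDB" -n "$NICK"; }

# Step 2: step 1 leaves the certificate in the database; remove it.
delete_from_nssdb() { certutil -D -d "$NSSDB" -n "$NICK"; }

# Step 3 (optional): revoke on the IPA CA. Reason 5 is cessationOfOperation
# (RFC 5280); as Rob notes, this needs admin-level privileges.
revoke_cert() { ipa cert-revoke "$1" --revocation-reason=5; }

if [ "${1:-}" = "--apply" ]; then
    serial=$(machine_cert_serial)       # read it before the cert is deleted
    stop_tracking
    delete_from_nssdb
    if [ "${REVOKE:-no}" = "yes" ]; then
        revoke_cert "$serial"
    fi
fi
```

Run it as root with `--apply` to perform steps 1 and 2; set `REVOKE=yes` in the environment to also revoke. The parser only handles the single-line decimal form certutil prints for small serials, which is what a Dogtag-issued machine certificate normally has; it fails cleanly rather than guessing otherwise.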


Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Natxo Asenjo
hi,

On Thu, Sep 18, 2014 at 4:43 PM, Rob Crittenden rcrit...@redhat.com wrote:


 Yes, you don't need to obtain a machine certificate. In fact we have
 stopped doing this upstream.


Do you mean ipa will not have a CA in the future? Or will it be optional?
Or am I misunderstanding this :-) ? I quite like the CA stuff in ipa,
actually.

--
Groeten,
natxo

Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Alexander Bokovoy

On Thu, 18 Sep 2014, Natxo Asenjo wrote:

hi,

On Thu, Sep 18, 2014 at 4:43 PM, Rob Crittenden rcrit...@redhat.com wrote:



Yes, you don't need to obtain a machine certificate. In fact we have
stopped doing this upstream.



Do you mean ipa will not have a CA in the future? Or will it be optional?
Or am I misunderstanding this :-) ? I quite like the CA stuff in ipa,
actually.

The host certificate is not used for anything right now, so it is removed in
4.x. All the rest is in place, and the CA can be an external one.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Rob Crittenden
Natxo Asenjo wrote:
 hi,
 
 On Thu, Sep 18, 2014 at 4:43 PM, Rob Crittenden rcrit...@redhat.com
 mailto:rcrit...@redhat.com wrote:
 
 
 Yes, you don't need to obtain a machine certificate. In fact we have
 stopped doing this upstream.
 
 
 Do you mean ipa will not have a CA in the future? Or will it be
 optional? Or am I misunderstanding this :-) ? I quite like the CA stuff
 in ipa, actually.


No, don't worry, the CA isn't going anywhere :-)

On the client right now we retrieve a certificate for host identity and
store it in /etc/pki/nssdb. We did this for future proofing and here we
are, pretty far in the future, and we've never used it. So we decided to
stop generating it.

If on the off chance it turns out we're wrong and someone has actually
found a use for that certificate it can be quite easily generated using
ipa-getcert after the client is enrolled.

rob



Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Dmitri Pal

On 09/18/2014 10:12 AM, Walid A. Shaari wrote:

Hi,

We are going to have a use case of diskless HPC clients that will use 
the IPA for lookups. I was wondering if I can get rid of the 
statefulness of the client configuration as much as possible, as it is 
more of a cattle than pets use case. That is, I do not need to know 
that the client is part of the domain, no need to enroll a node with a 
certificate. And services will be mostly HPC MPI and SSH, not required 
to have an SSL certificate for secure communication. Is it possible to 
get rid of the client certificate and the requirements for clients to 
enroll? Or are there other uses for the certificate that I am not 
aware of?


regards

Walid


I think the main problem is making sure that the client can connect to 
the IPA server.
You can elect to not use ipa-client and just copy configuration files. 
The problem is that SSSD requires some type of authentication to get 
to IPA as a host to do the lookups.
So this connection must be authenticated. Since you want it to be 
stateless you do not want to manage keys or certs; the only option (which 
I really do not like) is to use a bind password in a file for the LDAP 
connection. You would probably use the same unprivileged account for 
this bind. However, when we get to 4.x you would need to adjust 
permissions on the server side to make sure that proper read permissions 
are granted. Having a password in a file is a security risk, so make sure 
it is not leaked.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

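What Dmitri's "copy configuration files, bind with a password" option looks like in practice, as an added example that is not part of the thread and not an SSSD or FreeIPA project file: a script that renders an sssd.conf for an unenrolled client using the LDAP provider with a dedicated read-only bind account, writes it with no group/other permission bits, and checks any copy of the file for the leak he warns about. The server name ipa.example.com, the bind DN, the search base and the CA path /etc/ipa/ca.crt are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): SSSD LDAP-provider config with the
# bind password in the file, plus a permission check on that file.
set -eu

# Print an sssd.conf for an unenrolled client. $1 IPA server FQDN,
# $2 bind DN of a dedicated read-only system account, $3 its password,
# $4 LDAP search base. Option names are SSSD's ldap provider options.
render_sssd_ldap_conf() {
    server="$1"; bind_dn="$2"; bind_pw="$3"; base="$4"
    cat <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = ipa-ldap

[domain/ipa-ldap]
id_provider = ldap
auth_provider = ldap
ldap_schema = IPA
ldap_uri = ldaps://$server
ldap_search_base = $base
# placeholder path: the IPA CA certificate has to be shipped in the image
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_tls_reqcert = demand
# the credentials Dmitri warns about: keep the account unprivileged
# (read-only) so a leak of this file exposes lookups, not the domain
ldap_default_bind_dn = $bind_dn
ldap_default_authtok_type = password
ldap_default_authtok = $bind_pw
EOF
}

# Write the rendered config to $1 with no group/other permission bits;
# the remaining arguments are passed to render_sssd_ldap_conf.
install_sssd_conf() {
    dest="$1"; shift
    old_umask=$(umask)
    umask 077                       # file is created without group/other bits
    render_sssd_ldap_conf "$@" > "$dest"
    umask "$old_umask"
    chmod 600 "$dest"               # also tightens a pre-existing looser mode
}

# Return 0 when $1 has mode 0600 or 0400, 1 otherwise. SSSD refuses to
# start on a world-readable sssd.conf, but it never sees the other copies
# of the file (image build tree, kickstart, backups); run this on those.
check_secret_file_perms() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

if [ "${1:-}" = "--install" ]; then
    install_sssd_conf /etc/sssd/sssd.conf "$2" "$3" "$4" "$5"
    check_secret_file_perms /etc/sssd/sssd.conf
fi
```

Usage: `./sssd-ldap-conf.sh --install ipa.example.com 'uid=sssd-reader,cn=sysaccounts,cn=etc,dc=example,dc=com' 'the-password' dc=example,dc=com` as root. The file should also be owned by root; the check deliberately looks only at the mode so it can be run on a copy in a build tree owned by a build user.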

Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Natxo Asenjo
hi,

On Thu, Sep 18, 2014 at 9:05 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Natxo Asenjo wrote:
  hi,
 
  On Thu, Sep 18, 2014 at 4:43 PM, Rob Crittenden rcrit...@redhat.com
  mailto:rcrit...@redhat.com wrote:
 
 
  Yes, you don't need to obtain a machine certificate. In fact we have
  stopped doing this upstream.
 
 
  Do you mean ipa will not have a CA in the future? Or will it be
  optional? Or am I misunderstanding this :-) ? I quite like the CA stuff
  in ipa, actually.
 

 No, don't worry, the CA isn't going anywhere :-)

 On the client right now we retrieve a certificate for host identity and
 store it in /etc/pki/nssdb. We did this for future proofing and here we
 are, pretty far in the future, and we've never used it. So we decided to
 stop generating it.

 If on the off chance it turns out we're wrong and someone has actually
 found a use for that certificate it can be quite easily generated using
 ipa-getcert after the client is enrolled.


OK. I was thinking of starting a pilot with dot1.x, and host certificates
are usually used for this, so it would be nice to have a CLI switch during
enrollment.

-- 
groet,
natxo




Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Rob Crittenden
Natxo Asenjo wrote:
 hi,
 
 On Thu, Sep 18, 2014 at 9:05 PM, Rob Crittenden rcrit...@redhat.com
 mailto:rcrit...@redhat.com wrote:
 
 Natxo Asenjo wrote:
  hi,
 
  On Thu, Sep 18, 2014 at 4:43 PM, Rob Crittenden rcrit...@redhat.com 
 mailto:rcrit...@redhat.com
  mailto:rcrit...@redhat.com mailto:rcrit...@redhat.com wrote:
 
 
  Yes, you don't need to obtain a machine certificate. In fact we have
  stopped doing this upstream.
 
 
  Do you mean ipa will not have a CA in the future? Or will it be
  optional? Or am I misunderstanding this :-) ? I quite like the CA stuff
  in ipa, actually.
 
 
 No, don't worry, the CA isn't going anywhere :-)
 
 On the client right now we retrieve a certificate for host identity and
 store it in /etc/pki/nssdb. We did this for future proofing and here we
 are, pretty far in the future, and we've never used it. So we decided to
 stop generating it.
 
 If on the off chance it turns out we're wrong and someone has actually
 found a use for that certificate it can be quite easily generated using
 ipa-getcert after the client is enrolled.
 
 
 OK. I was thinking of starting a pilot with dot1.x, and host
 certificates are usually used for this, so it would be nice to have a
 CLI switch during enrollment.

Ok, do you have a preference on where the cert would be installed?
Currently it is added to /etc/pki/nssdb but we were going to move it to
/etc/ipa/nssdb before deciding to drop it altogether. I think if we
restore the functionality we'll use the latter database.

I filed https://fedorahosted.org/freeipa/ticket/4550
rob

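Rob says the certificate can be generated with ipa-getcert after enrollment, which is what a pilot like Natxo's needs until a CLI switch exists. As an added example, not part of the thread and not FreeIPA's own code: a script that reads the host name and realm from /etc/ipa/default.conf (the file ipa-client-install writes) and requests a host certificate through certmonger into /etc/ipa/nssdb, the database Rob says a restored feature would use. The nickname follows the old client's "IPA Machine Certificate - FQDN" form; the subject CN=FQDN,O=REALM is my assumption about the old certificate's subject, and the sample default.conf is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): request the host certificate for an
# already-enrolled client via certmonger, with the parameters derived from
# /etc/ipa/default.conf.
set -eu

IPA_CONF=${IPA_CONF:-/etc/ipa/default.conf}
NSSDB=${NSSDB:-/etc/ipa/nssdb}

# Constructed stand-in for /etc/ipa/default.conf.
SAMPLE_DEFAULT_CONF='[global]
basedn = dc=example,dc=com
realm = EXAMPLE.COM
domain = example.com
server = ipa.example.com
host = client.example.com
xmlrpc_uri = https://ipa.example.com/ipa/xml'

# Print the value of "key = value" for key $1 read from file $2 (first
# match; default.conf has a single [global] section, so no section parsing).
ipa_conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# Derive the request arguments from a default.conf; prints "fqdn realm" and
# fails if either value is missing.
request_args_from_conf() {
    fqdn=$(ipa_conf_get host "$1"); realm=$(ipa_conf_get realm "$1")
    [ -n "$fqdn" ] && [ -n "$realm" ] || return 1
    printf '%s %s\n' "$fqdn" "$realm"
}

# Ask certmonger for the host certificate: -d/-n name the NSS database and
# nickname, -N the subject (assumed CN=FQDN,O=REALM), -K the host principal
# that certmonger places in the subject alternative name.
request_machine_cert() {
    fqdn="$1"; realm="$2"
    ipa-getcert request -d "$NSSDB" \
        -n "IPA Machine Certificate - $fqdn" \
        -N "CN=$fqdn,O=$realm" \
        -K "host/$fqdn@$realm"
}

if [ "${1:-}" = "--apply" ]; then
    set -- $(request_args_from_conf "$IPA_CONF")
    request_machine_cert "$1" "$2"
fi
```

Run with `--apply` as root on an enrolled client; certmonger then tracks and renews the certificate the same way the old ipa-client-install one was tracked, and `ipa-getcert list -d /etc/ipa/nssdb` shows its state.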


Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Natxo Asenjo
On Thu, Sep 18, 2014 at 10:51 PM, Rob Crittenden rcrit...@redhat.com
wrote:

 Natxo Asenjo wrote:
  OK. I was thinking of starting a pilot with dot1.x, and host
  certificates are usually used for this, so it would be nice to have a
  CLI switch during enrollment.

 Ok, do you have a preference on where the cert would be installed?
 Currently it is added to /etc/pki/nssdb but we were going to move it to
 /etc/ipa/nssdb before deciding to drop it altogether. I think if we
 restore the functionality we'll use the latter database.

 I filed https://fedorahosted.org/freeipa/ticket/4550
 rob


Not really, although having all kinds of certificates in /etc/pki is
convenient, or is where we all expect them to be ...

Thanks for taking the time to file the RFE, by the way.
--
Groeten,
natxo