[Freeipa-users] Integrating Yubikey tokens into FreeIPA

2012-12-19 Thread Dale Macartney


Morning all

Here's something I was working on last night with Gavin Spurgeon.

If anyone would like to comment on better ways to achieve this, I'd love
to hear it so I can update my own procedures (and the article of course).

https://www.dalemacartney.com/2012/12/19/integrating-yubikey-token-details-within-ldap-with-freeipa-and-red-hat-enterprise-linux-6/

I hope some people find it useful.


Dale






___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Integrating Yubikey tokens into FreeIPA

2012-12-19 Thread Simo Sorce
On Wed, 2012-12-19 at 12:30 +, Dale Macartney wrote:
 
 Morning all
 
 Here's something I was working on last night with Gavin Spurgeon.
 
 If anyone would like to comment on better ways to achieve this, I'd love
 to hear it so I can update my own procedures (and the article of course).
 
 https://www.dalemacartney.com/2012/12/19/integrating-yubikey-token-details-within-ldap-with-freeipa-and-red-hat-enterprise-linux-6/
 
 I hope some people find it useful.

Hi Dale,
what problem do you have adding new schema ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Integrating Yubikey tokens into FreeIPA

2012-12-19 Thread Dale Macartney



On 12/19/2012 01:20 PM, Simo Sorce wrote:
 Hi Dale,
 what problem do you have adding new schema ?
we weren't able to add any objectIdentifier fields... when trying to
search for existing schema entries, we received the below output.

[root@ds01 ~]# ldapsearch -LLL -h localhost -D cn=Directory Manager -x
-w redhat123 -b cn=schema
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema

[root@ds01 ~]#


We were trying to use this schema, which was created by Michal; however,
we never managed to get it imported with the objectIdentifier values there.

dn: cn=yubikey,cn=config
objectClass: SchemaConfig
cn: yubikey
#
# YubiKey LDAP schema
#
# Author: Michal Ludvig mic...@logix.cz
# Consider a small PayPal donation:
# http://logix.cz/michal/devel/yubikey-ldap/
#
# Common Logix OID structure
# LogixOID.Project.SNMP/LDAP
ObjectIdentifier: {0}logixOID      1.3.6.1.4.1.40789
ObjectIdentifier: {1}YubiKeyPrj    logixOID:2012.11.1
ObjectIdentifier: {2}YkSNMP        YubiKeyPrj:1
ObjectIdentifier: {3}YkLDAP        YubiKeyPrj:2
# YubiKey schema sub-tree
ObjectIdentifier: {4}YkAttribute   YkLDAP:1
ObjectIdentifier: {5}YkObjectClass YkLDAP:2
AttributeTypes: {0}( YkAttribute:1
  NAME 'yubiKeyId'
  DESC 'Yubico YubiKey ID'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
ObjectClasses: {0}( YkObjectClass:1
  NAME 'yubiKeyUser'
  DESC 'Yubico YubiKey User'
  SUP top
  AUXILIARY
  MAY ( yubiKeyId ) )

we ended up having to settle for

dn: cn=schema
#
attributeTypes: ( 1.3.6.1.4.1.40789.2012.11.1.2.1 NAME 'yubiKeyId' DESC
'Yubico YubiKey ID' EQUALITY caseIgnoreIA5Match SYNTAX
1.3.6.1.4.1.1466.115.121.1.26{1
objectClasses: ( 1.3.6.1.4.1.40789.2012.11.1.2.2 NAME 'yubiKeyUser' DESC
'Yubico YubiKey User' SUP top AUXILIARY MAY ( yubiKeyId ) )


Are there any security restrictions on the schema, or perhaps something
done differently to normal LDAP? Unless of course I'm doing something silly.

thoughts?



 Simo.






Re: [Freeipa-users] Integrating Yubikey tokens into FreeIPA

2012-12-19 Thread Rich Megginson

On 12/19/2012 07:04 AM, Simo Sorce wrote:

On Wed, 2012-12-19 at 13:32 +, Dale Macartney wrote:


On 12/19/2012 01:20 PM, Simo Sorce wrote:

Hi Dale,
what problem do you have adding new schema ?

we weren't able to add any objectIdentifier fields... when trying to
search for existing schema entries, we received the below output.

[root@ds01 ~]# ldapsearch -LLL -h localhost -D cn=Directory Manager -x
-w redhat123 -b cn=schema
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema


For some reason the attributes you need to list are not returned by
default and need to be explicitly listed; they are treated as
operational.
In LDAPv3, operational attributes are not returned by default - they 
must be explicitly specified.


The search you need is:
ldapsearch -h localhost -x -b cn=schema attributeTypes,objectClasses
ldapsearch -h localhost -x -b cn=schema 'objectclass=*' \* attributeTypes objectClasses


Also note that the lines will be wrapped, so if you are trying to grep 
for something, you will have to unwrap the lines first - see

http://richmegginson.livejournal.com/18726.html


Note that you do not need any auth to read the schema by default.


[root@ds01 ~]#


We were trying to use this schema, which was created by Michal; however,
we never managed to get it imported with the objectIdentifier values there.

dn: cn=yubikey,cn=config
objectClass: SchemaConfig
cn: yubikey
#
# YubiKey LDAP schema
#
# Author: Michal Ludvig mic...@logix.cz
# Consider a small PayPal donation:
# http://logix.cz/michal/devel/yubikey-ldap/
#
# Common Logix OID structure
# LogixOID.Project.SNMP/LDAP
ObjectIdentifier: {0}logixOID      1.3.6.1.4.1.40789
ObjectIdentifier: {1}YubiKeyPrj    logixOID:2012.11.1
ObjectIdentifier: {2}YkSNMP        YubiKeyPrj:1
ObjectIdentifier: {3}YkLDAP        YubiKeyPrj:2
# YubiKey schema sub-tree
ObjectIdentifier: {4}YkAttribute   YkLDAP:1
ObjectIdentifier: {5}YkObjectClass YkLDAP:2
AttributeTypes: {0}( YkAttribute:1
   NAME 'yubiKeyId'
   DESC 'Yubico YubiKey ID'
   EQUALITY caseIgnoreIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
ObjectClasses: {0}( YkObjectClass:1
   NAME 'yubiKeyUser'
   DESC 'Yubico YubiKey User'
   SUP top
   AUXILIARY
   MAY ( yubiKeyId ) )

we ended up having to settle for

dn: cn=schema
#
attributeTypes: ( 1.3.6.1.4.1.40789.2012.11.1.2.1 NAME 'yubiKeyId' DESC
'Yubico YubiKey ID' EQUALITY caseIgnoreIA5Match SYNTAX
1.3.6.1.4.1.1466.115.121.1.26{1
objectClasses: ( 1.3.6.1.4.1.40789.2012.11.1.2.2 NAME 'yubiKeyUser' DESC
'Yubico YubiKey User' SUP top AUXILIARY MAY ( yubiKeyId ) )


Are there any security restrictions on the schema, or perhaps something
done differently to normal LDAP? Unless of course I'm doing something silly.

thoughts?

Ah, no, it's just that 389ds does not support the prettified OIDs yet. The
schema file you ended up importing is 100% equivalent to the one with
the OID prefix substitutions.

Simo.



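Rich's two points in the reply above (the schema attributes are operational, so they must be requested explicitly, and the LDIF that comes back is folded, so a plain grep can miss a value) can be checked offline. The following is an added example, not code from the thread, the blog post or 389ds; the folded LDIF is a constructed sample in the shape of the cn=schema output discussed, and the function names are my own.

```python
import re

# Constructed sample of what
#   ldapsearch -x -b cn=schema 'objectclass=*' \* attributeTypes objectClasses
# returns once the operational attributes are requested by name. Long values are
# folded the way RFC 2849 allows: a continuation line starts with a single space.
SAMPLE_LDIF = """\
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
attributeTypes: ( 1.3.6.1.4.1.40789.2012.11.1.2.1 NAME 'yubiKeyId' DESC 'Yubico
  YubiKey ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{
 128} )
objectClasses: ( 1.3.6.1.4.1.40789.2012.11.1.2.2 NAME 'yubiKey
 User' DESC 'Yubico YubiKey User' SUP top AUXILIARY MAY ( yubiKeyId ) )
"""


def unwrap_ldif(text):
    """Join RFC 2849 folded lines: a line beginning with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # drop the fold marker, keep the rest verbatim
        else:
            lines.append(raw)
    return lines


def schema_definitions(text, attr):
    """Return the values of one schema attribute (e.g. 'objectClasses') from unwrapped LDIF."""
    prefix = attr.lower() + ": "
    return [line[len(prefix):] for line in unwrap_ldif(text)
            if line.lower().startswith(prefix)]


def find_by_name(text, name):
    """Locate a definition by its NAME; returns (attribute, definition) or None.

    The search is only reliable after unwrapping: in the folded form the NAME token
    may be split across two physical lines, which is exactly what defeats grep.
    """
    pattern = re.compile(r"NAME\s+'%s'" % re.escape(name))
    for attr in ("attributeTypes", "objectClasses"):
        for definition in schema_definitions(text, attr):
            if pattern.search(definition):
                return attr, definition
    return None


def definition_oid(definition):
    """The numeric OID is the first token after the opening parenthesis."""
    return definition.split()[1]


if __name__ == "__main__":
    print("raw grep finds 'yubiKeyUser':", "'yubiKeyUser'" in SAMPLE_LDIF)
    print("after unwrapping:", find_by_name(SAMPLE_LDIF, "yubiKeyUser"))
```

Reading the schema anonymously, as Rich notes, is the default for 389ds and is harmless in itself; what the example shows is that any tooling which inspects the schema (an audit script checking that the YubiKey attribute is present on every replica, say) must unwrap before matching.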
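Simo's closing point is that the macro-style OIDs in Michal's file (`YkAttribute:1`) are a notational convenience that 389ds does not understand, so the numeric form has to be produced by hand. The following added example (not from the thread, the blog post or 389ds) expands those macros the way OpenLDAP's `objectIdentifier` directive defines them, `name:suffix` meaning the macro's OID followed by `.suffix`, and renders the result as a modify operation against cn=schema that ldapmodify would accept. The schema text is a constructed copy of the one quoted above with each definition folded onto one line; the function names are my own. One thing the mechanical expansion makes visible: `YkAttribute:1` resolves to `1.3.6.1.4.1.40789.2012.11.1.2.1.1`, one arc longer than the `...2.1` written into the schema that was finally imported. Both forms load, but an installation that later imports the macro file on a server that does support it would register different OIDs for the same attribute, which is the kind of mismatch worth catching before it reaches a replica.

```python
import re

# Constructed copy of the macro-style YubiKey schema quoted in the thread, with each
# definition folded onto one line. The {n} ordering prefixes and comments are ignored.
MACRO_SCHEMA = """\
# Common Logix OID structure
ObjectIdentifier: {0}logixOID 1.3.6.1.4.1.40789
ObjectIdentifier: {1}YubiKeyPrj logixOID:2012.11.1
ObjectIdentifier: {2}YkSNMP YubiKeyPrj:1
ObjectIdentifier: {3}YkLDAP YubiKeyPrj:2
ObjectIdentifier: {4}YkAttribute YkLDAP:1
ObjectIdentifier: {5}YkObjectClass YkLDAP:2
AttributeTypes: {0}( YkAttribute:1 NAME 'yubiKeyId' DESC 'Yubico YubiKey ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
ObjectClasses: {0}( YkObjectClass:1 NAME 'yubiKeyUser' DESC 'Yubico YubiKey User' SUP top AUXILIARY MAY ( yubiKeyId ) )
"""

ORDER_PREFIX = re.compile(r"^\{\d+\}")      # the {0}, {1} ... ordering markers
LEADING_OID = re.compile(r"\(\s*(\S+)")      # first token after "(" is the OID


def resolve_oid(ref, macros):
    """Turn 'name' or 'name:suffix' into a numeric OID; numeric input is returned unchanged."""
    if ref[0].isdigit():
        return ref
    name, _, suffix = ref.partition(":")
    if name not in macros:
        raise ValueError("undefined OID macro: %s" % name)
    return macros[name] + ("." + suffix if suffix else "")


def expand_macros(schema_text):
    """Return [(attribute, definition)] with every macro OID replaced by its numeric value."""
    macros = {}
    definitions = []
    for line in schema_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        value = ORDER_PREFIX.sub("", value.strip())
        if key.lower() == "objectidentifier":
            name, ref = value.split()
            macros[name] = resolve_oid(ref, macros)   # macros may build on earlier macros
        elif key.lower() in ("attributetypes", "objectclasses"):
            match = LEADING_OID.match(value)
            if not match:
                raise ValueError("definition does not start with an OID: %s" % value)
            numeric = resolve_oid(match.group(1), macros)
            # 389ds spells the schema attributes attributeTypes / objectClasses
            attr = {"attributetypes": "attributeTypes",
                    "objectclasses": "objectClasses"}[key.lower()]
            definitions.append((attr, value.replace(match.group(1), numeric, 1)))
    return definitions


def to_modify_ldif(definitions):
    """Render the expanded definitions as an LDIF modify operation on cn=schema."""
    out = ["dn: cn=schema", "changetype: modify"]
    for attr, definition in definitions:
        out += ["add: %s" % attr, "%s: %s" % (attr, definition), "-"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_modify_ldif(expand_macros(MACRO_SCHEMA)), end="")
```

Feed the printed LDIF to `ldapmodify` as Directory Manager; the expansion is deterministic, so running it on every replica (or diffing its output against `ldapsearch -b cn=schema` after unwrapping) is a cheap way to confirm the schema is identical everywhere.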