[Freeipa-users] Integrating Yubikey tokens into FreeIPA
Morning all

Here's something I was working on last night with Gavin Spurgeon. If anyone would like to comment on better ways to achieve this, I'd love to hear it so I can update my own procedures (and the article of course).

https://www.dalemacartney.com/2012/12/19/integrating-yubikey-token-details-within-ldap-with-freeipa-and-red-hat-enterprise-linux-6/

I hope some people find it useful.

Dale

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Integrating Yubikey tokens into FreeIPA
On Wed, 2012-12-19 at 12:30, Dale Macartney wrote:
> Morning all
>
> Here's something I was working on last night with Gavin Spurgeon. If anyone
> would like to comment on better ways to achieve this, I'd love to hear it
> so I can update my own procedures (and the article of course).
>
> https://www.dalemacartney.com/2012/12/19/integrating-yubikey-token-details-within-ldap-with-freeipa-and-red-hat-enterprise-linux-6/
>
> I hope some people find it useful.

Hi Dale,
what problem do you have adding new schema ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Integrating Yubikey tokens into FreeIPA
On 12/19/2012 01:20 PM, Simo Sorce wrote:
> On Wed, 2012-12-19 at 12:30, Dale Macartney wrote:
>> Morning all
>>
>> Here's something I was working on last night with Gavin Spurgeon. If anyone
>> would like to comment on better ways to achieve this, I'd love to hear it
>> so I can update my own procedures (and the article of course).
>>
>> https://www.dalemacartney.com/2012/12/19/integrating-yubikey-token-details-within-ldap-with-freeipa-and-red-hat-enterprise-linux-6/
>>
>> I hope some people find it useful.
>
> Hi Dale,
> what problem do you have adding new schema ?

We weren't able to add any objectIdentifier fields... When trying to search for existing schema entries, we received the below output.

[root@ds01 ~]# ldapsearch -LLL -h localhost -D "cn=Directory Manager" -x -w redhat123 -b cn=schema
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema

[root@ds01 ~]#

We were trying to use this schema, which was created by Michal; however, we never managed to get it imported with the objectIdentifier values there.

dn: cn=yubikey,cn=config
objectClass: SchemaConfig
cn: yubikey
#
# YubiKey LDAP schema
#
# Author: Michal Ludvig mic...@logix.cz
# Consider a small PayPal donation:
# http://logix.cz/michal/devel/yubikey-ldap/
#
# Common Logix OID structure
# LogixOID.Project.SNMP/LDAP
ObjectIdentifier: {0}logixOID 1.3.6.1.4.1.40789
ObjectIdentifier: {1}YubiKeyPrj logixOID:2012.11.1
ObjectIdentifier: {2}YkSNMP YubiKeyPrj:1
ObjectIdentifier: {3}YkLDAP YubiKeyPrj:2
# YubiKey schema sub-tree
ObjectIdentifier: {4}YkAttribute YkLDAP:1
ObjectIdentifier: {5}YkObjectClass YkLDAP:2
AttributeTypes: {0}( YkAttribute:1 NAME 'yubiKeyId' DESC 'Yubico YubiKey ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
ObjectClasses: {0}( YkObjectClass:1 NAME 'yubiKeyUser' DESC 'Yubico YubiKey User' SUP top AUXILIARY MAY ( yubiKeyId ) )

We ended up having to settle for

dn: cn=schema
#
attributeTypes: ( 1.3.6.1.4.1.40789.2012.11.1.2.1 NAME 'yubiKeyId' DESC 'Yubico YubiKey ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1
objectClasses: ( 1.3.6.1.4.1.40789.2012.11.1.2.2 NAME 'yubiKeyUser' DESC 'Yubico YubiKey User' SUP top AUXILIARY MAY ( yubiKeyId ) )

Are there any security restrictions on the schema, or perhaps something done differently to normal LDAP? Unless of course I'm doing something silly.

Thoughts?

> Simo.
Re: [Freeipa-users] Integrating Yubikey tokens into FreeIPA
On 12/19/2012 07:04 AM, Simo Sorce wrote:
> On Wed, 2012-12-19 at 13:32, Dale Macartney wrote:
>> On 12/19/2012 01:20 PM, Simo Sorce wrote:
>>> On Wed, 2012-12-19 at 12:30, Dale Macartney wrote:
>>>> Morning all
>>>>
>>>> Here's something I was working on last night with Gavin Spurgeon. If
>>>> anyone would like to comment on better ways to achieve this, I'd love
>>>> to hear it so I can update my own procedures (and the article of course).
>>>>
>>>> https://www.dalemacartney.com/2012/12/19/integrating-yubikey-token-details-within-ldap-with-freeipa-and-red-hat-enterprise-linux-6/
>>>>
>>>> I hope some people find it useful.
>>>
>>> Hi Dale,
>>> what problem do you have adding new schema ?
>>
>> We weren't able to add any objectIdentifier fields... When trying to search
>> for existing schema entries, we received the below output.
>>
>> [root@ds01 ~]# ldapsearch -LLL -h localhost -D "cn=Directory Manager" -x -w redhat123 -b cn=schema
>> dn: cn=schema
>> objectClass: top
>> objectClass: ldapSubentry
>> objectClass: subschema
>> cn: schema
>
> For some reason the attributes you need to list are not returned by default
> and need to be explicitly listed; they are treated as operational.

In LDAPv3, operational attributes are not returned by default - they must be explicitly specified.

> The search you need is:
>
> ldapsearch -h localhost -x -b cn=schema attributeTypes,objectClasses

ldapsearch -h localhost -x -b cn=schema objectclass=* \* attributeTypes objectClasses

Also note that the lines will be wrapped, so if you are trying to grep for something, you will have to unwrap the lines first - see http://richmegginson.livejournal.com/18726.html

> Note that you do not need any auth to read the schema by default.
>
>> [root@ds01 ~]#
>>
>> We were trying to use this schema, which was created by Michal; however, we
>> never managed to get it imported with the objectIdentifier values there.
>>
>> dn: cn=yubikey,cn=config
>> objectClass: SchemaConfig
>> cn: yubikey
>> #
>> # YubiKey LDAP schema
>> #
>> # Author: Michal Ludvig mic...@logix.cz
>> # Consider a small PayPal donation:
>> # http://logix.cz/michal/devel/yubikey-ldap/
>> #
>> # Common Logix OID structure
>> # LogixOID.Project.SNMP/LDAP
>> ObjectIdentifier: {0}logixOID 1.3.6.1.4.1.40789
>> ObjectIdentifier: {1}YubiKeyPrj logixOID:2012.11.1
>> ObjectIdentifier: {2}YkSNMP YubiKeyPrj:1
>> ObjectIdentifier: {3}YkLDAP YubiKeyPrj:2
>> # YubiKey schema sub-tree
>> ObjectIdentifier: {4}YkAttribute YkLDAP:1
>> ObjectIdentifier: {5}YkObjectClass YkLDAP:2
>> AttributeTypes: {0}( YkAttribute:1 NAME 'yubiKeyId' DESC 'Yubico YubiKey ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
>> ObjectClasses: {0}( YkObjectClass:1 NAME 'yubiKeyUser' DESC 'Yubico YubiKey User' SUP top AUXILIARY MAY ( yubiKeyId ) )
>>
>> We ended up having to settle for
>>
>> dn: cn=schema
>> #
>> attributeTypes: ( 1.3.6.1.4.1.40789.2012.11.1.2.1 NAME 'yubiKeyId' DESC 'Yubico YubiKey ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1
>> objectClasses: ( 1.3.6.1.4.1.40789.2012.11.1.2.2 NAME 'yubiKeyUser' DESC 'Yubico YubiKey User' SUP top AUXILIARY MAY ( yubiKeyId ) )
>>
>> Are there any security restrictions on the schema, or perhaps something done
>> differently to normal LDAP? Unless of course I'm doing something silly.
>>
>> Thoughts?
>
> Ah no, it's just that 389ds does not support the prettified OIDs yet.
> The schema file you ended up importing is 100% equivalent to the one with
> the OID prefix substitutions.
>
> Simo.
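Two things in this thread are easy to get wrong by hand: expanding the `objectIdentifier` macros in Michal's schema into the plain numeric OIDs that 389-ds wants, and reading the schema back out of `cn=schema` when ldapsearch has wrapped the long values. The script below is an added example written for this page; it is not code from the thread, from the yubikey-ldap project or from FreeIPA. It applies OpenLDAP's macro rule (`name:suffix` is the OID registered for `name` with `.suffix` appended, and a macro must be defined before it is referenced), unwraps LDIF continuation lines before parsing, and compares the expanded definitions with what a server reports. Both inputs are constructed: the macro schema is the one quoted above, and `SERVER_SCHEMA` is a made-up `ldapsearch -LLL` result for a server that loaded the hand-written numeric file from the thread (the `cn` line and its `X-ORIGIN` are illustrative). One thing the expansion makes visible: under the macro rule `YkAttribute:1` is `1.3.6.1.4.1.40789.2012.11.1.2.1.1` and `YkObjectClass:1` is `1.3.6.1.4.1.40789.2012.11.1.2.2.1`, one arc below the numeric OIDs in the hand-written file, so the checker reports both definitions as mismatches against the constructed server output; compare the generated lines with whatever file you actually import before calling the two equivalent.

```python
import re

# Constructed input: the macro-based YubiKey schema quoted in the thread. LDIF
# continuation lines start with one space (two spaces keep one inside the value).
MACRO_SCHEMA = """\
dn: cn=yubikey,cn=config
ObjectIdentifier: {0}logixOID 1.3.6.1.4.1.40789
ObjectIdentifier: {1}YubiKeyPrj logixOID:2012.11.1
ObjectIdentifier: {2}YkSNMP YubiKeyPrj:1
ObjectIdentifier: {3}YkLDAP YubiKeyPrj:2
ObjectIdentifier: {4}YkAttribute YkLDAP:1
ObjectIdentifier: {5}YkObjectClass YkLDAP:2
AttributeTypes: {0}( YkAttribute:1 NAME 'yubiKeyId' DESC 'Yubico YubiKey ID'
  EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
ObjectClasses: {0}( YkObjectClass:1 NAME 'yubiKeyUser' DESC 'Yubico YubiKey User'
  SUP top AUXILIARY MAY ( yubiKeyId ) )
"""
# Constructed sample of `ldapsearch -LLL -x -b cn=schema attributeTypes objectClasses`
# after the hand-written numeric schema from the thread was loaded; ldapsearch
# wraps long values onto space-prefixed continuation lines.
SERVER_SCHEMA = """\
dn: cn=schema
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name X-ORIGIN 'RFC 4519' )
attributeTypes: ( 1.3.6.1.4.1.40789.2012.11.1.2.1 NAME 'yubiKeyId' DESC 'Yubico Y
 ubiKey ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
objectClasses: ( 1.3.6.1.4.1.40789.2012.11.1.2.2 NAME 'yubiKeyUser' DESC 'Yubico Yub
 iKey User' SUP top AUXILIARY MAY ( yubiKeyId ) )
"""
ORDER_PREFIX = re.compile(r"^\{\d+\}")                        # cn=config ordering, e.g. {0}
MACRO_REF = re.compile(r"^([A-Za-z][\w-]*)(?::([\d.]+))?$")   # name or name:suffix
DEF_HEAD = re.compile(r"^\(\s*(?P<oid>[\d.]+)\s+NAME\s+(?P<names>'[^']*'|\([^)]*\))", re.I)
KINDS = {"attributetypes": "attributeTypes", "objectclasses": "objectClasses"}

def unwrap_ldif(text):
    """Join LDIF continuation lines (leading space) onto the line before them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def resolve(ref, macros):
    """OpenLDAP macro rule: 'name:suffix' is the OID of name plus '.suffix'."""
    if re.fullmatch(r"[\d.]+", ref):
        return ref                                        # already numeric
    m = MACRO_REF.match(ref)
    if not m or m.group(1) not in macros:
        raise ValueError("undefined OID macro in %r (define macros before use)" % ref)
    name, suffix = m.groups()
    return macros[name] + ("." + suffix if suffix else "")

def expand_macros(text):
    """Return (macros, {kind: [definitions with numeric OIDs]}) for a macro-based schema."""
    macros, defs = {}, {"attributeTypes": [], "objectClasses": []}
    for line in unwrap_ldif(text):
        key, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        key, value = key.strip().lower(), ORDER_PREFIX.sub("", value.strip())
        if key == "objectidentifier":
            name, ref = value.split(None, 1)
            macros[name] = resolve(ref, macros)
        elif key in KINDS:
            if not (value.startswith("(") and value.endswith(")")):
                raise ValueError("malformed definition: %r" % value)
            head, _, rest = value[1:-1].strip().partition(" ")   # first token is the OID
            defs[KINDS[key]].append("( %s %s )" % (resolve(head, macros), rest))
    return macros, defs

def parse_server_schema(text):
    """Index a cn=schema search result by OID and by every NAME (lower-cased)."""
    index = {"attributeTypes": {}, "objectClasses": {}}
    for line in unwrap_ldif(text):
        key, sep, value = line.partition(":")
        kind = KINDS.get(key.strip().lower())
        m = DEF_HEAD.match(value.strip()) if sep and kind else None
        if not m:
            continue                                      # not a NAMEd definition
        names = re.findall(r"'([^']*)'", m.group("names"))
        entry = {"oid": m.group("oid"), "names": names, "definition": value.strip()}
        index[kind][entry["oid"]] = entry
        for n in names:
            index[kind][n.lower()] = entry
    return index

def check_loaded(index, expected):
    """Compare expanded definitions with the server's; return a list of mismatch messages."""
    problems = []
    for kind, defs in expected.items():
        for d in defs:
            m = DEF_HEAD.match(d)
            name, oid = re.findall(r"'([^']*)'", m.group("names"))[0], m.group("oid")
            got = index[kind].get(name.lower())
            if got is None:
                problems.append("%s %s is not defined on the server" % (kind, name))
            elif got["oid"] != oid:
                problems.append("%s %s has OID %s on the server, expected %s"
                                % (kind, name, got["oid"], oid))
    return problems

if __name__ == "__main__":
    macros, defs = expand_macros(MACRO_SCHEMA)
    print("\n".join("%s: %s" % (k, d) for k, ds in defs.items() for d in ds))
    print("\n".join("MISMATCH: " + p for p in check_loaded(parse_server_schema(SERVER_SCHEMA), defs)))
```

To use it against a real directory, replace `SERVER_SCHEMA` with the output of `ldapsearch -LLL -x -b cn=schema attributeTypes objectClasses` (no bind needed, as noted above), and feed the printed `attributeTypes:`/`objectClasses:` lines to ldapmodify as an `add:` against `dn: cn=schema`. Unwrapping is not optional: grepping the wrapped output for `yubiKeyId` works only if the name happens not to straddle a line break.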