Re: [Freeipa-users] Deploying freeipa behind nginx

2014-02-03 Thread Steve Severance
So I understand the mitigation of CSRF attacks. I would like ipa to be able
to handle a specific set of referers. My use case may be less common since
my freeipa instance is handling our server infrastructure not desktops.

I have everything working now. Here is an example nginx server config in
case anyone else needs it:

server {
    server_name ipa.corp.com;   # external name users connect to
    listen 443 ssl;
    # certificate for the external name (paths are placeholders; adjust to your deployment)
    ssl_certificate     /etc/nginx/ssl/ipa.corp.com.crt;
    ssl_certificate_key /etc/nginx/ssl/ipa.corp.com.key;

    location / {
        # rewrite the domain in Set-Cookie so the browser keeps ipa_session
        # for the external name
        proxy_cookie_domain ldap.corp.com ipa.corp.com;
        proxy_pass https://ldap.corp.com/;
        # replace whatever Referer the browser sent with the internal UI URL,
        # which is what IPA's referer check expects to see
        proxy_set_header Referer https://ldap.corp.com/ipa/ui;
    }
}

ipa.corp.com would be the external server and ldap.corp.com would be the
internal server.

Thanks for your help.

Steve



On Mon, Feb 3, 2014 at 11:10 AM, Alexander Bokovoy wrote:

> On Mon, 03 Feb 2014, Steve Severance wrote:
>
>> Yes it works if I specify the -s as ldap.mycorp.com. So we have progress!
>> It now appears to authenticate fine when it posts the session but I have a
>> new error.
>>
>> I get an Ipa Error 911 "Missing HTTP referer.  You have to configure
>> your browser to send HTTP referer header." I assume this is because the
>> external name doesn't match the internal name. Is there a way to modify
>> this somewhere?
>>
> You can read https://bugzilla.redhat.com/show_bug.cgi?id=747710 for
> details and https://rhn.redhat.com/errata/RHSA-2011-1533.html is the
> security errata addressing it.
>
> We are deliberately closing cross-site forgery by enforcing
> HTTP referrer checks.
>
> Your nginx proxy would be a middle man which we are attempting to
> protect against.
>
> Recent discussions on how to allow your use case but still keep the
> security tight can be seen here:
> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8920 (latter
> part of the thread). Discussion stalled since then.
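An added illustration (not FreeIPA's code and not Steve's nginx config) of the Referer check Alexander describes and of what a fixed "proxy_set_header Referer" does to it: check_referer accepts the server's own name plus an optional allow-list of external front-end names (the "specific set of referers" Steve asks for), and proxy_forward models the proxy either rewriting the browser's Referer or passing it through. The hostnames and error code 911 come from the thread; every function and constant name here is an assumption made for the example.

```python
"""Referer-based CSRF check of the kind FreeIPA enforces (error 911 on a
missing or foreign Referer), extended with an allow-list of trusted external
names. Added illustration for this thread, not FreeIPA's own code."""
from urllib.parse import urlsplit

IPA_ERROR_MISSING_REFERER = 911    # error code quoted in the thread
INTERNAL_NAME = "ldap.corp.com"    # internal IPA server name from the thread
EXTERNAL_NAME = "ipa.corp.com"     # public name served by the nginx proxy


class RefererError(Exception):
    """Raised where IPA would answer with an error instead of serving the call."""

    def __init__(self, code, message):
        super().__init__(message)
        self.code = code


def _header(headers, name):
    """Case-insensitive header lookup on a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_referer(headers, server_name=INTERNAL_NAME, trusted_hosts=()):
    """Return the Referer host if it is the server itself or one of the
    configured trusted front-ends; otherwise raise RefererError."""
    referer = _header(headers, "Referer")
    if not referer:
        raise RefererError(IPA_ERROR_MISSING_REFERER, "Missing HTTP referer")
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()
    allowed = {server_name.lower(), *(h.lower() for h in trusted_hosts)}
    if parts.scheme != "https" or host not in allowed:
        raise RefererError(IPA_ERROR_MISSING_REFERER,
                           f"Referer {referer!r} does not match a trusted host")
    return host


def proxy_forward(browser_headers, rewrite_referer):
    """Model the headers nginx hands to IPA.  rewrite_referer=True is the
    thread's 'proxy_set_header Referer https://ldap.corp.com/ipa/ui': every
    request reaches IPA looking as if it came from the internal UI.  False
    passes the browser's own Referer through unchanged."""
    out = {k: v for k, v in browser_headers.items() if k.lower() != "referer"}
    if rewrite_referer:
        out["Referer"] = f"https://{INTERNAL_NAME}/ipa/ui"
    else:
        referer = _header(browser_headers, "Referer")
        if referer is not None:
            out["Referer"] = referer
    return out


def reaches_backend(browser_headers, rewrite_referer, trusted_hosts=()):
    """True if a request carrying these browser headers passes the referer
    check after the proxy, False if IPA would reject it."""
    try:
        check_referer(proxy_forward(browser_headers, rewrite_referer),
                      trusted_hosts=trusted_hosts)
        return True
    except RefererError:
        return False


if __name__ == "__main__":
    # Constructed sample headers: a request from the proxied UI page, and one
    # whose Referer is an unrelated site (the case the check exists to stop).
    from_ui = {"Referer": f"https://{EXTERNAL_NAME}/ipa/ui", "Cookie": "ipa_session=<constructed>"}
    from_elsewhere = {"Referer": "https://other.example/page", "Cookie": "ipa_session=<constructed>"}
    for label, hdrs in (("from UI", from_ui), ("from elsewhere", from_elsewhere)):
        print(f"{label:15} fixed Referer: {reaches_backend(hdrs, True)}"
              f"  pass-through + allow-list: {reaches_backend(hdrs, False, (EXTERNAL_NAME,))}")
```

With the fixed Referer both sample requests reach the backend, which is the "middle man" problem Alexander points at; passing the browser's Referer through and listing the external name instead keeps the check meaningful.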

Re: [Freeipa-users] Deploying freeipa behind nginx

2014-02-03 Thread Alexander Bokovoy

On Mon, 03 Feb 2014, Steve Severance wrote:

> Yes it works if I specify the -s as ldap.mycorp.com. So we have progress!
> It now appears to authenticate fine when it posts the session but I have a
> new error.
>
> I get an Ipa Error 911 "Missing HTTP referer.  You have to configure
> your browser to send HTTP referer header." I assume this is because the
> external name doesn't match the internal name. Is there a way to modify
> this somewhere?

You can read https://bugzilla.redhat.com/show_bug.cgi?id=747710 for
details and https://rhn.redhat.com/errata/RHSA-2011-1533.html is the
security errata addressing it.

We are deliberately closing cross-site forgery by enforcing
HTTP referrer checks.

Your nginx proxy would be a middle man which we are attempting to
protect against.

Recent discussions on how to allow your use case but still keep the
security tight can be seen here:
http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8920 (latter
part of the thread). Discussion stalled since then.






--
/ Alexander Bokovoy

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Deploying freeipa behind nginx

2014-02-03 Thread Steve Severance
Yes it works if I specify the -s as ldap.mycorp.com. So we have progress!
It now appears to authenticate fine when it posts the session but I have a
new error.

I get an Ipa Error 911 "Missing HTTP referer.  You have to configure
your browser to send HTTP referer header." I assume this is because the
external name doesn't match the internal name. Is there a way to modify
this somewhere?

Thanks.

Steve


On Mon, Feb 3, 2014 at 4:40 AM, Sumit Bose  wrote:

> On Fri, Jan 31, 2014 at 01:50:58PM -0800, Steve Severance wrote:
> > Hi Sumit, That does indeed work. What does that tell us?
>
> I'm sorry, but it only tells that in general GSSAPI/Kerberos is working.
> I think it does not help much with your original issue. About
> ipa-getkeytab, does it work if you specify the server with the
> -s/--server option?
>
>
> bye,
> Sumit



-- 
Steve Severance
Director of Engineering
Altos Research

e. st...@altosresearch.com
m. (240) 472 - 9645

Re: [Freeipa-users] Deploying freeipa behind nginx

2014-01-31 Thread Steve Severance
Hi Dmitri,

I am using FreeIPA 3.1.5 on Fedora 18. The design basically looks like the
following. All of this is hosted at AWS in our VPC. The nginx
box is on a web addressable subnet while the FreeIPA box is on a private
subnet that is not internet accessible. My goal is to be able to use the
web UI from our office without having to invest in a hardware VPN
connection. So nginx basically just acts as a reverse proxy and creates the
connection on the user's behalf to the ipa server. I can log in to other
machines I have both in our private data center and in AWS using ipa and
that works great as far as I can tell.

Any more information I can supply? Thanks.

Steve

On Wed, Jan 29, 2014 at 4:18 AM, Dmitri Pal  wrote:

> To be able to help a small diagram would be really helpful.
> The error above indicates that there is an entity that tries to connect to
> the LDAP using Kerberos GSSAPI and can't because it either does not have
> kerberos identity or keys or it is misconfigured and can't get to them. The
> diagram of request flow would help to troubleshoot the issue.
>
> What version of FreeIPA you are using? What platform?
>

Re: [Freeipa-users] Deploying freeipa behind nginx

2014-01-29 Thread Dmitri Pal
On 01/28/2014 05:29 PM, Steve Severance wrote:
> Hi Everyone,
>
> I have deployed freeipa inside our production network. I want to be
> able to access the web ui so I am attempting to add it to our nginx
> edge machine. I can pass the requests upstream just fine but I am
> unable to login using a username/password. I have enabled password
> authentication in the kerberos section of the freeipa httpd config
> file. In the logs it looks like the authentication succeeds and a
> ticket is issued. I assume that the cookie that is returned
> (ipa_session) has the authentication information in it. The subsequent
> call to get json data fails and I am prompted to login again.
>
> I found this thread
> (https://www.redhat.com/archives/freeipa-users/2013-August/msg00080.html)
> which has instructions on adding ipa.mydomain.com to the keytab. When I
> call ipa-getkeytab it hangs for a bit before returning: ldap_sasl_bind(SIMPLE): Can't
> contact LDAP server (-1)
>
> Digging into this if I run: ldapsearch -d 1 -v -H
> ldaps://ldap.mydomain.com
>
> I get:
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:
>
> So we seem to have a SASL problem. If I run ldapsearch with -x simple
> authentication works just fine.
>
> Do I need to do something special to enable SASL so I can get the
> keytab? The ipa-getkeytab command does not seem to have an option to
> use simple authentication.
>
> Thanks.
>
> Steve
>
>

To be able to help a small diagram would be really helpful.
The error above indicates that there is an entity that tries to connect
to the LDAP using Kerberos GSSAPI and can't because it either does not
have kerberos identity or keys or it is misconfigured and can't get to
them. The diagram of request flow would help to troubleshoot the issue.

What version of FreeIPA are you using? What platform?



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] Deploying freeipa behind nginx

2014-01-29 Thread Sumit Bose
On Tue, Jan 28, 2014 at 02:29:07PM -0800, Steve Severance wrote:
> Hi Everyone,
> 
> I have deployed freeipa inside our production network. I want to be able to
> access the web ui so I am attempting to add it to our nginx edge machine. I
> can pass the requests upstream just fine but I am unable to login using a
> username/password. I have enabled password authentication in the kerberos
> section of the freeipa httpd config file. In the logs it looks like the
> authentication succeeds and a ticket is issued. I assume that the cookie
> that is returned (ipa_session) has the authentication information in it.
> The subsequent call to get json data fails and I am prompted to login again.
> 
> I found this thread (
> https://www.redhat.com/archives/freeipa-users/2013-August/msg00080.html)
> which has instructions on adding ipa.mydomain.com to the keytab. When I
> call ipa-getkeytab it hangs for a bit before returning: 
> ldap_sasl_bind(SIMPLE):
> Can't contact LDAP server (-1)
> 
> Digging into this if I run: ldapsearch -d 1 -v -H ldaps://ldap.mydomain.com
> 
> I get:
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:

Does it work if you add the mechanism explicitly, e.g. 'ldapsearch -Y
GSSAPI ' ?

bye,
Sumit



[Freeipa-users] Deploying freeipa behind nginx

2014-01-28 Thread Steve Severance
Hi Everyone,

I have deployed freeipa inside our production network. I want to be able to
access the web UI so I am attempting to add it to our nginx edge machine. I
can pass the requests upstream just fine but I am unable to log in using a
username/password. I have enabled password authentication in the Kerberos
section of the freeipa httpd config file. In the logs it looks like the
authentication succeeds and a ticket is issued. I assume that the cookie
that is returned (ipa_session) has the authentication information in it.
The subsequent call to get JSON data fails and I am prompted to log in again.

I found this thread (
https://www.redhat.com/archives/freeipa-users/2013-August/msg00080.html)
which has instructions on adding ipa.mydomain.com to the keytab. When I
call ipa-getkeytab it hangs for a bit before returning: ldap_sasl_bind(SIMPLE):
Can't contact LDAP server (-1)

Digging into this if I run: ldapsearch -d 1 -v -H ldaps://ldap.mydomain.com

I get:
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:

So we seem to have a SASL problem. If I run ldapsearch with -x simple
authentication works just fine.

Do I need to do something special to enable SASL so I can get the keytab?
The ipa-getkeytab command does not seem to have an option to use simple
authentication.

Thanks.

Steve

Re: [Freeipa-users] deploying FreeIPA

2009-12-14 Thread John Dennis

On 12/12/2009 12:50 AM, jose mora wrote:

> hello
> how is everyone doing?
> I do have a request, can you help me Deploying FreeIPA?
> I would appreciate any kind of help
> thank you for your time
> Jose Mora

We would like to help you but first you need to tell us what you need
help with.


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



[Freeipa-users] deploying FreeIPA

2009-12-14 Thread jose mora
hello
how is everyone doing?
I do have a request, can you help me Deploying FreeIPA?
I would appreciate any kind of help
thank you for your time
Jose Mora



Re: [Freeipa-users] Deploying FreeIPA 1.2.2 on RHEL 5

2009-11-05 Thread Loris Santamaria
On Thu, 05-11-2009 at 15:38 -0500, Sam Hartsfield wrote:
> Hello,
> 
> I am interested in deploying FreeIPA along with my company's software
> to allow us to implement Single Sign On. All of our software is
> deployed on Red Hat Enterprise Linux, so I would like to get the
> FreeIPA server to run there (on RHEL 5). I am aware of Red Hat IPA,
> but if I'm not mistaken, it is based on an earlier version that does
> not have the ability to sync to Active Directory.
> 
> Most of the dependencies are available either from the official
> package repositories or from EPEL, and Fedora/389 Directory Server has
> its own repository for Enterpise Linux. However, there are two
> packages that are unavailable: 'mod_nss >= 1.0.7-2' and 'slapi-nis'.

One could just use the relevant .src.rpm from Fedora and recompile them
on RHEL. At least I did that with no problems (*) whatsoever several
times with the .src.rpms from Fedora 9 and 10.

You can't use the rpms from Fedora 11 directly because the format has
changed slightly, but you can install the .src.rpm in Fedora, and copy
the contents (spec, sources and patches) to RHEL to rebuild it.

(*) You should edit the ipa.spec and change

BuildRequires:  popt-devel

to 

BuildRequires:  popt


> Looking at the commit (f018c2123c2b0018af5d41ec007ac8ddf0f04d31), it
> appears that an earlier version of mod_nss is okay as long as we don't
> need to pass it through mod_proxy. As far as I can tell, slapi-nis is
> used for providing an NIS interface, which I don't think we need
> (RHEL4 and RHEL5 clients should be able to use LDAP for user
> information). Does this sound accurate, or is there anything I'm
> missing? Would it be sufficient to remove these dependencies from the
> RPM spec (for mod_nss just remove the version restriction) before I
> build the package, or would I need to make other modifications? After
> trying it (installing with 'rpm --nodeps'), it appears to work at
> first glance.
> 
> Are there any other issues with running on RHEL 5 that I should be
> aware of? Any comments on this configuration?
> 
> Thank you,
> Sam Hartsfield
> 
-- 
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve

-O9 -omg-optimize -fomit-instructions



[Freeipa-users] Deploying FreeIPA 1.2.2 on RHEL 5

2009-11-05 Thread Sam Hartsfield
Hello,

I am interested in deploying FreeIPA along with my company's software
to allow us to implement Single Sign On. All of our software is
deployed on Red Hat Enterprise Linux, so I would like to get the
FreeIPA server to run there (on RHEL 5). I am aware of Red Hat IPA,
but if I'm not mistaken, it is based on an earlier version that does
not have the ability to sync to Active Directory.

Most of the dependencies are available either from the official
package repositories or from EPEL, and Fedora/389 Directory Server has
its own repository for Enterprise Linux. However, there are two
packages that are unavailable: 'mod_nss >= 1.0.7-2' and 'slapi-nis'.
Looking at the commit (f018c2123c2b0018af5d41ec007ac8ddf0f04d31), it
appears that an earlier version of mod_nss is okay as long as we don't
need to pass it through mod_proxy. As far as I can tell, slapi-nis is
used for providing an NIS interface, which I don't think we need
(RHEL4 and RHEL5 clients should be able to use LDAP for user
information). Does this sound accurate, or is there anything I'm
missing? Would it be sufficient to remove these dependencies from the
RPM spec (for mod_nss just remove the version restriction) before I
build the package, or would I need to make other modifications? After
trying it (installing with 'rpm --nodeps'), it appears to work at
first glance.

Are there any other issues with running on RHEL 5 that I should be
aware of? Any comments on this configuration?

Thank you,
Sam Hartsfield
