Re: [Freeipa-users] Migrating from custom auth system

2015-07-09 Thread Nicola Canepa
If I enable the PAM plugin of 389-ds, I'm able to let users be 
authenticated by PAM, even if the user is not present il LDAP, hence the 
plain-text password is passed to PAM.
The only missing step is: if PAM correctly authenticates a non-existing 
user, it should be created (using the just supplied password).


Nicola

Il 09/07/15 15:20, Alexander Bokovoy ha scritto:

On Thu, 09 Jul 2015, Nicola Canepa wrote:

Thank you Alexander.
If the previous password is not used, I could set an impossible-hash 
password (such as {crypt}*) and let users login authenticating 
trhough PAM?

How would you authenticate then? Remember that it is the hash in
userPassword attribute that is used for actual authentication. If
password-handling plugin cannot calculate to the same hash based on the
plain-text password it was supplied via LDAP bind, how would user
successfully authenticate?

If you migrate this way, you need password hashes, at least.
If you are going to issue users with new passwords, just create all of
them in IPA with these new passwords and ask them to login, at least
once, to IPA self-service.

Or I could put the user-add in the pam_exec script (but only if the 
user does not already exists).

I don't think is is sufficiently good, at least I wouldn't do it this
way.



--

Nicola Canepa
Tel: +39-0522-399-3474
canep...@mmfg.it
---
Il contenuto della presente comunicazione è riservato e destinato 
esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona 
diversa dal destinatario sono proibite la diffusione, la distribuzione e la 
copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e 
di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati 
contenuti. La presente comunicazione (comprensiva dei documenti allegati) non 
avrà valore di proposta contrattuale e/o accettazione di proposte provenienti 
dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, 
nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può 
validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a 
ns. carico, se la presente non sia seguita da contratto sottoscritto dalle 
parti.

The content of the above communication is strictly confidential and reserved 
solely for the referred addressees. In the event of receipt by persons 
different from the addressee, copying, alteration and distribution are 
forbidden. If received by mistake we ask you to inform us and to destroy and/or 
delete from your computer without using the data herein contained. The present 
message (eventual annexes inclusive) shall not be considered a contractual 
proposal and/or acceptance of offer from the addressee, nor waiver recognizance 
of rights, debts  and/or credits, nor shall it be binding when not executed as 
a subsequent agreement by persons who could lawfully represent us. No 
pre-contractual liability shall apply to us when the present communication is 
not followed by any binding agreement between the parties.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Migrating from custom auth system

2015-07-09 Thread Alexander Bokovoy

On Thu, 09 Jul 2015, Nicola Canepa wrote:
If I enable the PAM plugin of 389-ds, I'm able to let users be 
authenticated by PAM, even if the user is not present il LDAP, hence 
the plain-text password is passed to PAM.
The only missing step is: if PAM correctly authenticates a 
non-existing user, it should be created (using the just supplied 
password).

I have feeling you are overcomplicating things for yourself.

You don't need PAM plugin of 389-ds to be enabled or used with FreeIPA.

All you need is to create your users in IPA, assign them some temporary
passwords, let them visit https://ipa.example.com/ipa/ui/reset_password.html,
set up your web app to authenticate via PAM like
http://www.freeipa.org/page/Web_App_Authentication explains, and you are
done.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Migrating from custom auth system

2015-07-09 Thread Rich Megginson

On 07/09/2015 08:36 AM, Nicola Canepa wrote:
If I enable the PAM plugin of 389-ds, I'm able to let users be 
authenticated by PAM, even if the user is not present il LDAP, hence 
the plain-text password is passed to PAM.
The only missing step is: if PAM correctly authenticates a 
non-existing user, it should be created (using the just supplied 
password).


The 389-ds PAM passthrough auth plugin can't add users.  You would have 
to add some additional functionality to either PAM, or another 389-ds 
plugin.




Nicola

Il 09/07/15 15:20, Alexander Bokovoy ha scritto:

On Thu, 09 Jul 2015, Nicola Canepa wrote:

Thank you Alexander.
If the previous password is not used, I could set an impossible-hash 
password (such as {crypt}*) and let users login authenticating 
trhough PAM?

How would you authenticate then? Remember that it is the hash in
userPassword attribute that is used for actual authentication. If
password-handling plugin cannot calculate to the same hash based on the
plain-text password it was supplied via LDAP bind, how would user
successfully authenticate?

If you migrate this way, you need password hashes, at least.
If you are going to issue users with new passwords, just create all of
them in IPA with these new passwords and ask them to login, at least
once, to IPA self-service.

Or I could put the user-add in the pam_exec script (but only if 
the user does not already exists).

I don't think is is sufficiently good, at least I wouldn't do it this
way.





--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Migrating from custom auth system

2015-07-09 Thread Jan Pazdziora
On Thu, Jul 09, 2015 at 11:33:23AM +0200, Nicola Canepa wrote:
 Hello.
 I was trying Freeipa as an addition and (maybe) future replacement for the
 current SSO solution (custom and only for web apps).
 I was able to authenticate (via pam_exec) LDAP users on the legacy system.
 My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP
 users not created by IPA.
 
 I enabled migration mode in Freeipa, so that authenticated users should get
 Kerberos hash created upon first login, but I don't know how to make users
 login without creating them in advance.
 
 Is there a (suggested) way to let users authenticate via Kerberos and create
 users authenticated by PAM upon first login?

Create user where -- in the Web application or in FreeIPA?

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Migrating from custom auth system

2015-07-09 Thread Alexander Bokovoy

Nicola,

perhaps it would help if you explain what did you mean by saying below

My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP
users not created by IPA.


When you enabled migration mode and actually migrated users with 'ipa
migrate-ds' command, you will have those users in IPA and they will be
able to authenticate via LDAP with their old passwords.

If your server (where your web app would be running) is enrolled into
IPA, then it would be already running SSSD and set up for using it via
pam_sss. Then configuring your web app to authenticate via PAM stack
(for example, like we explain on 
http://www.freeipa.org/page/Web_App_Authentication)
takes care of properly logging in and updating passwords.

SSSD knows about migration mode and has support for it.

On Thu, 09 Jul 2015, Nicola Canepa wrote:
I don't understand the question: aren't users created by IPA command 
line the same as if they are created via the web GUI?


Nicola

Il 09/07/15 13:05, Jan Pazdziora ha scritto:

On Thu, Jul 09, 2015 at 11:33:23AM +0200, Nicola Canepa wrote:

Hello.
I was trying Freeipa as an addition and (maybe) future replacement for the
current SSO solution (custom and only for web apps).
I was able to authenticate (via pam_exec) LDAP users on the legacy system.
My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP
users not created by IPA.

I enabled migration mode in Freeipa, so that authenticated users should get
Kerberos hash created upon first login, but I don't know how to make users
login without creating them in advance.

Is there a (suggested) way to let users authenticate via Kerberos and create
users authenticated by PAM upon first login?

Create user where -- in the Web application or in FreeIPA?



--

Nicola Canepa
Tel: +39-0522-399-3474
canep...@mmfg.it
---
Il contenuto della presente comunicazione è riservato e destinato 
esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona 
diversa dal destinatario sono proibite la diffusione, la distribuzione e la 
copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e 
di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati 
contenuti. La presente comunicazione (comprensiva dei documenti allegati) non 
avrà valore di proposta contrattuale e/o accettazione di proposte provenienti 
dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, 
nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può 
validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a 
ns. carico, se la presente non sia seguita da contratto sottoscritto dalle 
parti.

The content of the above communication is strictly confidential and reserved 
solely for the referred addressees. In the event of receipt by persons 
different from the addressee, copying, alteration and distribution are 
forbidden. If received by mistake we ask you to inform us and to destroy and/or 
delete from your computer without using the data herein contained. The present 
message (eventual annexes inclusive) shall not be considered a contractual 
proposal and/or acceptance of offer from the addressee, nor waiver recognizance 
of rights, debts  and/or credits, nor shall it be binding when not executed as 
a subsequent agreement by persons who could lawfully represent us. No 
pre-contractual liability shall apply to us when the present communication is 
not followed by any binding agreement between the parties.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Migrating from custom auth system

2015-07-09 Thread Nicola Canepa
OK, I'm sorry for the little information provided: I can't do 
migrate-ds, since I'm not coming from a DS (which can only be another 
LDAP server, I guess).
The only thing I can expect is that users will login to one of the 
applicazions which I put under FreeIPA authentication.
So I mixed the NIS migration documentation (maintaining passwords) 
with the migration mode, hoping it was what I was looking for.


Is there a way so that users are created in FreeIPA once they login in 
this way?

From what you said, I need to use SSSD (I'm going to read the docs ASAP).

Is migration mode only used when I also use ipa migrate-ds?

Thank you very much.

Nicola

Il 09/07/15 14:08, Alexander Bokovoy ha scritto:

Nicola,

perhaps it would help if you explain what did you mean by saying below
My problem is with Kerberos and FreeIPA web GUI, which don't accept 
LDAP

users not created by IPA.


When you enabled migration mode and actually migrated users with 'ipa
migrate-ds' command, you will have those users in IPA and they will be
able to authenticate via LDAP with their old passwords.

If your server (where your web app would be running) is enrolled into
IPA, then it would be already running SSSD and set up for using it via
pam_sss. Then configuring your web app to authenticate via PAM stack
(for example, like we explain on 
http://www.freeipa.org/page/Web_App_Authentication)

takes care of properly logging in and updating passwords.

SSSD knows about migration mode and has support for it.

On Thu, 09 Jul 2015, Nicola Canepa wrote:
I don't understand the question: aren't users created by IPA command 
line the same as if they are created via the web GUI?


Nicola

Il 09/07/15 13:05, Jan Pazdziora ha scritto:

On Thu, Jul 09, 2015 at 11:33:23AM +0200, Nicola Canepa wrote:

Hello.
I was trying Freeipa as an addition and (maybe) future replacement 
for the

current SSO solution (custom and only for web apps).
I was able to authenticate (via pam_exec) LDAP users on the legacy 
system.
My problem is with Kerberos and FreeIPA web GUI, which don't accept 
LDAP

users not created by IPA.

I enabled migration mode in Freeipa, so that authenticated users 
should get
Kerberos hash created upon first login, but I don't know how to 
make users

login without creating them in advance.

Is there a (suggested) way to let users authenticate via Kerberos 
and create

users authenticated by PAM upon first login?

Create user where -- in the Web application or in FreeIPA?



--

Nicola Canepa
Tel: +39-0522-399-3474
canep...@mmfg.it
---
Il contenuto della presente comunicazione è riservato e destinato 
esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto 
da persona diversa dal destinatario sono proibite la diffusione, la 
distribuzione e la copia. Nel caso riceveste la presente per errore, 
Vi preghiamo di informarci e di distruggerlo e/o cancellarlo dal 
Vostro computer, senza utilizzare i dati contenuti. La presente 
comunicazione (comprensiva dei documenti allegati) non avrà valore di 
proposta contrattuale e/o accettazione di proposte provenienti dal 
destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o 
crediti, nè sarà impegnativa, qualora non sia sottoscritto successivo 
accordo da chi può validamente obbligarci. Non deriverà alcuna 
responsabilità precontrattuale a ns. carico, se la presente non sia 
seguita da contratto sottoscritto dalle parti.


The content of the above communication is strictly confidential and 
reserved solely for the referred addressees. In the event of receipt 
by persons different from the addressee, copying, alteration and 
distribution are forbidden. If received by mistake we ask you to 
inform us and to destroy and/or delete from your computer without 
using the data herein contained. The present message (eventual 
annexes inclusive) shall not be considered a contractual proposal 
and/or acceptance of offer from the addressee, nor waiver 
recognizance of rights, debts and/or credits, nor shall it be binding 
when not executed as a subsequent agreement by persons who could 
lawfully represent us. No pre-contractual liability shall apply to us 
when the present communication is not followed by any binding 
agreement between the parties.


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project




--

Nicola Canepa
Tel: +39-0522-399-3474
canep...@mmfg.it
---
Il contenuto della presente comunicazione è riservato e destinato 
esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona 
diversa dal destinatario sono proibite la diffusione, la distribuzione e la 
copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e 
di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati 
contenuti. La presente comunicazione (comprensiva dei documenti allegati) non 
avrà valore di proposta contrattuale e/o 

Re: [Freeipa-users] Migrating from custom auth system

2015-07-09 Thread Nicola Canepa
I don't understand the question: aren't users created by IPA command 
line the same as if they are created via the web GUI?


Nicola

Il 09/07/15 13:05, Jan Pazdziora ha scritto:

On Thu, Jul 09, 2015 at 11:33:23AM +0200, Nicola Canepa wrote:

Hello.
I was trying Freeipa as an addition and (maybe) future replacement for the
current SSO solution (custom and only for web apps).
I was able to authenticate (via pam_exec) LDAP users on the legacy system.
My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP
users not created by IPA.

I enabled migration mode in Freeipa, so that authenticated users should get
Kerberos hash created upon first login, but I don't know how to make users
login without creating them in advance.

Is there a (suggested) way to let users authenticate via Kerberos and create
users authenticated by PAM upon first login?

Create user where -- in the Web application or in FreeIPA?



--

Nicola Canepa
Tel: +39-0522-399-3474
canep...@mmfg.it
---
Il contenuto della presente comunicazione è riservato e destinato 
esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona 
diversa dal destinatario sono proibite la diffusione, la distribuzione e la 
copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e 
di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati 
contenuti. La presente comunicazione (comprensiva dei documenti allegati) non 
avrà valore di proposta contrattuale e/o accettazione di proposte provenienti 
dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, 
nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può 
validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a 
ns. carico, se la presente non sia seguita da contratto sottoscritto dalle 
parti.

The content of the above communication is strictly confidential and reserved 
solely for the referred addressees. In the event of receipt by persons 
different from the addressee, copying, alteration and distribution are 
forbidden. If received by mistake we ask you to inform us and to destroy and/or 
delete from your computer without using the data herein contained. The present 
message (eventual annexes inclusive) shall not be considered a contractual 
proposal and/or acceptance of offer from the addressee, nor waiver recognizance 
of rights, debts  and/or credits, nor shall it be binding when not executed as 
a subsequent agreement by persons who could lawfully represent us. No 
pre-contractual liability shall apply to us when the present communication is 
not followed by any binding agreement between the parties.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Migrating from custom auth system

2015-07-09 Thread Nicola Canepa

Thank you Alexander.
If the previous password is not used, I could set an impossible-hash 
password (such as {crypt}*) and let users login authenticating trhough 
PAM?
Or I could put the user-add in the pam_exec script (but only if the 
user does not already exists).


I'll test both ways.

Nicola

Il 09/07/15 14:44, Alexander Bokovoy ha scritto:

On Thu, 09 Jul 2015, Nicola Canepa wrote:
OK, I'm sorry for the little information provided: I can't do 
migrate-ds, since I'm not coming from a DS (which can only be 
another LDAP server, I guess).
The only thing I can expect is that users will login to one of the 
applicazions which I put under FreeIPA authentication.
So I mixed the NIS migration documentation (maintaining passwords) 
with the migration mode, hoping it was what I was looking for.

If you did create your users the same way as proposed with NIS
migration, then they wouldn't be different from what would have happened
with 'ipa migrate-ds'. End result, you have user entries in LDAP with
passwords set to their hashes in the previous system and no Kerberos
attributes.


Is there a way so that users are created in FreeIPA once they login in
this way?
*You* need to create them. 
http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords

walks you through that:

---8---8---8---8---8---8---8---8---8---8---8---8---8---8---8 


From your export file, import the users into IPA using the admin tools
and set the original hashed password:

# ipa user-add [username] --setattr userpassword={crypt}yourencryptedpass
---8---8---8---8---8---8---8---8---8---8---8---8---8---8---



--

Nicola Canepa
Tel: +39-0522-399-3474
canep...@mmfg.it
---
Il contenuto della presente comunicazione è riservato e destinato 
esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona 
diversa dal destinatario sono proibite la diffusione, la distribuzione e la 
copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e 
di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati 
contenuti. La presente comunicazione (comprensiva dei documenti allegati) non 
avrà valore di proposta contrattuale e/o accettazione di proposte provenienti 
dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, 
nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può 
validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a 
ns. carico, se la presente non sia seguita da contratto sottoscritto dalle 
parti.

The content of the above communication is strictly confidential and reserved 
solely for the referred addressees. In the event of receipt by persons 
different from the addressee, copying, alteration and distribution are 
forbidden. If received by mistake we ask you to inform us and to destroy and/or 
delete from your computer without using the data herein contained. The present 
message (eventual annexes inclusive) shall not be considered a contractual 
proposal and/or acceptance of offer from the addressee, nor waiver recognizance 
of rights, debts  and/or credits, nor shall it be binding when not executed as 
a subsequent agreement by persons who could lawfully represent us. No 
pre-contractual liability shall apply to us when the present communication is 
not followed by any binding agreement between the parties.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Migrating from custom auth system

2015-07-09 Thread Alexander Bokovoy

On Thu, 09 Jul 2015, Nicola Canepa wrote:

Thank you Alexander.
If the previous password is not used, I could set an impossible-hash 
password (such as {crypt}*) and let users login authenticating 
trhough PAM?

How would you authenticate then? Remember that it is the hash in
userPassword attribute that is used for actual authentication. If
password-handling plugin cannot calculate to the same hash based on the
plain-text password it was supplied via LDAP bind, how would user
successfully authenticate?

If you migrate this way, you need password hashes, at least.
If you are going to issue users with new passwords, just create all of
them in IPA with these new passwords and ask them to login, at least
once, to IPA self-service.

Or I could put the user-add in the pam_exec script (but only if the 
user does not already exists).

I don't think is is sufficiently good, at least I wouldn't do it this
way.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Migrating from custom auth system

2015-07-09 Thread Alexander Bokovoy

On Thu, 09 Jul 2015, Nicola Canepa wrote:
OK, I'm sorry for the little information provided: I can't do 
migrate-ds, since I'm not coming from a DS (which can only be 
another LDAP server, I guess).
The only thing I can expect is that users will login to one of the 
applicazions which I put under FreeIPA authentication.
So I mixed the NIS migration documentation (maintaining passwords) 
with the migration mode, hoping it was what I was looking for.

If you did create your users the same way as proposed with NIS
migration, then they wouldn't be different from what would have happened
with 'ipa migrate-ds'. End result, you have user entries in LDAP with
passwords set to their hashes in the previous system and no Kerberos
attributes.


Is there a way so that users are created in FreeIPA once they login in
this way?

*You* need to create them. 
http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
walks you through that:

---8---8---8---8---8---8---8---8---8---8---8---8---8---8---8

From your export file, import the users into IPA using the admin tools

and set the original hashed password:

# ipa user-add [username] --setattr userpassword={crypt}yourencryptedpass
---8---8---8---8---8---8---8---8---8---8---8---8---8---8---

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project