Re: [Freeipa-users] Migrating from custom auth system
On Thu, 09 Jul 2015, Nicola Canepa wrote: If I enable the PAM plugin of 389-ds, I'm able to let users be authenticated by PAM, even if the user is not present il LDAP, hence the plain-text password is passed to PAM. The only missing step is: if PAM correctly authenticates a non-existing user, it should be created (using the just supplied password). I have feeling you are overcomplicating things for yourself. You don't need PAM plugin of 389-ds to be enabled or used with FreeIPA. All you need is to create your users in IPA, assign them some temporary passwords, let them visit https://ipa.example.com/ipa/ui/reset_password.html, set up your web app to authenticate via PAM like http://www.freeipa.org/page/Web_App_Authentication explains, and you are done. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Migrating from custom auth system
On 07/09/2015 08:36 AM, Nicola Canepa wrote: If I enable the PAM plugin of 389-ds, I'm able to let users be authenticated by PAM, even if the user is not present il LDAP, hence the plain-text password is passed to PAM. The only missing step is: if PAM correctly authenticates a non-existing user, it should be created (using the just supplied password). The 389-ds PAM passthrough auth plugin can't add users. You would have to add some additional functionality to either PAM, or another 389-ds plugin. Nicola Il 09/07/15 15:20, Alexander Bokovoy ha scritto: On Thu, 09 Jul 2015, Nicola Canepa wrote: Thank you Alexander. If the previous password is not used, I could set an impossible-hash password (such as "{crypt}*") and let users login authenticating trhough PAM? How would you authenticate then? Remember that it is the hash in userPassword attribute that is used for actual authentication. If password-handling plugin cannot calculate to the same hash based on the plain-text password it was supplied via LDAP bind, how would user successfully authenticate? If you migrate this way, you need password hashes, at least. If you are going to issue users with new passwords, just create all of them in IPA with these new passwords and ask them to login, at least once, to IPA self-service. Or I could put the "user-add" in the pam_exec script (but only if the user does not already exists). I don't think is is sufficiently good, at least I wouldn't do it this way. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Migrating from custom auth system
If I enable the PAM plugin of 389-ds, I'm able to let users be authenticated by PAM, even if the user is not present il LDAP, hence the plain-text password is passed to PAM. The only missing step is: if PAM correctly authenticates a non-existing user, it should be created (using the just supplied password). Nicola Il 09/07/15 15:20, Alexander Bokovoy ha scritto: On Thu, 09 Jul 2015, Nicola Canepa wrote: Thank you Alexander. If the previous password is not used, I could set an impossible-hash password (such as "{crypt}*") and let users login authenticating trhough PAM? How would you authenticate then? Remember that it is the hash in userPassword attribute that is used for actual authentication. If password-handling plugin cannot calculate to the same hash based on the plain-text password it was supplied via LDAP bind, how would user successfully authenticate? If you migrate this way, you need password hashes, at least. If you are going to issue users with new passwords, just create all of them in IPA with these new passwords and ask them to login, at least once, to IPA self-service. Or I could put the "user-add" in the pam_exec script (but only if the user does not already exists). I don't think is is sufficiently good, at least I wouldn't do it this way. -- Nicola Canepa Tel: +39-0522-399-3474 canep...@mmfg.it --- Il contenuto della presente comunicazione è riservato e destinato esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona diversa dal destinatario sono proibite la diffusione, la distribuzione e la copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati contenuti. La presente comunicazione (comprensiva dei documenti allegati) non avrà valore di proposta contrattuale e/o accettazione di proposte provenienti dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a ns. carico, se la presente non sia seguita da contratto sottoscritto dalle parti. The content of the above communication is strictly confidential and reserved solely for the referred addressees. In the event of receipt by persons different from the addressee, copying, alteration and distribution are forbidden. If received by mistake we ask you to inform us and to destroy and/or delete from your computer without using the data herein contained. The present message (eventual annexes inclusive) shall not be considered a contractual proposal and/or acceptance of offer from the addressee, nor waiver recognizance of rights, debts and/or credits, nor shall it be binding when not executed as a subsequent agreement by persons who could lawfully represent us. No pre-contractual liability shall apply to us when the present communication is not followed by any binding agreement between the parties. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Migrating from custom auth system
On Thu, 09 Jul 2015, Nicola Canepa wrote: Thank you Alexander. If the previous password is not used, I could set an impossible-hash password (such as "{crypt}*") and let users login authenticating trhough PAM? How would you authenticate then? Remember that it is the hash in userPassword attribute that is used for actual authentication. If password-handling plugin cannot calculate to the same hash based on the plain-text password it was supplied via LDAP bind, how would user successfully authenticate? If you migrate this way, you need password hashes, at least. If you are going to issue users with new passwords, just create all of them in IPA with these new passwords and ask them to login, at least once, to IPA self-service. Or I could put the "user-add" in the pam_exec script (but only if the user does not already exists). I don't think is is sufficiently good, at least I wouldn't do it this way. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Migrating from custom auth system
Thank you Alexander. If the previous password is not used, I could set an impossible-hash password (such as "{crypt}*") and let users login authenticating trhough PAM? Or I could put the "user-add" in the pam_exec script (but only if the user does not already exists). I'll test both ways. Nicola Il 09/07/15 14:44, Alexander Bokovoy ha scritto: On Thu, 09 Jul 2015, Nicola Canepa wrote: OK, I'm sorry for the little information provided: I can't do migrate-ds, since I'm not coming from a "DS" (which can only be another LDAP server, I guess). The only thing I can expect is that users will login to one of the applicazions which I put under FreeIPA authentication. So I mixed the "NIS migration" documentation (maintaining passwords) with the "migration mode", hoping it was what I was looking for. If you did create your users the same way as proposed with NIS migration, then they wouldn't be different from what would have happened with 'ipa migrate-ds'. End result, you have user entries in LDAP with passwords set to their hashes in the previous system and no Kerberos attributes. Is there a way so that users are created in FreeIPA once they login in this way? *You* need to create them. http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords walks you through that: --->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8 From your export file, import the users into IPA using the admin tools and set the original hashed password: # ipa user-add [username] --setattr userpassword={crypt}yourencryptedpass ---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<--- -- Nicola Canepa Tel: +39-0522-399-3474 canep...@mmfg.it --- Il contenuto della presente comunicazione è riservato e destinato esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona diversa dal destinatario sono proibite la diffusione, la distribuzione e la copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati contenuti. La presente comunicazione (comprensiva dei documenti allegati) non avrà valore di proposta contrattuale e/o accettazione di proposte provenienti dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a ns. carico, se la presente non sia seguita da contratto sottoscritto dalle parti. The content of the above communication is strictly confidential and reserved solely for the referred addressees. In the event of receipt by persons different from the addressee, copying, alteration and distribution are forbidden. If received by mistake we ask you to inform us and to destroy and/or delete from your computer without using the data herein contained. The present message (eventual annexes inclusive) shall not be considered a contractual proposal and/or acceptance of offer from the addressee, nor waiver recognizance of rights, debts and/or credits, nor shall it be binding when not executed as a subsequent agreement by persons who could lawfully represent us. No pre-contractual liability shall apply to us when the present communication is not followed by any binding agreement between the parties. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Migrating from custom auth system
On Thu, 09 Jul 2015, Nicola Canepa wrote: OK, I'm sorry for the little information provided: I can't do migrate-ds, since I'm not coming from a "DS" (which can only be another LDAP server, I guess). The only thing I can expect is that users will login to one of the applicazions which I put under FreeIPA authentication. So I mixed the "NIS migration" documentation (maintaining passwords) with the "migration mode", hoping it was what I was looking for. If you did create your users the same way as proposed with NIS migration, then they wouldn't be different from what would have happened with 'ipa migrate-ds'. End result, you have user entries in LDAP with passwords set to their hashes in the previous system and no Kerberos attributes. Is there a way so that users are created in FreeIPA once they login in this way? *You* need to create them. http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords walks you through that: --->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8 From your export file, import the users into IPA using the admin tools and set the original hashed password: # ipa user-add [username] --setattr userpassword={crypt}yourencryptedpass ---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<--- -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Migrating from custom auth system
OK, I'm sorry for the little information provided: I can't do migrate-ds, since I'm not coming from a "DS" (which can only be another LDAP server, I guess). The only thing I can expect is that users will login to one of the applicazions which I put under FreeIPA authentication. So I mixed the "NIS migration" documentation (maintaining passwords) with the "migration mode", hoping it was what I was looking for. Is there a way so that users are created in FreeIPA once they login in this way? From what you said, I need to use SSSD (I'm going to read the docs ASAP). Is migration mode only used when I also use "ipa migrate-ds"? Thank you very much. Nicola Il 09/07/15 14:08, Alexander Bokovoy ha scritto: Nicola, perhaps it would help if you explain what did you mean by saying below My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP users not created by IPA. When you enabled migration mode and actually migrated users with 'ipa migrate-ds' command, you will have those users in IPA and they will be able to authenticate via LDAP with their old passwords. If your server (where your web app would be running) is enrolled into IPA, then it would be already running SSSD and set up for using it via pam_sss. Then configuring your web app to authenticate via PAM stack (for example, like we explain on http://www.freeipa.org/page/Web_App_Authentication) takes care of properly logging in and updating passwords. SSSD knows about migration mode and has support for it. On Thu, 09 Jul 2015, Nicola Canepa wrote: I don't understand the question: aren't users created by IPA command line the same as if they are created via the web GUI? Nicola Il 09/07/15 13:05, Jan Pazdziora ha scritto: On Thu, Jul 09, 2015 at 11:33:23AM +0200, Nicola Canepa wrote: Hello. I was trying Freeipa as an addition and (maybe) future replacement for the current SSO solution (custom and only for web apps). I was able to authenticate (via pam_exec) LDAP users on the legacy system. My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP users not created by IPA. I enabled migration mode in Freeipa, so that authenticated users should get Kerberos hash created upon first login, but I don't know how to make users login without creating them in advance. Is there a (suggested) way to let users authenticate via Kerberos and create users authenticated by PAM upon first login? Create user where -- in the Web application or in FreeIPA? -- Nicola Canepa Tel: +39-0522-399-3474 canep...@mmfg.it --- Il contenuto della presente comunicazione è riservato e destinato esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona diversa dal destinatario sono proibite la diffusione, la distribuzione e la copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati contenuti. La presente comunicazione (comprensiva dei documenti allegati) non avrà valore di proposta contrattuale e/o accettazione di proposte provenienti dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a ns. carico, se la presente non sia seguita da contratto sottoscritto dalle parti. The content of the above communication is strictly confidential and reserved solely for the referred addressees. In the event of receipt by persons different from the addressee, copying, alteration and distribution are forbidden. If received by mistake we ask you to inform us and to destroy and/or delete from your computer without using the data herein contained. The present message (eventual annexes inclusive) shall not be considered a contractual proposal and/or acceptance of offer from the addressee, nor waiver recognizance of rights, debts and/or credits, nor shall it be binding when not executed as a subsequent agreement by persons who could lawfully represent us. No pre-contractual liability shall apply to us when the present communication is not followed by any binding agreement between the parties. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- Nicola Canepa Tel: +39-0522-399-3474 canep...@mmfg.it --- Il contenuto della presente comunicazione è riservato e destinato esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona diversa dal destinatario sono proibite la diffusione, la distribuzione e la copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati contenuti. La presente comunicazione (comprensiva dei documenti allegati) non avrà valore di proposta contrattuale e/o a
Re: [Freeipa-users] Migrating from custom auth system
Nicola, perhaps it would help if you explain what did you mean by saying below My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP users not created by IPA. When you enabled migration mode and actually migrated users with 'ipa migrate-ds' command, you will have those users in IPA and they will be able to authenticate via LDAP with their old passwords. If your server (where your web app would be running) is enrolled into IPA, then it would be already running SSSD and set up for using it via pam_sss. Then configuring your web app to authenticate via PAM stack (for example, like we explain on http://www.freeipa.org/page/Web_App_Authentication) takes care of properly logging in and updating passwords. SSSD knows about migration mode and has support for it. On Thu, 09 Jul 2015, Nicola Canepa wrote: I don't understand the question: aren't users created by IPA command line the same as if they are created via the web GUI? Nicola Il 09/07/15 13:05, Jan Pazdziora ha scritto: On Thu, Jul 09, 2015 at 11:33:23AM +0200, Nicola Canepa wrote: Hello. I was trying Freeipa as an addition and (maybe) future replacement for the current SSO solution (custom and only for web apps). I was able to authenticate (via pam_exec) LDAP users on the legacy system. My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP users not created by IPA. I enabled migration mode in Freeipa, so that authenticated users should get Kerberos hash created upon first login, but I don't know how to make users login without creating them in advance. Is there a (suggested) way to let users authenticate via Kerberos and create users authenticated by PAM upon first login? Create user where -- in the Web application or in FreeIPA? -- Nicola Canepa Tel: +39-0522-399-3474 canep...@mmfg.it --- Il contenuto della presente comunicazione è riservato e destinato esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona diversa dal destinatario sono proibite la diffusione, la distribuzione e la copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati contenuti. La presente comunicazione (comprensiva dei documenti allegati) non avrà valore di proposta contrattuale e/o accettazione di proposte provenienti dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a ns. carico, se la presente non sia seguita da contratto sottoscritto dalle parti. The content of the above communication is strictly confidential and reserved solely for the referred addressees. In the event of receipt by persons different from the addressee, copying, alteration and distribution are forbidden. If received by mistake we ask you to inform us and to destroy and/or delete from your computer without using the data herein contained. The present message (eventual annexes inclusive) shall not be considered a contractual proposal and/or acceptance of offer from the addressee, nor waiver recognizance of rights, debts and/or credits, nor shall it be binding when not executed as a subsequent agreement by persons who could lawfully represent us. No pre-contractual liability shall apply to us when the present communication is not followed by any binding agreement between the parties. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Migrating from custom auth system
I don't understand the question: aren't users created by IPA command line the same as if they are created via the web GUI? Nicola Il 09/07/15 13:05, Jan Pazdziora ha scritto: On Thu, Jul 09, 2015 at 11:33:23AM +0200, Nicola Canepa wrote: Hello. I was trying Freeipa as an addition and (maybe) future replacement for the current SSO solution (custom and only for web apps). I was able to authenticate (via pam_exec) LDAP users on the legacy system. My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP users not created by IPA. I enabled migration mode in Freeipa, so that authenticated users should get Kerberos hash created upon first login, but I don't know how to make users login without creating them in advance. Is there a (suggested) way to let users authenticate via Kerberos and create users authenticated by PAM upon first login? Create user where -- in the Web application or in FreeIPA? -- Nicola Canepa Tel: +39-0522-399-3474 canep...@mmfg.it --- Il contenuto della presente comunicazione è riservato e destinato esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona diversa dal destinatario sono proibite la diffusione, la distribuzione e la copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati contenuti. La presente comunicazione (comprensiva dei documenti allegati) non avrà valore di proposta contrattuale e/o accettazione di proposte provenienti dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a ns. carico, se la presente non sia seguita da contratto sottoscritto dalle parti. The content of the above communication is strictly confidential and reserved solely for the referred addressees. In the event of receipt by persons different from the addressee, copying, alteration and distribution are forbidden. If received by mistake we ask you to inform us and to destroy and/or delete from your computer without using the data herein contained. The present message (eventual annexes inclusive) shall not be considered a contractual proposal and/or acceptance of offer from the addressee, nor waiver recognizance of rights, debts and/or credits, nor shall it be binding when not executed as a subsequent agreement by persons who could lawfully represent us. No pre-contractual liability shall apply to us when the present communication is not followed by any binding agreement between the parties. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Migrating from custom auth system
On Thu, Jul 09, 2015 at 11:33:23AM +0200, Nicola Canepa wrote: > Hello. > I was trying Freeipa as an addition and (maybe) future replacement for the > current SSO solution (custom and only for web apps). > I was able to authenticate (via pam_exec) LDAP users on the legacy system. > My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP > users not created by IPA. > > I enabled migration mode in Freeipa, so that authenticated users should get > Kerberos hash created upon first login, but I don't know how to make users > login without creating them in advance. > > Is there a (suggested) way to let users authenticate via Kerberos and create > users authenticated by PAM upon first login? Create user where -- in the Web application or in FreeIPA? -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project