Re: [Freeipa-users] authentication against compat
On Fri, Feb 14, 2014 at 09:36:33AM +0200, Alexander Bokovoy wrote:
> On Thu, 13 Feb 2014, Steve Dainard wrote:
> > If IPA is a centrally managed identity and access control system, should
> > these configurations not be passed to clients, rather than every client
> > needing configuration changes post join?
>
> [...]
>
> The next step is to integrate configuration of it in ipa-client-install so
> that clients will get set up properly if there are SUDO rules configured on
> the server or ipa-client-install was actually given a blessing from the admin
> (via CLI option or answering a question). It takes time and effort.
>
> Unsurprisingly, this is a relatively minor feature in the grand picture
> because we have dozens of such features all asking for attention and time,
> and our development teams are not expanding infinitely regardless of how we
> all wished. :)
>
> Any help is welcome!

By the way, the native sudo backend is being worked on actively by an external
contributor in the form of a thesis. We expect to have it implemented by May.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] authentication against compat
On Wed, Feb 12, 2014 at 03:35:58PM -0800, Will Sheldon wrote:
> Is SSSD working for IPA sudo now?

It was working even before, just with a bit of manual config. As I said in the
reply you quoted, you just had to configure 'sudo_provider=ldap'.

> I saw this from Jakub Hrozek in this list a little while back:
>
> > Unfortunately with 6.5 there is still no sudo ipa provider, there might be
> > one in 6.6. So in order to download the sudo rules you need to configure
> > the LDAP sudo provider manually.

sudo_provider=ipa is included in 1.9.6 and also all recent versions (1.11.x).
We're thinking about including a newer version in RHEL-6.6, where
sudo_provider=ipa would be included as well.
Re: [Freeipa-users] authentication against compat
Is this server or client side where sudo_provider=ipa is included in ver
1.11.x? My Fedora 20 client doesn't have this option listed, or is it baked in?

Steve Dainard
IT Infrastructure Manager
Miovision http://miovision.com/ | Rethink Traffic
Blog http://miovision.com/blog | LinkedIn https://www.linkedin.com/company/miovision-technologies | Twitter https://twitter.com/miovision | Facebook https://www.facebook.com/miovision
--
Miovision Technologies Inc. | 148 Manitou Drive, Suite 101, Kitchener, ON, Canada | N2C 1L3
This e-mail may contain information that is privileged or confidential. If you are not the intended recipient, please delete the e-mail and any attachments and notify us immediately.

On Thu, Feb 13, 2014 at 3:46 AM, Jakub Hrozek jhro...@redhat.com wrote:
> sudo_provider=ipa is included in 1.9.6 and also all recent versions (1.11.x).
> We're thinking about including a newer version in RHEL-6.6, where
> sudo_provider=ipa would be included as well.
Re: [Freeipa-users] authentication against compat
On Thu, Feb 13, 2014 at 03:05:07PM -0500, Steve Dainard wrote:
> Is this server or client side where sudo_provider=ipa is included in ver
> 1.11.x?

Client side (sssd)

> My fedora 20 client doesn't have this option listed, or is it baked in?

Where exactly do you see the documentation lacking, perhaps the sssd-ipa man
page, or the sssd-sudo man page? I agree that docs are important, but my view
might be skewed because I know the internals..

All that should be required with 1.9.6 or 1.11.x is:

    sudo_provider=ipa

And enabling the 'sss' module in /etc/nsswitch.conf:

    sudoers: files sss

That's it. Please let us know if you find any bugs in code or docs.
Re: [Freeipa-users] authentication against compat
I don't think this is an issue of bugs or documentation, more of design.
Perhaps there's someplace other than a users list this belongs in, but: if IPA
is a centrally managed identity and access control system, should these
configurations not be passed to clients, rather than every client needing
configuration changes post join? Obviously I can automate config changes, but
why would I want to? I don't think sudoers priv is a fringe case; it's pretty
much THE case for access/admin control. I cringe to compare to a Windows
domain, but I don't have to manually tell a domain client that it should
respect the rules I set on a domain controller, I joined it to the domain for
this reason.

Maybe you're working towards this, but in the meantime it would be great if
the options existed in the config files so we immediately know what options
are available and can comment/uncomment them rather than searching around man
pages for options that might exist.

I believe you were looking for a documentation bug:

# man sssd-sudo
    To enable SSSD as a source for sudo rules, add sss to the sudoers entry in
    nsswitch.conf(5). For example, to configure sudo to first lookup rules in
    the standard sudoers(5) file (which should contain rules that apply to
    local users) and then in SSSD, the nsswitch.conf file should contain the
    following line:

        sudoers: files sss

# /etc/nsswitch.conf
    #
    # An example Name Service Switch config file. This file should be
    # sorted with the most-used services at the beginning.
    #
    # The entry '[NOTFOUND=return]' means that the search for an
    # entry should stop if the search in the previous entry turned
    # up nothing. Note that if the search failed due to some other reason
    # (like no NIS server responding) then the search continues with the
    # next entry.
    #
    # Valid entries include:
    #
    #   nisplus                 Use NIS+ (NIS version 3)
    #   nis                     Use NIS (NIS version 2), also called YP
    #   dns                     Use DNS (Domain Name Service)
    #   files                   Use the local files
    #   db                      Use the local database (.db) files
    #   compat                  Use NIS on compat mode
    #   hesiod                  Use Hesiod for user lookups
    #   [NOTFOUND=return]       Stop searching if not found so far
    #
    # To use db, put the db in front of files for entries you want to be
    # looked up first in the databases
    #
    # Example:
    #passwd:    db files nisplus nis
    #shadow:    db files nisplus nis
    #group:     db files nisplus nis

    passwd:     files sss
    shadow:     files sss
    group:      files sss
    #initgroups: files

    #hosts:     db files nisplus nis dns
    hosts:      files mdns4_minimal [NOTFOUND=return] dns

    # Example - obey only what nisplus tells us...
    #services:   nisplus [NOTFOUND=return] files
    #networks:   nisplus [NOTFOUND=return] files
    #protocols:  nisplus [NOTFOUND=return] files
    #rpc:        nisplus [NOTFOUND=return] files
    #ethers:     nisplus [NOTFOUND=return] files
    #netmasks:   nisplus [NOTFOUND=return] files

    bootparams: nisplus [NOTFOUND=return] files

    ethers:     files
    netmasks:   files
    networks:   files
    protocols:  files
    rpc:        files
    services:   files sss

    netgroup:   files sss

    publickey:  nisplus

    automount:  files sss
    aliases:    files nisplus

Entry does not exist.

Steve Dainard
IT Infrastructure Manager
Miovision

On Thu, Feb 13, 2014 at 5:15 PM, Jakub Hrozek jhro...@redhat.com wrote:
> All that should be required with 1.9.6 or 1.11.x is:
>
>     sudo_provider=ipa
>
> And enabling the 'sss' module in /etc/nsswitch.conf:
>
>     sudoers: files sss
>
> That's it. Please let us know if you find any bugs in code or docs.
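A client-side check for the two settings named above (sudo_provider=ipa in sssd.conf and "sudoers: files sss" in nsswitch.conf), plus the sudo responder in the [sssd] services list that sssd-sudo(5) also requires. This is an added example, not code from the FreeIPA or SSSD projects; the config file contents are constructed samples showing an unconfigured client beside the corrected one.

```python
"""Check whether an IPA client is set up to fetch sudo rules through SSSD.

Added example, not code from the FreeIPA or SSSD projects. It applies the two
settings the thread names (sudo_provider=ipa in sssd.conf, "sudoers: files sss"
in nsswitch.conf) plus the sudo responder in the [sssd] services list, which
sssd-sudo(5) also requires. The config texts below are constructed samples.
"""
import configparser
import re

# Constructed: a freshly joined client without the sudo settings.
WEAK_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ipa
auth_provider = ipa
ipa_server = ipa.example.test
"""

WEAK_NSSWITCH = """\
# constructed /etc/nsswitch.conf excerpt: no sudoers entry at all
passwd:     files sss
group:      files sss
netgroup:   files sss
"""

# Constructed: the same files with the settings from the thread applied.
FIXED_SSSD_CONF = """\
[sssd]
services = nss, pam, sudo
domains = example.test

[domain/example.test]
id_provider = ipa
auth_provider = ipa
sudo_provider = ipa
ipa_server = ipa.example.test
"""

FIXED_NSSWITCH = WEAK_NSSWITCH + "sudoers:    files sss\n"

NSS_LINE = re.compile(r"^(\w+)\s*:\s*(.*)$")


def nsswitch_sources(text, database):
    """Ordered source list for one nsswitch database, e.g. ['files', 'sss'];
    empty when the database line is missing. Action items such as
    [NOTFOUND=return] are not sources and are dropped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = NSS_LINE.match(line)
        if m and m.group(1) == database:
            return [tok for tok in m.group(2).split() if not tok.startswith("[")]
    return []


def check_sudo_integration(sssd_conf_text, nsswitch_text):
    """Return findings; an empty 'problems' list means sudo rules will be
    looked up from IPA via SSSD."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    problems = []

    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",") if s.strip()]
    if "sudo" not in services:
        problems.append("sssd.conf: 'sudo' responder missing from [sssd] services")

    domains = [s for s in cp.sections() if s.startswith("domain/")]
    if not domains:
        problems.append("sssd.conf: no [domain/...] section")
    for dom in domains:
        provider = cp.get(dom, "sudo_provider", fallback=None)
        if provider is None:
            problems.append(f"sssd.conf [{dom}]: sudo_provider not set (thread: sudo_provider=ipa)")
        elif provider not in ("ipa", "ldap"):
            problems.append(f"sssd.conf [{dom}]: sudo_provider={provider} does not read IPA rules")

    sources = nsswitch_sources(nsswitch_text, "sudoers")
    if "sss" not in sources:
        problems.append("nsswitch.conf: sudoers line lacks 'sss' (expected 'sudoers: files sss')")

    return {"services": services, "sudoers_sources": sources, "problems": problems}


if __name__ == "__main__":
    for label, conf, nss in (("weak", WEAK_SSSD_CONF, WEAK_NSSWITCH),
                             ("fixed", FIXED_SSSD_CONF, FIXED_NSSWITCH)):
        result = check_sudo_integration(conf, nss)
        print(f"{label}: {result['problems'] or 'OK'}")
```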
Re: [Freeipa-users] authentication against compat
On 02/13/2014 06:04 PM, Steve Dainard wrote:
> I don't think this is an issue of bugs or documentation, more of design.
> Perhaps there's someplace other than a users list this belongs in, but: if
> IPA is a centrally managed identity and access control system, should these
> configurations not be passed to clients, rather than every client needing
> configuration changes post join? Obviously I can automate config changes,
> but why would I want to? I don't think sudoers priv is a fringe case; it's
> pretty much THE case for access/admin control. I cringe to compare to a
> Windows domain, but I don't have to manually tell a domain client that it
> should respect the rules I set on a domain controller, I joined it to the
> domain for this reason.
>
> Maybe you're working towards this, but in the meantime it would be great if
> the options existed in the config files so we immediately know what options
> are available and can comment/uncomment them rather than searching around
> man pages for options that might exist.
>
> [...]

Managing configuration files is outside of the scope of IPA or SSSD. We looked
at this at the beginning of the IPA project and got a push back from
Re: [Freeipa-users] authentication against compat
On Thu, 13 Feb 2014, Steve Dainard wrote:
> I don't think this is an issue of bugs or documentation, more of design.
> Perhaps there's someplace other than a users list this belongs in, but: if
> IPA is a centrally managed identity and access control system, should these
> configurations not be passed to clients, rather than every client needing
> configuration changes post join? Obviously I can automate config changes,
> but why would I want to? I don't think sudoers priv is a fringe case; it's
> pretty much THE case for access/admin control. I cringe to compare to a
> Windows domain, but I don't have to manually tell a domain client that it
> should respect the rules I set on a domain controller, I joined it to the
> domain for this reason.

When the majority of expected features are already implemented, it is easy to
fall into the assumption that everything has to be complete from the start.
That's understandable, but we are dealing with a living and evolving project
where a feature addition often means integrating across multiple actual free
software projects, all with their own priorities and schedules, step by step,
or things will never happen.

SUDO integration is not an exception here. First we needed to expand SUDO's
support for external plugins. When SUDO data was placed in LDAP, it appeared
that the existing schema isn't really optimal, so the FreeIPA schema was
designed better (but incompatible with the existing one from SUDO LDAP), which
required a compatibility part to work with the existing SUDO LDAP plugin.
Next, we implemented a SUDO provider in SSSD for the existing SUDO LDAP schema
as it gave SSSD wider coverage of SUDO support. Now we have implemented support
for the native FreeIPA schema. The next step is to integrate configuration of
it in ipa-client-install so that clients will get set up properly if there are
SUDO rules configured on the server or ipa-client-install was actually given a
blessing from the admin (via CLI option or answering a question). It takes
time and effort.

Unsurprisingly, this is a relatively minor feature in the grand picture
because we have dozens of such features all asking for attention and time, and
our development teams are not expanding infinitely regardless of how we all
wished. :)

Any help is welcome!
--
/ Alexander Bokovoy
Re: [Freeipa-users] authentication against compat
On Wed, 12 Feb 2014, Tamas Papp wrote:
> hi All,
>
> $ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w `cat pw`
> ldap_bind: Referral (10)
>         referrals:
>                 ldap:///uid=USER,cn=users,cn=accounts,dc=foo
>
> [12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from ::1 to ::1
> [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND dn=uid=USER,cn=users,cn=compat,dc=foo method=128 version=3
> [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97 nentries=0 etime=0
> [12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1
>
> System is CentOS 6.5 and ldap was migrated from IPA 3.3 (Fedora 20).
> Non-compat authentication works fine and authorization against compat is
> also fine.
>
> What is err=10?

The slapi-nis module in RHEL 6.x (and CentOS) does not support bind against
the compat tree. We added this feature only in Fedora 20 (and RHEL 7 beta).
In older versions slapi-nis issues an LDAP referral to the original LDAP entry
with the hope that an LDAP client would follow it and perform a bind against
the referral. Unfortunately, there is virtually no client software that
supports the referral on bind operation.

In short, you cannot do LDAP bind against the compat tree in RHEL before 7.0.
--
/ Alexander Bokovoy
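A way to spot this failure mode on the server side, by correlating BIND and RESULT lines of the 389-ds access log and flagging binds against cn=compat that were answered with err=10 (the referral the client never follows). This is an added example, not code from FreeIPA, 389-ds or slapi-nis; the log lines are constructed after the ones quoted above, and the compat-to-accounts DN rewrite follows the referral shown in the post.

```python
"""Find LDAP binds against the FreeIPA compat tree that the server answered
with a referral (err=10), the symptom described in the thread for slapi-nis
on RHEL/CentOS 6 before the BIND support added in IPA 3.3 / Fedora 20.

Added example, not code from FreeIPA, 389-ds or slapi-nis. The access-log
lines below are constructed after the ones quoted in the thread (389-ds
access-log format: conn= and op= tie a BIND request to its RESULT line).
"""
import re

LDAP_REFERRAL = 10  # LDAP resultCode "referral"

# Constructed sample: one failing compat bind (as in the thread) and one
# successful bind against the real entry under cn=accounts.
SAMPLE_ACCESS_LOG = """\
[12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from ::1 to ::1
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND dn="uid=USER,cn=users,cn=compat,dc=foo" method=128 version=3
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97 nentries=0 etime=0
[12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1
[12/Feb/2014:12:55:02 +0100] conn=25364 fd=80 slot=80 connection from 192.0.2.10 to 192.0.2.5
[12/Feb/2014:12:55:02 +0100] conn=25364 op=0 BIND dn="uid=USER,cn=users,cn=accounts,dc=foo" method=128 version=3
[12/Feb/2014:12:55:02 +0100] conn=25364 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to')
# The thread's quoted lines lost the quotes around the DN, so accept both forms.
BIND_RE = re.compile(r'conn=(\d+) op=(-?\d+) BIND dn="?([^"\s]*)"?')
RESULT_RE = re.compile(r'conn=(\d+) op=(-?\d+) RESULT err=(\d+)')


def is_compat_dn(dn):
    """True when the DN lies under the slapi-nis compat tree (an RDN of cn=compat)."""
    return "cn=compat" in [rdn.strip().lower() for rdn in dn.split(",")]


def referral_target(compat_dn):
    """Rewrite a compat-tree DN to the original entry's DN, following the
    referral shown in the thread (cn=compat -> cn=accounts)."""
    rdns = [rdn.strip() for rdn in compat_dn.split(",")]
    return ",".join("cn=accounts" if rdn.lower() == "cn=compat" else rdn for rdn in rdns)


def find_compat_bind_referrals(log_text):
    """Return one record per BIND against cn=compat whose RESULT was err=10,
    with the client address taken from the matching 'connection from' line."""
    clients = {}        # conn id -> client address
    pending_binds = {}  # (conn, op) -> bind DN awaiting its RESULT line
    findings = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            clients[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            pending_binds[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            dn = pending_binds.pop((m.group(1), m.group(2)), None)
            if dn is not None and int(m.group(3)) == LDAP_REFERRAL and is_compat_dn(dn):
                findings.append({
                    "conn": m.group(1),
                    "client": clients.get(m.group(1), "?"),
                    "bind_dn": dn,
                    "referral_target": referral_target(dn),
                })
    return findings


if __name__ == "__main__":
    for f in find_compat_bind_referrals(SAMPLE_ACCESS_LOG):
        print(f"conn={f['conn']} client={f['client']} bound as {f['bind_dn']}; "
              f"server referred to {f['referral_target']} (client did not follow it)")
```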
Re: [Freeipa-users] authentication against compat
On 02/12/2014 01:07 PM, Alexander Bokovoy wrote:
> The slapi-nis module in RHEL 6.x (and CentOS) does not support bind against
> the compat tree. We added this feature only in Fedora 20 (and RHEL 7 beta).
> In older versions slapi-nis issues an LDAP referral to the original LDAP
> entry with the hope that an LDAP client would follow it and perform a bind
> against the referral. Unfortunately, there is virtually no client software
> that supports the referral on bind operation.
>
> In short, you cannot do LDAP bind against the compat tree in RHEL before 7.0.

I forgot to mention, the client would be Ubuntu 12.04 and it works/worked with
IPA 3.3 and F20.

If I understand correctly, you're referring to the client side, are you? Or is
it true for the server side as well?

Thanks,
tamas
Re: [Freeipa-users] authentication against compat
On Wed, 12 Feb 2014, Tamas Papp wrote:
> I forgot to mention, the client would be Ubuntu 12.04 and it works/worked
> with IPA 3.3 and F20.

It worked with IPA 3.3 because of what I wrote above -- I implemented LDAP
BIND authentication in slapi-nis in IPA 3.3 instead of issuing an LDAP
referral to the original entry's DN.

> If I understand correctly, you're referring to the client side, are you?

No.

> Or is it true for the server side as well?

It is a purely server-side issue. slapi-nis 0.47.5 does not support proper
authentication against the compat tree that LDAP clients understand.
--
/ Alexander Bokovoy
Re: [Freeipa-users] authentication against compat
On 02/12/2014 01:34 PM, Alexander Bokovoy wrote:
> It worked with IPA 3.3 because of what I wrote above -- I implemented LDAP
> BIND authentication in slapi-nis in IPA 3.3 instead of issuing an LDAP
> referral to the original entry's DN.
>
> It is a purely server-side issue. slapi-nis 0.47.5 does not support proper
> authentication against the compat tree that LDAP clients understand.

OK, that's clear now.

Sorry, I wasn't aware of slapi-nis behaviour :)

Thanks,
tamas
Re: [Freeipa-users] authentication against compat
On 02/12/2014 01:34 PM, Alexander Bokovoy wrote:
> It is a purely server-side issue. slapi-nis 0.47.5 does not support proper
> authentication against the compat tree that LDAP clients understand.

Actually I'd like to authenticate shell users on Ubuntu.

For the record, I figured out that switching from nscd to nslcd did the trick.

Thanks,
tamas
Re: [Freeipa-users] authentication against compat
On 12.2.2014 15:01, Tamas Papp wrote:
> Actually I'd like to authenticate shell users on Ubuntu.
>
> For the record, I figured out that switching from nscd to nslcd did the
> trick.

BTW, why don't you use SSSD? It is packaged for Ubuntu for sure. NSCD is ...
obsolete. SSSD has some very nice features like off-line cache etc.

--
Petr^2 Spacek
Re: [Freeipa-users] authentication against compat
On 02/12/2014 03:04 PM, Petr Spacek wrote:
> On 12.2.2014 15:01, Tamas Papp wrote:
> > For the record, I figured out that switching from nscd to nslcd did the
> > trick.
>
> BTW, why don't you use SSSD? It is packaged for Ubuntu for sure. NSCD is
> ... obsolete. SSSD has some very nice features like off-line cache etc.

I don't know it. After a quick look I wasn't able to set it up correctly;
'id USER' didn't connect to its socket like with nscd/nslcd, even though
nsswitch.conf was configured.

Maybe with the upcoming 14.04, or do you have a working howto for 12.04?

Thx,
tamas
Re: [Freeipa-users] authentication against compat
On 02/12/2014 09:30 AM, Tamas Papp wrote: On 02/12/2014 03:04 PM, Petr Spacek wrote: On 12.2.2014 15:01, Tamas Papp wrote: On 02/12/2014 01:34 PM, Alexander Bokovoy wrote: On Wed, 12 Feb 2014, Tamas Papp wrote: On 02/12/2014 01:07 PM, Alexander Bokovoy wrote: On Wed, 12 Feb 2014, Tamas Papp wrote: hi All, $ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w `cat pw` ldap_bind: Referral (10) referrals: ldap:///uid=USER,cn=users,cn=accounts,dc=foo [12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from ::1 to ::1 [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND dn=uid=USER,cn=users,cn=compat,dc=foo method=128 version=3 [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97 nentries=0 etime=0 [12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1 System is Centos 6.5 and ldap was migrated from IPA 3.3 (Fedora 20). Non-compat authentication works fine and authorization against compat is also fine. What is err=10? slapi-nis module in RHEL 6.x (and CentOS) does not support bind against compat tree. We added this feature only in Fedora 20 (and RHEL 7 beta). In older versions slapi-nis issues LDAP referral to the original LDAP entry with the hope that an LDAP client would follow it and perform a bind against the referral. Unfortunately, there is virtually no client software that supports the referral on bind operation. In short, you cannot do LDAP bind against compat tree in RHEL before 7.0. I forgot to mention, the client would be Ubuntu 12.04 and it works/worked with IPA 3.3 and F20. It worked with IPA 3.3 because of what I wrote above -- I implemented LDAP BIND authentication in slapi-nis in IPA 3.3 instead of issuing LDAP referral to the original entry's DN. If I understand correctly, you're referring to the client side, are you? No. Or it is true for the server side as well? It is purely server-side issue. slapi-nis 0.47.5 does not support proper authentication against compat tree that LDAP clients understand. 
Actually I'd like to authenticate shell users on Ubuntu.

For the record, I figured out that switching from nscd to nslcd did the trick.

BTW why don't you use SSSD? It is packaged for Ubuntu for sure. NSCD is ... obsolete. SSSD has some very nice features like off-line cache etc.

I don't know it. After a quick look I wasn't able to set it up correctly, 'id USER' didn't connect to its socket like with nscd/nslcd, however nsswitch.conf was configured. Maybe with the upcoming 14.04 or do you have a working howto for 12.04?

Please check the SSSD web site for guidelines and if you have any questions do not hesitate to ask on the sssd-users list. SSSD is the best you can get nowadays for the connection of the client systems to the central identity stores. If you plan to use it with IPA you do not need to configure sssd manually. ipa-client-install will do the trick. Just install the ipa-client package and run the command.

Thx,
tamas

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
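For anyone who needs to find the same failure in a full 389-ds access log rather than by eye, here is an added example; it is not code from this thread, from FreeIPA or from SSSD. It pairs each BIND line with the RESULT line carrying the same conn/op and reports simple binds against the compat tree (any RDN equal to cn=compat) that the server answered with resultCode referral(10), which is exactly the symptom Alexander describes for slapi-nis before IPA 3.3. The sample log is constructed: conn=25363 is the message's own log, the other two connections (a successful bind and an invalid-credentials bind against cn=accounts) are made up to show the contrast. The regex accepts the DN both quoted, as 389-ds writes it, and unquoted, as it appears in the mail.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# LDAP resultCode values (RFC 4511) that matter for this thread.
LDAP_SUCCESS = 0
LDAP_REFERRAL = 10
LDAP_INVALID_CREDENTIALS = 49

# 389-ds access-log BIND and RESULT records. The dn is normally written
# as dn="..." but the copy in the mail lost the quotes, so both are accepted.
BIND_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>-?\d+) BIND dn="?(?P<dn>[^"\s]*)"? '
    r'method=(?P<method>\S+)'
)
RESULT_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>-?\d+) RESULT err=(?P<err>\d+)')


@dataclass
class BindOutcome:
    conn: int
    op: int
    dn: str
    method: str  # "128" is a simple bind, "sasl" a SASL bind
    err: int

    @property
    def against_compat(self) -> bool:
        # The bind DN lives in the compat tree when one of its RDNs is cn=compat.
        return "cn=compat" in [rdn.strip().lower() for rdn in self.dn.split(",")]


def pair_binds(lines: List[str]) -> List[BindOutcome]:
    """Match every BIND with the RESULT that has the same conn/op pair."""
    pending: Dict[Tuple[int, int], Tuple[str, str]] = {}
    outcomes: List[BindOutcome] = []
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            pending[(int(m["conn"]), int(m["op"]))] = (m["dn"], m["method"])
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (int(m["conn"]), int(m["op"]))
            if key in pending:  # RESULT lines of SRCH/MOD etc. have no pending BIND
                dn, method = pending.pop(key)
                outcomes.append(BindOutcome(key[0], key[1], dn, method, int(m["err"])))
    return outcomes


def compat_bind_referrals(lines: List[str]) -> List[BindOutcome]:
    """Binds against the compat tree that the server answered with referral(10)."""
    return [o for o in pair_binds(lines) if o.err == LDAP_REFERRAL and o.against_compat]


def summarize(lines: List[str]) -> Dict[Tuple[str, int], int]:
    """Count bind outcomes by (tree, resultCode) for a quick overview of a log."""
    counts: Dict[Tuple[str, int], int] = {}
    for o in pair_binds(lines):
        tree = "compat" if o.against_compat else "other"
        counts[(tree, o.err)] = counts.get((tree, o.err), 0) + 1
    return counts


# Constructed sample: conn=25363 is the log from the thread (unquoted dn);
# conn=25364 and conn=25365 are made-up connections against cn=accounts.
SAMPLE_LOG = """\
[12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from ::1 to ::1
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND dn=uid=USER,cn=users,cn=compat,dc=foo method=128 version=3
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97 nentries=0 etime=0
[12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1
[12/Feb/2014:12:55:02 +0100] conn=25364 fd=80 slot=80 connection from ::1 to ::1
[12/Feb/2014:12:55:02 +0100] conn=25364 op=0 BIND dn="uid=USER,cn=users,cn=accounts,dc=foo" method=128 version=3
[12/Feb/2014:12:55:02 +0100] conn=25364 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=user,cn=users,cn=accounts,dc=foo"
[12/Feb/2014:12:55:02 +0100] conn=25364 op=1 SRCH base="cn=accounts,dc=foo" scope=2 filter="(uid=USER)" attrs=ALL
[12/Feb/2014:12:55:02 +0100] conn=25364 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[12/Feb/2014:12:56:40 +0100] conn=25365 op=0 BIND dn="uid=USER,cn=users,cn=accounts,dc=foo" method=128 version=3
[12/Feb/2014:12:56:40 +0100] conn=25365 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    for o in compat_bind_referrals(log_lines):
        print(f"conn={o.conn} op={o.op}: bind as {o.dn} got referral(10); "
              "this slapi-nis cannot authenticate against the compat tree")
    print(summarize(log_lines))
```

Run it against /var/log/dirsrv/slapd-INSTANCE/access on the server (pass the file's lines to compat_bind_referrals) to see which clients are still binding under cn=compat; those are the ones to move to the cn=accounts DN, or to SSSD, until the server runs a slapi-nis that handles the bind itself.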
Re: [Freeipa-users] authentication against compat
On Wed, Feb 12, 2014 at 01:30:59PM -0500, Dmitri Pal wrote:
I don't know it. After a quick look I wasn't able to set it up correctly, 'id USER' didn't connect to its socket like with nscd/nslcd, however nsswitch.conf was configured. Maybe with the upcoming 14.04 or do you have a working howto for 12.04?

Please check the SSSD web site for guidelines and if you have any questions do not hesitate to ask on the sssd-users list. SSSD is the best you can get nowadays for the connection of the client systems to the central identity stores. If you plan to use it with IPA you do not need to configure sssd manually. ipa-client-install will do the trick. Just install the ipa-client package and run the command.

If realmd is available for your distribution, then I would highly recommend using it to set up SSSD.
Re: [Freeipa-users] authentication against compat
On 02/12/2014 09:53 PM, Jakub Hrozek wrote:
On Wed, Feb 12, 2014 at 01:30:59PM -0500, Dmitri Pal wrote:
I don't know it. After a quick look I wasn't able to set it up correctly, 'id USER' didn't connect to its socket like with nscd/nslcd, however nsswitch.conf was configured. Maybe with the upcoming 14.04 or do you have a working howto for 12.04?

Please check the SSSD web site for guidelines and if you have any questions do not hesitate to ask on the sssd-users list. SSSD is the best you can get nowadays for the connection of the client systems to the central identity stores. If you plan to use it with IPA you do not need to configure sssd manually. ipa-client-install will do the trick. Just install the ipa-client package and run the command.

If realmd is available for your distribution, then I would highly recommend using it to set up SSSD.

It isn't in 12.04, but will be available in 14.04. Thanks for the suggestion.

tamas
Re: [Freeipa-users] authentication against compat
On Wed, 12 Feb 2014, Tamas Papp wrote:
On 02/12/2014 09:53 PM, Jakub Hrozek wrote:
On Wed, Feb 12, 2014 at 01:30:59PM -0500, Dmitri Pal wrote:
I don't know it. After a quick look I wasn't able to set it up correctly, 'id USER' didn't connect to its socket like with nscd/nslcd, however nsswitch.conf was configured. Maybe with the upcoming 14.04 or do you have a working howto for 12.04?

Please check the SSSD web site for guidelines and if you have any questions do not hesitate to ask on the sssd-users list. SSSD is the best you can get nowadays for the connection of the client systems to the central identity stores. If you plan to use it with IPA you do not need to configure sssd manually. ipa-client-install will do the trick. Just install the ipa-client package and run the command.

If realmd is available for your distribution, then I would highly recommend using it to set up SSSD.

It isn't in 12.04, but will be available in 14.04. Thanks for the suggestion.

https://launchpad.net/~sssd/+archive/updates

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] authentication against compat
On Thu, 13 Feb 2014, Alexander Bokovoy wrote:
On Wed, 12 Feb 2014, Tamas Papp wrote:
On 02/12/2014 09:53 PM, Jakub Hrozek wrote:
On Wed, Feb 12, 2014 at 01:30:59PM -0500, Dmitri Pal wrote:
I don't know it. After a quick look I wasn't able to set it up correctly, 'id USER' didn't connect to its socket like with nscd/nslcd, however nsswitch.conf was configured. Maybe with the upcoming 14.04 or do you have a working howto for 12.04?

Please check the SSSD web site for guidelines and if you have any questions do not hesitate to ask on the sssd-users list. SSSD is the best you can get nowadays for the connection of the client systems to the central identity stores. If you plan to use it with IPA you do not need to configure sssd manually. ipa-client-install will do the trick. Just install the ipa-client package and run the command.

If realmd is available for your distribution, then I would highly recommend using it to set up SSSD.

It isn't in 12.04, but will be available in 14.04. Thanks for the suggestion.

https://launchpad.net/~sssd/+archive/updates

Ah, sorry, realmd is indeed not available for 12.04 because it wasn't written at that point yet. :)

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] authentication against compat
On 02/12/2014 11:29 PM, Alexander Bokovoy wrote:
On Wed, 12 Feb 2014, Tamas Papp wrote:
On 02/12/2014 09:53 PM, Jakub Hrozek wrote:
On Wed, Feb 12, 2014 at 01:30:59PM -0500, Dmitri Pal wrote:
I don't know it. After a quick look I wasn't able to set it up correctly, 'id USER' didn't connect to its socket like with nscd/nslcd, however nsswitch.conf was configured. Maybe with the upcoming 14.04 or do you have a working howto for 12.04?

Please check the SSSD web site for guidelines and if you have any questions do not hesitate to ask on the sssd-users list. SSSD is the best you can get nowadays for the connection of the client systems to the central identity stores. If you plan to use it with IPA you do not need to configure sssd manually. ipa-client-install will do the trick. Just install the ipa-client package and run the command.

If realmd is available for your distribution, then I would highly recommend using it to set up SSSD.

It isn't in 12.04, but will be available in 14.04. Thanks for the suggestion.

https://launchpad.net/~sssd/+archive/updates

I meant realmd is not in 12.04.

tamas
Re: [Freeipa-users] authentication against compat
On 02/12/2014 07:30 PM, Dmitri Pal wrote:
Please check the SSSD web site for guidelines and if you have any questions do not hesitate to ask on the sssd-users list. SSSD is the best you can get nowadays for the connection of the client systems to the central identity stores. If you plan to use it with IPA you do not need to configure sssd manually. ipa-client-install will do the trick. Just install the ipa-client package and run the command.

It was quite pathetic when I last tried it on Ubuntu. I'll try sssd again, if I have spare time.

Thanks,
tamas
Re: [Freeipa-users] authentication against compat
On 02/12/2014 05:00 PM, Tamas Papp wrote:
On 02/12/2014 07:30 PM, Dmitri Pal wrote:
Please check the SSSD web site for guidelines and if you have any questions do not hesitate to ask on the sssd-users list. SSSD is the best you can get nowadays for the connection of the client systems to the central identity stores. If you plan to use it with IPA you do not need to configure sssd manually. ipa-client-install will do the trick. Just install the ipa-client package and run the command.

It was quite pathetic when I last tried it on Ubuntu. I'll try sssd again, if I have spare time.

Thanks,
tamas

Timo Aaltonen is your man then. ;-)

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-users] authentication against compat
Is SSSD working for IPA sudo now? I saw this from Jakub Hrozek in this list a little while back:

Unfortunately with 6.5 there is still no sudo ipa provider, there might be one in 6.6. So in order to download the sudo rules you need to configure the LDAP sudo provider manually.

Will.

On Wednesday, February 12, 2014 at 2:57 PM, Dmitri Pal wrote:
On 02/12/2014 05:00 PM, Tamas Papp wrote:
On 02/12/2014 07:30 PM, Dmitri Pal wrote:
Please check the SSSD web site for guidelines and if you have any questions do not hesitate to ask on the sssd-users list. SSSD is the best you can get nowadays for the connection of the client systems to the central identity stores. If you plan to use it with IPA you do not need to configure sssd manually. ipa-client-install will do the trick. Just install the ipa-client package and run the command.

It was quite pathetic when I last tried it on Ubuntu. I'll try sssd again, if I have spare time.

Thanks,
tamas

Timo Aaltonen is your man then. ;-)

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
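The manual LDAP sudo provider that the quoted note refers to is a few lines in /etc/sssd/sssd.conf on the client. The fragment below is an added example, not configuration posted in this thread or shipped by FreeIPA; the hostnames ipaserver.example.com and ipaclient.example.com, the realm EXAMPLE.COM and the base DN dc=example,dc=com are placeholders for an IPA-enrolled CentOS 6.5 client. The id/auth/access lines are what ipa-client-install already writes and are shown only for context; the sudo lines are the part added by hand. The search base is the sudoers compat subtree that slapi-nis publishes from the native IPA sudo rules, and authentication uses the host keytab from enrollment over SASL/GSSAPI, so no bind password is stored on the client.

```ini
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = example.com

[domain/example.com]
# Written by ipa-client-install; shown for context.
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = example.com
ipa_server = ipaserver.example.com
ipa_hostname = ipaclient.example.com
cache_credentials = True

# Added by hand on SSSD versions without a native IPA sudo provider.
# IPA serves its sudo rules in the sudo LDAP schema under ou=sudoers
# via the slapi-nis compat plugin, so the generic LDAP sudo provider
# can read them with the client's host credentials.
sudo_provider = ldap
ldap_uri = ldap://ipaserver.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ipaclient.example.com
ldap_sasl_realm = EXAMPLE.COM
krb5_server = ipaserver.example.com
```

Two things the fragment alone does not do: /etc/nsswitch.conf needs `sudoers: files sss` so that sudo asks SSSD at all, and sssd must be restarted afterwards; `sudo -l` as an IPA user then shows whether rules arrive. Rule lookups are answered from the compat tree, which is the same plugin this thread is about, so a client that can read sudo rules from it does not imply the server also accepts LDAP binds against cn=compat.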