Re: [Freeipa-users] authentication against compat

2014-02-17 Thread Jakub Hrozek
On Fri, Feb 14, 2014 at 09:36:33AM +0200, Alexander Bokovoy wrote:
 On Thu, 13 Feb 2014, Steve Dainard wrote:
 I don't think this is an issue of bugs or documentation, more of design.
 Perhaps there's someplace other than a users list this belongs in but:
 
 If IPA is a centrally managed identity and access control system, should
 these configurations not be passed to clients, rather than every client
 needing configuration changes post join? Obviously I can automate config
 changes, but why would I want to? I don't think sudoers priv is a fringe
 case, it's pretty much THE case for access/admin control. I cringe to
 compare to a Windows domain, but I don't have to manually tell a domain
 client that it should respect the rules I set on a domain controller, I
 joined it to the domain for this reason.
 When the majority of expected features are already implemented, it is easy
 to fall into the assumption that everything has to be complete from the start.
 That's understandable but we are dealing with a living and evolving
 project where a feature addition often means integrating across multiple
 actual free software projects, all with their own priorities and
 schedules, step by step, or things will never happen.
 
 SUDO integration is not an exception here. First we needed to expand
 SUDO's support for external plugins. When SUDO data was placed in LDAP,
 it appeared that existing schema isn't really optimal, so FreeIPA schema
 was designed better (but incompatible with existing one from SUDO LDAP),
 but required a compatibility part to work with existing SUDO LDAP
 plugin. Next, we implemented SUDO provider in SSSD for the existing SUDO
 LDAP schema as it gave SSSD wider coverage of SUDO support. Now we
 implemented support for native FreeIPA schema. The next step is to
 integrate configuration of it in ipa-client-install so that clients will
 get set up properly if there are SUDO rules configured on the server or
 ipa-client-install was actually given a bless from the admin (via CLI
 option or answering a question).
 
 It takes time and effort. Unsurprisingly, this is a relatively minor
 feature in the grand picture because we have dozens of such features all
 asking for attention and time, and our development teams are not
 expanding infinitely regardless of how we all wished. :)
 
 Any help is welcome!

By the way the native sudo backend is being worked on actively by an
external contributor in the form of a thesis. We expect to have it
implemented by May.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] authentication against compat

2014-02-13 Thread Jakub Hrozek
On Wed, Feb 12, 2014 at 03:35:58PM -0800, Will Sheldon wrote:
 Is SSSD working for IPA sudo now?

It was working even before, just with a bit of manual config, as I said
in the reply you quoted, you just had to configure 'sudo_provider=ldap'

 I saw this from Jakub Hrozek on this list a little while back:
 
 Unfortunately with 6.5 there is still no sudo ipa provider, there might
 be with one in 6.6. So in order to download the sudo rules you need to
 configure the LDAP sudo provider manually.

sudo_provider=ipa is included in 1.9.6 and also all recent versions
(1.11.x)

We're thinking about including a newer version in RHEL-6.6, where the
sudo_provider=ipa would be included as well.



Re: [Freeipa-users] authentication against compat

2014-02-13 Thread Steve Dainard
Is this server or client side where sudo_provider=ipa is included in ver 
1.11.x?

My fedora 20 client doesn't have this option listed, or is it baked in?

Steve Dainard
IT Infrastructure Manager
Miovision http://miovision.com/ | Rethink Traffic

Blog http://miovision.com/blog | LinkedIn
https://www.linkedin.com/company/miovision-technologies | Twitter
https://twitter.com/miovision | Facebook
https://www.facebook.com/miovision
--
 Miovision Technologies Inc. | 148 Manitou Drive, Suite 101, Kitchener, ON,
Canada | N2C 1L3
This e-mail may contain information that is privileged or confidential. If
you are not the intended recipient, please delete the e-mail and any
attachments and notify us immediately.




Re: [Freeipa-users] authentication against compat

2014-02-13 Thread Jakub Hrozek
On Thu, Feb 13, 2014 at 03:05:07PM -0500, Steve Dainard wrote:
 Is this server or client side where sudo_provider=ipa is included in ver 
 1.11.x?

Client side (sssd)

 
 My fedora 20 client doesn't have this option listed, or is it baked in?
 

Where exactly do you see the documentation lacking, perhaps the sssd-ipa
man page, or the sssd-sudo man page? I agree that docs are important,
but my view might be skewed because I know the internals.

All that should be required with 1.9.6 or 1.11.x is:
sudo_provider=ipa

And enabling the 'sss' module in /etc/nsswitch.conf:
sudoers: files sss

That's it. Please let us know if you find any bugs in code or docs.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
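The two settings Jakub names above (sudo_provider=ipa in the domain section of sssd.conf, and sss on the sudoers line of nsswitch.conf) are easy to get half right, and Steve's own nsswitch.conf later in this thread has no sudoers line at all. As an added example, not code from the thread or from the SSSD project, the POSIX shell script below audits a client for both. It also checks that sudo is listed under services in the [sssd] section, which sssd-sudo(5) requires so that the sudo responder actually runs; that third check comes from the man page, not from this thread. The file paths, the domain name example.test and the sample configuration files are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the SSSD project): audit a FreeIPA
# client for the two settings named in the thread, plus the sudo responder
# that sssd-sudo(5) asks for in the [sssd] services list.
#
# File paths, the domain name example.test and the sample files below are
# constructed for this example.

# nss_has_sss FILE -> exit 0 when the sudoers line in FILE lists the sss module
nss_has_sss() {
    sed 's/#.*//' "$1" | awk '
        $1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
        END { exit found ? 0 : 1 }'
}

# ini_value FILE SECTION KEY -> print the value of KEY inside [SECTION]
# (first match wins; section and key names are matched case-sensitively)
ini_value() {
    awk -v want="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ {
            line = $0; gsub(/[[:space:]]/, "", line)
            insect = (line == want); next
        }
        insect && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
            print; exit
        }' "$1"
}

# sssd_sudo_ready FILE DOMAIN -> exit 0 when [sssd] services lists sudo and
# [domain/DOMAIN] sets sudo_provider = ipa
sssd_sudo_ready() {
    services=$(ini_value "$1" sssd services)
    provider=$(ini_value "$1" "domain/$2" sudo_provider)
    case ",$(printf '%s' "$services" | tr -d ' ')," in
        *,sudo,*) ;;
        *) return 1 ;;
    esac
    [ "$provider" = "ipa" ]
}

# audit_sudo_client NSSWITCH SSSD_CONF DOMAIN -> report both checks; exit 0
# only when both pass
audit_sudo_client() {
    status=0
    if nss_has_sss "$1"; then
        echo "ok   $1: sudoers line includes sss"
    else
        echo "FAIL $1: add 'sudoers: files sss'"; status=1
    fi
    if sssd_sudo_ready "$2" "$3"; then
        echo "ok   $2: sudo in [sssd] services, sudo_provider = ipa in [domain/$3]"
    else
        echo "FAIL $2: add sudo to services in [sssd] and sudo_provider = ipa in [domain/$3]"; status=1
    fi
    return $status
}

# Constructed sample files: one pair missing the settings, one pair correct.
workdir=$(mktemp -d)
cat > "$workdir/nsswitch.bad" <<'EOF'
passwd:     files sss
group:      files sss
EOF
cat > "$workdir/nsswitch.good" <<'EOF'
passwd:     files sss
group:      files sss
sudoers:    files sss
EOF
cat > "$workdir/sssd.bad" <<'EOF'
[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ipa
EOF
cat > "$workdir/sssd.good" <<'EOF'
[sssd]
services = nss, pam, sudo
domains = example.test

[domain/example.test]
id_provider = ipa
sudo_provider = ipa
EOF

audit_sudo_client "$workdir/nsswitch.bad" "$workdir/sssd.bad" example.test || echo "client not ready for IPA sudo rules"
audit_sudo_client "$workdir/nsswitch.good" "$workdir/sssd.good" example.test
```

On a real client, call audit_sudo_client with /etc/nsswitch.conf, /etc/sssd/sssd.conf and the IPA domain name; the sssd.conf read needs root because the file is mode 0600. The checks are deliberately strict about the exact values (sss present, provider equal to ipa) rather than merely non-empty, since a leftover sudo_provider=ldap from the manual setup Jakub mentions earlier would otherwise pass.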


Re: [Freeipa-users] authentication against compat

2014-02-13 Thread Steve Dainard
I don't think this is an issue of bugs or documentation, more of design.
Perhaps there's someplace other than a users list this belongs in but:

If IPA is a centrally managed identity and access control system, should
these configurations not be passed to clients, rather than every client
needing configuration changes post join? Obviously I can automate config
changes, but why would I want to? I don't think sudoers priv is a fringe
case, it's pretty much THE case for access/admin control. I cringe to
compare to a Windows domain, but I don't have to manually tell a domain
client that it should respect the rules I set on a domain controller, I
joined it to the domain for this reason.

Maybe you're working towards this, but in the meantime it would be great if
the options existed in the config files so we immediately know what options
are available and can comment/uncomment them rather than searching around
man pages for options that might exist.

I believe you were looking for a documentation bug:

# man sssd-sudo
   To enable SSSD as a source for sudo rules, *add sss to the sudoers
   entry* in nsswitch.conf(5).

   For example, to configure sudo to first lookup rules in the standard
   sudoers(5) file (which should contain rules that apply to local users)
   and then in SSSD, the nsswitch.conf file should contain the following
   line:

       *sudoers: files sss*

# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#

# To use db, put the db in front of files for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files sss
shadow:     files sss
group:      files sss
#initgroups: files

#hosts:     db files nisplus nis dns
hosts:      files mdns4_minimal [NOTFOUND=return] dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files sss
aliases:    files nisplus



Entry does not exist.








Re: [Freeipa-users] authentication against compat

2014-02-13 Thread Dmitri Pal

Managing configuration files is outside the scope of IPA or SSSD. We
looked at this at the beginning of the IPA project and got push back
from

Re: [Freeipa-users] authentication against compat

2014-02-13 Thread Alexander Bokovoy

On Thu, 13 Feb 2014, Steve Dainard wrote:

I don't think this is an issue of bugs or documentation, more of design.
Perhaps there's someplace other than a users list this belongs in but:

If IPA is a centrally managed identity and access control system, should
these configurations not be passed to clients, rather than every client
needing configuration changes post join? Obviously I can automate config
changes, but why would I want to? I don't think sudoers priv is a fringe
case, it's pretty much THE case for access/admin control. I cringe to
compare to a Windows domain, but I don't have to manually tell a domain
client that it should respect the rules I set on a domain controller, I
joined it to the domain for this reason.

When the majority of expected features are already implemented, it is easy
to fall into the assumption that everything has to be complete from the start.
That's understandable but we are dealing with a living and evolving
project where a feature addition often means integrating across multiple
actual free software projects, all with their own priorities and
schedules, step by step, or things will never happen.

SUDO integration is not an exception here. First we needed to expand
SUDO's support for external plugins. When SUDO data was placed in LDAP,
it appeared that existing schema isn't really optimal, so FreeIPA schema
was designed better (but incompatible with existing one from SUDO LDAP),
but required a compatibility part to work with existing SUDO LDAP
plugin. Next, we implemented SUDO provider in SSSD for the existing SUDO
LDAP schema as it gave SSSD wider coverage of SUDO support. Now we
implemented support for native FreeIPA schema. The next step is to
integrate configuration of it in ipa-client-install so that clients will
get set up properly if there are SUDO rules configured on the server or
ipa-client-install was actually given a bless from the admin (via CLI
option or answering a question).

It takes time and effort. Unsurprisingly, this is a relatively minor
feature in the grand picture because we have dozens of such features all
asking for attention and time, and our development teams are not
expanding infinitely regardless of how we all wished. :)

Any help is welcome!

--
/ Alexander Bokovoy



Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Alexander Bokovoy

On Wed, 12 Feb 2014, Tamas Papp wrote:

hi All,

$ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w
`cat pw`
ldap_bind: Referral (10)
   referrals:
   ldap:///uid=USER,cn=users,cn=accounts,dc=foo




[12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from ::1 to ::1
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND dn=uid=USER,cn=users,cn=compat,dc=foo method=128 version=3
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97 nentries=0 etime=0
[12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1


System is Centos 6.5 and ldap was migrated from IPA 3.3 (Fedora 20).
Non-compat authentication works fine and authorization against compat is
also fine.


What is err=10?

slapi-nis module in RHEL 6.x (and CentOS) does not support bind against
compat tree. We added this feature only in Fedora 20 (and RHEL 7 beta).

In older versions slapi-nis issues LDAP referral to the original LDAP
entry with the hope that an LDAP client would follow it and perform a
bind against the referral.

Unfortunately, there is virtually no client software that supports the
referral on bind operation.

In short, you cannot do LDAP bind against compat tree in RHEL before
7.0.


--
/ Alexander Bokovoy

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
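Alexander's point above is that an older slapi-nis answers a BIND on a cn=compat DN with a referral (err=10) which clients do not follow, so those logins just fail; the access-log lines Tamas posted are the fingerprint of that failure. As an added example, not code from the thread, from slapi-nis or from 389-ds, the POSIX shell script below scans a 389-ds access log for that pattern: it pairs each BIND whose DN is under cn=compat with its RESULT by conn and op number and reports the ones that got err=10, so a server admin can see which clients still authenticate through the compat tree and need either the cn=accounts DN or a slapi-nis release with bind support. The log path and the sample lines are constructed for the example (Tamas's lines rejoined into single lines, plus a successful cn=accounts bind and a second compat client); the parser accepts the bind DN with or without the double quotes 389-ds writes.

```shell
#!/bin/sh
# Added example (not from the thread, slapi-nis or 389-ds): find LDAP BINDs
# against the compat tree that the server answered with err=10 (referral),
# i.e. the failure mode Alexander describes for slapi-nis without bind
# support. Run it over the dirsrv access log; the path and the sample
# lines below are constructed for this example.

# compat_bind_referrals LOGFILE -> one "conn=N <bind DN>" line per affected bind
compat_bind_referrals() {
    awk '
        # Remember the DN of each BIND on a cn=compat entry, keyed by
        # connection and operation number so its RESULT can be matched.
        / BIND / && /cn=compat/ {
            conn = ""; op = ""; dn = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^conn=/) conn = $i
                if ($i ~ /^op=/) op = $i
                if ($i ~ /^dn=/) dn = $i
            }
            sub(/^dn=/, "", dn); gsub(/"/, "", dn)   # quoted or bare DN
            bind[conn " " op] = dn
        }
        # err=10 on one of those operations is a referral the client will
        # almost certainly not follow: that login failed.
        / RESULT / && / err=10 / {
            conn = ""; op = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^conn=/) conn = $i
                if ($i ~ /^op=/) op = $i
            }
            key = conn " " op
            if (key in bind) { print conn, bind[key]; delete bind[key] }
        }' "$1"
}

# count_compat_bind_referrals LOGFILE -> number of affected binds
count_compat_bind_referrals() {
    compat_bind_referrals "$1" | wc -l | tr -d ' '
}

# Constructed sample log, modelled on the lines Tamas posted (rejoined into
# single lines, DN quoted the way 389-ds writes it), plus a successful bind
# against cn=accounts and a second compat bind from another client.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from ::1 to ::1
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND dn="uid=USER,cn=users,cn=compat,dc=foo" method=128 version=3
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97 nentries=0 etime=0
[12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1
[12/Feb/2014:12:55:02 +0100] conn=25364 fd=80 slot=80 connection from ::1 to ::1
[12/Feb/2014:12:55:02 +0100] conn=25364 op=0 BIND dn="uid=USER,cn=users,cn=accounts,dc=foo" method=128 version=3
[12/Feb/2014:12:55:02 +0100] conn=25364 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[12/Feb/2014:12:56:40 +0100] conn=25365 fd=81 slot=81 connection from 192.0.2.10 to 192.0.2.1
[12/Feb/2014:12:56:40 +0100] conn=25365 op=0 BIND dn="uid=OTHER,cn=users,cn=compat,dc=foo" method=128 version=3
[12/Feb/2014:12:56:40 +0100] conn=25365 op=0 RESULT err=10 tag=97 nentries=0 etime=0
EOF

compat_bind_referrals "$SAMPLE_LOG"
# prints:
# conn=25363 uid=USER,cn=users,cn=compat,dc=foo
# conn=25365 uid=OTHER,cn=users,cn=compat,dc=foo
```

Matching on conn and op rather than on line adjacency matters because 389-ds interleaves operations from many connections in one log, so a grep for err=10 alone would also pick up search referrals and could not tell you which DN was binding. The "connection from" line for the same conn number gives the client address once you know which conn to look at.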


Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Tamas Papp


I forgot to mention, the client would be Ubuntu 12.04 and it
works/worked with IPA 3.3 and F20.
If I understand correctly, you're referring to the client side, are you?
Or is it true for the server side as well?


Thanks,
tamas



Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Alexander Bokovoy

On Wed, 12 Feb 2014, Tamas Papp wrote:




I forgot to mention, the client would be Ubuntu 12.04 and it
works/worked with IPA 3.3 and F20.

It worked with IPA 3.3 because of what I wrote above -- I implemented
LDAP BIND authentication in slapi-nis in IPA 3.3 instead of issuing LDAP
referral to the original entry's DN.


If I understand correctly, you're referring to the client side, are you?

No.


Or it is true for the server side as well?

It is purely a server-side issue. slapi-nis < 0.47.5 does not support
proper authentication against the compat tree that LDAP clients understand.

--
/ Alexander Bokovoy



Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Tamas Papp

OK, that's clear now.
Sorry I wasn't aware of slapi-nis behaviour:)


Thanks,
tamas



Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Tamas Papp


Actually I'd like to authenticate shell users on Ubuntu.

For the record, I figured out that switching from nscd to nslcd did the
trick.


Thanks,
tamas



Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Petr Spacek



BTW why don't you use SSSD? It is packaged for Ubuntu for sure. NSCD is ...
obsolete. SSSD has some very nice features like an off-line cache etc.


--
Petr^2 Spacek



Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Tamas Papp

On 02/12/2014 03:04 PM, Petr Spacek wrote:
 On 12.2.2014 15:01, Tamas Papp wrote:

 On 02/12/2014 01:34 PM, Alexander Bokovoy wrote:
 On Wed, 12 Feb 2014, Tamas Papp wrote:

 On 02/12/2014 01:07 PM, Alexander Bokovoy wrote:
 On Wed, 12 Feb 2014, Tamas Papp wrote:
 hi All,

 $ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h
 localhost -w
 `cat pw`
 ldap_bind: Referral (10)
 referrals:
 ldap:///uid=USER,cn=users,cn=accounts,dc=foo




 [12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection
 from
 ::1 to ::1
 [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND
 dn=uid=USER,cn=users,cn=compat,dc=foo method=128 version=3
 [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97
 nentries=0 etime=0
 [12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1


 System is Centos 6.5 and ldap was migrated from IPA 3.3 (Fedora 20).
 Non-compat authentication works fine and authorization against
 compat is
 also fine.


 What is err=10?
 slapi-nis module in RHEL 6.x (and CentOS) does not support bind
 against
 compat tree. We added this feature only in Fedora 20 (and RHEL 7
 beta).

 In older versions slapi-nis issues LDAP referral to the original LDAP
 entry with the hope that an LDAP client would follow it and perform a
 bind against the referral.

 Unfortunately, there is virtually no client software that supports
 the
 referral on bind operation.

 In short, you cannot do LDAP bind against compat tree in RHEL before
 7.0.

 I forgot to mention, the client would be Ubuntu 12.04 and it
 works/worked with IPA 3.3 and F20.
 It worked with IPA 3.3 because of what I wrote above -- I implemented
 LDAP BIND authentication in slapi-nis in IPA 3.3 instead of issuing LDAP
 referral to the original entry's DN.

 If I understand correctly, you're referring to the client side, are
 you?
 No.

 Or it is true for the server side as well?
 It is purely a server-side issue. slapi-nis < 0.47.5 does not support
 proper authentication against compat tree that LDAP clients understand.

 Actually I'd like to authenticate shell users on Ubuntu.

 For the record, I figured out that switching from nscd to nslcd did the
 trick.

 BTW why don't you use SSSD? It is packaged for Ubuntu for sure. NSCD
 is ... obsolete. SSSD has some very nice features like off-line cache
 etc.

I don't know it.
After a quick look I wasn't able to set it up correctly: 'id USER'
didn't connect to its socket like with nscd/nslcd, even though
nsswitch.conf was configured.
Maybe with the upcoming 14.04, or do you have a working howto for 12.04?


Thx,
tamas

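As an added example (not code from the thread or from FreeIPA), here is a small check over 389-ds access log lines like the ones quoted above: it pairs each BIND with its RESULT by (conn, op) and flags binds against the compat tree that came back with err=10, the referral that the older slapi-nis returns instead of authenticating, and works out the cn=accounts DN the client was referred to. The sample log is constructed from the quoted lines plus one made-up successful bind (conn=25364) for contrast.

```python
import re

# Added example, not code from the thread: pair BIND/RESULT lines of a 389-ds
# access log by (conn, op) and flag compat-tree binds answered with err=10, the
# LDAP referral that older slapi-nis returns instead of authenticating.
LDAP_REFERRAL = 10
COMPAT_RDN = ",cn=compat,"
ACCOUNTS_RDN = ",cn=accounts,"
BIND_RE = re.compile(r'conn=(\d+) op=(-?\d+) BIND dn="?([^"\s]*)"? method=(\d+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(-?\d+) RESULT err=(\d+)')

# Constructed sample: the thread's lines plus a made-up successful bind (conn=25364).
SAMPLE_LOG = """\
[12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from ::1 to ::1
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND dn=uid=USER,cn=users,cn=compat,dc=foo method=128 version=3
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97 nentries=0 etime=0
[12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1
[12/Feb/2014:12:55:02 +0100] conn=25364 op=0 BIND dn=uid=USER,cn=users,cn=accounts,dc=foo method=128 version=3
[12/Feb/2014:12:55:02 +0100] conn=25364 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""


def referral_target(bind_dn):
    """DN the referral points at: the original entry under cn=accounts."""
    return bind_dn.replace(COMPAT_RDN, ACCOUNTS_RDN)


def audit_binds(log_text):
    """One record per completed BIND: dn, err, and where a compat bind was referred."""
    pending = {}  # (conn, op) -> bind dn, until the matching RESULT line arrives
    records = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if not m or (m.group(1), m.group(2)) not in pending:
            continue  # not a RESULT, or a RESULT for a non-BIND operation
        dn = pending.pop((m.group(1), m.group(2)))
        err = int(m.group(3))
        referred = referral_target(dn) if err == LDAP_REFERRAL and COMPAT_RDN in dn else None
        records.append({"conn": m.group(1), "dn": dn, "err": err, "referred_to": referred})
    return records


def referred_compat_binds(log_text):
    """Binds that a client without referral-on-bind support would report as failed."""
    return [r for r in audit_binds(log_text) if r["referred_to"]]
```

Running `referred_compat_binds(SAMPLE_LOG)` on the constructed sample returns only the conn=25363 bind, referred to the same entry under cn=accounts.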


Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Dmitri Pal

On 02/12/2014 09:30 AM, Tamas Papp wrote:

I don't know it.
After a quick look I wasn't able to set it up correctly: 'id USER'
didn't connect to its socket like with nscd/nslcd, even though
nsswitch.conf was configured.
Maybe with the upcoming 14.04, or do you have a working howto for 12.04?


Please check the SSSD web site for guidelines and if you have any questions
do not hesitate to ask on the sssd-users list.
SSSD is the best you can get nowadays for the connection of the client
systems to the central identity stores.

If you plan to use it with IPA you do not need to configure sssd manually.
ipa-client-install will do the trick. Just install the ipa-client package
and run the command.





Thx,
tamas




--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Jakub Hrozek
On Wed, Feb 12, 2014 at 01:30:59PM -0500, Dmitri Pal wrote:
 I don't know it.
 After a quick look I wasn't able to set it up correctly: 'id USER'
 didn't connect to its socket like with nscd/nslcd, even though
 nsswitch.conf was configured.
 Maybe with the upcoming 14.04, or do you have a working howto for 12.04?
 
 Please check the SSSD web site for guidelines and if you have any
 questions do not hesitate to ask on the sssd-users list.
 SSSD is the best you can get nowadays for the connection of the
 client systems to the central identity stores.
 If you plan to use it with IPA you do not need to configure sssd manually.
 ipa-client-install will do the trick. Just install the ipa-client
 package and run the command.

If realmd is available for your distribution, then I would highly
recommend using it to set up SSSD.



Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Tamas Papp

On 02/12/2014 09:53 PM, Jakub Hrozek wrote:
 On Wed, Feb 12, 2014 at 01:30:59PM -0500, Dmitri Pal wrote:
 I don't know it.
 After a quick look I wasn't able to set it up correctly: 'id USER'
 didn't connect to its socket like with nscd/nslcd, even though
 nsswitch.conf was configured.
 Maybe with the upcoming 14.04, or do you have a working howto for 12.04?
 Please check the SSSD web site for guidelines and if you have any
 questions do not hesitate to ask on the sssd-users list.
 SSSD is the best you can get nowadays for the connection of the
 client systems to the central identity stores.
 If you plan to use it with IPA you do not need to configure sssd manually.
 ipa-client-install will do the trick. Just install the ipa-client
 package and run the command.
 If realmd is available for your distribution, then I would highly
 recommend using it to set up SSSD.

It isn't in 12.04, but will be available in 14.04.
Thanks for the suggestion.

tamas



Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Alexander Bokovoy

On Wed, 12 Feb 2014, Tamas Papp wrote:


On 02/12/2014 09:53 PM, Jakub Hrozek wrote:

On Wed, Feb 12, 2014 at 01:30:59PM -0500, Dmitri Pal wrote:

I don't know it.
After a quick look I wasn't able to set it up correctly: 'id USER'
didn't connect to its socket like with nscd/nslcd, even though
nsswitch.conf was configured.
Maybe with the upcoming 14.04, or do you have a working howto for 12.04?

Please check the SSSD web site for guidelines and if you have any
questions do not hesitate to ask on the sssd-users list.
SSSD is the best you can get nowadays for the connection of the
client systems to the central identity stores.
If you plan to use it with IPA you do not need to configure sssd manually.
ipa-client-install will do the trick. Just install the ipa-client
package and run the command.

If realmd is available for your distribution, then I would highly
recommend using it to set up SSSD.


It isn't in 12.04, but will be available in 14.04.
Thanks for the suggestion.

https://launchpad.net/~sssd/+archive/updates
--
/ Alexander Bokovoy



Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Alexander Bokovoy

On Thu, 13 Feb 2014, Alexander Bokovoy wrote:

On Wed, 12 Feb 2014, Tamas Papp wrote:


On 02/12/2014 09:53 PM, Jakub Hrozek wrote:

On Wed, Feb 12, 2014 at 01:30:59PM -0500, Dmitri Pal wrote:

I don't know it.
After a quick look I wasn't able to set it up correctly: 'id USER'
didn't connect to its socket like with nscd/nslcd, even though
nsswitch.conf was configured.
Maybe with the upcoming 14.04, or do you have a working howto for 12.04?

Please check the SSSD web site for guidelines and if you have any
questions do not hesitate to ask on the sssd-users list.
SSSD is the best you can get nowadays for the connection of the
client systems to the central identity stores.
If you plan to use it with IPA you do not need to configure sssd manually.
ipa-client-install will do the trick. Just install the ipa-client
package and run the command.

If realmd is available for your distribution, then I would highly
recommend using it to set up SSSD.


It isn't in 12.04, but will be available in 14.04.
Thanks for the suggestion.

https://launchpad.net/~sssd/+archive/updates

Ah, sorry, realmd is indeed not available for 12.04 because it wasn't
written at that point yet. :)
--
/ Alexander Bokovoy



Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Tamas Papp

On 02/12/2014 11:29 PM, Alexander Bokovoy wrote:
 On Wed, 12 Feb 2014, Tamas Papp wrote:

 On 02/12/2014 09:53 PM, Jakub Hrozek wrote:
 On Wed, Feb 12, 2014 at 01:30:59PM -0500, Dmitri Pal wrote:
 I don't know it.
 After a quick look I wasn't able to set it up correctly: 'id USER'
 didn't connect to its socket like with nscd/nslcd, even though
 nsswitch.conf was configured.
 Maybe with the upcoming 14.04, or do you have a working howto for
 12.04?
 Please check the SSSD web site for guidelines and if you have any
 questions do not hesitate to ask on the sssd-users list.
 SSSD is the best you can get nowadays for the connection of the
 client systems to the central identity stores.
 If you plan to use it with IPA you do not need to configure sssd
 manually.
 ipa-client-install will do the trick. Just install the ipa-client
 package and run the command.
 If realmd is available for your distribution, then I would highly
 recommend using it to set up SSSD.

 It isn't in 12.04, but will be available in 14.04.
 Thanks for the suggestion.
 https://launchpad.net/~sssd/+archive/updates

I meant realmd is not in 12.04.

tamas



Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Tamas Papp

On 02/12/2014 07:30 PM, Dmitri Pal wrote:

 Please check the SSSD web site for guidelines and if you have any
 questions do not hesitate to ask on the sssd-users list.
 SSSD is the best you can get nowadays for the connection of the client
 systems to the central identity stores.
 If you plan to use it with IPA you do not need to configure sssd
 manually.
 ipa-client-install will do the trick. Just install the ipa-client package
 and run the command.

It was quite pathetic when I last tried it on Ubuntu.
I'll try sssd again if I have spare time.

Thanks,
tamas



Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Dmitri Pal

On 02/12/2014 05:00 PM, Tamas Papp wrote:

On 02/12/2014 07:30 PM, Dmitri Pal wrote:

Please check the SSSD web site for guidelines and if you have any
questions do not hesitate to ask on the sssd-users list.
SSSD is the best you can get nowadays for the connection of the client
systems to the central identity stores.
If you plan to use it with IPA you do not need to configure sssd
manually.
ipa-client-install will do the trick. Just install the ipa-client package
and run the command.

It was quite pathetic when I last tried it on Ubuntu.
I'll try sssd again if I have spare time.

Thanks,
tamas

Timo Aaltonen is your man then. ;-)

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.







Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Will Sheldon
Is SSSD working for IPA sudo now? I saw this from Jakub Hrozek on this list a
little while back:

Unfortunately with 6.5 there is still no sudo ipa provider, there might
be with one in 6.6. So in order to download the sudo rules you need to
configure the LDAP sudo provider manually.


Will.


On Wednesday, February 12, 2014 at 2:57 PM, Dmitri Pal wrote:

 On 02/12/2014 05:00 PM, Tamas Papp wrote:
  On 02/12/2014 07:30 PM, Dmitri Pal wrote:
   Please check the SSSD web site for guidelines and if you have any
   questions do not hesitate to ask on the sssd-users list.
   SSSD is the best you can get nowadays for the connection of the client
   systems to the central identity stores.
   If you plan to use it with IPA you do not need to configure sssd
   manually.
   ipa-client-install will do the trick. Just install the ipa-client package
   and run the command.
   
  
  It was quite pathetic when I last tried it on Ubuntu.
  I'll try sssd again if I have spare time.
  
  Thanks,
  tamas
  
 
 Timo Aaltonen is your man then. ;-)
 
 -- 
 Thank you,
 Dmitri Pal
 
 Sr. Engineering Manager for IdM portfolio
 Red Hat Inc.
 
 

