Re: [Freeipa-users] mod_nss FreeIPA
Hello Alexander,

Thanks for the links, I hope it is possible for me to install it correctly?

The next question is, is it possible to integrate this in an owncloud installation?

This is the background, to create this webserver for owncloud and with users from IPA?

A hard way. ;-)

On Thursday, 26 May 2016, 10:01:41 CEST, Alexander Bokovoy wrote:
> On Thu, 26 May 2016, Günther J. Niederwimmer wrote:
> >Hello Alexander,
> >
> >On Thursday, 26 May 2016, 09:41:38 CEST, Alexander Bokovoy wrote:
> >> On Thu, 26 May 2016, Günther J. Niederwimmer wrote:
> >> >Hello,
> >> >
> >> >can anyone help to find the correct way to configure a Webserver with IPA.
> >> >(mod_nss)
> >> >
> >> >I can't create a correct DB in /etc/httpd/alias
> >> >
> >> >I search on the INet and read the install Log from ipa-server but it is
> >> >not possible for me to find a working way :-(.
> >>
> >> So you want to set up a web server on an IPA client and have this web
> >> server to use mod_nss with certificates from IPA CA?
> >
> >YES YES.. ;-)
> >
> >You have 100 Points . ;-)
>
> You have two options: mod_ssl and mod_nss.
> For mod_ssl we have it documented:
> http://www.freeipa.org/page/Apache_SNI_With_Kerberos
>
> For mod_nss it is mostly the same except that mod_nss brings working nss
> configuration in the rpm package already and all you need is to
> initialize NSS database in /etc/httpd/alias.
>
> Use instructions to setup SSL from
> http://www.freeipa.org/page/Setting_up_MediaWiki_to_run_against_FreeIPA
>
> while the page above contains full MediaWiki setup, the MediaWiki part
> is isolated and the rest is basically the same for any mod_nss based web
> server.

Thanks for the help,
--
Best regards,
Günther J. Niederwimmer

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] mod_nss FreeIPA
On Thu, 26 May 2016, Günther J. Niederwimmer wrote:
>Hello Alexander,
>
>On Thursday, 26 May 2016, 09:41:38 CEST, Alexander Bokovoy wrote:
>> On Thu, 26 May 2016, Günther J. Niederwimmer wrote:
>> >Hello,
>> >
>> >can anyone help to find the correct way to configure a Webserver with IPA.
>> >(mod_nss)
>> >
>> >I can't create a correct DB in /etc/httpd/alias
>> >
>> >I search on the INet and read the install Log from ipa-server but it is
>> >not possible for me to find a working way :-(.
>>
>> So you want to set up a web server on an IPA client and have this web
>> server to use mod_nss with certificates from IPA CA?
>
>YES YES.. ;-)
>
>You have 100 Points . ;-)

You have two options: mod_ssl and mod_nss.
For mod_ssl we have it documented:
http://www.freeipa.org/page/Apache_SNI_With_Kerberos

For mod_nss it is mostly the same except that mod_nss brings working nss
configuration in the rpm package already and all you need is to
initialize NSS database in /etc/httpd/alias.

Use instructions to setup SSL from
http://www.freeipa.org/page/Setting_up_MediaWiki_to_run_against_FreeIPA

while the page above contains full MediaWiki setup, the MediaWiki part
is isolated and the rest is basically the same for any mod_nss based web
server.

--
/ Alexander Bokovoy
Re: [Freeipa-users] mod_nss FreeIPA
Hello Alexander,

On Thursday, 26 May 2016, 09:41:38 CEST, Alexander Bokovoy wrote:
> On Thu, 26 May 2016, Günther J. Niederwimmer wrote:
> >Hello,
> >
> >can anyone help to find the correct way to configure a Webserver with IPA.
> >(mod_nss)
> >
> >I can't create a correct DB in /etc/httpd/alias
> >
> >I search on the INet and read the install Log from ipa-server but it is
> >not possible for me to find a working way :-(.
>
> So you want to set up a web server on an IPA client and have this web
> server to use mod_nss with certificates from IPA CA?

YES YES.. ;-)

You have 100 Points . ;-)

Thanks
--
Best regards,
Günther J. Niederwimmer
Re: [Freeipa-users] mod_nss FreeIPA
Hello David,

On Thursday, 26 May 2016, 08:09:17 CEST, David Kupka wrote:
> On 26/05/16 07:42, Günther J. Niederwimmer wrote:
> > Hello,
> >
> > can anyone help to find the correct way to configure a Webserver with IPA.
> > (mod_nss)
> >
> > I can't create a correct DB in /etc/httpd/alias
> >
> > I search on the INet and read the install Log from ipa-server but it is
> > not possible for me to find a working way :-(.
> >
> > Thanks for an answer ?
>
> Hello Günther,
>
> I'm not sure if I understand your question. What I take from your message is:
>
> I want an IPA webserver with NSSDB in /etc/httpd/alias.

;-) No and Yes.

I want a new WEBSERVER on an ipa-client with IPA Certificate ?

Afterward I like to create a "DANE" Entry from this Certificate for this webserver ?

But I fail with the first configuration

> The answer then is:
>
> ipa-server-install creates that DB for apache and populates it with
> certificates. So there is nothing to do.

Yes, and I can't find the way IPA creates this ...

> From one of my test servers:
>
> # certutil -d /etc/httpd/alias/ -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> ipaCert                                                      u,u,u
> Server-Cert                                                  u,u,u
> EXAMPLE.TEST IPA CA                                          CT,C,C
> Signing-Cert                                                 u,u,u
>
>
> If this is not what you were asking please try to explain what you want
> to achieve with more details.

Thanks David for the answer,

I have on the Master also

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
.XXX CA                                                      CT,C,C

and on the replica this,

Server-Cert                                                  u,u,u
.XXX IPA CA                                                  CT,C,C
ipaCert                                                      u,u,u

I mean I must have a NSSDB like this from the replica, on my Webserver ?

--
Best regards,
Günther J. Niederwimmer
Re: [Freeipa-users] mod_nss FreeIPA
On Thu, 26 May 2016, Günther J. Niederwimmer wrote:
>Hello,
>
>can anyone help to find the correct way to configure a Webserver with IPA.
>(mod_nss)
>
>I can't create a correct DB in /etc/httpd/alias
>
>I search on the INet and read the install Log from ipa-server but it is
>not possible for me to find a working way :-(.

So you want to set up a web server on an IPA client and have this web
server to use mod_nss with certificates from IPA CA?

--
/ Alexander Bokovoy
Re: [Freeipa-users] mod_nss FreeIPA
On 26/05/16 07:42, Günther J. Niederwimmer wrote:
> Hello,
>
> can anyone help to find the correct way to configure a Webserver with IPA.
> (mod_nss)
>
> I can't create a correct DB in /etc/httpd/alias
>
> I search on the INet and read the install Log from ipa-server but it is
> not possible for me to find a working way :-(.
>
> Thanks for an answer ?

Hello Günther,

I'm not sure if I understand your question. What I take from your message is:

I want an IPA webserver with NSSDB in /etc/httpd/alias.

The answer then is:

ipa-server-install creates that DB for apache and populates it with
certificates. So there is nothing to do.

From one of my test servers:

# certutil -d /etc/httpd/alias/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
EXAMPLE.TEST IPA CA                                          CT,C,C
Signing-Cert                                                 u,u,u


If this is not what you were asking please try to explain what you want
to achieve with more details.

--
David Kupka
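
Added example, not part of the original thread and not FreeIPA's own tooling: a shell check that reads a `certutil -L` listing like the one David posted and confirms the two entries a mod_nss web server depends on. The function name `check_nssdb_listing` is hypothetical, and the pass criteria (the server nickname carries `u` in the SSL trust field, and some entry carries `C` there) are this example's assumption.

```shell
#!/bin/sh
# Constructed sample: the listing from the thread, laid out in certutil's columns.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
EXAMPLE.TEST IPA CA                                          CT,C,C
Signing-Cert                                                 u,u,u
'

# check_nssdb_listing NICKNAME   (hypothetical helper; reads a listing on stdin)
# Exit 0 only if NICKNAME has a private key in the DB ("u" in the SSL field)
# and at least one entry is a CA trusted for SSL ("C" in the SSL field).
# Each problem found is printed on its own line.
check_nssdb_listing() {
    awk -v want="$1" '
    # Data rows end in three comma-separated groups of NSS trust flags;
    # the two header rows do not match this pattern and are skipped.
    NF >= 2 && $NF ~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ {
        nick = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the trust column
        sub(/^[ \t]+/, "", nick)                # nicknames may contain spaces
        split($NF, f, ",")                      # f[1] = SSL trust flags
        seen[nick] = 1
        if (nick == want) {
            if (index(f[1], "u")) have_key = 1
            else print "no private key for: " nick
        }
        if (index(f[1], "C")) have_ca = 1
    }
    END {
        if (!(want in seen)) print "missing nickname: " want
        if (!have_ca) print "no CA trusted for SSL (need C in first trust field)"
        exit !(have_key && have_ca)
    }'
}

# On a real host: certutil -d /etc/httpd/alias -L | check_nssdb_listing Server-Cert
printf '%s\n' "$SAMPLE_LISTING" | check_nssdb_listing Server-Cert && echo "listing OK"
```
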