convert freeipa (ldap) pass to htpasswd
by Sebastian Kösters
Hi,
Maybe one of you guys is able to help me with that.
Please don't ask why, but I have to convert my users' LDAP pass to htpasswd.
In my LDAP setup currently running, I do it like this:
---
ldapsearch -D 'cn=admin,dc=domain,dc=de' -w $PASS -LLL -x -b "dc=domain,dc=de" uid=$user | grep userPassword | cut -d ":" -f 3 | openssl base64 -d
---
With the "openssl base64 -d" part I get a working htpasswd password.
I now tried the same with my freeIPA installation. I am able to get the
LDAP pass, but the output of the "openssl base64 -d" command is just empty.
Is there a way to "convert" the pass to the format I need?
BR
Sebastian
7 years
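One structural reason the pipeline in Sebastian's post prints nothing: ldapsearch writes non-printable values as base64 ("userPassword::") and folds lines longer than 76 columns onto continuation lines that begin with a space (RFC 2849), so "grep | cut" hands only the first chunk to "openssl base64 -d", which then outputs nothing; FreeIPA's 389-ds stores hashes in long schemes such as {SSHA512} or {PBKDF2_SHA256}, while an OpenLDAP {SSHA} value fits on one line. The Python below is an added example, not code from the post or from FreeIPA: it unfolds LDIF correctly, shows what the naive first-line extraction sees, and reports whether the stored scheme is one Apache's htpasswd files accept (a hash in any other scheme cannot be turned into an htpasswd entry without the cleartext). The sample hash is a constructed placeholder, not real directory data.

```python
import base64
import binascii
import re

HTPASSWD_SCHEMES = ("{SHA}", "$apr1$", "$2y$", "$2a$")  # formats Apache htpasswd auth accepts

def fold_ldif_value(attr, value, width=76):
    """'attr:: <base64>' folded at `width` columns with one-space continuation lines, as ldapsearch does."""
    line = f"{attr}:: " + base64.b64encode(value.encode()).decode()
    out = [line[:width]]
    for i in range(width, len(line), width - 1):
        out.append(" " + line[i:i + width - 1])
    return "\n".join(out)

def decode_or_none(chunk):
    """Like `openssl base64 -d`: a truncated base64 chunk decodes to nothing."""
    try:
        return base64.b64decode(chunk).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None

def naive_first_line(ldif_text):
    """What `grep userPassword | cut -d: -f3` sees: the first physical line only."""
    for raw in ldif_text.splitlines():
        if raw.startswith("userPassword"):
            return raw.split(":")[-1].strip()  # the text after the last colon
    return None

def extract_user_password(ldif_text):
    """Correct extraction: re-join continuation lines, then decode the whole value."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:  # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines:
        m = re.match(r"^userPassword(::?) (.*)$", line)
        if m:
            return decode_or_none(m.group(2)) if m.group(1) == "::" else m.group(2)
    return None

def password_scheme(stored_hash):
    """Return (scheme prefix, usable by htpasswd?) for a stored userPassword value."""
    m = re.match(r"^(\{[^}]+\}|\$[^$]+\$)", stored_hash)
    scheme = m.group(1) if m else "<no prefix>"
    return scheme, scheme in HTPASSWD_SCHEMES

# Constructed sample, not a real hash: 389-ds-style PBKDF2 prefix with a dummy payload long enough to be folded.
LONG_HASH = "{PBKDF2_SHA256}" + "A" * 120
```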
4.5.0+ Rhel 7 support
by Jason Hensley
Is anyone running FreeIPA 4.5.0+ successfully on Rhel7/CentOS7? Are there
any plans to officially support Rhel7/CentOS7?
Thanks,
J
7 years
Fwd: matching rule errors?
by Zak Wolfinger
Running FreeIPA Version 4.2.0
Seeing a lot of these in the slapd error log:
the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
the SUBSTR matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
Any clue as to what this means and specifically how to fix it?
Cheers,
Zak Wolfinger
Infrastructure Engineer | Emma®
zak.wolfinger(a)myemma.com <mailto:zak.wolfinger@myemma.com>
800.595.4401 or 615.292.5888 x197
615.292.0777 (fax)
7 years
Re: UI customization: Default values on host addition
by Pavel Vomacka
Hello Steve,
On 05/16/2017 05:21 PM, Steve Huston wrote:
> I've extended the UI for host addition by including a multivalued
> widget which stores puppetVar values (as well as the accompanying
> Python plugin to handle it and schema update in the directory). This
> works well, but I'd like to add one more thing and am not sure how to
> do it.
>
> There are certain variables which are basically always set for every
> host, and so I'd like them to default to those values in the UI, while
> still giving the admin the choice to edit or remove them just like
> they were entered by hand. I'm not sure, however, how to "push"
> values into the UI that way.
Could you please write an example of the variable?
>
> Is there some attribute of a field I can edit to insert a default
> value into the UI, while still allowing that to be removed or edited
> before the user submits the page?
>
>
In case you want to prefill a dialog with default values, you can do it by
using that.get_field('fieldname').set_value(['value1']); in the open()
method of the dialog. But I'm not sure whether this is what you want. If
not, please send an example of what you want to achieve.
HTH
--
Pavel^3 Vomacka
7 years
Re-initialize replica question
by John Bowman
This is technically two issues but hopefully one solution would solve both
problems.
We have a replica that has an EXTREMELY large cldb file and we are unfortunately
not in a position to be able to grow it.
# pwd
/var/lib/dirsrv/slapd-IPA-US/cldb
# ls -la
-rw------- 1 dirsrv dirsrv 38G May 22 10:40 3f194d88-fc9b11e3-a48ba575-885328fc_5255c5c5000000040000.db4
-rw------- 1 dirsrv dirsrv 27G Aug 3 2016 3f194d88-fc9b11e3-a48ba575-885328fc.ldif
Not certain why this particular replica (non-CA replica) would have about
30 GB larger files than the others. It is fairly old and has been running
steadily for the last few years without incident other than the continuous
growth of the .db4 file. My question is whether it's possible to delete that
file and re-initialize the replica to rebuild it, or whether there is perhaps
another, safer option?
Thanks!
--
John Bowman
john.bowman(a)zayo.com
7 years
Encrypting user's home directory
by Kees Bakker
Hey,
Does anyone have a setup with a FreeIPA server and client PCs where users
have an encrypted HOME directory? I'm having difficulty setting it up. I'd be
grateful if someone could give some hints on how to set it up. I have Ubuntu
on the server and on the PCs (and laptops).
What I tried so far:
* enable PAM "Create home directory on login"
* as root, convert the home directory with ecryptfs-migrate-home
The first step succeeds: a new home directory is created for the user.
However, in the next step, ecryptfs-migrate-home asks for the passphrase of
the user, but it claims that the passphrase is wrong. The result is that the
migration fails.
I've tried another route:
* create a new local user with a fake name
* rename the new home directory to match the actual user (also the new
directory in /home/.ecryptfs)
The reason for a fake name is that you can't add a local user with the same
name that exists in FreeIPA.
The renaming is doable, but tedious. There are symlinks to be changed and there is
~/.ecryptfs/Private.mnt to be edited.
Anyway, with this latter method I can now log in through lightdm, but like I mentioned
it is quite a clumsy process.
--
Kees
7 years
freeipa ldap + htaccess question
by Sebastian Kösters
Hi all!
I have a question about the use of LDAP with .htaccess in freeIPA.
I am using freeIPA (V. 4.4.0-14 with CentOS 7). I now wanted to also use
.htaccess with LDAP.
My first try was this:
---
Order allow,deny
Allow from all
AuthName "test"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldaps://ipa01.hostname.de:636 ipa02.hostname.de:636/cn=users,cn=accounts,dc=domain,dc=de?uid"
Require valid-user
---
This works perfectly fine for users I created in the freeIPA web interface.
I now have to make some changes. Some users should be able to log in on
the website that uses the .htaccess and some should not be able to log in.
So I decided to create a group and add all users which should be allowed
to log in via .htaccess.
So my first try was this:
---
[...]
Require ldap-attribute gidNumber=101010
[...]
---
101010 is the gid of my newly created group (webtest). That did not
work. If I use the gid of the "main" group of the users, it's working
fine (the user is definitely part of the new group).
I also tried several other ways I found with the help of Google to
only allow users which are members of the group to have access, but every
attempt failed.
Maybe one of you guys is able to help me?!
Thank you and best regards
Sebastian
7 years
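"Require ldap-attribute gidNumber=..." compares an attribute of the authenticated user's own entry, and a FreeIPA user's gidNumber holds only the primary group; membership in a group like webtest is recorded in the group entry's member attribute (and mirrored in the user's memberOf), which is why the check above only matched the main group. The following is an added example, not configuration from the post or from FreeIPA: the same setup in Apache 2.4 syntax, restricting access to the webtest group with mod_authnz_ldap's ldap-group check; the host names, base DN and group name are taken from the post.

```apache
# Added example (not from the original post): Apache 2.4, mod_authnz_ldap.
AuthName "test"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldaps://ipa01.hostname.de:636 ipa02.hostname.de:636/cn=users,cn=accounts,dc=domain,dc=de?uid"

# FreeIPA group entries list their members as full user DNs in `member`,
# so let mod_authnz_ldap fetch the group and look for the bound user's DN.
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on
Require ldap-group cn=webtest,cn=groups,cn=accounts,dc=domain,dc=de

# Alternative with the same effect (use one or the other): FreeIPA also
# maintains memberOf on each user entry, so a compare on it works too.
# Require ldap-attribute memberOf=cn=webtest,cn=groups,cn=accounts,dc=domain,dc=de
```

The gidNumber check is only appropriate when the primary group is what you want to test; for a supplementary group, use one of the two directives above.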
Setup and Configuration guide for AIX 6.1/7.1
by Lakshan Jayasekara
Hi All,
I need to set up and configure AIX 6.1 and 7.1 clients on our existing IPA server. Currently all Linux clients are integrated and working fine. If anyone has configured an AIX client, please share the configuration document with me; it would be beneficial for my exercise. The web only contains a guide for setting up AIX 5.3, not the latest AIX versions.
Lakshan Jayasekara
Senior Systems Engineer
Mobile: +94 77 294 0396 | Dir: +94 11 235 6949
General:+94 11 235 6949 Ext: 949 | Fax: +94 11 2544346
LankaClear (Pvt) Ltd, Level 18, Bank of Ceylon Head Office,
“BOC Square”, No. 01, Bank of Ceylon Mw, Colombo 01, Sri Lanka.
http://www.lankaclear.com
7 years
cannot re-enroll server (multiple errors)
by Vinny Del Signore
Hello all,
Has anyone seen this issue or have suggestions?
We had FreeIPA configured a few years ago by a team that is now gone.
Several months ago we had an issue where passwords seemed to expire and
authentication started failing for users. For example, we were not able to
log in to the LDAP server via ssh as an LDAP user; it shows "Permission denied":
[fred@fred ~]$ ssh cr0777kk@biobb-ss
cr0777kk@biobb-ss's password:
Permission denied, please try again.
...
We checked the user status in LDAP and it is not locked and has the correct
permissions. Then we noticed that the server is marked as LOCKED by
kerberos in kerberos log:
[/var/log/krb5kdc.log]
root ldap-p1 ~
# grep biobb-ss /var/log/krb5kdc.log | tail
May 16 15:49:51 ldap-p1.freeipa.example.com krb5kdc[20459](info): AS_REQ (4
etypes {18 17 16 23}) 10.107.179.53: LOCKED_OUT:
host/biobb-ss.freeipa.example.com(a)FREEIPA.EXAMPLE.COM for
krbtgt/FREEIPA.EXAMPLE.COM(a)FREEIPA.EXAMPLE.COM, Clients credentials have
been revoked
...
We used to work around this issue by re-enrolling the server in the LDAP DB.
On the LDAP server, we execute these commands:
# kinit <LDAP_Admin>
# ipa host-del biobb-ss.freeipa.example.com
# ipa host-add biobb-ss.freeipa.example.com --password xxxxxxxxxxx
# ipa hostgroup-add-member dev --hosts=biobb-ss.freeipa.example.com
This worked in the past, but now the second command (to delete the server
from the LDAP DB) fails. If we re-execute the same command, it shows three
different errors, in the order below:
Here is what we see now:
# ipa host-del host.freeipa.example.com
# ipa: ERROR: cannot connect to
'https://host.freeipa.example.com:443/ca/agent/ca/displayBySerial':
(SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.
# ipa host-del host.freeipa.example.com
# ipa: ERROR: cannot connect to
'https://host.freeipa.example.com:443/ca/agent/ca/displayBySerial':
(SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.
# ipa host-del host.freeipa.example.com
# ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
certificate/key database is in an old, unsupported format.
When we restart the IPA services (ipactl restart) we see the following
errors in the error log:
[18/May/2017:12:04:24 -0500] - 389-Directory/1.2.11.15 B2016.155.1910
starting up
[18/May/2017:12:04:24 -0500] attrcrypt - attrcrypt_unwrap_key: failed
to unwrap key for cipher AES
[18/May/2017:12:04:24 -0500] attrcrypt - attrcrypt_cipher_init:
symmetric key failed to unwrap with the private key; Cert might have been
renewed since the key is wrapped. To recover the encrypted contents, keep
the wrapped symmetric key value.
[18/May/2017:12:04:24 -0500] attrcrypt - attrcrypt_unwrap_key: failed
to unwrap key for cipher 3DES
[18/May/2017:12:04:24 -0500] attrcrypt - attrcrypt_cipher_init:
symmetric key failed to unwrap with the private key; Cert might have been
renewed since the key is wrapped. To recover the encrypted contents, keep
the wrapped symmetric key value.
[18/May/2017:12:04:24 -0500] attrcrypt - All prepared ciphers are not
available. Please disable attribute encryption.
[18/May/2017:12:04:24 -0500] - slapd started. Listening on All
Interfaces port 7389 for LDAP requests
[18/May/2017:12:04:24 -0500] - Listening on All Interfaces port 7390
for LDAPS requests
[18/May/2017:12:04:24 -0500] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
[18/May/2017:12:04:24 -0500] NSMMReplicationPlugin -
agmt="cn=masterAgreement1-biogendb-p2.wgap.ibm.com-pki-ca" (biogendb-p2:7389):
Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error)
(TLS error -8054:You are attempting to import a cert with the same
issuer/serial as an existing cert, but that is not the same cert.)
[18/May/2017:12:04:27 -0500] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
[18/May/2017:12:04:33 -0500] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
[18/May/2017:12:04:45 -0500] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
Has anyone seen this issue before? Thank you in advance.
-Vin
7 years
FreeIPA 4.5.0 Rhel7 support
by Jason Hensley
Is anyone running FreeIPA 4.5.0+ successfully on Rhel7/CentOS7? Are there
any plans to officially support Rhel7/CentOS7?
Thanks,
J
7 years