Contribute to a HowTO
by Peter Tselios
Hello,
I have a relatively easy HowTo for Integrating Grafana with FreeIPA as an Authentication Back-end.
So, can you please allow my account write access to the Wiki?
5 years, 6 months
FreeIPA - it it the right solution for me?
by 74cmonty
Hi,
I am considering deploying FreeIPA in my home network.
In this network I run several servers and workstations with both Linux and Windows.
In addition I have set up some web services running in containers (LXC).
I have only one public IP and manage the (privately hosted) web services with a reverse proxy.
The network architecture includes several networks, e.g. LAN, DMZ, ...
All networks are secured by relevant iptables rules.
I want central user management and strong security management.
This is included in FreeIPA.
In addition FreeIPA includes some network related features, e.g. DNS.
And here starts my problem.
Currently I manage the DNS of my public domain with the domain provider.
If I install FreeIPA I need to shutdown the DNS management with the domain provider and manage this by myself.
Can I shut down this DNS service before starting the FreeIPA installation w/o impacting DNS resolution of my domain?
What happens if FreeIPA is down? Should there be any redundancy?
THX
5 years, 6 months
Error installation "freeipa-letsencrypt": certutil: could not authenticate to token NSS Certificate DB.: SEC_ERROR_IO: An I/O error occurred during security authorization.
by 74cmonty
Hi,
I have executed script setup.sh from package "freeipa-letsencrypt".
The installation finished with this error message:
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140228802354200
ipapython.admintool: INFO: The ipa-certupdate command was successful
certutil: could not authenticate to token NSS Certificate DB.: SEC_ERROR_IO: An I/O error occurred during security authorization.
certutil: Server-Cert is neither a key-type nor a nickname nor a key-id: SEC_ERROR_IO: An I/O error occurred during security authorization.
What's causing this error?
And how can I fix this?
The file "httpd-csr.der" in the working directory (in my case /etc/ssl/ipa-le/) is 0 bytes. Therefore I conclude that the installation was not successful.
[root@ipa freeipa-letsencrypt]# ls -lR /etc/ssl/ipa-le/
/etc/ssl/ipa-le/:
insgesamt 0
drwxr-xr-x. 2 root root 187 3. Nov 19:49 ca
-rw-r-----. 1 root root 0 3. Nov 20:19 httpd-csr.der
/etc/ssl/ipa-le/ca:
insgesamt 24
-rw-r--r--. 1 root root 1220 3. Nov 19:49 DSTRootCAX3.pem
-rw-r--r--. 1 root root 1967 3. Nov 19:49 isrgrootx1.pem
-rw-r--r--. 1 root root 1702 3. Nov 19:49 LetsEncryptAuthorityX1.pem
-rw-r--r--. 1 root root 1675 3. Nov 19:49 LetsEncryptAuthorityX2.pem
-rw-r--r--. 1 root root 1647 3. Nov 19:49 LetsEncryptAuthorityX3.pem
-rw-r--r--. 1 root root 1647 3. Nov 19:49 LetsEncryptAuthorityX4.pem
THX
5 years, 6 months
No httpd service listening on TCP4
by 74cmonty
Hi,
I just completed installation with Fedora 29 in KVM.
The installation finished w/o errors.
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
Checking the open ports, I cannot identify any TCP4 ports 80 or 443.
[root@ipa ~]# netstat -tulpen | egrep "80|443"
tcp6 0 0 127.0.0.1:8005 :::* LISTEN 17 56422 3678/java
tcp6 0 0 127.0.0.1:8009 :::* LISTEN 17 53206 3678/java
tcp6 0 0 :::80 :::* LISTEN 0 60216 4570/httpd
tcp6 0 0 :::8080 :::* LISTEN 17 53200 3678/java
tcp6 0 0 :::443 :::* LISTEN 0 60224 4570/httpd
tcp6 0 0 :::8443 :::* LISTEN 17 53204 3678/java
Ports 80 and 443 are listening on TCP6 only.
How does this happen?
THX
5 years, 6 months
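The tcp6-only listing in the post above is what Linux normally shows for a working dual-stack service, and the following added Python example (not code from the post or from the FreeIPA project) demonstrates why: a TCP socket bound to the IPv6 wildcard "::" with IPV6_V6ONLY left at 0 (the Linux default, sysctl net.ipv6.bindv6only=0) also accepts IPv4 clients, which arrive as IPv4-mapped addresses such as ::ffff:127.0.0.1. httpd's default "Listen 80" opens exactly such a socket, so netstat prints ":::80" under tcp6 and nothing under tcp. The example binds an ephemeral port instead of 80/443 so it runs unprivileged, and reports "unavailable" on hosts where IPv6 sockets cannot be created.

```python
import socket


def ipv4_reaches_ipv6_listener(v6only):
    """Bind a TCP listener on the IPv6 wildcard "::" and connect to it over IPv4.

    Returns the peer address the listener sees (an IPv4-mapped IPv6 address
    such as "::ffff:127.0.0.1") when the IPv4 client gets through,
    "not_reachable" when the connection is refused or times out, and
    "unavailable" when this host cannot create or bind an AF_INET6 socket.
    """
    if not hasattr(socket, "IPV6_V6ONLY"):
        return "unavailable"
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        return "unavailable"
    with srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # IPV6_V6ONLY=0 is the Linux default (net.ipv6.bindv6only=0): one
        # "tcp6 :::port" socket serves IPv4 and IPv6. With 1 it is IPv6-only.
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
        try:
            srv.bind(("::", 0))  # port 0: an ephemeral port instead of 80/443
        except OSError:
            return "unavailable"
        srv.listen(1)
        srv.settimeout(3)
        port = srv.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
            cli.settimeout(3)
            try:
                cli.connect(("127.0.0.1", port))  # plain IPv4, like a v4-only client
                conn, peer = srv.accept()
            except OSError:
                return "not_reachable"
            conn.close()
            # peer[0] is the IPv4-mapped form of the client's IPv4 address
            return peer[0]


if __name__ == "__main__":
    print("dual-stack listener, IPv4 client:", ipv4_reaches_ipv6_listener(False))
    print("IPv6-only listener, IPv4 client:", ipv4_reaches_ipv6_listener(True))
```

Run it on the IPA host: the first call returning "::ffff:127.0.0.1" confirms that a tcp6 ":::port" socket does serve IPv4; the second call, with IPV6_V6ONLY set, is refused and shows what it would look like if httpd really were IPv6-only. To check the real service rather than a test socket, connect from an IPv4-only client (for example curl -4 to port 80) and watch for the ::ffff: form of its address in the httpd access log.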
replication sync issues
by Grant Janssen
I have these errors in the syslog of the primary; the syslog on the secondary is clean.
Oct 30 09:41:59 ef-idm01 ns-slapd: [30/Oct/2018:09:41:59.104092627 -0700] agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389) - Can't locate CSN 5afd9651000200600000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
Oct 30 09:41:59 ef-idm01 ns-slapd: [30/Oct/2018:09:41:59.105088278 -0700] NSMMReplicationPlugin - changelog program - agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389): CSN 5afd9651000200600000 not found, we aren't as up to date, or we purged
Oct 30 09:41:59 ef-idm01 ns-slapd: [30/Oct/2018:09:41:59.105750108 -0700] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized.
I initiated a resync, but the errors continue to pile up on the primary.
grant@ef-idm02:~[20181030-9:36][#115]$ ipa-replica-manage force-sync --from ef-idm01.production.efilm.com
Directory Manager password: ********
ipa: INFO: Setting agreement cn=meToef-idm02.production.efilm.com,cn=replica,cn=dc\=production\,dc\=efilm\,dc\=com,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meToef-idm02.production.efilm.com,cn=replica,cn=dc\=production\,dc\=efilm\,dc\=com,cn=mapping tree,cn=config
grant@ef-idm02:~[20181030-9:37][#116]$
thanx
- grant
5 years, 6 months
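As an added example (not code from the post or from the FreeIPA project), here is a small Python monitor that groups ns-slapd replication messages of the kind quoted above by agreement and flags the consumers the supplier says must be reinitialized. The sample log is constructed, modelled on the three lines in the post with example.com hostnames, plus one constructed non-error line to show that not every agreement message counts as a warning.

```python
import re

# Constructed sample log, modelled on the ns-slapd lines quoted in the post
# (hostnames and domain replaced by example.com placeholders; the last line is
# a constructed non-error line to show that not every agreement message counts).
SAMPLE_LOG = """\
Oct 30 09:41:59 idm01 ns-slapd: [30/Oct/2018:09:41:59.104092627 -0700] agmt="cn=masterAgreement1-idm02.example.com-pki-tomcat" (idm02:389) - Can't locate CSN 5afd9651000200600000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
Oct 30 09:41:59 idm01 ns-slapd: [30/Oct/2018:09:41:59.105088278 -0700] NSMMReplicationPlugin - changelog program - agmt="cn=masterAgreement1-idm02.example.com-pki-tomcat" (idm02:389): CSN 5afd9651000200600000 not found, we aren't as up to date, or we purged
Oct 30 09:41:59 idm01 ns-slapd: [30/Oct/2018:09:41:59.105750108 -0700] NSMMReplicationPlugin - agmt="cn=masterAgreement1-idm02.example.com-pki-tomcat" (idm02:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized.
Oct 30 09:42:10 idm01 ns-slapd: [30/Oct/2018:09:42:10.000000000 -0700] NSMMReplicationPlugin - agmt="cn=meToidm03.example.com" (idm03:389): (constructed) informational agreement message with no error
"""

AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)" \((?P<host>[^:)]+):(?P<port>\d+)\)')
CSN_RE = re.compile(r"\bCSN (?P<csn>[0-9a-f]{20})\b")

# Substrings of the changelog messages that indicate the consumer has fallen
# behind the supplier's changelog; the "must be" form is the definitive one.
WARNING_MARKERS = (
    "may need to be reinitialized",
    "must be reinitialized",
    "purged from the changelog",
    "not found, we aren't as up to date",
)


def parse_line(line):
    """Return agreement, consumer, CSN and severity of one ns-slapd line, or None."""
    m = AGMT_RE.search(line)
    if not m:
        return None
    csn = CSN_RE.search(line)
    return {
        "agreement": m.group("agmt"),
        "consumer": "%s:%s" % (m.group("host"), m.group("port")),
        "csn": csn.group("csn") if csn else None,
        "warning": any(marker in line for marker in WARNING_MARKERS),
        "needs_reinit": "must be reinitialized" in line,
    }


def summarize(log_text):
    """Per agreement: warning count, CSNs missing from the changelog, reinit required."""
    report = {}
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        entry = report.setdefault(event["agreement"], {
            "consumer": event["consumer"],
            "warnings": 0,
            "missing_csns": set(),
            "needs_reinit": False,
        })
        if event["warning"]:
            entry["warnings"] += 1
            if event["csn"]:
                entry["missing_csns"].add(event["csn"])
        if event["needs_reinit"]:
            entry["needs_reinit"] = True
    return report


def agreements_needing_reinit(report):
    """Agreements whose supplier reported that the consumer must be reinitialized."""
    return sorted(name for name, entry in report.items() if entry["needs_reinit"])


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for name, entry in summary.items():
        print(name, entry["consumer"], "warnings=%d" % entry["warnings"],
              "needs_reinit=%s" % entry["needs_reinit"])
    print("reinitialize:", agreements_needing_reinit(summary))
```

Feed it the supplier's syslog (or /var/log/dirsrv/slapd-*/errors) and alert on agreements_needing_reinit(). Note what the agreement name tells you: the "-pki-tomcat" suffix identifies the CA suffix agreement, whereas the force-sync shown in the post acted on the domain suffix agreement (cn=dc=...); a "must be reinitialized" message asks for a re-initialization of that specific consumer, which a forced incremental sync does not perform.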
Cannot start FreeIPA master - procedure for cleaning up?
by Callum Smith
Dear All,
Running a FreeIPA cluster, the master has fallen over and refuses to get back up:
Failed to read data from service file: Unknown error when retrieving list of services from LDAP: Insufficient access: SASL(-4): no mechanism available: (Unknown authentication method)
I was wondering where the best place to look for logs is to get myself out of this hole; as it's the "super master", I'd rather not have to delete it, promote another, etc.
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum(a)well.ox.ac.uk
5 years, 6 months
Remove ntpd from IPA managed services
by Ian Pilcher
I am having trouble with ntpd on my IPA server. For whatever reason,
chrony seems to work when I manually stop ntpd.
I would like to remove ntpd as an IPA-managed service. I found an old
thread on this list that says I need to remove:
cn=NTP,cn=ipa.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
Assuming that this is correct, how do I do that?
--
========================================================================
Ian Pilcher arequipeno(a)gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
5 years, 6 months
certmonger Error 77 Problem with the SSL CA cert
by Kees Bakker
Hi,
We have had FreeIPA running on Ubuntu 16.04 for about two years
now. For the last few days we have seen these messages in the log:
Oct 22 17:32:14 ipasrv certmonger[1813]: 2018-10-22 17:32:14 [1813] Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
Oct 22 17:32:20 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Oct 22 17:32:20 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
Where should I start looking to recover from this?
--
Kees
5 years, 6 months
Deployment without CA
by Henrik Johansson
Hello,
I am looking at using FreeIPA without a CA, using externally signed certificates; reading the documentation it looks possible using --dirsrv-certfile, --http-cert-file and --point-certfile. Should I just create a CSR for the hostname by hand and get it signed? Also, is there any good reason for having different certs for http, ldap and pkinit? Can I just use one certificate for all services and for all servers and replicas using Subject Alternative Names?
Regards
Henrik
5 years, 6 months