Re: Add Subject Alternative Name of HA/LB host to LDAPS servers?
by Daniel Oetken
Why doesn’t terminating SSL on the proxy work with LDAPS? Because it should, and it says so here too: https://www.mail-archive.com/haproxy@formilux.org/msg21657.html
Though, I’m looking into the same thing to add SAN to the server certificate and wondering about similar questions. When you look at “ipa-getcert list” you should see the current certificates already, including their settings, so I was thinking to just stop tracking those old ones and create new ones like you did, except with the exact same options as the old ones (+ SAN). But yeah, I’m not sure if there is anything else involved, or if there is a better way. I only started using freeipa recently.
4 years, 9 months
Re: Disabled user accounts
by Alexander Bokovoy
On Thu, 22 Aug 2019, Angus Clarke via FreeIPA-users wrote:
>Hi all
>
>Just an observation really, some of our users complained that their IdM
>login names did not match other systems' - we saw IdM as the easiest
>place to fix this (as opposed to modifying local accounts on hundreds
>of non-IdM enabled *nix boxes around the estate)
You can rename accounts with
ipa user-mod --rename
$ ipa user-mod some-user --rename=another-user
-------------------------
Modified user "some-user"
-------------------------
User login: another-user
....
>Rightly or wrongly, the approach we took was to disable angusc account
>and add new account aclarke using the same UID number.
How did you disable it? 'ipa user-disable'? This just leaves this user
in the tree and marks its account not possible to use for
authentication.
>One of our users spotted this happening occasionally:
>
>
>[aclarke@orabledb ~]$ id
>uid=1234(angusc) gid=1234(aclarke) groups=1234(aclarke),2345(dbas)
>
>We're now deleting the disabled accounts from IdM.
>
>$ rpm -q ipa-server
>ipa-server-4.6.4-10.0.1.el7_6.3.x86_64
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
Disabled user accounts
by Angus Clarke
Hi all
Just an observation really, some of our users complained that their IdM login names did not match other systems' - we saw IdM as the easiest place to fix this (as opposed to modifying local accounts on hundreds of non-IdM enabled *nix boxes around the estate)
Rightly or wrongly, the approach we took was to disable angusc account and add new account aclarke using the same UID number.
One of our users spotted this happening occasionally:
[aclarke@orabledb ~]$ id
uid=1234(angusc) gid=1234(aclarke) groups=1234(aclarke),2345(dbas)
We're now deleting the disabled accounts from IdM.
$ rpm -q ipa-server
ipa-server-4.6.4-10.0.1.el7_6.3.x86_64
Regards
Angus
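The `id` output above shows how a disabled account that keeps its uidNumber can still win the UID-to-name lookup. The following is an added check, not code from the poster or the FreeIPA project: it parses `ipa user-find` style output (the sample is constructed to match the two accounts in the post) and lists UIDs shared by more than one account, disabled ones included.

```python
"""Detect UID numbers shared by more than one IdM account, including disabled ones."""
import re
from collections import defaultdict

# Constructed sample in the shape of `ipa user-find` output, modelled on the two
# accounts described in the post (not real output from the poster's server).
SAMPLE = """\
---------------
2 users matched
---------------
  User login: angusc
  UID: 1234
  GID: 1234
  Account disabled: True

  User login: aclarke
  UID: 1234
  GID: 1234
  Account disabled: False
----------------------------
Number of entries returned 2
----------------------------
"""

def parse_users(text):
    """Return one dict per 'User login:' record with login, uid and disabled flag."""
    users, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+): (.*)$", line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "User login":
            cur = {"login": val, "disabled": False}
            users.append(cur)
        elif cur is not None and key == "UID":
            cur["uid"] = int(val)
        elif cur is not None and key == "Account disabled":
            cur["disabled"] = (val == "True")
    return users

def uid_collisions(users):
    """Map each UID held by two or more accounts to the logins holding it.
    Disabled accounts count: `ipa user-disable` keeps the entry in the tree,
    so NSS lookups such as `id` may still resolve the UID to the old login."""
    by_uid = defaultdict(list)
    for u in users:
        by_uid[u["uid"]].append(u["login"] + (" (disabled)" if u["disabled"] else ""))
    return {uid: logins for uid, logins in by_uid.items() if len(logins) > 1}
```

Against a live server, feed it the output of `ipa user-find --all` and act on every UID it reports, either by renaming with `ipa user-mod --rename` as suggested in the reply or by deleting the disabled entry.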
Add Subject Alternative Name of HA/LB host to LDAPS servers?
by Jonathan Vaughn
I've seen some guides for doing reverse proxy of SSL using Apache/Nginx
which seem to side step the SSL issue by terminating SSL in the proxy but
that only works for actual HTTPS connections to the FreeIPA UI, not for
LDAPS.
I have got keepalived + HAProxy configured such that accessing
ipa.example.com will go through HAProxy and on to FreeIPA for LDAP(S). LDAP
works perfectly fine, LDAPS works if the client can ignore the SSL
certificate name mismatch (since of course, the SSL certificate will be
ipa-11.example.com or ipa-12.example.com or whatever the FreeIPA server
actually is).
We need this because Atlassian doesn't want to support multiple LDAP host
names in configuration without paying for Crowd (which is a pretty
redundant product when we have FreeIPA already). Additionally, I can't
disable the hostname check for SSL either, which would at least work around
the issue, so we need to get ipa.example.com into each FreeIPA LDAP
server's SSL certificate.
How can I add ipa.example.com as SAN to the SSL certificate used by 389DS
in FreeIPA?
At first I thought maybe I should start with adding HTTP/ipa.example.com as
a principal alias to each HTTP/ipa-(server).example.com and then reissue
the SSL but apparently I can only add the alias to a single principal
(can't have it on multiple servers)...
The basic layout is this:
10.0.0.10 : ipa.example.com (virtual IP / VRRP)
10.0.0.11 : ipa-11.example.com
10.0.0.12 : ipa-12.example.com
HAproxy runs on both ipa-11 and ipa-12 and each instance of HAproxy is
configured to sticky sessions.
Keepalived runs on both ipa-11 and ipa-12, both configured as master but
with ipa-11 set as a higher priority so that nominally all requests go to
ipa-11 unless ipa-11 is down, in which case the virtual IP moves to the
other server.
When connecting to ipa.example.com, connection may end up at either of
ipa-11.example.com or ipa-12.example.com, and we need them both to have
ipa.example.com in addition to their real server name in the SSL
certificate for LDAPS to work correctly. So the certificate for
ipa-11.example.com should include in SAN both ipa-11.example.com and
ipa.example.com, and the certificate for ipa-12.example.com should include
in SAN both ipa-12.example.com and ipa.example.com.
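An added check (not the poster's code nor part of FreeIPA) for the end state described in the last paragraph: for each backend, the certificate presented on port 636 must carry the VIP name and the backend's own name in its SAN. It uses only the Python standard library; the certificate dicts are constructed, and fetch_cert is for live use against the real hosts.

```python
"""Check that an LDAPS certificate covers both the VIP name and the backend's real name."""
import socket
import ssl

# Names each backend must carry in its SAN, taken from the layout in the post.
REQUIRED = {
    "ipa-11.example.com": {"ipa-11.example.com", "ipa.example.com"},
    "ipa-12.example.com": {"ipa-12.example.com", "ipa.example.com"},
}

def san_dns_names(cert):
    """DNS entries of a cert dict in the shape ssl.SSLSocket.getpeercert() returns."""
    return {val.lower() for kind, val in cert.get("subjectAltName", ()) if kind == "DNS"}

def missing_names(cert, required):
    """Required names absent from the SAN. The subject CN is deliberately ignored:
    current TLS clients match hostnames against subjectAltName only, which is why a
    certificate whose CN is the backend name still fails for the VIP name."""
    return sorted({n.lower() for n in required} - san_dns_names(cert))

def fetch_cert(host, port=636, cafile=None):
    """Fetch the peer certificate from a live LDAPS endpoint. The chain is still
    verified against cafile; hostname matching is done by missing_names instead."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed certificate dicts for ipa-11 before and after adding the VIP SAN
# (hypothetical, not captured from the poster's servers).
BEFORE = {"subject": ((("commonName", "ipa-11.example.com"),),),
          "subjectAltName": (("DNS", "ipa-11.example.com"),)}
AFTER = {"subject": ((("commonName", "ipa-11.example.com"),),),
         "subjectAltName": (("DNS", "ipa-11.example.com"), ("DNS", "ipa.example.com"))}

if __name__ == "__main__":
    need = REQUIRED["ipa-11.example.com"]   # live: missing_names(fetch_cert(host), need)
    print("before:", missing_names(BEFORE, need), "after:", missing_names(AFTER, need))
```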
Unable to add managed entry
by yousif raed
Hello,
A while ago I migrated from an old FreeIPA server to a new server. Everything worked fine until about a week ago, when I deleted a user to preserved, then moved the user to the stage and tried to activate the user, and an error occurred.
The error is: - ERR - managed-entries-plugin - mep_add_managed_entry - Unable to add managed entry "cn=ittest1,cn=groups,cn=accounts,dc=example,dc=com" for origin entry "uid=ittest1,cn=users,cn=accounts,dc=example,dc=com" (Already exists).
I searched the problem and it turns out that the private group is created but the user is not, and the user is stuck at the stage users, and the only way to activate the user is by deleting the private group.
Thanks in advance
"NSS Certificate DB" certificate created in new directory after renewal, breaking httpd
by Thomas Kropeit
Over the weekend, my original "NSS Certificate DB" certificate expired. It was automatically renewed, however in a new location:
# ipa-getcert list
Number of certificates and requests being tracked: 10.
Request ID '20180929060059':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-PHYSEC-DE',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-PHYSEC-DE
certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-PHYSEC-DE',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.PHYSEC.DE
subject: CN=master.ipa.physec.de,O=IPA.PHYSEC.DE
expires: 2021-07-20 14:25:43 UTC
principal name: ldap/master.ipa.physec.de@IPA.PHYSEC.DE
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-PHYSEC-DE
track: yes
auto-renew: yes
Request ID '20180929060107':
status: MONITORING
ca-error: Unable to determine principal name for signing request.
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.PHYSEC.DE
subject: CN=master.ipa.physec.de,O=IPA.PHYSEC.DE
expires: 2019-08-17 12:45:50 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
I managed to restart the FreeIPA service by adding `NSSEnforceValidCerts off` to `/etc/httpd/conf.d/nss.conf`. But logging into the webinterface still yields the following error in httpd:
[Mon Aug 19 10:36:05.722736 2019] [:error] [pid 12798] ipa: INFO: 401 Unauthorized: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
[Mon Aug 19 10:36:05.723894 2019] [:error] [pid 12802] SSL Library Error: -12269 The server has rejected your certificate as expired
I have intentionally not copied the new certificate to `/etc/httpd/alias` as I am not aware of all the involved components and fear that this might break something.
My system is running a fully patched CentOS 7.6, running FreeIPA 4.6.4-10.el7.centos.6.
What should I do to resolve this issue, simply replacing the certificates, or is there a better method?
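The second request in the output above carries a ca-error and, unlike the dirsrv request, no `principal name:` line. The following is an added check, not from the poster or the FreeIPA project: it parses `ipa-getcert list` output and flags requests with a ca-error, a missing principal name or a certificate already expired at a given time. The sample is abridged from the output quoted in the post.

```python
"""Flag certmonger requests in `ipa-getcert list` output that will not renew cleanly."""
import re
from datetime import datetime

REQ_RE = re.compile(r"^\s*Request ID '(\d+)':")
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?): ?(.*)$")
# Abridged from the output quoted in the post; only the fields the check reads.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20180929060059':
    expires: 2021-07-20 14:25:43 UTC
    principal name: ldap/master.ipa.physec.de@IPA.PHYSEC.DE
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-PHYSEC-DE
Request ID '20180929060107':
    ca-error: Unable to determine principal name for signing request.
    expires: 2019-08-17 12:45:50 UTC
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
"""

def parse_getcert(text):
    """Map request ID -> {field: value} for each tracked request."""
    reqs, cur = {}, None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            cur = reqs.setdefault(m.group(1), {})
            continue
        m = KV_RE.match(line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2).strip()
    return reqs

def renewal_problems(text, now_utc):
    """Return {request_id: [issues]}: a ca-error, no principal name (the ca-error in
    the post is about exactly that), or a cert expired at now_utc ('YYYY-MM-DD HH:MM:SS')."""
    now = datetime.strptime(now_utc, "%Y-%m-%d %H:%M:%S")
    problems = {}
    for rid, f in parse_getcert(text).items():
        issues = []
        if f.get("ca-error"):
            issues.append("ca-error: " + f["ca-error"])
        if "principal name" not in f:
            issues.append("no principal name in tracking request")
        exp = f.get("expires", "")
        if exp and datetime.strptime(exp, "%Y-%m-%d %H:%M:%S UTC") <= now:
            issues.append("expired " + exp)
        if issues:
            problems[rid] = issues
    return problems
```

On a live server, pipe `ipa-getcert list` into renewal_problems with the current UTC time; a request flagged here is the one to inspect before copying certificates around by hand.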
FreeIPA v4.5.0 install lost topology suffixes
by Gavin Williams
Afternoon all
I’ve got a slightly strange one with one of our FreeIPA clusters, whereby the topology suffixes appear to have disappeared.
From what I can see, this is causing replication issues between the hosts, which is causing us issues with bootstrapping new clients against FreeIPA.
I’m not aware of any config changes that have happened on the FreeIPA hosts that could have caused this issue, so am a bit stumped atm.
Is someone able to advise next steps on how to investigate the cause and correct the configuration?
Regards
Gavin
python - ipalib, ipapython and ipaclient and virtual environment
by lune voo
Hello!
I'm trying to create a virtual environment using conda with python 2.6 and
I wanted to know if there was still a place to get the following python
modules related to ipa :
- ipalib
- ipapython
- ipaclient
I'm using an old version of ipa:
# rpm -qa | grep ipa
python-libipa_hbac-1.13.3-60.el6.x86_64
sssd-ipa-1.13.3-60.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-1.13.3-60.el6.x86_64
ipa-client-3.0.0-47.el6.x86_64
ipa-python-3.0.0-47.el6.x86_64
Is it possible to install the modules ipalib, ipapython and ipaclient for
this old version of ipa and python with pip or conda?
Thank you in advance for your help.
Best regards.
Lune.
build of 4.6.6 on centos
by lejeczek
hi guys
would you know if the above version should build on CentOS 7.6?
Or maybe it's officially not supported, as ./configure says:
....
checking supported IPA platform... configure: error: IPA platform centos
is not supported
many thanks, L.
Automounting homeshares partially stopped working
by Ronald Wimmer
Some days ago a strange problem struck us. When colleagues access a
server using an ipa-automounted share from a Windows client they can
log on to such a server using a Kerberos ticket but they cannot access
their NFS-automounted home-share anymore. When they log on with
username/password they can.
When I try the same from my linux client I do not encounter any problems
(using the same users as in the above scenario).
Where should I start digging in order to find out what is going wrong?
Cheers,
Ronald