upgrade to FreeIPA 4.7+ from 4.6
by Ivars Strazdins
Hello,
I am planning FreeIPA servers’ upgrade from CentOS 7 with FreeIPA 4.6.8 to Alma Linux 8.5.
Can I just take out replicas one by one and install fresh Alma Linux, then add back with latest FreeIPA on that replica?
Or do I have to take some special precautions?
If FreeIPA version compatibility is not a concern, perhaps it is even possible to do an in-place upgrade with ELevate <https://wiki.almalinux.org/elevate/> (Leapp utility)?
Thank you in advance,
Ivars Strazdins
2 years, 1 month
Unable to create AD trust
by Jeremy Tourville
Hello
I am running CentOS 7.9
FreeIPA 4.6.8
Installed with integrated DNS and CA
A replica will be installed after the trust is established with the AD domain.
When trying to create a trust with AD I get the following error message (it seems to be somewhat random, but goes back and forth between these two):
Fetching domains from trusted forest failed
OR
ipa: ERROR: cannot connect to 'https://<server>/ipa/session/json': Gateway Timeout
I have done the following to troubleshoot:
- disable SELinux, which makes no difference
- check firewall ports. For your reference, I have the following defined:
services: freeipa-ldap, freeipa-ldaps, http, https, kerberos, ntp, dns, ssh
ports: 749/tcp, 7389/tcp, 8005/tcp, 8009/tcp
- check DNS; it all verifies properly according to section 5.2.1.2 of https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
- enabled debugging per https://www.freeipa.org/page/Active_Directory_trust_setup#Establish_and_v...
- disabled DNSSEC per https://access.redhat.com/solutions/2263991
I do see something of interest in the error_log but I am not sure if this is the problem.
wsgi:error Timeout when reading response headers from daemon process 'ipa': /usr/share/ipa/wsgi.py
ipa: ERROR: Failed to call com.redhat.idm.trust.fetch_domains helper. DBus exception is org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
ipa: ERROR: Helper fetch_domain was called for forest <forest_name_here>, return code is 2
Any assistance you can provide is appreciated!
2 years, 1 month
How to retrieve user's credentials from IPA database?
by Roger Seguin
We have a GUI-based computer program that drives an external device/machine.
By default our software only displays limited information on that external device.
However, when a power user (group defined in /etc) identifies themselves by entering their credentials through our software GUI, our software then checks those credentials against /etc/shadow using crypt() and getspnam() and, if successful, provides extra functions for configuring our external device/machine.
Actually, our software runs on several networked computers and our users, which are all local (defined in /etc), are duplicated on each computer.
This is not ideal and we would rather like to have all users managed by IPA in a central place (dedicated computer as the IPA server) with our software running in IPA clients. Therefore, our software won't be able to check users' credentials using the local /etc/shadow file anymore.
Basically, we would need to be able to query IPA programmatically (C language - or at least a shell script) to check that a username+password is correct.
How can we proceed?
Thanks
2 years, 1 month
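One way to do what the post asks, added here as an example and not something from the thread: validate a login against the IPA directory with an LDAP simple bind over LDAPS. On an enrolled IPA client, calling PAM (pam_authenticate) lets SSSD do this for the program and is the simpler route; this block shows the directory-level check for a program that talks to IPA directly. It assumes the standard IPA user DN layout uid=<login>,cn=users,cn=accounts,<base DN>, LDAPS on port 636, and the CA file an enrolled client has at /etc/ipa/ca.crt; the hand-written BER encoder covers only the bind request and response.

```python
import re
import socket
import ssl
def _ber_len(n):
    if n < 0x80:                       # BER short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body   # BER long form

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _read_tlv(data, i):
    # (tag, value, index after the element) for the TLV that starts at data[i]
    tag, first = data[i], data[i + 1]
    if first & 0x80:
        n = first & 0x7F
        length, start = int.from_bytes(data[i + 2:i + 2 + n], "big"), i + 2 + n
    else:
        length, start = first, i + 2
    return tag, data[start:start + length], start + length

def build_simple_bind(msg_id, dn, password):
    # LDAPMessage{ messageID, BindRequest [APPLICATION 0]{ version 3, name, simple [0] pw } }
    bind = _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))  # msg_id < 128

def parse_bind_result(data):
    # BindResponse [APPLICATION 1]{ resultCode ENUMERATED, matchedDN, diagnosticMessage }
    tag, msg, _ = _read_tlv(data, 0)
    _, _msgid, i = _read_tlv(msg, 0)
    rtag, resp, _ = _read_tlv(msg, i)
    if tag != 0x30 or rtag != 0x61:
        raise ValueError("not an LDAP BindResponse")
    _, code, _ = _read_tlv(resp, 0)
    return int.from_bytes(code, "big")  # 0 = success, 49 = invalidCredentials

def valid_uid(user):
    # reject anything that could alter the DN built below; a conservative subset of IPA login characters
    return re.fullmatch(r"[A-Za-z0-9_.][A-Za-z0-9_.-]*", user) is not None

def check_credentials(host, base_dn, user, password, cafile="/etc/ipa/ca.crt"):
    # RFC 4513: an empty password is an *unauthenticated* bind that succeeds, so refuse it here
    if not password or not valid_uid(user):
        return False
    dn = f"uid={user},cn=users,cn=accounts,{base_dn}"
    ctx = ssl.create_default_context(cafile=cafile)  # IPA CA as installed on an enrolled client
    with socket.create_connection((host, 636), timeout=5) as raw, ctx.wrap_socket(raw, server_hostname=host) as s:
        s.sendall(build_simple_bind(1, dn, password))
        return parse_bind_result(s.recv(4096)) == 0
```

The function treats every non-zero result as a failure; when instrumenting it, log the result code as well, since invalid credentials and a locked or inactivated account come back with different codes.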
possible to auth FreeIPA users against another LDAP server?
by Jarett DeAngelis
Hi everyone,
I am trying (with great difficulty!) to do authn/authz both for an HPC cluster and a number of other Linux machines against our Okta directory service. Okta offers their "Advanced Server Access" product, which is *bonkers* expensive for the ~6 or 7 machines we need to auth with at $10K a year, and Aquera has a plugin for FreeIPA they maintain which will auth FreeIPA against Okta for another $10K a year. This is a small HPC lab and we're just trying to avoid as much credential proliferation as we can.
My hope is that FreeIPA can be configured to auth against Okta's "built in" LDAP service, which is fairly minimal but will validate passwords and return some basic information in response to queries like group membership. Then I can join machines to FreeIPA, which will in turn auth against Okta to allow users to log in. Is this possible?
Thanks!
2 years, 1 month
ERR - log_result - Internal unindexed search
by Kathy Zhu
Happy Monday, List!
On my IPA server, top shows dirsrv using lots of resources; when checking, I found this:
[root@ipa2 ~]# systemctl status dirsrv@EXAMPLE-COM.service -l
...
Mar 28 09:29:56 ipa2.example.com ns-slapd[1945]: [28/Mar/2022:09:29:56.142846906 -0700] - NOTICE - ldbm_back_search - Internal unindexed search: source (cn=server,cn=plugins,cn=config) search base="cn=changelog" scope=2 filter="(&(changenumber>=-1)(targetuniqueid=7315af86-7b1911e8-83e6fb86-bfdbf4a5))" conn=0 op=0
Mar 28 09:31:14 ipa2.example.com ns-slapd[1945]: [28/Mar/2022:09:31:14.176933263 -0700] - ERR - log_result - Internal unindexed search: source (cn=server,cn=plugins,cn=config) search base="cn=changelog" filter="(&(changenumber>=-1)(targetuniqueid=7315af86-7b1911e8-83e6fb86-bfdbf4a5))" etime=78.977553767 nentries=459824 notes=A
Mar 28 09:31:23 ipa2.example.com ns-slapd[1945]: [28/Mar/2022:09:31:23.311185621 -0700] - NOTICE - ldbm_back_search - Internal unindexed search: source (cn=server,cn=plugins,cn=config) search base="cn=changelog" scope=2 filter="(&(changenumber>=-1)(targetuniqueid=7315af86-7b1911e8-83e6fb86-bfdbf4a5))" conn=0 op=0
...
Googled and found this bug -
https://bugzilla.redhat.com/show_bug.cgi?id=1951020
However, the bug is for Red Hat 8.3 while we are on CentOS 7.9:
CentOS Linux release 7.9.2009 (Core)
ipa-server.x86_64 4.6.8-5.el7.centos.7
slapi-nis.x86_64 0.56.5-3.el7_9
389-ds-base.x86_64 1.3.10.2-12.el7_9
389-ds-base-libs.x86_64 1.3.10.2-12.el7_9
Any idea of what's going on and how to fix it?
Thanks!
Kathy.
2 years, 1 month
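A small triage script for entries like the ones above, added here as an example rather than anything from the thread: it parses the "Internal unindexed search" lines from the 389-ds errors log, pulls out the search base and the attributes used in the filter, and reports how many completed searches and the worst etime/nentries were seen per filter. That is the data to have in hand before working out whether the referenced bug matches or an index on those attributes is what is missing. The sample lines are constructed from the entries quoted in the post, unwrapped to one line each as ns-slapd writes them.

```python
import re
from collections import defaultdict
# Constructed sample: the entries quoted in the post, unwrapped to one line each as
# ns-slapd writes them to /var/log/dirsrv/slapd-INSTANCE/errors, plus one extra ERR line.
SAMPLE_ERRORS_LOG = """\
[28/Mar/2022:09:29:56.142846906 -0700] - NOTICE - ldbm_back_search - Internal unindexed search: source (cn=server,cn=plugins,cn=config) search base="cn=changelog" scope=2 filter="(&(changenumber>=-1)(targetuniqueid=7315af86-7b1911e8-83e6fb86-bfdbf4a5))" conn=0 op=0
[28/Mar/2022:09:31:14.176933263 -0700] - ERR - log_result - Internal unindexed search: source (cn=server,cn=plugins,cn=config) search base="cn=changelog" filter="(&(changenumber>=-1)(targetuniqueid=7315af86-7b1911e8-83e6fb86-bfdbf4a5))" etime=78.977553767 nentries=459824 notes=A
[28/Mar/2022:09:31:23.311185621 -0700] - NOTICE - ldbm_back_search - Internal unindexed search: source (cn=server,cn=plugins,cn=config) search base="cn=changelog" scope=2 filter="(&(changenumber>=-1)(targetuniqueid=7315af86-7b1911e8-83e6fb86-bfdbf4a5))" conn=0 op=0
[28/Mar/2022:09:32:41.000000000 -0700] - ERR - log_result - Internal unindexed search: source (cn=server,cn=plugins,cn=config) search base="cn=changelog" filter="(&(changenumber>=-1)(targetuniqueid=7315af86-7b1911e8-83e6fb86-bfdbf4a5))" etime=81.5 nentries=459830 notes=A
"""

# NOTICE/ldbm_back_search is logged when the search starts, ERR/log_result when it
# finishes; only the latter carries the cost fields (etime, nentries, notes=A).
ENTRY_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - (?P<level>NOTICE|ERR) - (?P<func>\S+) - '
    r'Internal unindexed search: source \((?P<source>[^)]+)\) search '
    r'base="(?P<base>[^"]*)"(?: scope=(?P<scope>\d+))? filter="(?P<filter>[^"]*)"'
    r'(?: etime=(?P<etime>[\d.]+) nentries=(?P<nentries>\d+) notes=(?P<notes>\w+))?'
)
# attribute name in front of =, >=, <= or ~= inside the filter
ATTR_RE = re.compile(r'\(([A-Za-z][\w.;-]*)[<>~]?=')

def parse_unindexed(lines):
    """Yield one dict per 'Internal unindexed search' entry; unrelated lines are skipped."""
    for line in lines:
        m = ENTRY_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["attrs"] = tuple(sorted(set(ATTR_RE.findall(e["filter"]))))
        e["etime"] = float(e["etime"]) if e["etime"] else None
        e["nentries"] = int(e["nentries"]) if e["nentries"] else None
        yield e

def summarize(lines):
    """Per (search base, filter attributes): completed searches and the worst cost seen."""
    stats = defaultdict(lambda: {"source": None, "count": 0, "max_etime": 0.0, "max_nentries": 0})
    for e in parse_unindexed(lines):
        s = stats[(e["base"], e["attrs"])]
        s["source"] = e["source"]
        if e["etime"] is not None:  # count each search once, from its completion record
            s["count"] += 1
            s["max_etime"] = max(s["max_etime"], e["etime"])
            s["max_nentries"] = max(s["max_nentries"], e["nentries"])
    return dict(stats)

if __name__ == "__main__":
    for (base, attrs), s in summarize(SAMPLE_ERRORS_LOG.splitlines()).items():
        print(f'{base}: attrs={",".join(attrs)} by {s["source"]}: {s["count"]} searches, '
              f'worst etime={s["max_etime"]}s over {s["max_nentries"]} entries')
```

Feed it the real file with `summarize(open("/var/log/dirsrv/slapd-INSTANCE/errors"))`; a filter that recurs with a large nentries is the one to take to the bug report or to the index configuration.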
Re: Error "IPA Error 4002: DuplicateEntry"
by Charles P
Hi Florence, I really appreciate your help so far, however I'm still not getting anywhere trying to fix this issue. I have the audit fail log enabled but after going through pages and pages of logs for days I can't find any cause for the error. I think I'll just need to cut my losses and reinstall and start from scratch. :(
Thanks
Charles
On Sat, 12 Mar 2022 at 01:10, Florence Blanc-Renaud <flo@redhat.com> wrote:
>
> Hi,
>
> in order to log failing operations in the audit log, you need to configure nsslapd-auditfaillog-logging-enabled: on in the entry cn=config, please see https://access.redhat.com/documentation/en-us/red_hat_directory_server/11...
>
> flo
>
> On Fri, Mar 11, 2022 at 12:15 AM Charles P <pillarama@gmail.com> wrote:
>>
>> Hi
>> >Just a note: can you confirm that the messages are in the error log
>> (/var/log/dirsrv/slapd-DOMAIN/errors), not in the audit
>> (/var/log/slapd-<DOMAIN>/audit)?
>> Correct - those messages were in /var/log/dirsrv/slapd-DOMAIN/errors.
>>
>> >Those messages are normal and can also be seen on my instance (without any schema extension).
>> Ok good to know, thanks.
>>
>> For some reason the Audit log doesn't seem to get _any_ messages at
>> all when I try to create a new user, however when I change the error
>> log logging level I do get messages in the audit log like below - so
>> the logfile seems to be working:
>>
>> /var/log/dirsrv/slapd-[DOMAIN]-NET/audit
>> -----------------------8<------------------------------------
>> time: 20220311092419
>> dn: cn=config
>> result: 0
>> changetype: modify
>> replace: nsslapd-errorlog-level
>> nsslapd-errorlog-level: 128
>> -
>> replace: modifiersname
>> modifiersname: cn=directory manager
>> -
>> replace: modifytimestamp
>> modifytimestamp: 20220310225419Z
>> -
>> -----------------------8<------------------------------------
>>
>> >Aren't there any additional logs after those messages? What is in /var/log/dirsrv/slapd-<DOMAIN>/audit if you enable audit log?
>> Not when I try to create a new user, no.
>> Here's the settings matching "audit" - is there a log "level" setting
>> for the audit log, or is it just "on" and "off"? Have I enabled audit
>> logging correctly?
>>
>> nsslapd-auditlog-mode: 600
>> nsslapd-auditlog-logrotationsync-enabled: off
>> nsslapd-auditlog-logrotationsynchour: 0
>> nsslapd-auditlog-logrotationsyncmin: 0
>> nsslapd-auditlog-logrotationtime: 1
>> nsslapd-auditlog-logmaxdiskspace: 100
>> nsslapd-auditlog-maxlogsize: 100
>> nsslapd-auditlog-logexpirationtime: 1
>> nsslapd-auditlog-logrotationtimeunit: week
>> nsslapd-auditlog-maxlogsperdir: 2
>> nsslapd-auditlog-logging-enabled: on
>> nsslapd-auditlog-logging-hide-unhashed-pw: on
>> nsslapd-auditlog-logexpirationtimeunit: month
>> nsslapd-auditlog-logminfreediskspace: 5
>> nsslapd-auditlog: /var/log/dirsrv/slapd-[DOMAIN]-NET/audit
>> nsslapd-auditfaillog-mode: 600
>> nsslapd-auditfaillog-logrotationsync-enabled: off
>> nsslapd-auditfaillog-logrotationsynchour: 0
>> nsslapd-auditfaillog-logrotationsyncmin: 0
>> nsslapd-auditfaillog-logrotationtime: 1
>> nsslapd-auditfaillog-logmaxdiskspace: 100
>> nsslapd-auditfaillog-maxlogsize: 100
>> nsslapd-auditfaillog-logexpirationtime: 1
>> nsslapd-auditfaillog-maxlogsperdir: 2
>> nsslapd-auditfaillog-logging-enabled: off
>> nsslapd-auditfaillog-logging-hide-unhashed-pw: on
>> nsslapd-auditfaillog-logexpirationtimeunit: month
>> nsslapd-auditfaillog-logminfreediskspace: 5
>> nsslapd-auditfaillog-logrotationtimeunit: week
>> nsslapd-auditfaillog: /var/log/dirsrv/slapd-[DOMAIN]-NET/audit
>> nsslapd-auditlog-list: /var/log/dirsrv/slapd-[DOMAIN]-NET/audit.20211228-1609
>> nsslapd-auditfaillog-list:
>>
>> Thanks again! Really appreciate your time and support.
>>
2 years, 1 month
httpd service failed when Configuring Let's Encrypt Certificate
by GAURAV Pande
Hi Team,
FreeIPA server version: 4.6.8
I was trying to secure freeipa-server with a Let's Encrypt SSL certificate, and in the middle of the process I noticed that httpd suddenly failed. I am listing the steps that I followed so far (not complete, as httpd died in between).
I am fairly new to FreeIPA, so I would appreciate some help or guidance here. Thanks
1. Took a backup of /var/lib/ipa/
2. Made a directory: mkdir freeipa-certs
3. cd freeipa-certs
4. Ran the following to fetch the Let's Encrypt CA certificates:
CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
for CERT in "${CERTS[@]}"
do
curl -o "$CERT" "https://letsencrypt.org/certs/$CERT"
done
5. Install Let’s Encrypt CA certificates into FreeIPA certificate store:
CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
for CERT in "${CERTS[@]}"
do
ipa-cacert-manage install "$CERT"
done
######## Output of step 5 #########
Installing CA certificate, please wait
Verified CN=ISRG Root X1,O=Internet Security Research Group,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=ISRG Root X2,O=Internet Security Research Group,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=R3,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=E1,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=R4,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=E2,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
############################################
6. Update local IPA certificate databases with certificates from the server:
sudo ipa-certupdate
At the step below, httpd seems to fail:
############# Output of Step 6 ##################################
[gp185132@idm canary-freeipa-certs]$ sudo ipa-certupdate
trying https://idm.ncrcanary.apibox.ml/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://idm.ncrcanary.apibox.ml/ipa/json'
trying https://idm.ncrcanary.apibox.ml/ipa/session/json
[try 1]: Forwarding 'ca_is_enabled/1' to json server 'https://idm.ncrcanary.apibox.ml/ipa/session/json'
[try 1]: Forwarding 'ca_find/1' to json server 'https://idm.ncrcanary.apibox.ml/ipa/session/json'
Command '/bin/systemctl restart httpd.service' returned non-zero exit status 1
###########################################################
2 years, 1 month
no clients records for a zones outside of the domain - ?
by lejeczek
Hi guys
Successful client installation on hosts with an FQDN different from the main domain should result in IPA creating A records, right?
The 'hosts' entries are there for such new clients, but there are no A records in that "outside" zone.
many thanks, L.
2 years, 2 months