Custom ssl cert for freeipa docker
by Leo O
Hello Guys,
I'm would like to use custom ssl certificates for http and ldap, I saw the following:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
But I wonder how would this be done when using freeipa in a docker/podman container. I mean the container is started with "--read-only" flag. So it's not clear to me what the correct approach here would be. I hope it's not that you have to re-build an own image with the ssl certificates every time?
Background Info: I'm using acme.sh in a VM, which creates my wildcard letsencrypt certificates and puts them on an nfs share. Freeipa should simply use that certificates for http and ldap and that's it. No renewing as this is done by the acme.sh VM itself.
9 months, 2 weeks
Visibility/access of Freeipa users to windows on trusted AD
by Francis Augusto Medeiros-Logeay
Hi,
I have searched this everywhere, but can't find it.
I want to grant access to a FreeIPA user to a Windows machine. When I
try to grant the user access on windows, adding it like
FREEIPADOMAIN\freeipauser, I get an error. There is a trust between both
domains, but every place where I see the trusted domain on Windows (for
example when configuring a GPO) I can't search for FreeIPA users.
Is this how it is supposed to be, or how can I see my FreeIPA users on
Windows the same way I see AD users on my freeipa linux clients?
Best,
Francis
--
Francis Augusto Medeiros-Logeay
Oslo, Norway
10 months
Cannot get rid of a replica/agreement
by lejeczek
Hi guys.
Two masters from which third got disconnected in a "dirty"
manner.
-> $ ipa-replica-manage del midway.ccn.priv.dom
Server removal aborted:
Replication topology in suffix 'domain' is disconnected:
Topology does not allow server love.ccn.priv.dom to
replicate with servers:
midway.ccn.priv.dom
Topology does not allow server midway.ccn.priv.dom to
replicate with servers:
love.ccn.priv.dom
punch.ccn.priv.dom
Topology does not allow server punch.ccn.priv.dom to
replicate with servers:
midway.ccn.priv.dom.
-> $ ipa topologysegment-find domain
-----------------
1 segment matched
-----------------
Segment name: punch.ccn.priv.dom-to-love.ccn.priv.dom
Left node: punch.ccn.priv.dom
Right node: love.ccn.priv.dom
Connectivity: both
----------------------------
Number of entries returned 1
-> $ ipa-replica-manage del midway.ccn.priv.dom --force
ipa: WARNING:
/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py:1973:
The subsystem in PKIConnection.__init__() has been
deprecated
(https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes).
Updating DNS system records
Not allowed on non-leaf entry
I've tried to 'reinitialize' but without success.
Anybody care to share suggestions & thoughts?
many thanks, L.
10 months, 2 weeks
Limiting access to GUI
by Entrepreneur AJ
Hey all,
I have a wan facing install due to many of my team operating with mobile phone hotspots whilst visiting customers.
An Issue I'm having is I want to restrict the GUI to only our admin team's IP address but editing the Apache Config with;
# webUI is now completely static, and served out of that directory
Alias /ipa/ui "/usr/share/ipa/ui"
<Directory "/usr/share/ipa/ui">
SetHandler None
AllowOverride None
Satisfy Any
Require all granted
ExpiresActive On
ExpiresDefault "access plus 1 year"
<FilesMatch "(index.html|loader.js|login.html|reset_password.html)">
ExpiresDefault "access plus 0 seconds"
</FilesMatch>
Order allow,deny
Allow from <ADMIN IP RANGE>
</Directory>
Is still allowing anyone with a browser to reach the IPA gui.
We have Keycloak in place for staff and users to update their passwords.
Any pointers? I would personally prefer to firewall it off but that effects other IPA features.
11 months
Do keytabs expire?
by Ronald Wimmer
Hi,
today I found out that some entries in a keytab file seemed to have expired:
Request ticket server HTTP/mwc.linux.mydomain.at(a)LINUX.MYDOMAIN.AT kvno
4 not found in keytab; keytab is likely out of date
Fetching the keytab again with ipa-getkeytab fixed the problem. But why
is this happening? Do keytab entries expire? I have not set any custom
password or ticket policies.
Regards,
Ronald
12 months
Disabled Domain fills IPA client sssd logs
by Ronald Wimmer
We do face the problem that we disabled a domain we do not need and that
this particular domain fills up sssd logs on the client side. Especially
sssd_nss.log. How could we possibly avoid this behavior?
Cheers,
Ronald
1 year
ipa-replica-install -- cannot get past [26/41]: creating DS keytab
by Jonathon Jenkins
Greetings,
I cannot get the ipa-replica-install to proceed past step 26/41 - creating DS keytab. I see the command that is to be run, and I can run that just fine before and after the ipa-replica-install command, and it creates the keytab. I am not sure how to proceed from here - the bug reports I see all pertain to earlier versions, and my files reflect those changes.
I have also tried running this with all manner of password flags, which are correct, but still getting insufficient access rights.
particulars:
centos 7 3.10.0-957.1.3.el7.x86_64
ipa-server-4.6.4-10.el7.centos.x86_64
ipa-common-4.6.4-10.el7.centos.noarch
ipa-server-common-4.6.4-10.el7.centos.noarch
ipa-client-4.6.4-10.el7.centos.x86_64
ipa-server-dns-4.6.4-10.el7.centos.noarch
ipa-client-common-4.6.4-10.el7.centos.noarch
* Note: anonymized output below
ipapython.ipautil: DEBUG stderr=
ipalib.backend: DEBUG Created connection context.ldap2_139891568509776
ipaserver.install.service: DEBUG duration: 7 seconds
ipaserver.install.service: DEBUG [26/41]: creating DS keytab
[26/41]: creating DS keytab
ipalib.frontend: DEBUG raw: service_add(u'ldap/<ipa-replica-host>@<domain>.NET', force=True, version=u'2.229')
ipalib.frontend: DEBUG service_add(ipapython.kerberos.Principal('ldap/<ipa-replica-host>@<domain>.NET'), force=True, all=False, raw=False, version=u'2.229', no_members=False)
ipalib.frontend: DEBUG raw: host_show(u'<ipa-replica-host>', version=u'2.229')
ipalib.frontend: DEBUG host_show(u'<ipa-replica-host>', rights=False, all=False, raw=False, version=u'2.229', no_members=False)
ipalib.install.sysrestore: DEBUG Backing up system configuration file '/etc/dirsrv/ds.keytab'
ipalib.install.sysrestore: DEBUG -> Not backing up - '/etc/dirsrv/ds.keytab' doesn't exist
ipapython.ipautil: DEBUG Starting external process
ipapython.ipautil: DEBUG args=/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>
ipapython.ipautil: DEBUG Process finished, return code=9
ipapython.ipautil: DEBUG stdout=
ipapython.ipautil: DEBUG stderr=Failed to parse result: Insufficient access rights
Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: Insufficient access rights
Failed to get keytab!
Failed to get keytab
ipaserver.install.service: DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 570, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 560, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1308, in request_service_keytab
super(DsInstance, self).request_service_keytab()
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 742, in request_service_keytab
self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 732, in run_getkeytab
ipautil.run(args, nolog=nolog)
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 562, in run
raise CalledProcessError(p.returncode, arg_string, str(output))
CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9
ipaserver.install.service: DEBUG [error] CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9
[error] CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9
ipalib.backend: DEBUG Destroyed connection context.ldap2_139891548583120
ipalib.install.sysrestore: DEBUG Backing up system configuration file '/etc/ipa/default.conf'
ipalib.install.sysrestore: DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipapython.admintool: DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run
return cfgr.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in run
return self.execute()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 389, in execute
for rval in self._executor():
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
next(executor)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 622, in main
replica_install(self)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 406, in decorated
func(installer)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1431, in install
fstore=fstore)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 113, in install_replica_ds
setup_pkinit=not options.no_pkinit,
File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 419, in create_replica
self.start_creation(runtime=30)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 570, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 560, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1308, in request_service_keytab
super(DsInstance, self).request_service_keytab()
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 742, in request_service_keytab
self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 732, in run_getkeytab
ipautil.run(args, nolog=nolog)
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 562, in run
raise CalledProcessError(p.returncode, arg_string, str(output))
ipapython.admintool: DEBUG The ipa-replica-install command failed, exception: CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9
ipapython.admintool: ERROR Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9
ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
1 year, 2 months
FreeIPA-Kubernetes Setup
by Ronald Wimmer
Hi,
are there any plans (or maybe ongoing work already) to let FreeIPA run
in a K8s environment?
Cheers,
Ronald
1 year, 2 months
Different results with search in replicas
by danila kuzovlev
Hi, I'm trynig to create centrlized authorization for my services with freeipa cluster in differnet locations. For some reasons I use base search in cn=compat tree for mapping users, but in different replcias result of same ldapsearch quiestions is different:
ldapsearch -h X.X.X.X -p 389 -b "cn=some_group,cn=groups,cn=compat,dc=example,dc=com" -s base -D "uid=binddn,cn=users,cn=accounts,dc=example,dc=com" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=some_group,cn=groups,cn=compat,dc=example,dc=com> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
ldapsearch -h Y.Y.Y.Y -p 389 -b "cn=some_group,cn=groups,cn=compat,dc=example,dc=com" -s base -D "uid=binddn,cn=users,cn=accounts,dc=example,dc=com" -W
# extended LDIF
#
# LDAPv3
# base <cn=some_group,cn=groups,cn=compat,dc=example,dc=com> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
# some-group, groups, compat, example.com
dn: some_group,cn=groups,cn=compat,dc=example,dc=com
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
gidNumber: 12345678
memberUid: user2
memberUid: user1
ipaAnchorUUID:: OklQQToyMS1zY2hvb2wucnU6YjI2ZTNkNjQtYWI5ZC0xMWVkLWE5NDUtMDA1MD
U2YWIxMDNl
cn: some_group
But, if I make search with "Subtree" cope to the first one, I can see entries in answer:
ldapsearch -h X.X.X.X -p 389 -b "cn=some_group,cn=groups,cn=compat,dc=example,dc=com" -s sub -D "uid=binddn,cn=users,cn=accounts,dc=example,dc=com" -W
# extended LDIF
#
# LDAPv3
# base <cn=some_group,cn=groups,cn=compat,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# some-group, groups, compat, example.com
dn: some_group,cn=groups,cn=compat,dc=example,dc=com
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
gidNumber: 12345678
memberUid: user2
memberUid: user1
ipaAnchorUUID:: OklQQToyMS1zY2hvb2wucnU6YjI2ZTNkNjQtYWI5ZC0xMWVkLWE5NDUtMDA1MD
U2YWIxMDNl
cn: some_group
I have 4 ipa-servers with vesrions 4.9.6 and 4.9.10.
This result I can see with a only one replica, with 4.9.6 vesrion. I try delete topology segment, reinstall ipa-replica - but it doesnt work.
Thanks.
1 year, 3 months
Configuration of server on DO droplet in Docker container and clients behind router's NAT
by Georgiy Odisharia
Hi there,
I know that it is not secure but I have exposed to the internet FreeIPA instance for uniform logging between all my machines. They're reside at my home network behind OpenWRT-based router (behind NAT). Public IP address of router is getting via ISP's DHCP.
I want to properly set up FreeIPA server in Docker container running on the DigitalOcean droplet, set up DNS entries in DigitalOcean panel, and properly set up client for allowing LDAP authentication (sssd.conf, krb5.conf and so on).
I don't know where to start and debug so if anybody will help me in general I would be highly appreciated.
1 year, 3 months