Let's Encrypt scripts for multiple principals and Web/LDAP
by Antonia Stevens
Hi,
Thought I should introduce myself and post a link to some recent work which
might be relevant for some of you.
My name is Antonia Stevens and I'm a DevOps Engineer and long time FreeIPA
user.
We recently had a need to get proper certs for IPA servers in AWS, which
means they have multiple IPs/DNS names/principals. Since I could not find
anything, I hacked together a couple of bash scripts to make it a bit easier.
https://github.com/antevens/letsencrypt-freeipa
Thanks for all the great work and depending on my schedule I might try to
contribute a bit more going forward.
Antonia Stevens
@antevens
a(a)antevens.com
https://github.com/antevens/
6 years, 1 month
IPA's NTP service
by Tibor Dudlák
Hello FreeIPA-devel list fellow beings!
I would like to continue the discussion started in [1], and find its
solution.
While using the Single-Sign-on authentication provided via an MIT Kerberos
KDC there must not be any significant clock skew between server and
clients so a time synchronization service is required.
Red Hat Enterprise Linux is about to deprecate ntpd service and will
support chronyd instead. This will happen in release 8 and by this time we
should agree on some changes in IPA - whether to remove or replace the already
used ntpd service. I would like to sum up this change in a design page but
there should be an agreement first.
IPA, as is, checks the system configuration and if there is an NTP service
configured and running then it forces ntpd, meaning it disables any other
NTP service. It also alters its configuration, and restarts the NTP service
instance.
We may now want to consider, as the time sync service change is required,
to NOT configure a service that is not a part of the identity management
such as NTP, and leave it to system/IPA administrators.
IPA install script may only check whether there is an NTP service running
and if not, it would ask the administrator to configure it before the IPA
installation.
Upgrade of IPA might be more complicated because there will be the ntpd
service entry in LDAP, and the service will be up and running. I would
suggest that we do not remove any working ntpd service already configured
but only disown it from IPA's LDAP tree.
I will be glad for any input from you people and hopefully there will be an
acceptable solution for this soon :)
Thanks!
[1]
https://www.redhat.com/archives/freeipa-devel/2016-November/msg00807.html
--
Tibor Dudlák
Identity management - FreeIPA
Brno, TPB-C, 2C407
Red Hat
6 years, 1 month
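The pre-install check proposed above, written out as an added example (hypothetical code, not FreeIPA's own): it accepts either chronyd or ntpd, parses a constructed `chronyc tracking` sample, and refuses to proceed when no time-sync service is running, when chronyd is not yet synchronised, or when the offset exceeds the MIT Kerberos default clock-skew tolerance of 300 seconds.

```python
import re
import subprocess

# MIT Kerberos rejects tickets whose timestamps differ from the KDC's clock by
# more than the clockskew tolerance, which defaults to 300 seconds.
MAX_SKEW_SECONDS = 300.0
# Services the check accepts; chronyd first, since it is the ntpd replacement.
TIME_SERVICES = ("chronyd", "ntpd")

# Constructed sample of `chronyc tracking` output (not captured from a real host).
SAMPLE_TRACKING = (
    "Reference ID    : C0A80001 (ntp.example.org)\n"
    "System time     : 0.000250000 seconds fast of NTP time\n"
    "Leap status     : Normal\n"
)


def running_time_service(is_active=None):
    """Return the first active time-sync unit, or None if none is running.
    is_active(unit) -> bool; the default asks systemd via `systemctl is-active`."""
    if is_active is None:
        def is_active(unit):
            cmd = ["systemctl", "is-active", "--quiet", unit]
            return subprocess.run(cmd, check=False).returncode == 0
    for unit in TIME_SERVICES:
        if is_active(unit):
            return unit
    return None


def chrony_offset_seconds(tracking_output):
    """Parse `chronyc tracking` output into a signed system-time offset in
    seconds (negative = clock is slow), or None if chronyd is not synchronised."""
    if re.search(r"Leap status\s*:\s*Not synchronised", tracking_output):
        return None
    m = re.search(r"System time\s*:\s*([\d.]+) seconds (slow|fast) of NTP time",
                  tracking_output)
    if not m:
        return None
    offset = float(m.group(1))
    return -offset if m.group(2) == "slow" else offset


def preflight(service, offset_seconds):
    """Decide whether the IPA installation may proceed. Returns (ok, reason)."""
    if service is None:
        return False, ("no NTP service is running; configure chronyd or ntpd "
                       "before installing IPA")
    if offset_seconds is None:
        return False, "%s is running but not yet synchronised" % service
    if abs(offset_seconds) > MAX_SKEW_SECONDS:
        return False, "clock is off by %.1fs, beyond the Kerberos skew limit" % offset_seconds
    return True, "%s is running, offset %.3fs" % (service, offset_seconds)


if __name__ == "__main__":
    print(preflight("chronyd", chrony_offset_seconds(SAMPLE_TRACKING)))
```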
[freeipa PR#1474][opened] Prepare migration of mod_nss NSSDB to sql format
by tiran
URL: https://github.com/freeipa/freeipa/pull/1474
Author: tiran
Title: #1474: Prepare migration of mod_nss NSSDB to sql format
Action: opened
PR body:
"""
This is a reduced version of PR #1458, just refactoring and additional SQL format support without an actual migration. These bits and pieces are useful for master and 4.6. The missing pieces are only relevant for 4.6 support on rawhide.
- Refactor CertDB to look up values from its NSSDatabase.
- Add run_modutil() helpers to support sql format. modutil does not
auto-detect the NSSDB format.
- Add migration helpers to CertDB.
- Restore SELinux context when migrating NSSDB.
- Add some debugging and sanity checks to httpinstance.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1474/head:pr1474
git checkout pr1474
6 years, 2 months
[freeipa PR#1449][opened] WIP: Switch from mod_nss to mod_ssl
by rcritten
URL: https://github.com/freeipa/freeipa/pull/1449
Author: rcritten
Title: #1449: WIP: Switch from mod_nss to mod_ssl
Action: opened
PR body:
"""
New installs using an IPA CA should work
Upgrades should work
Not tested and some known to not work:
- CA-less install
- promoting a replica
- promoting a replica CA-less
- backup and restore (particularly edge cases like restoring from a mod_nss backup)
This PR is meant to obtain status of current patches and as a jumping-off point to finish the rest of the transition.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1449/head:pr1449
git checkout pr1449
6 years, 2 months