About using group-find in python
by lune voo
Hello everyone.
I'm trying to perform the equivalent of an ipa group-find command directly
in python.
So I use the api.Command :
api.Command[command](**params)
What I would like to know is which parameter I should use if I am searching
for groups whose name ends with the string "_toto"?
Best regards.
Lune
5 years, 7 months
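As an added example (not from the post, and not FreeIPA's own code): the ipalib call that corresponds to the CLI `ipa group-find`, followed by the suffix test done client-side. It assumes the result shape ipalib returns (a dict with a `result` list of entries, each attribute being a list of values), that the positional criterion of group-find is a substring search exactly as on the CLI, and that the `sizelimit` keyword mirrors the CLI `--sizelimit` option; the sample result is constructed.

```python
# Added example. The server-side search is a substring match, so the
# exact "ends with" condition is applied locally to the returned entries.

def group_names(result):
    """Extract group names from a group_find result.

    ipalib returns {'result': [entry, ...], 'count': n, ...}, and every
    attribute of an entry is a list of values, so 'cn' is a list too."""
    return [cn for entry in result["result"] for cn in entry.get("cn", [])]


def groups_ending_with(result, suffix):
    """Narrow a substring match down to an exact suffix match."""
    return sorted(cn for cn in group_names(result) if cn.endswith(suffix))


def find_groups_by_suffix(api, suffix):
    # The positional criterion of group-find is a substring search, so
    # asking for "_toto" also returns e.g. "x_toto_archive"; the exact
    # suffix test happens on the client.  sizelimit=0 lifts the default
    # search size limit (assumption: same meaning as the CLI --sizelimit).
    result = api.Command.group_find(suffix, sizelimit=0)
    return groups_ending_with(result, suffix)


# Constructed sample in the shape ipalib returns (not real directory data).
SAMPLE_RESULT = {
    "count": 3,
    "truncated": False,
    "result": [
        {"cn": ["dev_toto"], "gidnumber": ["1001"]},
        {"cn": ["x_toto_archive"], "gidnumber": ["1002"]},
        {"cn": ["admins_toto"], "gidnumber": ["1003"]},
    ],
}

if __name__ == "__main__":
    # Standard client-side bootstrap of the ipalib API; needs a valid
    # Kerberos ticket (kinit) for the RPC connection.
    from ipalib import api
    api.bootstrap(context="cli")
    api.finalize()
    api.Backend.rpcclient.connect()
    print(find_groups_by_suffix(api, "_toto"))
```

The `truncated` flag in the result is worth checking on a large directory: when the server's size limit cut the search short, the suffix filter silently misses groups, which is why the example passes `sizelimit=0`.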
Cannot import certificate signed by MS-CA - subject mismatch
by Peter Tselios
Hello,
I want to use the company's MS-CA as the single CA and thus I had to change the FreeIPA certificate.
The process was smooth until the point of importing the certificate in the FreeIPA.
I got this:
===============================================
ipa-cacert-manage renew --external-cert-file=./ms-crt.pem
Importing the renewed CA certificate, please wait
Subject name encoding mismatch (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.
===============================================
The documentation is very clear: FreeIPA issues CSRs in UTF8.
The MS-CA uses PRINTABLESTRING in the subject and the issuer.
The MS admins/engineers do not want to change this to UTF8, so I am a little bit stuck here.
Is there any way to configure FreeIPA to issue the CSR in PRINTABLESTRING and import it?
Or is UTF8 the only format FreeIPA accepts?
5 years, 7 months
issues while switching to other root CA
by Wim Vinckier
Hi All,
We are using our own (self-signed) root CA for our installations. We just
started to use ipa and after exploring the possibilities we want to switch
to the root CA we normally use. According to [1] it should be done using
these instructions [2]. When we try to renew the certificate we get this
error:
[root@ipa ~]# ipa-cacert-manage renew --external-cert-file=/root/Certificate_Authority.pem --external-cert-file=root.cert
Importing the renewed CA certificate, please wait
CA certificate chain in /root/Certificate_Authority.pem, root.cert is incomplete: missing certificate with subject 'CN=Example SCRL'
The ipa-cacert-manage command failed.
When we check the subject of the file, it seems to be correct to me:
[root@ipa ~]# openssl x509 -noout -subject -in /root/root.cert
subject= /CN=Example SCRL
Is there anyone who can help me with this?
Kind regards,
wim vinckier.
[1]
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
[2]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
--
I would love to change the world, but they won't give me the source code.
5 years, 7 months
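Both this thread and Peter's "Subject name encoding mismatch" thread above come down to how the distinguished names in the certificates are encoded. As an added example (not from either post, and not code from FreeIPA or the MS CA), here is a dependency-free DER walker that reports which ASN.1 string type each subject/issuer attribute uses (PrintableString vs UTF8String) and checks whether a CA bundle is complete, i.e. whether every issuer DN appears as some certificate's subject DN. The comparison is on the encoded DN bytes, so the same text encoded as PrintableString in one certificate and UTF8String in another counts as a missing issuer. The sample certificates are constructed skeletons (unsigned TBSCertificates with only the fields the walker reads); the "Example SCRL" and "Certificate Authority" names are taken from the two posts.

```python
# Added example: minimal DER parsing for X.509 Name encodings and chain
# completeness. Input is DER (openssl x509 -in cert.pem -outform DER).

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
             "2.5.4.10": "O", "2.5.4.11": "OU"}
TAG_NAMES = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "TeletexString",
             0x16: "IA5String", 0x1E: "BMPString"}
OID_BYTES = {"CN": b"\x55\x04\x03", "O": b"\x55\x04\x0a"}   # for the samples below

def der_tlv(tag, body):
    """Encode one DER tag-length-value (used to build the sample input)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:                                   # long-form length
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def parse_tlv(buf, off=0):
    """Decode the TLV at buf[off]; return (tag, body, offset after it)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                            # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[off:off + k], "big")
        off += k
    return tag, buf[off:off + n], off + n

def children(body):
    """Split the body of a SEQUENCE/SET into its (tag, body) elements."""
    out, off = [], 0
    while off < len(body):
        tag, val, off = parse_tlv(body, off)
        out.append((tag, val))
    return out

def decode_oid(body):
    arcs, cur = [], 0
    for b in body:                          # base-128 arcs
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])

def name_attributes(name_der):
    """[(attribute, string type, text)] for each AttributeTypeAndValue in a Name."""
    out = []
    for _, rdn in children(parse_tlv(name_der)[1]):        # each RDN is a SET
        for _, atv in children(rdn):                       # each ATV is a SEQUENCE
            (_, oid), (vtag, val) = children(atv)[:2]
            attr = decode_oid(oid)
            out.append((OID_NAMES.get(attr, attr), TAG_NAMES.get(vtag, hex(vtag)),
                        val.decode("utf-8", "replace")))
    return out

def pretty_name(name_der):
    return ", ".join(f"{a}={v}" for a, _, v in name_attributes(name_der))

def cert_names(cert_der):
    """(issuer Name DER, subject Name DER) of a DER certificate."""
    tbs = children(parse_tlv(cert_der)[1])[0][1]           # TBSCertificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:                                # optional [0] version
        fields = fields[1:]
    # then: serialNumber, signature AlgorithmIdentifier, issuer, validity, subject
    issuer, subject = fields[2], fields[4]
    return der_tlv(*issuer), der_tlv(*subject)

def missing_issuers(certs_der):
    """Issuer DNs that no certificate in the bundle carries as its subject DN."""
    names = [cert_names(c) for c in certs_der]
    subjects = {s for _, s in names}
    return sorted({pretty_name(i) for i, _ in names if i not in subjects})

# --- constructed sample certificates: unsigned TBSCertificate skeletons ---
def make_name(parts, string_tag):
    rdns = b"".join(der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, OID_BYTES[a]) +
                                            der_tlv(string_tag, v.encode())))
                    for a, v in parts)
    return der_tlv(0x30, rdns)

def make_cert(issuer_der, subject_der):
    tbs = (der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
           + der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
           + issuer_der
           + der_tlv(0x30, der_tlv(0x17, b"180101000000Z") + der_tlv(0x17, b"280101000000Z"))
           + subject_der)
    return der_tlv(0x30, der_tlv(0x30, tbs))

ROOT_SUBJECT = make_name([("CN", "Example SCRL")], 0x13)            # PrintableString
IPA_SUBJECT = make_name([("O", "EXAMPLE.COM"), ("CN", "Certificate Authority")], 0x0C)
ROOT_CERT = make_cert(ROOT_SUBJECT, ROOT_SUBJECT)
IPA_CERT_OK = make_cert(ROOT_SUBJECT, IPA_SUBJECT)
# same issuer text, but encoded as UTF8String: byte-wise a different DN
IPA_CERT_MISMATCH = make_cert(make_name([("CN", "Example SCRL")], 0x0C), IPA_SUBJECT)
```

On a real bundle, convert each PEM certificate to DER first and pass the byte strings to `missing_issuers`; `openssl asn1parse -i -in cert.pem` prints the same PRINTABLESTRING/UTF8STRING tags for a quick manual look. The walker reads only the fields before `subject` and does no signature checking, which is deliberate: it answers the one question these two error messages raise, namely whether the DNs match byte for byte.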
CSR misses Country information
by Peter Tselios
Hello,
I generated a CSR from the CLI in order to be signed by an MS-CA.
The MS-CA complains about missing country information, which is a mandatory field.
I checked the CSR and the subject line is:
subject=O = INMLXD.EXAMPLE.COM, CN = Certificate Authority
So, no country, no city, nothing.
How do I add that information in FreeIPA? What is the configuration file used by the cert part of it?
5 years, 7 months
Web UI always in self service mode no matter what role a user belongs to
by kwtygrys
Hi
I am running Freeipa 4.5.4 on a Centos 7 server. I created a few users hradmin, itadmin, secadmin and assigned them to the built-in special roles User Administrator, IT Specialist and IT Security Specialist respectively. However, every time I try to access the Web UI as one of those users I always get the Web UI in self-service mode, i.e. I cannot take advantage of the privileges/permissions these users have. I only get the Web UI administration mode when logging in as admin.
Is there anything I am missing in terms of configuration?
Regards
Kristof
5 years, 7 months
Auth issue on a specific service
by Sylvain Coutant
Hi list,
I'm pretty new to FreeIPA, playing with it for a few weeks only. I lack
some troubleshooting experience and I'm currently stuck on a weird issue.
We installed 3 servers, each linked with the two others. We have about
Linux servers and Linux workstations enrolled. The servers manage rights
for several services, including an OpenVPN gateway.
OpenVPN is configured to auth through PAM, using a service named
"vpn-users". HBAC rules allow legitimate users to authenticate or not
against this service.
/etc/pam.d/vpn-users:
@include common-account
Everything was fine until I had to change my password because of expiration
... Since I changed it, I experience weird behavior. I'm admin, and HBAC
allows anything to me. For resilience, I'm also a member of the authorized
vpn-users group. No change was made on the IPA servers at all besides normal
user configuration.
Now, I can no longer auth on our 'vpn-users' service. All other users are
fine.
On the VPN server (Ubuntu 18.04), /var/log/auth.log :
Sep 19 13:41:46 stgi-01 openvpn[2676]: pam_sss(vpn-users:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=xxx
Sep 19 13:41:46 stgi-01 openvpn[2676]: pam_sss(vpn-users:auth): received for user xxx: 17 (Failure setting user credentials)
On the IPA servers (CentOS 7):
Sep 19 15:57:00 ds-01.auth.example.com krb5kdc[1451](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) x.x.x.x: NEEDED_PREAUTH: xxx(a)AUTH.EXAMPLE.COM for krbtgt/AUTH.EXAMPLE.COM(a)AUTH.EXAMPLE.COM, Additional pre-authentication required
Sep 19 15:57:00 ds-01.auth.example.com krb5kdc[1451](info): closing down fd 11
Sep 19 15:57:00 ds-01.auth.example.com krb5kdc[1452](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) x.x.x.x: NEEDED_PREAUTH: xxx(a)AUTH.EXAMPLE.COM for krbtgt/AUTH.EXAMPLE.COM(a)AUTH.EXAMPLE.COM, Additional pre-authentication required
Sep 19 15:57:00 ds-01.auth.example.com krb5kdc[1452](info): closing down fd 11
Sep 19 15:57:00 ds-01.auth.example.com krb5kdc[1451](info): preauth (encrypted_challenge) verify failure: Incorrect password in encrypted challenge
Sep 19 15:57:00 ds-01.auth.example.com krb5kdc[1451](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) x.x.x.x: PREAUTH_FAILED: xxx(a)AUTH.EXAMPLE.COM for krbtgt/AUTH.EXAMPLE.COM(a)AUTH.EXAMPLE.COM, Incorrect password in encrypted challenge
Sep 19 15:57:00 ds-01.auth.example.com krb5kdc[1451](info): closing down fd 11
IPA server packages:
ipa-common.noarch 0:4.5.4-10.el7.centos.3
ipa-server.x86_64 0:4.5.4-10.el7.centos.3
ipa-server-common.noarch 0:4.5.4-10.el7.centos.3
ipa-server-dns.noarch 0:4.5.4-10.el7.centos.3
Guess what ? Whatever it says, the password I use for this auth should be
right ... ;)
I tried to force cache invalidation everywhere (OpenVPN server, all IPAs)
using sss_cache -E. All servers were even rebooted ! I also changed my
password again. Nothing helped. I have access to all other services that
authenticate against the IPAs (sudo, su, xdm login, etc.) using that password.
This service is the only one that sucks.
Could anyone around help us understand what's going on ? I miss that VPN
access ;)
Thanks in advance folks !
5 years, 7 months
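The krb5kdc lines in the post are the ones a defender wants to watch in bulk: repeated PREAUTH_FAILED for one principal from one address is the same signature whether it is a user retrying a cached old password (as here) or someone guessing passwords. As an added example (not from the post, not FreeIPA or MIT krb5 code), here is a small parser for those AS_REQ lines with a per-principal failure summary and a check for clients that offer DES/3DES/RC4 encryption types. The sample log is constructed from the post's lines (the archive prints "@" as "(a)"; here the principals carry a real "@" and the client IP is a documentation address).

```python
import re
from collections import Counter, defaultdict

# Constructed sample mirroring the post's KDC lines (not real log data).
SAMPLE_KDC_LOG = """\
Sep 19 15:57:00 ds-01.auth.example.com krb5kdc[1451](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: NEEDED_PREAUTH: xxx@AUTH.EXAMPLE.COM for krbtgt/AUTH.EXAMPLE.COM@AUTH.EXAMPLE.COM, Additional pre-authentication required
Sep 19 15:57:00 ds-01.auth.example.com krb5kdc[1451](info): closing down fd 11
Sep 19 15:57:00 ds-01.auth.example.com krb5kdc[1452](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: NEEDED_PREAUTH: xxx@AUTH.EXAMPLE.COM for krbtgt/AUTH.EXAMPLE.COM@AUTH.EXAMPLE.COM, Additional pre-authentication required
Sep 19 15:57:00 ds-01.auth.example.com krb5kdc[1452](info): closing down fd 11
Sep 19 15:57:00 ds-01.auth.example.com krb5kdc[1451](info): preauth (encrypted_challenge) verify failure: Incorrect password in encrypted challenge
Sep 19 15:57:00 ds-01.auth.example.com krb5kdc[1451](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: PREAUTH_FAILED: xxx@AUTH.EXAMPLE.COM for krbtgt/AUTH.EXAMPLE.COM@AUTH.EXAMPLE.COM, Incorrect password in encrypted challenge
Sep 19 15:57:00 ds-01.auth.example.com krb5kdc[1451](info): closing down fd 11
"""

# One KDC request line: timestamp, host, pid, request type, offered etypes,
# client address, status, client principal, service principal, reason.
KDC_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<n>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<client_ip>\S+): (?P<status>[A-Z_]+): (?P<client>\S+) for (?P<server>\S+), (?P<reason>.*)$"
)

# Kerberos etype numbers for the single-DES, 3DES and RC4 families
# (des-cbc-crc, des-cbc-md4, des-cbc-md5, des3-cbc-sha1, rc4-hmac, rc4-hmac-exp).
WEAK_ETYPES = {1, 2, 3, 16, 23, 24}


def parse_kdc_requests(text):
    """Parse the AS_REQ/TGS_REQ lines; other krb5kdc lines are skipped."""
    records = []
    for line in text.splitlines():
        m = KDC_REQ_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["etypes"] = [int(e) for e in rec["etypes"].split()]
            records.append(rec)
    return records


def preauth_summary(records):
    """Per (client principal, client IP): a Counter of AS_REQ statuses."""
    summary = defaultdict(Counter)
    for r in records:
        if r["req"] == "AS_REQ":
            summary[(r["client"], r["client_ip"])][r["status"]] += 1
    return summary


def suspicious_clients(records, max_failures=5):
    """(principal, ip) pairs whose PREAUTH_FAILED count reaches the threshold."""
    return sorted(key for key, counts in preauth_summary(records).items()
                  if counts["PREAUTH_FAILED"] >= max_failures)


def weak_etypes_offered(records):
    """Client addresses that offered weak etypes, with the etypes seen."""
    offered = defaultdict(set)
    for r in records:
        weak = WEAK_ETYPES.intersection(r["etypes"])
        if weak:
            offered[r["client_ip"]].update(weak)
    return {ip: sorted(etypes) for ip, etypes in offered.items()}
```

The threshold in `suspicious_clients` is per principal and address, so one user locked in a retry loop (the situation in the post) shows up as a single noisy key rather than being lost among normal NEEDED_PREAUTH traffic. The etype check is a side benefit of having the lines parsed: in the sample the client still offers 16 and 23, which is worth knowing on a server where only AES keys are expected.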
NFS4+Krb5 random EIO errors
by Gary Molenkamp
We are seeing random EIO errors when opening files on workstation
clients that, so far, can only be resolved with a reboot of the client.
Environment:
2x replicated IPA servers, Centos 7.5 w/ freeipa 4.5.4-10.el7
NFS server: Centos 7.5
Clients: Mostly Fedora 28, but we've had the same error on Centos 7.5
systems as well. User home accounts are automounted with nfs4+krb5
Scenario:
Upon login, the home directory is always mounted cleanly and
successfully traversed through subdirectories (cd, ls, etc). On an
affected system any attempts to open/read a file will result in
"Input/output error". An strace of the open actually shows the EIO at
the openat syscall:
stat(".bash_profile", {st_mode=S_IFREG|0644, st_size=193, ...}) = 0
openat(AT_FDCWD, ".bash_profile", O_RDONLY) = -1 EIO (Input/output error)
This will then happen for every user that tries to use the workstation.
We've tried restarting every service on the client to attempt to reset
it (i.e. sssd, gssd, etc) but only a reboot will restore the NFS
functionality. The one other symptom I noticed is that on an affected
workstation, the klist no longer contains the nfs/ principal for the nfs
server, i.e.:
Good workstation: gary#> klist -a
Ticket cache: KEYRING:persistent:410400721:krb_ccache_xyvXIky
Default principal: gary@<MYDOMAIN>
Valid starting Expires Service principal
2018-09-18 15:24:44 2018-09-19 15:24:44 nfs/fileserver@<MYDOMAIN>
2018-09-18 15:24:44 2018-09-19 15:24:44 nfs/fileserver@
2018-09-18 15:24:44 2018-09-19 15:24:44 krbtgt/<MYDOMAIN>@<MYDOMAIN>
Bad workstation: gary#> klist
Ticket cache: KEYRING:persistent:410400721:krb_ccache_nY9m2vU
Default principal: gary@<MYDOMAIN>
Valid starting Expires Service principal
2018-09-19 07:25:38 2018-09-20 07:25:38 krbtgt/<MYDOMAIN>@<MYDOMAIN>
Any help, pointers would be appreciated.
Thanks
Gary.
--
Gary Molenkamp Computer Science/Science Technology Services
Systems Administrator University of Western Ontario
molenkam(a)uwo.ca http://www.csd.uwo.ca
(519) 661-2111 x86882 (519) 661-3566
5 years, 7 months
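The missing nfs/ service ticket is the one observable difference between the two klist outputs in the post, so it is a reasonable thing to check from a monitoring agent before users hit the EIO. As an added example (not from the post), here is a small parser for klist output that reports whether a usable nfs/<server> ticket is present. It assumes klist's ticket lines carry start, expiry and service principal in that order, as in the post; the sample outputs are constructed from the two listings, with the realm written out instead of <MYDOMAIN>.

```python
import re
from datetime import datetime

# Constructed klist output modelled on the post's two workstations.
KLIST_GOOD = """\
Ticket cache: KEYRING:persistent:410400721:krb_ccache_xyvXIky
Default principal: gary@EXAMPLE.COM

Valid starting       Expires              Service principal
2018-09-18 15:24:44  2018-09-19 15:24:44  nfs/fileserver@EXAMPLE.COM
2018-09-18 15:24:44  2018-09-19 15:24:44  nfs/fileserver@
2018-09-18 15:24:44  2018-09-19 15:24:44  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""
KLIST_BAD = """\
Ticket cache: KEYRING:persistent:410400721:krb_ccache_nY9m2vU
Default principal: gary@EXAMPLE.COM

Valid starting       Expires              Service principal
2018-09-19 07:25:38  2018-09-20 07:25:38  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"
TICKET_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)$")


def parse_klist(text):
    """[(valid_from, expires, service principal)] for every ticket line."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append((datetime.strptime(m.group(1), TIME_FMT),
                            datetime.strptime(m.group(2), TIME_FMT), m.group(3)))
    return tickets


def nfs_ticket_status(klist_text, nfs_server, now_text):
    """'ok', 'expired' or 'missing' for the nfs/<server>@<REALM> ticket at
    time now_text. Entries with an empty realm (nfs/fileserver@) are not
    counted as the service ticket."""
    now = datetime.strptime(now_text, TIME_FMT)
    prefix = f"nfs/{nfs_server}@"
    matches = [t for t in parse_klist(klist_text)
               if t[2].startswith(prefix) and len(t[2]) > len(prefix)]
    if not matches:
        return "missing"
    return "ok" if any(start <= now < end for start, end, _ in matches) else "expired"
```

Run against the output of `klist` for the logged-in user (the cache is per user, so the check has to run as that user), the function gives a single state per workstation that can be alerted on; "missing" while the krbtgt is still valid is exactly the bad-workstation listing in the post.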
Re: Need assistance setting up auth-ldap with Freeipa
by Morgan Cox
Just a note : It is now working !! (after several hands of smashing my
head against the desk)
In the end I disabled BINDDN and PASSWORD and set TLSEnable yes, and
RequireGroup false
Below is a working config in case it helps anyone else...
Thanks @ Rob Crittenden for your help previously
--------------------------------
<LDAP>
# LDAP server URL
URL ldap://ipa1.morgan.kvm
# Bind DN (If your LDAP server doesn't support anonymous binds)
# BindDN dc=morgan,dc=kvm
# Bind Password
# Password "test_123"
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable yes
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
# TLS CA Certificate File
TLSCACertFile /etc/ipa/ca.crt
# TLS CA Certificate Directory
TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
#TLSCertFile /usr/local/etc/ssl/client-cert.pem
#TLSKeyFile /usr/local/etc/ssl/client-key.pem
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
#TLSCipherSuite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
</LDAP>
<Authorization>
# Base DN
#BaseDN "cn=users,cn=accounts,dc=morgan,dc=kvm"
BaseDN "dc=morgan,dc=kvm"
# User Search Filter
SearchFilter "(uid=%u)"
# Require Group Membership
RequireGroup false
# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
<Group>
BaseDN "cn=users,cn=accounts,dc=morgan,dc=kvm"
SearchFilter "(cn=ipausers)"
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>
-----------------------------------
5 years, 7 months
Re: zabbix for monitoring FreeIPA server?
by Tony Brian Albers
Hi Neal,
Thanks a bunch, I'll look into using your solution. Seems better than
just asking 389ds if it's ok ;)
/tony
On Wed, 2018-09-19 at 11:32 +0000, Neal Harrington wrote:
> Hi Tony,
>
>
> I'm monitoring using the following userparameter (basically run
> "ipactl status" and grep out lines which are known good so only
> errors are returned):
>
>
> UserParameter=ipa.status,sudo /usr/sbin/ipactl status 2>&1 | egrep -v "(INFO\: The ipactl command was successful$|: RUNNING$)"
>
>
> ipactl needs root access so I have a file in /etc/sudoers.d/zabbix
> with these lines to allow the zabbix user to sudo the ipactl status
> command only without a password:
>
>
> ## Allow zabix to query ipa status
> Defaults:zabbix !requiretty
> zabbix ALL = (root) NOPASSWD: /usr/sbin/ipactl status
>
> The final challenge I had was selinux which I had to create a custom
> rule for (but most people seem to just disable selinux).
>
>
> Then just create a trigger to alert if the returned value contains
> any characters. eg this matches on any char apart from whitespace:
>
> {Custom Template IPA Server:ipa.status.regexp([^\s],1200)}=1
>
>
> If anyone else has a better way to do this I'd be interested to hear
> it.
>
>
> Regards,
>
> Neal.
>
>
>
>
> ________________________________
> From: Tony Brian Albers via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
> Sent: 24 August 2018 10:50
> To: freeipa-users(a)lists.fedorahosted.org
> Cc: Tony Brian Albers
> Subject: [Freeipa-users] zabbix for monitoring FreeIPA server?
>
> Hi guys,
>
> Anyone got this working?
>
> And if so, how did you do it?
>
> I know I can monitor the components separately, but if you know of
> anything that can do it easier I'd be happy to know about it.
>
> /tony
> --
> Tony Albers
> Systems administrator, IT-development
> Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> Tel: +45 2566 2383 / +45 8946 2316
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users(a)lists.fedorahosted.org/message/WGYZNKOBXBHHVCGA66GTFVDOG3WJOG5T/
--
Tony Albers
Systems administrator, IT-development
Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316
5 years, 7 months
Need assistance setting up auth-ldap with Freeipa
by Morgan Cox
Hi.
I have been trying to integrate openvpn with Freeipa. General integration
(i.e. using the IPA user password) works fine; my issue is connecting it with
2FA (OTP). Without writing an external script it is not possible to use OTP
+ IPA + openvpn, as there is no mechanism to ask for the 2nd factor in openvpn
and only sshd is set up for the 2nd factor - the reasons are explained in
this reddit post ->
https://www.reddit.com/r/linuxadmin/comments/5wjqs6/freeipa_openvpn_otp_t...
I was advised however that openvpn-auth-ldap can be used, as it is set up so
you can input PASS+OTPTOKEN in the password field.
What I do not understand is what to enter in the /etc/openvpn/auth/ldap.conf
config. I was advised I could get the data I need using ldapsearch with
syntax similar to
# ldapsearch -ZZ -W -L ldap://ipa.example.org -b dc=example,dc=org -D uid=testuser,cn=users,cn=accounts,dc=example,dc=org
However I found using this syntax I just got the error
"ldap_start_tls: Operations error (1), additional info: SSL connection already established"
I have found working commands to query LDAP such as
# ldapsearch -LL -Y GSSAPI
However I am really not sure what info I need to get.
The config for auth-ldap is at the end of the message, the only parts I
think I know are
(btw the ipa server is called ipa1.morgan.kvm)
---
URL ldap://ipa1.morgan.kvm
TLSCACertFile /etc/ipa/ca.crt
---
(this may be wrong..) I am unsure about the BaseDN and TLS cert paths, etc
Can anyone help ?
The config is below
--------------
<LDAP>
# LDAP server URL
URL ldap://ipa1.morgan.kvm
# Bind DN (If your LDAP server doesn't support anonymous binds)
# BindDN uid=Manager,ou=People,dc=example,dc=com
# Bind Password
# Password SecretPassword
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable yes
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
# TLS CA Certificate File
TLSCACertFile /etc/ipa/ca.crt
# TLS CA Certificate Directory
TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
# Base DN
BaseDN "ou=People,dc=example,dc=com"
# User Search Filter
SearchFilter "(&(uid=%u)(accountStatus=active))"
# Require Group Membership
RequireGroup false
# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
<Group>
BaseDN "ou=Groups,dc=example,dc=com"
SearchFilter "(|(cn=developers)(cn=artists))"
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>
--------------
5 years, 7 months
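The two auth-ldap configs on this page (the working one in the "Re:" message above, and the template in this question) come down to three things openvpn-auth-ldap does with the values: it substitutes the login name for `%u` in `SearchFilter` under `BaseDN`, binds as the entry it found with the password typed in, and, when `RequireGroup` is on, checks that the entry is listed in `MemberAttribute` of a group matching the `<Group>` filter. As an added example (not from either post and not openvpn-auth-ldap's own code), here is a small model of that evaluation over a constructed directory shaped like FreeIPA's tree (users under cn=users,cn=accounts, groups under cn=groups,cn=accounts, group membership in the `member` attribute of groupOfNames entries). It also shows the RFC 4515 escaping that a login name must get before it is substituted into a filter, so that a crafted name cannot change the filter's shape. The directory content, DNs and password handling are constructed; the model only understands simple `(attr=value)` filters and treats the value literally.

```python
import re

# Constructed stand-in for the FreeIPA LDAP tree of the two posts.
DIRECTORY = {
    "uid=alice,cn=users,cn=accounts,dc=morgan,dc=kvm": {
        "uid": ["alice"], "objectClass": ["person", "posixaccount"]},
    "uid=bob,cn=users,cn=accounts,dc=morgan,dc=kvm": {
        "uid": ["bob"], "objectClass": ["person", "posixaccount"]},
    "cn=ipausers,cn=groups,cn=accounts,dc=morgan,dc=kvm": {
        "cn": ["ipausers"], "objectClass": ["groupofnames", "ipausergroup"],
        "member": ["uid=alice,cn=users,cn=accounts,dc=morgan,dc=kvm"]},
}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515), so a
    login name such as 'alice)(uid=*' stays a literal string."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def render_filter(template, username):
    """Substitute %u in an auth-ldap style SearchFilter template."""
    return template.replace("%u", escape_filter_value(username))


SIMPLE_EQ = re.compile(r"^\((\w+)=([^()]*)\)$")


def search(base, ldap_filter):
    """Subtree search over DIRECTORY for one simple (attr=value) filter;
    returns the matching DNs. A toy, not an LDAP client."""
    m = SIMPLE_EQ.match(ldap_filter)
    if not m:
        raise ValueError("only (attr=value) filters are supported here")
    attr, value = m.group(1).lower(), unescape_filter_value(m.group(2))
    hits = []
    for dn, entry in DIRECTORY.items():
        values = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
        if dn.endswith(base) and value in values:
            hits.append(dn)
    return hits


def lookup_user(base_dn, filter_template, username):
    """The <Authorization> step: exactly one entry must match, else no DN."""
    dns = search(base_dn, render_filter(filter_template, username))
    return dns[0] if len(dns) == 1 else None


def group_allows(user_dn, group_base, group_filter, member_attr):
    """The RequireGroup step: is user_dn listed in member_attr of a group
    matching group_filter under group_base?"""
    for dn in search(group_base, group_filter):
        if user_dn in DIRECTORY[dn].get(member_attr, []):
            return True
    return False
```

Two details of the posted configs fall out of running this model: the group BaseDN must point at the groups container rather than cn=users, and the membership attribute of a FreeIPA group is `member`, so a `<Group>` block with `uniqueMember` never matches anyone, which is the behaviour one would see before turning `RequireGroup` off.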