Log into web UI with AD user?
by Charles Ulrich
Hello,
I'm setting up a test instance of FreeIPA with a one-way trust to the organization's AD. So far, that all appears to be working. I can run LDAP queries to look up users, I can log into the test instance via Kerberos, it's all golden. What I would like to do next is to add certain external AD users to the "admins" FreeIPA group so that these users can log into the FreeIPA web UI and perform administrative actions the same as the built-in "admin" user can. So far I've spent about a day reading docs, googling, and trying things out but haven't yet made this work. Here is what I've done so far:
In Identity -> Groups, I added a new group called "admins_external", being careful to select "External" when creating it. I then added the external user (user(a)example.net, say) to that group. Next, I added the "admins_external" group to the built-in "admins" group. Based on what little I know so far, I would expect that this would be enough, but when I log into the FreeIPA UI, it only shows the user's profile. There is no way to do anything else.
I thought that maybe I needed an HBAC rule or two, so I created one to allow users in group "admin" access to any host via any service. I then disabled the "allow_all" HBAC rule. Still no dice.
For fun, I added a "native" FreeIPA user and put that user in the "admins_external" group. When logging into the UI with that user, it seems to have all of the admin functionality, unlike the external users.
If I'm missing something obvious, let me know. Fine by me if you point me towards some documentation, but I would ask that you be very specific about what I should read since as I already said, I have already done quite a lot of research on this. :)
Thanks,
Charles
5 years, 2 months
Replica creation using 'ipa-replica-prepare' to generate replica file,is supported only in 0-level IPA domain.
by TomK
Hello,
Would someone please point me to a concise list of steps I can use here?
Running 1.) and 2.) yields various errors and I would like to try a
known set of working commands to get a replica going in this state
before posting with errors:
# ipa-replica-prepare ipa04.abc.xyz.123 --ip-address 192.168.0.20 -p "PASS01"
Replica creation using 'ipa-replica-prepare' to generate replica file
is supported only in 0-level IPA domain.
The current IPA domain level is 1 and thus the replica must
be created by promoting an existing IPA client.
To set up a replica use the following procedure:
1.) set up a client on the host using 'ipa-client-install'
2.) promote the client to replica running 'ipa-replica-install'
*without* replica file specified
'ipa-replica-prepare' is allowed only in domain level 0
The ipa-replica-prepare command failed.
--
Cheers,
Tom K.
-------------------------------------------------------------------------------------
Living on earth is expensive, but it includes a free trip around the sun.
5 years, 2 months
CentOS 7 ipa upgrade causes pki-tomcatd not to start CA
by Jason Wood
Upgraded from CentOS 7.5 to 7.6, which includes the IPA upgrade from 4.5.4-10 to 4.6.4-10. The upgrade was done via yum upgrade.
Upgrade went fine. I see no alarming errors in the logs. It stopped and started all the servers and did the ipa upgrade. All was fine once completed.
Reboot, and now the pki-tomcatd CA will not start. Tomcat starts, gets all the way to where it should start the CA and doesn't. No errors; debug doesn't show any blatant errors. It does have "Repository: Server not completely started. Returning .." which is the closest thing I see to an error.
All the certs are in monitoring state. None are expired. Domain is not quite a year old. PKI is communicating to LDAP without issues. Validated that. Also checked for any replication errors. There are none.
This is happening on all 4 systems, in the exact same way. DNS is up, we can authenticate, Kerberos is working. Can search LDAP via SSL and non-SSL. Rebooted into the older kernel just to make sure. Reverted back to an old CS.cfg also, no different. I'm at a complete loss. Most other posts and pages about this all deal with expired certs, and the one that wasn't (from Red Hat) was about replication conflicts. Nothing is panning out.
Fully patched CentOS Linux release 7.6.1810 (Core)
ipa-client-4.6.4-10.el7.centos.x86_64
ipa-client-common-4.6.4-10.el7.centos.noarch
ipa-common-4.6.4-10.el7.centos.noarch
ipa-server-4.6.4-10.el7.centos.x86_64
ipa-server-common-4.6.4-10.el7.centos.noarch
ipa-server-dns-4.6.4-10.el7.centos.noarch
libipa_hbac-1.16.2-13.el7.x86_64
python2-ipaclient-4.6.4-10.el7.centos.noarch
python2-ipalib-4.6.4-10.el7.centos.noarch
python2-ipaserver-4.6.4-10.el7.centos.noarch
python-iniparse-0.4-9.el7.noarch
python-libipa_hbac-1.16.2-13.el7.x86_64
sssd-ipa-1.16.2-13.el7.x86_64
krb5-pkinit-1.15.1-34.el7.x86_64
pki-base-10.5.9-6.el7.noarch
pki-base-java-10.5.9-6.el7.noarch
pki-ca-10.5.9-6.el7.noarch
pki-kra-10.5.9-6.el7.noarch
pki-server-10.5.9-6.el7.noarch
pki-tools-10.5.9-6.el7.x86_64
5 years, 2 months
Help with webapps and expired passwords
by Jeff Goddard
Hi,
I find myself in situation described in this thread:
https://serverfault.com/questions/716556/freeipa-ldap-refuse-auth-for-use...
Basically we have enabled the FreeIPA LDAP back end to authenticate our
users to various web applications (Confluence, Jira, Rundeck, etc.) as well
as our VPN. What I'm finding is that users with expired passwords are still
able to access all of the services. I see there is an issue in development (
https://pagure.io/freeipa/issue/1539) but it looks to be a complex issue
that doesn't seem prudent to wait for. Does anyone have a script or
pointers on how I can search for expired passwords and disable the user
accounts if they are expired? Or is there another method to accomplish
having users with expired passwords get denied access to VPN and web
services if their password is expired?
Thanks,
Jeff
5 years, 2 months
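An added example for the question above (editor's code, not a FreeIPA script and not from the thread): the selection logic for a scheduled job that finds users whose krbPasswordExpiration has passed and emits the `ipa user-disable` commands for them, since an expired password still passes an LDAP simple bind and the account lock is the only server-side stop the applications will honour. It assumes the entries were searched under cn=users,cn=accounts,<suffix> with the filter the block builds, that krbPasswordExpiration is stored as UTC GeneralizedTime with an ordering match so `<=` is usable in the filter, that nsAccountLock=TRUE marks an already disabled account, and that a user without krbPasswordExpiration has never had a password set. The sample entries are constructed; nothing is executed against a server.

```python
"""Find IPA users whose password has expired and emit the commands to disable them.

Added example for the "expired passwords" thread, not a FreeIPA-provided tool.
Assumptions (not taken from the thread): krbPasswordExpiration is UTC
GeneralizedTime with an ordering match, nsAccountLock=TRUE means "already
disabled", and a missing krbPasswordExpiration means no password was ever set.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Union

GT_FMT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime as IPA stores it, e.g. 20190301000000Z
AttrValue = Union[str, List[str], None]


def to_generalized_time(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime(GT_FMT)


def from_generalized_time(value: str) -> datetime:
    return datetime.strptime(value, GT_FMT).replace(tzinfo=timezone.utc)


def expired_password_filter(now: datetime, grace: timedelta = timedelta(0)) -> str:
    """LDAP filter for enabled users whose expiry is at or before now - grace.

    The grace period avoids disabling someone whose password expired minutes
    ago while they are in the middle of a forced change."""
    cutoff = to_generalized_time(now - grace)
    return ("(&(objectClass=krbprincipalaux)(uid=*)"
            f"(krbPasswordExpiration<={cutoff})"
            "(!(nsAccountLock=TRUE)))")


def _first(value: AttrValue) -> Optional[str]:
    """ldap3 and python-ldap hand back attribute values as lists; accept both."""
    if isinstance(value, list):
        return value[0] if value else None
    return value


def select_expired(entries: Iterable[Dict[str, AttrValue]], now: datetime,
                   grace: timedelta = timedelta(0)) -> List[str]:
    """Re-check each entry client-side (on top of the server filter) and
    return the uids that should be disabled, sorted for stable output."""
    cutoff = now - grace
    expired = []
    for entry in entries:
        uid = _first(entry.get("uid"))
        expiry = _first(entry.get("krbPasswordExpiration"))
        locked = (_first(entry.get("nsAccountLock")) or "FALSE").upper() == "TRUE"
        if uid is None or expiry is None or locked:
            continue  # no password set, or already disabled: nothing to do
        if from_generalized_time(expiry) <= cutoff:
            expired.append(uid)
    return sorted(expired)


def disable_commands(uids: Iterable[str]) -> List[List[str]]:
    """argv lists suitable for subprocess.run; this function executes nothing."""
    return [["ipa", "user-disable", uid] for uid in uids]


# Constructed sample entries standing in for an LDAP search result.
SAMPLE_ENTRIES = [
    {"uid": ["alice"], "krbPasswordExpiration": ["20190101000000Z"]},
    {"uid": ["bob"], "krbPasswordExpiration": ["20190301000000Z"]},
    {"uid": ["carol"], "krbPasswordExpiration": ["20190101000000Z"], "nsAccountLock": ["TRUE"]},
    {"uid": ["dave"]},  # never had a password set
]

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(expired_password_filter(now, grace=timedelta(hours=1)))
    for argv in disable_commands(select_expired(SAMPLE_ENTRIES, now, grace=timedelta(hours=1))):
        print(" ".join(argv))
```

Run it from a host holding an admin Kerberos ticket and pipe the printed commands into a shell only once the dry-run output looks right. The client-side re-check in `select_expired` is deliberate: if the directory evaluates the `<=` comparison differently than expected, the script still only disables accounts whose expiry it has parsed itself, and the grace period keeps a user who is mid-way through a forced password change from being locked out by the job.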
Modsecurity for admin account lockout protection
by Andrey Bondarenko
Hello,
In a situation where the FreeIPA interface is exposed to the internet, there
will be bots trying to brute-force the admin account, which gets it locked. I
came up with this ModSecurity setting for nss.conf:
SecRule ARGS:user "@contains admin" "id:1234,deny,status:403"
The admin user is no longer available from the UI; Kerberos
login is not affected, and CLI and WebUI login for other users are not
affected. Can it break something?
--
With best regards,
Andrey Bondarenko
mail: me@andreybondarenko.com
https://andreybondarenko.com
skype: andrey.bondarenko
phone, Telegram, WhatsApp, etc: +420-773-591-443
7758 40AC 88CC 96C9 0C9A 9EE4 3B72 547B 7538 D41B
5 years, 2 months
Use of certificates is failing
by Pierre Labanowski
Hello,
I have some issues with certificate management.
Two important points of recent history:
- After a long-standing loss of the certificate authority, the
certificate authority was deleted and a new one was created.
https://frasertweedale.github.io/blog-redhat/posts/2018-05-31-replacing-l...
(very big thanks)
- For HTTP and LDAP, I use third-party certificates
(ipa-server-certinstall).
So far, I've noticed two problems:
1) ipa-server-upgrade: failed
It is impossible to upgrade the server.
I get a 401 error returned when the upgrade script tries to access the URL:
> GET request https://freeipa4.exemple.fr:8443/ca/rest/account/login
> ...
> response status 401
For this problem, I followed this information:
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom...
The certificate in /etc/pki/pki-tomcat/alias/ is the same as the pkiuser one on the
LDAP server:
internaldb.ldapauth.authtype=SslClientAuth
so I don't know why I have a 401 error.
2) ipa cert-request --principal: failed
ipa: ERROR: cannot connect to
"https://freeipa4.exmple.fr:443/ca/eeca/ca/profileSubmitSSLClient":
(SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate
This is strange because on port 443 I use third-party certificates.
Do you have any idea what the problem is? I'm lost; I don't know what to
look for anymore.
Thank you in advance,
Pierre
here are some excerpts from the log
-----
IPA server version 4.4.0. API version 2.213
-----
ipaupgrade.log:
2019-01-29T16:48:21Z DEBUG request GET
https://freeipa4.exemple.fr:8443/ca/rest/account/login
2019-01-29T16:48:21Z DEBUG request body ''
2019-01-29T16:48:21Z DEBUG NSSConnection init freeipa4.exemple.fr
2019-01-29T16:48:21Z DEBUG Connecting: XX.XX.XX.XX:0
2019-01-29T16:48:21Z DEBUG approved_usage = SSL Server intended_usage =
SSL Server
2019-01-29T16:48:21Z DEBUG cert valid True for
"CN=freeipa4.exemple.fr,O=exemple.FR"
2019-01-29T16:48:21Z DEBUG handshake complete, peer = XX.XX.XX.XX:8443
2019-01-29T16:48:21Z DEBUG Protocol: TLS1.2
2019-01-29T16:48:21Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
2019-01-29T16:48:21Z DEBUG approved_usage = SSL Server intended_usage =
SSL Server
2019-01-29T16:48:21Z DEBUG cert valid True for
"CN=freeipa4.exemple.fr,O=exemple.FR"
2019-01-29T16:48:21Z DEBUG handshake complete, peer = XX.XX.XX.XX:8443
2019-01-29T16:48:21Z DEBUG Protocol: TLS1.2
2019-01-29T16:48:21Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
2019-01-29T16:48:21Z DEBUG response status 401
2019-01-29T16:48:21Z DEBUG response headers {'content-length': '964',
'content-language': 'fr', 'expires': 'Thu, 01 Jan 1970 01:00:00 CET',
'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Tue,
29 Jan 2019 16:48:21 GMT', 'content-type': 'text/html;charset=utf-8',
'www-authenticate': 'Basic realm="C}
2019-01-29T16:48:21Z DEBUG response body '<html><head><title>Apache
Tomcat/7.0.69 - Error report</title><style><!--H1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
H2
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
H3 {font'
2019-01-29T16:48:21Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2019-01-29T16:48:21Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1863, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1785, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 336, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1984, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1990, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 2060, in __enter__
    raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))
2019-01-29T16:48:21Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to the CA REST API
-------
# getcert list
Number of certificates and requests being tracked: 5.
-------
5 years, 2 months
DNS A record for IPA server is not created
by Dmitry Perets
Hi,
With ipa-server 4.6.4-10.el7_6.2 on RHEL 7, I see the following issue:
My host name is a bit long, of the form idm01.site01.poc.my.network.com
I am installing a fresh new IPA server on this host, with DNS server.
Running ipa-server-install without arguments.
During installation I can specify the DNS zone to create.
If I specify poc.my.network.com, then I get the following error:
ipapython.dnsutil: ERROR DNS query for idm01.site01.poc.my.network.com.
1 failed: All nameservers failed to answer the query
idm01.site01.poc.my.network.com. IN A: Server 127.0.0.1 UDP port 53
answered SERVFAIL
I can see that the A record for the IPA server itself (idm01.site01) wasn't
created during installation.
But if I leave the default DNS zone (site01.poc.my.network.com), then
everything works fine, the record is created (the record name in that case
is just idm01).
Of course, I can create the record manually, and it seems to work fine. But
is it expected?
Any other issues that I should expect with my non-default zone...?
--
Regards,
Dmitry Perets.
"The more one knows, the less opinions he shares"
-- Wilhelm Schwebel
5 years, 2 months
external ocsp ?
by veer Schlansky
My company's PIV/AD credential is user(a)example.com. We set up our IPA
credential as user(a)linux.example.com.
example.com and linux.example.com are completely separate domains/realms,
no trust or interaction whatsoever.
I took the user and CA certs on the PIV card and put them into ipa. I was
able to authenticate to ipa webui with my PIV card.
My question is: does IPA do an Online Certificate Status Protocol (OCSP) check for the
user(a)example.com cert? Any way to verify that?
Thanks.
5 years, 2 months
Error: "has a RID that is larger than the ldap_idmap_range_size"
by SOLER SANGUESA Miguel
Hello again,
I have resolved the problem myself.
Following https://access.redhat.com/solutions/659243 the sssd cache must be erased using:
service sssd stop; rm -f /var/lib/sss/db/*; service sssd start
It seems that the way I used "sss_cache -E" doesn't work for this.
Thanks & Regards.
From: SOLER SANGUESA Miguel
Sent: Monday, February 04, 2019 12:46
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Subject: Error: "has a RID that is larger than the ldap_idmap_range_size"
hello,
I have an IdM cluster (master + replica) version 4.5.4 on RHEL 7.4. I have created a trust with an AD 2016 domain, AD.COMPANY.ORG. Some users are working properly, but I created a new AD user and it is not working. Checking the sssd logs I found:
[sdap_idmap_sid_to_unix] (0x0040): Object SID [S-1-5-21-XXXXXXXXX-2674911608-YYYYYYYY-208726] has a RID that is larger than the ldap_idmap_range_size. See the "ID MAPPING" section of sssd-ad(5) for an explanation of how to resolve this issue.
[sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-XXXXXXXXX-2674911608-YYYYYYYY-208726] to a UNIX ID
[sssd[be[ipa.AD.COMPANY.ORG]]] [sdap_save_user] (0x0020): Failed to save user [user(a)AD.COMPANY.ORG]
[sssd[be[ipa.AD.COMPANY.ORG]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
I've googled it and found that the default range size is 200000, and as the last number of the SID (in this case 208726) is the one used for the ID, it is bigger than the range, so the error is expected.
The problem is that I have modified the range size:
# ipa idrange-mod --range-size=600000
Range name: AD.COMPANY.ORG_id_range
-------------------------------------------
Modified ID range "AD.COMPANY.ORG_id_range"
-------------------------------------------
Range name: AD.COMPANY.ORG_id_range
First Posix ID of the range: 1467600000
Number of IDs in the range: 600000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-185866794-2674911608-285463921
Range type: Active Directory domain range
I have restarted the IPA service and reset the sssd cache, and I get the same error.
Any idea why it is still failing?
Thanks & Regards.
5 years, 2 months
Error: "has a RID that is larger than the ldap_idmap_range_size"
by SOLER SANGUESA Miguel
hello,
I have an IdM cluster (master + replica) version 4.5.4 on RHEL 7.4. I have created a trust with an AD 2016 domain, AD.COMPANY.ORG. Some users are working properly, but I created a new AD user and it is not working. Checking the sssd logs I found:
[sdap_idmap_sid_to_unix] (0x0040): Object SID [S-1-5-21-XXXXXXXXX-2674911608-YYYYYYYY-208726] has a RID that is larger than the ldap_idmap_range_size. See the "ID MAPPING" section of sssd-ad(5) for an explanation of how to resolve this issue.
[sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-XXXXXXXXX-2674911608-YYYYYYYY-208726] to a UNIX ID
[sssd[be[ipa.AD.COMPANY.ORG]]] [sdap_save_user] (0x0020): Failed to save user [user(a)AD.COMPANY.ORG]
[sssd[be[ipa.AD.COMPANY.ORG]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
I've googled it and found that the default range size is 200000, and as the last number of the SID (in this case 208726) is the one used for the ID, it is bigger than the range, so the error is expected.
The problem is that I have modified the range size:
# ipa idrange-mod --range-size=600000
Range name: AD.COMPANY.ORG_id_range
-------------------------------------------
Modified ID range "AD.COMPANY.ORG_id_range"
-------------------------------------------
Range name: AD.COMPANY.ORG_id_range
First Posix ID of the range: 1467600000
Number of IDs in the range: 600000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-185866794-2674911608-285463921
Range type: Active Directory domain range
I have restarted the IPA service and reset the sssd cache, and I get the same error.
Any idea why it is still failing?
Thanks & Regards.
5 years, 2 months
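An added example covering both copies of the RID question above, the original post and the self-answered reply (editor's code, not sssd or FreeIPA code): the RID-to-POSIX-ID arithmetic that sssd applies to an IPA-managed ID range of a trusted AD domain, so a user's SID can be checked against `ipa idrange-show` output before anyone wonders why the login fails. It assumes the mapping posix_id = base_id + (rid - base_rid), valid only while base_rid <= rid < base_rid + range_size, which is how sssd treats ranges of type ipa-ad-trust. The range values are the ones printed in the thread; the full user SID is constructed by joining the thread's domain SID to RID 208726, and the secondary range with a first RID of 600000 is hypothetical, shown to illustrate the alternative of adding a range instead of growing the first one.

```python
"""Check whether an AD SID fits an IPA ID range and compute the POSIX ID sssd would assign.

Added example for the "RID larger than ldap_idmap_range_size" thread, not sssd
or FreeIPA code. Assumed mapping (how sssd handles ipa-ad-trust ranges):
    posix_id = base_id + (rid - base_rid)   for base_rid <= rid < base_rid + range_size
"""
import re
from dataclasses import dataclass
from typing import Iterable, Tuple

# S-1-<authority>-<subauthority>... ; the last sub-authority of a user/group SID is the RID
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


@dataclass(frozen=True)
class IdRange:
    name: str
    domain_sid: str        # "Domain SID of the trusted domain"
    base_id: int           # "First Posix ID of the range"
    range_size: int        # "Number of IDs in the range"
    base_rid: int = 0      # "First RID of the corresponding RID range"

    def covers_rid(self, rid: int) -> bool:
        return self.base_rid <= rid < self.base_rid + self.range_size


def split_sid(sid: str) -> Tuple[str, int]:
    """Return (domain SID, RID); raises ValueError for anything that is not a SID."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    domain_sid, rid = sid.rsplit("-", 1)
    return domain_sid, int(rid)


def sid_to_unix_id(sid: str, ranges: Iterable[IdRange]) -> int:
    """Map a SID to the POSIX ID the first matching range yields.

    Raises LookupError when no range for the domain covers the RID, which is
    the condition behind sssd's "RID that is larger than the
    ldap_idmap_range_size" message."""
    domain_sid, rid = split_sid(sid)
    candidates = [r for r in ranges if r.domain_sid == domain_sid]
    if not candidates:
        raise LookupError(f"no ID range configured for domain {domain_sid}")
    for r in candidates:
        if r.covers_rid(rid):
            return r.base_id + (rid - r.base_rid)
    covered = ", ".join(
        f"{r.name}: RIDs {r.base_rid}-{r.base_rid + r.range_size - 1}" for r in candidates)
    raise LookupError(
        f"RID {rid} of {sid} is outside every range for {domain_sid} ({covered}); "
        "grow the range or add one with a higher first RID")


def rid_fits(sid: str, ranges: Iterable[IdRange]) -> bool:
    try:
        sid_to_unix_id(sid, ranges)
        return True
    except LookupError:
        return False


# Values from the thread's `ipa idrange-mod` output; the user SID is constructed
# from that domain SID plus the RID 208726 seen in the sssd log.
AD_SID = "S-1-5-21-185866794-2674911608-285463921"
USER_SID = AD_SID + "-208726"
RANGE_BEFORE = IdRange("AD.COMPANY.ORG_id_range", AD_SID, 1467600000, 200000)
RANGE_AFTER = IdRange("AD.COMPANY.ORG_id_range", AD_SID, 1467600000, 600000)
# Hypothetical alternative: keep the first range and add a second one for RIDs 600000+.
RANGE_SECONDARY = IdRange("AD.COMPANY.ORG_id_range_2", AD_SID, 1468200000, 200000, base_rid=600000)

if __name__ == "__main__":
    for label, ranges in (("before", [RANGE_BEFORE]), ("after", [RANGE_AFTER])):
        try:
            print(f"{label}: {USER_SID} -> uid {sid_to_unix_id(USER_SID, ranges)}")
        except LookupError as err:
            print(f"{label}: {err}")
```

The arithmetic explains the thread's numbers directly: with a range size of 200000 and first RID 0, any RID of 200000 or more has nowhere to land, and after the resize RID 208726 maps to uid 1467808726. Note that sssd reads the ranges from IPA once and caches them, which is why the reply above had to wipe /var/lib/sss/db before the modified range took effect; the check here runs against the values you intend to configure, not against what sssd currently has cached.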