Add a new ObjectClass / Attributes / Help
by Karim Bourenane
Hello
I would like to authenticate applications with users via IPA. I can't find
a Redhat tutorial (unless I'm wrong ??).
Can you give me a link with a tutorial please ?
My freeipa version is 4.5.4
Mr Karim Bourenane
4 years, 4 months
Application-specific password or OTP disable for specific external applications
by Furkan İnciroğlu
We use FreeIPA for all our services. OTP is very useful on web but when we try to login on mobile we cannot get OTP password from Google Authenticator or FreeOTP mobile app. For example; if you want to login your mail on mobile you cannot enter your OTP password on the login screen. How can I disable OTP just for mail service. Anybody have any idea?
4 years, 4 months
Doing SSO on a non-IPA joined OS X system
by Alex Corcoles
So I now have an OS X work laptop and did a kinit user@MYDOMAIN and... it
worked!
I've seen some guides about joining an OS X system to FreeIPA, but I don't
think I want that (we are not currently joining work OS X systems to a
domain, but I suppose we will soon- and I guess joining two domains would
be hairy), but I'm wondering if it's not crazy to kinit, get my Kerberos
tickets and get SSO for https/ssh?
While having a ticket seems to not be enough to get SSH/Firefox to work,
I'm wondering if it's viable to get it to work or if it's a waste of time
because it cannot work or has serious limitations. It's mostly for learning
purposes...
Cheers,
Álex
--
___
{~._.~}
( Y )
()~*~() mail: alex at corcoles dot net
(_)-(_) http://alex.corcoles.net/
4 years, 4 months
Custom attributes error
by Boris Cheperis
Hi,
I have a set of custom attributes that were successfully used with FreeIPA version 4.2.
Now I’m trying to make them work in the latest version but keep getting an error:
ipalib.backend: DEBUG: Created connection context.ldap2_139877799582288
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DATAROBOT-COM.socket <ldapi://%2fvar%2frun%2fslapd-DATAROBOT-COM.socket> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f37d5fc15a8>
ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file employee-a.ldif
ipapython.admintool: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 143, in run
ldapi=True) or modified
File "/usr/lib/python2.7/site-packages/ipaserver/install/schemaupdate.py", line 129, in update_schema
_dn, new_schema = ldap.schema.subentry.urlfetch(url)
File "/usr/lib64/python2.7/site-packages/ldap/schema/subentry.py", line 480, in urlfetch
ldif_file = urllib.urlopen(uri)
File "/usr/lib64/python2.7/urllib.py", line 87, in urlopen
return opener.open(url)
File "/usr/lib64/python2.7/urllib.py", line 208, in open
return getattr(self, name)(url)
File "/usr/lib64/python2.7/urllib.py", line 461, in open_file
return self.open_ftp(url)
File "/usr/lib64/python2.7/urllib.py", line 520, in open_ftp
host = socket.gethostbyname(host)
ipapython.admintool: DEBUG: The ipa-ldap-updater command failed, exception: IOError: [Errno socket error] [Errno -2] Name or service not known
ipapython.admintool: ERROR: Unexpected error - see /var/log/ipaupgrade.log for details:
IOError: [Errno socket error] [Errno -2] Name or service not known
ipapython.admintool: ERROR: The ipa-ldap-updater command failed.
So far I tried version 4.6.4 and 4.7.2.
Here are the ldif files that are used for adding attributes and objectless information.
employee-attrs.ldif:
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 2.25.128424792425578037463837247958458780603.1
NAME 'github'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 2.25.128424792425578037463837247958458780603.2
NAME 'squad'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
employee-objectclass.ldif
dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 2.25.128424792425578037463837247958458780603.100
NAME 'Employee' SUP person
STRUCTURAL
MAY ( github $ squad )
X-ORIGIN 'Extending FreeIPA')
4 years, 4 months
systemd thinks it or something wants ipa service
by lejeczek
hi guys
I have no ipa configured, not even a client set up and yet I see
something constantly wants IPA:
May 09 16:06:19 swir.private. systemd[1]: ipa.service: main process
exited, code=exited, status=6/NOTCONFIGURED
May 09 16:06:19 swir.private. systemd[1]: Failed to start Identity,
Policy, Audit.
May 09 16:06:19 swir.private. systemd[1]: Unit ipa.service entered
failed state.
May 09 16:06:19 swir.private. systemd[1]: ipa.service failed.
^[May 09 16:06:49 swir.private. systemd[1]: Starting Identity, Policy,
Audit...
May 09 16:06:49 swir.private. ipactl[42053]: IPA is not configured (see
man pages of ipa-server-install for help)
May 09 16:06:49 swir.private. systemd[1]: ipa.service: main process
exited, code=exited, status=6/NOTCONFIGURED
May 09 16:06:49 swir.private. systemd[1]: Failed to start Identity,
Policy, Audit.
May 09 16:06:49 swir.private. systemd[1]: Unit ipa.service entered
failed state.
May 09 16:06:49 swir.private. systemd[1]: ipa.service failed.
May 09 16:07:20 swir.private. systemd[1]: Starting Identity, Policy,
Audit...
May 09 16:07:20 swir.private. ipactl[42275]: IPA is not configured (see
man pages of ipa-server-install for help)
May 09 16:07:20 swir.private. systemd[1]: ipa.service: main process
exited, code=exited, status=6/NOTCONFIGURED
May 09 16:07:20 swir.private. systemd[1]: Failed to start Identity,
Policy, Audit.
May 09 16:07:20 swir.private. systemd[1]: Unit ipa.service entered
failed state.
May 09 16:07:20 swir.private. systemd[1]: ipa.service failed.
May 09 16:07:51 swir.private. systemd[1]: Starting Identity, Policy,
Audit...
May 09 16:07:51 swir.private. ipactl[42503]: IPA is not configured (see
man pages of ipa-server-install for help)
May 09 16:07:51 swir.private. systemd[1]: ipa.service: main process
exited, code=exited, status=6/NOTCONFIGURED
May 09 16:07:51 swir.private. systemd[1]: Failed to start Identity,
Policy, Audit.
May 09 16:07:51 swir.private. systemd[1]: Unit ipa.service entered
failed state.
May 09 16:07:51 swir.private. systemd[1]: ipa.service failed.
Is that normal and if not then what can be the problem?
many thanks, L.
4 years, 4 months
host does not match the primary host name - installing replica
by lejeczek
hi guys,
this must be something trivial and I must have gone blind, can you spot
what I missed?
$ ipa-replica-install --setup-dns --no-forwarders --ip-address=10.5.8.65
WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipapython.admintool: ERROR The host name rider.xxx does not match the
primary host name rider-ring8.xxx. Please check /etc/hosts or DNS name
resolution
$ host -r 10.5.8.97
97.8.5.10.in-addr.arpa domain name pointer rider.xxx.
97.8.5.10.in-addr.arpa domain name pointer rider-ring8.xxx.
$ host -r 10.5.8.49
49.8.5.10.in-addr.arpa domain name pointer whale.xxx.
49.8.5.10.in-addr.arpa domain name pointer whale-ring8.xxx.
$ host rider-ring8..
rider-ring8. has address 10.5.8.97
$ host rider..
rider. has address 10.5.8.97
Primary hostname of the box replica-install complains of is rider.xxx.
Why IPA thinks it is rider-ring8.xxx ?
What can be wrong?
many thanks, L.
4 years, 4 months
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (500)
by H. Frenzel
Hi,
trying to delete a host failed with "Unable to communicate with CMS
(500)"
# ipa host-del foo.bar.local
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (500)
Checking the pki logs shows "Subsystem unavailable"
# /var/log/pki/pki-tomcat/localhost.YYYY-MM-DD.log
SEVERE: Exception Processing /ca/rest/certs/search
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Trying to troubleshoot it with help of
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom...
shows an authentication error on LDAP
(/var/log/pki/pki-tomcat/ca/debug), but debug it further failed in the
part "Check the subsystemCert cert-pki-ca"
The 1st command works:
# certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert
cert-pki-ca'
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
00:9f:ff:01:6c
...
# grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | cut -d=
-f2 > /tmp/pwdfile.txt
But then the private key can't been read:
# certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n
'subsystemCert cert-pki-ca'
certutil: Checking token "NSS Certificate DB" in slot "NSS User
Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID:
Unrecognized Object Identifier.
# certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n
'NSS Certificate DB: subsystemCert cert-pki-ca'
certutil: Checking token "NSS Certificate DB" in slot "NSS User
Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID:
Unrecognized Object Identifier.
It looks as it's there:
# certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User
Private Key and Certificate Services"
< 0> rsa f7eXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX79c Server-Cert
cert-pki-ca
< 1> rsa 7e4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX164 NSS
Certificate DB:caSigningCert cert-pki-ca
< 2> rsa f40XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX978 Server-Cert
cert-pki-ca
< 3> rsa 097XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXcca NSS
Certificate DB:subsystemCert cert-pki-ca
< 4> rsa 28cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX8f9 (orphan)
< 5> rsa 602XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX400 NSS
Certificate DB:ocspSigningCert cert-pki-ca
< 6> rsa b28XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX9fe NSS
Certificate DB:auditSigningCert cert-pki-ca
< 7> rsa 91cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXb13 (orphan)
What could be wrong here?
Thanks in advance & b/r
H.
4 years, 4 months
commercial certificate expired
by Adrian HY
Hello all,
My commercial certificate has expired today. The pki-tomcatd Service has
stopped and I can´t to login at the web-gui.
Is it possible to revert the original self signed certificate ?
Thanks.
4 years, 4 months
Trying to renew a revoked certificate
by Timothy Geier
Hello all,
After going through rather nasty cert renewal issues ~2 years ago, I
made sure to watch the next round of renewals very
closely. Fortunately, just about everything renewed on schedule and
automatically (a few certs needed the fix at
https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-auth...
due to Invalid cookie: '' errors, though).
The only remaining issue is with one cert that's showing the following:
Request ID '20170609034302':
status: MONITORING
ca-error: Server at "http://$SERVER:8080/ca/ee/ca/profileSubmit" \
replied: Certificate serial number {0} to be renewed is revoked. \
Cannot renew a revoked certificate
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias', \
nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias', \
nickname='Server-Cert cert-pki-ca', \
token='NSS Certificate DB'
<snip>
Said server is a CA replica and this cert has fortunately not yet
expired yet (it has until about the end of the month)..after digging
into it some more, I found the cert in the web interface where
Revocation reason 4
was listed. That indicates that it was superseded (according to RFC
5280) but I don't know when or why this cert was revoked.
Do I just need to use ipa-getcert request on 'Server-Cert cert-pki-ca'
in /etc/pki/pki-tomcat/alias to create/install a new cert or is there
something else that should be done here?
Thanks,
4 years, 4 months
