FreeIPA-users February 2020

freeipa-users@lists.fedorahosted.org

64 participants
104 discussions

Confusion on LDAP changes for NIS automounts
by Russell Jones 07 Feb '20

07 Feb '20

I have followed this documentation for enabling an automount to show up for a NIS client that is bound to FreeIPA, and it worked as expected and the NIS client can see the automount: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/ht… I then went back and dumped the entire ldap tree out of curiosity to see my changes I just added, and they are not there. If I search for the keys "nis-base" or "nis-domain" for example, it's no where to be found. Where did this change actually go? I feel like I'm going crazy! :) Thanks for the help in furthering my understanding!

3 5

NIS client bound to FreeIPA, passwd file is asterisks instead of hash
by Russell Jones 06 Feb '20

06 Feb '20

I have a client bound to FreeIPA using NIS, however when doing a "ypcat passwd" the password fields are an asterisk (*) instead of a password hash. The NIS integration docs are a bit sparse - am I missing something to allow NIS clients to authenticate against FreeIPA as an actual NIS client? Is that supported?

2 2

MediaWiki and FreeIPA ?
by White, Daniel E. (GSFC-770.0)[NICS] 06 Feb '20

06 Feb '20

I have been trying various LDAP extensions without success. Most Google-able information is years old. Anyone use this : https://www.freeipa.org/page/Setting_up_MediaWiki_to_run_against_FreeIPA ? ______________________________________________________________________________________________ Daniel E. White daniel.e.white(a)nasa.gov<mailto:daniel.e.white@nasa.gov> NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290

2 2

suggestion for password policy
by Charles Hedrick 06 Feb '20

06 Feb '20

The NIST recommendations for passwords say they don’t think character classes and expiration are useful. Instead, they recommend using a blacklist of known common passwords. There’s no way to implement this policy without writing your own plugin. It would be useful for IPA’s password policy to allow you to specify a database of forbidden passwords. We’ve done this using a plugin, but I’d rather not have to write C code to implement policy.

2 8

Command to export sub-ca certificate
by Jakob Ackermann 05 Feb '20

05 Feb '20

The client is joined to the IPA domain and gets a certificate from the sub-ca `puppet` with `ipa-getcert request -x puppet`. In order to have the puppet agent to be able to talk to puppet server I need the puppet sub-ca certificate. How can I distribute the sub-ca certificate to the client? Running `ipa-certupdate` did not work. Thanks

4 4

VMware vCenter Single Sign-On
by White, Daniel E. (GSFC-770.0)[NICS] 05 Feb '20

05 Feb '20

Reference Links: 12/19/2006 https://bugzilla.redhat.com/show_bug.cgi?id=220222 Bug 220222 - [RFE] support for RFC 4530 entryUUID attribute [NEEDINFO] Product: Red Hat Enterprise Linux 8 Reported: 2006-12-19 19:40 UTC by Victoriano Giralt Modified: 2020-01-17 05:47 UTC (History) 01/04/2012 https://pagure.io/389-ds-base/issue/137 #137 No support for RFC 4530 entryUUID attribute Last Modified 10/18/2017 04/04/2019 https://christopherdamerau.com/freeipa-as-vcsa-identity-source/ 01/30/2019 https://www.reddit.com/r/redhat/comments/al3no8/does_identity_management_fr… 04/04/2016 https://www.howtovmlinux.com/articles/vmware/vcenter/integrate-freeipa-idm-… 06/20/2017 https://kb.vmware.com/s/article/2064977 VMware Knowledge Base: OpenLDAP schemas supported in VMware vCenter Single Sign-On (2064977) 11/22/2018 https://www.freeipa.org/page/V4/Data_transformation I have spent the last two days trying to get vSphere 6.7 SSO to talk to Red Hat Identity Manager (FreeIPA v4.6.5) Group permissions from LDAP do not work in vSphere. Period. It tells me, " "Unable to login because you do not have permission on any vCenter server systems connected to this client" I can associate an LDAP user to a vSphere role at the global level, but that won’t scale very far. QUESTION: Does anyone know of an OpenLDAP setup that satisfies the VMware KB description ? I do not believe that such a critter exists unless it is a home-grown, custom cobbled together monstrosity that would be a nightmare to maintain. This was my point to VMware support. They support Active Directory. They should support FreeIPA because their "OpenLDAP" setup probably does not exist. I am looking for any recent information anyone may have about getting this to work. I am also looking for more detail to support my claim to VMware that they need to support FreeIPA. ______________________________________________________________________________________________ Daniel E. White daniel.e.white(a)nasa.gov<mailto:daniel.e.white@nasa.gov> NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290

3 4

ipa-restore and the issues
by Ian Kumlien 05 Feb '20

05 Feb '20

Hi, Due to issues, I'm trying to do a partial restore of all the "important bits" But if I do ipa-restore --online --data --backend=userRoot $BACKUP I end up in a semiworking environment - the webui doen't work - kinit does... ipa doesn't etc.. What fields in LDAP would i have to save and replace to get this working?

2 1

FreeIPA 4.8.1 on Fedora 31 (upgraded from F30) fails to start
by Wulf C. Krueger 05 Feb '20

05 Feb '20

Hello, my FreeIPA installation was working well on Fedora 30. After upgrading to F31, though, it fails to start: ---- # ipactl start IPA version error: data needs to be upgraded (expected version '4.8.1-4.fc31', current version '4.8.1-1.fc30') Automatically running upgrade, for details see /var/log/ipaupgrade.log Be patient, this may take a few minutes. Automatic upgrade failed: Update complete Upgrading the configuration of the IPA services [Verifying that root certificate is published] [Migrate CRL publish directory] CRL tree already moved IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd(a)pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd(a)pki-tomcat.service failed because a timeout was exceeded.\nSee "systemctl status pki-tomcatd(a)pki-tomcat.service" and "journalctl -xe" for details.\n') The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again Aborting ipactl ---- Logs: ipaupgrade.log: https://mailstation.de/ipa-logs/ipaupgrade.log pki-tomcatd@pki-tomcat log: https://mailstation.de/ipa-logs/pki-tomcatd@pki-tomcat.log pki-tomcat-ca-debug log: https://mailstation.de/ipa-logs/pki-tomcat-ca-debug.2019-11-02.log So it looks like the LDAP server isn't reachable but its log says it's running: https://mailstation.de/ipa-logs/dirsrv@MAILSTATION-DE.log There's nothing listening on ports 389 and 636, though. Help would be highly appreciated. Best regards, Wulf

6 24

pki-tomcat doesn't start, it can't update certificate
by Serge Barkov 04 Feb '20

04 Feb '20

I have a freeipa with two nodes. I have no problem with one of them but on the other one pki-tomcat can't start. ipacts starts with --ignore-service-failure and pki-tomcatd Service: STOPPED The first thing I found a certificate expired and I changed date back in time before expiration date. ipa-cacert-manage renew says ok but certificate for pki-tomcat doesn't work. getcert list shows all certificates are well but this one no: Request ID '20171110140549': status: CA_UNREACHABLE ca-error: Error 60 connecting to https://ipa0.domain.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates. stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=DOMAIN.COM subject: CN=ipa0.domain.com,O=DOMAIN.COM expires: 2019-10-31 14:05:23 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes [root@ipa0 pki-tomcat]# curl https://ipa0.domain.com:8443/ca/agent/ca/profileReview <!DOCTYPE html><html><head><title>Apache Tomcat/8.0.46 - Error report</title><style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}</style> </head><body><h1>HTTP Status 404 - /ca/agent/ca/profileReview</h1><div class="line"></div><p><b>type</b> Status report</p><p><b>message</b> <u>/ca/agent/ca/profileReview</u></p><p><b>description</b> <u>The requested resource is not available.</u></p><hr class="lin e"><h3>Apache Tomcat/8.0.46</h3></bod What can I do to make pki-tomcat work? How to repair the certificate?

3 13

Does anyone use phpldapadmin on FreeIPA/RH-IdM ?
by White, Daniel E. (GSFC-770.0)[NICS] 04 Feb '20

04 Feb '20

I am just curious to browse the LDAP information. Contrarywise, does anyone have any suggestions for a free, lightweight way to browse LDAP information in FreeIPA/RH-IdM ? ______________________________________________________________________________________________ Daniel E. White daniel.e.white(a)nasa.gov<mailto:daniel.e.white@nasa.gov> NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290

3 2

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users February 2020