February 2020 - FreeIPA-users - Fedora Mailing-Lists

Re: Is there any documentation for the ipapython library ?

by White, Daniel E. (GSFC-770.0)[NICS]

Many thanks for the ansible pointer, Alexander. As far as API automation, I see two immediate use-cases (and I will file an issue) 1. Some bundled commands for use by IdM admins for user management: Add a user along with all the necessary additional permissions. These would use the admin-user's current keytab. 2. Information gathering scripts. Is it possible to set up a read-only service keytab for this ? I want to use Python to be able to capture and process the responses without all the extra console output of the command line. ______________________________________________________________________________________________ Daniel E. White daniel.e.white(a)nasa.gov<mailto:daniel.e.white@nasa.gov> NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290 From: Alexander Bokovoy <abokovoy(a)redhat.com> Date: Wednesday, February 12, 2020 at 01:42 To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org> Cc: Daniel White <daniel.e.white(a)nasa.gov>, Rob Crittenden <rcritten(a)redhat.com> Subject: [EXTERNAL] Re: [Freeipa-users] Re: Is there any documentation for the ipapython library ? On ti, 11 helmi 2020, Rob Crittenden via FreeIPA-users wrote: White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote: I would like to create some python automation scripts using it. Only the limited docs within the file(s) themselves + usage found elsewhere within IPA. We are trying to keep the API more stable than the past by deprecating things we move but there is no guarantee (I've been bitten myself by this in the past). So use with care. Please also file tickets at pagure.io/freeipa/issues describing your intended use of API. We are planning to create a simpler API on top of existing one to make sure it is not preventing us to refactor internals where possible. Knowing use cases would help a lot. Also, ansible-freeipa project should provide you a healthy base for automation. It does have wrappers for many objects already, beyond just installing the servers and clients. -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

2 years, 6 months

2
1
0 / 0

Re: Is there any documentation for the ipapython library ?

by White, Daniel E. (GSFC-770.0)[NICS]

Thanks for the warning, Rob. I shall proceed with caution. ______________________________________________________________________________________________ Daniel E. White daniel.e.white(a)nasa.gov<mailto:daniel.e.white@nasa.gov> NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290 From: Rob Crittenden <rcritten(a)redhat.com> Date: Tuesday, February 11, 2020 at 18:57 To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org> Cc: Daniel White <daniel.e.white(a)nasa.gov> Subject: [EXTERNAL] Re: [Freeipa-users] Is there any documentation for the ipapython library ? White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote: I would like to create some python automation scripts using it. Only the limited docs within the file(s) themselves + usage found elsewhere within IPA. We are trying to keep the API more stable than the past by deprecating things we move but there is no guarantee (I've been bitten myself by this in the past). So use with care. rob

2 years, 6 months

1
0
0 / 0

Is there any documentation for the ipapython library ?

by White, Daniel E. (GSFC-770.0)[NICS]

I would like to create some python automation scripts using it. ______________________________________________________________________________________________ Daniel E. White daniel.e.white(a)nasa.gov<mailto:daniel.e.white@nasa.gov> NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290

2 years, 6 months

3
2
0 / 0

Policy-based DNS zone update by network range

by Vinícius Ferrão

Hello, I wasn't able to find any documentation regarding this specific topic, so I don’t even know if this is support. Consider that my FreeIPA server have two network interfaces: eth0 on 192.168.0.0/16 eth1 on 172.16.0.0/12 I would like the Dynamic DNS to register in different DNS domain zones: 192.168.0.0/16 would be: example.com<http://service.example.com> 172.16.0.0/12 would be: management.example.com<http://management.example.com> What happens now is that everything is registered to the same zone. So the same record have two IP entries, and this isn’t wasn’t I’m looking for. Anyway to solve this? Thanks,

2 years, 6 months

1
0
0 / 0

unsubscribe me please

by Devin Roark

see subject

2 years, 6 months

1
0
0 / 0

DNS to parent domain. How?

by Nicholas DeMarco

I'm probably not using the correct terminology, so giving me a starting point would be great. FreeIPA is authoritative for / master of 'identity.demarcohome.com'. Our common domain is 'demarcohome.com', and a BIND9 server is authoritative within our internal network for that zone. DiG-ging 'demarcohome.com' shows it's not authoritative outside our network. If there's a better way to do this dual / split personality DNS that *is straightforward for a mere mortal*, please share it. Otherwise, how do I make FreeIPA respond to queries for '*.demarcohom.com' records. I've already made a forward zone for 'demarcohome.com' and populated it with a few records. Querying the ipa server for those records returns no answer. I'd show some command line examples, but I'm still working through the ipa dns commands. Here's a DiG query for a server with a record in zone ' demarcohome.com': [nick@ipa1 ~]$ dig vcenter.demarcohome.com ; <<>> DiG 9.11.14-RedHat-9.11.14-2.fc31 <<>> vcenter.demarcohome.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33303 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: 789ce7f015d2b67d5abfa8635e42b601057c47bc7fc1b041 (good) ;; QUESTION SECTION: ;vcenter.demarcohome.com. IN A ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Tue Feb 11 09:11:13 EST 2020 ;; MSG SIZE rcvd: 80

2 years, 6 months

1
0
0 / 0

ipa-ca-install fails on directory manager password

by Nicholas DeMarco

After successfully promoting an IPA server to a replica, ipa-ca-install fails with "Directory Manager password is invalid" This noob would appreciate a command and example to verify I have the correct directory manager password. I've looked through this page: https://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpas... but haven't been successful in getting dsconf or ldapmodify to work. server: ipa1.identity.demarcohome.com. instance: slapd-IDENTITY-DEMARCOHOME-COM # dsconf -D "cn=Directory Manager" slapd-IDENTITY-DEMARCOHOME-COM directory_manager password_change Error: Could not find configuration for instance: slapd-IDENTITY-DEMARCOHOME-COM

2 years, 6 months

2
5
0 / 0

ipa ad trust ldap signing

by Rob Verduijn

Hello , Next month microsoft is going to enforce ldap signing. https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023 Will this have an impact on ipa domain with an ad trust ? Rob

2 years, 6 months

1
0
0 / 0

Additional Check for checkipaconsistency - KRA

by Jochen Hein

Hallo, right now checkipaconsistency reports an error when not all IPA servers havew AD trust enabled. My first two IPA servers running CentOS 7 do have KRA enabled, but installing KRA on a new CentOS 8 replica failed. Would it be useful to check that in checkipaconsistency? If yes, here's my first shot at it. diff --git a/checkipaconsistency/freeipaserver.py b/checkipaconsistency/freeipaserver.py index bdefe70..a58419b 100644 --- a/checkipaconsistency/freeipaserver.py +++ b/checkipaconsistency/freeipaserver.py @@ -49,6 +49,7 @@ class FreeIPAServer(object): self.ghosts = None self.bind = None self.msdcs = None + self.kra = None self.replicas = None self.healthy_agreements = False @@ -94,6 +95,7 @@ class FreeIPAServer(object): self.conflicts = self._count_ldap_conflicts() self.ghosts = self._ghost_replicas() self.bind = self._anon_bind() + self.kra = self._kra() self.msdcs = self._ms_adtrust() self.replicas, self.healthy_agreements = self._replication_agreements() @@ -385,6 +387,25 @@ class FreeIPAServer(object): self._log.debug(r) return r + def _kra(self): + self._log.debug('Checking KRA...%s' % self._fqdn) + r = False + results = self._search( + 'cn=KRA,cn=%s,cn=masters,cn=ipa,cn=etc,%s' % ( self._fqdn , self._base_dn), + '(ipaConfigString=*)', + ['ipaConfigString'] + ) + self._log.debug(results) + if type(results) == list and len(results) > 0: + #dn, attrs = results[0] + + #e = attrs['ipaConfigString'][1].decode('utf-8') + #r = e['enabledService'].decode('utf-8') + r = True + else: + r = False + return r + def _ms_adtrust(self): self._log.debug('Checking for MS ADTrust DNS records...') record = '_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.%s' % self._domain diff --git a/checkipaconsistency/main.py b/checkipaconsistency/main.py index 858b89a..242418e 100755 --- a/checkipaconsistency/main.py +++ b/checkipaconsistency/main.py @@ -134,6 +134,7 @@ class Main(object): ('ghosts', 'Ghost Replicas'), ('bind', 'Anonymous BIND'), ('msdcs', 'Microsoft ADTrust'), + ('kra', 'KRA Status'), ('replicas', 'Replication Status') ]) @@ -156,7 +157,7 @@ class Main(object): parser.add_argument('-n', nargs='?', dest='nagios_check', help='Nagios plugin mode', default='not_set', choices=['', 'all', 'users', 'susers', 'pusers', 'hosts', 'services', 'ugroups', 'hgroups', 'ngroups', 'hbac', 'sudo', 'zones', 'certs', 'conflicts', 'ghosts', 'bind', - 'msdcs', 'replicas']) + 'msdcs', 'kra', 'replicas']) parser.add_argument('-w', '--warning', type=int, dest='warning', default=1, help='number of failed checks before warning (default: %(default)s)') parser.add_argument('-c', '--critical', type=int, dest='critical', Jochen -- This space is intentionally left blank.

2 years, 6 months

1
0
0 / 0

How to restrict FreeIPA's from registering external IPs on DNS?

by Vinícius Ferrão

Hello, My FreeIPA server have two IP addresses. It registers itself with the internal and the external addresses. There’s a way to only register the IPs from the internal interfaces? Example: ipa-ca A 172.26.255.254 A 146.164.29.90 nodacabeca A 146.164.29.90 A 172.26.255.254 I only want the entries from the network 172.26.0.0/16. Thanks, V.

2 years, 6 months

2
2
0 / 0

2022

2021

2020

2019

2018

2017

FreeIPA-users February 2020