How to configure freeipa hidden replica
by Monkey Bizness
Hi,
I'll add a hidden replica to do all the management stuff.
Notably I would like to back up all configuration (DNS, CA, users,
groups, hosts, AD trust, etc.).
1st question: Is it possible?
2nd question: Is it a good idea?
3rd question: Does that replica need to have all the features from the
other replicas enabled?
For instance, to back up the DNS config but not serve as a DNS server,
should the DNS feature still be enabled?
Thank you
Monkey
1 year, 11 months
FreeIPA Bastion Adding a new Shema
by G Col
Dear FreeIPA team,
We have been trying to add a new attribute to our FreeIPA LDAP configuration from the command line, but it seemed not to work as expected.
I provide the steps below:
```
cd /usr/share/ipa
ipa-ldap-updater --schema-file 01auhkey.ldif
```
File content (the content is quite generic and nothing in particular is customised on the template below):
```
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 2.25.28639311321113238241701611583088740684.14.2.1.1
  NAME 'authKey'
  EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  X-ORIGIN 'Extending FreeIPA' )
-
add: objectClasses
objectClasses: ( 2.25.28639311321113238241701611583088740684.14.2.2.1
  NAME '*****Account'
  SUP top
  AUXILIARY
  MAY ( authKey )
  X-ORIGIN 'Extending FreeIPA' )
```
Logs after executing the command:
```
2021-10-20T09:43:19Z DEBUG importing plugin module ipaserver.install.plugins.update_uniqueness
2021-10-20T09:43:19Z DEBUG importing plugin module ipaserver.install.plugins.upload_cacrt
2021-10-20T09:43:20Z DEBUG Created connection context.ldap2_139992050688208
2021-10-20T09:43:20Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-HOOYU-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f526fe1f3f8>
2021-10-20T09:43:21Z DEBUG Processing schema LDIF file 01authkey.ldif
2021-10-20T09:43:21Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 143, in run
    ldapi=True) or modified
  File "/usr/lib/python2.7/site-packages/ipaserver/install/schemaupdate.py", line 129, in update_schema
    _dn, new_schema = ldap.schema.subentry.urlfetch(url)
  File "/usr/lib64/python2.7/site-packages/ldap/schema/subentry.py", line 480, in urlfetch
    ldif_file = urllib.urlopen(uri)
  File "/usr/lib64/python2.7/urllib.py", line 87, in urlopen
    return opener.open(url)
  File "/usr/lib64/python2.7/urllib.py", line 210, in open
    return getattr(self, name)(url)
  File "/usr/lib64/python2.7/urllib.py", line 463, in open_file
    return self.open_ftp(url)
  File "/usr/lib64/python2.7/urllib.py", line 522, in open_ftp
    host = socket.gethostbyname(host)
2021-10-20T09:43:21Z DEBUG The ipa-ldap-updater command failed, exception: IOError: [Errno socket error] [Errno -2] Name or service not known
2021-10-20T09:43:21Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
IOError: [Errno socket error] [Errno -2] Name or service not known
2021-10-20T09:43:21Z ERROR The ipa-ldap-updater command failed. See /var/log/ipaupgrade.log for more information
```
All the best,
gcol
1 year, 11 months
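The traceback above goes from `urlfetch` into `open_ftp` and a DNS lookup, which is what happens when a bare relative filename is glued onto `file://`: the filename lands in the URL's host slot. The following is an added illustration, not FreeIPA's code; it assumes the updater builds the URL from the path exactly as given, and `naive_file_url`, `safe_file_url` and `url_host` are this example's own names.

```python
from pathlib import Path
from urllib.parse import urlsplit


def naive_file_url(path: str) -> str:
    """Build a file:// URL by plain string concatenation (assumed here to be what
    produced the lookup of "01authkey.ldif" in the traceback above)."""
    return "file://" + path


def safe_file_url(path: str) -> str:
    """Resolve the path to an absolute one first, so the URL's host part is always empty."""
    return Path(path).resolve().as_uri()


def url_host(url: str) -> str:
    """The host component a URL library would hand to the resolver."""
    return urlsplit(url).netloc


if __name__ == "__main__":
    # Relative name: the file name becomes the host. Absolute path: no host at all.
    for url in (naive_file_url("01authkey.ldif"),
                naive_file_url("/usr/share/ipa/01authkey.ldif"),
                safe_file_url("01authkey.ldif")):
        print(f"{url!r:55} host={url_host(url)!r}")
```

With `cd /usr/share/ipa` the relative name looks convenient, but the same file given as an absolute path avoids the host lookup entirely.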
Unable to install FreeIPA when crypto-policy = FUTURE
by Jeffrey van Pelt
Hi all,
Currently I'm setting up a FreeIPA instance on EL8 with the
crypto-policy set to FUTURE.
When running the ipa-server-install program, it errors out when setting
up the PKI infrastructure.
Below is the command I ran:
```
ipa-server-install --pki-config-override /root/freeipa_pki_override.cfg \
    --setup-adtrust -p Banana123! -a Banana123! -r EXAMPLE.COM -U
```
As this command already shows, I already have some PKI override settings
to ensure all created keys are 4096 bits long:
```
[CA]
pki_ca_signing_key_size=4096
[DEFAULT]
pki_admin_key_size=4096
pki_audit_signing_key_size=4096
pki_sslserver_key_size=4096
pki_subsystem_key_size=4096
```
And even despite these settings, the command errors out giving me the
message as below:
```
..truncated..
[22/28]: enabling CA instance
[23/28]: migrating certificate profiles to LDAP
[24/28]: importing IPA certificate profiles
[error] NetworkError: cannot connect to 'https://ipa.lbhr.htm.lan:8443/ca/rest/account/login': [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542)
cannot connect to 'https://ipa.lbhr.htm.lan:8443/ca/rest/account/login': [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542)
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```
So _some_ certificate _somewhere_ is not strong enough, but I can't find
which one it is and how to ensure it's strengthened sufficiently.
When I check the log file it shows basically the same message (except
with a lot of Python stack traces with 'NetworkError').
When I revert the crypto-policy back to DEFAULT the command as shown
above will succeed.
Anyone have a clue? :)
Cheers!
--
Kind regards,
Jeff
1 year, 11 months
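The error names the end-entity ("ee") key of the certificate the listener on port 8443 presented, and the FUTURE policy rejects RSA keys shorter than 3072 bits, so the next thing to measure is that certificate rather than the configured sizes. As an added example (not FreeIPA's or Dogtag's code), the following reads the RSA modulus size out of a DER certificate with a minimal parser; `server_leaf_key_bits`, `sample_cert` and the helpers are this example's own names, and the sample certificate is constructed, unsigned, and used only to exercise the parser.

```python
import ssl

FUTURE_MIN_RSA_BITS = 3072  # the RHEL 8 FUTURE policy rejects RSA keys shorter than this
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(cert_der):
    """RSA modulus size in bits of a DER X.509 certificate; None if the key is not RSA."""
    _, pos, _ = _tlv(cert_der, 0)                 # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)               # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                               # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                            # serial, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    _, pos, _ = _tlv(cert_der, pos)               # SubjectPublicKeyInfo SEQUENCE
    _, alg, bitstr = _tlv(cert_der, pos)          # AlgorithmIdentifier, then the key BIT STRING
    _, oid_s, oid_e = _tlv(cert_der, alg)
    if cert_der[oid_s:oid_e] != RSA_ENCRYPTION_OID:
        return None
    _, pos, _ = _tlv(cert_der, bitstr)            # BIT STRING: first byte is the unused-bit count
    _, pos, _ = _tlv(cert_der, pos + 1)           # RSAPublicKey SEQUENCE
    _, m_s, m_e = _tlv(cert_der, pos)             # modulus INTEGER
    return int.from_bytes(cert_der[m_s:m_e], "big").bit_length()

def server_leaf_key_bits(host, port=8443):
    # Fetch the end-entity ("ee") certificate a listener presents and measure its key. Run this
    # from a host on the DEFAULT policy: under FUTURE the handshake itself fails with EE_KEY_TOO_SMALL.
    pem = ssl.get_server_certificate((host, port))
    return rsa_modulus_bits(ssl.PEM_cert_to_DER_cert(pem))

def _der(tag, body):  # minimal DER encoder, used only to build the constructed sample below
    n = len(body)
    lb = b"" if n < 128 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 128 else 0x80 | len(lb)]) + lb + body

def sample_cert(bits):
    """Constructed, unsigned certificate skeleton whose RSA modulus is exactly `bits` bits."""
    modulus = (1 << (bits - 1)) | 1
    key = _der(0x30, _der(0x02, b"\x00" + modulus.to_bytes(bits // 8, "big")) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b"")) + _der(0x03, b"\x00" + key))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") * 4 + spki)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
```

Comparing the returned size against `FUTURE_MIN_RSA_BITS` for the certificate on 8443 (and for each certificate in the chain it serves) identifies which key the policy is refusing.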
Deletion from distribution list
by Guillermo Colmena
Hi, I would like to be removed from the distribution list. Let me know if
there is anything I can do.
Best regards,
Guillermo
1 year, 11 months
ipahealth keeps complaining even after re-initialize
by Kees Bakker
Hi,
This morning we ran into a problem after updating 389-ds-base to 1.4.4.17 (hoping to solve a trimming [1] issue).
The ns-slapd server ended up in a deadlock so I had to revert.
Since then we have ipahealthcheck reporting CRITICAL "is not in synchronization" errors. Also, on one of the replicas there is a message "Incremental update failed and requires administration action". Although I'm the administrator myself I wasn't quite sure what to do. Somewhere I read that I should do a re-initialize. One of the three replicas/masters is still behaving normally (I hope). So I took that one as the source for the re-initialize.
I did both commands, ipa-replica-manage and ipa-csreplica-manage, with re-initialize. Both commands succeeded.
However, ipahealthcheck keeps complaining. I would like to know where else I should look to figure out the problem.
```
[
  {
    "source": "ipahealthcheck.ds.replication",
    "check": "ReplicationCheck",
    "result": "CRITICAL",
    "uuid": "d44af6bf-f7e4-44de-b9c6-f32398ecf7f9",
    "when": "20211018104930Z",
    "duration": "0.103066",
    "kw": {
      "key": "DSREPLLE0001",
      "items": [
        "Replication",
        "Agreement"
      ],
      "msg": "The replication agreement (linge.example.com-to-iparep4.example.com) under \"dc=example,dc=com\" is not in synchronization."
    }
  },
  {
    "source": "ipahealthcheck.ds.replication",
    "check": "ReplicationCheck",
    "result": "CRITICAL",
    "uuid": "239ad7db-8067-4623-b950-5237bef711f6",
    "when": "20211018104930Z",
    "duration": "0.103075",
    "kw": {
      "key": "DSREPLLE0001",
      "items": [
        "Replication",
        "Agreement"
      ],
      "msg": "The replication agreement (metorotte.example.com) under \"dc=example,dc=com\" is not in synchronization."
    }
  },
  {
    "source": "ipahealthcheck.ds.replication",
    "check": "ReplicationCheck",
    "result": "CRITICAL",
    "uuid": "b5fc5f97-08cb-4d26-88cf-33dc04f8498f",
    "when": "20211018104930Z",
    "duration": "0.103077",
    "kw": {
      "key": "DSREPLLE0001",
      "items": [
        "Replication",
        "Agreement"
      ],
      "msg": "The replication agreement (catorotte.example.com) under \"o=ipaca\" is not in synchronization."
    }
  },
  {
    "source": "ipahealthcheck.ds.replication",
    "check": "ReplicationCheck",
    "result": "CRITICAL",
    "uuid": "e633752c-6d5e-4fb7-91e2-218cb514dd61",
    "when": "20211018104930Z",
    "duration": "0.103078",
    "kw": {
      "key": "DSREPLLE0001",
      "items": [
        "Replication",
        "Agreement"
      ],
      "msg": "The replication agreement (linge.example.com-to-iparep4.example.com) under \"o=ipaca\" is not in synchronization."
    }
  }
]
```
[1] https://github.com/389ds/389-ds-base/pull/4895
--
Kees
1 year, 11 months
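The report above mixes findings for the domain suffix (dc=example,dc=com) with findings for the CA suffix (o=ipaca), and the two are re-initialized with different tools, ipa-replica-manage and ipa-csreplica-manage, as the post itself did. As an added example (not ipa-healthcheck's code), this parses JSON of that shape, extracts the agreement and suffix from each DSREPLLE0001 message, and groups them by suffix; the sample report is constructed from the placeholders above, and the function names are this example's own.

```python
import json
import re

# Constructed sample in the shape of `ipa-healthcheck --output-type json`; the hostnames are
# the example.com placeholders from the report above, plus one healthy entry for contrast.
SAMPLE_REPORT = json.dumps([
    {"source": "ipahealthcheck.ds.replication", "check": "ReplicationCheck", "result": "CRITICAL",
     "kw": {"key": "DSREPLLE0001", "msg": "The replication agreement "
            "(linge.example.com-to-iparep4.example.com) under \"dc=example,dc=com\" is not in synchronization."}},
    {"source": "ipahealthcheck.ds.replication", "check": "ReplicationCheck", "result": "CRITICAL",
     "kw": {"key": "DSREPLLE0001", "msg": "The replication agreement "
            "(catorotte.example.com) under \"o=ipaca\" is not in synchronization."}},
    {"source": "ipahealthcheck.ds.replication", "check": "ReplicationCheck", "result": "SUCCESS", "kw": {}},
])

AGREEMENT_RE = re.compile(r'agreement \((?P<agreement>[^)]+)\) under "(?P<suffix>[^"]+)"')


def tool_for_suffix(suffix):
    """The CA suffix o=ipaca is managed with ipa-csreplica-manage, the domain suffix with ipa-replica-manage."""
    return "ipa-csreplica-manage" if suffix.lower() == "o=ipaca" else "ipa-replica-manage"


def failing_agreements(report_json):
    """Return [(suffix, agreement, tool)] for every CRITICAL DSREPLLE0001 finding."""
    found = []
    for entry in json.loads(report_json):
        kw = entry.get("kw") or {}
        if entry.get("result") != "CRITICAL" or kw.get("key") != "DSREPLLE0001":
            continue
        m = AGREEMENT_RE.search(kw.get("msg", ""))
        if m:  # skip findings whose message does not name an agreement
            found.append((m.group("suffix"), m.group("agreement"), tool_for_suffix(m.group("suffix"))))
    return found


def by_suffix(report_json):
    """Group failing agreement names by suffix so domain and CA replication are triaged separately."""
    grouped = {}
    for suffix, agreement, _ in failing_agreements(report_json):
        grouped.setdefault(suffix, []).append(agreement)
    return grouped
```

For each agreement listed, `ipa-replica-manage list -v <host>` (or `ipa-csreplica-manage list -v <host>` for o=ipaca) prints the last update status from that host's side, which is the next place to look when the check still reports DSREPLLE0001 after a re-initialize.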
firewall rules for AD trust
by iulian roman
Hello everybody,
I have an IdM setup configured with AD trust. I would like to know if the systems in the DMZ need to have firewall ports opened only for the IPA servers, or whether they need to access the AD domain controllers as well? Apparently, with only the rules for the IPA servers, the authentication does not work.
Thanks,
iulian
1 year, 11 months
Re: Problems after replacing SSL certificates
by Muhammed Ali Yeter
Hello, I've been suffering from the same problem. I applied ipa-server-certinstall without adding the CA first. I applied your steps and added my ca.crt to /etc/ipa/ca.crt and /etc/ipa/nssdb with certutil; after that I ran ipa-certupdate and it fails again.
```
[root@xxx ~]# certutil -d sql:/etc/ipa/nssdb/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Xxx IPA CA                                                   CT,C,C
globalsign                                                   CT,C,C
```
After this I ran ipa-certupdate and it says
```
cannot connect to 'any of the configured servers': … (list of my IPA servers goes here)
The ipa-certupdate command failed.
```
Should I do this process for all servers, or am I missing something? Related to this problem, I am having login failures at the web UI. Would it work if I created a new db and added my GlobalSign CA there? Do I need the self-signed IPA CA?
Thanks.
1 year, 11 months
FreeIPA trust with Samba AD DC - Is it possible in 2021?
by Jakub Novak
Hi.
Is it possible to create a trust between FreeIPA (v. 4.9.6) and Samba AD DC (v. 4.13.5)?
I tried to create the trust via this command:
```
ipa -d -v trust-add --type ad --two-way=true ad.idp.t.dom --admin Administrator --password
```
(the same command works correctly with Microsoft AD, but I need it with Samba AD DC)
but I always get this error:
```
ipa: ERROR: an internal error has occurred
```
Is it even possible to create trust between them? What do I need to do?
Thanks
1 year, 11 months
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Start tag expected, '<' not found, line 1, column 1)
by Natxo Asenjo
hi,
I have a lab test with Fedora 34 (latest patches) and everything works OK
except the CA:
```
# ipa -d cert-find
ipa: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
ipa: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$af90c5da...
ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$af90c5da.plugins
ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
ipa: DEBUG: importing plugin module ipaclient.plugins.automember
ipa: DEBUG: importing plugin module ipaclient.plugins.automount
ipa: DEBUG: importing plugin module ipaclient.plugins.ca
ipa: DEBUG: importing plugin module ipaclient.plugins.cert
ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipa: DEBUG: importing plugin module ipaclient.plugins.dns
ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipa: DEBUG: importing plugin module ipaclient.plugins.host
ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
ipa: DEBUG: importing plugin module ipaclient.plugins.internal
ipa: DEBUG: importing plugin module ipaclient.plugins.location
ipa: DEBUG: importing plugin module ipaclient.plugins.migration
ipa: DEBUG: importing plugin module ipaclient.plugins.misc
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
ipa: DEBUG: importing plugin module ipaclient.plugins.permission
ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipa: DEBUG: importing plugin module ipaclient.plugins.server
ipa: DEBUG: importing plugin module ipaclient.plugins.service
ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipa: DEBUG: importing plugin module ipaclient.plugins.topology
ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: found session_cookie in persistent storage for principal 'admin@L.EXAMPLE.ORG', cookie: 'ipa_session=MagBearerToken=oPsa86TucvUeZr9Ci3U1%2bRngbEyOxqkT55jYVP7d0%2b8nRDN2oemtH9vhs%2f1t8Skcz7uP0mbPdH2%2fnVYD8hdqtG0LMeml%2blPGNJjjJCEaQY0%2fjESuTTwACqY56q%2bWVXcfYIi22z0jjS%2foo7edWI0VvSi1OFcPMYiGAjCneS2uRxzFbXKtNeHcviqhRYubdy%2fOHJ5R34QJSZdiNXsDc0CAHA%3d%3d'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=oPsa86TucvUeZr9Ci3U1%2bRngbEyOxqkT55jYVP7d0%2b8nRDN2oemtH9vhs%2f1t8Skcz7uP0mbPdH2%2fnVYD8hdqtG0LMeml%2blPGNJjjJCEaQY0%2fjESuTTwACqY56q%2bWVXcfYIi22z0jjS%2foo7edWI0VvSi1OFcPMYiGAjCneS2uRxzFbXKtNeHcviqhRYubdy%2fOHJ5R34QJSZdiNXsDc0CAHA%3d%3d;'
ipa: DEBUG: trying https://kdc.l.example.org/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_140261006164032
ipa: DEBUG: raw: cert_find(None, version='2.243')
ipa: DEBUG: cert_find(None, version='2.243')
ipa: DEBUG: [try 1]: Forwarding 'cert_find/1' to json server 'https://kdc.l.example.org/ipa/session/json'
ipa: DEBUG: New HTTP connection (kdc.l.example.org)
ipa: DEBUG: Destroyed connection context.rpcclient_140261006164032
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Start tag expected, '<' not found, line 1, column 1)
```
In Apache that is the error as well; in PKI I see this:
```
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: Searching for certificates
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: PKIService: Request class: CertSearchRequest
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: PKIService: Request format: application/xml
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: PKIService: XML request:
<?xml version='1.0' encoding='UTF-8'?>
<CertSearchRequest><serialNumberRangeInUse>true</serialNumberRangeInUse><subjectInUse>false</subjectInUse><matchExactly>false</matchExactly><revokedByInUse>false</revokedByInUse><revokedOnInUse>false</revokedOnInUse><revocationReasonInUse>false</revocationReasonInUse><issuedByInUse>false</issuedByInUse><issuedOnInUse>false</issuedOnInUse><validNotBeforeInUse>false</validNotBeforeInUse><validNotAfterInUse>false</validNotAfterInUse><validityLengthInUse>false</validityLengthInUse><certTypeInUse>false</certTypeInUse></CertSearchRequest>
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: Search filter: (certstatus=*)
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: filter: (certStatus=*)
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: dn: cn=11,ou=certificateRepository,ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: Search results: 11
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: filter: (certStatus=*)
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: dn: cn=1,ou=certificateRepository,ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: dn: cn=2,ou=certificateRepository,ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: dn: cn=3,ou=certificateRepository,ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: dn: cn=4,ou=certificateRepository,ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: dn: cn=5,ou=certificateRepository,ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: dn: cn=6,ou=certificateRepository,ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: dn: cn=7,ou=certificateRepository,ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: dn: cn=8,ou=certificateRepository,ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: dn: cn=9,ou=certificateRepository,ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: dn: cn=10,ou=certificateRepository,ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: DBVirtualList: dn: cn=11,ou=certificateRepository,ou=ca,o=ipaca
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: PKIService: Response format: application/json
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: PKIService: Response class: CertDataInfos
```
The XML request looks OK (valid XML).
Googling finds some bugs with mod_deflate, but turning it off breaks httpd.
Any idea how to fix it?
Regards,
Natxo
--
Regards,
natxo
1 year, 11 months
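In the PKI log above the same request thread records `Request format: application/xml` and then `Response format: application/json`, and the client error "Start tag expected, '<' not found" is what an XML parser reports when the body it is handed does not begin with `<`. As an added example (not FreeIPA's or Dogtag's code), this pairs the request and response formats per thread over a constructed excerpt in that log's shape and flags the pairs that disagree; the sample lines and the function names are this example's own.

```python
import re

# Constructed excerpt in the shape of the Dogtag (pki) log lines quoted above: one thread whose
# request and response formats differ, and a second thread where they agree.
SAMPLE_PKI_LOG = """\
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: PKIService: Request class: CertSearchRequest
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: PKIService: Request format: application/xml
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: Search results: 11
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: PKIService: Response format: application/json
2021-10-15 19:40:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: PKIService: Response class: CertDataInfos
2021-10-15 19:41:02 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-9] INFO: PKIService: Request format: application/json
2021-10-15 19:41:02 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-9] INFO: PKIService: Response format: application/json
"""

LINE_RE = re.compile(r"^\S+ \S+ \[(?P<thread>[^\]]+)\] INFO: PKIService: "
                     r"(?P<what>Request|Response) format: (?P<fmt>\S+)$")


def format_mismatches(log_text):
    """Pair each 'Request format' with the next 'Response format' on the same thread and
    return [(thread, request_fmt, response_fmt)] for the pairs whose formats differ.
    Tomcat reuses thread names serially, so a thread's open request is the one in flight."""
    open_requests, mismatches = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, fmt = m.group("thread"), m.group("fmt")
        if m.group("what") == "Request":
            open_requests[thread] = fmt
        elif thread in open_requests:
            requested = open_requests.pop(thread)
            if requested != fmt:
                mismatches.append((thread, requested, fmt))
    return mismatches


def looks_like_xml(body):
    """The check the client's XML parser effectively failed: does the body start with '<'?"""
    return body.lstrip().startswith("<")
```

Running `format_mismatches` over the full /var/log/pki/pki-tomcat/ca/debug output shows whether every cert-find call gets a JSON body back for an XML request, which is what the client-side error is consistent with.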