From jrobertm8 at yahoo.com Mon Aug 3 04:09:04 2009
From: jrobertm8 at yahoo.com (John Robert Mendoza)
Date: Mon, 3 Aug 2009 12:09:04 +0800 (SGT)
Subject: [Freeipa-users] ldif import
Message-ID: <676912.58461.qm@web76301.mail.sg1.yahoo.com>

Guys,

I want to know, how do I change ACIs for the members of the database? For example, I don't want a member of a group to be able to search the database. Thanks.

John Robert Mendoza

From rcritten at redhat.com Mon Aug 3 13:31:18 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 03 Aug 2009 09:31:18 -0400
Subject: [Freeipa-users] ldif import
In-Reply-To: <676912.58461.qm@web76301.mail.sg1.yahoo.com>
References: <676912.58461.qm@web76301.mail.sg1.yahoo.com>
Message-ID: <4A76E6A6.70003@redhat.com>

John Robert Mendoza wrote:
> Guys,
>
> I want to know, how do I change ACIs for the members of the database.
> For example, I don't want a member of a group to be able to search the
> database. Thanks.
>
> John Robert Mendoza

To do this you would need to also disable anonymous access (the 389 default), which would have a rather broad impact. You would have to create a user that nss_ldap would use to bind to the server, and other LDAP applications assume that anonymous binds will work as well. I took a brief look at this but we have no instructions currently on how to do this.

Just so I understand, you want a particular group to not be able to search at all? Your subject differs from the question too; was there something else as well?

rob
From jrobertm8 at yahoo.com Mon Aug 10 08:22:57 2009
From: jrobertm8 at yahoo.com (John Robert Mendoza)
Date: Mon, 10 Aug 2009 16:22:57 +0800 (SGT)
Subject: [Freeipa-users] replication error
Message-ID: <395781.83572.qm@web76301.mail.sg1.yahoo.com>

Hi to all,

I believe that this bug has been reported, but is there any way I can persist replication of FreeIPA servers in Fedora 11? It seems that when I try to set up replication with another machine with ipa-replica-install, it does not continue to finish but halts when the directory server restarts. I read that this has been a bug with regards to the certificates. Is there any way I can push through with replication? Thanks.

John Robert Mendoza

From jnilsson at uci.edu Mon Aug 10 16:27:53 2009
From: jnilsson at uci.edu (Jonathan Nilsson)
Date: Mon, 10 Aug 2009 09:27:53 -0700
Subject: [Freeipa-users] replication error
In-Reply-To: <395781.83572.qm@web76301.mail.sg1.yahoo.com>
References: <395781.83572.qm@web76301.mail.sg1.yahoo.com>
Message-ID: <4b9c9ec70908100927u74f4b933xbf670f986d7612f6@mail.gmail.com>

I successfully set up replication between two Fedora 11 FreeIPA v1.2.1-5 servers using the patch in comment #5 from this bug report:

https://bugzilla.redhat.com/show_bug.cgi?id=509111

As an additional note, I realize that comment #5 is supposedly for Fedora 10; however, I was unable to use either of Rob Crittenden's patches that he references in comments #3 and #4 from that same bug report.
This is because he references a file that does not exist in my installation:

/usr/lib/python2.6/site-packages/ipaserver/install/certs.py

Instead, I patched this file, which is similar but not exactly the same:

/usr/lib/python2.6/site-packages/ipaserver/certs.py

I was able to find the function "find_root_cert(self, nickname):" and add the single line ' return "CA certificate" ' as the patch states.

-- 
Jonathan Nilsson

On Mon, Aug 10, 2009 at 01:22, John Robert Mendoza wrote:
> Hi to all,
>
> I believe that this bug has been reported but is there any way I can
> persist replication of FreeIPA servers in Fedora 11. It seems that when I
> try to set up replication with another machine with
> ipa-replica-install, it does not continue to finish but halts when the
> directory server restarts. I read that this has been a bug with regards to
> the certificates. Is there any way I can push through with replication.
> Thanks.
>
> John Robert Mendoza

From m.s.hannessen at drecomm.nl Tue Aug 11 13:01:07 2009
From: m.s.hannessen at drecomm.nl (Mark Hannessen)
Date: Tue, 11 Aug 2009 15:01:07 +0200
Subject: [Freeipa-users] Change Password From Web App
Message-ID: <200908111501.07658.m.s.hannessen@drecomm.nl>

Hi List,

Does anyone know if it is possible to change the password of a user from a web application other than FreeIPA itself?

In some of the web apps we have, we want to integrate the ability for users to change their password. But since FreeIPA uses Kerberos as well, I am not sure how safe it would be to do this directly through LDAP.

Does anyone have any hints on how to best approach this?
Kind Regards,
Mark Hannessen

From support at drecomm.nl Tue Aug 11 12:20:02 2009
From: support at drecomm.nl (Mark Hannessen)
Date: Tue, 11 Aug 2009 14:20:02 +0200
Subject: [Freeipa-users] Change Password From Web App
Message-ID: <200908111420.03028.support@drecomm.nl>

Hi List,

Does anyone know if it is possible to change the password of a user from a web application other than FreeIPA itself?

In some of the web apps we have, we want to integrate the ability for users to change their password. But since FreeIPA uses Kerberos as well, I am not sure how safe it would be to do this directly through LDAP.

Does anyone have any hints on how to best approach this?

Kind Regards,
Mark Hannessen

From rcritten at redhat.com Tue Aug 11 14:26:28 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Aug 2009 10:26:28 -0400
Subject: [Freeipa-users] Change Password From Web App
In-Reply-To: <200908111501.07658.m.s.hannessen@drecomm.nl>
References: <200908111501.07658.m.s.hannessen@drecomm.nl>
Message-ID: <4A817F94.8030201@redhat.com>

Mark Hannessen wrote:
> Hi List,
>
> Does anyone know if it is possible to change the password of a user from a web
> application other than FreeIPA itself?
>
> In some of the web apps we have we want to integrate the ability for users to
> change their password. But since FreeIPA uses Kerberos as well, I am not sure
> how safe it would be to do this directly through LDAP.
>
> Does anyone have any hints on how to best approach this?

Whenever a password is changed we update all passwords (LDAP, Kerberos, etc). So you can do a password change over LDAP and this will also update the Kerberos key.

If you change another user's password (e.g. admin reset) then that user will need to change their password on the first kinit. You can change your own password without requiring a reset.

rob
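Rob's answer above is that a password change made over LDAP also updates the Kerberos key. The operation that does this cleanly is the LDAP Password Modify extended operation (RFC 3062), which is what the ldappasswd command sends: the new password travels in plaintext inside the request (protected by TLS), so the server side can derive the Kerberos keys from it. A value that is already hashed, such as the {MD5}... userPassword form that comes up later in this thread, cannot be turned into Kerberos keys, which is why sending one breaks Kerberos logins. The following is an added example, not code from FreeIPA or from anyone on this thread. It builds the exact BER payload of a Password Modify request so you can see what crosses the wire, decodes it back as a check, and flags pre-hashed userPassword values. The OID and tags are RFC 3062 / RFC 4511; the DN and passwords are made up.

```python
"""Added example: what an RFC 3062 Password Modify request looks like on the
wire, and why a pre-hashed userPassword value is the wrong thing to send to
an IPA server.  Not FreeIPA code; the DN and passwords below are made up."""
from typing import Dict, Optional, Tuple

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"   # RFC 3062 requestName


# --- minimal BER helpers ---------------------------------------------------

def ber_length(n: int) -> bytes:
    """Definite-form BER length: one byte below 128, else 0x8N + N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(n: int) -> bytes:
    """Two's-complement INTEGER contents (message IDs are small positives)."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position just after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


# --- RFC 3062 ---------------------------------------------------------------

def passwd_modify_value(user_identity: Optional[str] = None,
                        old_passwd: Optional[str] = None,
                        new_passwd: Optional[str] = None) -> bytes:
    """PasswdModifyRequestValue ::= SEQUENCE {
         userIdentity [0] OCTET STRING OPTIONAL,
         oldPasswd    [1] OCTET STRING OPTIONAL,
         newPasswd    [2] OCTET STRING OPTIONAL }
    Context-specific primitive tags: [0]=0x80, [1]=0x81, [2]=0x82."""
    fields = b""
    for tag, text in ((0x80, user_identity), (0x81, old_passwd), (0x82, new_passwd)):
        if text is not None:
            fields += tlv(tag, text.encode("utf-8"))
    return tlv(0x30, fields)


def decode_passwd_modify_value(value: bytes) -> Dict[str, str]:
    """Inverse of passwd_modify_value; used here to check the encoder."""
    names = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}
    tag, body, end = read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("not a PasswdModifyRequestValue")
    out, pos = {}, 0
    while pos < len(body):
        tag, contents, pos = read_tlv(body, pos)
        out[names[tag]] = contents.decode("utf-8")
    return out


def ldap_extended_request(message_id: int, oid: str, value: bytes) -> bytes:
    """LDAPMessage { messageID INTEGER, ExtendedRequest [APPLICATION 23] {
         requestName [0] LDAPOID, requestValue [1] OCTET STRING } }.
    This is the PDU ldappasswd writes after StartTLS and the bind; TLS is
    what keeps newPasswd off the wire in clear."""
    op = tlv(0x77, tlv(0x80, oid.encode("ascii")) + tlv(0x81, value))
    return tlv(0x30, tlv(0x02, ber_integer(message_id)) + op)


# --- the userPassword pitfall from this thread ------------------------------

def is_prehashed(userpassword: str) -> bool:
    """True for '{SCHEME}...' values such as {MD5}..., {SSHA}..., {CLEAR}....
    Kerberos keys are derived from the plaintext (string-to-key); a hash
    cannot be reversed into them, so such a value cannot update the KDC."""
    return userpassword.startswith("{") and "}" in userpassword[1:]


if __name__ == "__main__":
    dn = "uid=mark,cn=users,cn=accounts,dc=example,dc=com"      # made up
    value = passwd_modify_value(dn, "0ldPassw0rd", "N3wPassw0rd")   # made up
    print(ldap_extended_request(1, PASSWD_MODIFY_OID, value).hex())
    print(decode_passwd_modify_value(value))
    for v in ("{MD5}X03MO1qnZdYdgyfeuILPmQ==", "{CLEAR}secret", "secret"):
        print(f"{v!r:36} pre-hashed: {is_prehashed(v)}")
```

To send this for real rather than inspect it, bind as the user over TLS and issue the operation; with OpenLDAP's tools that is ldappasswd -ZZ -x -D "<user dn>" -W -S, and python-ldap exposes the same operation as LDAPObject.passwd_s(user, oldpw, newpw). Binding as the user with the old password is what makes it a self-change rather than an admin reset, so the user is not forced to change the password again on the next kinit.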
From fabian.lema at gmail.com Tue Aug 11 18:53:29 2009
From: fabian.lema at gmail.com (Fabián Lema)
Date: Tue, 11 Aug 2009 15:53:29 -0300
Subject: [Freeipa-users] ssh sso and automounted NFSv4 home directories
Message-ID: <948f345d0908111153o73671653vcea4c59f75e906@mail.gmail.com>

Hello,

I am trying to configure ssh for SSO, following the instructions in the "Client Configuration Guide". After I retrieve the keytab for the host/... principal, ssh works without passwords, but as the Kerberos credentials are not forwarded (I think), the user is not able to access the home directory that's automounted from NFSv4 with Kerberos enabled.

Could not chdir to home directory /home/testj: Permission denied
-bash: /home/testj/.bash_profile: Permission denied
-bash-4.0$ ls -l /home
total 8
drwxr-x--x 31 testj otros 4096 2009-08-11 15:33 testj
-bash-4.0$ logout
-bash: /home/testj/.bash_logout: Permission denied

The automounted home directories work OK when a user logs in on a workstation (gdm or text console), and if I don't retrieve the host/ principal, ssh also works (asking for a password). I believe this has something to do with ssh not forwarding the Kerberos ticket or something like that.

Please, can anyone help me with this?

Thanks

From rcritten at redhat.com Tue Aug 11 20:33:18 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Aug 2009 16:33:18 -0400
Subject: [Freeipa-users] ssh sso and automounted NFSv4 home directories
In-Reply-To: <948f345d0908111153o73671653vcea4c59f75e906@mail.gmail.com>
References: <948f345d0908111153o73671653vcea4c59f75e906@mail.gmail.com>
Message-ID: <4A81D58E.1020701@redhat.com>

Fabián Lema wrote:
> Hello,
> I am trying to configure ssh for SSO, following instructions in the
> "Client Configuration Guide". After I retrieve the keytab for the
> host/...
> principal, ssh works without passwords, but as the Kerberos
> credentials are not forwarded (I think) the user is not able to access
> the home directory that's automounted from NFSv4 with Kerberos
> enabled.
>
> Could not chdir to home directory /home/testj: Permission denied
> -bash: /home/testj/.bash_profile: Permission denied
> -bash-4.0$ ls -l /home
> total 8
> drwxr-x--x 31 testj otros 4096 2009-08-11 15:33 testj
> -bash-4.0$ logout
> -bash: /home/testj/.bash_logout: Permission denied
>
>
> The automounted home directories work OK when a user logs in on a
> workstation (gdm or text console), and if I don't retrieve the host/
> principal, ssh also works (asking for a password).
> I believe this has something to do with ssh not forwarding the Kerberos
> ticket or something like that.
> Please, can anyone help me with this?

You could try adding the -K flag to ssh. This will enable Kerberos delegation.

rob

From m.s.hannessen at drecomm.nl Wed Aug 12 11:30:04 2009
From: m.s.hannessen at drecomm.nl (Mark Hannessen)
Date: Wed, 12 Aug 2009 13:30:04 +0200
Subject: [Freeipa-users] Change Password From Web App
In-Reply-To: <4A817F94.8030201@redhat.com>
References: <200908111501.07658.m.s.hannessen@drecomm.nl> <4A817F94.8030201@redhat.com>
Message-ID: <200908121330.04623.m.s.hannessen@drecomm.nl>

Thank you very much, sounds perfect to me.

I am however still running into a problem. I tried changing the password using MD5:

$coded = array('userpassword' => "{MD5}" . base64_encode( pack( "H*", md5( $newpassword ) ) ) );

And using CLEAR:

$coded = array('userpassword' => "{CLEAR}$newpassword");

But both resulted in my user not being able to log in anymore. What kind of input does FreeIPA expect for userpassword?
Kind Regards,
Mark Hannessen

On Tuesday 11 August 2009 04:26:28 pm Rob Crittenden wrote:
> Mark Hannessen wrote:
> > Hi List,
> >
> > Does anyone know if it is possible to change the password of a user from
> > a web application other than FreeIPA itself?
> >
> > In some of the web apps we have we want to integrate the ability for
> > users to change their password. But since FreeIPA uses Kerberos as well,
> > I am not sure how safe it would be to do this directly through LDAP.
> >
> > Does anyone have any hints on how to best approach this?
>
> Whenever a password is changed we update all passwords (LDAP, Kerberos,
> etc). So you can do a password change over LDAP and this will also
> update the Kerberos key.
>
> If you change another user's password (e.g. admin reset) then that user
> will need to change their password on the first kinit. You can change
> your own password without requiring a reset.
>
> rob

From ssorce at redhat.com Wed Aug 12 12:00:07 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 12 Aug 2009 08:00:07 -0400
Subject: [Freeipa-users] Change Password From Web App
In-Reply-To: <200908121330.04623.m.s.hannessen@drecomm.nl>
References: <200908111501.07658.m.s.hannessen@drecomm.nl> <4A817F94.8030201@redhat.com> <200908121330.04623.m.s.hannessen@drecomm.nl>
Message-ID: <1250078407.4022.9.camel@localhost.localdomain>

On Wed, 2009-08-12 at 13:30 +0200, Mark Hannessen wrote:
> Thank you very much,
> Sounds perfect to me.
>
> I am however still running into a problem.
> I tried changing the password using MD5
>
> $coded = array('userpassword' => "{MD5}" . base64_encode( pack( "H*", md5(
> $newpassword ) ) ) );
>
> And using CLEAR
>
> $coded = array('userpassword' => "{CLEAR}$newpassword");
>
> But both resulted in my user not being able to log in anymore.
> What kind of input does FreeIPA expect for userpassword?

The preferred method for changing the password is to use the ldappassword operation.
Alternatively just add the plaintext password w/o any prefix.

Simo.

From bkyoung at gmail.com Thu Aug 13 19:19:23 2009
From: bkyoung at gmail.com (Brandon Young)
Date: Thu, 13 Aug 2009 14:19:23 -0500
Subject: [Freeipa-users] slapi-nis help
Message-ID: <824ffea00908131219n51f9d88aie5bca27b8983a9a1@mail.gmail.com>

Hi all,

I am interested in deploying FreeIPA 1.2.1 on Fedora 11, and testing the NIS gateway functionality. I am having difficulties, and am not even sure I'm performing the correct steps.

I am using Fedora 11 x86_64 with all the updates available as of today, using ipa-server-1.2.1-4.fc11.x86_64.rpm, which provides slapi-nis-0.15 (which is not the newest, but I *think* should be fine).

I configured the IPA server unattended with the following command:

[root at freeipa ~]# /usr/sbin/ipa-server-install -r EXAMPLE.ORG -n example.org -p 'secretpw!!' -a 'secretpw!!' -P 'secretpw!!' --hostname=freeipa.example.org -N --no-host-dns -u admin -U

At this point, I can kinit as the admin user and perform LDAP searches on the tree. I took the example LDIF file from /usr/share/doc/slapi-nis-0.15/nis-plugin.ldif and attempted to add it as described in the getting started guide here (http://git.fedorahosted.org/git/slapi-nis.git/doc?p=slapi-nis.git;a=blob_plain;f=doc/nis-getting-started.txt), which is devoid of specific instructions for *how* to add the LDIF entries. I futzed around with OpenLDAP's ldapadd tool, and can't figure out how to obtain the necessary access rights to make the updates. As nearly as I can tell, the only administrative user is uid=admin,cn=users,cn=accounts,dc=example,dc=org. If I do a simple bind as that user it fails:

[root at freeipa ~]# ldapadd -a -f nis-plugin.ldif -D "uid=admin,cn=users,cn=accounts,dc=stowers-institute,dc=org" -W -x
Enter LDAP Password:
adding new entry "cn=NIS Server, cn=plugins, cn=config"
ldap_add: Insufficient access (50)

Why? Am I using the wrong account? Should I know about another account to do this?
As nearly as I can tell, there aren't any other accounts. Is this the wrong tool to use?

I poked around and found the ipa-ldap-modify command. After I modified the original example LDIF file from this:

dn: cn=NIS Server, cn=plugins, cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: NIS Server
nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
nsslapd-plugininitfunc: nis_plugin_init
nsslapd-plugintype: object
nsslapd-pluginenabled: on
nsslapd-pluginid: nis-server
nsslapd-pluginversion: 0.15
nsslapd-pluginvendor: redhat.com
nsslapd-plugindescription: NIS Server Plugin
nis-tcp-wrappers-name: nis-server

... to this:

dn: cn=NIS Server, cn=plugins, cn=config
add: objectclass: top
add: objectclass: nsSlapdPlugin
add: objectclass: extensibleObject
add: cn: NIS Server
add: nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
add: nsslapd-plugininitfunc: nis_plugin_init
add: nsslapd-plugintype: object
add: nsslapd-pluginenabled: on
add: nsslapd-pluginid: nis-server
add: nsslapd-pluginversion: 0.15
add: nsslapd-pluginvendor: redhat.com
add: nsslapd-plugindescription: NIS Server Plugin
add: nis-tcp-wrappers-name: nis-server

Now, issuing the command

[root at freeipa ~]# ipa-ldap-updater nis-plugin.ldif
Directory Manager password:

says it adds the entries. No indication of a problem. BUT, if I ldapsearch -b "cn=config", I don't see the new entry. Should I?

At any rate, when I attempt to restart dirsrv, I get the following:

[root at freeipa ~]# service dirsrv restart
Shutting down dirsrv:
    EXAMPLE-ORG...
                                                           [  OK  ]
Starting dirsrv:
    EXAMPLE-ORG...[13/Aug/2009:11:42:03 -0500] - Netscape Portable Runtime error -5977: /usr/64/dirsrv/plugins// usr / lib64 / dirsrv / plugins / nisserver-plugin.so: cannot open shared object file: No such file or directory
[13/Aug/2009:11:42:03 -0500] - Could not open library "/usr/64/dirsrv/plugins// usr / lib64 / dirsrv / plugins / nisserver-plugin.so" for plugin NIS Server
[13/Aug/2009:11:42:03 -0500] - Unable to load plugin "cn=NIS Server, cn=plugins, cn=config"
                                                           [FAILED]
*** Warning: 1 instance(s) failed to start

So, ipa-ldap-updater did *something*. I have no idea why the plugin path is getting mangled the way it is, though. Symlinking doesn't seem to fix the issue, either. I'm stumped, and suspect I'm doing something completely boneheaded. Does anyone else have this working? Any guidance would be greatly appreciated.

-- 
Brandon

From rcritten at redhat.com Thu Aug 13 19:38:58 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Aug 2009 15:38:58 -0400
Subject: [Freeipa-users] slapi-nis help
In-Reply-To: <824ffea00908131219n51f9d88aie5bca27b8983a9a1@mail.gmail.com>
References: <824ffea00908131219n51f9d88aie5bca27b8983a9a1@mail.gmail.com>
Message-ID: <4A846BD2.6020606@redhat.com>

Brandon Young wrote:
> Hi all,
>
> I am interested in deploying FreeIPA 1.2.1 on Fedora-11, and testing
> the NIS gateway functionality. I am having difficulties, and am not
> even sure I'm performing the correct steps.
>
> I am using Fedora 11 x86_64 with all the updates available as of
> today. Using ipa-server-1.2.1-4.fc11.x86_64.rpm, which provides
> slapi-nis-0.15 (which is not the newest, but I *think* should be
> fine)..
>
> I configured ipa server unattended with the following command:
>
> [root at freeipa ~]# /usr/sbin/ipa-server-install -r EXAMPLE.ORG -n
> example.org -p 'secretpw!!' -a 'secretpw!!' -P 'secretpw!!'
> --hostname=freeipa.example.org -N --no-host-dns -u admin -U
>
>
> At this point, I can kinit as the admin user and perform ldap searches
> on the tree. I took the example ldif file from
> /usr/share/doc/slapi-nis-0.15/nis-plugin.ldif and attempted to add it
> as described in the getting started guide here
> (http://git.fedorahosted.org/git/slapi-nis.git/doc?p=slapi-nis.git;a=blob_plain;f=doc/nis-getting-started.txt),
> which is devoid of specific instructions for *how* to add the ldif
> entries. I futzed around with openldap's ldapadd tool, and can't
> figure out how to obtain the necessary access rights to make the
> updates. As nearly as I can tell, the only administrative user is
> uid=admin,cn=users,cn=accounts,dc=example,dc=org. If I do a simple
> bind as that user it fails:
>
> [root at freeipa ~]# ldapadd -a -f nis-plugin.ldif -D
> "uid=admin,cn=users,cn=accounts,dc=stowers-institute,dc=org" -W -x
> Enter LDAP Password:
> adding new entry "cn=NIS Server, cn=plugins, cn=config"
> ldap_add: Insufficient access (50)
>
> Why? Am I using the wrong account? Should I know about another
> account to do this? As nearly as I can tell, there aren't any other
> accounts. Is this the wrong tool to use?
>
> I poked around and found the ipa-ldap-modify command. After I modified
> the original example ldif file from this:
>
> dn: cn=NIS Server, cn=plugins, cn=config
> objectclass: top
> objectclass: nsSlapdPlugin
> objectclass: extensibleObject
> cn: NIS Server
> nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
> nsslapd-plugininitfunc: nis_plugin_init
> nsslapd-plugintype: object
> nsslapd-pluginenabled: on
> nsslapd-pluginid: nis-server
> nsslapd-pluginversion: 0.15
> nsslapd-pluginvendor: redhat.com
> nsslapd-plugindescription: NIS Server Plugin
> nis-tcp-wrappers-name: nis-server
>
>
> ...
> to this:
>
> dn: cn=NIS Server, cn=plugins, cn=config
> add: objectclass: top
> add: objectclass: nsSlapdPlugin
> add: objectclass: extensibleObject
> add: cn: NIS Server
> add: nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
> add: nsslapd-plugininitfunc: nis_plugin_init
> add: nsslapd-plugintype: object
> add: nsslapd-pluginenabled: on
> add: nsslapd-pluginid: nis-server
> add: nsslapd-pluginversion: 0.15
> add: nsslapd-pluginvendor: redhat.com
> add: nsslapd-plugindescription: NIS Server Plugin
> add: nis-tcp-wrappers-name: nis-server
>
>
> Now, issuing the command
>
> [root at freeipa ~]# ipa-ldap-updater nis-plugin.ldif
> Directory Manager password:
>
>
> Says it adds the entries. No indication of a problem. BUT, if I
> ldapsearch -b "cn=config", I don't see the new entry. Should I?
>
> At any rate, when I attempt to restart dirsrv, I get the following:
>
> [root at freeipa ~]# service dirsrv restart
> Shutting down dirsrv:
>     EXAMPLE-ORG...                                         [  OK  ]
> Starting dirsrv:
>     EXAMPLE-ORG...[13/Aug/2009:11:42:03 -0500] - Netscape Portable
> Runtime error -5977: /usr/64/dirsrv/plugins// usr / lib64 / dirsrv /
> plugins / nisserver-plugin.so: cannot open shared object file: No such
> file or directory
> [13/Aug/2009:11:42:03 -0500] - Could not open library
> "/usr/64/dirsrv/plugins// usr / lib64 / dirsrv / plugins /
> nisserver-plugin.so" for plugin NIS Server
> [13/Aug/2009:11:42:03 -0500] - Unable to load plugin "cn=NIS Server,
> cn=plugins, cn=config"
>                                                            [FAILED]
> *** Warning: 1 instance(s) failed to start
>
>
>
> So, ipa-ldap-updater did *something*. I have no idea why the plugin
> path is getting mangled the way it is, though. Symlinking doesn't
> seem to fix the issue, either. I'm stumped, and suspect I'm doing
> something completely boneheaded. Does anyone else have this working?
> Any guidance would be greatly appreciated.
With ldapadd or ldapmodify you want to use the Directory Manager credentials, so this would have worked:

% ldapadd -x -D "cn=directory manager" -W -f nis-plugin.ldif

You don't see the entries under cn=config because you need to be Directory Manager to see them:

% ldapsearch -x -D "cn=directory manager" -W -b "cn=config"

I'd have to see what the config entry looks like to see why it isn't starting. IIRC DS prints a rather odd message when it can't load a plugin, though this looks particularly strange. It could be that the updater didn't write the entry properly.

rob

From bkyoung at gmail.com Thu Aug 13 22:04:30 2009
From: bkyoung at gmail.com (Brandon Young)
Date: Thu, 13 Aug 2009 17:04:30 -0500
Subject: [Freeipa-users] slapi-nis help
In-Reply-To: <4A846BD2.6020606@redhat.com>
References: <824ffea00908131219n51f9d88aie5bca27b8983a9a1@mail.gmail.com> <4A846BD2.6020606@redhat.com>
Message-ID: <824ffea00908131504n2bb36ffbrac13770181b5a6e8@mail.gmail.com>

Aha! That worked, and the ldapadd was successful, and the ldapsearch revealed the new entries, and the dirsrv restarted! Now I can see ypserv when I look at rpcinfo.

Thank you very much, Rob.

-- 
Brandon

On Thu, Aug 13, 2009 at 2:38 PM, Rob Crittenden wrote:
> Brandon Young wrote:
>>
>> Hi all,
>>
>> I am interested in deploying FreeIPA 1.2.1 on Fedora-11, and testing
>> the NIS gateway functionality. I am having difficulties, and am not
>> even sure I'm performing the correct steps.
>>
>> I am using Fedora 11 x86_64 with all the updates available as of
>> today. Using ipa-server-1.2.1-4.fc11.x86_64.rpm, which provides
>> slapi-nis-0.15 (which is not the newest, but I *think* should be
>> fine)..
>>
>> I configured ipa server unattended with the following command:
>>
>> [root at freeipa ~]# /usr/sbin/ipa-server-install -r EXAMPLE.ORG -n
>> example.org -p 'secretpw!!' -a 'secretpw!!' -P 'secretpw!!'
>> --hostname=freeipa.example.org -N --no-host-dns -u admin -U
>>
>>
>> At this point, I can kinit as the admin user and perform ldap searches
>> on the tree. I took the example ldif file from
>> /usr/share/doc/slapi-nis-0.15/nis-plugin.ldif and attempted to add it
>> as described in the getting started guide here
>>
>> (http://git.fedorahosted.org/git/slapi-nis.git/doc?p=slapi-nis.git;a=blob_plain;f=doc/nis-getting-started.txt),
>> which is devoid of specific instructions for *how* to add the ldif
>> entries. I futzed around with openldap's ldapadd tool, and can't
>> figure out how to obtain the necessary access rights to make the
>> updates. As nearly as I can tell, the only administrative user is
>> uid=admin,cn=users,cn=accounts,dc=example,dc=org. If I do a simple
>> bind as that user it fails:
>>
>> [root at freeipa ~]# ldapadd -a -f nis-plugin.ldif -D
>> "uid=admin,cn=users,cn=accounts,dc=stowers-institute,dc=org" -W -x
>> Enter LDAP Password:
>> adding new entry "cn=NIS Server, cn=plugins, cn=config"
>> ldap_add: Insufficient access (50)
>>
>> Why? Am I using the wrong account? Should I know about another
>> account to do this? As nearly as I can tell, there aren't any other
>> accounts. Is this the wrong tool to use?
>>
>> I poked around and found the ipa-ldap-modify command.
>> After I modified
>> the original example ldif file from this:
>>
>> dn: cn=NIS Server, cn=plugins, cn=config
>> objectclass: top
>> objectclass: nsSlapdPlugin
>> objectclass: extensibleObject
>> cn: NIS Server
>> nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
>> nsslapd-plugininitfunc: nis_plugin_init
>> nsslapd-plugintype: object
>> nsslapd-pluginenabled: on
>> nsslapd-pluginid: nis-server
>> nsslapd-pluginversion: 0.15
>> nsslapd-pluginvendor: redhat.com
>> nsslapd-plugindescription: NIS Server Plugin
>> nis-tcp-wrappers-name: nis-server
>>
>>
>> ... to this:
>>
>> dn: cn=NIS Server, cn=plugins, cn=config
>> add: objectclass: top
>> add: objectclass: nsSlapdPlugin
>> add: objectclass: extensibleObject
>> add: cn: NIS Server
>> add: nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
>> add: nsslapd-plugininitfunc: nis_plugin_init
>> add: nsslapd-plugintype: object
>> add: nsslapd-pluginenabled: on
>> add: nsslapd-pluginid: nis-server
>> add: nsslapd-pluginversion: 0.15
>> add: nsslapd-pluginvendor: redhat.com
>> add: nsslapd-plugindescription: NIS Server Plugin
>> add: nis-tcp-wrappers-name: nis-server
>>
>>
>> Now, issuing the command
>>
>> [root at freeipa ~]# ipa-ldap-updater nis-plugin.ldif
>> Directory Manager password:
>>
>>
>> Says it adds the entries. No indication of a problem. BUT, if I
>> ldapsearch -b "cn=config", I don't see the new entry. Should I?
>>
>> At any rate, when I attempt to restart dirsrv, I get the following:
>>
>> [root at freeipa ~]# service dirsrv restart
>> Shutting down dirsrv:
>>     EXAMPLE-ORG...                                         [  OK  ]
>> Starting dirsrv:
>>     EXAMPLE-ORG...[13/Aug/2009:11:42:03 -0500] - Netscape Portable
>> Runtime error -5977: /usr/64/dirsrv/plugins// usr / lib64 / dirsrv /
>> plugins / nisserver-plugin.so: cannot open shared object file: No such
>> file or directory
>> [13/Aug/2009:11:42:03 -0500] - Could not open library
>> "/usr/64/dirsrv/plugins// usr / lib64 / dirsrv / plugins /
>> nisserver-plugin.so" for plugin NIS Server
>> [13/Aug/2009:11:42:03 -0500] - Unable to load plugin "cn=NIS Server,
>> cn=plugins, cn=config"
>>                                                            [FAILED]
>> *** Warning: 1 instance(s) failed to start
>>
>>
>>
>> So, ipa-ldap-updater did *something*. I have no idea why the plugin
>> path is getting mangled the way it is, though. Symlinking doesn't
>> seem to fix the issue, either. I'm stumped, and suspect I'm doing
>> something completely boneheaded. Does anyone else have this working?
>> Any guidance would be greatly appreciated.
>
> With ldapadd or ldapmodify you want to use the Directory Manager
> credentials, so this would have worked:
>
> % ldapadd -x -D "cn=directory manager" -W -f nis-plugin.ldif
>
> You don't see the entries under cn=config because you need to be Directory
> Manager to see them:
>
> % ldapsearch -x -D "cn=directory manager" -W -b "cn=config"
>
> I'd have to see what the config entry looks like to see why it isn't
> starting. IIRC DS prints a rather odd message when it can't load a plugin,
> though this looks particularly strange. It could be that the updater didn't
> write the entry properly.
>
> rob
>

From thunta at tma.com.vn Fri Aug 14 10:56:43 2009
From: thunta at tma.com.vn (Thu Nguyen Thi Anh)
Date: Fri, 14 Aug 2009 17:56:43 +0700
Subject: [Freeipa-users] Migrate data from OpenLdap to FreeIPA
Message-ID:

Thanks Rob very much.
I will try of course on the test system :)

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Tue 6/30/2009 12:58 AM
To: Thu Nguyen
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Migrate data from OpenLdap to FreeIPA

Thu Nguyen wrote:
> Dear all,
>
> I did use OpenLDAP for our system which used to authenticate all web
> services (bugzilla, svn, ..) and mail service (dovecot). Now I would
> like to replace it by FreeIPA. Would you please instruct (step-by-step
> if possible) how to migrate all data/structures from OpenLDAP to FreeIPA?

We don't currently have instructions on how to do this. Basically what you need to do is:

- install freeIPA
- get an ldif dump of your OpenLDAP server
- remove any unneeded structural and configuration options from the ldif
- convert this ldif to the IPA DIT
- load the ldif

You can see the DIT we use at http://freeipa.org/page/UsingRhdsWithIpa

When converting to our DIT you'll also need to ensure that the user entries are set up properly. This means having:

- the krbprincipalname attribute set to @
- update the objectclass list
- set gidnumber to the ipausers group

You'll end up with a bunch of users that will work with simple auth but don't have kerberos keys yet, so kinit will fail. You'll need to create some mechanism where they authenticate using their user password in order to get kerberos keys.

And of course, do this on a test system first to make sure I haven't missed something :-)

rob

From fujyhluo at yahoo.com Wed Aug 19 18:53:24 2009
From: fujyhluo at yahoo.com (Fu-Jyh Luo)
Date: Wed, 19 Aug 2009 11:53:24 -0700 (PDT)
Subject: [Freeipa-users] Error on "Setting up Multi-Master Replication"
Message-ID: <652641.19662.qm@web110410.mail.gq1.yahoo.com>

Dear All,

I am having some trouble with "Setting up Multi-Master Replication".
ipa-replica-install complains about:

CRITICAL Failed to load indices.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpCwijw4 -f /usr/share/ipa/indices.ldif' returned non-zero exit status 68

Here are the steps I did.

* on IPA master server
  ** /usr/sbin/ipa-replica-prepare ips-replicate-server
  ** scp /var/lib/ipa/ips-replicate-server root at ips-replicate-server:/var/lib/ipa
* on IPA replica server
  ** install IPA software. I did NOT run ipa-server-install
  ** /usr/sbin/ipa-replica-install -N /var/lib/ipa/ips-replicate-server

Directory Manager (existing master) password:

Configuring directory server:
  [1/16]: creating directory server user
  [2/16]: creating directory server instance
  [3/16]: adding default schema
  [4/16]: enabling memberof plugin
  [5/16]: enabling referential integrity plugin
  [6/16]: enabling distributed numeric assignment plugin
  [7/16]: configuring uniqueness plugin
  [8/16]: creating indices
root        : CRITICAL Failed to load indices.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpCwijw4 -f /usr/share/ipa/indices.ldif' returned non-zero exit status 68
  [9/16]: configuring ssl for ds instance
  [10/16]: configuring certmap.conf
  [11/16]: restarting directory server
root        : CRITICAL Failed to restart the directory server. See the installation log for details.

Thanks in advance

From rcritten at redhat.com Wed Aug 19 19:24:10 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 19 Aug 2009 15:24:10 -0400
Subject: [Freeipa-users] Error on "Setting up Multi-Master Replication"
In-Reply-To: <652641.19662.qm@web110410.mail.gq1.yahoo.com>
References: <652641.19662.qm@web110410.mail.gq1.yahoo.com>
Message-ID: <4A8C515A.2000005@redhat.com>

Fu-Jyh Luo wrote:
> Dear All,
>
> I am having some trouble with "Setting up Multi-Master Replication".
> ipa-replica-install complains about "CRITICAL Failed to load indices.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpCwijw4 -f /usr/share/ipa/indices.ldif' returned non-zero exit status 68"
> Here are the steps I did.
>
> * on IPA master server
> ** /usr/sbin/ipa-replica-prepare ips-replicate-server
> ** scp /var/lib/ipa/ips-replicate-server root at ips-replicate-server:/var/lib/ipa
> * on IPA replica server
> ** install IPA software. I did NOT run ipa-server-install
> ** /usr/sbin/ipa-replica-install -N /var/lib/ipa/ips-replicate-server
> Directory Manager (existing master) password:
>
> Configuring directory server:
>   [1/16]: creating directory server user
>   [2/16]: creating directory server instance
>   [3/16]: adding default schema
>   [4/16]: enabling memberof plugin
>   [5/16]: enabling referential integrity plugin
>   [6/16]: enabling distributed numeric assignment plugin
>   [7/16]: configuring uniqueness plugin
>   [8/16]: creating indices
> root : CRITICAL Failed to load indices.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpCwijw4 -f /usr/share/ipa/indices.ldif' returned non-zero exit status 68
>   [9/16]: configuring ssl for ds instance
>   [10/16]: configuring certmap.conf
>   [11/16]: restarting directory server
> root : CRITICAL Failed to restart the directory server. See the installation log for details.
>
> Thanks in advance

What version of IPA are you using and what Linux distribution?

Can you attach /var/log/ipareplica-install.log? You might want to check that log real quick before sending to ensure it doesn't have any private information you might not want to disclose (IP addresses, hostnames, passwords, etc).

rob
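Rob's caveat about checking the install log for IP addresses, hostnames and passwords before posting it to a public list is easy to automate. What follows is an added example, not code from the thread and not part of FreeIPA: it replaces IPv4 addresses and fully-qualified hostnames with numbered placeholders (so a reader can still tell two hosts apart) and blanks anything that looks like a password argument. The sample log lines are constructed for the example, and the regexes, the `KEEP_HOSTS` allow-list and the `scrub_log` helper are this example's own choices.

```python
import re
from typing import Dict, Tuple

# Constructed sample log (not the original poster's real file); the paths and
# the ldapmodify command line mirror what ipa-replica-install logs.
SAMPLE_LOG = """\
2009-08-19 11:52:01 DEBUG args=/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpCwijw4 -f /usr/share/ipa/indices.ldif
2009-08-19 11:52:01 DEBUG stderr=ldap_modify: Already exists (68)
2009-08-19 11:52:02 DEBUG replica master is ipa1.corp.example.com (192.168.10.5)
2009-08-19 11:52:02 DEBUG args=/usr/bin/ldapmodify -h 192.168.10.5 -D cn=Directory Manager -w Sup3rSecret! -f /tmp/x.ldif
2009-08-19 11:52:03 DEBUG dirmanager password: Sup3rSecret!
2009-08-19 11:52:03 DEBUG retrying against ipa1.corp.example.com
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Two or more dot-separated labels ending in letters.  The lookbehind keeps
# path components such as /usr/share/ipa/indices.ldif from being treated as
# hostnames.
FQDN_RE = re.compile(r"(?<![/.\w-])(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
# "-w <secret>" on an ldap* command line and "password: <secret>" in prose.
# (-y names a file holding the password; the path itself is not secret.)
PASSWORD_RES = (
    re.compile(r"(\s-w\s+)\S+"),
    re.compile(r"(password\s*[:=]\s*)\S+", re.IGNORECASE),
)
# Public names that reveal nothing about the installation (assumed list).
KEEP_HOSTS = {"redhat.com", "freeipa.org", "fedoraproject.org"}
LOOPBACK = "127.0.0.1"


def scrub_log(text: str) -> Tuple[str, Dict[str, str]]:
    """Return (scrubbed text, {original: placeholder}).

    Hosts and addresses become numbered placeholders so repeated mentions of
    the same host stay correlated for whoever reads the log.  Passwords are
    replaced by a fixed marker and deliberately kept out of the mapping.
    """
    mapping: Dict[str, str] = {}
    counters = {"IP": 0, "HOST": 0}

    def placeholder(kind: str, value: str) -> str:
        if value not in mapping:
            counters[kind] += 1
            mapping[value] = f"<{kind}{counters[kind]}>"
        return mapping[value]

    scrubbed = []
    for line in text.splitlines():
        for pat in PASSWORD_RES:
            line = pat.sub(lambda m: m.group(1) + "<REDACTED>", line)
        line = IPV4_RE.sub(
            lambda m: m.group(0) if m.group(0) == LOOPBACK else placeholder("IP", m.group(0)),
            line,
        )
        line = FQDN_RE.sub(
            lambda m: m.group(0) if m.group(0).lower() in KEEP_HOSTS else placeholder("HOST", m.group(0)),
            line,
        )
        scrubbed.append(line)
    return "\n".join(scrubbed) + "\n", mapping


if __name__ == "__main__":
    text, seen = scrub_log(SAMPLE_LOG)
    print(text)
    print("replacements:", seen)
```

Keep the returned mapping to yourself; it is what lets you translate a reader's "what is HOST2?" back to a real machine without having published it. Loopback is left alone on purpose, since 127.0.0.1 in an ldapmodify line is exactly the detail someone debugging the install wants to see.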
From fujyhluo at yahoo.com Wed Aug 19 20:15:40 2009
From: fujyhluo at yahoo.com (Fu-Jyh Luo)
Date: Wed, 19 Aug 2009 13:15:40 -0700 (PDT)
Subject: [Freeipa-users] Error on "Setting up Multi-Master Replication"
Message-ID: <435879.19893.qm@web110401.mail.gq1.yahoo.com>

> What version of IPA are you using and what Linux
> distribution?

IPA 1.2.1 and CentOS 5.3 64Bits

> Can you attach /var/log/ipareplica-install.log? You might
> want to check that log real quick before sending to ensure
> it doesn't have any private information you might not want
> to disclose (IP addresses, hostnames, passwords, etc).

See attachment.

Fu

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipareplica-install.log
Type: application/octet-stream
Size: 8276 bytes
Desc: not available

From rcritten at redhat.com Wed Aug 19 20:22:45 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 19 Aug 2009 16:22:45 -0400
Subject: [Freeipa-users] Error on "Setting up Multi-Master Replication"
In-Reply-To: <435879.19893.qm@web110401.mail.gq1.yahoo.com>
References: <435879.19893.qm@web110401.mail.gq1.yahoo.com>
Message-ID: <4A8C5F15.3000009@redhat.com>

Fu-Jyh Luo wrote:
>> What version of IPA are you using and what Linux
>> distribution?
> IPA 1.2.1 and CentOS 5.3 64Bits
>
>> Can you attach /var/log/ipareplica-install.log? You might
>> want to check that log real quick before sending to ensure
>> it doesn't have any private information you might not want
>> to disclose (IP addresses, hostnames, passwords, etc).
> See attachment.

Ok, there are 2 problems. The first is that an index already exists for some reason so creating the indices in the ldif is failing.
Not a fatal issue really but looks like a bug.

The bigger issue is that the PKCS#12 file for the DS that it is trying to load either doesn't contain the CA or isn't trusting it for some reason. Did you provide your own PKCS#12 files for IPA or are you using the default, self-signed CA?

rob

From fujyhluo at yahoo.com Wed Aug 19 21:33:41 2009
From: fujyhluo at yahoo.com (Fu-Jyh Luo)
Date: Wed, 19 Aug 2009 14:33:41 -0700 (PDT)
Subject: [Freeipa-users] Error on "Setting up Multi-Master Replication"
In-Reply-To: <4A8C5F15.3000009@redhat.com>
Message-ID: <39588.41389.qm@web110403.mail.gq1.yahoo.com>

> Ok, there are 2 problems. The first is that an index
> already exists for some reason so creating the indices in
> the ldif is failing. Not a fatal issue really but looks like
> a bug.
>
> The bigger issue is that the PKCS#12 file for the DS that
> it is trying to load either doesn't contain the CA or isn't
> trusting it for some reason. Did you provide your own
> PKCS#12 files for IPA or are you using the default,
> self-signed CA?

I am using the default self-signed CA. Do you have a suggestion how to fix it?

Thanks,
Fu

From bkyoung at gmail.com Wed Aug 19 21:50:44 2009
From: bkyoung at gmail.com (Brandon Young)
Date: Wed, 19 Aug 2009 16:50:44 -0500
Subject: [Freeipa-users] More slapi-nis help
Message-ID: <824ffea00908191450g1c94d872j9637a8f95c160b73@mail.gmail.com>

Hi all.

I have been dinking with this a few minutes at a time since last week, and am having a problem, still. I have gone over my nis-plugin.ldif file and verified that nis-domain matches everywhere (at first it didn't), and that once the dirsrv successfully starts I can see with 'rpcinfo -p' that ypserv is bound to some port (it changes each time I reboot, but no biggie; I'm not running a firewall).
I can check from a remote host (again with rpcinfo) and see the ypserv service is available. However, when I try to 'ypcat passwd', from a host that is configured to use the freeipa server as its NIS server, it doesn't return anything. If I further do something like: 'ypcat -h freeipakc01 -d someorg passwd', it eventually times out and says "No such map passwd.byname. Reason: Can't communicate with portmapper". "Aha," I think. A clue. Alas, I verified that the rpcbind service is still running. Both host.allow and host.deny are empty (thus allowing all connections). Rebooting doesn't help.

Here is my ldif I uploaded to setup the nis-plugin:

dn: cn=NIS Server, cn=plugins, cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: NIS Server
nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
nsslapd-plugininitfunc: nis_plugin_init
nsslapd-plugintype: object
nsslapd-pluginenabled: on
nsslapd-pluginid: nis-server
nsslapd-pluginversion: 0.15
nsslapd-pluginvendor: redhat.com
nsslapd-plugindescription: NIS Server Plugin
nis-tcp-wrappers-name: nis-server

dn: nis-domain=someorg+nis-map=passwd.byname, cn=NIS Server, cn=plugins, cn=config
objectclass: top
objectclass: extensibleObject
nis-domain: someorg
nis-map: passwd.byname
nis-base: cn=users, dc=some-org, dc=org
nis-secure: no

dn: nis-domain=someorg+nis-map=passwd.byuid, cn=NIS Server, cn=plugins, cn=config
objectclass: top
objectclass: extensibleObject
nis-domain: someorg
nis-map: passwd.byuid
nis-base: cn=users, dc=some-org, dc=org
nis-secure: no

dn: nis-domain=someorg+nis-map=group.byname, cn=NIS Server, cn=plugins, cn=config
objectclass: top
objectclass: extensibleObject
nis-domain: someorg
nis-map: group.byname
nis-base: cn=groups, dc=some-org, dc=org
nis-secure: no

dn: nis-domain=someorg+nis-map=group.bygid, cn=NIS Server, cn=plugins, cn=config
objectclass: top
objectclass: extensibleObject
nis-domain: someorg
nis-map: group.bygid
nis-base: cn=groups, dc=some-org, dc=org
nis-secure: no

dn: nis-domain=someorg+nis-map=group.upg, cn=NIS Server, cn=plugins, cn=config
objectclass: top
objectclass: extensibleObject
nis-domain: someorg
nis-map: group.upg
nis-base: cn=users, dc=some-org, dc=org
nis-filter: (objectclass=posixAccount)
nis-key-format: %{uid}
nis-value-format: %{uid}:*:%{gidNumber}:%{uid}
nis-secure: no
nis-disallowed-chars: :,

dn: nis-domain=someorg+nis-map=netid.byname, cn=NIS Server, cn=plugins, cn=config
objectclass: top
objectclass: extensibleObject
nis-domain: someorg
nis-map: netid.byname
nis-base: cn=users, dc=some-org, dc=org
nis-secure: no

Here's the output of rpcinfo:

  [root at freeipa freeipa]# rpcinfo -p
     program vers proto   port  service
      100000    4   tcp    111  portmapper
      100000    3   tcp    111  portmapper
      100000    2   tcp    111  portmapper
      100000    4   udp    111  portmapper
      100000    3   udp    111  portmapper
      100000    2   udp    111  portmapper
      100024    1   udp  45003  status
      100024    1   tcp  54515  status
      100004    2   tcp    710  ypserv
      100004    2   udp    710  ypserv
      100011    1   udp    875  rquotad
      100011    2   udp    875  rquotad
      100011    1   tcp    875  rquotad
      100011    2   tcp    875  rquotad
      100003    2   udp   2049  nfs
      100003    3   udp   2049  nfs
      100003    4   udp   2049  nfs
      100021    1   udp  48842  nlockmgr
      100021    3   udp  48842  nlockmgr
      100021    4   udp  48842  nlockmgr
      100021    1   tcp  57232  nlockmgr
      100021    3   tcp  57232  nlockmgr
      100021    4   tcp  57232  nlockmgr
      100003    2   tcp   2049  nfs
      100003    3   tcp   2049  nfs
      100003    4   tcp   2049  nfs
      100005    1   udp  38415  mountd
      100005    1   tcp  44539  mountd
      100005    2   udp  38415  mountd
      100005    2   tcp  44539  mountd
      100005    3   udp  38415  mountd
      100005    3   tcp  44539  mountd

Surely I am missing something obvious. Insight would be appreciated. Has anyone else gotten this to work?
--
Brandon

From nalin at redhat.com Wed Aug 19 22:19:16 2009
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Wed, 19 Aug 2009 18:19:16 -0400
Subject: [Freeipa-users] More slapi-nis help
In-Reply-To: <824ffea00908191450g1c94d872j9637a8f95c160b73@mail.gmail.com>
References: <824ffea00908191450g1c94d872j9637a8f95c160b73@mail.gmail.com>
Message-ID: <20090819221916.GA21324@redhat.com>

On Wed, Aug 19, 2009 at 04:50:44PM -0500, Brandon Young wrote:
> I have been dinking with this a few minutes at a time since last week,
> and am having a problem, still. I have gone over my nis-plugin.ldif
> file and verified that nis-domain matches everywhere (at first it
> didn't), and that once the dirsrv successfully starts I can see with
> 'rpcinfo -p' that ypserv is bound to some port (it changes each time I
> reboot, but no biggie; I'm not running a firewall). I can check from
> a remote host (again with rpcinfo) and see the ypserv service is
> available. However, when I try to 'ypcat passwd', from a host that is
> configured to use the freeipa server as its NIS server, it doesn't
> return anything. If I further do something like: 'ypcat -h
> freeipakc01 -d someorg passwd', it eventually times out and says "No
> such map passwd.byname. Reason: Can't communicate with portmapper".
> "Aha," I think. A clue. Alas, I verified that the rpcbind service is
> still running. Both host.allow and host.deny are empty (thus allowing
> all connections). Rebooting doesn't help.
>
> Here is my ldif I uploaded to setup the nis-plugin:
>
> dn: cn=NIS Server, cn=plugins, cn=config
> objectclass: top
> objectclass: nsSlapdPlugin
> objectclass: extensibleObject
> cn: NIS Server
> nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
> nsslapd-plugininitfunc: nis_plugin_init
> nsslapd-plugintype: object
> nsslapd-pluginenabled: on
> nsslapd-pluginid: nis-server
> nsslapd-pluginversion: 0.15
> nsslapd-pluginvendor: redhat.com
> nsslapd-plugindescription: NIS Server Plugin
> nis-tcp-wrappers-name: nis-server

I notice you don't have a "nsslapd-pluginarg0" set here, so the plugin's going to use the first reserved port it can bind to ("rpcinfo -p" will tell you which one it settled on -- your example output showed it landed on 710) to receive client requests. If you're running a firewall on the NIS server, is that port open?

> dn: nis-domain=someorg+nis-map=passwd.byname, cn=NIS Server, cn=plugins, cn=config
> objectclass: top
> objectclass: extensibleObject
> nis-domain: someorg
> nis-map: passwd.byname
> nis-base: cn=users, dc=some-org, dc=org
> nis-secure: no

That looks right to me.

The default settings for maps named 'passwd.byname' configure the plugin to expect that entries which should appear in the map will match the filter "(objectClass=posixAccount)" and will have a single value for at least these attributes:
  uid, uidNumber, gidNumber
and it would prefer to also see these:
  userPassword, gecos (or cn), homeDirectory, loginShell

Do the user entries meet these requirements? If not, you'll need to override the default settings for the map to have it make use of what's there.
HTH,

Nalin

From bkyoung at gmail.com Thu Aug 20 01:21:23 2009
From: bkyoung at gmail.com (Brandon Young)
Date: Wed, 19 Aug 2009 20:21:23 -0500
Subject: [Freeipa-users] More slapi-nis help
In-Reply-To: <20090819221916.GA21324@redhat.com>
References: <824ffea00908191450g1c94d872j9637a8f95c160b73@mail.gmail.com> <20090819221916.GA21324@redhat.com>
Message-ID: <824ffea00908191821u6911985kce885d5ac48dec1@mail.gmail.com>

On Wed, Aug 19, 2009 at 5:19 PM, Nalin Dahyabhai wrote:
> On Wed, Aug 19, 2009 at 04:50:44PM -0500, Brandon Young wrote:
>> I have been dinking with this a few minutes at a time since last week,
>> and am having a problem, still. I have gone over my nis-plugin.ldif
>> file and verified that nis-domain matches everywhere (at first it
>> didn't), and that once the dirsrv successfully starts I can see with
>> 'rpcinfo -p' that ypserv is bound to some port (it changes each time I
>> reboot, but no biggie; I'm not running a firewall). I can check from
>> a remote host (again with rpcinfo) and see the ypserv service is
>> available. However, when I try to 'ypcat passwd', from a host that is
>> configured to use the freeipa server as its NIS server, it doesn't
>> return anything. If I further do something like: 'ypcat -h
>> freeipakc01 -d someorg passwd', it eventually times out and says "No
>> such map passwd.byname. Reason: Can't communicate with portmapper".
>> "Aha," I think. A clue. Alas, I verified that the rpcbind service is
>> still running. Both host.allow and host.deny are empty (thus allowing
>> all connections). Rebooting doesn't help.
>>
>> Here is my ldif I uploaded to setup the nis-plugin:
>>
>> dn: cn=NIS Server, cn=plugins, cn=config
>> objectclass: top
>> objectclass: nsSlapdPlugin
>> objectclass: extensibleObject
>> cn: NIS Server
>> nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
>> nsslapd-plugininitfunc: nis_plugin_init
>> nsslapd-plugintype: object
>> nsslapd-pluginenabled: on
>> nsslapd-pluginid: nis-server
>> nsslapd-pluginversion: 0.15
>> nsslapd-pluginvendor: redhat.com
>> nsslapd-plugindescription: NIS Server Plugin
>> nis-tcp-wrappers-name: nis-server
>
> I notice you don't have a "nsslapd-pluginarg0" set here, so the plugin's
> going to use the first reserved port it can bind to ("rpcinfo -p" will
> tell you which one it settled on -- your example output showed it landed
> on 710) to receive client requests. If you're running a firewall on the
> NIS server, is that port open?

I am not running a firewall. If I probe portmapper from a remote host (again, using 'rpcinfo -p freeipa', where freeipa is the name of the server) I can see ypserv running on port 710. Am I correct in understanding that it is unnecessary to set the nsslapd-pluginarg0 to a specific port, since I am not running a firewall on the server?

>> dn: nis-domain=someorg+nis-map=passwd.byname, cn=NIS Server, cn=plugins, cn=config
>> objectclass: top
>> objectclass: extensibleObject
>> nis-domain: someorg
>> nis-map: passwd.byname
>> nis-base: cn=users, dc=some-org, dc=org
>> nis-secure: no
>
> That looks right to me.
>
> The default settings for maps named 'passwd.byname' configure the plugin
> to expect that entries which should appear in the map will match the
> filter "(objectClass=posixAccount)" and will have a single value for at
> least these attributes:
>   uid, uidNumber, gidNumber

Every user entry in the database has a single value for each of those three attributes.

> and it would prefer to also see these:
>   userPassword, gecos (or cn), homeDirectory, loginShell

All these attributes are also set (except userPassword, in some cases). I used ipa-adduser to add every user, and supplied all required fields for each entry, which set all these attributes (though did not *require* passwords. Some entries do have passwords set, though).

> Do the user entries meet these requirements? If not, you'll need to
> override the default settings for the map to have it make use of what's
> there.
>
> HTH,

Any other ideas what I might look at? Is there a log file I can turn to? Perhaps a way to put the server/plugin in debug mode to see if an NIS request is even being serviced? As nearly as I can tell (without breaking out wireshark) the ypserv plugin/service is not even acknowledging requests from a client that can otherwise ping the server and probe it with rpcinfo.

The steps I took were:

1. Insert ldif entries defining the plugin and mappings (as described in the previous email)
2. restart dirsrv
3. verify rpcbind has bound ypserv to some ports
4. reconfigure an existing NIS client to point at the new NIS server
5. attempt a ypcat of passwd

Sounds easy. The getting started guide doesn't seem to detail any additional steps. Are there missing steps? Did I miss a step detailed somewhere? Should it just work? I feel like I must be missing something very basic.
> Nalin

From fujyhluo at yahoo.com Thu Aug 20 14:04:23 2009
From: fujyhluo at yahoo.com (Fu-Jyh Luo)
Date: Thu, 20 Aug 2009 07:04:23 -0700 (PDT)
Subject: [Freeipa-users] Error on "Setting up Multi-Master Replication"
In-Reply-To: <4A8C5F15.3000009@redhat.com>
Message-ID: <135172.22842.qm@web110406.mail.gq1.yahoo.com>

Hi Rob,

Thanks for your information. I did NOT have experience with IPA but your information helped me to fix this issue. Here are the things I did.

  # certutil -d . -L

  Certificate Nickname                                         Trust Attributes
                                                               SSL,S/MIME,JAR/XPI

  CA certificate                                               ,,
  Server-Cert                                                  CTu,Cu,u

  # slapd-SN-FDA-GOV]# certutil -d . -M -n "CA certificate" -t "CTu,u,Cu"

  # certutil -d . -L

  Certificate Nickname                                         Trust Attributes
                                                               SSL,S/MIME,JAR/XPI

  Server-Cert                                                  CTu,Cu,u
  CA certificate                                               CT,,C

  # /etc/init.d/dirsrv start
  Starting dirsrv:
      SN-FDA-GOV...                                            [  OK  ]

However, that was NOT good enough. I had to do it for /etc/httpd/alias as well.

  # certutil -d /etc/httpd/alias/ -M -n "CA certificate" -t "CT,,C"
  # certutil -d /etc/httpd/alias/ -M -n "Server-Cert" -t "u,u,u"

Thanks,
Fu

> Ok, there are 2 problems. The first is that an index
> already exists for some reason so creating the indices in
> the ldif is failing. Not a fatal issue really but looks like
> a bug.
>
> The bigger issue is that the PKCS#12 file for the DS that
> it is trying to load either doesn't contain the CA or isn't
> trusting it for some reason. Did you provide your own
> PKCS#12 files for IPA or are you using the default,
> self-signed CA?
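Fu-Jyh's fix comes down to reading the trust column of `certutil -L` correctly. In the SSL column, C means the certificate is trusted to issue server certificates and T to issue client certificates; u means the database holds the matching private key, i.e. the entry is the instance's own certificate. A CA entry showing ",," is present but trusted for nothing, which is the state Rob described ("isn't trusting it"), and a server certificate carrying C or T is a leaf being treated as a trust anchor. The following is an added example, written for this page and not code from the thread or from FreeIPA: it parses a `certutil -L` listing and reports which `certutil -M -t ...` changes are needed. The listing embedded in it is a constructed copy of the before and after states posted above, and it assumes the IPA default nicknames "CA certificate" and "Server-Cert".

```python
import re
from typing import Dict, List, Tuple

# Constructed listing mirroring the "before" state posted above.  The real
# input is the output of:  certutil -d /etc/dirsrv/slapd-<INSTANCE> -L
LISTING_BEFORE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               ,,
Server-Cert                                                  CTu,Cu,u
"""

# The state the thread ends up with for /etc/httpd/alias.
LISTING_AFTER = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
CA certificate                                               CT,,C
"""

# Three comma-separated flag groups: SSL, S/MIME, object signing.
TRUST_RE = re.compile(r"^([CTcPpuw]*),([CTcPpuw]*),([CTcPpuw]*)$")

Trust = Tuple[str, str, str]


def parse_listing(text: str) -> Dict[str, Trust]:
    """Map nickname -> (ssl, smime, objsign) flag strings from `certutil -L` output."""
    certs: Dict[str, Trust] = {}
    for line in text.splitlines():
        line = line.rstrip()
        nick, _, flags = line.rpartition(" ")   # nicknames may contain spaces
        m = TRUST_RE.match(flags)
        if not m:
            continue                            # header lines, blank lines
        certs[nick.strip()] = m.groups()
    return certs


def check_trust(certs: Dict[str, Trust],
                ca_nick: str = "CA certificate",
                server_nick: str = "Server-Cert") -> List[str]:
    """Return the certutil commands (or '#' comments) needed to reach a sane state.

    Rules, from the NSS trust-flag semantics:
      * the CA entry needs C in the SSL column (trusted to issue server
        certificates) or nothing it signed will verify; T additionally
        trusts it for client certificates, which is what IPA uses;
      * the server entry needs u (private key present) and must carry no
        C/T flag at all, because a leaf marked as a trust anchor would make
        anything "signed" by it trusted.
    """
    fixes: List[str] = []

    ca = certs.get(ca_nick)
    if ca is None:
        fixes.append(f"# no entry named {ca_nick!r}: the CA is missing from this database")
    else:
        ssl, _smime, _obj = ca
        if "C" not in ssl:
            fixes.append(f"certutil -d . -M -n {ca_nick!r} -t 'CT,,C'")

    srv = certs.get(server_nick)
    if srv is None:
        fixes.append(f"# no entry named {server_nick!r}: the server certificate is missing")
    else:
        ssl, smime, obj = srv
        if "u" not in ssl:
            fixes.append(f"# {server_nick!r} has no private key ('u' flag missing); re-import the PKCS#12")
        if set("CT") & set(ssl + smime + obj):
            fixes.append(f"certutil -d . -M -n {server_nick!r} -t 'u,u,u'")
    return fixes


if __name__ == "__main__":
    for label, listing in (("before", LISTING_BEFORE), ("after", LISTING_AFTER)):
        print(label, check_trust(parse_listing(listing)) or ["ok"])
```

Run the real listing through it for each NSS database the replica uses (the DS instance directory and /etc/httpd/alias, as the message above found); an empty result means the trust flags are not the reason the server fails to start.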
From nalin at redhat.com Thu Aug 20 14:19:59 2009
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Thu, 20 Aug 2009 10:19:59 -0400
Subject: [Freeipa-users] More slapi-nis help
In-Reply-To: <824ffea00908191821u6911985kce885d5ac48dec1@mail.gmail.com>
References: <824ffea00908191450g1c94d872j9637a8f95c160b73@mail.gmail.com> <20090819221916.GA21324@redhat.com> <824ffea00908191821u6911985kce885d5ac48dec1@mail.gmail.com>
Message-ID: <20090820141959.GA27874@redhat.com>

On Wed, Aug 19, 2009 at 08:21:23PM -0500, Brandon Young wrote:
> I am not running a firewall. If I probe portmapper from a remote host
> (again, using 'rpcinfo -p freeipa', where freeipa is the name of the
> server) I can see ypserv running on port 710. Am I correct in
> understanding that it is unnecessary to set the nsslapd-pluginarg0 to
> a specific port, since I am not running a firewall on the server?

Yes, you're correct. The plugin won't register with the portmapper if it isn't able to bind to the ports, so you can also assume it's listening.

> Any other ideas what I might look at? Is there a log file I can turn
> to? Perhaps a way to put the server/plugin in debug mode to see if an
> NIS request is even being serviced? As nearly as I can tell (without
> breaking out wireshark) the ypserv plugin/service is not even
> acknowledging requests from a client that can otherwise ping the
> server and probe it with rpcinfo.
>
> The steps I took were:
>
> 1. Insert ldif entries defining the plugin and mappings (as described
> in the previous email)
> 2. restart dirsrv
> 3. verify rpcbind has bound ypserv to some ports
> 4. reconfigure an existing NIS client to point at the new NIS server
> 5. attempt a ypcat of passwd
>
> Sounds easy. The getting started guide doesn't seem to detail any
> additional steps. Are there missing steps? Did I miss a step
> detailed somewhere? Should it just work? I feel like I must be
> missing something very basic.

It really should just work the way you've set it up.
I must be missing something, too.

You should be able to crank up the logging level of the server to the point where the module's logs will start being saved to disk by setting "nsslapd-errorlog-level" to 65536 in "cn=config". Expect a massive slowdown when you do this, because the plugin actually logs quite a lot of messages, and this log level sends all plugin-based messages to the log file. The module's messages will all be marked as coming from the "nis-plugin".

HTH,

Nalin

From rachid.zarouali at nic.fr Mon Aug 24 16:06:39 2009
From: rachid.zarouali at nic.fr (Rachid Zarouali)
Date: Mon, 24 Aug 2009 18:06:39 +0200
Subject: [Freeipa-users] freeipa V2 release date ?
Message-ID: <20090824160639.GH24341@syrius.nic.fr>

Hi all,

I've put my interest in the freeipa project. I've seen on the website that the 2.0 release should be available in April/May 2009, so I'm wondering if the release date of 2.0 has been modified on any roadmap and, if so, when it will be released?

Thanks,
Rachid

From rachid.zarouali at nic.fr Mon Aug 24 16:07:55 2009
From: rachid.zarouali at nic.fr (Rachid Zarouali)
Date: Mon, 24 Aug 2009 18:07:55 +0200
Subject: [Freeipa-users] connecting freeipa server with free radius
Message-ID: <20090824160755.GI24341@syrius.nic.fr>

Hello :)

Has anyone successfully connected a freeipa server with a radius server? If so, is there any howto/doc... that may help me do it myself?

Thanks for your help,
Rachid

From dpal at redhat.com Mon Aug 24 16:19:04 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 24 Aug 2009 12:19:04 -0400
Subject: [Freeipa-users] freeipa V2 release date ?
In-Reply-To: <20090824160639.GH24341@syrius.nic.fr>
References: <20090824160639.GH24341@syrius.nic.fr>
Message-ID: <4A92BD78.3010500@redhat.com>

Rachid Zarouali wrote:
> Hi all,
> I've put my interest in the freeipa project. I've seen on the website that the 2.0 release should be available in April/May 2009,
> so I'm wondering if the release date of 2.0 has been modified on any roadmap and, if so, when it will be released?
>

Sorry, my fault for not keeping the roadmap updated.

Unfortunately there is no clear release schedule for IPA v2. We are actively working on it and corresponding related but independent components (SSSD). There is a chance that we will hit the functionally complete milestone before the end of the year. I need to clean up a lot of items that have been deferred or dropped from the PRD to reflect the actual scope of the project. Also it is not clear that there will be no new features we would consider implementing before the release. This will/might affect our functionally complete dates.

> Thanks,
> Rachid
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From jdennis at redhat.com Mon Aug 24 16:22:52 2009
From: jdennis at redhat.com (John Dennis)
Date: Mon, 24 Aug 2009 12:22:52 -0400
Subject: [Freeipa-users] connecting freeipa server with free radius
In-Reply-To: <20090824160755.GI24341@syrius.nic.fr>
References: <20090824160755.GI24341@syrius.nic.fr>
Message-ID: <4A92BE5C.8060406@redhat.com>

On 08/24/2009 12:07 PM, Rachid Zarouali wrote:
> Hello :)
> Has anyone successfully connected a freeipa server with a radius server?
> If so, is there any howto/doc... that may help me do it myself?

Supporting radius is on our roadmap, but won't likely be part of v2.
Our plan is to use FreeRADIUS. Connecting IPA and FreeRADIUS in a basic configuration is not difficult if all you want to do is PAP (just enable the krb5 module). However supporting 802.1 as well as Windows supplicants is likely to require some work on our end. There is also the issue of Web GUI support for radius management and desirable features such as group membership tests, time of day authorization, authorization based on NAS type and location (e.g. VPN vs. wireless, etc.), revocation of access (CoA), bandwidth controls, etc. These complications are reasons why Radius is lower on our priority list.

However, one thing which will help us is getting a better understanding, out of the hundreds of ways radius can be deployed and managed, of which ones are most important to support. What do you want in terms of radius support from IPA? Would you be willing to contribute to this area?

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Mon Aug 24 17:12:08 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 24 Aug 2009 13:12:08 -0400
Subject: [Freeipa-users] freeipa V2 release date ?
In-Reply-To: <20090824160639.GH24341@syrius.nic.fr>
References: <20090824160639.GH24341@syrius.nic.fr>
Message-ID: <1251133928.27122.0.camel@localhost.localdomain>

On Mon, 2009-08-24 at 18:06 +0200, Rachid Zarouali wrote:
> Hi all,
> I've put my interest in the freeipa project. I've seen on the website that the 2.0 release should be available in April/May 2009,
> so I'm wondering if the release date of 2.0 has been modified on any roadmap and, if so, when it will be released?

Hi Rachid,

at the moment we do not have a firm release date yet, but we are working to have something out by winter time.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Tue Aug 25 16:08:08 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 25 Aug 2009 12:08:08 -0400
Subject: [Freeipa-users] connecting freeipa server with free radius
In-Reply-To: <20090825075627.GM24341@syrius.nic.fr>
References: <20090824160755.GI24341@syrius.nic.fr> <4A92BE5C.8060406@redhat.com> <20090825075627.GM24341@syrius.nic.fr>
Message-ID: <4A940C68.2040903@redhat.com>

Hello Richard,

Rachid Zarouali wrote:
> Thanks for the answer John,
>
> Let me explain what we want to do:
> we have several network equipments (firewall, router, ...)
> on which we want to add radius authentication using freeradius,
> to have a central authentication system (network, servers, ...).
> I'm searching for a way to connect freeradius to the ipa system,
>
> like it can be done between openldap and freeradius.
>
> Am I clear?
> If not let me know, I'll put more details.
>

The devil is in the details. What kind of authentication methods are you planning to use (that the hardware supports)? Outer methods, inner methods? What would be the credential the user would use to authenticate? Is it the IPA user's kerberos password? Do you plan to use radius for authentication only or do you also want to configure the user session and/or device via the RADIUS response to authentication?

Thank you
Dmitri

From rachid.zarouali at nic.fr Wed Aug 26 11:29:36 2009
From: rachid.zarouali at nic.fr (Rachid Zarouali)
Date: Wed, 26 Aug 2009 13:29:36 +0200
Subject: [Freeipa-users] connecting freeipa server with free radius
In-Reply-To: <4A940C68.2040903@redhat.com>
References: <20090824160755.GI24341@syrius.nic.fr> <4A92BE5C.8060406@redhat.com> <20090825075627.GM24341@syrius.nic.fr> <4A940C68.2040903@redhat.com>
Message-ID: <20090826112936.GF6366@syrius.nic.fr>

Hello Dmitri,

I'll try to answer your questions the best I can :-)

Basically we plan to use the ldap ipa password.
At first we want to use radius for authentication only.
I'm not sure about what you call outer/inner methods :(
The base of the authentication in the project is the ipa ldap, to which we try to connect a freeradius server which is used to authenticate admins on routers/firewalls.....

Am I clear? Sorry if not, I'm a far better system architect than a network guy :)

On Tue, Aug 25, 2009 at 12:08:08PM -0400, Dmitri Pal wrote:
> Hello Richard,
>
> Rachid Zarouali wrote:
> > Thanks for the answer John,
> >
> > Let me explain what we want to do:
> > we have several network equipments (firewall, router, ...)
> > on which we want to add radius authentication using freeradius,
> > to have a central authentication system (network, servers, ...).
> > I'm searching for a way to connect freeradius to the ipa system,
> >
> > like it can be done between openldap and freeradius.
> >
> > Am I clear?
> > If not let me know, I'll put more details.
> >
> >
> The devil is in the details. What kind of authentication methods are you
> planning to use (that the hardware supports)?
> Outer methods, inner methods? What would be the credential the user
> would use to authenticate?
> Is it the IPA user's kerberos password?
> Do you plan to use radius for authentication only or do you also want to
> configure the user session and/or device via the RADIUS response to
> authentication?
>
> Thank you
> Dmitri

From jdennis at redhat.com Wed Aug 26 13:32:52 2009
From: jdennis at redhat.com (John Dennis)
Date: Wed, 26 Aug 2009 09:32:52 -0400
Subject: [Freeipa-users] connecting freeipa server with free radius
In-Reply-To: <20090826081604.GD6366@syrius.nic.fr>
References: <20090824160755.GI24341@syrius.nic.fr> <4A92BE5C.8060406@redhat.com> <20090825075627.GM24341@syrius.nic.fr> <4A940C68.2040903@redhat.com> <20090826081604.GD6366@syrius.nic.fr>
Message-ID: <4A953984.1000503@redhat.com>

On 08/26/2009 04:16 AM, Rachid Zarouali wrote:
> Hello Dmitri,
> I'll try to answer your questions the best I can :-)
>
> Basically we plan to use the ldap ipa password.
> At first we want to use radius for authentication only.
>
> I'm not sure about what you call outer/inner methods :(
> The base of the authentication in the project is the ipa ldap,
> to which we try to connect a freeradius server which is used to authenticate admins on routers/firewalls.....
>
> Am I clear?

If it's just admin access on a router/firewall I don't see a problem at the moment. You should be able to use PAP on the router/firewall; it encrypts the plaintext password and sends it to the freeradius server which decrypts, resulting in the plaintext password. The freeradius server would then be configured to use Kerberos; it uses the plaintext password and obtains a TGT (i.e. it does a kinit on behalf of the user). If this is successful the radius authentication is successful. All this should work "out of the box" for both IPA and FreeRADIUS (although you'll have to edit the FreeRADIUS config to enable krb5).

We're not thrilled with this solution because the radius server sees a plaintext password (although it's encrypted during transport). The security is adequate but not ideal. Safer authentication methods require us to do more integration work between IPA and FreeRADIUS, which at the moment is a deferred work item.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Wed Aug 26 15:16:28 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 26 Aug 2009 11:16:28 -0400
Subject: [Freeipa-users] connecting freeipa server with free radius
In-Reply-To: <4A953984.1000503@redhat.com>
References: <20090824160755.GI24341@syrius.nic.fr> <4A92BE5C.8060406@redhat.com> <20090825075627.GM24341@syrius.nic.fr> <4A940C68.2040903@redhat.com> <20090826081604.GD6366@syrius.nic.fr> <4A953984.1000503@redhat.com>
Message-ID: <4A9551CC.9010605@redhat.com>

John Dennis wrote:
> On 08/26/2009 04:16 AM, Rachid Zarouali wrote:
>> Hello Dmitri,
>> I'll try to answer your questions the best I can :-)
>>
>> Basically we plan to use the ldap ipa password.
>> At first we want to use radius for authentication only.
>>
>> I'm not sure about what you call outer/inner methods :(
>> The base of the authentication in the project is the ipa ldap,
>> to which we try to connect a freeradius server which is used to
>> authenticate admins on routers/firewalls.....
>>
>> Am I clear?
>
> If it's just admin access on a router/firewall I don't see a problem
> at the moment. You should be able to use PAP on the router/firewall;
> it encrypts the plaintext password and sends it to the freeradius
> server which decrypts, resulting in the plaintext password. The
> freeradius server would then be configured to use Kerberos; it uses
> the plaintext password and obtains a TGT (i.e. it does a kinit on
> behalf of the user). If this is successful the radius authentication is
> successful. All this should work "out of the box" for both IPA and
> FreeRADIUS (although you'll have to edit the FreeRADIUS config to
> enable krb5).
>
> We're not thrilled with this solution because the radius server sees a
> plaintext password (although it's encrypted during transport). The
> security is adequate but not ideal.
Safer authentication methods > require us to do more integration work between IPA and FreeRADIUS, > which at the moment is a deferred work item. I agree with John, PAP would most likely work in this case but as John mentioned would not be ideal from security point of view. Before we lock on lowest common denominator which is PAP let us see if there is anything we can do to make it a bit more secure. Your routers and firewalls have a set of the authentication methods they support. PAP is the basic method. There are also more advanced so called EAP methods (Extensible Authentication Protocol) . Those EAP methods usually establish a tunnel and then pass the authentication inside this tunnel. In the pure RADIUS case without EAP PAP will use a shared secret known by your end point and RADIUS server to hash the password using reversible hashing algorithm. Shared secrets should be pretty long to avoid dictionary attacks. I would not be comfortable with them being less then 128 bit of entropy (random alphanumeric with punctuation 20 character shared secrets would do). But this is still not as comfortable as SSL for example. So there is an EAP method that allows passing your password inside the SSL encrypted blob (PEAP). The SSL can be just a tunnel or an authenticated tunnel (the client and server can mutually authenticate each other during the handshake). So this would be an outer method. Inside SSL tunnel you can pass clear text password, PAP, CHAP etc. In this case PAP will be an inner method. So the first step is to determine what auth methods your routes and firewalls support. The RADIUS servers support a lot of different inner and outer methods. So may be PAP can be tunneled using PEAP or some other method supported both by your routers and RADIUS server. This needs to be investigated. When we know what the routers are capable of we would be able to advice if there any more secure configuration than just PAP. 
--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From fujyhluo at yahoo.com Thu Aug 27 14:14:30 2009
From: fujyhluo at yahoo.com (Fu-Jyh Luo)
Date: Thu, 27 Aug 2009 07:14:30 -0700 (PDT)
Subject: [Freeipa-users] howto Control user and group login access to individual or groups of machines
In-Reply-To: <4A953984.1000503@redhat.com>
Message-ID: <44689.34880.qm@web110415.mail.gq1.yahoo.com>

Dear All,

I would like to control user and group login access to individual or groups of machines. How do I do it with FreeIPA?

Here is some information
http://directory.fedoraproject.org/wiki/Howto:Netgroups

Thanks in advance
Fu

From dpal at redhat.com Thu Aug 27 14:26:54 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 27 Aug 2009 10:26:54 -0400
Subject: [Freeipa-users] howto Control user and group login access to individual or groups of machines
In-Reply-To: <44689.34880.qm@web110415.mail.gq1.yahoo.com>
References: <44689.34880.qm@web110415.mail.gq1.yahoo.com>
Message-ID: <4A9697AE.9000306@redhat.com>

Fu-Jyh Luo wrote:
> Dear All,
>
> I would like to control user and group login access to individual or groups of machines. How do I do it with FreeIPA?
>
> Here is some information
> http://directory.fedoraproject.org/wiki/Howto:Netgroups
>
> Thanks in advance
> Fu
>

Not all platforms have a good way of configuring what you are trying to accomplish. Here are some options you have:
http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/
and see the chapter on host based access control. As I recall you will have success with Linux, Fedora and HP-UX. We have not found a way to do the same thing on AIX or Solaris.

> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
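The RADIUS PAP password protection that Dmitri Pal's reply in the "connecting freeipa server with free radius" thread describes (a shared secret and a reversible transform, hence his call for at least 128 bits of secret entropy) can be seen concretely in the User-Password hiding of RFC 2865 section 5.2. The following is an added example, not code from the thread and not FreeIPA or FreeRADIUS code: it implements that transform and its recovery, and estimates how many bits of entropy a shared secret provides against the bar he proposes. The password, shared secret and Request Authenticator values in it are constructed for illustration.

```python
"""Added example (not from the mailing-list thread): RFC 2865 section 5.2
User-Password hiding for RADIUS PAP, plus a shared-secret entropy estimate.
All sample values below are constructed for illustration."""
import hashlib
import math
import secrets
import string


def hide_user_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Hide a PAP password the way a RADIUS client does (RFC 2865 section 5.2).

    The password is NUL-padded to a multiple of 16 bytes and each block is
    XORed with MD5(shared_secret + previous_block), seeded with the 16-byte
    Request Authenticator. There is no key derivation: the shared secret is
    the only thing protecting the password on the wire."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block  # chaining: the next block is keyed off this ciphertext block
    return bytes(hidden)


def recover_user_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Reverse the transform, as the RADIUS server does before it can kinit.

    Knowing the shared secret is sufficient, which is why the transform is
    reversible and why the secret's entropy is what matters."""
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    # Padding is NUL bytes; PAP passwords cannot contain NUL, so stripping is safe.
    return bytes(plain).rstrip(b"\x00")


def shared_secret_entropy_bits(secret: str) -> float:
    """Upper-bound entropy of a shared secret, assuming each character was
    chosen uniformly from the union of the character classes present.
    A secret built from dictionary words scores far lower in reality."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    alphabet = sum(len(cls) for cls in classes if any(ch in cls for ch in secret))
    return len(secret) * math.log2(alphabet) if alphabet else 0.0


def generate_shared_secret(length: int = 20) -> str:
    """Random secret over letters, digits and punctuation (94 symbols, about 6.55 bits each)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample values; a real client uses a fresh random authenticator per request.
    authenticator = bytes(range(16))
    secret = b"Example-Secret!2009"
    password = b"correct horse battery"  # 21 bytes, so two 16-byte blocks on the wire
    hidden = hide_user_password(password, secret, authenticator)
    print("hidden User-Password:", hidden.hex())
    print("recovered:", recover_user_password(hidden, secret, authenticator))
    for s in ("password1", generate_shared_secret(20)):
        print(f"{s!r}: ~{shared_secret_entropy_bits(s):.1f} bits")
```

A 20-character secret drawn from all 94 printable ASCII symbols scores about 131 bits here, which matches the figure in the thread, while a typical 8-character lowercase secret scores under 40; the entropy function is an upper bound, so a short or guessable secret is weaker still.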