[Freeipa-users] Difficulty setting up free-ipa
Rob Crittenden
rcritten at redhat.com
Thu Mar 5 20:22:19 UTC 2009
John B. Adams wrote:
> Hi
>
> I am a little concerned that it is really difficult for us mortals to check out free-ipa, especially as I feel it will become a significant part of our work if it does what it says on the tin.
>
> I tried last year on Fedora 10, which is becoming my standard platform for all things Linux. I followed the setup instructions. I made a posting on 6th December 2008 listing the problems I was getting with the web browser and Kerberos. We made another two attempts after Dimitri kindly offered some suggestions. However, we gave up.
I'm sorry you had problems. I'll see if I can help you.
>
> We were encouraged in the new year when the step-by-step howto appeared. But we are still unable to get a result.
>
> Referring to the step by step howto our first hurdle was "The IPA server may show a conflict with mod_ssl package. IPA uses mod_nss in apache. You can remove mod_ssl for the time being"
>
> 1) How would we know if free-ipa was conflicting? Where would it show the conflict?
> 2) How would we remove mod_ssl if we identified the issue?
The assumption, apparently a bad one, is that the user is familiar
with Fedora package upgrade and management. The conflict is in the
package itself. You cannot install the ipa-server package if mod_ssl is
installed (unless you explicitly force it).
To remove mod_ssl you can do either (as root):
# rpm -e mod_ssl
# yum erase mod_ssl
mod_nss and mod_ssl both provide SSL services to Apache. We chose to go
with mod_nss. Normally mod_nss and mod_ssl can coexist peacefully if
they are using unique ports. The reason for the conflict is that if
mod_ssl is loaded then the Apache module that does proxying (mod_proxy)
will use the mod_ssl crypto routines instead of the mod_nss crypto routines.
So by merely being loaded mod_ssl will cause UI failures, so we do what
we can to make sure mod_ssl isn't on the system at all.
>
> Anyway, we ignored this, did an iptables -F (SELinux is enabled but I can turn it off), and went for the install with
>
> ipa-server-install --setup-bind
>
> In the listing of the install it says "disabling mod_ssl in httpd" so it looks like that gets done for us.
This was the original method we used to disable mod_ssl. It renames the
configuration file. The problem is that the next time the package is
updated the package manager says "oh, I can write a new configuration
file" which will then cause the IPA UI to start failing.
>
> I do get "named service failed to start"
>
> So we tried to edit the minimal named.conf as suggested; this is what we have
Our bind support is experimental at this point though your issue seems
related directly to basic bind configuration. I'm not sure what the
issue is though it seems to simply not be able to find the file it is
looking for. I'm not sure why.
>
> I notice in our original setup it says:
>
> Installing : ipa-server 64/64
> Missing Certification Authority file.
> You should place a copy of the CA certificate in /usr/share/ipa/html/ca.crt
Looks like a bug; this can be ignored. Some previous versions of IPA
didn't place a copy of the self-signed CA into /usr/share/ipa/html and
we were trying to catch that on upgrades. Apparently this can also be
displayed on an initial install which is confusing.
I've filed a bug.
>
> So this may cause some issues. Where do I get the CA certificates from? Do I have to self-sign a certificate or something,
> or buy one?
By default, when you run ipa-server-install it will generate a
self-signed CA which will issue all the necessary certificates.
You can optionally provide your own certificates. See ipa-server-install
--help for all the options.
> I usually configure Linux machines with webmin, so my interaction with BIND is well serviced by that webmin module. I am a little hopeless
> when it comes to certificates.
If you let IPA generate its own CA the only issue is having your clients
trust it (this is one of the reasons that we check that the CA file
is installed in the proper location).
>
> Any help to get past these hurdles would be most welcome.
Hope this helps.
regards
rob
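As an added example that is not part of this thread or of the FreeIPA project: a small POSIX shell preflight that checks the two things Rob's reply points at before running ipa-server-install, namely whether an Apache conf directory still has an active "LoadModule ssl_module" line (the mod_ssl / mod_nss conflict) and whether the CA certificate is present at the html location the installer mentions. The directory paths, file names and sample file contents below are constructed for the demonstration; on a real Fedora host you would point it at /etc/httpd/conf.d and /usr/share/ipa/html.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from FreeIPA.
# Checks for the mod_ssl conflict and the CA file location discussed above.

# Return 0 if any *.conf file under $1 has an uncommented LoadModule ssl_module.
# Commented-out lines (the old "rename/disable" approach) do not count, but the
# reply above explains why removing the package is the durable fix.
mod_ssl_active() {
    dir="$1"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*LoadModule[[:space:]]+ssl_module' "$f"; then
            return 0
        fi
    done
    return 1
}

# Return 0 if the mod_ssl package is installed (only meaningful on an RPM host).
mod_ssl_installed() {
    command -v rpm >/dev/null 2>&1 && rpm -q mod_ssl >/dev/null 2>&1
}

# Return 0 if a non-empty ca.crt exists in the IPA html directory $1.
ipa_ca_present() {
    [ -s "$1/ca.crt" ]
}

# Run the file-based checks; print one line per finding and return 0 only when
# nothing would break the IPA UI. A missing ca.crt is a warning, not a blocker,
# because the reply says the installer's message about it can be ignored.
ipa_preflight() {
    conf_dir="$1"; html_dir="$2"; ok=0
    if mod_ssl_active "$conf_dir"; then
        echo "BLOCK: mod_ssl is loaded from $conf_dir; remove the package (rpm -e mod_ssl)"
        echo "       rather than editing the file, or the next update re-enables it"
        ok=1
    fi
    if ! ipa_ca_present "$html_dir"; then
        echo "WARN: no CA certificate at $html_dir/ca.crt; clients will need to trust the IPA CA"
    fi
    return $ok
}

# Constructed sample trees (assumption: illustrative layout, not real configs).
SAMPLE_CLEAN=$(mktemp -d)
printf 'LoadModule nss_module modules/libmodnss.so\n' > "$SAMPLE_CLEAN/nss.conf"
printf '#LoadModule ssl_module modules/mod_ssl.so\n' > "$SAMPLE_CLEAN/ssl.conf"

SAMPLE_CONFLICT=$(mktemp -d)
printf 'LoadModule nss_module modules/libmodnss.so\n' > "$SAMPLE_CONFLICT/nss.conf"
printf '  LoadModule ssl_module modules/mod_ssl.so\nListen 443\n' > "$SAMPLE_CONFLICT/ssl.conf"

SAMPLE_HTML=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nconstructed placeholder, not a real certificate\n-----END CERTIFICATE-----\n' > "$SAMPLE_HTML/ca.crt"

# Usage: ipa_preflight /etc/httpd/conf.d /usr/share/ipa/html
ipa_preflight "$SAMPLE_CONFLICT" "$SAMPLE_HTML"
ipa_preflight "$SAMPLE_CLEAN" "$SAMPLE_HTML" && echo "OK: no mod_ssl conflict in $SAMPLE_CLEAN"
```

The grep pattern deliberately ignores lines that begin with "#", so a config disabled by commenting still passes; the point of the reply is that the package itself is the reliable thing to remove, which is why the blocker message names rpm -e rather than a file edit.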