[Freeipa-users] Difficulty setting up free-ipa

Rob Crittenden rcritten at redhat.com
Thu Mar 5 20:22:19 UTC 2009


John B. Adams wrote:
> Hi
> 
> I am a little concerned that it is really difficult for us mortals to check out free-ipa. Especially as I feel it will become a significant part of our work if it does what it says on the tin.
> 
> I tried last year on Fedora 10 which is becoming my standard platform for all things linux.  I followed the setup instructions. I made a posting on 6th December 2008 listing the problems I was getting with the web browser and kerberos. We had another two attempts at it after Dimitri kindly offered some suggestions.  However we gave up.

I'm sorry you had problems. I'll see if I can help you.

> 
> We were encouraged in the new year when the Step by step howto appeared. But we are still unable to get a result.
> 
> Referring to the step by step howto our first hurdle was "The IPA server may show a conflict with mod_ssl package. IPA uses mod_nss in apache. You can remove mod_ssl for the time being" 
> 
> 1) How would we know if free-ipa was conflicting where would it show the conflict?
> 2) How would we remove mod_ssl if we identified the issue.

The assumption, apparently a bad one, is that the user is familiar 
with Fedora package upgrade and management. The conflict is in the 
package itself. You cannot install the ipa-server package if mod_ssl is 
installed (unless you explicitly force it).

To remove mod_ssl you can do either (as root):
# rpm -e mod_ssl
# yum erase mod_ssl

mod_nss and mod_ssl both provide SSL services to Apache. We chose to go 
with mod_nss. Normally mod_nss and mod_ssl can coexist peacefully if 
they are using unique ports. The reason for the conflict is that if 
mod_ssl is loaded then the Apache module that does proxying (mod_proxy) 
will use the mod_ssl crypto routines instead of the mod_nss crypto routines.

So by merely being loaded mod_ssl will cause UI failures, so we do what 
we can to make sure mod_ssl isn't on the system at all.

> 
> Anyway we ignored this did an iptables -F (SE linux is enabled but I can turn it off) and went for the install with 
> 
> ipa-server-install --setup-bind 
> 
> In the listing of the install it says "disabling mod_ssl in httpd" so it looks like that gets done for us.

This was the original method we used to disable mod_ssl. It renames the 
configuration file. The problem is that the next time the package is 
updated the package manager says "oh, I can write a new configuration 
file" which will then cause the IPA UI to start failing.

> 
> I do get "named service failed to start" 
> 
> So we tried to edit the minimal named.conf as suggested this is what we have

Our bind support is experimental at this point though your issue seems 
related directly to basic bind configuration. I'm not sure what the 
issue is though it seems to simply not be able to find the file it is 
looking for. I'm not sure why.

> 
> I notice in our original setup it says:
> 
>   Installing     : ipa-server                                             64/64 
> Missing Certification Authority file.
> You should place a copy of the CA certificate in /usr/share/ipa/html/ca.crt

Looks like a bug, this can be ignored. Some previous versions of IPA 
didn't place a copy of the self-signed CA into /usr/share/ipa/html and 
we were trying to catch that on upgrades. Apparently this can also be 
displayed on an initial install which is confusing.

I've filed a bug.

> 
> So this may cause some issues.   Where do I get the CA certificates from do I have to self sign a certificate or something
> or buy one?

By default, when you run ipa-server-install it will generate a 
self-signed CA which will issue all the necessary certificates.

You can optionally provide your own certificates. See ipa-server-install 
--help for all the options.

> I usually configure linux machines with webmin so my interaction with BIND is well serviced by that webmin module, I am a little hopeless 
> when it comes to certificates.

If you let IPA generate its own CA the only issue is having your clients 
trust it (this is the one of the reasons that we check that the CA file 
is installed in the proper location).

> 
> Any help to get past these hurdles would be most welcome.

Hope this helps.

regards

rob
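A pre-flight check covering the two points in the reply above (mod_ssl still able to load into Apache, and the CA copy the installer warns about). This is an added example, not FreeIPA's own tooling; the Fedora paths it defaults to are taken from the thread, and the helpers take paths as arguments so they can be exercised against a scratch directory.

```shell
#!/bin/sh
# Constructed pre-flight check (not part of FreeIPA). Reports whether
# mod_ssl would still be loaded by Apache, which the reply says makes the
# IPA UI fail, and whether /usr/share/ipa/html/ca.crt is in place.

# Return 0 if any *.conf under $1 has an active (uncommented) LoadModule
# line for ssl_module, 1 otherwise. A renamed file (ssl.conf.rpmsave,
# the old "disabling mod_ssl" trick) is deliberately not matched, since
# Apache only reads *.conf from conf.d.
mod_ssl_active() {
    confdir="${1:-/etc/httpd/conf.d}"
    for f in "$confdir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*LoadModule[[:space:]]+ssl_module' "$f"; then
            echo "mod_ssl is loaded by $f"
            return 0
        fi
    done
    return 1
}

# Return 0 if the mod_ssl package is installed, 1 if not, 2 if rpm is
# unavailable (e.g. on a non-RPM host used for testing).
mod_ssl_installed() {
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -q mod_ssl >/dev/null 2>&1
}

# Return 0 if $1 is a readable PEM certificate, 1 otherwise.
ipa_ca_present() {
    ca="${1:-/usr/share/ipa/html/ca.crt}"
    [ -r "$ca" ] && grep -q 'BEGIN CERTIFICATE' "$ca"
}

# Run all checks; $1 = Apache conf.d dir, $2 = CA file. Returns 0 if clean.
preflight() {
    rc=0; st=0
    mod_ssl_installed || st=$?
    [ "$st" -eq 0 ] && { echo "mod_ssl package installed: rpm -e mod_ssl"; rc=1; }
    [ "$st" -eq 2 ] && echo "rpm not found, skipping package check"
    if mod_ssl_active "${1:-/etc/httpd/conf.d}"; then
        echo "-> remove mod_ssl rather than renaming its conf; UI will fail"; rc=1
    fi
    if ipa_ca_present "${2:-/usr/share/ipa/html/ca.crt}"; then
        echo "CA copy present"
    else
        echo "CA copy missing (the install-time warning may be spurious)"; rc=1
    fi
    return $rc
}

if [ "${1-}" = "--check" ]; then preflight "$2" "$3"; fi
```

Run it as `sh preflight.sh --check` on the server before `ipa-server-install`; a non-zero exit means one of the conditions from the thread still applies.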