May 2019 - FreeIPA-users - Fedora mailing-lists

Statues of the HSM support?
by チョーチュアン 24 May '19

24 May '19

Hi all, I just bought a Nitrokey HSM and trying to set it up with the Freeipa; I'm not sure it's quite supported yet. `ipa-server-install` aborted everytime during CA configuration, reported error was "pkihelper : ERROR Server unreachable due to SSL error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1056)" I wonder if the FreeIPA has some modifications that actually breaks HSM support? Environment: OS: Fedora-30-Cloud-base freeipa-4.7.90.pre1-4.fc30 opensc-0.19.0-6.fc30 Here's what I've done: ```sudo ipa-server-install -U \ --allow-zone-overlap \ --auto-forwarders \ --no-reverse \ -r DOMAN.TLD \ -a `pass ipa/admin` \ -p `pass ipa/dm` \ --setup-dns \ --ca-subject='CN=CA Subject Name' \ --pki-config-override=/etc/ipa/override.ini``` and in the `/etc/ipa/override.ini`: ```[DEFAULT] ipa_key_algorithm=SHA256withEC ipa_key_size=nistp384 ipa_key_type=ecc ipa_signing_algorithm=SHA256withEC pki_hsm_enable=True pki_hsm_libfile=/usr/lib64/opensc-pkcs11.so pki_hsm_modulename=nitrohsm pki_token_name=UserPIN (SmartCard-HSM) pki_token_password=648219``` don't mind the password, it's the default and testing only. I have modified the polkit[0] also: ```polkit.addRule(function(action, subject) { if (action.id == "org.debian.pcsc-lite.access_pcsc" && subject.user == "pkiuser") { return polkit.Result.YES; } }); polkit.addRule(function(action, subject) { if (action.id == "org.debian.pcsc-lite.access_card" && action.lookup("reader").startsWith("Nitrokey Nitrokey HSM") && subject.user == "pkiuser") { return polkit.Result.YES; } });``` `sudo -u pkiuser` gives the right card info. I have disabled p11-kit-proxy by hand: ``` #cat /etc/crypto-policies/local.d/nss-p11-kit.config #name=p11-kit-proxy #library=p11-kit-proxy.so ``` and added nitrohsm for it (maybe not necessary): ```/etc/crypto-policies/local.d/hsm.config name=nitrohsm library=opensc-pkcs11.so``` after that, I can successfully add the SmartCard-HSM to `/etc/pki/pki-tomcat/alias` without a problem. the original error snippet: ```Done configuring ipa-custodia. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/30]: configuring certificate server instance Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpciwcfccp'] returned non-zero exit status 1: 'pkihelper : ERROR Server unreachable due to SSL error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1056)\nconfiguration : ERROR Server failed to restart\npkispawn : ERROR Exception: server failed to restart\n File "/usr/lib/python3.7/site-packages/pki/server/pkispawn.py", line 547, in main\n scriptlet.spawn(deployer)\n File "/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 670, in spawn\n raise Exception("server failed to restart")\n\n') See the installation logs and the following files/directories for more information: /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. CA configuration failed.``` [0]: https://gist.github.com/tiran/af7c21882e1732227455a13c3b8ff380 -- Regards, Quan Zhou F2999657195657205828D56F35F9E5CDBD86324B quanzhou822(a)gmail.com

1 0

Certmonger spawns many processes, causing huge load due to swapping
by Jonathan Vaughn 23 May '19

23 May '19

I previously had tested FreeIPA running on a Raspberry Pi 3B+ and as long as I didn't run the Dogtag server on it performance seemed acceptable for the purpose. These are only being used as local DNS/LDAP/Krb5 replicas, everything also runs on both physical x86_64 and VM x86_64 servers as well in more than one location. However now that I'm trying to set up Pis for actual use (previously had set up a test environment to validate using them) I'm running into major performance issues once certmonger starts. Using a systemd timer to delay start until everything else starts at least lets everything else FreeIPA related start up and work, but once certmonger starts it still hammers the system using tons of memory and causing lots of swapping. Is there any reason for it to spawn so many processes all at once, versus doing them in a more serial fashion? And did something change in FreeIPA/certmonger behavior in the last year that would cause such a performance regression in memory limited scenarios? Previously I just had zram swap and it was fine, now I have to replace that with actual swap on storage. Also, there's currently no certs needing renewal or anything on this system, so why does it even spawn so many processes ? root 1699 1 0 03:55 ? 00:00:00 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n root 1720 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit root 1721 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit root 1722 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit root 1723 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit root 1724 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit root 1725 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit root 1726 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit root 1727 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit root 1742 1699 0 03:55 ? 00:00:00 /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit root 1759 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit root 1761 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit root 1762 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit root 1763 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit root 1764 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit root 1765 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit root 1767 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit root 1768 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit root 1769 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing root 1770 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing root 1771 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing root 1772 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing root 1773 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing root 1774 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing root 1775 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing root 1776 1699 0 03:57 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing Eventually these complete and things settle down but it takes a very long time, and without delaying certmonger until after the rest of FreeIPA it can cause various IPA services to take so long that they die and fail to start.

3 4

secure freeipa exposed to internet
by Stepan Vardanyan 23 May '19

23 May '19

Hello, I've proposed to migrate from OpenLDAP to FreeIPA solution in my organization because the former did not met our requirements as we moving to Single Sign On. We migrated to FreeIPA but set it up with internal DNS name. This was dumb decision as we have a lot of external hosts in AWS and other datacenters which we want to join to our FreeIPA for authentication with one credential and utilize policies (HBAC, sudoers) easily and centrally. We found that there is two solutions: - setup tunnels between AWS and datacenters for making our DNS zone and FreeIPA servers available; - redeploy whole FreeIPA with external DNS name and expose FreeIPA servers to Internet. We end up with second option because first one is very complex, but second option make us think about security. What came to mind is: - disable anonymous bind; - prohibit unencrypted traffic and improve communications security by using options: nsslapd-minssf=128, nsslapd-require-secure-binds=on, sslVersionMin=TLS1.1. So, there is several questions: 1) Is there anything else from security perspective that we should care, configure properly (Kerberos DC for example)? 2) We want to share with users only one Web service from specific replica so users will not cause replication conflicts by modifying entries in other replicas. Is it ok if we close web ports (80, 443) only to localhost on other replicas and leave all other ports on all replicas opened to internet (389,636,88,464)? 3) How secure and strong is default SASL/GSSAPI replication mechanism? I've noticed that traffic is encrypted but can be decrypted by using servers kerberos keytab 4) Overall, even with all previous concerns taken into account cared is it proper to open FreeIPA to internet? This is kinda rhetorical question as we see that this is only choice for us but just want to hear some advices, expert vision. P.S. We don't utilize FreeIPA internal DNS service. DNS is configured on external hosts Thanks in advance.

10 18

Login to Web UI
by Markus Roth 23 May '19

23 May '19

2 3

Add SAN to cert (without adding it to the CSR)
by Ian Pilcher 22 May '19

22 May '19

I am trying to create a certificate for an older network printer. Unfortunately, I cannot just load a certificate and private key of my own creation. The printer only supports certificates created from a CSR of its own creation, which does not include the SAN. Is it possible to make IPA copy the CN into the SAN? Thanks! -- ======================================================================== Ian Pilcher arequipeno(a)gmail.com -------- "I grew up before Mark Zuckerberg invented friendship" -------- ========================================================================

1 1

DNS problems
by Kristian Petersen 22 May '19

22 May '19

Hey all, I am using IPA for my DNS and have 3 total servers in the group. 2 of them are responding to queries just fine, but the 3rd (which is bare metal, not a VM like the others) is not resolving the queries issued to it. Running ipactl status returns all services running: [root@ipa3 /]# ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING *named Service: RUNNING * httpd Service: RUNNING ipa-custodia Service: RUNNING ntpd Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa-dnskeysyncd Service: RUNNING ipa: INFO: The ipactl command was successful We tried restarting the services but didn't change anything. Next we tries to do a forced sync of the server with one of its working replicas: ipa-replica-manage force-sync --from ipa1.example.com We also tried re-initializing the non-working replica: ipa-replica-manage re-initialize --from ipa1.example.com However, it still won't resolve any queries directed to it. Any ideas of what to try next? -- Kristian Petersen System Administrator BYU Dept. of Chemistry and Biochemistry

3 3

Everyone is disabled in UI
by Andrey Bondarenko 22 May '19

22 May '19

Hi, My IPA shows every user as "disabled" when in UI I go to the user's page. Also the password policy fields are empty and if I am filling in something new like phone number it's not showing up in the IU after I save it. But in cli everything is correct and shown. Users list also shows everyone as "enabled". Did anyone have seen something like this? Version: 4.6.4-10 CentOS 7 -- With best regards, Andrey Bondarenkomail:me@andreybondarenko.comhttps://andreybondarenko.com skype:andrey.bondarenko phone, Telegram, WhatsApp, etc:+420-773-591-443 7758 40AC 88CC 96C9 0C9A 9EE4 3B72 547B 7538 D41B

1 0

Access IPA Vault from container
by Dmitry Perets 21 May '19

21 May '19

Hi, I have a use-case when an application needs to access the secret stored in IPA Vault. The problem is that the application is containerized... So what would be the best practice to authenticate to the Vault? The logic says we should use REST API, but how to authenticate to the IPA, without having to put user/password in a file inside the container...? Enroll the container with IPA and use Kerberos...? Or mount a keytab file from the enrolled parent host and install Kerberos package in the container to use it...? Does anyone have an experience with this? Thanks.

2 1

AD->IPA Synchronisation: Staged versus Active users
by Robert Sturrock 21 May '19

21 May '19

Hi All. I’m exploring the use of IPA in a synchronisation (rather than trust) arrangement with AD, as this fits a particular use-case we have here quite well. Our AD is very large, so a large number of users are synchronised into IPA and they come across by default as ‘Disabled’. This is fine - an administrator can easily enable those who need access. However, the users all show up as ‘Active users’, rather than ‘Stage users’. But it would be much better if they were ‘Stage users’ to start with, and needed to be explicitly activated before moving into ‘Active users’. It seems that IPA doesn’t work this way in a synchronisation agreement? Is there any way to configure the system so that it does? Regards, Robert.

2 1

OTP check via API
by Adam Bishop 20 May '19

20 May '19

Is there an API endpoint I can use to perform OTP verification without the users password (i.e. just with their DN or uid)? I've got a non-web application with its own authentication system that I'd like to add MFA to, and I'd rather avoid copying the OTP secrets to it or re-writing the application.

2 1

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users May 2019