Has anyone installed this on their prod FreeIPA installation? I need to hook FreeIPA into some other auth systems that don't support LDAP.
On Thu, 17 May 2018, Andrew Meyer via FreeIPA-users wrote:
> Has anyone installed this on their prod FreeIPA installation? I need to hook FreeIPA into some other auth systems that don't support LDAP.
I've been using FreeIPA with Ipsilon for quite a few years for my home setup. I even added integration for Ipsilon to HackMD: https://github.com/hackmdio/hackmd/pull/732
So I followed the directions to add it to my dev freeipa servers, restarted the httpd. But when I go to log in at https://myserver/idp as admin or myself, I get 401 Unauthorized no matter what. This is what I need to install the server: sudo ipsilon-server-install --openid --saml2 yes --ipa yes --info-nss yes

I see this in /var/log/messages:

May 17 14:34:04 freeipa01-dev [sssd[ldap_child[9215]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:34:04 freeipa01-dev [sssd[ldap_child[9217]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:35:11 freeipa01-dev [sssd[ldap_child[9219]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:35:11 freeipa01-dev [sssd[ldap_child[9221]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:36:26 freeipa01-dev [sssd[ldap_child[9223]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:36:26 freeipa01-dev [sssd[ldap_child[9224]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:37:32 freeipa01-dev [sssd[ldap_child[9228]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:37:32 freeipa01-dev [sssd[ldap_child[9230]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:38:36 freeipa01-dev [sssd[ldap_child[9238]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:38:36 freeipa01-dev [sssd[ldap_child[9240]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:39:37 freeipa01-dev [sssd[ldap_child[9243]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:39:37 freeipa01-dev [sssd[ldap_child[9245]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.

This is what is in /var/log/http/error_log:

[Thu May 17 13:55:56.263306 2018] [authnz_pam:warn] [pid 8829] [client 10.1.6.250:50562] PAM authentication failed for user andrew.meyer: Authentication failure, referer: https://freeipa01-dev.example.local/idp/login/gssapi/negotiate?ipsilon_trans...
May 17 13:55:59.673795 2018] [auth_gssapi:error] [pid 8829] [client 10.1.6.250:50562] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/login/form
[Thu May 17 13:56:05.735790 2018] [authnz_pam:warn] [pid 8829] [client 10.1.6.250:50562] PAM authentication failed for user admin: Error in service module, referer: https://freeipa01-dev.example.local/idp/login/gssapi/negotiate?ipsilon_trans...
May 17 13:56:08.232387 2018] [auth_gssapi:error] [pid 8829] [client 10.1.6.250:50562] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/login/form
[Thu May 17 13:56:14.206573 2018] [auth_gssapi:error] [pid 8829] [client 10.1.6.250:50562] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/login/gssapi/negotiate?ipsilon_trans...
May 17 14:39:17.674883 2018] [auth_gssapi:error] [pid 8830] [client 10.1.6.250:51742] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/
[Thu May 17 14:39:21.039126 2018] [auth_gssapi:error] [pid 8830] [client 10.1.6.250:51742] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/
[Thu May 17 14:39:32.032374 2018] [authnz_pam:warn] [pid 8830] [client 10.1.6.250:51742] PAM authentication failed for user admin: Error in service module, referer: https://freeipa01-dev.example.local/idp/login/gssapi/negotiate?ipsilon_trans...
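As an added illustration (not code from the thread, from Ipsilon or from FreeIPA), a small Python triage over the kind of log lines posted above: it separates the sssd keytab preauthentication failures from the httpd PAM and GSSAPI messages, so the server-side failure is not buried under the browser-side "NO AUTH DATA" noise. The sample lines are constructed from the excerpts above; the failure-class names and the check order are assumptions of this example.

```python
import re
from collections import Counter
# Constructed sample: lines abridged from the sssd and httpd excerpts posted above, plus one unrelated line.
SAMPLE_LOG = """\
May 17 14:34:04 freeipa01-dev [sssd[ldap_child[9215]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:34:04 freeipa01-dev [sssd[ldap_child[9217]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
[Thu May 17 13:55:56.263306 2018] [authnz_pam:warn] [pid 8829] [client 10.1.6.250:50562] PAM authentication failed for user andrew.meyer: Authentication failure, referer: https://freeipa01-dev.example.local/idp/login/gssapi/negotiate
[Thu May 17 13:55:59.673795 2018] [auth_gssapi:error] [pid 8829] [client 10.1.6.250:50562] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/login/form
[Thu May 17 13:56:05.735790 2018] [authnz_pam:warn] [pid 8829] [client 10.1.6.250:50562] PAM authentication failed for user admin: Error in service module, referer: https://freeipa01-dev.example.local/idp/login/gssapi/negotiate
May 17 14:40:00 freeipa01-dev sshd[1]: Accepted publickey for admin from 10.1.6.250 port 50000
"""
# One pattern per failure class visible in the thread.
SSSD_KEYTAB = re.compile(r"\[sssd\[ldap_child\[\d+\]\]\]: Failed to initialize credentials using keytab "
                         r"\[(?P<keytab>[^\]]+)\]: (?P<reason>[^.]+)\.")
PAM_FAIL = re.compile(r"\[authnz_pam:warn\].*PAM authentication failed for user (?P<user>\S+): (?P<reason>[^,]+),")
GSSAPI_NOAUTH = re.compile(r"\[auth_gssapi:error\].*NO AUTH DATA")

def classify(line):
    """Map one log line to (failure_class, detail); None for lines that are not one of the known failures."""
    m = SSSD_KEYTAB.search(line)
    if m:
        return "sssd_keytab_preauth", m.group("keytab") + ": " + m.group("reason")
    m = PAM_FAIL.search(line)
    if m:
        return "pam_failure", m.group("user") + ": " + m.group("reason")
    if GSSAPI_NOAUTH.search(line):
        return "gssapi_no_auth_header", ""  # browser sent no Negotiate header; not a server fault by itself
    return None

def triage(text):
    """Count failures per class and record the last PAM failure reason seen for each user."""
    counts, pam_reasons = Counter(), {}
    for line in text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        counts[hit[0]] += 1
        if hit[0] == "pam_failure":
            user, reason = hit[1].split(": ", 1)
            pam_reasons[user] = reason
    return counts, pam_reasons

def first_thing_to_check(counts):
    """A keytab that fails preauthentication stops sssd (and so PAM through sssd) before Ipsilon is even involved."""
    if counts["sssd_keytab_preauth"]:
        return "host keytab does not authenticate to the KDC"
    if counts["pam_failure"]:
        return "PAM service used by mod_authnz_pam"
    return "no server-side auth failure recorded"
```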
On Thu, 17 May 2018, Andrew Meyer wrote:
> So I followed the directions to add it to my dev freeipa servers, restarted the httpd. But when I go to log in at https://myserver/idp as admin or myself, I get 401 Unauthorized no matter what. This is what I need to install the server: sudo ipsilon-server-install --openid --saml2 yes --ipa yes --info-nss yes
I do not run Ipsilon on the same machine as IPA master and do not recommend that. Use a separate IPA client.
On Thu, May 17, 2018 at 10:53:13PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
> On Thu, 17 May 2018, Andrew Meyer wrote:
> > So I followed the directions to add it to my dev freeipa servers, restarted the httpd. But when I go to log in at https://myserver/idp as admin or myself, I get 401 Unauthorized no matter what. This is what I need to install the server: sudo ipsilon-server-install --openid --saml2 yes --ipa yes --info-nss yes
> I do not run Ipsilon on the same machine as IPA master and do not recommend that. Use a separate IPA client.
It used to work fairly well in 2015:
https://www.adelton.com/freeipa/freeipa-ipsilon-single-machine
and I've used it for a number of demos and testing.
However, at least with Fedora 28, it will fail simply because FreeIPA is python3 and Ipsilon is python2, and wsgi does not like mixing the two.
What about on CentOS 7?
On Tue, May 22, 2018 at 02:38:11PM +0000, Andrew Meyer via FreeIPA-users wrote:
> What about on CentOS 7?
On Thu, May 17, 2018 at 07:45:34PM +0000, Andrew Meyer via FreeIPA-users wrote:
> So I followed the directions to add it to my dev freeipa servers, restarted the httpd. But when I go to log in at https://myserver/idp as admin or myself, I get 401 Unauthorized no matter what. This is what I need to install the server: sudo ipsilon-server-install --openid --saml2 yes --ipa yes --info-nss yes
CentOS 7 ships Ipsilon 1.0.0 while ipsilon-openidc (needed for the --openid option above) only started to be available with Ipsilon 2.
How did you install Ipsilon on CentOS 7 so that the above ipsilon-server-install command passed for you?
Andrew Meyer via FreeIPA-users wrote:
> Has anyone installed this on their prod FreeIPA installation? I need to hook FreeIPA into some other auth systems that don't support LDAP.
Ipsilon is a fine IdP and is used to host a bunch of huge, operational infrastructure (like FAS).
A bunch of FreeIPA developers have contributed to it and AFAIK it still works fine using IPA as an identity backend.
rob
On Thu, 17 May 2018, Rob Crittenden via FreeIPA-users wrote:
> Andrew Meyer via FreeIPA-users wrote:
> > Has anyone installed this on their prod FreeIPA installation? I need to hook FreeIPA into some other auth systems that don't support LDAP.
> Ipsilon is a fine IdP and is used to host a bunch of huge, operational infrastructure (like FAS).
> A bunch of FreeIPA developers have contributed to it and AFAIK it still works fine using IPA as an identity backend.
Correct. The whole of Fedora actually runs off that -- FAS is Ipsilon, and Kerberos authentication is done by the Fedora FreeIPA instance behind it.
freeipa-users@lists.fedorahosted.org