New plugin almost ready - postfixadmin
by Francis Augusto Medeiros-Logeay
Hi,
I have almost finished a plugin for FreeIPA, so that admins can have similar functionality found on Postfix Admin.
https://github.com/oculos/freeipa-postfixadmin/blob/main/README.md
freeipa-postfixadmin/README.md at main · oculos/freeipa-postfixadmin
github.com
There is already a good plugin that does a bit of that, but the goal is a bit different. My main goal is not to mix up postfix configuration with groups and hosts, but have separate entities for domain, aliases and virtual domains, in addition to mailboxes.
It was written mostly to allow me to migrate my mailboxes from MySQL to FreeIPA, and I don’t have a huge postfix configuration - I only have multiple domains, mailboxes, aliases and virtual domains, so that’s the functionality I wanted with this plugin.
There are a few things missing before this can go in production («production» here means to actually migrate my mailboxes to FreeIPA), adding a mailbox to ipa users on the gui being the most important one.
I would appreciate any comments and feedbacks regarding this plugin. It wasn’t easy to understand the logic on how to write one, but I got the hang of it (for simple stuff).
Best,
Francis
6 months, 3 weeks
Allow sysaccount to view its own entry
by Adam Bishop
I have a piece of software that tries to look up its own uid to check that LDAP is correctly configured.
This check fails because the sysaccount cannot view anything under cn=etc,cn=sysaccounts.
Is there an existing permission/privilege that I can use to allow it to read the sysaccounts tree (or better, just its own entry)?
Many Thanks,
Adam Bishop
6 months, 3 weeks
Installing FreeIPA server + replica using Ansible Role FreeIPA
by Finn Fysj
The installation of IPA server and replica does not produce desired result.
Even though the mkhomedir is set to true the feature is not enabled in the authselect. Also the replica server does not replicate SUDO and HBAC rules from the IPA master.
Is the only solution to re-install the whole IPA server/replicas stuff? Kinda stupid.
Example of the IPA server role:
- role: freeipa.ansible_freeipa.ipaserver
vars:
ipaserver: "{{ ansible_hostname }}.example"
ipaserver_hostname: "{{ ansible_hostname }}.example"
ipaadmin_password: "test123"
ipadm_password: "test321"
ipaserver_domain: "example.com"
ipaserver_realm: "EXAMPLE.COM"
ipaserver_no_host_dns: true
ipaserver_mem_check: true
ipaserver_install_packages: true
ipaserver_setup_dns: false
ipaserver_no_pkinit: true
ipaserver_no_hbac_allow: true
ipaserver_no_ui_redirect: false
ipaclient_no_ntp: true
ipaclient_mkhomedir: true
ipaclient_no_sudo: false
7 months, 1 week
FreeIPA PKI Certs wont renew "Adjustment limit exceeded"
by T A
On FreeIPA version 4.6.8-5 realized that pki-tomcatd wouldnt start
ipactl status
pki-tomcatd Service: STOPPED
Ran 'getcert list' and found the 'pki-tomcat' cert was expired
Rolled back the system clock to before the cert expired, now starts up
ipactl status
pki-tomcatd Service: STARTED
Tried to renew with 'ipa-getcert resubmit -i "123456"' but it shows "status: CA_UNREACHABLE"
'ipa-cert fix' didnt work either
Checked logs again 'journalctl -t certmonger' and found 'ns-slapd' was giving out this error when it tried to renew 'csngen_adjust_local_time - Adjustment limit exceeded: value - 435060 limit - 86400'
Any way to change the adjustment limit or force this cert to renew anyway?
8 months, 1 week
kinit: KDC can't fulfill requested option while renewing credentials - which approach?
by Pieter Baele
I tried various approached to get Renewable tickets :
modifying the kdc
modifying krb5.conf
using kadmin.local on every replica to modify the principal; which is not
working - as designed (?)- in IPA
What should I do to get a ticket with the correct R flag from IPA ?
I don't think this is SSSD related (the service needing the renewable
ticket this way is Apache Storm)
Thanks a lot!
8 months, 2 weeks
AIX - IPA group membership
by Ronald Wimmer
I can and use IPA users on an AIX client. As well as groups. But somehow
group membership does not seem to be configured correctly...
# id y179768
uid=1246660005(y179768) gid=1246660005(y179768)
# lsgroup -R LDAP ipa-aix-g
ipa-aix-g id=1246690508 users= registry=LDAP
Anyone has a hint what could be misconfigured?
8 months, 3 weeks
Custom ssl cert for freeipa docker
by Leo O
Hello Guys,
I'm would like to use custom ssl certificates for http and ldap, I saw the following:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
But I wonder how would this be done when using freeipa in a docker/podman container. I mean the container is started with "--read-only" flag. So it's not clear to me what the correct approach here would be. I hope it's not that you have to re-build an own image with the ssl certificates every time?
Background Info: I'm using acme.sh in a VM, which creates my wildcard letsencrypt certificates and puts them on an nfs share. Freeipa should simply use that certificates for http and ldap and that's it. No renewing as this is done by the acme.sh VM itself.
9 months, 1 week
In FreeIPA AD trust environment add AD user to local group
by Sameer Gurung
I have integrated freeipa with AD via a two way trust. However I now have a
problem
How do I add my AD users logging in to linux clients to the local machines
docker group so that they can run docker.
Any help would be appreciated.
Thanks everyone!
Sameer K Gurung
--
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be intercepted,
corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
The sender therefore does not accept liability for any errors or omissions
in the contents of this message, which arise as a result of e-mail
transmission. If verification is required please request a hard-copy
version. Saint Mary's College, Shillong, Meghalaya, India-793003,
smcs.ac.in <http://smcs.ac.in>
9 months, 3 weeks
Visibility/access of Freeipa users to windows on trusted AD
by Francis Augusto Medeiros-Logeay
Hi,
I have searched this everywhere, but can't find it.
I want to grant access to a FreeIPA user to a Windows machine. When I
try to grant the user access on windows, adding it like
FREEIPADOMAIN\freeipauser, I get an error. There is a trust between both
domains, but every place where I see the trusted domain on Windows (for
example when configuring a GPO) I can't search for FreeIPA users.
Is this how it is supposed to be, or how can I see my FreeIPA users on
Windows the same way I see AD users on my freeipa linux clients?
Best,
Francis
--
Francis Augusto Medeiros-Logeay
Oslo, Norway
9 months, 3 weeks