FreeIPA
FreeIPA is an identity solution analogous to Active Directory. Well, almost. The point is that it is still in development but already usable. Here you'll find some tips about FreeIPA and its use.
Different clients
Informix
O3Spaces
This is relatively good software from the user's standpoint, but absolutely horrible when it comes to administration. It doesn't support an external user database: the best you can achieve is to connect it to the LDAP database, which is then copied into some local/internal store of O3Spaces. Thus, you can forget about Kerberos and Single Sign On.
An additional inconvenience is that you have to create an account for O3Spaces that will be used to synchronize the LDAP database with O3Spaces' database. Furthermore, O3Spaces will do a simple bind to the LDAP database.
Samba
http://www.mail-archive.com/freeipa-users@redhat.com/msg00111.html
Some random notes on how I integrated Samba 3 with FreeIPA. I'll organize this better as soon as I find some free time:
I extended the LDAP schema without any problems. The only differences were that the command was ldapmodify -Y GSSAPI rather than plain ldapmodify, and that I obtained an admin ticket beforehand. Also, yourdomain has to be changed; it's probably the same as your Kerberos realm, e.g. if your Kerberos realm is EXAMPLE.COM then this will be dc=example,dc=com. The replica immediately caught the change.
I then configured Samba as a BDC. Note that I turned off SSL access because my IPA and Samba services are on the same host. I also gave Samba the admin DN (it will be something like uid=admin,cn=users,cn=accounts,dc=example,dc=com) and stored the admin password using the smbpasswd -w command.
After configuring Samba I was able to obtain the SID using the net getlocalsid command.
Then you need to configure ipa-dna. If you don't, you won't be able to add new users: sambaSID is a mandatory attribute and ipa-adduser won't add it automatically. When configuring ipa-dna the following notes apply.
You need to access the LDAP server as Directory Manager; the admin user doesn't have the appropriate rights.
Replace dnaprefix with the whole string returned by the net getlocalsid command.
Change dnascope to your base prefix.
You need to enable ipa-dns if it's not already enabled!
Without ipa-dna configured, adding a user fails like this:
# ipa-adduser testuser
First name: Test
Last name: User
A database error occurred: Object class violation: missing attribute "sambaSID" required by object class "sambaSamAccount"
In case you need additional information, look at the 389 Directory Server project documentation, since this is the directory server behind FreeIPA and Samba talks directly to it.
To debug Samba's connection to LDAP you can use the pdbedit tool. It is something like getent for NSS.
Misc stuff
Accessing LDAP
To access LDAP you have two options: a simple bind or a Kerberos ticket.
Using simple bind
To access LDAP you can try the following command:
ldapsearch -x -D 'uid=<username>,cn=users,cn=accounts,<base DN>' -W -h <FreeIPA host> -b '<base DN>'
The base DN can be found by looking in /etc/ldap.conf on the FreeIPA host. There will be a line that starts with base; the argument to this keyword is the base DN you should use.
In case you get the error ldap_bind: No such object (32), you are probably using the wrong base DN.
Using Kerberos ticket
There is another way to access LDAP: you can use a Kerberos ticket for authentication. First, you need to obtain a Kerberos ticket for the admin user by issuing the command kinit admin. To check that you have a ticket, use the command klist.
Search operation is now very easy:
ldapsearch -h <FreeIPA host> -b '<base DN>' -Y GSSAPI
As a directory manager
Some attributes and parts of the directory tree are not accessible to the admin user. In that case you have to access LDAP as Directory Manager. For example, to access the configuration part of the tree (not accessible to the admin user) use the following command:
ldapsearch -W -h <FreeIPA host> -b 'cn=config' -D 'cn=Directory Manager'
Note that you have to provide the Directory Manager password defined during the installation phase.
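The following shell functions are an added example and not part of the original page. They tie the three access methods above together: read the base DN from a copy of /etc/ldap.conf as described, build the user bind DN, and wrap ldapsearch with the flags shown for the simple, GSSAPI and Directory Manager cases. The sample ldap.conf, the host name ipa.example.test and the function names are constructed here; only the ldapsearch flags come from the page.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes OpenLDAP's ldapsearch
# and, for the gssapi method, a ticket already obtained with "kinit admin".

# write_sample_ldap_conf FILE: a constructed ldap.conf with comments and a
# "base" line, standing in for /etc/ldap.conf on the FreeIPA host.
write_sample_ldap_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real config
#base dc=commented,dc=out
uri ldap://ipa.example.test
BASE   dc=example,dc=com
ssl no
EOF
}

# base_dn_from_ldap_conf FILE: print the argument of the first uncommented
# "base" keyword, matched case-insensitively; trailing blanks are dropped.
base_dn_from_ldap_conf() {
    awk 'tolower($1) == "base" {
             sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the keyword
             sub(/[ \t]+$/, "")               # drop trailing blanks
             print; exit
         }' "$1"
}

# user_bind_dn USERNAME BASE_DN: the DN FreeIPA uses for user accounts.
user_bind_dn() {
    printf 'uid=%s,cn=users,cn=accounts,%s\n' "$1" "$2"
}

# ipa_ldapsearch METHOD HOST BASE_DN [ARG]
#   simple USER  - simple bind as USER, password prompted (-W). Without TLS
#                  the password crosses the wire in clear, so prefer gssapi.
#   gssapi       - Kerberos ticket via SASL/GSSAPI, no password prompt
#   dirman [DN]  - bind as Directory Manager; search base defaults to cn=config
ipa_ldapsearch() {
    method=$1 host=$2 base=$3
    case "$method" in
        simple) ldapsearch -x -D "$(user_bind_dn "$4" "$base")" -W -h "$host" -b "$base" ;;
        gssapi) ldapsearch -Y GSSAPI -h "$host" -b "$base" ;;
        dirman) ldapsearch -W -h "$host" -b "${4:-cn=config}" -D 'cn=Directory Manager' ;;
        *) echo "ipa_ldapsearch: unknown method '$method'" >&2; return 2 ;;
    esac
}

# Usage against a real server (uncomment):
# f=$(mktemp); write_sample_ldap_conf "$f"   # or point at /etc/ldap.conf
# base=$(base_dn_from_ldap_conf "$f")
# ipa_ldapsearch gssapi ipa.example.test "$base"
```

The parser ignores commented-out base lines and accepts the keyword in any case, so it works on the nss_ldap and OpenLDAP styles of ldap.conf alike.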
Maximum username length
The default maximum length of a username is 8 characters, which is quite low, so you will probably want to change this value. The change is easy if you are using the Web interface, but on the command line you have to use the ldapmodify command as follows:
ldapmodify -h <FreeIPA host> -Y GSSAPI << EOF
dn: cn=ipaConfig,cn=etc,<base DN>
changetype: modify
replace: ipaMaxUsernameLength
ipaMaxUsernameLength: 12
EOF
In case you get the following error message:
ldap_modify: Invalid syntax (21)
        additional info: ipaMaxUsernameLength: value #0 invalid per syntax
then there is probably some whitespace around the number 12. It is best to copy those lines into a temporary file, edit them there, and redirect the file's content to the ldapmodify command.
Default user shell
The default user shell is /bin/sh. You can change it using the same procedure as for the maximum username length, i.e.
ldapmodify -h <FreeIPA host> -Y GSSAPI << EOF
dn: cn=ipaConfig,cn=etc,<base DN>
changetype: modify
replace: ipaDefaultLoginShell
ipaDefaultLoginShell: /bin/bash
EOF
Again, be careful with spaces around the new value.
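The two ldapmodify changes above (maximum username length and default login shell) share one failure mode: a stray blank around the value makes the server reject it with Invalid syntax (21). The shell functions below are an added example, not from the original page. They generate the modify LDIF for cn=ipaConfig and refuse values with leading or trailing whitespace, a tab, or a carriage return from a Windows paste before anything is sent to the server. IPA_HOST and BASE_DN are assumed environment variables, and ipa_config_ldif, set_ipa_config and send_ldif are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original page: build the ldapmodify input for
# cn=ipaConfig and refuse a value with stray whitespace, which is what
# produces "Invalid syntax (21) ... value #0 invalid per syntax" when a
# line is pasted with blanks around it.
# Assumptions: IPA_HOST and BASE_DN are set by the caller, a Kerberos ticket
# is already held (kinit admin), and ldapmodify is OpenLDAP's client.

tab=$(printf '\t')
cr=$(printf '\r')

# ldif_value_ok VALUE: succeed only if VALUE is non-empty and has no
# leading/trailing space, no tab and no carriage return.
ldif_value_ok() {
    case "$1" in
        '') return 1 ;;                   # empty value
        ' '*|*' ') return 1 ;;            # leading or trailing space
        *"$tab"*|*"$cr"*) return 1 ;;     # tab or CR anywhere
    esac
    return 0
}

# ipa_config_ldif ATTR VALUE BASE_DN: print the modify LDIF on stdout,
# exactly in the form used on this page.
ipa_config_ldif() {
    printf 'dn: cn=ipaConfig,cn=etc,%s\nchangetype: modify\nreplace: %s\n%s: %s\n' \
        "$3" "$1" "$1" "$2"
}

# send_ldif: read LDIF on stdin and apply it with the GSSAPI bind.
send_ldif() {
    ldapmodify -h "$IPA_HOST" -Y GSSAPI
}

# set_ipa_config ATTR VALUE: validate locally, then apply. Returns 2 on a
# bad value without contacting the server.
set_ipa_config() {
    attr=$1
    value=$2
    if ! ldif_value_ok "$value"; then
        echo "set_ipa_config: refusing '$attr: $value' (empty or stray whitespace)" >&2
        return 2
    fi
    # ipaMaxUsernameLength has INTEGER syntax; catch "12x" before the server does.
    case "$attr" in
        ipaMaxUsernameLength)
            case "$value" in
                *[!0-9]*) echo "set_ipa_config: $attr must be a positive integer" >&2; return 2 ;;
            esac ;;
    esac
    ipa_config_ldif "$attr" "$value" "$BASE_DN" | send_ldif
}

# Usage against a real server (uncomment):
# export IPA_HOST=ipa.example.test BASE_DN='dc=example,dc=com'
# set_ipa_config ipaMaxUsernameLength 12
# set_ipa_config ipaDefaultLoginShell /bin/bash
```

Because the LDIF is generated by printf from already-checked arguments rather than pasted into a heredoc, the "value #0 invalid per syntax" error from a hidden trailing space cannot occur; a bad value is reported locally and nothing reaches the directory.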
Specifying UID for new users
The command ipa-addgroup allows the group ID to be specified on the command line, but ipa-adduser does not, at least not in the obvious way. So to achieve this, use the following switch:
--setattr='uidNumber=NNNN'
Replace NNNN with the number you wish to be the UID for a new user.
Promoting a replica into a master
Document how to move/promote a master server
Error messages
Here is a list of error messages I encountered while working with FreeIPA, along with their solutions.
The following error message appears when, for some reason, ipa-replica-prepare authenticates successfully but against the wrong directory server. This happened to me because I was messing with IP addresses and my IPA server thought it had a different IP address than it really did.
preparation of replica failed: {'desc': 'No such object'}
{'desc': 'No such object'}
  File "/usr/sbin/ipa-replica-prepare", line 284, in <module>
    main()
  File "/usr/sbin/ipa-replica-prepare", line 209, in main
    conn.do_simple_bind(bindpw=dirman_password)
  File "/usr/lib/python2.6/site-packages/ipaserver/ipaldap.py", line 323, in do_simple_bind
    self.simple_bind_s(binddn, bindpw)
  File "/usr/lib/python2.6/site-packages/ipaserver/ipaldap.py", line 171, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 207, in simple_bind_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.6/site-packages/ipaserver/ipaldap.py", line 148, in inner
    result_type, data = f(*args, **kargs)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 436, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.6/site-packages/ipaserver/ipaldap.py", line 171, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 440, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.6/site-packages/ipaserver/ipaldap.py", line 171, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 446, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.6/site-packages/ipaserver/ipaldap.py", line 171, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)