Stjepan Groš

Home
SysAdm Stuff

FreeIPA

FreeIPA is a identity solution analogous to ActiveDirectory. Well, almost. The point is that it's still in the development but it's already usable. Here you'll find some tips about FreeIPA and it's use.

Different clients

Informix

O3Spaces

This is relatively good software from the user's stand point, but absolutely horrible when it comes to the administration. This software doesn't support external user database. The best you can achieve is to connect it to the LDAP database that is copied to some local/internal store of the O3Spaces. Thus, you can freely forget on Kerberos and Single Sign On.

Additional inconvenience is that you have to create account for O3Spaces that will be used to synchronize LDAP database with O3Spaces' database. Furthermore, O3Spaces will do a simple bind to the LDAP database.

Samba

http://www.mail-archive.com/freeipa-users@redhat.com/msg00111.html

Some random notes how I integrated Samba 3 with FreeIPA. I'll organize this better as soon as I find some free time:

• I extended LDAP schema without any problems. Only, the command wasn't ldapmodify but ldapmodify -Y GSSAPI and I obtained admin ticket before. Also, yourdomain has to be changed. It's probably same as your Kerberos realm, e.g. if your Kerberos realm is EXAMPLE.COM then this will be dc=example,dc=com. Replica immediatelly caught the change.

• I then configured Samba BDC. Note that I turned off SSL access because my IPA and Samba services are on the same host. Also, I gave Samba admin dn (it will be something like uid=admin,cn=users,cn=accounts,dc=example,dc=com, and I also stored admin password using smbpasswd -w command.

• After configuring Samba I was able to obtain SID using net getlocalsid command.

• Then, you need to configure ipa-dna. If you don't you won't be able to add new users. The problem is that sambaSID is mandatory attribute and ipa-adduser won't add it automatically. When configuring ipa-dna the following notes apply.

  • You need to access LDAP server as Directory Manager. admin user doesn't have appropriate rights.

  • Change dnaprefix with the whole string returned by net getlocalsid command.

  • Change dnascope to your base prefix.

  • You need to enable ipa-dns if it's not already enabled!

# ipa-adduser testuser
First name: Test
Last name: User
A database error occurred: Object class violation: missing attribute "sambaSID" required by object class "sambaSamAccount"

In case you need additional information look 389 project documentation since this is a directory server behind FreeIPA and Samba talks directly to it.

To debug samba connection to LDAP you can use pdbedit tool. It's something like getent for NSS.

Misc stuff

Accessing LDAP

To access LDAP you have to options: simple bind or using a kerberos ticket.

1. Using simple bind

   To access LDAP you can try the following command:

   ldapsearch -x -D 'uid=<username>,cn=users,cn=accounts,<base DN>' -W -h <FreeIPA host> -b '<base DN>'
   

   base DN you can find by looking into /etc/ldap.conf on the FreeIPA host. There will be line that starts with base. The argument to this keyword is base DN you should use.

   In case you get an error ldap_bind: No such object (32) then you probably use wrong base DN.

2. Using Kerberos ticket

   There is another way to access LDAP in a sense that you can use Kerberos ticket for authentication. First, you need to obtain Kerberos ticket for admin user by issuing command kinit admin. To check if you have a ticket use the command klist.

   Search operation is now very easy:

   ldapsearch -h <FreeIPA host> -b '<base DN>' -Y GSSAPI
   

3. As a directory manager

   Some attributes and parts of the directory tree are not accessible to admin user. In that case you have to access LDAP as a directory manager. For example, to access configuration part of the tree (not accessible to admin user) use the following command:

   ldapsearch -W -h <FreeIPA host> -b 'cn=config' -D 'cn=Directory Manager'
   

   Note that you have to provide password defined during the installation phase.

Maximum username length

Default maximum length of the username is 8 characters which is quite low. So, you need to change this value. The change is easy in case you are using Web interface, but to change it in command line you have to use ldapmodify command as follows:

ldapmodify -h <FreeIPA host> -Y GSSAPI << EOF
dn: cn=ipaConfig,cn=etc,<base DN>
changetype: modify
replace: ipaMaxUsernameLength
ipaMaxUsernameLength: 12 
EOF

In case you get the following error message:

ldap_modify: Invalid syntax (21)
	additional info: ipaMaxUsernameLength: value #0 invalid per syntax

Then there is probably some space around number 12 so it's best that you copy and edit those line in some temporary file and redirect the content of this file to ldapmodify command.

Default user shell

The default user shell is /bin/sh. You can change it using the same procedure as for the maximum username lenght, i.e.

ldapmodify -h <FreeIPA host> -Y GSSAPI << EOF
dn: cn=ipaConfig,cn=etc,<base DN>
changetype: modify
replace: ipaDefaultLoginShell
ipaDefaultLoginShell: /bin/bash 
EOF

Again, be carefull with spaces around the new value.

Specifying UID for new users

The command ipa-addgroup allows the group ID to be specified on the command line, but ipa-adduser does not, at least not in the obvious way. So to achieve this, use the following switch:

--setattr='uidNumber=NNNN'

Replace NNNN with the number you wish to be the UID for a new user.

Promoting replica into master

Document how to move/promote a master server

Error messages

Here is the list of error messages I encountered while working with FreeIPA along with the solutions.

The following error message appears when for some reason ipa-replica-prepare tries to access wrong directory server with successful authentication. This happened to me because I was messing up with IP addresses and my IPA server thought that it had different IP address that it really did.

preparation of replica failed: {'desc': 'No such object'}
{'desc': 'No such object'}
  File "/usr/sbin/ipa-replica-prepare", line 284, in 
    main()

  File "/usr/sbin/ipa-replica-prepare", line 209, in main
    conn.do_simple_bind(bindpw=dirman_password)

  File "/usr/lib/python2.6/site-packages/ipaserver/ipaldap.py", line 323, in do_simple_bind
    self.simple_bind_s(binddn, bindpw)

  File "/usr/lib/python2.6/site-packages/ipaserver/ipaldap.py", line 171, in inner
    return f(*args, **kargs)

  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 207, in simple_bind_s
    return self.result(msgid,all=1,timeout=self.timeout)

  File "/usr/lib/python2.6/site-packages/ipaserver/ipaldap.py", line 148, in inner
    result_type, data = f(*args, **kargs)

  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 436, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)

  File "/usr/lib/python2.6/site-packages/ipaserver/ipaldap.py", line 171, in inner
    return f(*args, **kargs)

  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 440, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)

  File "/usr/lib/python2.6/site-packages/ipaserver/ipaldap.py", line 171, in inner
    return f(*args, **kargs)

  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 446, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)

  File "/usr/lib/python2.6/site-packages/ipaserver/ipaldap.py", line 171, in inner
    return f(*args, **kargs)

  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)

Copyright(c) Stjepan Groš
Style respectfully borrowed from Blue Robot's Layout Reservoir
Last change: Tuesday, 18-Jun-2019 21:16:06 CEST