Dovecot can make use of Kerberos authentication and enjoying Single-Sign-On when checking emails via IMAP. This post shows you how you enable this feature. With IPA its rather simple to do so. First enroll your mail server to the IPA domain with ipa-client-install as described in various previously posted articles. Creating a Kerberos Service Priciple Ensure you have a Kerberos ticket as admin user ipa1:~# kinit admin Password for admin@EXAMPLE.COM: ipa1:~# ipa1:~# ipa service-add imap/mail.example.com ——————————————— Added service “imap/mail.example.com@EXAMPLE.COM” ——————————————— ….Read More
Category: Uncategorized
FreeIPA and Selective 2FA with Kerberos Authentication Indicators
One of the major new features in FreeIPA 4.4 is the introduction of Authentication Indicators in Kerberos tickets. This allows you to selectively enforce 2FA. Usecases Usually a Linux environment consists on a lot of different services. Some of them are security sensitive such as payroll systems while others are more relaxed such as simple Intranet Webservers. Some services do not nicely play with 2FA, see https://blog.delouw.ch/2015/04/09/2fa-with-free-ipa-the-good-the-bad-and-the-ugly/. With Authentication Indicators you can allow users accessing this services without 2FA while ….Read More
Integrate IPA in your Web application i.e. WordPress
Tired of log in to your favorite Web application? Integrate it with IPA, kerberize it! This blog post will guide you trough the kerberization of WordPress running on RHEL7 or Fedora. The magic is done by mod_intercept_form_submit and mod_auth_gssapi Assumptions You have a running IPA or FreeIPA infrastructure Your Kerberos REALM is EXAMPLE.COM The hostname where your WordPress instance is running is wptest.example.com WordPress is installed in /var/www/html and ready to run You are using a Linux Workstation with Kerberos, ….Read More
Updating Fedora to version 23 – how to workaround some issues
After upgrading two machines from Fedora 22 to 23 I stumbled upon some severe issues. Most of them are easy to solve. This weekend I’ve found some time to upgrade my headless router and one of my workstations. Unfortunately is did not went that smooth like the past few upgrades. No initrd created and grub config lacks initrd reference This seems to be connected to the Plymouth issue as described here: Common F23 bugs. On my headless machine I only ….Read More
Identity Management und 2FA mit (Free)IPA @Chemnitzer Linuxtage 2015
My first post in German, publishing the Slide Deck (in German) for my presentation about IPA and 2FA held at Chemnitzer Linux days 2015. Mein erster Post in Deutsch. Hier die Slides von meinem Vortrag an den Chemnitzer Linux Tagen 2015. Abstract: IPA ist ein Identity Management System für Linux und Unix, das stetig an Bedeutung gewinnt. Mittlerweile ist es des öfteren in Behörden, Banken, Versicherungen, aber auch in KMUs im Einsatz. IPA kann man sich als «Active Directory» für ….Read More
2FA with (Free) IPA. The good, the bad and the ugly
Two factor authentication (2FA) is more and more emerging which is good to enhance security. Since the release of IPA4 it comes with 2FA included. Over time I made a lot of experiments and experience I wanted to share with you. Its is easy to set up and maintain as long as you use it only for system authentication. If you are using such things as webmail, it fails. This post shows you the capabilities as they are of today. ….Read More
Building a virtual CEPH storage cluster
This post will guide you trough the procedure to build up a testbed on RHEL7 for a complete CEPH cluster. At the end you will have an admin server, one monitoring node and three storage nodes. CEPH is a object and block storage mostly used for virtual machine images and bulk BLOBS such as video- and other media. It is not intended to be used as a file storage (yet). Machine set up I’ve set up five virtual machines, one ….Read More
Using IPA to provide automount maps for NFSv4 home directories
Since the invention of NFSv4, automount NFS home directories is secure. Since the invention of IPA, its easier to set up and maintain. This article guides you trough the steps needed to set it up. The procedures have been tested on RHEL7.1 for the IPA servers, RHEL6.6 and 7.1 as clients but should work on Fedora and CentOS. Unfortunately it seems not to work (yet) for Debian Sid and Ununtu. [Update] Works in Ubuntu 14.04[/Update] Assumptions Your Domain is example.com ….Read More