Setting up IPA with a specific CA cert subject

If you are doing experiments with IPA where you install and reinstall IPA servers, you may notice SSL certificate errors when connecting to an IPA server using Firefox. The reason is that always the same Organization and serial is used when the CA cert is created. Normal users are usually only affected when using the same Realm and DNS subdomain for the test and production environment which is not recommended anyway. Reproducing the issue 1. Set up IPA with ipa-server-install. ….Read More

Identity Management und 2FA mit (Free)IPA @Chemnitzer Linuxtage 2015

My first post in German, publishing the Slide Deck (in German) for my presentation about IPA and 2FA held at Chemnitzer Linux days 2015. Mein erster Post in Deutsch. Hier die Slides von meinem Vortrag an den Chemnitzer Linux Tagen 2015. Abstract: IPA ist ein Identity Management System für Linux und Unix, das stetig an Bedeutung gewinnt. Mittlerweile ist es des öfteren in Behörden, Banken, Versicherungen, aber auch in KMUs im Einsatz. IPA kann man sich als «Active Directory» für ….Read More

2FA with (Free) IPA. The good, the bad and the ugly

Two factor authentication (2FA) is more and more emerging which is good to enhance security. Since the release of IPA4 it comes with 2FA included. Over time I made a lot of experiments and experience I wanted to share with you. Its is easy to set up and maintain as long as you use it only for system authentication. If you are using such things as webmail, it fails. This post shows you the capabilities as they are of today. ….Read More

Migrating legacy servers to FreeIPA authentication using ID-views

ID-Views are a new feature of FreeIPA4 which allows you to map UID/GID user/group names to another. This is a very handy solution when migrating legacy servers. There are legacy servers in the field with a lot of history. They have been migrated from one operating system to another since the last decade(s). It is unfortunately also not uncommon on those legacy servers to find software with hardcoded UID/GID and/or user/group names. Along with an unknown number of scripts installed ….Read More

Using IPA to provide automount maps for NFSv4 home directories

Since the invention of NFSv4, automount NFS home directories is secure. Since the invention of IPA, its easier to set up and maintain. This article guides you trough the steps needed to set it up. The procedures have been tested on RHEL7.1 for the IPA servers, RHEL6.6 and 7.1 as clients but should work on Fedora and CentOS. Unfortunately it seems not to work (yet) for Debian Sid and Ununtu. [Update] Works in Ubuntu 14.04[/Update] Assumptions Your Domain is example.com ….Read More

Upgrading RHN Satellite 5.6 to 5.7

This post guides you trough the upgrade procedure for a Satellite 5.6 using the embedded database on RHEL6-x86_64. Further it guides you to setup of Kerberos authentication of Satellite users with IPA. Recently Redhat released Satellite Server 5.7. Despite Satellite 5.x will be outphased in the next few years, there are plenty of new features. The most significant new features are: Upgraded PostgreSQL to 9.2 Authentication via IPA/SSSD/Kerberos IPMI support Renewed WebUI Readonly API users And finally… drum roll…. formal ….Read More

Using OTP Tokens and 2FA with FreeIPA 4.0

On 2014-07-08 FreeIPA 4.0 was released. One of the most interesting new features is the support of two factor authentication (2FA). I was curious about how to set it up and get it running. Unfortunately the documentation does not tell much about the OTP setup. What is OTP and 2FA? An overview OTP stands for One Time Password and 2FA for two factor authentication. OTP is available since long time, in the beginning usually as a list of passwords printed ….Read More

Providing SRV and TXT records for Kerberos and LDAP with dnsmasq

What if you have an application such as OVirt/RHEV-M that relies on DNS services records and you dont have the possibility to add them to the DNS servers because the DNS admins do not like to do its job? Fake them! DNSMasq is your friend 🙂 Install dnsmasq on the server in question and configure /etc/resolv.conf to query first dnsmask on localhost. yum -y install dnsmasq chkconfig dnsmasq on Assuming your subdomain is called example.com and your ldap and kerberos ….Read More