Using OTP Tokens and 2FA with FreeIPA 4.0

On 2014-07-08 FreeIPA 4.0 was released. One of the most interesting new features is the support of two factor authentication (2FA). I was curious about how to set it up and get it running. Unfortunately the documentation does not tell much about the OTP setup. What is OTP and 2FA? An overview OTP stands for One Time Password and 2FA for two factor authentication. OTP is available since long time, in the beginning usually as a list of passwords printed ….Read More

Providing SRV and TXT records for Kerberos and LDAP with dnsmasq

What if you have an application such as OVirt/RHEV-M that relies on DNS services records and you dont have the possibility to add them to the DNS servers because the DNS admins do not like to do its job? Fake them! DNSMasq is your friend 🙂 Install dnsmasq on the server in question and configure /etc/resolv.conf to query first dnsmask on localhost. yum -y install dnsmasq chkconfig dnsmasq on Assuming your subdomain is called example.com and your ldap and kerberos ….Read More

Host based access control with IPA

Host based access control is easy with IPA/FreeIPA, very easy. Lets assume you want to have a host group called rhel-prod, a usergroup called prod-admins and you want to let them access the servers in the rhel-prod group by ssh from any host that can reach the servers. Lets call the HBAC rule prod-admins. You can either user the web GUI or use the command line interface. Lets create the user group: [root@ipa1 ~]# ipa group-add prod-admins –desc=”Production System Admins” ….Read More

How to recover from a lost Kerberos password for admin

Ever lost your password for the admin principle on your Linux Kerberos server? It is quite easy to recover by just setting a new one. You just need to log in to your KDC and proceed as follows: [root@ipa1 ~]# kadmin.local Authenticating as principal admin/admin@EXAMPLE.COM with password. kadmin.local: change_password admin@EXAMPLE.COM Enter password for principal “admin@EXAMPLE.COM”: Re-enter password for principal “admin@EXAMPLE.COM”: Password for “admin@EXAMPLE.COM” changed. kadmin.local: q [root@ipa1 ~]# Now enter kinit to get a Kerberos ticket. Have fun 🙂

Identity Management with IPA Part II – Kerberized NFS service

In part one I was writing how to set up an IPA server for basic user authentication. One reason NFSv4 is not that widespreaded yet, is it needs Kerberos for proper operation. Of course this is now much easier thanks to IPA. Goal for the part of the guide Configure IPA to serve the NFS principle Configure NFS to use IPA Configure some IPA clients to use Kerberos for the NFS service Requirements A runing IPA service like discussed in ….Read More

Identity Management with IPA Part I

Red Hat released RHEL 6.2 on December 6th. From my point of view, the greatest news in the release is that IPA (or now called Identity Management) is now fully supported and available in the RHEL 6 base channel without additional subscription costs. Upstream project is freeIPA and is available trough the default Fedora repos. About central Identity Management IPA stands for Identification, Auditing, Policy. The focus in this article is on identification of users. In the past, there have ….Read More

Set up a Red Hat Directory Server and Kerberos Part I

Kerberos and LDAP are today’s way of single sign on. It is platform independent and supported by a wide range of applications. Together with the Red Hat Directory Server (also available as CentOS Directory Server and 389 Directory Server from Fedora) you can build a neat identity management infrastructure. Setting up the Directory Server However there are some pitfalls when installing such a integrated solution. Installing redhat-ds is quite easy, just ensure you define your planned LDAP Namespace and default ….Read More