Difference between revisions of "FreeIPA"

From HSG Wiki
Jump to: navigation, search
(Initial FreeIPA documentation)
 
Line 55: Line 55:
 
</pre>
 
</pre>
  
If you want to use '''Starttls''' for securing the connection between the application and LDAP, you can use the CA Certificated which can use the following certificate:
+
=== STARTTLS ====
 +
 
 +
If you want to use '''STARTTLS''' for securing the connection between the application and LDAP, you can use the CA Certificate:
 
<pre>
 
<pre>
 
-----BEGIN CERTIFICATE-----
 
-----BEGIN CERTIFICATE-----

Revision as of 22:34, 22 July 2021

Introduction

FreeIPA is the integrated security information management solution used at the Hackerspace Gent.

It uses a combination of 389 Directory Server (LDAPv3), MIT Kerberos, NTP (optional), DNS (optional), and DogTag (Certificate System).

Access

URL: https://ipa.hackerspace.gent

First time access: You will be prompted for a new password. Don't forget to set your correct email address.


Management

Allow users to modify their own email (or some other fields)

IPA Server > Self Service Permissions > Add

Self-service name: "Users can manage their own email address"
Attributes: mail

Hooking up services to LDAP for authentication

Creating a normal user is highly discouraged. Create dedicated system accounts which are only allowed to bind.

You will need to connected directly via LDAP to make the appropriate changes.

[root@ipa ~]# ldapmodify -x -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: uid=<application account name>,cn=sysaccounts,cn=etc,dc=hackerspace,dc=gent
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: <application account name>
userPassword: <password for the application>
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
<blank line>
^D

Example of configuration:

URL             ldap://ipa.hackerspace.gent:389
BindDN          "uid=<application account name>,cn=sysaccounts,cn=etc,dc=hackerspace,dc=gent"
Password        "<password for the application>"

BaseDN          "cn=users,cn=accounts,dc=hackerspace,dc=gent"
SearchFilter    "(uid=%u)"

BaseDN          "cn=groups,cn=accounts,dc=hackerspace,dc=gent"
SearchFilter    "(member=%g)"

STARTTLS =

If you want to use STARTTLS for securing the connection between the application and LDAP, you can use the CA Certificate:

-----BEGIN CERTIFICATE-----
MIIEmjCCAwKgAwIBAgIBATANBgkqhkiG9w0BAQsFADA7MRkwFwYDVQQKDBBIQUNL
RVJTUEFDRS5HRU5UMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcN
MjEwNzE5MjEzMDQwWhcNNDEwNzE5MjEzMDQwWjA7MRkwFwYDVQQKDBBIQUNLRVJT
UEFDRS5HRU5UMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggGiMA0G
CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQC3D0sY2uxKfvyNm1kwQwMOUuI+qu4F
vzMrb3Pu48PPUg7pEF9rvpiyv55OzPEl9rVIOyxHMq+1DroN1cREpY7ttiuGU0UB
1WP40KElU1drfLKlpNhtDB70TtsvQ9JkR4QBZLHdSEKwRaL0UL11yuiqXTplLw+q
WR2O0vJPg8dwatpJWIqoPqLx/IsCLcNlbDJ0NBFbFhD1Txr9r/ZATQX94duxfpch
bM3cWl90nBtvYnBGzo5ZOBeQD5RVLhZyW9Iu64MovkG3lEpbAOdjGeQbUOiyFwKK
9LOv1kmMDhAFVtKPOAJfCVNPlR0mo7hOMqrsaqbwnF3mQ7MwXjyvvCKdrCHKvu6t
d90Aqbm2nN/dSfw9gh7eEEVgnZzX9QI+g8/g43NXU9XfAXUvvL3QN16P3d+CEw6v
Dte+6YE4s36Bb5l+1jwQD3fDT4YuafjKJSTpqRjIZWAKXdOgLFfDWWYbT2XHCxa4
eJA8aACNywD82sYIFze1MvT7yVV5ct2a5LMCAwEAAaOBqDCBpTAfBgNVHSMEGDAW
gBSaZr01cho5oLUbMv4Od+NnDxiA+DAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB
/wQEAwIBxjAdBgNVHQ4EFgQUmma9NXIaOaC1GzL+DnfjZw8YgPgwQgYIKwYBBQUH
AQEENjA0MDIGCCsGAQUFBzABhiZodHRwOi8vaXBhLWNhLmhhY2tlcnNwYWNlLmdl
bnQvY2Evb2NzcDANBgkqhkiG9w0BAQsFAAOCAYEADrVAhnOXKQk6Ukxh+LqhduPl
IF/jQl/6FHHo3ViGAsqWIQ32CczM6hep0uy4Qgxr8Vkl2DaCOxCXUYLhDVJD7a5D
iuKclvoaR0km1uJAtLgABztysTNySDNnnfYpZgTul6jnwnrIrKOv7OsDYlLeFbot
cQLI8KZn0m2dR6Sbk6gz/npp+xe4u9ETGqALPst3zNzX5iO+4Xj0nOYDQS6II3h0
K4d0FtCTqsQV+TcaWDSA4Lfb+tPc2qscBeD9PcZOcLTLoeeo7v5WZqXgtJ83mpOE
/afRpxYGYltSufkF6uK2M0LuI7wIw/BxJzjfEykYcHDwJgRpIaRXmhotUtEPD/Vn
0chhOrhoYMxDAyXQ7emUmxwoYcUGYnKoKjhrndg1wTQeY7ECBv8G+y/oBLjVGu57
2I9e1M0Go1N1AAEzfSkEtLtVDDLvJecNQwnYRRHvoUY7eaZkbQiZVEwiF6293AEd
pMhkQ5KqmnBlTxVnj/2dxhqRsuc/9B4j1mMoufJh
-----END CERTIFICATE-----