Difference between revisions of "FreeIPA"
Carroarmato0 (talk | contribs) |
Carroarmato0 (talk | contribs) |
||
Line 55: | Line 55: | ||
</pre> | </pre> | ||
− | === STARTTLS | + | === STARTTLS === |
If you want to use '''STARTTLS''' for securing the connection between the application and LDAP, you can use the CA Certificate: | If you want to use '''STARTTLS''' for securing the connection between the application and LDAP, you can use the CA Certificate: |
Revision as of 22:34, 22 July 2021
Contents
Introduction
FreeIPA is the integrated security information management solution used at the Hackerspace Gent.
It uses a combination of 389 Directory Server (LDAPv3), MIT Kerberos, NTP (optional), DNS (optional), and DogTag (Certificate System).
Access
URL: https://ipa.hackerspace.gent
First time access: You will be prompted for a new password. Don't forget to set your correct email address.
Management
Allow users to modify their own email (or some other fields)
IPA Server > Self Service Permissions > Add
Self-service name: "Users can manage their own email address" Attributes: mail
Hooking up services to LDAP for authentication
Creating a normal user is highly discouraged. Create dedicated system accounts which are only allowed to bind.
You will need to connected directly via LDAP to make the appropriate changes.
[root@ipa ~]# ldapmodify -x -D 'cn=Directory Manager' -W Enter LDAP Password: dn: uid=<application account name>,cn=sysaccounts,cn=etc,dc=hackerspace,dc=gent changetype: add objectclass: account objectclass: simplesecurityobject uid: <application account name> userPassword: <password for the application> passwordExpirationTime: 20380119031407Z nsIdleTimeout: 0 <blank line> ^D
Example of configuration:
URL ldap://ipa.hackerspace.gent:389 BindDN "uid=<application account name>,cn=sysaccounts,cn=etc,dc=hackerspace,dc=gent" Password "<password for the application>" BaseDN "cn=users,cn=accounts,dc=hackerspace,dc=gent" SearchFilter "(uid=%u)" BaseDN "cn=groups,cn=accounts,dc=hackerspace,dc=gent" SearchFilter "(member=%g)"
STARTTLS
If you want to use STARTTLS for securing the connection between the application and LDAP, you can use the CA Certificate:
-----BEGIN CERTIFICATE----- MIIEmjCCAwKgAwIBAgIBATANBgkqhkiG9w0BAQsFADA7MRkwFwYDVQQKDBBIQUNL RVJTUEFDRS5HRU5UMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcN MjEwNzE5MjEzMDQwWhcNNDEwNzE5MjEzMDQwWjA7MRkwFwYDVQQKDBBIQUNLRVJT UEFDRS5HRU5UMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggGiMA0G CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQC3D0sY2uxKfvyNm1kwQwMOUuI+qu4F vzMrb3Pu48PPUg7pEF9rvpiyv55OzPEl9rVIOyxHMq+1DroN1cREpY7ttiuGU0UB 1WP40KElU1drfLKlpNhtDB70TtsvQ9JkR4QBZLHdSEKwRaL0UL11yuiqXTplLw+q WR2O0vJPg8dwatpJWIqoPqLx/IsCLcNlbDJ0NBFbFhD1Txr9r/ZATQX94duxfpch bM3cWl90nBtvYnBGzo5ZOBeQD5RVLhZyW9Iu64MovkG3lEpbAOdjGeQbUOiyFwKK 9LOv1kmMDhAFVtKPOAJfCVNPlR0mo7hOMqrsaqbwnF3mQ7MwXjyvvCKdrCHKvu6t d90Aqbm2nN/dSfw9gh7eEEVgnZzX9QI+g8/g43NXU9XfAXUvvL3QN16P3d+CEw6v Dte+6YE4s36Bb5l+1jwQD3fDT4YuafjKJSTpqRjIZWAKXdOgLFfDWWYbT2XHCxa4 eJA8aACNywD82sYIFze1MvT7yVV5ct2a5LMCAwEAAaOBqDCBpTAfBgNVHSMEGDAW gBSaZr01cho5oLUbMv4Od+NnDxiA+DAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB /wQEAwIBxjAdBgNVHQ4EFgQUmma9NXIaOaC1GzL+DnfjZw8YgPgwQgYIKwYBBQUH AQEENjA0MDIGCCsGAQUFBzABhiZodHRwOi8vaXBhLWNhLmhhY2tlcnNwYWNlLmdl bnQvY2Evb2NzcDANBgkqhkiG9w0BAQsFAAOCAYEADrVAhnOXKQk6Ukxh+LqhduPl IF/jQl/6FHHo3ViGAsqWIQ32CczM6hep0uy4Qgxr8Vkl2DaCOxCXUYLhDVJD7a5D iuKclvoaR0km1uJAtLgABztysTNySDNnnfYpZgTul6jnwnrIrKOv7OsDYlLeFbot cQLI8KZn0m2dR6Sbk6gz/npp+xe4u9ETGqALPst3zNzX5iO+4Xj0nOYDQS6II3h0 K4d0FtCTqsQV+TcaWDSA4Lfb+tPc2qscBeD9PcZOcLTLoeeo7v5WZqXgtJ83mpOE /afRpxYGYltSufkF6uK2M0LuI7wIw/BxJzjfEykYcHDwJgRpIaRXmhotUtEPD/Vn 0chhOrhoYMxDAyXQ7emUmxwoYcUGYnKoKjhrndg1wTQeY7ECBv8G+y/oBLjVGu57 2I9e1M0Go1N1AAEzfSkEtLtVDDLvJecNQwnYRRHvoUY7eaZkbQiZVEwiF6293AEd pMhkQ5KqmnBlTxVnj/2dxhqRsuc/9B4j1mMoufJh -----END CERTIFICATE-----