Difference between revisions of "FreeIPA"
Revision as of 22:44, 22 July 2021
Introduction
FreeIPA is the integrated security information management solution used at Hackerspace Gent.
It uses a combination of 389 Directory Server (LDAPv3), MIT Kerberos, NTP (optional), DNS (optional), and DogTag (Certificate System).
Access
URL: https://ipa.hackerspace.gent
First time access: You will be prompted for a new password. Don't forget to set your correct email address.
Management
Allow users to modify their own email (or some other fields)
IPA Server > Self Service Permissions > Add
Self-service name: "Users can manage their own email address"
Attributes: mail
Hooking up services to LDAP for authentication
Creating a normal user is highly discouraged. Create dedicated system accounts which are only allowed to bind.
You will need to connect directly via LDAP to make the appropriate changes.
[root@ipa ~]# ldapmodify -x -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: uid=<application account name>,cn=sysaccounts,cn=etc,dc=hackerspace,dc=gent
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: <application account name>
userPassword: <password for the application>
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
<blank line>
^D
Example of configuration:
URL ldap://ipa.hackerspace.gent:389
BindDN "uid=<application account name>,cn=sysaccounts,cn=etc,dc=hackerspace,dc=gent"
Password "<password for the application>"
BaseDN "cn=users,cn=accounts,dc=hackerspace,dc=gent"
SearchFilter "(uid=%u)"
BaseDN "cn=groups,cn=accounts,dc=hackerspace,dc=gent"
SearchFilter "(member=%g)"
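As an added example (not from the wiki page or the FreeIPA project), the Python below builds the same bind-only sysaccount entry for ldapmodify and shows how an application should substitute %u and %g in the search filters above: without RFC 4515 escaping, a login name containing characters such as * or ) changes the meaning of the filter. The base DN and filter templates are taken from the page; the password length and the account name used in the example are assumptions.

```python
# Added example (not from the wiki page): generate the LDIF for a bind-only
# sysaccount as shown above, and fill the "(uid=%u)" / "(member=%g)" filter
# templates with RFC 4515 escaping so that a login name cannot rewrite the filter.
import secrets
import string

BASE_DN = "dc=hackerspace,dc=gent"          # from the wiki page
USER_FILTER = "(uid=%u)"                   # from the wiki page
GROUP_FILTER = "(member=%g)"               # from the wiki page

# Characters that RFC 4515 requires to be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(uid: str) -> str:
    """Expand the page's (uid=%u) template with an escaped login name."""
    return USER_FILTER.replace("%u", ldap_filter_escape(uid))


def group_search_filter(member_dn: str) -> str:
    """Expand the page's (member=%g) template with an escaped member DN."""
    return GROUP_FILTER.replace("%g", ldap_filter_escape(member_dn))


def generate_password(length: int = 32) -> str:
    """Random bind password for the application account (length is an assumption)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def sysaccount_ldif(name: str, password: str) -> str:
    """LDIF equivalent of the ldapmodify input on the page for a bind-only account."""
    dn = f"uid={name},cn=sysaccounts,cn=etc,{BASE_DN}"
    return "\n".join([
        f"dn: {dn}",
        "changetype: add",
        "objectclass: account",
        "objectclass: simplesecurityobject",   # no posixAccount: bind only, no login
        f"uid: {name}",
        f"userPassword: {password}",
        "passwordExpirationTime: 20380119031407Z",  # far-future expiry, as on the page
        "nsIdleTimeout: 0",
        "",  # trailing blank line terminates the entry
    ])
```

Feed the output of sysaccount_ldif() to ldapmodify as in the session above; the filter helpers belong in the application that performs the (uid=%u) and (member=%g) lookups.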
STARTTLS
If you want to use STARTTLS for securing the connection between the application and LDAP, you can use the CA Certificate:
Prevent annoying BasicAuth popup to appear on login page
In browsers other than Firefox, for example Chrome, you may initially be shown a BasicAuth popup that does not work for logging in. The only way to log in is to cancel the popup a few times until the proper FreeIPA login page is presented. This happens because by default the first authentication mechanism offered is Kerberos (Negotiate), which Chrome does not handle here. To disable this behavior, a change needs to be made in the HTTPD configuration of FreeIPA.
[root@ipa ~]# nano /etc/httpd/conf.d/ipa.conf
...
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
...
# Do not attempt to negotiate Kerberos authentication as IE and Chrome do not support the standard
# showing a confusing Basic Auth popup window by which the user cannot login with.
BrowserMatch Windows gssapi-no-negotiate
...
</Location>

[root@ipa ~]# systemctl restart httpd