FreeIPA

From HSG Wiki
Latest revision as of 13:43, 8 August 2021

Introduction

FreeIPA is the integrated security information management solution used at the Hackerspace Gent.

It uses a combination of 389 Directory Server (LDAPv3), MIT Kerberos, NTP (optional), DNS (optional), and DogTag (Certificate System).

Access

URL: https://ipa.hackerspace.gent

First time access: You will be prompted for a new password. Don't forget to set your correct email address.


Management

Allow users to modify their own email (or some other fields)

IPA Server > Self Service Permissions > Add

Self-service name: "Users can manage their own email address"
Attributes: mail

Hooking up services to LDAP for authentication

Creating a normal user account for an application is highly discouraged. Instead, create a dedicated system account that is only allowed to bind.

You will need to connect directly via LDAP to make the appropriate changes.

[root@ipa ~]# ldapmodify -x -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: uid=<application account name>,cn=sysaccounts,cn=etc,dc=hackerspace,dc=gent
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: <application account name>
userPassword: <password for the application>
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
<blank line>
^D

Example application configuration:

URL             ldap://ipa.hackerspace.gent:389
BindDN          "uid=<application account name>,cn=sysaccounts,cn=etc,dc=hackerspace,dc=gent"
Password        "<password for the application>"

BaseDN          "cn=users,cn=accounts,dc=hackerspace,dc=gent"
SearchFilter    "(uid=%u)"

BaseDN          "cn=groups,cn=accounts,dc=hackerspace,dc=gent"
SearchFilter    "(member=%g)"

STARTTLS

If you want to use STARTTLS for securing the connection between the application and LDAP, you can use the CA Certificate:

-----BEGIN CERTIFICATE-----
<CA certificate in PEM format>
-----END CERTIFICATE-----
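As an added example (not code from the wiki or from FreeIPA), this is the StartTLS upgrade and simple bind that the application configuration above relies on, written against the Python standard library only: it encodes the StartTLS extended request and the bind request by hand, checks the server's result code before any credentials leave the client, and verifies the server certificate chain and hostname against the CA file. The host, CA file path, bind DN, password and the sample response bytes are assumptions or constructed values.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation
# Constructed sample: ExtendedResponse for messageID 1 with resultCode success (0)
SAMPLE_STARTTLS_OK = bytes.fromhex("300c02010178070a010004000400")

def ber(tag: int, content: bytes) -> bytes:   # one BER TLV, short or long-form length
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + content

def read_tlv(buf: bytes, pos: int = 0):       # -> (tag, content, next_pos)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                              # long-form length
        nb, pos = n & 0x7F, pos + (n & 0x7F)
        n = int.from_bytes(buf[pos - nb:pos], "big")
    return tag, buf[pos:pos + n], pos + n

def ldap_message(msg_id: int, op: bytes) -> bytes:
    return ber(0x30, ber(0x02, bytes([msg_id])) + op)   # msg_id < 128

def starttls_request(msg_id: int = 1) -> bytes:
    # ExtendedRequest [APPLICATION 23] { requestName [0] LDAPOID }
    return ldap_message(msg_id, ber(0x77, ber(0x80, STARTTLS_OID)))

def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    # BindRequest [APPLICATION 0] { version 3, name, authentication simple [0] }
    body = ber(0x02, b"\x03") + ber(0x04, dn.encode()) + ber(0x80, password.encode())
    return ldap_message(msg_id, ber(0x60, body))

def result_code(response: bytes) -> int:      # LDAPResult resultCode, 0 = success
    _, msg, _ = read_tlv(response)            # LDAPMessage SEQUENCE
    _, _, pos = read_tlv(msg)                 # skip messageID
    _, op, _ = read_tlv(msg, pos)             # ExtendedResponse / BindResponse
    return int.from_bytes(read_tlv(op)[1], "big")   # resultCode ENUMERATED

def connect_starttls(host: str, ca_file: str, bind_dn: str, password: str, port: int = 389):
    """Plain TCP, StartTLS verified against ca_file (chain + hostname), then bind."""
    ctx = ssl.create_default_context(cafile=ca_file)   # ca_file: assumed path to the IPA CA PEM
    sock = socket.create_connection((host, port))
    sock.sendall(starttls_request(1))
    if result_code(sock.recv(4096)) != 0:
        raise RuntimeError("server refused StartTLS; not sending credentials")
    tls = ctx.wrap_socket(sock, server_hostname=host)   # credentials only go over TLS
    tls.sendall(simple_bind_request(2, bind_dn, password))
    if result_code(tls.recv(4096)) != 0:
        raise RuntimeError("bind failed")
    return tls
```

A single recv() per response is enough for these small messages; a full client would frame each message on its BER length before decoding.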

Prevent annoying BasicAuth popup to appear on login page

In browsers other than Firefox, for example Chrome, you may initially see a BasicAuth popup that does not work for logging in. The only way to log in is to cancel the popup a few times until the proper FreeIPA login page appears. This happens because by default the first authentication mechanism offered is Kerberos, which Chrome does not really recognize. To disable this behavior, a change needs to be made in the HTTPD configuration of FreeIPA.

[root@ipa ~]# nano /etc/httpd/conf.d/ipa.conf
...
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
  ...
  # Do not attempt to negotiate Kerberos authentication, as IE and Chrome do not support the standard
  # and instead show a confusing Basic Auth popup window that the user cannot log in with.
  BrowserMatch Windows gssapi-no-negotiate
  ...
</Location>

[root@ipa ~]# systemctl restart httpd

Automembership to Groups

By default, all new users created in FreeIPA are automatically part of the ipausers group (this can be changed in IPA Server > Configuration > Default users group).

While this can be fine, it might pose an issue on systems that expect to work with POSIX groups (posixgroup) in LDAP.

A possible solution is to create a separate dedicated group with the posixgroup option selected and use the automembership functionality to add both pre-existing and new users to said group while still being part of the original ipausers group.

Identity > Automember > User group rules > Add.

Add an Inclusive rule with Attribute uid and value .*

Backup

FreeIPA has a command to back up all the essentials. It stops all IPA services for the duration of the backup so that the backup is consistent.

[root@ipa ~]# ipa-backup 
Preparing backup on ipa.hackerspace.gent
Local roles match globally used roles, proceeding.
Stopping IPA services
Backing up ipaca in HACKERSPACE-GENT to LDIF
Backing up userRoot in HACKERSPACE-GENT to LDIF
Backing up HACKERSPACE-GENT
Backing up files
Starting IPA service
Backed up to /var/lib/ipa/backup/ipa-full-2021-08-08-15-37-11
The ipa-backup command was successful

Currently, the backup is run through a cronjob and backed up to a NAS.

[root@ipa ~]# crontab -l
# Backup FreeIPA every day at 5am and transfer to Nasty
0 5 * * * /usr/sbin/ipa-backup && rsync -a --no-perms --delete /var/lib/ipa/backup/ -e 'ssh -i ~/.ssh/id_rsa -p 22' hsg@nasty.0x20:/volume1/BACKUPS/freeipa/
# Delete backups every Saturday at midnight, older than 7 days
# (rm -rf is used because find -delete cannot remove non-empty backup directories)
0 0 * * 0 find /var/lib/ipa/backup -mindepth 1 -maxdepth 1 -type d -ctime +7 -exec rm -rf {} +

Restore

Theoretically speaking, the following command should be able to restore from backup:

[root@ipa ~]# ipa-restore /var/lib/ipa/backup/ipa-full-2021-08-08-15-37-11/