Difference between revisions of "FreeIPA"

From HSG Wiki

Revision as of 22:44, 22 July 2021

Introduction

FreeIPA is the integrated security information management solution used at the Hackerspace Gent.

It uses a combination of 389 Directory Server (LDAPv3), MIT Kerberos, NTP (optional), DNS (optional), and DogTag (Certificate System).

Access

URL: https://ipa.hackerspace.gent

First time access: You will be prompted for a new password. Don't forget to set your correct email address.


Management

Allow users to modify their own email (or some other fields)

IPA Server > Self Service Permissions > Add

Self-service name: "Users can manage their own email address"
Attributes: mail

Hooking up services to LDAP for authentication

Do not create a normal IPA user for an application to bind with: a user entry gets a Kerberos principal, a POSIX identity, membership in the default user group and the user password policy, none of which a service needs. Instead create a dedicated system account under cn=sysaccounts,cn=etc, which can only bind (and read whatever the directory ACIs allow).

The IPA CLI and web UI do not manage system accounts, so you need to connect directly via LDAP as Directory Manager to add one; the ldapmodify below is run on the IPA server itself.

[root@ipa ~]# ldapmodify -x -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: uid=<application account name>,cn=sysaccounts,cn=etc,dc=hackerspace,dc=gent
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: <application account name>
userPassword: <password for the application>
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
<blank line>
^D

Example configuration for an application (generic option names; the application substitutes the placeholders such as %u and %g itself, and its own option names will differ):

URL             ldap://ipa.hackerspace.gent:389
BindDN          "uid=<application account name>,cn=sysaccounts,cn=etc,dc=hackerspace,dc=gent"
Password        "<password for the application>"

BaseDN          "cn=users,cn=accounts,dc=hackerspace,dc=gent"
SearchFilter    "(uid=%u)"

BaseDN          "cn=groups,cn=accounts,dc=hackerspace,dc=gent"
SearchFilter    "(member=%g)"

STARTTLS

Plain ldap:// on port 389 sends the bind password in clear text. Enable STARTTLS in the application (FreeIPA also offers LDAPS on port 636) and have it verify the server against the IPA CA certificate below (subject CN=Certificate Authority, O=HACKERSPACE.GENT, valid from 2021-07-19 to 2041-07-19). The same certificate is installed as /etc/ipa/ca.crt on every host enrolled with ipa-client-install:

-----BEGIN CERTIFICATE-----
MIIEmjCCAwKgAwIBAgIBATANBgkqhkiG9w0BAQsFADA7MRkwFwYDVQQKDBBIQUNL
RVJTUEFDRS5HRU5UMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcN
MjEwNzE5MjEzMDQwWhcNNDEwNzE5MjEzMDQwWjA7MRkwFwYDVQQKDBBIQUNLRVJT
UEFDRS5HRU5UMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggGiMA0G
CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQC3D0sY2uxKfvyNm1kwQwMOUuI+qu4F
vzMrb3Pu48PPUg7pEF9rvpiyv55OzPEl9rVIOyxHMq+1DroN1cREpY7ttiuGU0UB
1WP40KElU1drfLKlpNhtDB70TtsvQ9JkR4QBZLHdSEKwRaL0UL11yuiqXTplLw+q
WR2O0vJPg8dwatpJWIqoPqLx/IsCLcNlbDJ0NBFbFhD1Txr9r/ZATQX94duxfpch
bM3cWl90nBtvYnBGzo5ZOBeQD5RVLhZyW9Iu64MovkG3lEpbAOdjGeQbUOiyFwKK
9LOv1kmMDhAFVtKPOAJfCVNPlR0mo7hOMqrsaqbwnF3mQ7MwXjyvvCKdrCHKvu6t
d90Aqbm2nN/dSfw9gh7eEEVgnZzX9QI+g8/g43NXU9XfAXUvvL3QN16P3d+CEw6v
Dte+6YE4s36Bb5l+1jwQD3fDT4YuafjKJSTpqRjIZWAKXdOgLFfDWWYbT2XHCxa4
eJA8aACNywD82sYIFze1MvT7yVV5ct2a5LMCAwEAAaOBqDCBpTAfBgNVHSMEGDAW
gBSaZr01cho5oLUbMv4Od+NnDxiA+DAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB
/wQEAwIBxjAdBgNVHQ4EFgQUmma9NXIaOaC1GzL+DnfjZw8YgPgwQgYIKwYBBQUH
AQEENjA0MDIGCCsGAQUFBzABhiZodHRwOi8vaXBhLWNhLmhhY2tlcnNwYWNlLmdl
bnQvY2Evb2NzcDANBgkqhkiG9w0BAQsFAAOCAYEADrVAhnOXKQk6Ukxh+LqhduPl
IF/jQl/6FHHo3ViGAsqWIQ32CczM6hep0uy4Qgxr8Vkl2DaCOxCXUYLhDVJD7a5D
iuKclvoaR0km1uJAtLgABztysTNySDNnnfYpZgTul6jnwnrIrKOv7OsDYlLeFbot
cQLI8KZn0m2dR6Sbk6gz/npp+xe4u9ETGqALPst3zNzX5iO+4Xj0nOYDQS6II3h0
K4d0FtCTqsQV+TcaWDSA4Lfb+tPc2qscBeD9PcZOcLTLoeeo7v5WZqXgtJ83mpOE
/afRpxYGYltSufkF6uK2M0LuI7wIw/BxJzjfEykYcHDwJgRpIaRXmhotUtEPD/Vn
0chhOrhoYMxDAyXQ7emUmxwoYcUGYnKoKjhrndg1wTQeY7ECBv8G+y/oBLjVGu57
2I9e1M0Go1N1AAEzfSkEtLtVDDLvJecNQwnYRRHvoUY7eaZkbQiZVEwiF6293AEd
pMhkQ5KqmnBlTxVnj/2dxhqRsuc/9B4j1mMoufJh
-----END CERTIFICATE-----
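The whole procedure above (create the system account, then check from the application side that it can bind over STARTTLS and run the user and group lookups from the example configuration) as one script. This is an added example and not code from the wiki page or from FreeIPA; the hostname, base DN, the CA path /etc/ipa/ca.crt and the application's filter escaping are assumptions to adjust. It also shows the RFC 4515 escaping an application must apply before substituting a username into the (uid=%u) filter, since pasting raw input in lets a value like a*)(uid=* rewrite the filter.

```shell
#!/bin/sh
# Added example, not from the HSG wiki: create a bind-only FreeIPA system
# account and verify it over STARTTLS with the IPA CA. Assumed values:
# the host and base DN below, and CA_FILE as the path of the CA certificate
# (on an enrolled host FreeIPA stores it at /etc/ipa/ca.crt).
set -eu

IPA_HOST="${IPA_HOST:-ipa.hackerspace.gent}"
BASE_DN="${BASE_DN:-dc=hackerspace,dc=gent}"
CA_FILE="${CA_FILE:-/etc/ipa/ca.crt}"
# OpenLDAP tools read the CA to trust from this variable; -ZZ below makes
# STARTTLS mandatory so a bind never goes over a clear-text connection.
export LDAPTLS_CACERT="$CA_FILE"

# RFC 4515 escaping for a value substituted into a search filter such as
# (uid=%u): backslash first, then '*', '(' and ')'.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# LDIF for the system account. It lives under cn=sysaccounts,cn=etc, not
# cn=users, so it has no Kerberos principal, no POSIX identity and no group
# memberships; the far-future passwordExpirationTime stops 389-ds from
# expiring it and nsIdleTimeout 0 lets the application keep idle
# connections open. The password is base64-encoded ("::") as LDIF requires
# for values that may start with a space, ':' or '<'.
sysaccount_ldif() {
    name="$1"; password="$2"
    cat <<EOF
dn: uid=${name},cn=sysaccounts,cn=etc,${BASE_DN}
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: ${name}
userPassword:: $(printf '%s' "$password" | base64 | tr -d '\n')
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF
}

# Add the entry as Directory Manager (ldapmodify prompts for its password).
create_sysaccount() {
    sysaccount_ldif "$1" "$2" | ldapmodify -x -ZZ -H "ldap://${IPA_HOST}" -D 'cn=Directory Manager' -W
}

# Do what the application will do: bind as the system account (password
# read from a file with -y, so it is not visible in the process list), then
# resolve a user and the groups it belongs to.
verify_sysaccount() {
    name="$1"; passfile="$2"; user="$3"
    bind_dn="uid=${name},cn=sysaccounts,cn=etc,${BASE_DN}"
    safe_user=$(ldap_filter_escape "$user")
    ldapwhoami -x -ZZ -H "ldap://${IPA_HOST}" -D "$bind_dn" -y "$passfile"
    ldapsearch -x -ZZ -LLL -H "ldap://${IPA_HOST}" -D "$bind_dn" -y "$passfile" \
        -b "cn=users,cn=accounts,${BASE_DN}" "(uid=${safe_user})" dn mail memberOf
}

# Usage: sysaccount.sh <account name> <existing user to test the lookup with>
if [ "$#" -ge 2 ]; then
    passfile=$(mktemp)                              # created mode 0600
    openssl rand -base64 32 | tr -d '\n' > "$passfile"
    create_sysaccount "$1" "$(cat "$passfile")"
    verify_sysaccount "$1" "$passfile" "$2"
    echo "Bind password for $1 is in $passfile: move it into the application's config and delete the file."
fi
```

Run it as `sh sysaccount.sh gitea-bind someuser` (names are placeholders) from a host that has the CA file; the ldapwhoami line must print the system account's DN and the ldapsearch must return the test user with its memberOf values, otherwise the bind DN, password or CA trust is wrong and the application would fail in the same way.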

Prevent the annoying BasicAuth popup from appearing on the login page

Outside Firefox, for example in Chrome on Windows, the first visit to the login page may bring up a browser authentication popup that looks like HTTP Basic Auth and does not accept the IPA username and password; the only way through is to cancel it a few times until FreeIPA's own login form appears. The cause is that the web UI first tries Kerberos single sign-on, and Apache answers that request with 401 and WWW-Authenticate: Negotiate. IE and Chrome (and other Chromium-based browsers) on Windows react to a Negotiate challenge they cannot answer silently with a credential prompt, whereas Firefox only attempts Negotiate for sites listed in network.negotiate-auth.trusted-uris and otherwise falls through to the 401 error page, which leads to the normal form login. The fix is to tell mod_auth_gssapi not to offer Negotiate to those browsers, by setting the gssapi-no-negotiate environment variable in FreeIPA's HTTPD configuration.

Two caveats. Matching on Windows switches off Kerberos single sign-on for every Windows browser, including domain-joined machines with a valid ticket that would have logged in silently. And ipa-server-upgrade regenerates /etc/httpd/conf.d/ipa.conf from its template (the VERSION line at the top of the file is how it decides), so the edit can disappear after an upgrade: check for it afterwards, or put the BrowserMatch line in a separate file under /etc/httpd/conf.d/, where it applies server-wide and survives the regeneration.

[root@ipa ~]# nano /etc/httpd/conf.d/ipa.conf
...
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
  ...
  # Do not offer Negotiate (Kerberos) to Windows browsers: IE and Chrome answer it
  # with a credential popup that the IPA username and password cannot satisfy.
  # gssapi-no-negotiate is an environment variable understood by mod_auth_gssapi.
  BrowserMatch Windows gssapi-no-negotiate
  ...
</Location>

[root@ipa ~]# systemctl restart httpd
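To confirm the change took effect without a Windows machine at hand, the following script (added here; it is not part of the wiki page or of FreeIPA) requests the web UI's Kerberos login endpoint once with a Windows User-Agent and once with a Linux one, and prints the authentication schemes each is offered. After the BrowserMatch line is active, the Windows User-Agent must no longer be offered Negotiate while the other still is. The hostname, the CA path, the /ipa/session/login_kerberos endpoint and the two User-Agent strings are assumptions; adjust them to your deployment.

```shell
#!/bin/sh
# Added example, not from the HSG wiki: check which WWW-Authenticate schemes
# the FreeIPA web server offers to different browsers.
set -eu

IPA_HOST="${IPA_HOST:-ipa.hackerspace.gent}"
CA_FILE="${CA_FILE:-/etc/ipa/ca.crt}"            # assumption: CA path on an enrolled host
LOGIN_KRB="/ipa/session/login_kerberos"           # assumed: endpoint the UI uses for its Kerberos attempt

# Constructed User-Agent strings: one that "BrowserMatch Windows" catches, one it does not.
UA_WIN='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0 Safari/537.36'
UA_LINUX='Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0'

# Read raw HTTP response headers on stdin and print the auth schemes offered,
# sorted and space separated on one line; prints nothing when none is offered.
auth_schemes() {
    tr -d '\r' | grep -i '^WWW-Authenticate:' | sed 's/^[^:]*:[[:space:]]*//' \
        | cut -d' ' -f1 | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Print 1 if the headers on stdin offer Negotiate, 0 otherwise.
offers_negotiate() {
    case " $(auth_schemes) " in
        *" Negotiate "*) echo 1 ;;
        *)               echo 0 ;;
    esac
}

# Fetch only the response headers for one User-Agent: -s silent,
# -o discards the body, -D - writes the headers to stdout.
probe() {
    curl -s -o /dev/null -D - --cacert "$CA_FILE" -A "$1" "https://${IPA_HOST}${LOGIN_KRB}"
}

# Usage: negotiate-check.sh probe
if [ "${1:-}" = "probe" ]; then
    for ua in "$UA_WIN" "$UA_LINUX"; do
        printf '%s\n  -> offered: [%s]\n' "$ua" "$(probe "$ua" | auth_schemes)"
    done
fi
```

On the server, run `apachectl configtest` before `systemctl restart httpd` so a typo in ipa.conf does not take the whole IPA web service down. Then run `sh negotiate-check.sh probe` from any host that trusts the IPA CA: the Windows line should show an empty list and the Linux line should still show Negotiate.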