Questions tagged [freeipa]

FreeIPA is an integrated identity and authentication solution for Linux/UNIX networked environments. A FreeIPA server provides centralized authentication, authorization and account information by storing data about users, groups, hosts and other objects necessary to manage the security aspects of a network of computers.

FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS and Dogtag (Certificate System). It consists of a web interface and command-line administration tools.

FreeIPA is built on top of well-known open source components and standard protocols, with a very strong focus on ease of management and on automation of installation and configuration tasks.

Multiple FreeIPA servers can easily be configured in a FreeIPA domain in order to provide redundancy and scalability. The 389 Directory Server is the main data store and provides a full multi-master LDAPv3 directory infrastructure. Single sign-on authentication is provided via the MIT Kerberos KDC. Authentication capabilities are augmented by an integrated certificate authority based on the Dogtag project. Optionally, domain names can be managed using the integrated ISC BIND server.

Security aspects related to access control, delegation of administration tasks and other network administration tasks can be fully centralized and managed via the Web UI or the ipa command-line tool.

230 questions

2 votes, 0 answers

Minimal example of extending already existing API and CLI call in FreeIPA 4

I am looking to add fields into the user definition in FreeIPA 4.4. Right now I have modified the user schema and added the fields in the Web UI for editing. Now I would like to be able to change the new fields added (country code c and country…
Mayeu

2 votes, 1 answer

ipa users cannot sudo on some machines only, including the ipa server

I'm having trouble with FreeIPA on a few machines. It's been very frustrating to debug so far. Here are the details of the issue. How it manifests: the user can log in just fine to any host, but on some hosts they can't run sudo commands. What i…
Sirex

2 votes, 1 answer

FreeIPA and AD password synchronisation

I am attempting to integrate FreeIPA with Active Directory to provide single-sign-on for Windows and Linux users by following this guide. I have successfully created the 'winsync' agreement and loaded the AD data into FreeIPA but I am struggling to…
KingBob

2 votes, 1 answer

FreeIPA in LXD/LXC containers - cannot switch user

The setup consists of one FreeIPA server and one client, which both reside in unprivileged LXD containers on the same host. Both containers and the host machine run Ubuntu 16.04. All settings are basically FreeIPA defaults, as generated by…
zenyatta

2 votes, 1 answer

Migrate local Linux users to FreeIPA ones

We have several Linux machines (running various versions of Fedora and CentOS, but that should not be relevant) with local users. Most of those local users have the same login name but might have different UID/GID based on when and by whom they were…

2 votes, 1 answer

Restrict LDAP attribute read to self in FreeIPA/RedHat IdM

In our environment, employeeNumber is a sensitive field and we don't want it to be readable by all users. By default, IdM/IPA has a default permission System: Read User Addressbook Attributes which includes the employeeNumber attribute, but we…
yakatz

2 votes, 1 answer

FreeIPA show all DNS records

Just as the title says. I'm stuck at ipa dnsrecord-show mydomain.com; I get prompted for a hostname: Usage: ipa [global-options] dnsrecord-show DNSZONE NAME [options]. I've tried wildcards but it is asking for a specific host. Any ideas?
solly989

2 votes, 2 answers

Cannot create a user in IPA server for remote login

I had created a new IPA IdM server on CentOS 7 using the script install-ipa-server. The installation was successful. After installation, I was not able to create a user using IPA user-add user; it asks for first name and last name, but after that it…

2 votes, 1 answer

FreeIPA re-arrange custom attributes

I created several custom attributes and added them to LDAP and FreeIPA, but their order in the user page is very messy. I want to re-arrange them and put the related attributes together (such as 'initiation date' should be followed by 'termination…
Muhmmad Aziz

2 votes, 1 answer

Extending LDAP and FreeIPA

I'm working with FreeIPA and I've extended its attributes successfully, but noticed that the verification function in the Python plugin, added to FreeIPA, only works for the values entered through the command line. Values entered through the web UI…
Muhmmad Aziz

2 votes, 1 answer

How to disable the forwarder in a FreeIPA server's named.conf

My IPA server's named.conf has this in it, since I chose to enter a forwarder address during the ipa-server-install: forward first; forwarders { 132.206.44.21; 132.216.44.21; }; Now I can only resolve hostnames…
Jesse Stacey

2 votes, 1 answer

How can I force a mac mobile account user to be logged out or locked out when their LDAP account is disabled?

I have a FreeIPA LDAP server and a Mavericks client. I have bound my Mac to my LDAP and created a mobile account. What I want is that when someone is disabled, it logs out the user or locks the screen.

2 votes, 1 answer

Cross realm constrained delegation

I have Red Hat IdM on RHEL8 with a two-way trust to AD on Windows 2019. What currently works: Constrained delegation for NFS clients. NFS clients can impersonate users from the IdM realm (gssproxy). Users from the AD domain can log on to the hosts…

2 votes, 0 answers

FreeIPA - Login failed due to an unknown reason - SSL certificate: unable to get local issuer certificate

I believe my FreeIPA instance has a certificate issue, which manifests in the "Login failed due to an unknown reason" error on the web UI. This seems to be really close to the issue described here: Unable to log in to FreeIPA web UI - "Login failed…
Fiete

1 vote, 1 answer

For FreeIPA autodiscovery to work, what SRV records must exist on the DNS server?

I've configured FreeIPA for the most part. When I attempt to add a client, I must manually specify the domain and IPA server FQDN. I've read many sources discussing autodiscovery, but I have yet to find an example of the autodiscovery records. My…
ndemarco