Recent Posts

How to debug FreeIPA privilege separation issues

FreeIPA 4.5 has a lot of internal changes. The server side of the FreeIPA framework now runs in privilege separation mode. This improves the security of FreeIPA management operations but complicates debugging of the server. During the FreeIPA 4.5 development phase, Simo Sorce and I spent a lot of time debugging regressions and decided to document how we log events and how to debug server-side operations. As a result, this article details what privilege separation means in the context of the FreeIPA management framework and how to debug it.

FreeIPA JSON-RPC API article

FreeIPA Web UI has provided a browser for discovering the application programming interface (API) since FreeIPA 4.2. However, the API itself is not yet officially supported and there is no documentation on how to access it. Some time ago I wrote a blog post detailing how to access the API from an external client, like the curl utility. The blog post was quite popular and allowed people to create bindings to the FreeIPA API in Perl and other languages. However, the blog post assumed you know what you are doing. In order to help those starting from scratch, I wrote a larger...

Samba and identity tales

Samba is built to bridge the Windows and POSIX worlds. Apart from the file system semantics, there are many other differences. The story I’m about to tell concerns users and groups. They have different meanings and representations in the two worlds, so translation is required, much as in real life. In real life, translators often have to take into account cultural differences and sometimes the lack of certain concepts in the language they are translating into.

The protocol communications that Samba implements end up bringing in objects that have a certain meaning in one world but don’t really have a one-to-one counterpart...

Creating permissions in FreeIPA

FreeIPA has a quite flexible system for defining access rights to any resource in the LDAP store. The system consists of three different parts:

  • a permission object
  • a privilege object, and
  • a role object.

A permission object specifies the target of the access grant: which attributes of which LDAP objects are subject to the checks.

A privilege combines several permissions into one logical task. A role defines who has access to which privileges.

The example below is a somewhat complex use of the permission system that allows groups of administrators to manage specific hosts. We...

Single sign-on into virtual machines on Linux

This weekend I looked into making single sign-on possible for Fedora 24 guests running on libvirt/KVM. Suppose you have a libvirt-based server where a number of VMs are deployed, with the VMs presenting graphical workstations. This is not far from what the RHEV product does. You want both your virtualization infrastructure and the OS environments in the VMs to be enrolled into FreeIPA and thus accessible with single sign-on from an external client.

There are several layers of single sign-on here. Once you have signed into your external client, you presumably have valid Kerberos credentials that can be used to obtain service...

Talking to FreeIPA API with sessions and JSON-RPC

Occasionally I see questions on how to drive FreeIPA programmatically. One can use ipa <command> from enrolled IPA clients or go directly to the Python API (as the /usr/sbin/ipa utility is just a tiny shim over the Python API). However, if you want to drive operations from other frameworks or from non-IPA clients, there is another way, and it is actually very simple.

The FreeIPA web UI is one example of such use. It is a JavaScript-based application that the browser downloads when visiting the IPA web site. The application bootstraps itself and issues JSON-RPC requests to...

SambaXP 2015 travel report

I attended the annual SambaXP conference on May 19th-21st. I presented on FreeIPA ID Views, and this year we also had quite a few Red Hat talks in the program, so the organizers even made a 'Red Hat track' on the last day, with all speakers in that track coming with a Shadowman.

SambaXP is a conference run by SerNet GmbH in Goettingen, Lower Saxony, Germany. SerNet is one of the core contributors to the Samba project, organized by, among others, Volker Lendecke, who is a founder of the Samba project along with Andrew Tridgell and Jeremy Allison.

Playing with FreeIPA ipa-ldap-updater

FreeIPA has a number of well-hidden utilities that simplify administrative tasks when setting up or upgrading the master servers. Among these utilities, ipa-ldap-updater is helpful for common tasks that would otherwise require the use of ldapadd/ldapmodify.

One strength of ipa-ldap-updater is the template language it provides to abstract away deployment details. Each FreeIPA server has several constants, such as the LDAP tree suffix, the FreeIPA realm, and a few more. These constants can be referred to in a generic form without explicitly spelling out their values. This approach makes ipa-ldap-updater a valuable tool for expressing...

FreeIPA and Fedora 21

I have a terrible secret to confess: despite all the effort we made in FreeIPA to integrate with Fedora releases, Fedora 21 is the first release where FreeIPA is installable from the distribution media. You can finally fetch an ISO image and install FreeIPA from it without first updating from the Fedora updates repository.

It is amazing that a simple “meet the deadline” goal is hard to actually meet, but that is our reality. In Fedora 21 we’ve got FreeIPA as part of the release criteria for Fedora Server. Starting from the alpha release, a failure to enroll FreeIPA...

Setting up S4U2Proxy with FreeIPA

When using Kerberos to authenticate users, applications often need to talk to other services on behalf of a user. For example, a user connects to a web mail application which, in turn, talks to a mail store. It is often a good idea to limit what an application service can do while presenting itself to other services as the user. A web mail application accessed by an admin should not be able to create or delete users at will. A mail store, when presented with user credentials, should also not be allowed to create or delete...