
freeipa-community-portal's Introduction

FreeIPA Server

FreeIPA allows Linux administrators to centrally manage identity, authentication and access control aspects of Linux and UNIX systems by providing simple to install and use command line and web based management tools.

FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks.

FreeIPA can seamlessly integrate into an Active Directory environment via cross-realm Kerberos trust or user synchronization.

Benefits

FreeIPA:

  • Allows all your users to access all the machines with the same credentials and security settings
  • Allows users to access personal files transparently from any machine in an authenticated and secure way
  • Uses an advanced grouping mechanism to restrict network access to services and files only to specific users
  • Allows central management of security mechanisms like passwords, SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
  • Enables delegation of selected administrative tasks to other power users
  • Integrates into Active Directory environments

Components

The FreeIPA project provides unified installation and management tools for the following components:

Project Website

Releases, announcements and other information can be found on the IPA server project page at http://www.freeipa.org/.

Documentation

The most up-to-date documentation can be found at http://freeipa.org/page/Documentation.

Quick Start

To get started quickly, start here: http://www.freeipa.org/page/Quick_Start_Guide

For developers

Licensing

Please see the file called COPYING.

Contacts

freeipa-community-portal's People

Contributors: dperny, frasertweedale, mkosek, tiran

freeipa-community-portal's Issues

Limit password reset to self-service users

For now the portal can reset the password of any user. The permission can be abused to break into accounts with elevated permissions. The ACI for 'System: Change User password' already forbids password changes to members of the admin group. There might be systems with other critical users.

The 'System: Change User password' permission should be replaced by a more limited permission that is restricted to self-service users. In order to limit the scope, we have to introduce an additional group, role and permission:

  • group: self-service users
  • role: Self-Service User
  • permission: 'System: Change Self-Service User password'
  • ACI similar to "permission:System: Change User password".

Self-registered users should be automatically added to the new group, too. It also allows the admin to track self-registered users more easily.

require n out of m keys/users to authenticate an ssh session?

I'm looking for an option - eventually to extend standard ssh - in such a way that I need (at least) two people/keys out of m possible to authenticate a session instead of one out of m known ones...

Anyone seen this or know how to do it?

I know there is key + password (which is kind of in this direction) but not exactly what I'm looking for...

Regarding the user restriction to the specific master

Hello

Before discussing the requirement, I would like to describe the scenario for this implementation.
We have 4 IPA servers; one will be the master and the others will be replicas of that master. As shown below, two of the servers are in the HA site and the others are in the DR site.
The ask is:
{ "Is there any possibility so that we can restrict the user to get authenticated from the specified master only !! " }

In simple words, we don't want our HA users to get authenticated over the DR master, if there is any possibility.
What configuration changes in the files, or during the installation, do we have to perform?

Waiting for prompt response
with regards
Shubham Vij

No link / full URL in email

The password reset email doesn't contain a link that can be clicked:

Someone (probably you) has requested to reset your password. Details:

    Username: demo
       Token: EaE9-h9hB4s

Link: /reset_password?username=demo&token=EaE9-h9hB4s

Simplify GSSAPI authentication

Kerberos / GSSAPI authentication can be simplified a lot with a single env var:

os.environ['KRB5_CLIENT_KTNAME'] = 'FILE:/etc/ipa/portal.keytab'

With a client keytab and the env var, GSSAPI and ipalib will automatically pick up and use the keytab for authentication. That's all! Even the principal is looked up from the client keytab.

The path to the portal keytab should be configurable in the config file.

create-portal-user: cannot add "System: Read User Addressbook" privilege

[f22-6:~/dev/freeipa] [ master ] ftweedal% create-portal-user  
---------------------------------------------
Added privilege "Portal management privilege"
---------------------------------------------
  Privilege name: Portal management privilege
  Description: Portal privileges
ipa: ERROR: invalid 'permission': cannot add permission "System: Read User Addressbook Attributes" with bindtype "all" to a privilege
------------------------------
Added role "Portal management"
------------------------------
  Role name: Portal management
  Description: self-service portals
  Role name: Portal management
  Description: self-service portals
  Privileges: Portal management privilege
----------------------------
Number of privileges added 1
----------------------------
-------------------
Added user "portal"
-------------------
  User login: portal
  First name: Self
  Last name: Service
  Full name: Self Service
  Display name: Self Service
  Initials: SS
  Home directory: /home/portal
  GECOS: Self Service
  Login shell: /bin/sh
  Kerberos principal: [email protected]
  Email address: [email protected]
  UID: 729600012
  GID: 729600012
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
  Role name: Portal management
  Description: self-service portals
  Member users: portal
  Privileges: Portal management privilege
-------------------------
Number of members added 1
-------------------------

StandardError: API.bootstrap() already called

API initialization should be delayed. The current global initialization is probably not compatible with pre-forking webservers or NGinx vassal model.

[Fri Aug 07 12:42:31.206164 2015] [wsgi:error] [pid 1605] [client 10.36.7.206:46426] Traceback (most recent call last):, referer: http://vm-244.abc.idm.lab.eng.brq.redhat.com/user
[Fri Aug 07 12:42:31.206502 2015] [wsgi:error] [pid 1605] [client 10.36.7.206:46426]   File "/var/www/wsgi/freeipa_community_portal.wsgi", line 4, in <module>, referer: http://vm-244.abc.idm.lab.eng.brq.redhat.com/user
[Fri Aug 07 12:42:31.206789 2015] [wsgi:error] [pid 1605] [client 10.36.7.206:46426]     from freeipa_community_portal import app, referer: http://vm-244.abc.idm.lab.eng.brq.redhat.com/user
[Fri Aug 07 12:42:31.206839 2015] [wsgi:error] [pid 1605] [client 10.36.7.206:46426]   File "/srv/freeipa-community-portal/lib/python2.7/site-packages/freeipa_community_portal/app.py", line 30, in <module>, referer: http://vm-244.abc.idm.lab.eng.brq.redhat.com/user
[Fri Aug 07 12:42:31.206899 2015] [wsgi:error] [pid 1605] [client 10.36.7.206:46426]     from freeipa_community_portal.model.user import User, referer: http://vm-244.abc.idm.lab.eng.brq.redhat.com/user
[Fri Aug 07 12:42:31.206932 2015] [wsgi:error] [pid 1605] [client 10.36.7.206:46426]   File "/srv/freeipa-community-portal/lib/python2.7/site-packages/freeipa_community_portal/model/__init__.py", line 28, in <module>, referer: http://vm-244.abc.idm.lab.eng.brq.redhat.com/user
[Fri Aug 07 12:42:31.206981 2015] [wsgi:error] [pid 1605] [client 10.36.7.206:46426]     api.bootstrap(context='cli'), referer: http://vm-244.abc.idm.lab.eng.brq.redhat.com/user
[Fri Aug 07 12:42:31.207015 2015] [wsgi:error] [pid 1605] [client 10.36.7.206:46426]   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 374, in bootstrap, referer: http://vm-244.abc.idm.lab.eng.brq.redhat.com/user
[Fri Aug 07 12:42:31.207073 2015] [wsgi:error] [pid 1605] [client 10.36.7.206:46426]     self.__doing('bootstrap'), referer: http://vm-244.abc.idm.lab.eng.brq.redhat.com/user
[Fri Aug 07 12:42:31.207103 2015] [wsgi:error] [pid 1605] [client 10.36.7.206:46426]   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 359, in __doing, referer: http://vm-244.abc.idm.lab.eng.brq.redhat.com/user
[Fri Aug 07 12:42:31.207145 2015] [wsgi:error] [pid 1605] [client 10.36.7.206:46426]     '%s.%s() already called' % (self.__class__.__name__, name), referer: http://vm-244.abc.idm.lab.eng.brq.redhat.com/user
[Fri Aug 07 12:42:31.207253 2015] [wsgi:error] [pid 1605] [client 10.36.7.206:46426] StandardError: API.bootstrap() already called, referer: http://vm-244.abc.idm.lab.eng.brq.redhat.com/user

(SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.

Hey, I set everything up as described at http://freeipa-community-portal.readthedocs.io/en/latest/deploy.html#post-installation (except I installed it on the same server as FreeIPA), but when trying to register a user, the following error occurs:

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cherrypy/_cprequest.py", line 670, in respond
    response.body = self.handler()
  File "/usr/lib/python2.7/site-packages/cherrypy/lib/encoding.py", line 217, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/cherrypy/_cpdispatch.py", line 61, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/usr/lib/python2.7/site-packages/freeipa_community_portal/app.py", line 74, in POST
    errors = user.save()
  File "/usr/lib/python2.7/site-packages/freeipa_community_portal/model/user.py", line 56, in save
    self._call_api()
  File "/usr/lib/python2.7/site-packages/freeipa_community_portal/model/user.py", line 66, in _call_api
    api_connect()
  File "/usr/lib/python2.7/site-packages/freeipa_community_portal/model/__init__.py", line 47, in api_connect
    api.finalize()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 707, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 422, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 585, in load_plugins
    for package in self.packages:
  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in packages
    ipaclient.remote_plugins.get_package(self),
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 118, in get_package
    plugins = schema.get_package(server_info, client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 543, in get_package
    schema = Schema(client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 387, in __init__
    fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 426, in _fetch
    schema = client.forward(u'schema', **kwargs)['result']
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1008, in forward
    raise NetworkError(uri=server, error=str(e))
NetworkError: cannot connect to 'https://ipa.mueslo.de/ipa/json': (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.

This is on a freshly-installed Fedora 26 VM (KVM).

$ dnf list installed | grep -E "([^i]ipa|[^a-z]nss)"
device-mapper-multipath.x86_64       0.4.9-88.fc26                      @fedora
device-mapper-multipath-libs.x86_64  0.4.9-88.fc26                      @fedora
freeipa-client.x86_64                4.4.4-4.fc26                       @updates
freeipa-client-common.noarch         4.4.4-4.fc26                       @updates
freeipa-common.noarch                4.4.4-4.fc26                       @updates
freeipa-server.x86_64                4.4.4-4.fc26                       @updates
freeipa-server-common.noarch         4.4.4-4.fc26                       @updates
libcrypt-nss.x86_64                  2.25-7.fc26                        @updates
libipa_hbac.x86_64                   1.15.3-1.fc26                      @updates
libsss_nss_idmap.x86_64              1.15.3-1.fc26                      @updates
mod_nss.x86_64                       1.0.14-3.fc26                      @fedora
python-ipaddress.noarch              1.0.16-4.fc26                      @fedora
python-nss.x86_64                    1.0.1-1.fc26                       @fedora
python2-ipaclient.noarch             4.4.4-4.fc26                       @updates
python2-ipalib.noarch                4.4.4-4.fc26                       @updates
python2-ipaserver.noarch             4.4.4-4.fc26                       @updates
python2-libipa_hbac.x86_64           1.15.3-1.fc26                      @updates
python3-iniparse.noarch              0.4-24.fc26                        @fedora
sssd-ipa.x86_64                      1.15.3-1.fc26                      @updates

$  pip freeze | grep -E "ipa|nss"
freeipa==2.0.0a0
freeipa-community-portal==0.2
ipaclient==4.4.4
ipaddress==1.0.16
ipalib==4.4.4
ipaplatform==4.4.4
ipapython==4.4.4
python-nss==1.0.1

/var/log/krb5kdc.log:

Aug 23 17:37:44 ipa krb5kdc[1847](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.4: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Aug 23 17:37:44 ipa krb5kdc[1847](info): closing down fd 11
Aug 23 17:37:44 ipa krb5kdc[1847](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.4: ISSUE: authtime 1503502664, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
Aug 23 17:37:44 ipa krb5kdc[1847](info): closing down fd 11
Aug 23 17:37:44 ipa krb5kdc[1847](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.4: ISSUE: authtime 1503502664, etypes {rep=18 tkt=18 ses=18}, [email protected] for HTTP/[email protected]
Aug 23 17:37:44 ipa krb5kdc[1847](info): closing down fd 11

/var/log/sssd/sssd_nss.log: (full of this repeating)
(Wed Aug 23 17:56:56 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Fatal]

If I take a minimal example, e.g.

#!/usr/bin/env python2
import os
from ipalib import api

os.environ['KRB5_CLIENT_KTNAME'] = "/etc/ipa/portal.keytab"

api.bootstrap(context='cli')
api.finalize()

if not api.Backend.rpcclient.isconnected():
    api.Backend.rpcclient.connect()

api.Command.stageuser_add(
    givenname=u'testy',
    sn=u'mctestface',
    uid=u'testymctest',
    mail=u'[email protected]')

Running this as apache works fine (now), not sure why the below happened.


Running this as root (with an admin ticket), works just fine. However, running this as apache leads to

  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 426, in _fetch
    schema = client.forward(u'schema', **kwargs)['result']
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 994, in forward
    return self._call_command(command, params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 975, in _call_command
    return command(*params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1125, in _call
    return self.__request(name, args)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1119, in __request
    raise error_class(**kw)
ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Matching credential not found (filename: /var/run/httpd/ipa/clientcaches/[email protected]))

and sometimes

  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 426, in _fetch
    schema = client.forward(u'schema', **kwargs)['result']
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1008, in forward
    raise NetworkError(uri=server, error=str(e))
ipalib.errors.NetworkError: cannot connect to 'https://ipa.mueslo.de/ipa/json': (PR_END_OF_FILE_ERROR) Encountered end of file.

Happens both with ipalib/ipaclient 4.4.4 and 4.5.3. The keytab was created via ipa-getkeytab -s ipa.mueslo.de -p [email protected] -k /etc/ipa/portal.keytab.

RPM package for python-captcha

Now that captcha 0.2 has been released I should create an RPM package of captcha. python-captcha is not yet available in Fedora and RHEL. It doesn't look hard. https://fedoraproject.org/wiki/Packaging:Python has a good example.

Here is my first attempt:

%global pypi_name captcha
%global sum A captcha library that generates audio and image CAPTCHAs.

Name:           python-%{pypi_name}
Version:        0.2
Release:        1%{?dist}
Summary:        A captcha library that generates audio and image CAPTCHAs.

License:        BSD
URL:            http://pypi.python.org/pypi/%{pypi_name}
Source0:        https://pypi.python.org/packages/source/c/%{pypi_name}/%{pypi_name}-%{version}.tar.gz

BuildArch:      noarch
BuildRequires:  python2-devel python3-devel

%description
A captcha library that generates audio and image CAPTCHAs.

%package -n python2-%{pypi_name}
Summary: %{sum}
# the python2 subpackage needs the python2 build of Pillow, not python3-pillow
Requires: python2-pillow
%{?python_provide:%python_provide python2-%{pypi_name}}

%description -n python2-%{pypi_name}
A captcha library that generates audio and image CAPTCHAs.

%package -n python3-%{pypi_name}
Summary: %{sum}
Requires: python3-pillow
%{?python_provide:%python_provide python3-%{pypi_name}}

%description -n python3-%{pypi_name}
A captcha library that generates audio and image CAPTCHAs.

%prep
%setup -q -n %{pypi_name}-%{version}

%build
%py2_build
%py3_build

%install
%py2_install
%py3_install

%files -n python2-%{pypi_name}
%license LICENSE
%doc README.rst
%{python2_sitelib}/%{pypi_name}
%{python2_sitelib}/%{pypi_name}-%{version}-py?.?.egg-info

%files -n python3-%{pypi_name}
%license LICENSE
%doc README.rst
%{python3_sitelib}/%{pypi_name}
%{python3_sitelib}/%{pypi_name}-%{version}-py?.?.egg-info

%changelog

Better error handling for api_connect()

api_connect() doesn't handle errors such as the FreeIPA server not being available. This may lead to ugly 500 errors. Instead, the community portal should inform the user when the FreeIPA server is not available.

Related to #5

Black list / white list for email domains

The portal should support black lists for email addresses and domains as well as white lists for domains. The lists should be stored in the sqlite database. It makes it much easier to maintain for an admin.

Disable or redirect file logging

api.bootstrap() and finalize() complain about file permissions:

ERROR: Could not create log_dir u'/usr/share/httpd/.ipa/log

The portal should either disable file logging or use a writeable log location.

python-pillow cannot open font resource

Visiting /user results in a 500 Internal Server Error. It seems Pillow cannot open a font file.

I guess something is missing from the deploy guide, or some initialisation is not being performed by the program.

This occurs with Pillow 2.8.2 from Fedora repos as well as 2.9 from PyPI.

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cherrypy/_cprequest.py", line 670, in respond
    response.body = self.handler()
  File "/usr/lib/python2.7/site-packages/cherrypy/lib/encoding.py", line 217, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/cherrypy/_cpdispatch.py", line 61, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/usr/lib/python2.7/site-packages/freeipa_community_portal-0.2.2-py2.7.egg/freeipa_community_portal/app.py", line 59, in GET
    return self._render_registration_form()
  File "/usr/lib/python2.7/site-packages/freeipa_community_portal-0.2.2-py2.7.egg/freeipa_community_portal/app.py", line 76, in _render_registration_form
    captcha = captcha_helper.CaptchaHelper()
  File "/usr/lib/python2.7/site-packages/freeipa_community_portal-0.2.2-py2.7.egg/freeipa_community_portal/model/captcha_wrapper.py", line 61, in __init__
    self.image = self.image_generator.generate(self.solution, format='jpeg').getvalue()
  File "/usr/lib/python2.7/site-packages/captcha-0.2-py2.7.egg/captcha/image.py", line 40, in generate
    im = self.generate_image(chars)
  File "/usr/lib/python2.7/site-packages/captcha-0.2-py2.7.egg/captcha/image.py", line 217, in generate_image
    im = self.create_captcha_image(chars, color, background)
  File "/usr/lib/python2.7/site-packages/captcha-0.2-py2.7.egg/captcha/image.py", line 192, in create_captcha_image
    images.append(_draw_character(c))
  File "/usr/lib/python2.7/site-packages/captcha-0.2-py2.7.egg/captcha/image.py", line 159, in _draw_character
    font = random.choice(self.truefonts)
  File "/usr/lib/python2.7/site-packages/captcha-0.2-py2.7.egg/captcha/image.py", line 118, in truefonts
    for s in self._font_sizes
  File "/usr/lib64/python2.7/site-packages/PIL/ImageFont.py", line 260, in truetype
    return FreeTypeFont(font, size, index, encoding)
  File "/usr/lib64/python2.7/site-packages/PIL/ImageFont.py", line 140, in __init__
    self.font = core.getfont(font, size, index, encoding)
IOError: cannot open resource

Default HTTP configuration should enforce HTTPS

The community portal's default configuration for Apache should enforce HTTPS and reject plain HTTP connections. Users can still opt out of HTTPS. The default configuration shall always be secure.

User self registration doesn't validate email address

The self registration workflow doesn't validate the user's email address yet. It's common practice to validate the email address.

Suggested workflow

  1. User registers herself with username, temporary password and email address. The stage user is not created. Instead, the information is stored in a local sqlite database.
  2. Portal sends user an email with a validation token and a temporary password
  3. User clicks on link and validates the token.
  4. Portal creates stage user in FreeIPA.

Security concern

The temporary password is sent in plain text. Since it's a temporary password (the user has to set a new password in the FreeIPA web UI anyway) it is not so bad.

In order to mitigate flooding and DoS attacks on FreeIPA and LDAP servers, the portal must create the staging user after the mail address has been validated.
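The validated-registration workflow above, together with the sqlite-backed email block/allow lists proposed in the "Black list / white list for email domains" issue, as an added example (not the portal's own code): the registration is parked in sqlite with only a digest of the token, the lists are consulted first, and the stage user is created only once a valid, unexpired token comes back. The table layout, the one-day TOKEN_TTL and the create_stage_user callback (standing in for the ipalib stageuser_add call) are assumptions; the temporary password field is left out.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

TOKEN_TTL = 24 * 3600  # assumed: a validation link is good for one day


def open_db(path=":memory:"):
    """Create the portal-side tables: pending registrations plus the
    admin-maintained email block/allow lists (assumed schema)."""
    db = sqlite3.connect(path)
    db.executescript(
        "CREATE TABLE IF NOT EXISTS pending ("
        "  username TEXT PRIMARY KEY, email TEXT NOT NULL,"
        "  token_hash TEXT NOT NULL, expires REAL NOT NULL);"
        "CREATE TABLE IF NOT EXISTS blocked_addresses (email TEXT PRIMARY KEY);"
        "CREATE TABLE IF NOT EXISTS blocked_domains (domain TEXT PRIMARY KEY);"
        "CREATE TABLE IF NOT EXISTS allowed_domains (domain TEXT PRIMARY KEY);"
    )
    return db


def _hash_token(token):
    # Only a digest is stored, so a copy of the sqlite file yields no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def email_allowed(db, email):
    """Blocked addresses and domains always lose; if an allow list exists,
    the domain must be on it."""
    email = email.strip().lower()
    if "@" not in email:
        return False
    domain = email.rsplit("@", 1)[1]

    def exists(sql, arg):
        return db.execute(sql, (arg,)).fetchone() is not None

    if exists("SELECT 1 FROM blocked_addresses WHERE email = ?", email):
        return False
    if exists("SELECT 1 FROM blocked_domains WHERE domain = ?", domain):
        return False
    if db.execute("SELECT 1 FROM allowed_domains LIMIT 1").fetchone() is not None:
        return exists("SELECT 1 FROM allowed_domains WHERE domain = ?", domain)
    return True


def register(db, username, email, now=None):
    """Step 1: record the request locally and return the one-time token that
    goes into the validation email. FreeIPA is not contacted at this point."""
    if not email_allowed(db, email):
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(16)
    db.execute(
        "INSERT OR REPLACE INTO pending VALUES (?, ?, ?, ?)",
        (username, email.strip().lower(), _hash_token(token), now + TOKEN_TTL),
    )
    db.commit()
    return token


def validate(db, username, token, create_stage_user, now=None):
    """Steps 3 and 4: check the token from the link, then create the stage user.
    create_stage_user(username, email) stands in for the ipalib stageuser_add call."""
    now = time.time() if now is None else now
    row = db.execute(
        "SELECT email, token_hash, expires FROM pending WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return False
    email, token_hash, expires = row
    if now > expires:
        # stale request: drop it so the username can be registered again
        db.execute("DELETE FROM pending WHERE username = ?", (username,))
        db.commit()
        return False
    if not hmac.compare_digest(token_hash, _hash_token(token)):
        return False
    create_stage_user(username, email)
    # token is single-use: remove the pending row once the stage user exists
    db.execute("DELETE FROM pending WHERE username = ?", (username,))
    db.commit()
    return True
```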

[doc] Portal user setup incomplete

The installation guide is incomplete and doesn't explain all necessary steps for the user setup. After create-portal-user is invoked, the user is available but cannot grab a TGT from Kerberos.

# kinit portal
kinit: Generic preauthentication failure while getting initial credentials
# ipa user-find portal
--------------
1 user matched
--------------
  User login: portal
  First name: Self
  Last name: Service
  Home directory: /home/portal
  Login shell: /bin/sh
  Email address: [email protected]
  UID: 1507400003
  GID: 1507400003
  Account disabled: False
  Password: False
  Kerberos keys available: False
----------------------------
Number of entries returned 1
----------------------------

The create-portal-user script has a commented out section at the end. It shows how to use ipa-getkeytab to acquire a user keytab. This should be added to the docs, too.

# ipa-getkeytab -s ipaserver.ipa.example -p [email protected] -k /etc/ipa/portal.keytab
# kinit -kt /etc/ipa/portal.keytab portal
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_XbhVstw
Default principal: [email protected]

Valid starting       Expires              Service principal
2015-08-07 12:38:12  2015-08-08 12:38:12  krbtgt/[email protected]

# chown apache:apache /etc/ipa/portal.keytab 
# su -s /bin/sh apache -c 'kinit -kt /etc/ipa/portal.keytab portal'

Check for duplicate email address

FreeIPA doesn't enforce unique email addresses. The portal should inform that an email address is already registered. Optionally it could enforce unique email addresses, too.

Invalidate password reset token

In the current implementation the password reset token stays valid for up to three days. There is no way to invalidate a token except by using it. The portal should offer a route to invalidate a token.

NotFound: username: stage user not found

I get a "stage user not found" error when the user already exists as an ordinary user. Perhaps the user model should check if the user already exists and print an error message.

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cherrypy/_cprequest.py", line 670, in respond
    response.body = self.handler()
  File "/usr/lib/python2.7/site-packages/cherrypy/lib/encoding.py", line 217, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/cherrypy/_cpdispatch.py", line 61, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/srv/freeipa-community-portal/lib/python2.7/site-packages/freeipa_community_portal/app.py", line 66, in POST
    errors = user.save()
  File "/srv/freeipa-community-portal/lib/python2.7/site-packages/freeipa_community_portal/model/user.py", line 55, in save
    self._call_api()
  File "/srv/freeipa-community-portal/lib/python2.7/site-packages/freeipa_community_portal/model/user.py", line 69, in _call_api
    mail=self.email
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 761, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 782, in forward
    return self.Backend.rpcclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 888, in forward
    return self._call_command(command, params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 865, in _call_command
    return command(*params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1016, in _call
    return self.__request(name, args)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1010, in __request
    raise error_class(message=error['message'])
NotFound: username: stage user not found

Move create-portal-user and freeipa-portal-install

Neither script should be put in /bin or any other directory in PATH. A user should not be able to accidentally execute either of the scripts. Also, the scripts are only required once, when the portal is set up. Better to put them in a safe place like /usr/share and force the user to execute them with their full path.

CherryPy debug logger reveals internals

Some errors reveal internal information like paths when an error occurs. Debug mode and tracebacks should be disabled by default.

500 Internal Server Error

The server encountered an unexpected condition which prevented it from fulfilling the request.

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cherrypy/_cprequest.py", line 670, in respond
    response.body = self.handler()
  File "/usr/lib/python2.7/site-packages/cherrypy/lib/encoding.py", line 217, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/cherrypy/_cpdispatch.py", line 61, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/srv/freeipa-community-portal/lib/python2.7/site-packages/freeipa_community_portal/app.py", line 69, in POST
    SignUpMailer(user).mail()
  File "/srv/freeipa-community-portal/lib/python2.7/site-packages/freeipa_community_portal/mailers/mailer.py", line 65, in mail
    self._send(contents)
  File "/srv/freeipa-community-portal/lib/python2.7/site-packages/freeipa_community_portal/mailers/mailer.py", line 81, in _send
    server = smtplib.SMTP(MAIL_SERVER, SMTP_PORT)
  File "/usr/lib64/python2.7/smtplib.py", line 256, in __init__
    (code, msg) = self.connect(host, port)
  File "/usr/lib64/python2.7/smtplib.py", line 316, in connect
    self.sock = self._get_socket(host, port, self.timeout)
  File "/usr/lib64/python2.7/smtplib.py", line 291, in _get_socket
    return socket.create_connection((host, port), timeout)
  File "/usr/lib64/python2.7/socket.py", line 557, in create_connection
    for res in getaddrinfo(host, port, 0, SOCK_STREAM):
gaierror: [Errno -2] Name or service not known

Powered by CherryPy 3.5.0 

Best Method to Create Super-Admin User Not Clear

I have tried to provide a role all privileges but get various errors all resembling invalid 'permission': cannot add permission "System: Read Global Configuration" with bindtype "all" to a privilege.

However, I need a few users with all permissions for the time being until the IPA servers are stood up completely.

I have looked through Google and various mailing lists, but I cannot find a definitive method of creating a user with all permissions to manage and set up our IPA server cluster.

Login and password change should invalidate password reset token

A successful login or a password change should invalidate the current password reset token. Both operations are evidence that either the user is still in possession of valid credentials or that an admin has forcefully reset the password.

FreeIPA keeps track of logins and password changes in the LDAP attributes krbLastPwdChange and krbLastSuccessfulAuth. When a user requests a password reset, the portal should store the fields in its sqlite database. Upon reset it compares the values with the current values. If the values are newer, it shall refuse a password reset.

See #38
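A way to implement the comparison described above, as an added example rather than the portal's own code: the two timestamps are snapshotted next to a digest of the reset token when the mail goes out, and the reset is refused (and the token burned) if either value has moved forward by the time the link is used. Assumed: the user entry is the raw attribute dict as ipalib returns it with --raw (lists of GeneralizedTime strings), the sqlite schema is invented here, and the sample entries in the test are constructed.

```python
import hashlib
import hmac
import sqlite3
from datetime import datetime, timezone

# LDAP attributes FreeIPA updates on password change and on successful login
TRACKED = ("krbLastPwdChange", "krbLastSuccessfulAuth")


def parse_gtime(value):
    """Parse an LDAP GeneralizedTime such as '20150807123812Z' (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def first_value(entry, attr):
    """Raw ipalib entries hold multi-valued attributes as lists; return the first or None."""
    values = entry.get(attr)
    if not values:
        return None
    return values[0] if isinstance(values, (list, tuple)) else values


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS reset_tokens ("
        "  username TEXT PRIMARY KEY, token_hash TEXT NOT NULL,"
        "  pwd_change TEXT, last_auth TEXT)"
    )
    return db


def _hash_token(token):
    return hashlib.sha256(token.encode()).hexdigest()


def store_request(db, username, token, entry):
    """Called when the reset mail is sent: snapshot both timestamps next to the token."""
    db.execute(
        "INSERT OR REPLACE INTO reset_tokens VALUES (?, ?, ?, ?)",
        (username, _hash_token(token),
         first_value(entry, TRACKED[0]), first_value(entry, TRACKED[1])),
    )
    db.commit()


def moved_forward(stored, current):
    """True if the attribute advanced since the snapshot; a value that appeared
    where there was none (first login after the request) counts as well."""
    if current is None:
        return False
    if stored is None:
        return True
    return parse_gtime(current) > parse_gtime(stored)


def reset_allowed(db, username, token, entry):
    """Called when the link is used: refuse, and burn the token, if the user has
    logged in or changed the password since the request was made."""
    row = db.execute(
        "SELECT token_hash, pwd_change, last_auth FROM reset_tokens WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None or not hmac.compare_digest(row[0], _hash_token(token)):
        return False
    for stored, attr in zip(row[1:], TRACKED):
        if moved_forward(stored, first_value(entry, attr)):
            db.execute("DELETE FROM reset_tokens WHERE username = ?", (username,))
            db.commit()
            return False
    return True
```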

[doc] portal server needs to be freeipa client

The server that hosts the community portal must be configured as a FreeIPA client in order to communicate with the FreeIPA master. This premise isn't covered by the documentation yet. It also needs the ipalib package (which is part of freeipa-client) and the ipa commands (freeipa-admintools). Until https://fedorahosted.org/freeipa/ticket/5133 is resolved, python-memcached is also a requirement.

dnf install freeipa-client freeipa-admintools python-memcached

Fedora 28 Fresh Install - install errors.

I reached a first error that Alexander solved for me by having me load the python2 libraries, since the new install only had python 3.

The second error I am still stuck at.

Error #1 - Install Documentation - create-portal-user error

[  ]$ ./create-portal-user
    Traceback (most recent call last):
      File "./create-portal-user", line 27, in <module>
        from ipalib import api
    ImportError: No module named ipalib      <-- This is the error

# then tried to manually load the lib and got this:

[]$ sudo pip install ipalib
    WARNING: Running pip install with root privileges is generally not a

    good idea. Try `pip install --user` instead.
    Collecting ipalib
    Complete output from command python setup.py egg_info:
    In distributed package, building from C files...
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-build-rcBXhA/gssapi/setup.py", line 109, in <module>
        raise Exception("Could not find main GSSAPI shared library.  Please "
    Exception: Could not find main GSSAPI shared library.  Please try
      setting GSSAPI_MAIN_LIB yourself or setting ENABLE_SUPPORT_DETECTION

      to 'false'  <-- and again another error
   
    ----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-rcBXhA/gssapi/

Solved by installing the following package:
sudo dnf install python2-ipaclient

Error #2

[me@portal ~]$ create-portal-user
Created privilege 'Portal management privilege'
    Added permission 'System: Add Stage User' to privilege
    Added permission 'System: Read Stage User' to privilege
    Added permission 'System: Change User password' to privilege
    Cannot add permission 'System: Read User Standard Attributes' to privilege
ipa: WARNING:     Cannot add permission 'System: Read User Standard Attributes' to privilege
    Cannot add permission 'System: Read User Addressbook Attributes' to privilege
ipa: WARNING:     Cannot add permission 'System: Read User Addressbook Attributes' to privilege
Created role 'Portal management'
Added privilege 'Portal management privilege' to role 'Portal management'
Created user 'portal'
Added role 'Portal management' to user 'portal'
Retrieving keytab...
    ipa-getkeytab -s prime.ipa.kkgpitt.org -p [email protected] -k /etc/ipa/portal.keytab
Failed to add key to the keytab
Traceback (most recent call last):
  File "/home/me/.local/bin/create-portal-user", line 207, in <module>
    main()
  File "/home/me/.local/bin/create-portal-user", line 197, in main
    create_keytab(args.username, args.keytab, args.keytab_owner)
  File "/home/me/.local/bin/create-portal-user", line 180, in create_keytab
    subprocess.check_call(cmd)
  File "/usr/lib64/python2.7/subprocess.py", line 190, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['ipa-getkeytab', '-s', u'prime.ipa.kkgpitt.org', '-p', u'[email protected]', '-k', '/etc/ipa/portal.keytab']' returned non-zero exit status 11

I tried manually running the command, then changed the password and ran it again, and got varying errors:

[jjflynn22@portal ~]$ ipa-getkeytab  -s prime.ipa.kkgpitt.org -p <new pw> -k /etc/ipa/portal.keytab
Failed to parse result: PrincipalName not found.

Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: PrincipalName not found.

Failed to get keytab!
Failed to get keytab

Remove self-service group

@simo5 explained to me that a general self-service group is not a good idea. Such a group has performance implications and should be avoided.

XSS in jinja2 templates

Michael Scherer has reported XSS vulnerabilities in the jinja2 templates. According to Michael, jinja2 doesn't filter HTML. All user data (name, email, etc.) must be filtered.
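To make the point above concrete, here is an added example (not code from the freeipa-community-portal project) that renders a small profile fragment twice: once with user data pasted in verbatim, the way an unescaped template behaves, and once with every user-controlled value passed through HTML escaping first. It uses the standard library's html.escape so it runs without Jinja2 installed; in a Jinja2 deployment the engine-level equivalent is constructing the Environment with autoescape=True (or jinja2.select_autoescape) so that the escaping cannot be forgotten in an individual template. The template string and the sample name are constructed for the demonstration.

```python
"""Escaping user-supplied data before it reaches an HTML template.

Added example, not code from freeipa-community-portal. PROFILE_TEMPLATE and
SAMPLE_NAME are constructed for the demonstration.
"""
import html

# A tiny page fragment in the shape of a user profile. In Jinja2 this would
# live in a template file; the escaping step is the point, not the engine.
PROFILE_TEMPLATE = (
    "<h1>{name}</h1>\n"
    '<a href="mailto:{email}">{email}</a>\n'
)

# Constructed sample input: a display name that carries markup.
SAMPLE_NAME = 'Mallory <script>alert(1)</script>'


def render_unescaped(name, email):
    """Vulnerable: user data is interpolated into the markup verbatim."""
    return PROFILE_TEMPLATE.format(name=name, email=email)


def render_escaped(name, email):
    """Hardened: every user-controlled value is HTML-escaped first.

    quote=True also escapes the quote characters, so a value placed inside a
    quoted attribute (the mailto href above) cannot close that attribute.
    """
    return PROFILE_TEMPLATE.format(
        name=html.escape(name, quote=True),
        email=html.escape(email, quote=True),
    )


def contains_raw_tag(rendered):
    """Crude check: did any '<' survive that the template skeleton itself did not emit?"""
    template_tags = PROFILE_TEMPLATE.count("<")
    return rendered.count("<") > template_tags


if __name__ == "__main__":
    print(render_unescaped(SAMPLE_NAME, "[email protected]"))
    print(render_escaped(SAMPLE_NAME, "[email protected]"))
```

Escaping of this kind covers HTML body and quoted-attribute contexts only; a value that ends up inside a script block or as a whole URL needs context-specific encoding, which is a separate concern from the template setting discussed here.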

HTTP error 500 without Kerberos credentials

The server should react more gracefully to internal errors like missing Kerberos credentials. Instead of an HTTP error 500, the portal should show an error page like "The community portal isn't correctly configured. Please contact the administrator."

[Fri Aug 07 12:21:31.944164 2015] [wsgi:error] [pid 1608] [client 10.36.7.206:46201] mod_wsgi (pid=1608): Exception occurred processing WSGI script '/var/www/wsgi/freeipa_community_portal.wsgi'.
[Fri Aug 07 12:21:31.944296 2015] [wsgi:error] [pid 1608] [client 10.36.7.206:46201] Traceback (most recent call last):
[Fri Aug 07 12:21:31.944411 2015] [wsgi:error] [pid 1608] [client 10.36.7.206:46201]   File "/var/www/wsgi/freeipa_community_portal.wsgi", line 4, in <module>
[Fri Aug 07 12:21:31.944594 2015] [wsgi:error] [pid 1608] [client 10.36.7.206:46201]     from freeipa_community_portal import app
[Fri Aug 07 12:21:31.944687 2015] [wsgi:error] [pid 1608] [client 10.36.7.206:46201]   File "/srv/freeipa-community-portal/lib/python2.7/site-packages/freeipa_community_portal/app.py", line 30, in <module>
[Fri Aug 07 12:21:31.944869 2015] [wsgi:error] [pid 1608] [client 10.36.7.206:46201]     from freeipa_community_portal.model.user import User
[Fri Aug 07 12:21:31.944974 2015] [wsgi:error] [pid 1608] [client 10.36.7.206:46201]   File "/srv/freeipa-community-portal/lib/python2.7/site-packages/freeipa_community_portal/model/__init__.py", line 30, in <module>
[Fri Aug 07 12:21:31.945114 2015] [wsgi:error] [pid 1608] [client 10.36.7.206:46201]     api.Backend.rpcclient.connect() # pylint: disable=no-member
[Fri Aug 07 12:21:31.945206 2015] [wsgi:error] [pid 1608] [client 10.36.7.206:46201]   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 63, in connect
[Fri Aug 07 12:21:31.945455 2015] [wsgi:error] [pid 1608] [client 10.36.7.206:46201]     conn = self.create_connection(*args, **kw)
[Fri Aug 07 12:21:31.945539 2015] [wsgi:error] [pid 1608] [client 10.36.7.206:46201]   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 776, in create_connection
[Fri Aug 07 12:21:31.946006 2015] [wsgi:error] [pid 1608] [client 10.36.7.206:46201]     principal = get_current_principal()
[Fri Aug 07 12:21:31.946101 2015] [wsgi:error] [pid 1608] [client 10.36.7.206:46201]   File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 76, in get_current_principal
[Fri Aug 07 12:21:31.946481 2015] [wsgi:error] [pid 1608] [client 10.36.7.206:46201]     raise errors.CCacheError()
[Fri Aug 07 12:21:31.946567 2015] [wsgi:error] [pid 1608] [client 10.36.7.206:46201] CCacheError: did not receive Kerberos credentials
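The traceback above shows the connect happening at import time of the WSGI script, so any failure surfaces as mod_wsgi's bare 500. The following added example (not the portal's own code) sketches the behaviour the issue asks for: a WSGI application that performs the backend connect lazily on the first request, maps a missing-credentials failure to a fixed, user-readable error page, and logs the real cause server-side rather than sending a traceback to the client. The CCacheError class here is a stand-in for ipalib.errors.CCacheError so the example runs without ipalib, and connect_backend is a placeholder for api.Backend.rpcclient.connect() that always fails, modelling a host whose portal keytab or ccache is absent.

```python
"""Failing gracefully when the portal cannot obtain Kerberos credentials.

Added example, not code from freeipa-community-portal. CCacheError and
connect_backend are stand-ins so the example runs without ipalib.
"""
import logging

log = logging.getLogger("portal")


class CCacheError(Exception):
    """Stand-in for ipalib.errors.CCacheError (assumption: real one not imported)."""


def connect_backend():
    """Placeholder for api.Backend.rpcclient.connect(); always raises here to
    model a host with no portal keytab or credential cache."""
    raise CCacheError("did not receive Kerberos credentials")


# Fixed page shown to the user; it deliberately contains no diagnostic detail.
MISCONFIGURED_PAGE = (
    b"<html><body><h1>Service unavailable</h1>"
    b"<p>The community portal isn't correctly configured. "
    b"Please contact the administrator.</p></body></html>"
)


def make_app(connect=connect_backend):
    """Build a WSGI app; `connect` is injected so a working backend can be supplied."""
    state = {"connected": False}

    def app(environ, start_response):
        if not state["connected"]:
            try:
                connect()
                state["connected"] = True
            except CCacheError:
                # Full traceback goes to the server log for the administrator;
                # the client only ever sees the fixed page. The connect is
                # retried on the next request, so fixing the keytab needs no restart.
                log.exception("backend connect failed: no Kerberos credentials")
                start_response("503 Service Unavailable",
                               [("Content-Type", "text/html; charset=utf-8"),
                                ("Retry-After", "60")])
                return [MISCONFIGURED_PAGE]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"portal ok\n"]

    return app


def call(app, path="/"):
    """Invoke a WSGI app with a minimal constructed environ; returns (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["status"], body


if __name__ == "__main__":
    print(call(make_app()))
```

503 with Retry-After is used rather than 500 because the condition is a deployment problem that an administrator can fix while the process keeps running; the choice of status code is this example's, not something the issue specifies.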

Unable to access FreeIPA in web GUI URL

Dear Team

I have done a successful configuration of FreeIPA on a CentOS machine with a Vagrant setup,
but I can't access FreeIPA in the web URL with the given IP

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.2.39 ipa.gworks.mobi ipa

please help me
