ubccr / mokey

FreeIPA self-service account management portal

License: BSD 3-Clause "New" or "Revised" License

mokey's Introduction

FreeIPA self-service account management tool

What is mokey?

mokey is a web application that provides self-service user account management tools for FreeIPA. The motivation for this project was to implement the self-service account creation and password reset functionality missing in FreeIPA. This feature is not provided by default in FreeIPA; see here for more info and the rationale behind this decision. mokey is not a FreeIPA plugin but a complete standalone application that uses the FreeIPA JSON API. mokey requires no changes to the underlying LDAP schema and uses a MariaDB database to store access tokens. The user experience and web interface can be customized to fit an organization's look and feel. mokey is written in Go and released under a modified BSD license.

Project status

mokey should be considered alpha software and used at your own risk. Features like self-service password resets carry inherent security risks and can make your systems vulnerable to abuse.

Features

  • Account Signup
  • Forgot/Change Password
  • Add/Remove SSH Public Keys
  • Add/Remove TOTP Tokens
  • Enable/Disable Two-Factor Authentication
  • Hydra Consent/Login Endpoint for OAuth/OpenID Connect
  • Easy to install and configure (requires no FreeIPA/LDAP schema changes)

Requirements

  • FreeIPA v4.6.8 or greater
  • Linux x86_64
  • Redis (optional)
  • Hydra v1.0.0 (optional)

Install

Note: mokey needs to be installed on a machine already enrolled in FreeIPA. It's also recommended to have the ipa-admintools package installed. Enrolling a host in FreeIPA is outside the scope of this document.

To install mokey download a copy of the pre-compiled binary here.

tar.gz archive:

$ tar xvzf mokey-VERSION-linux-x86_64.tar.gz 

deb, rpm packages:

$ sudo dpkg -i mokey_VERSION_amd64.deb

$ sudo rpm -ivh mokey-VERSION-amd64.rpm

Setup and configuration

Create a user account and role in FreeIPA with the "Modify users and Reset passwords" privilege. This account will be used by the mokey application to reset users' passwords. The "Modify Users" permission also needs to have the "ipauserauthtype" attribute included. Run the following commands (requires ipa-admintools to be installed):

$ mkdir /etc/mokey/private
$ kinit adminuser
$ ipa role-add 'Mokey User Manager' --desc='Mokey User management'
$ ipa role-add-privilege 'Mokey User Manager' --privilege='User Administrators'
$ ipa user-add mokeyapp --first Mokey --last App
$ ipa role-add-member 'Mokey User Manager' --users=mokeyapp
$ ipa permission-mod 'System: Modify Users' --includedattrs=ipauserauthtype
$ ipa-getkeytab -s [your.ipa-master.server] -p mokeyapp -k /etc/mokey/private/mokeyapp.keytab
$ chmod 640 /etc/mokey/private/mokeyapp.keytab
$ chgrp mokey /etc/mokey/private/mokeyapp.keytab

Edit the mokey configuration file and set the path to the keytab file. The values for token_secret and csrf_secret will be generated automatically if left blank; set them explicitly if you'd like sessions to persist across a restart. For other site-specific config options see here:

$ vim /etc/mokey/mokey.toml
# Path to keytab file
keytab = "/etc/mokey/private/mokeyapp.keytab"

# Secret key for branca tokens. Must be 32 bytes. To generate run:
#    openssl rand -hex 32 
token_secret = ""

# CSRF token secret key. Should be a random string
csrf_secret = ""
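As an added illustration (not mokey's own code), here is a Go routine that applies the token_secret rule stated above: a blank value means generate a fresh random 32-byte key, anything else must be the 64-character hex string that `openssl rand -hex 32` prints. The `encoding/hex` error it returns for a non-hex value is the same fatal that appears in the "mokey service failing to start" issue further down this page; csrf_secret has no fixed length and is not checked here.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// tokenSecretBytes is the key length branca tokens require (the README says 32 bytes).
const tokenSecretBytes = 32

// ResolveTokenSecret applies the token_secret contract from mokey.toml as the
// README describes it: a blank value gets a freshly generated random key (so
// sessions will not survive a restart), while a non-blank value must be the
// hex encoding of exactly 32 bytes, as produced by `openssl rand -hex 32`.
// It returns the key, whether it was generated, and any validation error.
func ResolveTokenSecret(configured string) ([]byte, bool, error) {
	if configured == "" {
		key := make([]byte, tokenSecretBytes)
		if _, err := rand.Read(key); err != nil {
			return nil, false, err
		}
		return key, true, nil
	}
	key, err := hex.DecodeString(configured)
	if err != nil {
		// Pasting a non-hex string here is what produces the fatal from the
		// "mokey service failing to start" issue: encoding/hex: invalid byte: U+0048 'H'
		return nil, false, fmt.Errorf("token_secret is not hex: %w", err)
	}
	if len(key) != tokenSecretBytes {
		return nil, false, fmt.Errorf("token_secret must decode to %d bytes, got %d", tokenSecretBytes, len(key))
	}
	return key, false, nil
}

func main() {
	// Constructed inputs: the blank default, a correct 32-byte key, and the
	// kind of value that makes mokey exit with the encoding/hex error.
	for _, v := range []string{"", "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", "HelloWorld"} {
		key, generated, err := ResolveTokenSecret(v)
		fmt.Printf("input=%q generated=%v bytes=%d err=%v\n", v, generated, len(key), err)
	}
}
```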

It's highly recommended to run mokey over HTTPS. You'll need an SSL certificate and private key, either issued by FreeIPA's PKI, self-signed, or from a commercial certificate authority. Creating SSL certificates is outside the scope of this document. You can also run mokey behind haproxy or Apache/Nginx.

Start mokey service:

$ systemctl restart mokey
$ systemctl enable mokey

SSH Public Key Management

mokey allows users to add/remove SSH public keys. Servers that are enrolled in FreeIPA can be configured to have sshd look up users' public keys in LDAP by adding the following lines to /etc/ssh/sshd_config and restarting sshd:

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

Hydra Consent and Login Endpoint for OAuth/OpenID Connect

mokey implements the login/consent flow for handling challenge requests from Hydra. It serves as the bridge between Hydra and the FreeIPA identity provider. For more information on Hydra and the login/consent flow see here.

To configure the Hydra login/consent flow set the following variables in /etc/mokey/mokey.toml:

[hydra]
admin_url = "http://127.0.0.1:4445"
login_timeout = 86400
fake_tls_termination = true

Any OAuth clients configured in Hydra will be authenticated via mokey using FreeIPA as the identity provider. For an example OAuth 2.0/OIDC client application see here.
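The login half of that challenge exchange, written as an added example rather than code from the mokey project: an `/auth/login` handler fetches the pending login request from the Hydra v1 admin API (the `admin_url` above), checks the credentials with a stub standing in for mokey's FreeIPA password check, accepts the request with `login_timeout` as the remember period, and sends the browser back to Hydra. A constructed fake admin server lets it run offline; the admin endpoint paths and JSON field names are the Hydra v1 ones as I know them, and the hostnames and `login_verifier` URL are made up.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// LoginRequest is the part of Hydra's pending login request used here (Hydra v1 admin API).
type LoginRequest struct {
	Skip    bool   `json:"skip"`    // Hydra already holds a remembered session for this browser
	Subject string `json:"subject"` // the remembered subject when Skip is true
}

// HydraAdmin talks to the admin API configured as admin_url in mokey.toml.
type HydraAdmin struct {
	AdminURL string
	Client   *http.Client
}

func (h *HydraAdmin) do(req *http.Request, out interface{}) error {
	resp, err := h.Client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("hydra admin: %s %s returned %d", req.Method, req.URL.Path, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// GetLoginRequest fetches the login request bound to a login_challenge.
func (h *HydraAdmin) GetLoginRequest(challenge string) (*LoginRequest, error) {
	req, _ := http.NewRequest(http.MethodGet, h.AdminURL+"/oauth2/auth/requests/login?login_challenge="+url.QueryEscape(challenge), nil)
	var lr LoginRequest
	return &lr, h.do(req, &lr)
}

// AcceptLoginRequest reports the authenticated FreeIPA uid to Hydra and returns
// the URL the browser must be redirected to so Hydra can continue to consent.
func (h *HydraAdmin) AcceptLoginRequest(challenge, subject string, rememberFor int) (string, error) {
	body, _ := json.Marshal(map[string]interface{}{"subject": subject, "remember": rememberFor > 0, "remember_for": rememberFor})
	req, _ := http.NewRequest(http.MethodPut, h.AdminURL+"/oauth2/auth/requests/login/accept?login_challenge="+url.QueryEscape(challenge), bytes.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	var out struct{ RedirectTo string `json:"redirect_to"` }
	err := h.do(req, &out)
	return out.RedirectTo, err
}

// LoginHandler serves /auth/login for Hydra challenges. authenticate stands in
// for mokey's FreeIPA password check (a stub in this example, not goipa).
func LoginHandler(hydra *HydraAdmin, loginTimeout int, authenticate func(uid, password string) bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		challenge := r.URL.Query().Get("login_challenge")
		if challenge == "" { // no Hydra flow to return to: refuse rather than fall through to the profile page
			http.Error(w, "missing login_challenge", http.StatusBadRequest)
			return
		}
		lr, err := hydra.GetLoginRequest(challenge)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		subject := lr.Subject
		if !lr.Skip { // no remembered session: the user must present FreeIPA credentials
			if r.Method != http.MethodPost || !authenticate(r.FormValue("uid"), r.FormValue("password")) {
				http.Error(w, "invalid credentials", http.StatusUnauthorized)
				return
			}
			subject = r.FormValue("uid")
		}
		redirectTo, err := hydra.AcceptLoginRequest(challenge, subject, loginTimeout)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		http.Redirect(w, r, redirectTo, http.StatusFound)
	}
}

// NewFakeHydraAdmin is a constructed stand-in for the Hydra admin API so the
// exchange runs offline; *accepted receives the subject Hydra was told about.
func NewFakeHydraAdmin(skip bool, remembered string, accepted *string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/oauth2/auth/requests/login", func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode(LoginRequest{Skip: skip, Subject: remembered})
	})
	mux.HandleFunc("/oauth2/auth/requests/login/accept", func(w http.ResponseWriter, r *http.Request) {
		var in struct{ Subject string `json:"subject"` }
		json.NewDecoder(r.Body).Decode(&in)
		*accepted = in.Subject
		redirect := "http://hydra.example.test/oauth2/auth?login_verifier=" + r.URL.Query().Get("login_challenge")
		json.NewEncoder(w).Encode(map[string]string{"redirect_to": redirect})
	})
	return httptest.NewServer(mux)
}
```

A request that reaches `/auth/login` without a `login_challenge` is refused outright, which is the symptom a misconfigured `[hydra]` section otherwise hides behind a silent redirect to the profile page.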

Building from source

First, you will need Go v1.21 or greater. Clone the repository:

$ git clone https://github.com/ubccr/mokey
$ cd mokey
$ go build .

License

mokey is released under a BSD style license. See the LICENSE file.

mokey's People

Contributors

aebruno, cdwertmann, cmd-ntrf, g5pw, gah242s, grejeru, mattgahs, mayeu, varesa, vinolas, xx4h, znerol

mokey's Issues

Redirect URL

I've set up mokey (mokey version 0.5.4) with hydra (oryd/hydra:v1.9.2) and tried to social login with the nextcloud app. When I click on Hydra social login it redirects to mokey login from hydra correctly (http://mokey.server/auth/login?login_challenge=d4afe584f0e74efab7e4181782e804b0).

Then I validate with a freeipa (FreeIPA, version: 4.8.7) user and it goes to the mokey profile, when I expect to be redirected to consent page and then to nextcloud with valid token. As I see in the logs there is no redirect URL:

{"time":"2021-02-20T21:29:22.952615656Z","level":"ERROR","prefix":"echo","file":"server.go","line":"65","message":"code=404, message=Not Found, internal=<nil>"}
time="2021-02-20T21:29:31Z" level=info msg="Redirect URL" wyaf=/

It seems mokey is not taking into account the configuration of hydra in mokey.yml. Whatever I set there, it won't go back to hydra.

hydra_admin_url: "http://hydra.server:4444"
hydra_consent_timeout: 86400
hydra_login_timeout: 86400
# hydra_fake_tls_termination: true

Where should I set up that redirect URL? From the logs it seems there is a missing 'prefix' with a 404 return code.

Add username to edit in mokey.yaml (README)

This is a suggestion to modify the README.

This section:

dsn: "user:pass@/dbname?parseTime=true"
keytab: "/etc/mokey/keytab/mokeyapp.keytab"
auth_key: "32 or 64 bytes random key"
enc_key: "16, 24, or 32 byte random key"
[ edit to taste ]

should have the username to edit, since we created the mokeyapp user in ipa. Default is username, which throws an error in Kerberos saying the principal is unknown.

Add option to prefer IPv6 networks

Hello

I have deployed mokey on a system outside the office. The IPA server is in the office. Both systems have IPv4 and IPv6 addresses. However, they can only reach each other over IPv6.

The IPA client where mokey is running enrolled correctly. I can ssh fine and can also run "kinit admin", so it's indeed able to use IPv6 to reach the kdc. I had to add the line "lookup_family_order = ipv6_only" to the sssd.conf file though.

What I have noticed is that the mokey application doesn't seem to ask for the preferred method of communication and just always uses IPv4. This seems to be a bug and it would be nice to look at it if you have a chance.

Jan 8 12:15:41 mars systemd[1]: Started mokey server.
Jan 8 12:15:41 mars bash[26834]: time="2019-01-08T12:15:41-05:00" level=info msg="Using template dir: /usr/share/mokey/templates"
Jan 8 12:15:46 mars bash[26834]: time="2019-01-08T12:15:46-05:00" level=fatal msg="[Root cause: Networking_Error] Networking_Error: AS Exchange Error: failed sending AS_REQ to KDC: failed to communicate with KDC. Attempts made with TCP (error in getting a TCP connection to any of the KDCs) and then UDP (sending over UDP failed to 192.168.30.5:88: read udp 209.98.51.141:38478->192.168.30.5:88: i/o timeout)"
Jan 8 12:15:46 mars systemd[1]: mokey.service: main process exited, code=exited, status=1/FAILURE
Jan 8 12:15:46 mars systemd[1]: Unit mokey.service entered failed state.
Jan 8 12:15:46 mars systemd[1]: mokey.service failed.

[root@mars ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: [email protected]

Valid starting Expires Service principal
01/08/2019 12:08:52 01/15/2019 12:08:33 ldap/[email protected]
renew until 01/18/2019 12:08:33
01/08/2019 12:08:39 01/15/2019 12:08:33 HTTP/[email protected]
renew until 01/18/2019 12:08:33
01/08/2019 12:08:33 01/15/2019 12:08:33 krbtgt/[email protected]
renew until 01/18/2019 12:08:33
[root@mars ~]#

Logout fails with hydra integration

When a client app calls the logout endpoint (that seems to be the same for oauth and basic auth in mokey) it seems not to be handling the current logout flow as described in hydra: https://www.ory.sh/hydra/docs/guides/logout

The current implementation for logout seems to be this one:

func (h Handler) revokeHydraAuthenticationSession(c echo.Context) error {

But doesn't seem to be using the described hydra logout challenge flow. In the logs we also see:
level=warning msg="Logout - Failed to revoke hydra authentication session" error="No sid or user found in session"

Feature request: Add security-related headers/cookie attributes

Thanks for the software. Hoping you can help with adding some security-related headers to the server responses.

The following headers in particular:

  • X-Frame-Options: DENY
    • As per MDN docs, "Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites."
  • Cache-Control: no-store
    • Prevents caching of pages (e.g. ones that require authentication)
  • Pragma: no-cache
    • HTTP 1.0 version of Cache-Control (HTTP 1.1)

Regarding cookies, the httpOnly attribute could be added to the mokey-sessck cookie. This prevents JavaScript from reading the cookie.
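One way to add exactly those headers and the HttpOnly attribute, as an added Go net/http middleware example and not a patch to mokey (mokey itself uses echo, where the same wrapper can be applied to the underlying handler): the `mokey-sessck` cookie name is taken from the issue, and Secure is additionally set when the request arrived over TLS.

```go
package main

import "net/http"

// SecurityHeaders wraps a handler so every response carries the headers the
// issue asks for and any mokey-sessck cookie the wrapped handler sets is
// marked HttpOnly (and Secure when the request arrived over TLS).
func SecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("X-Frame-Options", "DENY")   // refuse framing by other sites (click-jacking)
		h.Set("Cache-Control", "no-store") // never cache pages that required a session
		h.Set("Pragma", "no-cache")        // the HTTP/1.0 equivalent for older caches
		hw := &cookieHardener{ResponseWriter: w, secure: r.TLS != nil}
		next.ServeHTTP(hw, r)
		hw.harden() // covers handlers that return without writing anything
	})
}

// cookieHardener rewrites Set-Cookie headers just before they are flushed.
type cookieHardener struct {
	http.ResponseWriter
	secure bool
	done   bool
}

// harden parses the pending Set-Cookie headers with net/http's own parser and
// re-emits the session cookie with HttpOnly (and Secure when appropriate).
func (c *cookieHardener) harden() {
	if c.done {
		return
	}
	c.done = true
	hdr := c.Header()
	cookies := (&http.Response{Header: hdr}).Cookies()
	if len(cookies) == 0 {
		return
	}
	hdr.Del("Set-Cookie")
	for _, ck := range cookies {
		if ck.Name == "mokey-sessck" {
			ck.HttpOnly = true                // not readable from JavaScript
			ck.Secure = ck.Secure || c.secure // only sent over HTTPS
		}
		hdr.Add("Set-Cookie", ck.String())
	}
}

func (c *cookieHardener) WriteHeader(code int) {
	c.harden()
	c.ResponseWriter.WriteHeader(code)
}

func (c *cookieHardener) Write(b []byte) (int, error) {
	c.harden()
	return c.ResponseWriter.Write(b)
}
```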

mokey service failing to start

Hi

Mokey doesn't start on a Centos 8 instance with IPA 4.8.7-13 installed

After following the instructions and issuing systemctl restart mokey, the service fails to start and doesn't give much information.
systemctl status mokey gives the output below, but I am not sure what the error is. Does anyone have any suggestions?

mokey.service - mokey server
Loaded: loaded (/usr/lib/systemd/system/mokey.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Thu 2021-01-28 17:05:18 CET; 6s ago
Process: 2807 ExecStart=/usr/bin/mokey --debug server (code=exited, status=1/FAILURE)
Main PID: 2807 (code=exited, status=1/FAILURE)

Jan 28 17:05:18 ldap2.inne.proxdynamics.com systemd[1]: Started mokey server.
Jan 28 17:05:18 ldap2.inne.proxdynamics.com mokey[2807]: time="2021-01-28T17:05:18+01:00" level=info msg="Using template dir: /usr/share/mokey/templates"
Jan 28 17:05:18 ldap2.inne.proxdynamics.com mokey[2807]: time="2021-01-28T17:05:18+01:00" level=fatal msg="encoding/hex: invalid byte: U+0048 'H'"
Jan 28 17:05:18 ldap2.inne.proxdynamics.com systemd[1]: mokey.service: Main process exited, code=exited, status=1/FAILURE
Jan 28 17:05:18 ldap2.inne.proxdynamics.com systemd[1]: mokey.service: Failed with result 'exit-code'.

Implement hydra logout endpoint

When doing logout from a client app this is the flow happening:

  1. Logout from the app: https://hydra.server/oauth2/sessions/logout
  2. Hydra calls mokey: https://mokey.server/auth/logout (with a post_logout_redirect). Here Hydra expects a flow as is setting a logout_challenge parameter on url (as stated in the documentation: https://www.ory.sh/hydra/docs/concepts/logout/)
  3. Looking at the code, mokey doesn't follow that flow and seems to just revoke Hydra authentication:
    func (h *Handler) Logout(c echo.Context) error {
    and after that just redirects to /auth/login
    return c.Redirect(http.StatusFound, Path("/auth/login"))
    but, as it has no login_challenge as when it comes from an app, it will not follow the OpenID flow to the app again.

As stated on hydra documentation, there is a flow and there is a post_logout_redirect_uri where the user should be redirected after logout (and also an optional logout consent page). As I understand mokey should get that post redirect parameter from the logout flow from hydra and in the end redirect there (to the app), so when the user wants to log in again, the app will redirect with the login_challenge parameter from hydra (login flow).

Is the logout flow missing in mokey? Or am I misunderstanding the OpenID logout flow?

Edit user profile from mokey

We will need a page where the user can edit his profile and this is updated on freeipa, to be used by hydra OpenID. Now mokey allows the user to reset the password only.

Could this be implemented with the goipa library mokey is already using to communicate to freeipa? Will this be updated on hydra client apps automatically or mokey may update this info to hydra admin url?

Also we are looking how to add user avatar picture to the whole auth system. Planning to do an integration with libravatar (ivatar). Do you have any other/easier ideas to upload/modify a custom client app avatar image and serve it using the OpenID picture field?

Missing Screenshots

Hello,

Is there any chance of including some screenshots of the actual status of the project in the README?

Thanks.

Getting "Forbidden - CSRF token invalid"

I looked through the code, documentation, and previous issues but haven't been able to resolve my issue. I set both auth_key and enc_key to random 32 characters but when I log in I get the "Forbidden - CSRF token invalid" message. There are no messages from mokey when run from the command line. SSL is disabled as we will be proxying this through a load balancer. Is there another place to look for debug logs? Any idea why I would be getting this message?

# /usr/bin/mokey -d server
INFO[0000] Using template dir: /usr/share/mokey/templates
INFO[0000] IPA server: localhost
WARN[0000] **WARNING*** SSL/TLS not enabled. HTTP communication will not be encrypted and vulnerable to snooping.
INFO[0000] Running on http://0.0.0.0:9000
INFO[0307] Redirect URL                                  wyaf=/

RFC: Send reset token code via SMS

This is an excellent piece of software that fits our requirements well, and it's also written in Go, kudos!

We believe a new version might be released soon? We wanted to check with you if there are plans to add sending reset tokens via SMS to a phone number that is (pre)-stored in FreeIPA. For instance via a specialized online SMS service, or a mail-to-SMS gateway, or simply by calling a webhook that does whatever dirty work is behind it.

To give you an idea, our workflow is as follows:

  • User joins the firm
  • HR systems gets to work, also interacting with the API of FreeIPA to create the user object and their related information (name, e-mail address, e-mail address alias, phone number, dummy password)
  • The username / password is communicated to the user

From that moment onwards the user can access their e-mail box, change / reset their password via Mokey, or access any other services. However this is only done after communicating the username / password combination to a user, via paper or via phone, rather cumbersome and not the safest option.

We were therefore thinking of amending this workflow by having an HR system user add trigger a Mokey registration sequence where Mokey looks up a phone number and sends a registration / reset token to the user's phone number that it can pull from FreeIPA. (The user will already have a mobile phone handed over to them, so it seems the most ideal / more secure self-service option.)

Not sure what is feasible and if there is anything we can do to help you with this potential new feature. We're engineers, so certainly no GO developers ;-)

We'd love to hear your thoughts and regardless recommend Mokey (over PWM) for every FreeIPA environment in need of the functionality it offers.

Change doc for Mokey -> FreeIPA access creation

This part is really not a nice solution; you should not create a standard user for the Mokey app.

  1. A new role is not required, 'User Administrator' already exists
  2. Don't use a user, use a service
$ mkdir /etc/mokey/keytab
$ kinit adminuser
$ ipa service-add mokey/server.example.com
$ ipa role-add-member 'User Administrator' --services=mokey/[email protected]
$ ipa-getkeytab -s freeipa.example.com -p mokey/[email protected] -k /etc/mokey/keytab/mokeyapp.keytab
$ chmod 640 /etc/mokey/keytab/mokeyapp.keytab
$ chgrp mokey /etc/mokey/keytab/mokeyapp.keytab

API error; invalid certificate

After installing and running mokey on the FreeIPA server itself I get the following error when trying to log in.

ipa_client_error="Post https://localhost/ipa/session/login_password: x509: certificate is valid for ipa.example.com

It makes sense, localhost is not correct in that request and does not match the name on the certificate. I can't however figure out where it got that in the first place. When running mokey with debug I do get the correct name in INFO[0000] IPA server: ipa.example.com and it is specified in the mokey config.

Do you maybe have an idea what's causing this? Or an idea on how to override the URL?

Thanks in advance!

Notes:

  • I use the released mokey v0.5.2 and FreeIPA version 4.5.4 with api version: 2.228 (ipa --version).
  • I replaced the correct domain name with ipa.example.com in this post

Problems after Active Directory Trust setup

I have experienced problems after running ipa trust-add --type=ad ad_domain --admin Administrator --password.

When a user tries to change password in the mokey portal: Fatal system error is displayed.
journalctl -u mokey shows:

level=error msg="failed to set user password in FreeIPA" error="ipa: error 2100 - Insufficient access: Insufficient 'write' privilege to the 'ipaNTHash' attribute.

When I add ipaNTHash attribute in System: change User Password permission, then journalctl -u mokey shows

level=error msg="failed to set user password in FreeIPA" error="ipa: change password failed. Unknown status" uid=username

When I revert with a snapshot taken before ipa-trust-add, normal behaviour is restored.

Normal ipa commands worked on mokey, fatal system error only occurred in the web portal. Presumably adding trust capability to FreeIPA introduces schema changes that Mokey is not aware of?

Make security question optional for password resets

Hello,

First, I would like to thank you for the great software! We are starting to test it as it fills our need perfectly. Also, great documentation on how to get started 👍

I am wondering if you plan to add an option to deactivate the security question feature?

Thanks for your help.

Use email for login

Hello,

First of all, thank you for this nice project.

Is it possible to use email addresses for users to log in, instead of user names?

Thank you
CG

Notification of a locked/disabled user

It would be nicer if the user were notified on the GUI and via email, rather than just seeing "Invalid login", when the account has been locked for "Lockout duration" seconds after the login failure count has been reached, or has been disabled. In the current scenario, the user has no way to know whether the account has been locked after multiple failed logins.

Error contacting FreeIPA

Hello,

I am struggling to connect to my IPA API.

First I had https issues however I found a solution in #25 .
Now I'm getting a new error "Error contacting FreeIPA " and there is no log output at all.

I would really appreciate any help.

Error message on password reset when complexity is not given is not very helpful

Hi,

If a user tries to reset the password and the complexity is not reached, then the error message shown is "Fatal system error", which is not very helpful.
I think the corresponding line in the code is this one:

return errors.New("Fatal system error")
It would be great to catch the "complexity not met" error and tell the user so instead of a generic error.
I can attach a screenshot later on if you wish, but our corporate proxy is currently blocking uploads to Github.

regards,
Jörg

Certificate issue

I am getting invalid UI x509: certificate is not valid for any names, but expected the name of ipa server

I cannot login in web GUI & what about auth_key & enc_key?

As title mentioned,
may I know where these two keys are used? I cannot log in to my FreeIPA account on the web GUI; is that possibly related to them?
Currently, I just typed a random key for each of the two; I am not sure where I need to match them, such as where I need to put them into FreeIPA?

auth_key: "32 or 64 bytes random key"
enc_key: "16, 24, or 32 byte random key"

Thanks

Send email for OTP configuration with password? Similar to setup account

I have been having trouble with getting handler.go to require email token but still ask for password. Is it possible to configure the "enable_user_signup" to require password with an email instead of bypassing it?

I know it doesn't make sense as-is but the idea was to disable user validation and send an email for OTP configuration. Pretty much configure Mokey to allow OTP configuration for a limited amount of time only by email / token.

Thanks in advance.

Entered failed state

systemd[1]: Started mokey server.
bash[9607]: time="2019-07-06T07:39:19Z" level=info msg="Using template dir: /usr/share/mokey/templates"
systemd[1]: mokey.service: main process exited, code=exited, status=1/FAILURE
systemd[1]: Unit mokey.service entered failed state.
systemd[1]: mokey.service failed.

Rectified

Unable to access remotely

No matter what I set the bind address to, I cannot access mokey remotely.

The only way I can access it is via ssh tunnel using ssh -L 8000:localhost:8000 root@mokeyhost.

Besides that, no matter what I set the bind address to, it won't load. I've tried 127.0.0.1, 10.0.1.15 (lan address), 0.0.0.0.

This is both on the most recent release and from a build from the most recent commit (c677e97ae83a150b7ced99c8ea061f02c416349e).

Error Contacting FreeIPA

Opening a new issue for this:

I can create users, and I see them get populated in FreeIPA, but when I try to login - the site pauses for a bit and displays Error contacting FreeIPA.

I spent about a day yesterday trying to get it to work after struggling trying to get PWM to work, but failing on getting the LDAP schemas to register.

Things I have tried

I have run this on both the same IPA server and an IPA client. While running on the ipa server, I could not access the panel remotely, a la #44 .

On the client, I could bring up the panel and things seemed to work at first, but I couldn't register users. I had a problem with the encryption key and saw your comments in some other issues on how to generate them.

Updating the encryption keys, I got to the place where I am now, where I just get the cryptic message at the top and zero logs, even in debug mode.

The IP is bound to 0.0.0.0 as it is just running on a ubuntu client vm on my network.

I have tried the latest rpm release as well as building from source. By the way, it doesn't seem to compile with go v1.14.

ory/hydra code change breaks the mokey build

In server/handler.go and server/hydra.go there are the following imports from GitHub ory/hydra,
"github.com/ory/hydra/sdk/go/hydra"
and
"github.com/ory/hydra/sdk/go/hydra/swagger"

Recently ory/hydra made some code changes and the above folder and go files are not there anymore. Can you please update your repo to accommodate the hydra code changes.

Forbidden - CSRF token invalid

Any attempt to move beyond the initial login page produces this error. Beyond help with the error, a log file describing problem and pointing to possible resolutions would be a big help.

Allow for simultaneous usage of email and admin verification for new accounts

#58 introduced the option to require admin verification for new users. However, currently require_verify_admin and require_verify_email are mutually exclusive. I independently implemented a solution where this limitation does not exist but before providing a PR I think we should discuss if the way I implemented it for our organization it is actually the best way to do so.

For require_verify_email I kept the current approach to lock the user. For require_verify_admin I added a table admin_verify to the DB to which an entry is added after email verification. After admin verification the entry is deleted and the user unlocked.

However also in #58 @cmd-ntrf proposed a different approach which I find quite interesting:

To avoid storing state in Mokey, a potential alternative could be that if require_verify_admin is true, Mokey adds a FreeIPA stage user instead of a full fledge user.

As @aebruno commented

The above sounds great and leveraging the FreeIPA user life cycle management would be ideal.

To which I fully agree.

Despite continuing to use it, I consider using NSAccountLock to store email verification as not optimal considering we want to use FreeIPA user life cycle management. But replacing it again creates the need for an additional DB table which I think we agree on should be avoided.

In this workflow, if require_verify_admin is True, Mokey would create a stage user. The admins would then promote the stage user to make it a full user with UID and GID, but maintain the disabled status of the account. The user would also be sent an email with a link to activate the account, but the link would only start working once the admin has promoted the user from stage to full-fledged.

This implies an order of email and admin verification which is actually the opposite as the one I force in my current approach.
But should we force an order on email and admin verification?
Forcing it in the order email then admin verification means locking only has a meaning in Mokey for stage users. Otherwise I don't see arguments for one or the other.

The admins would then promote the stage user to make it a full user with UID and GID, but maintain the disabled status of the account.

Should this be done only via FreeIPA or should it be possible to do using Mokey? When done via Mokey the user can be notified when their account was verified.
For our organization we added it to Mokey's web interface. This required me to implement group checking for frontend and backend and a corresponding function in goipa.

Can't login into UI

"version": mokey-0.5.3-1.el7.x86_64 rpm
When I enter valid credentials, nothing happens; the page reloads and offers to enter the credentials again.

In log:

Nov 15 18:15:57 centos-vpn-test mokey: time="2019-11-15T18:15:57+03:00" level=info msg="Using template dir: /usr/share/mokey/templates/"
Nov 15 18:15:57 centos-vpn-test mokey: time="2019-11-15T18:15:57+03:00" level=info msg="IPA server: freeipa-server.onelya.auth"
Nov 15 18:15:57 centos-vpn-test mokey: time="2019-11-15T18:15:57+03:00" level=warning msg="**WARNING*** SSL/TLS not enabled. HTTP communication will not be encrypted and vulnerable to snooping."
Nov 15 18:15:57 centos-vpn-test mokey: time="2019-11-15T18:15:57+03:00" level=info msg="Running on http://10.4.0.152:8080/mokey"
Nov 15 18:15:57 centos-vpn-test mokey: ⇨ http server started on 10.4.0.152:8080
Nov 15 18:16:16 centos-vpn-test mokey: time="2019-11-15T18:16:16+03:00" level=info msg="Redirect URL" wyaf=/mokey
Nov 15 18:16:16 centos-vpn-test mokey: time="2019-11-15T18:16:16+03:00" level=info msg="Redirect URL" wyaf=/mokey
Nov 15 18:16:23 centos-vpn-test mokey: time="2019-11-15T18:16:23+03:00" level=info msg="Redirect URL" wyaf=/mokey

in browser: [screenshot]

Just wondering, is there a missing `;`?

$ mysql> grant all on mokey.* to [user]@localhost identified by '[pass]'
$ mysql> exit
$ mysql -u root -p mokey < /usr/share/mokey/ddl/schema.sql

MariaDB [(none)]> grant all on mokey.* to [user]@localhost identified by '[pass]'
    -> exit
    -> mysql -u root -p mokey < /usr/share/mokey/ddl/schema.sql
    -> 

So I tried end with ; but got error

    -> ;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '[user]@localhost identified by '[pass]'
exit
mysql -u root -p mokey < /usr/share' at line 1

I'm sorry that I often use GUI operations like phpmyadmin

Thanks

Invalid set-cookie header

I tried to install mokey on the IPA server itself (CentOS), using a different URL to reach mokey and a wildcard certificate so both the freeipa admin interface and mokey can be reached using the same httpd server, so far so good. However, I am not able to login. The error returned by mokey is:

level=error msg="tryauth: failed login attempt" ipa_client_error="ipa: login failed invalid set-cookie header" 

Googling the error I can trace it back to a regex, it seems like the ipa_session variable in the Set-Cookie header is empty. Which is strange, because testing it locally, doing a post request from my laptop to the server, works fine. And even on the server (where mokey is installed) a curl requests shows a valid session, but in the IPASESSION session header.

Next step, the apache log, generated by ipa requests, I can see that another request is done before the requests to the /ipa/session/login_password url. One to GET /ipa/session/cookie. If I understand it correctly, because the server is part of the same domain all requests to that domain are pre-authenticated by the server automatically. I even went as far as logging the response headers. And indeed, the required Set-Cookie header is empty when doing a curl request from the server.

That is about where I got stuck. I thought of installing it on another server, but I read the requirement in the documentation 'mokey needs to be installed on a machine already enrolled in FreeIPA'. So I wonder, am I doing something wrong in my setup or is this a bug to be fixed?

Another note: The login credentials are correct, when I submit incorrect credentials on purpose I do get a different error in the log ipa_client_error="IPA login failed with HTTP status code: 401" . And when testing a user with 2FA it properly shows the 2FA login form.

Please let me know if you need more information, and thanks in advance

Password Reset Doesn't Work

I've spent a lot of time poring through the code and the dependencies to try and track down why I am unable to reset my password. I'm running FreeIPA 4.5.0. I have tried with the svc_mokey user keytab (with 'Modify Users and Reset passwords' and 'User Administrators' roles) and also with the admin keytab.

Side note: one thing I've noticed is there is no checking on the keytab to see if it actually exists or is valid. I get the same response whether the keytab is there or not which makes it difficult to troubleshoot if it's a bad file, bad permissions, etc.

I downloaded the source and started adding debug statements to the code to see where exactly it's failing. I've tracked it down to this line https://github.com/ubccr/goipa/blob/master/ipa.go#L242. There is no session so the client tries to use SPNEGO.

Even with the admin keytab it still fails. I know that keytab works because I use it for creating accounts and other tasks. The Apache log makes me believe that it can connect and is authenticated. I can log into the front end and see all of my stats. It seems to only fail when it tries to reset the password.

Debug output

INFO[0003] loaded keytab /etc/mokey/keytab/mokey.keytab
ERRO[0003] failed to set user password in FreeIPA        error="ipa: error 2100 - Insufficient access: Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=jhane,cn=users,cn=accounts,dc=idm,dc=example,dc=com'." uid=jhane

/var/log/httpd/error_log

[Fri Jan 12 23:31:28.918539 2018] [:error] [pid 19009] ipa: INFO: [jsonserver_kerb] host/[email protected]: user_show(u'jhane', all=True, version=u'2.156', no_members=False): SUCCESS
[Fri Jan 12 23:31:28.960808 2018] [:error] [pid 19010] ipa: INFO: [jsonserver_kerb] host/[email protected]: user_mod(u'jhane', random=True, all=True, version=u'2.156', no_members=False): ACIError

admin-initiated account setup

The newacct command was removed in the last big refactor. Would it be possible to bring it back, or to have a similar admin-initiated account setup in place?

Registration

It would be nice if new users could also register via this portal.

FreeIPA to OpenID fields mapping

Hi,

According to https://openid.net/specs/openid-connect-basic-1_0.html#Scopes the profile scope should provide the name and family_name fields, but instead we see these fields from the client app: ["first"]=> string(4) "John" ["last"]=> string(3) "Doe".

As the client app expects the name and family_name fields, I'm wondering whether it is mokey that is not translating them correctly from FreeIPA to the OpenID standard, or Hydra; but we see that Hydra uses those field names also (https://www.ory.sh/hydra/docs/reference/api/#openid-connect-userinfo).

Is this a missing field translation in mokey to the OpenID standard?

Thanks

Error: FATA[0000] encoding/hex: invalid byte: U+0068 'h'

Info:

  • OS: CentOS Linux release 8.3.2011
  • Go: golang-1.14.7-2.module_el8.3.0+471+76db7791.x86_64
  • Mokey: v0.5.4
  • Mokey templates: v0.5.4 default

Problem: Mokey start fatal error
Error:

# sudo -u mokey /usr/bin/mokey --debug server
INFO[0000] Using template dir: /usr/share/mokey/templates
FATA[0000] encoding/hex: invalid byte: U+0068 'h'

Installing mokey inside docker container

Hello,

I've tried to install mokey inside Docker with the FreeIPA server being outside. Everything works fine until I try to log in to mokey via the web UI, or even run any mokey commands inside the container.

[root@selfserv /]# mokey newacct --uid grejeru
FATA[0000] Post https://ipa.example.com/ipa/json: x509: certificate is not valid for any names, but wanted to match ds1.example.com

I've found one topic about that here, golang/go#24293, but even downgrading Docker to version 17.09 (compiled with Go 1.8.3) didn't help.

Has anyone succeeded in installing mokey inside Docker?

The whole docker-compose setup is available here: https://github.com/Grejeru/mokey-docker

Forgotpw: failed send email to user error=EOF

I get the error

level=error msg="Forgotpw: failed send email to user" error=EOF

in the message log and nothing else.

So far I've checked the correct IMAP address and host, port 465 for TLS, username and password, and opened the ports on both TCP/UDP.

Do I require any specific additional CentOS 7 packages? Or does mokey include an SMTP mailer?

Make URL context path configurable, do not require security questions

Hi,

We are currently switching from our old LDAP Server to IPA and we want to use mokey for password resets. There are two things that are bothering us a bit, although we will probably be able to use mokey anyways.

1: We need to set a root context path for mokey so that it will be available via https://url.com/mokey/.
2: It is possible to deactivate the security question for password resets, but when a user tries to log in he is still asked to provide a security question. It would be nice if those security questions could be turned off completely.

Apart from this: Great app. Thanks and keep it up!

regards,
Jörg

new mokey command switches

Hi,

When I create a new user with FreeIPA, I would like to send him a mokey invitation to set his password. Unless he does this he can't use the email address from FreeIPA to read this invitation. So it would be nice to add a foreign email address with the mokey command.

A second thing is that several people can't be reached within a 1 hour limit. It would be nice to add a switch with a variable time delay for the mokey command to make individual time delays possible.

Regards,

Rudi G.

Remote mysql configuration

Hello,

What would one need to add to this line so that mokey can use a MySQL database on a remote system?

dsn: "user:pass@/dbname?parseTime=true"

William

Example of authentication and encryption keys

Could you give an example of what auth_key and enc_key should look like and how to generate them?

I wasn't sure if those keys should be plaintext or the hash of some plaintext. Also, I wasn't sure how to specify bytes in a YAML file.

In Python 3.6, I can generate 16 secure random bytes by running:

import secrets
print(secrets.token_bytes(16))

All the project README has to say about those keys is:

auth_key: "32 or 64 bytes random key"
enc_key: "16, 24, or 32 byte random key"
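A way to generate both keys in the sizes the README lines above describe, and to check a configured value before starting the server, which also covers the "encoding/hex: invalid byte: U+0068 'h'" startup fatal reported earlier on this page. This is an added example, not mokey's own code; it assumes the YAML file carries the keys as hex strings (the hex-decoding error in that report points that way, but the assumption is not confirmed by the page).

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Decoded key sizes taken from the README lines quoted in the issue above:
// auth_key is 32 or 64 bytes, enc_key is 16, 24 or 32 bytes (AES key sizes).
var (
	AuthKeySizes = []int{32, 64}
	EncKeySizes  = []int{16, 24, 32}
)

// NewHexKey draws n bytes from crypto/rand and hex-encodes them, which is
// the form this example ASSUMES the YAML config expects for both keys.
func NewHexKey(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// CheckKey hex-decodes a configured value and rejects it unless its decoded
// length is one of sizes. A plain-text value such as "hello" fails here with
// the same "encoding/hex: invalid byte: U+0068 'h'" error quoted in the
// startup report, so a config can be validated before it reaches the server.
func CheckKey(name, value string, sizes []int) error {
	raw, err := hex.DecodeString(value)
	if err != nil {
		return fmt.Errorf("%s: %w", name, err)
	}
	for _, n := range sizes {
		if len(raw) == n {
			return nil
		}
	}
	return fmt.Errorf("%s: decodes to %d bytes, want one of %v", name, len(raw), sizes)
}

func main() {
	auth, _ := NewHexKey(32) // 64 hex characters in the YAML file
	enc, _ := NewHexKey(32)  // 32 bytes selects AES-256
	fmt.Printf("auth_key: %q\nenc_key: %q\n", auth, enc)
	if err := CheckKey("enc_key", "hello", EncKeySizes); err != nil {
		fmt.Println("rejected value:", err)
	}
}
```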

Document how to increase log verbosity

Hello

Thank you for sharing this tool for us to use. I came across it on 20th Dec and so far it is the best fit to work with an IPA server.

I have struggled with getting it working. I can reset the password, by getting it to send me an email and then using the generated link to successfully change the password, but I can't log in with the new password or the previous valid password.

This is the only info I can find from the logs:

Dec 21 17:06:49 mokey.eng.example.com bash[1787]: time="2018-12-21T17:06:49-05:00" level=info msg="Redirect URL" wyaf=/
Dec 21 17:06:49 mokey.eng.example.com bash[1787]: time="2018-12-21T17:06:49-05:00" level=error msg="Requested path not found" ip=192.168.11.1 path=/favicon.ico
Dec 21 17:06:49 mokey.eng.example.com bash[1787]: {"time":"2018-12-21T17:06:49.340658167-05:00","level":"ERROR","prefix":"echo","file":"echo.go","line":"595","message":"code=404, message=Not Found"}
Dec 21 17:07:37 mokey.eng.example.com bash[1787]: time="2018-12-21T17:07:37-05:00" level=info msg="Redirect URL" wyaf=/
Dec 21 17:07:59 mokey.eng.example.com bash[1787]: time="2018-12-21T17:07:59-05:00" level=info msg="Redirect URL" wyaf=/

Have you seen anything like this in the past? How would I go about making mokey more verbose in order to figure out what needs fixing?

Regards,
William
