freeipa | Mirror of FreeIPA , an integrated security information | Identity Management library

Q: "Automatically make all hosts that execute this role a member of the ipaclient group."

A: Put this task into the role

I don't see how this question is related to programming, maybe move it to ServerFault.

And it's not clear what you want to do exactly. You don't want to install an embedded CA within the IPA Server, but it's unclear if you're going to use an external CA or no CA at all. In the first case this means the IPA Server would still automatically update the certificates, while the second case means you would update yourself when it is necessary.

The best entry point is the Linux Domain Identity, Authentication, and Policy Guide

If you're not going to use any CA at all, see section 2.3.6 :

It turns out mschapv2 is a challenge response protocol, and that does not work with an LDAP bind in the basic configuration of FreeRadius.

However I did find a solution where FreeRadius looks up a user by their LDAP DN, then reads (not bind) the NTHash of the user. From there, FreeRADIUS is able to process the challenge response.

First permissions have to be given to service accounts: https://fy.blackhats.net.au/blog/html/2015/07/06/FreeIPA:_Giving_permissions_to_service_accounts..html

After performing these steps users will need to change their password in order to generate an ipaNTHash.

Then configure FreeRadius to use mschapv2 with FreeIPA: https://fy.blackhats.net.au/blog/html/2016/01/13/FreeRADIUS:_Using_mschapv2_with_freeipa.html

After completing all the steps described in both links, this radtest cli command should return an Access-Accept response.

I was able to resolve the same issue following this other answer, basically by adding --sysctl net.ipv6.conf.lo.disable_ipv6=0 into my docker run ... command. I don't actually know why it needs to be there but my symptoms were the same as yours and this did the trick. Here is my full command for testing:

finally, I have completed with LDAP connection in laravel App. If anyone is facing difficulty in connecting LDAP go through with this package https://ldaprecord.com/docs/laravel/. very clear explanation about Integrating LDAP in laravel.

No, there is no such way. FreeIPA is not a tool, it is full functioning identity management system, similar to Active Directory but for POSIX environments. You aren't deploying it on a single machine as a separate application.

There are plenty other tools that utilise existing Active Directory deployment to store own information and handle Linux machines but most of them are commercially available.

However, I wonder why you are claiming there is no central management with SSSD for direct AD integration. SSSD with id_provider = ad supports group policies in AD, so you can apply those rules centrally. Technically you also can store SUDO rules in AD LDAP, though it wouldn't be easily manageable compared to FreeIPA.

Ah found it.

OpenVPNAS was using anonymous binding to connect to FreeIPA in order to authenticate people. With anonymous binding, it isn't permitted to see group membership!

Fix was to change OpenVPNAS to bind as an admin user. Now it works fine.

Certificate requests submitted for FreeIPA for signing pass through the internal set of checks that validate your rights to issue those certificates. One decision we made early enough is that Kerberos principal SAN in the certificate is one thing we can enforce and thus it is enforced.

Certificate Authority is much more than just self-signing with openssl. It includes revocation lists maintenance as well and without knowing what was issued and how, it is harder to maintain that.

Do you have any specific reason for issuing certs without Kerberos principals in them? Note that you can generate a certificate signing request any way you want, then submit it through 'ipa cert-request' or IPA Web UI directly, not using certmonger's tools. This CSR would still need to pass validation, though.