Running PivacyIDEA with FreeIPA

for quite some time I have been using FreeIPA to manage 2FA tokens (TOTP, Yubikey, SMS/eMail). As part of my MacOS Server Migration series and moving my OpenDirectory / Authentication services to FreeIPA, I also had to move PrivacyIDEA from my legacy MacOS Server and decided to move it to the FreeIPA server to have all authentication services on the same host. I am aware that FreeIPA also has OTP support built-in, but as that only supports TOTP tokens, this did not suit my needs.

In this post describes how to get this working, without interfering with the FreeIPA web interface/services. This turned out to be a bit tricky as it requires additional rights granted to work under SELinux.

Update 2019-09-18: added how to migrate an existing PrivacyIDEA instance.

Continue reading “Running PivacyIDEA with FreeIPA”

MacOS Server Replacement #4 – Moving (Free)Radius to FreeIPA

After migrating OpenDirectory (LDAP) to FreeIPA, the next step in my MacOS Server replacement is to migrate the (Free)Radius service as well so that FreeIPA becomes the single authentication source within my network like the MacOS Server has been for years. There are several online guides available describing how to setup FreeRadius on FreeIPA, also on the FreeIPA HowTo list, though as I ended up using fragments of multiple guides to install and configure FreeRadius on FreeIPA with LDAP and MSCHAPv2 support (needed for EAP and other mechanisms) I wrote this post as a single step by step guide.

Continue reading “MacOS Server Replacement #4 – Moving (Free)Radius to FreeIPA”

Manage devices with legacy Firefox versions on MacOS

I still have a few old web-managed devices of which the web UI does not work (correctly) with modern browser versions. It found out that they worked fine with Firefox 17.0.9esr (yes I know that is really old) and for quite a while I kept an outdated VM available to manage them. Since the OS that runs on now also is way beyond EOL I worked out a way to use older versions of the FireFox browser (as they keep a great archive of their historic versions).

Yes, one shouldn’t use obsolete browser versions as it is not safe for normal browsing, but to access a web interface of an internal device (that otherwise can’t be managed) should be safe enough as long as one doesn’t visit other sites. In this post I will describe how I set this up and also how I ensured that the browser would not conflict with a regular installation of the Firefox Browser

Continue reading “Manage devices with legacy Firefox versions on MacOS”

Integrating Synology DS with FreeIPA

I recently decided to replace my outdated Synology DS 1010+ NAS (in service 24×7 for over 8 years without major issues) with a new DS 1618+ NAS. Of course the new NAS is a lot faster, has an additional drive bay but to me most important was to replace the hardware and benefit from the newer version of DSM (Synology’s NAS software platform). However, this post is not about my new NAS (there are sufficient other sites describing / testing / comparing these devices).

Of course, now that I am integrating everything with FreeIPA (replacing my MacOS OpenDirectory setup) I also needed the Synology NAS to be fully integrated with FreeIPA. Jack Henschel’s excellent post that gave me some clue’s but wasn’t quite clear in how things worked and what was really needed. The article itself was clear in the steps to take but not everything worked for me immediately so I had to find out why and how to fix that and document that in this post.

Continue reading “Integrating Synology DS with FreeIPA”

Password-Protecting Shell Scripts

When setting up systems, configuring applications and making changes I prefer to script things rather than follow instructions. Main drawback of scripting is that it takes more time but has (in my view) a number of advantages

  • Scripting makes things reproducible
  • Allows for checking and validation
  • (when needed) can produce change logs
  • It can be reused when the same change has

However, frequently these scripts contain sensitive information (e.g. passwords) and must be transferred to someone (or another system) so they should not be stored in clear text. This post explains how to encrypt shell scripts using openssl for cross-platform use.

Continue reading “Password-Protecting Shell Scripts”

Multiple Mosquitto instances on Debian with Systemd

I have been playing for quite a while MQTT to have my Arduino devices communicate with Node-Red for all kinds of automation. Due to the constraints of the Arduino’s, so far I have not been able to effectively secure this as SSL/TLS is not an option on these devices.

Mosquitto supports multiple listeners out of the box though aside from the listener-specific settings all listeners share the same global (e.g. authentication and plugin) settings. To secure my setup and to work on a more permanent solution I needed different settings per listener for which multiple Mosquitto instances are required (i.e. multiple instances of the mosquitto daemon with their configuration and listeners different IP addresses / ports). This was not difficult on my Debian server but as I did not find much documentation on this I will document the necessary steps in this post.

Continue reading “Multiple Mosquitto instances on Debian with Systemd”

Cisco EEM Service Module Monitoring

For quite a while I had issues with a faulty service module in a remote Cisco. Sometimes the card would lock-up and no longer respond and the only way to revive it was to issue the command service-module wlan-ap 0 reset to reboot it.

Normally one would simply replace it but that wasn’t that simple as the card itself can’t be replaced (and the device is also EOL) and the device is in a remote location without any technical staff on-site. Since rebooting the service module resolved the issue for that moment I looked for a way to automate that and documented that in this post.

Continue reading “Cisco EEM Service Module Monitoring”

MacOS Server Replacement #3 – Move OpenDirectory (LDAP) and DNS to FreeIPA on Fedora

As part of the migration of my MacOS Server to Linux the most tricky service to migrate is Apple’s OpenDirectory service. Although it is based on the open-source OpenLDAP project, Apple did customize things a lot, making it very tricky to move and block a real migration due to these closed-source customizations.  Instead of spending a lot of time on trying to figure out how to migrate OpenDirectory, I decided to start with a clean FreeIPA installation and migrate the users to that. Since I have been using MacOS Server’s OpenDirectory handled my  authentication for quite some time and ran in to issues before I learned that starting from scratch (and only migrating user information) isn’t that hard and in often the best approach.

As it is already quite long, this post focuses on how to configure FreeIPA on Fedora Core and migrating DNS and users. Integrating MacOS is covered on the FreeIPA WiKi and will be covered in a subsequent post including the integration with Apple’s Profile Server (the main component Apple seems to intend to support in the future). To aid with the configuration / setup I wrote a couple of scripts that are available from my Gitlab instance.

Continue reading “MacOS Server Replacement #3 – Move OpenDirectory (LDAP) and DNS to FreeIPA on Fedora”