Fixing web login for FreeIPA
There are scripts on GitHub that automate renewing certificates with Let's Encrypt and installing them into FreeIPA. This means no more browser warnings about the self-signed certificate.
Additional Setup Notes:
- For my installation I put the scripts and configuration in /var/local/lib/ipa.
- Before running the setup script or manually installing the letsencrypt package, epel-release must be installed.
- The scripts (at least the renew one) must be executable if using the setup script.
- If asked to enter a pass phrase for the httpd key, there is a solution here. Basically:
  sudo /usr/libexec/platform-python /usr/libexec/ipa/ipa-httpd-pwdreader $HOSTNAME:443 RSA
- To run daily, I put renew-cert.timer and renew-cert.service in /etc/systemd/system/.
- To allow the script /var/local/lib/ipa/renew-le.sh to run from systemd, I had to allow it in SELinux with:
  sudo semanage fcontext --add --type bin_t /var/local/lib/ipa/renew-le.sh
  sudo chcon -Rv -u system_u -t bin_t /var/local/lib/ipa/renew-le.sh
  sudo restorecon -R -v /var/local/lib/ipa/renew-le.sh
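The daily timer and service pair referred to above, written out as an added example (these are not the page's own units nor part of the GitHub scripts); it assumes the renewal script sits at /var/local/lib/ipa/renew-le.sh and carries the bin_t label set with the commands above.

```ini
# /etc/systemd/system/renew-cert.service
# One-shot unit that runs the renewal script; it only does work when the timer fires.
[Unit]
Description=Renew the FreeIPA httpd certificate with Let's Encrypt
# Renewal talks to the ACME endpoint, so wait until the network is actually up.
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
# Script path from the setup notes (assumed); it must be executable and labelled bin_t.
ExecStart=/var/local/lib/ipa/renew-le.sh

# /etc/systemd/system/renew-cert.timer
[Unit]
Description=Daily FreeIPA certificate renewal

[Timer]
# Fire once a day, spread over an hour so many hosts do not hit the ACME service in the same minute.
OnCalendar=daily
RandomizedDelaySec=1h
# If the host was off when a run was due, catch up at the next boot instead of skipping it.
Persistent=true

[Install]
WantedBy=timers.target
```

Enable it with `sudo systemctl enable --now renew-cert.timer`; `systemctl list-timers renew-cert.timer` shows the next run and `journalctl -u renew-cert.service` keeps the script's output for checking that renewals actually succeed.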
Firefox auto-login
From IPA clients that already hold Kerberos tickets, it makes sense to allow logging into the web interface with that ticket instead of a password. To do so:
- In the Firefox address bar enter about:config
- Enter "negotiate" in the search bar, then double-click the entry for network.negotiate-auth.trusted-uris.
- In the text box enter the domain (for example ".example.com").
(source: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/deployment_guide/sso-config-firefox)
Enabling for all users
It is also possible to enable trusting your domain for all users.
The basic process would be to add the following to a ".js" file in /usr/lib/firefox/defaults/pref/:
pref("network.negotiate-auth.trusted-uris", ".example.com");