2024-04-02T05:31:55 *** bommel is now known as comrad
2024-04-02T05:50:46 In my app, I got 20 TOTPs, but the only heroes-related one is gitlab.i.o.o and that did not work in Kanidm
2024-04-02T06:28:27 *** teepee_ is now known as teepee
2024-04-02T07:33:43 "Signature verification failed for file 'repomd.xml' from repository 'update-sle (15.5)'."
2024-04-02T07:33:44 some issue with the repositories?
2024-04-02T07:38:27 bmwiedemann: I will assume this means you want me to delete the one from IPA then. Kanidm can't "make up" TOTPs, we only reflect what FreeIPA has.
2024-04-02T07:39:21 thalunil: This is common, depending on the mirror it may have rsynced non-atomically. Wait a bit and refresh.
2024-04-02T07:40:24 Firstyear (Firstyear): yes, please.
2024-04-02T07:41:26 Done, it will be reflected (aka removed) from Kanidm when the next sync occurs (which is every 5 minutes)
2024-04-02T07:42:10 I was able to log into freeipa yesterday and did not see 2FA enabled there.
2024-04-02T07:43:28 Because freeipa has a terrible UI. You need to hunt for it in another tab.
2024-04-02T07:43:51 but wouldn't it ask for 2FA on login?
2024-04-02T07:45:51 Nope. FreeIPA doesn't work like that. You can have MFA and optionally disregard them based on your account settings
2024-04-02T07:46:00 Which is what was happening here.
2024-04-02T07:46:11 FreeIPA is very murky about when or when not MFA is needed.
2024-04-02T07:46:18 Anyway, I'm going back to my night, I'm still very tired.
2024-04-02T07:46:24 lmk if you have any more issues.
2024-04-02T07:46:30 And I'll check later.
2024-04-02T07:46:34 good night
2024-04-02T08:12:01 Firstyear (Firstyear): thanks a lot - works as expected by now
2024-04-02T12:34:34 tried logging into gitlab, but all I get is "Sign-in using Heroes authentication auth failed. Identities provider can't be blank"
2024-04-02T12:46:36 JacobMichalskie: it works for me, can you confirm in a private browser window?
2024-04-02T12:47:01 it should redirect you to idm.i.o.o upon clicking "Sign in"
2024-04-02T12:47:10 yes I can
2024-04-02T12:47:24 and it does redirect
2024-04-02T12:47:32 I only get it after I logged in on the kanidm side
2024-04-02T12:47:38 from gitlab
2024-04-02T12:47:48 422 from gitlab to be precise, with that message
2024-04-02T12:50:49 ah, after successful login, it is an issue with your account, let me check
2024-04-02T12:54:36 "message":"Correct LDAP account has been found. identity to user: hellcp1." ..
2024-04-02T12:55:00 that doesn't sound very correct
2024-04-02T12:55:11 the problem is your gitlab account has your @opensuse.org address, but in the LDAP this is only your secondary one whilst the primary is @lcp.world
2024-04-02T12:55:22 ugh
2024-04-02T12:55:24 which one do you prefer?
2024-04-02T12:55:33 I don't care tbh
2024-04-02T12:56:04 ok, try now please
2024-04-02T12:57:09 hmm, interesting, it does not save it in gitlab albeit saying success
2024-04-02T12:57:22 will swap them in ldap then
2024-04-02T13:03:11 takes about 5 minutes to sync from freeipa to kanidm, will check when it's there and ping
2024-04-02T13:37:39 got distracted, JacobMichalskie: can try now
2024-04-02T13:50:46 nope, still doesn't work
2024-04-02T13:50:56 same error
2024-04-02T14:30:39 hm, sorry, cannot yet find what is different with your user. will investigate more after work.
2024-04-02T15:11:54 what about now?
2024-04-02T15:17:44 actually no, I repaired it in gitlab but the mails are still swapped
2024-04-02T15:18:18 Firstyear: can you check? I swapped the two "mail" attributes in hellcp's account but from Kanidm I still get them in the original order
2024-04-02T15:18:50 from freeipa I get the correct order
2024-04-02T15:35:41 Jacob Michalskie dunno if it's intentional or not, but it appears that the telegram <-> matrix bridge bot is down, or stuck or something.
2024-04-02T15:42:45 it is: https://progress.opensuse.org/issues/158287
2024-04-02T16:11:34 I really need to start to remember to check progress.o.o
2024-04-02T18:50:54 *** teepee_ is now known as teepee
2024-04-02T19:48:35 SFaulken: I often remember :)
2024-04-02T22:02:42 *** teepee_ is now known as teepee
2024-04-02T22:14:36 acidsys: LDAP attribute order doesn't imply anything, and LDAP can serve the attributes in "whatever" order. That's why you need separate attributes like mail primary etc. to show which one is actually primary. In this case, because FreeIPA lacks mailprimary, we can't tell anything about the preference, so whatever order LDAP returns the values in is what we have to accept.
2024-04-02T22:14:47 So right now I'm looking and I see the "wrong" order from FreeIPA via ldap.
2024-04-02T22:15:23 So the "best" option would be to remove the "incorrect" mail until it can be re-added later.
2024-04-02T22:15:36 hi Firstyear, from the accounts I tested the GitLab migration with, I always found that the attribute which appears "first" is the one used to set the email attribute in GitLab. Maybe I was just lucky.
2024-04-02T22:15:47 Sounds like an idea!
2024-04-02T22:15:50 Yep,
2024-04-02T22:16:16 And yeah, ldap attributes don't imply any ordering.
2024-04-02T22:16:38 then it also makes sense why the sync tool did not catch me changing it
2024-04-02T22:17:12 Yeah, this is one of those "cursed ldap dark magic secrets"
2024-04-02T22:17:32 Depending on the ldap server, two queries can return the same entry with different attribute orders etc.
2024-04-02T22:17:42 Depends on the internal data structures, sorting, etc.
2024-04-02T22:18:08 It's also why the attribute names aren't alphabetical either in order on a result.
2024-04-02T22:21:51 right .. to be fair, FreeIPA is the first LDAP where I worked with users having multiple `mail` attributes :p
2024-04-02T22:22:38 Ahhh right.
2024-04-02T22:24:13 So what this does in kani is the mail attribute is imported, but we have a concept of "primary" and "secondary" addresses, and we deal with that based on the import order. Sadly, we can't actually get freeipa to say "which is which" here too easily. But anyway, that's why kani is always showing the same order regardless of what freeipa was doing: whichever we see "first" is primary, and the rest are...
2024-04-02T22:24:18 ... secondary.
2024-04-02T22:25:19 From gitlab's view you can use mailPrimary from kanidm.
2024-04-02T22:25:36 Because we "synthesise" those records from the structure of the attribute.
2024-04-02T22:25:45 As an example query.
2024-04-02T22:26:47 LDAPTLS_REQCERT=never ldapsearch -H ldaps://idm.infra.opensuse.org -x -b 'o=heroes' '(uid=hellcp)' +
2024-04-02T22:27:00 You'll need to add a bind username/password to have rights to show mail attributes
2024-04-02T22:27:28 But the "+" here in that query says "show all virtual attributes", so it will show you everything we "synthesise" and all its forms.
2024-04-02T22:30:40 the plus does not seem to do anything, even if escaped
2024-04-02T22:31:33 but with ldapsearch authenticated with my user I do not see "mail" attributes for users generally. I always need to use "kanidm person get"
2024-04-02T22:31:45 if I query "mail" specifically (by putting it where you put the +) I just get empty results
2024-04-02T22:32:05 Ldap search won't show you unless you have a service account token with privs.
2024-04-02T22:32:15 because ldapsearch is considered less secure.
2024-04-02T22:32:28 can I haz privs to read all attributes? <3
2024-04-02T22:32:36 No <3
2024-04-02T22:32:48 Ldapsearch requires you to use a service-account token if you want privs to read via ldap
2024-04-02T22:32:57 because ldap is always single factor authentication otherwise.
2024-04-02T22:33:09 but you wrote "You'll need to add a bind username/password to have rights to show mail attributes"
2024-04-02T22:33:15 so which username/password do I use if not mine
2024-04-02T22:33:18 Yeah, that's what I meant, sorry.
2024-04-02T22:33:22 oh
2024-04-02T22:33:38 * acidsys searches for "token" in docs
2024-04-02T22:33:42 Like, how is gitlab reading the mail
2024-04-02T22:34:07 https://kanidm.github.io/kanidm/stable/integrations/ldap.html#access-controls
2024-04-02T22:34:07 and
2024-04-02T22:34:11 it uses the primary email address from oauth2
2024-04-02T22:34:19 https://kanidm.github.io/kanidm/stable/accounts/service.html#api-tokens-with-ldap
2024-04-02T22:34:24 the problem is if that was not the same email address which was originally considered "primary" from ldap
2024-04-02T22:34:27 acidsys: Ahhhhhh okay.
2024-04-02T22:34:49 acidsys: Yeah, but there was no "primary" in ldap. Just a pool of chaos, like anything ldap related.
2024-04-02T22:34:52 there does not seem to be any other identifier unfortunately. the documentation says the linking of existing accounts is always by email
2024-04-02T22:35:06 _slow clap for gitlab_
2024-04-02T22:35:09 That's awful.
2024-04-02T22:35:32 thx for the link
2024-04-02T22:36:37 Anyway, let's just remove all but the primary from freeipa, that will clear it up for now
2024-04-02T22:36:48 and then later kani has proper primary/secondary handling so it'll be resolved.
2024-04-02T22:36:55 yup, on it
2024-04-02T22:37:55 btw since I can read with "kanidm person get" .. is there a way to use the "+" trick there?
2024-04-02T22:38:47 The person get is using the kanidm native api, not the ldapsearch, so there aren't virtual attributes there.
2024-04-02T22:38:54 The + thing is specific to ldap
2024-04-02T22:39:17 ah ok, maybe a different quick way to just "check" which is currently considered the primary email address?
2024-04-02T22:39:31 without building my own oauth client :P
2024-04-02T22:40:01 Kanidm person get shows you, because it _does_ order them, first in the list of mail is primary in the kani output
2024-04-02T22:40:14 ahh great!
2024-04-02T22:40:26 Though it should be clearer
2024-04-02T22:40:29 That's on my todo
2024-04-02T22:40:38 API growing pains and all that :)
2024-04-02T22:40:44 return a .jpg with a red circle around the first email?
2024-04-02T22:41:00 rofl
2024-04-02T22:41:05 :p
2024-04-02T22:41:23 Of all the approaches, that is certainly one of them.
2024-04-02T22:41:44 LGTM
2024-04-02T22:42:29 I'm doing a bit better today, still might not be at work but I'll look at that slim issue
2024-04-02T22:43:17 no pressure
2024-04-02T22:43:47 PRESSURE!
2024-04-02T22:44:06 * acidsys steams
2024-04-02T22:44:47 firstyear is not in the sudoers file.
2024-04-02T22:44:47 This incident has been reported to the administrator.
2024-04-02T22:44:52 I can hear the sirens coming for me.
2024-04-02T22:44:55 haX
2024-04-02T22:45:30 man, did you really have to start the siren and red alarm light in my room
2024-04-02T22:45:38 people are sleeping already
2024-04-02T22:47:36 I don't want to be that guy but:
2024-04-02T22:47:36 ... long message truncated: https://matrix.opensuse.org/_matrix/media/v3/download/opensuse.org/hVhtdxEaPsPkcEfzaAQUvrBP (3 lines)
2024-04-02T22:47:39 It works for me?
2024-04-02T22:48:20 yes. now it works for me as well.
2024-04-02T22:48:39 your magic hands
2024-04-02T22:48:59 I didn't do anything!
2024-04-02T22:49:06 But to explain a possible answer.
2024-04-02T22:49:31 Kanidm-unixd has a "not found" cache. So depending on the scenario, it can briefly cache an NX of an account and return no results.
2024-04-02T22:49:42 The other thing is kanidm-unixd will _never_ return an account that exists locally on the machine.
2024-04-02T22:49:58 So if you had a crameleon in /etc/passwd it would also not respond to that either.
2024-04-02T22:50:08 the second point I get
2024-04-02T22:51:09 with the first one, when is the "not found" cache populated? if it's the first time I authenticate, will it block to look up the account?
2024-04-02T22:51:38 It will block to look it up, yes.
2024-04-02T22:51:47 It only populates nx if the server says your account doesn't exist.
2024-04-02T22:51:54 I see
2024-04-02T22:52:06 Which probably means it doesn't matter here ^^;
2024-04-02T22:52:09 then I can't quite explain why sometimes it takes me more than 1 attempt
2024-04-02T22:52:44 That one I can explain
2024-04-02T22:52:54 And I thought I had fixed ....
2024-04-02T22:53:27 If the resolver believes it's offline, the first attempt pokes it to do an online-now check, but then doesn't continue the auth. The resolver is now online, so the second works.
2024-04-02T22:53:39 But I specifically fixed that because it had affected me at home.
2024-04-02T22:53:41 So I will check
2024-04-02T22:54:41 It _could_ be timeout. If the pam module doesn't get a response fast enough, the resolver is still doing the online test but pam times it out.
2024-04-02T22:55:20 acidsys: Did you get chip working btw? Or should I look at that too
2024-04-02T22:55:36 interesting, that'd be cool to figure out
2024-04-02T22:56:01 moment
2024-04-02T22:56:24 It's easy to piece together from logs if we know what time it happened. But either way, in the meantime I'd say we raise the connection timeout anyway,
2024-04-02T22:58:39 ugh, chip has worse problems, sorry, false alarm
2024-04-02T22:58:51 if we can raise the timeout that'd be cool
2024-04-02T22:58:58 especially to provo we have terrible latency
2024-04-02T22:59:21 Firstyear (Firstyear): I've got worse news, it's not _uncommon_
2024-04-02T22:59:38 acidsys: How much latency do you expect?
2024-04-02T22:59:51 Jacob Michalskie: I'm aware. And I hate it.
2024-04-02T23:00:30 Firstyear: 160-200 ms from Prague to Provo
2024-04-02T23:01:01 seems right now it's quite stable at 165
2024-04-02T23:01:20 _laughs in 350ms from aus to prague_
2024-04-02T23:01:35 well, only wait til you try to ssh from your workstation to one in provo _via_ prague
2024-04-02T23:01:50 https://gitlab.infra.opensuse.org/infra/salt/-/merge_requests/1654
2024-04-02T23:01:56 seen it, checking
2024-04-02T23:02:54 ayyy, I get a different error when trying to log into gitlab
2024-04-02T23:02:58 "Your account is pending approval from your GitLab administrator and hence blocked. Please contact your GitLab administrator if you think this is an error."
2024-04-02T23:03:14 is the gitlab administrator in the room with us
2024-04-02T23:03:17 Is that progress or a regression? Who knows.
2024-04-02T23:03:19 :P
2024-04-02T23:03:19 this is why you don't annoy the administrator.
2024-04-02T23:03:20 shall I hide?
2024-04-02T23:03:38 depends
2024-04-02T23:03:39 Jacob Michalskie: _gets the ouija board_
2024-04-02T23:04:04 JacobMichalskie: I still need to change it, right now it "works" but is the wrong primary address, hence it tries to make a new account. hang on
2024-04-02T23:04:12 oh
2024-04-02T23:04:34 acidsys: I can fix the mail addresses
2024-04-02T23:04:39 That's easy
2024-04-02T23:05:23 hmm, I don't see a way to remove email addresses in the freeipa UI
2024-04-02T23:05:32 Yeah, I'll do it.
2024-04-02T23:05:35 It needs an ldif probably
2024-04-02T23:05:36 I see it in the user search overview, but when I open the user it's not there
2024-04-02T23:05:39 oki, thanks!
2024-04-02T23:05:55 lcp#0: You want opensuse.org or lcp.world as primary email?
2024-04-02T23:06:13 use the opensuse.org one please, it's the one gitlab has
2024-04-02T23:06:31 Got it.
2024-04-02T23:06:51 both websites are pretty cool tbh
2024-04-02T23:06:55 luckily we don't have so many tools that I'd need to calculate an average of which one is used as primary in most tools :P
2024-04-02T23:07:30 indeed. but only one has free downloads >:O
2024-04-02T23:08:11 Firstyear: earlier today when hacking on FreeIPA I found instead of writing ldif I can use `ldapvi` from the FreeIPA shell. changed my life
2024-04-02T23:08:49 Yeah, ldapvi is magic.
2024-04-02T23:09:15 I should make "kanidmvi" :P
2024-04-02T23:09:39 "kanivi" has a nice ring to it
2024-04-02T23:09:45 Done, mail changed
2024-04-02T23:09:52 kaneevee
2024-04-02T23:10:00 lcp#0: It'll be synced to kani within the next 5 minutes, then try again.
2024-04-02T23:10:13 kanimacs
2024-04-02T23:10:19 I might be asleep by that point
2024-04-02T23:10:31 kanied
2024-04-02T23:10:45 kanidd
2024-04-02T23:11:11 acidsys: We're getting two gsoc students potentially, and one wants to work on an admin webui too
2024-04-02T23:11:13 kanipipe and kanicd
2024-04-02T23:11:14 which should be good for you
2024-04-02T23:11:53 me personally? I like the cli ;) adding the oauth2 clients was soo easy
2024-04-02T23:12:06 but I think many others will like it
2024-04-02T23:12:08 https://matrix.opensuse.org/_matrix/media/v3/download/opensuse.org/DQWYgKKcWCSRBkarAJaNwtfx/Screenshot%20from%202024-04-03%2001-11-49.png
2024-04-02T23:12:15 how will I ever survive this
2024-04-02T23:12:19 wasn't me!
2024-04-02T23:12:33 Yeah.
2024-04-02T23:12:42 I spent years suffering ldap's horrible "cli" and then freeipa's
2024-04-02T23:12:51 So I made a big point to make the kani cli "really good"
2024-04-02T23:13:01 It's certainly got its flaws and that
2024-04-02T23:13:06 But it works darn well for what it does.
2024-04-02T23:14:18 wow, I finally logged into gitlab
2024-04-02T23:14:24 yay!
2024-04-02T23:14:33 You're welcome :)
2024-04-02T23:14:44 I'll keep this in mind for the next person with multiple email addresses ..
2024-04-02T23:14:55 remind me what I was going to do in gitlab again
2024-04-02T23:14:57 theoretically I guess I could write something to scan for it, but maybe easier to just do it on a complaint basis
2024-04-02T23:15:00 acidsys: If you haven't seen btw, there is some "magic" in kani that will let you add a passkey to your account, even though it's still syncing from freeipa in the meantime :)
2024-04-02T23:15:09 aka you can use a yubikey or whatever.
2024-04-02T23:15:12 Jacob Michalskie: Now start working !!!! 😅
2024-04-02T23:15:54 it never occurred to me to try the MFA "feature" in FreeIPA
2024-04-02T23:16:09 it does not work well at all
2024-04-02T23:16:17 If you add a totp on freeipa it will sync to kani and work
2024-04-02T23:16:18 it's not really worth the effort
2024-04-02T23:16:20 though I am one of the odd people who log into the web UI using Kerberos tickets sometimes.
2024-04-02T23:16:22 But yeah, freeipa's totp is rough.
2024-04-02T23:17:08 oh yeah, I was meaning to get my coworkers access to the heroes network
2024-04-02T23:17:30 anyway, it's past 01:00, probably not a topic for now
2024-04-02T23:17:31 That's a weird way to spell "victims".
2024-04-02T23:17:36 also we only used freeipa through LDAP so the OTP was not much good .. now with kanidm we can actually make use of MFA :-)
2024-04-02T23:18:22 Once we swap to kani from freeipa, the default account policy will kick in that enforces mfa on kani accounts by default.
2024-04-02T23:18:51 Firstyear (Firstyear): yeah, they will have to maintain the obs review machine
2024-04-02T23:18:52 perfect, I will just blame it on the software then
2024-04-02T23:18:52 And at least unlike freeipa, we store our password hashes in a secure kdf
2024-04-02T23:18:55 the pain
2024-04-02T23:19:39 acidsys: Blame it on that silly Australian :)
2024-04-02T23:20:17 I would make a joke about a famous Australian but I know none
2024-04-02T23:20:40 I know some Australian youtubers that nobody else will probably know, on the other hand
2024-04-02T23:21:11 I didn't know there was a Kanidm YouTube channel
2024-04-02T23:22:11 Oh yeah there is
2024-04-02T23:22:18 I think the other main dev put something up
2024-04-02T23:24:33 cargo downloading dependencies with elevator music?
2024-04-02T23:25:02 rofl
2024-04-02T23:25:11 it's just a live stream trying to decrypt passwords from the database, failing miserably
2024-04-02T23:27:16 with a counter