Dmitri Pal wrote:

Sorry, I accidentally deleted your post.
I am resending it.


Greetings all:
Turned out to be webservice getting reconfigured out from under me.  We
didn't know that the management interface website was necessary for the
command-line management tools.
This raises a couple more questions:
1) Is the free-ipa website needed only for management (i.e.: changes) to
the IPA (e.g.: user additions, password changes, service deletions,
etc.), or is it required for the fundamental workings of authentication
-- we think this unlikely as this should be handled by kerberos/ldap,
etc., and we were able to auth while the website was down.

Apache provides a vehicle for getting to the TurboGears UI (via mod_proxy) and for the XML-RPC API used by the command-line. It isn't used for authentication/authorization.

2) What is the simplest way to configure the free-ipa website for
command-line only usage -- is there a stand-alone daemon we can run for
the free-ipa command-line utilities to work so we need not worry about
free-ipa in our apache configs?

It only runs from within Apache right now and there are no plans to do otherwise. We have all of the IPA configuration centralized in two files: ipa.conf and ipa-rewrite.conf, if that helps.

3) It is worthy of mention that we do have redundant configuration
between two servers, and will need them to be able to propagate changes
across -- is the free-ipa website in any way related to this, or is this
entirely handled by internal kerberos/ldap faculties?

Data (users, groups, etc.) replication is handled by 389-ds.

Per-service configuration is generally done on a per-box basis. We don't have integration with a configuration management system like puppet to keep configuration files in sync, if that is what you are asking.



Greetings all:

I'm thinking I just have to bounce something (or maybe it's been long enough that I'm running the command wrong, but I don't think so). Note that I show the error when not authenticated, and that I can authenticate without error:

[r...@sandbox1 ~]# ipa-finduser admin
Could not initialize GSSAPI: Unspecified GSS failure.  Minor code may
provide more information/Ticket expired
[r...@sandbox1 ~]# kinit admin -k -t krb5.keytab
[r...@sandbox1 ~]# ipa-finduser admin
Unable to connect to IPA server: File Not Found

I assume that the "File Not Found" is simply a poor error message. Any insight into what I need to do to fix this? I tried bouncing [ns-]ldap/dirsrv just in case that was the source of our problem.

NOTE: We also use coda, and it has no difficulty authenticating to
[IPA] kerberos (though we are having an odd UID issue with non-admin
users which prompted the attempt to run some ipa-finduser queries).

Your assistance in this matter is greatly appreciated.

{void}
_______________________________________________
Freeipa-users mailing list
