Well, thanks Martin for the info :)

On 05/19/2015 08:23 PM, Martin Kosek wrote:
> On 05/19/2015 03:21 PM, Dewangga Bachrul Alam wrote:
>> Thank you Martin,
>> Yes, the IPA Server was built on CentOS 7.1. But, some client still
>> using CentOS 6.x, but I have plan upgrade them to 7.x.
>> Is it gave a problem if some client still on CentOS 6.x and the IPA
>> Server built on CentOS 7.x ?
> No, I do not see a problem with this setup. Clients will just simply use the
> capabilities they can do. We still tend to backport client features to
> RHEL-6.x, so it keeps getting the selected functionality (server does not).
>> On 05/19/2015 08:14 PM, Martin Kosek wrote:
>>> On 05/19/2015 10:53 AM, Dewangga Bachrul Alam wrote:
>>>> Hello!
>>>> On 05/19/2015 12:53 PM, Martin Kosek wrote:
>>>>> On 05/19/2015 04:04 AM, Dewangga Bachrul Alam wrote:
>>>>>> Hello!
>>>>>> I'm trying to reinstall ipa client, but have a problem with old/existing
>>>>>> ca.crt in `/etc/ipa/ca.crt`. Should I remove it manually? Since the IPA
>>>>>> server still on development and always reinstalled, I need to reproduce
>>>>>> any possible problem/error on FreeIPA 4.x on CentOS 7.
>>>>>> The error was :
>>>>>> LDAP Error: Connect error: TLS error -8054:You are attempting to import
>>>>>> a cert with the same issuer/serial as an existing cert, but that is not
>>>>>> the same cert.
>>>>>> Currently, I was renamed ca.crt to ca.crt.old and the ipa client
>>>>>> successfully reconnected to new FreeIPA Server using dns discovery.
>>>>>> Is it normal? And why the ipa-client-install --uninstall didn't
>>>>>> completely remove the old ca.crt?
>>>>> Hello,
>>>>> ipa-client-install uninstall the CA certificate properly since FreeIPA
>>>>> 3.2. This is the upstream ticket:
>>>>> https://fedorahosted.org/freeipa/ticket/3537
>>>>> CentOS/RHEL speaking, this should be thus fixed in 7.0+. In 6.x
>>>>> versions, you need to delete the certificate manually if you reinstalled
>>>>> the IPA server.
>>>>> HTH,
>>>>> Martin
>>>> Could you gimme advice, which version is suitable on production? 3.x or
>>>> 4.x ?.Or is there any release timeline for FreeIPA version (like EOL, etc).
>>> All versions in RHEL should be suitable for production - RHEL is an OS
>>> targeting production/stable environment.
>>> For FreeIPA, I would recommend using environment built on top of RHEL-7.1
>>> version (FreeIPA 4.1) as it contains the most fixes and most functionality 
>>> to
>>> be offered.
>>> I would not recommend having mixed RHEL-6.x and RHEL-7.x as you you will 
>>> have
>>> limited capabilities of your infrastructure as most of the new server 
>>> features
>>> are not backported to RHEL-6.x and clients connected to these servers could 
>>> not
>>> use them.
>>> Martin

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to