Well, thanks Martin for the info :) On 05/19/2015 08:23 PM, Martin Kosek wrote: > On 05/19/2015 03:21 PM, Dewangga Bachrul Alam wrote: >> Thank you Martin, >> >> Yes, the IPA Server was built on CentOS 7.1. But, some client still >> using CentOS 6.x, but I have plan upgrade them to 7.x. >> >> Is it gave a problem if some client still on CentOS 6.x and the IPA >> Server built on CentOS 7.x ? > > No, I do not see a problem with this setup. Clients will just simply use the > capabilities they can do. We still tend to backport client features to > RHEL-6.x, so it keeps getting the selected functionality (server does not). > >> >> On 05/19/2015 08:14 PM, Martin Kosek wrote: >>> On 05/19/2015 10:53 AM, Dewangga Bachrul Alam wrote: >>>> Hello! >>>> >>>> On 05/19/2015 12:53 PM, Martin Kosek wrote: >>>>> On 05/19/2015 04:04 AM, Dewangga Bachrul Alam wrote: >>>>>> Hello! >>>>>> >>>>>> I'm trying to reinstall ipa client, but have a problem with old/existing >>>>>> ca.crt in `/etc/ipa/ca.crt`. Should I remove it manually? Since the IPA >>>>>> server still on development and always reinstalled, I need to reproduce >>>>>> any possible problem/error on FreeIPA 4.x on CentOS 7. >>>>>> >>>>>> The error was : >>>>>> LDAP Error: Connect error: TLS error -8054:You are attempting to import >>>>>> a cert with the same issuer/serial as an existing cert, but that is not >>>>>> the same cert. >>>>>> >>>>>> Currently, I was renamed ca.crt to ca.crt.old and the ipa client >>>>>> successfully reconnected to new FreeIPA Server using dns discovery. >>>>>> >>>>>> Is it normal? And why the ipa-client-install --uninstall didn't >>>>>> completely remove the old ca.crt? >>>>> >>>>> Hello, >>>>> >>>>> ipa-client-install uninstall the CA certificate properly since FreeIPA >>>>> 3.2. This is the upstream ticket: >>>>> https://fedorahosted.org/freeipa/ticket/3537 >>>>> >>>>> CentOS/RHEL speaking, this should be thus fixed in 7.0+. In 6.x >>>>> versions, you need to delete the certificate manually if you reinstalled >>>>> the IPA server. >>>>> >>>>> HTH, >>>>> Martin >>>> >>>> Could you gimme advice, which version is suitable on production? 3.x or >>>> 4.x ?.Or is there any release timeline for FreeIPA version (like EOL, etc). >>> >>> All versions in RHEL should be suitable for production - RHEL is an OS >>> targeting production/stable environment. >>> >>> For FreeIPA, I would recommend using environment built on top of RHEL-7.1 >>> version (FreeIPA 4.1) as it contains the most fixes and most functionality >>> to >>> be offered. >>> >>> I would not recommend having mixed RHEL-6.x and RHEL-7.x as you you will >>> have >>> limited capabilities of your infrastructure as most of the new server >>> features >>> are not backported to RHEL-6.x and clients connected to these servers could >>> not >>> use them. >>> >>> Martin >>> >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
