[Freeipa-users] Re: Replication failed after ipa-server-upgrade
On 11/29/2017 10:53 PM, Rob Crittenden wrote:
> skrawczenko--- via FreeIPA-users wrote:
>> i'm checking with
>> ldapsearch -Y GSSAPI -b cn=,cn=replicas,cn=ipa,cn=etc,dc=
>>
>> and there's just
>>
>> dn: ...
>> cn:
>> objectClass: ipaConfigObject
>> objectClass: nsContainer
>> objectClass: top
>>
>> right after ldapmodify
>>
>> [root@idm0 ~]# ipa-replica-manage list
>> unexpected error: u'ipaconfigstring'
>>
>> like something is not letting the attribute to be added or removes it
>> immediately.
>
> That is sure curious. Thierry, do you know if the topology plugin would mess with this kind of entry?
>
> rob

Hi,

topology plugin should not interfere into the update of "cn=,cn=replicas,cn=ipa,cn=etc,dc="
It catches only updates to replica agreements (under cn=config), segments (cn=topology), hosts (cn=masters), domain level (cn=domain level).

About the successful update not taken into account. Do you have the portion of access logs/error logs where the update is done?

Would you retry
ldapsearch -D "cn=directory manager" -W -b "cn=,cn=replicas,cn=ipa,cn=etc,dc=" nscpentrywsi

best regards
thierry

___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: FreeIPA setup third party ssl from Comodo
I see, mechanism is clear for me. I took my CA chain from https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/979/108/domain-validation-sha-2

And my chain is the following:

main cert
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
Subject: OU=Domain Control Validated, OU=EssentialSSL Wildcard, CN=*.mydomain.com

inter1
Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority

inter2
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA

root
Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root

Does it seem correct? According to sources from Google - it's not. And what order to import CAs via ipa-cacert-manage? Should I import them just one by one or from one file in the correct order? https://www.ssllabs.com/ssltest/analyze.html tells me that the chain is full and the order is correct...
[Freeipa-users] DNS forwarder broken
I am running on the latest Centos 7 with a system that has been working for quite some time. The only thing that I think has changed has been keeping the system up to date with yum. DNS forwarding no longer works. On the DNS Global Configuration page I have a Global forwarders IP listed as forward only but it does not work. Running ipa dnsconfig-show on my workstation returns nothing. However, running on the IPA server returns something. I manually added a specific forward zone for a specific domain and that works.
[Freeipa-users] Re: Replication failed after ipa-server-upgrade
skrawczenko--- via FreeIPA-users wrote:
> i'm checking with
> ldapsearch -Y GSSAPI -b cn= controller>,cn=replicas,cn=ipa,cn=etc,dc=
>
> and there's just
>
> dn: ...
> cn:
> objectClass: ipaConfigObject
> objectClass: nsContainer
> objectClass: top
>
> right after ldapmodify
>
> [root@idm0 ~]# ipa-replica-manage list
> unexpected error: u'ipaconfigstring'
>
> like something is not letting the attribute to be added or removes it
> immediately.

That is sure curious. Thierry, do you know if the topology plugin would mess with this kind of entry?

rob
[Freeipa-users] Re: FreeIPA setup third party ssl from Comodo
randrewg--- via FreeIPA-users wrote:
> Hello!
>
> Guys, I had set up FreeIPA 4.5 on Centos 7 with self-signed SSL cert.
> Now I want to install my main wildcard cert (from Comodo CA) for the domain where
> the IPA server is located, just for the web service, so web browsers won't complain to
> users about ssl.
> As expected - when I'm trying to do:
>
> # ipa-server-certinstall -w comodo.crt comodo.key
>
> I'm getting:
>
> Peer's certificate issuer is not trusted ((SEC_ERROR_UNKNOWN_ISSUER) Peer's
> Certificate issuer is not recognized.). Please run ipa-cacert-manage install
> and ipa-certupdate to install the CA certificate.
> The ipa-server-certinstall command failed.
>
> I've found on
> https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/979/108/domain-validation-sha-2
> all CA certs for Comodo and set them up via
>
> # ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install ca.crt
> # ipa-certupdate
>
> As pointed on
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> But nonetheless, when I'm trying after it - ipa-server-certinstall, I get
> the above error anyway.
>
> I'm starting to go crazy with it and don't know what I should do to solve
> this :(

IPA requires the full chain. What I tend to do is grab the subject from the server cert and find the issuer, then look at the issuer of that, and continue working backwards until I find the self-signed original CA. Install all those CA certs and things should work.

Their bundles usually don't have the full chains because most other servers don't do the full chain checking that IPA does (because we've been burned too many times we are a bit twitchy about it).

rob
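Rob's walk-backwards check, written out as an added example (not code from the thread or from FreeIPA) and run over the four Subject/Issuer names the Comodo poster lists earlier in this digest: it follows each certificate's issuer to the matching subject until it reaches a self-signed root, and reports the gap that makes IPA raise SEC_ERROR_UNKNOWN_ISSUER when a vendor bundle omits a link. The root-first install order it returns is an assumption for illustration; the thread only says every CA in the chain must be installed.

```python
# Added example, not code from the thread: Rob's chain-walking method applied to
# the subject/issuer names the Comodo poster listed (the wildcard CN is the
# poster's own placeholder, reused here as constructed sample data).

def normalise(dn):
    """Canonicalise an OpenSSL-style 'C=GB, O=..., CN=...' name for comparison."""
    return ", ".join(part.strip() for part in dn.split(","))

# label -> (Subject, Issuer), transcribed from the thread
COMODO = "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited"
ADDTRUST = "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root"
CERTS = {
    "main cert": ("OU=Domain Control Validated, OU=EssentialSSL Wildcard, CN=*.mydomain.com",
                  COMODO + ", CN=COMODO RSA Domain Validation Secure Server CA"),
    "inter1": (COMODO + ", CN=COMODO RSA Certification Authority", ADDTRUST),
    "inter2": (COMODO + ", CN=COMODO RSA Domain Validation Secure Server CA",
               COMODO + ", CN=COMODO RSA Certification Authority"),
    "root": (ADDTRUST, ADDTRUST),
}

def build_chain(certs, leaf):
    """Return (labels from leaf to root, complete); complete is False when an
    issuer is not among the subjects held, or the walk loops without a root."""
    by_subject = {normalise(subj): name for name, (subj, _) in certs.items()}
    chain, seen = [leaf], {leaf}
    subject, issuer = certs[leaf]
    while normalise(subject) != normalise(issuer):      # self-signed => root reached
        parent = by_subject.get(normalise(issuer))
        if parent is None or parent in seen:
            return chain, False
        chain.append(parent)
        seen.add(parent)
        subject, issuer = certs[parent]
    return chain, True

def ca_install_order(certs, leaf):
    """CA certs to hand to ipa-cacert-manage install one at a time. Root first is
    an assumption for illustration; the thread only says all of them are needed."""
    chain, complete = build_chain(certs, leaf)
    if not complete:
        raise ValueError("chain stops at %r: no cert with subject %r"
                         % (chain[-1], certs[chain[-1]][1]))
    return list(reversed(chain[1:]))          # the leaf itself is not a CA

if __name__ == "__main__":
    print(build_chain(CERTS, "main cert"))               # (['main cert', 'inter2', 'inter1', 'root'], True)
    print(ca_install_order(CERTS, "main cert"))          # ['root', 'inter1', 'inter2']
    vendor_bundle = {k: v for k, v in CERTS.items() if k != "inter1"}   # typical incomplete bundle
    print(build_chain(vendor_bundle, "main cert"))       # (['main cert', 'inter2'], False)
```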
[Freeipa-users] Re: Renewal of External Third Party SSL Cert
Hello Alka, As I understood - you had set up 3rd party SSL on top of self-signed? Could you please help me with similar task in my thread? https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/T5AHK6FTTUWVBIDU5HSOYKRIKMWUZ3OH/ Thanks!
[Freeipa-users] FreeIPA setup third party ssl from Comodo
Hello!

Guys, I had set up FreeIPA 4.5 on Centos 7 with self-signed SSL cert. Now I want to install my main wildcard cert (from Comodo CA) for the domain where the IPA server is located, just for the web service, so web browsers won't complain to users about ssl. As expected - when I'm trying to do:

# ipa-server-certinstall -w comodo.crt comodo.key

I'm getting:

Peer's certificate issuer is not trusted ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
The ipa-server-certinstall command failed.

I've found on https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/979/108/domain-validation-sha-2 all CA certs for Comodo and set them up via

# ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install ca.crt
# ipa-certupdate

As pointed on https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

But nonetheless, when I'm trying after it - ipa-server-certinstall, I get the above error anyway.

I'm starting to go crazy with it and don't know what I should do to solve this :(

Help me please! Thank you.
[Freeipa-users] Re: Replication failed after ipa-server-upgrade
i'm checking with
ldapsearch -Y GSSAPI -b cn=,cn=replicas,cn=ipa,cn=etc,dc=

and there's just

dn: ...
cn:
objectClass: ipaConfigObject
objectClass: nsContainer
objectClass: top

right after ldapmodify

[root@idm0 ~]# ipa-replica-manage list
unexpected error: u'ipaconfigstring'

like something is not letting the attribute to be added or removes it immediately.
[Freeipa-users] Re: Replication failed after ipa-server-upgrade
skrawczenko--- via FreeIPA-users wrote:
> i'm afraid also i'm unable to add the ipaconfigstring attribute into this dn
>
> ldapmodify -x -D 'cn=directory manager' -W
>
> dn: cn=,cn=replicas,cn=ipa,cn=etc,dc=
> changetype: modify
> add: ipaconfigstring
> ipaconfigstring: winsync:
>
> ^D
> modifying entry "cn=<...>
>
> no errors
> ipaconfigstring attribute does not appear after that however
>
> doing something wrong?

How are you checking that it does not appear? Is ipa-replica-manage still breaking or something else?

rob
[Freeipa-users] Re: Special admin account for one server/host only?
Simo Sorce via FreeIPA-users wrote:
> On Wed, 2017-11-29 at 09:26 -0500, Rob Morin via FreeIPA-users wrote:
>> Ok so I will initially create the account. So far my tests went ok, this
>> special user can change the users group and password, ONLY if they are
>> in the group sftponly. So that's ok. But I cannot seem to figure out how
>> to give Fred permission to be able to disable and enable a user in the
>> sftponly group. Is this possible?
>
> Not with standard permissions, but perhaps adding an explicit ACI on
> the sftponly group to allow Fred to change the "member" attribute would
> work ...
>
> You need to test this as Fred may then lack the permission to change
> the memberof attribute (automatically done by the system) on the users,
> so this may cause the whole operation to fail anyway.

I think current permissions support a targetfilter so you might be able to use that, something like:

targetfilter = "(memberOf=cn=sftp,cn=groups,cn=accounts,dc=example,dc=com)"

I forget the syntax for specifying the targetfilter but this will hopefully point you in the right direction.

rob

> Simo.
>
>> Rob Morin
>> Systems/Network Administrator
>> Hardent Inc.
>>
>> On 11/28/2017 11:13 AM, Rob Crittenden wrote:
>>> Rob Morin via FreeIPA-users wrote:
>>>> Hello all... I was wondering if someone could help me out, is it possible
>>>> to have a user administer only one host/server. Meaning they would log on
>>>> to the freeipa gui and be able to change a password or lock an account for
>>>> one host only. In our case our sftp server where someone else wants to
>>>> administer it, when i am not around, like add a user and so on. Is this
>>>> possible?
>>>
>>> User accounts can't be created or locked per-host because they are
>>> centralized.
>>>
>>> rob
[Freeipa-users] Re: Replication failed after ipa-server-upgrade
i'm afraid also i'm unable to add the ipaconfigstring attribute into this dn

ldapmodify -x -D 'cn=directory manager' -W

dn: cn=,cn=replicas,cn=ipa,cn=etc,dc=
changetype: modify
add: ipaconfigstring
ipaconfigstring: winsync:

^D
modifying entry "cn=<...>

no errors
ipaconfigstring attribute does not appear after that however

doing something wrong?
[Freeipa-users] Deployment considerations - domain name
Hello list,

I'm managing the network for my hackerspace, and we're moving to FreeIPA (from plain LDAP) to manage internal and external services. We have some services that are hosted on public, external machines (wiki, etc.) that members would authenticate to via Ipsilon OAuth2 that are under the main domain (e.g. wiki.example.org), and some internally hosted services that are under a subdomain (e.g. netbox.hq.example.org).

My plan is to have an IPA replica on the "outside" with Ipsilon for external auth, and a couple of local replicas (one of which is the CA master). The outside replica would be connected via VPN to the internal network, to avoid opening lots of ports to the outside world.

I'm having some difficulties choosing the proper Kerberos domain, and in general putting together the "external" world (example.org domain) and the "internal" one (hq.example.com domain) because the DNS server on the main domain is under CloudFlare. Would getting a new domain just for FreeIPA be advisable?

Thanks,
Aljaž

--
Aljaž Srebrnič a.k.a g5pw
My public key: https://g5pw.me/key
Key fingerprint = 2109 8131 60CA 01AF 75EC 01BF E140 E1EE A54E E677
[Freeipa-users] Re: Directory service stop and won't stay up when restarted
Hi Ludwig,

Thanks for your reply. We decided earlier today to restore from backup, that wasn't without issues but we had to get production back up running asap. I believe I fixed all the issues post backup restore and we seem to be in good shape now. We're looking at migrating to redhat idm in the future as we can't afford facing such critical issues like that.

Thanks to Alexander Bokovoy on IRC as well for providing backup restore instructions.

Regards,
Alex

On Wed, Nov 29, 2017 at 4:18 AM, Ludwig Krispenz via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> The crash looks very much like the one found in
> https://pagure.io/389-ds-base/issue/48894
> it is fixed and the code has also been generally improved with:
> https://pagure.io/389-ds-base/issue/49401
>
> As far as I can see these patches are not in 1.3.6.1-21, they are in
> upstream 1.3.6.10.
>
> If you cannot get a version containing these patches, you could try to
> clean up the entry state information by export/import reinitialize. It would
> mean on one server export the data to ldif without replication meta data and
> reimport it. But this changes the data generation and other replicas have
> to be reinitialized for replication to work again
>
> Ludwig
>
> On 11/28/2017 04:37 AM, Alexandre Pitre via FreeIPA-users wrote:
>> I managed to remove the replication conflicts but the original issue
>> persists. I found a couple of triggers that crash the directory service,
>> regardless of the freeipa server location. Here are the triggers:
>>
>> - Deleting a host that exists in freeipa but no longer exists in our infrastructure
>> - Deleting the same host from a hostgroup
>> - Re-building the auto membership of the hosts
>>
>> What worries me the most is that I can't even delete the "dead hosts" from
>> the ldap backend cn=computers OU... it crashes the directory service as well.
>>
>> Attached you'll find the stack trace generated from a core dump.
>>
>> Please help.
>>
>> Thanks
>>
>> On Sun, Nov 26, 2017 at 11:06 PM, Alexandre Pitre <alexandre.pi...@gmail.com> wrote:
>>> I believe I found the root cause. There are replication conflicts.
>>>
>>> ldapsearch -x -D "cn=directory manager" -w password -b "dc=ipa,dc=domain,dc=com" "nsds5ReplConflict=*" \* nsds5ReplConflict
>>>
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base
[Freeipa-users] Re: Replication failed after ipa-server-upgrade
Thank you, Rob

You're right, ipaconfigstring is missing, i've googled your instructions from the past how to re-add it.

Any idea why it disappears?

Many thanks