[Freeipa-users] issues while switching to other root CA
Hi All,

We are using our own (self-signed) root CA for our installations. We just started to use ipa and after exploring the possibilities we want to switch to the root CA we normally use. According to [1] it should be done using these instructions [2]. When we try to renew the certificate we get this error:

    [root@ipa ~]# ipa-cacert-manage renew --external-cert-file=/root/Certificate_Authority.pem --external-cert-file=root.cert
    Importing the renewed CA certificate, please wait
    CA certificate chain in /root/Certificate_Authority.pem, root.cert is incomplete: missing certificate with subject 'CN=Example SCRL'
    The ipa-cacert-manage command failed.

When we check the subject of the file, it seems to be correct to me:

    [root@ipa ~]# openssl x509 -noout -subject -in /root/root.cert
    subject= /CN=Example SCRL

Is there anyone who can help me with this?

Kind regards,
wim vinckier.

[1] https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/WXC4IHUM3J5KHLGR4YU6HZEGBGN6IUZS/
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/cert-renewal#manual-cert-renewal-ext

--
I would love to change the world, but they won't give me the source code.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
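An added example, not part of the original post and not FreeIPA's own check: it lists the subject and issuer of every certificate in the files passed with --external-cert-file and prints each issuer name that has no certificate with that subject among them. The function name missing_issuers is an assumption; it compares names as openssl prints them, so it finds an absent issuer certificate but not a difference in how two equal-looking names are encoded.

```shell
#!/bin/sh
# missing_issuers FILE...
# Each FILE may hold one or more PEM certificates. Prints one line per issuer
# name that does not occur as a subject in any of the files. Empty output
# means every certificate's issuer is present (a self-signed root is its own
# issuer, so it counts as present).
missing_issuers() {
    # crl2pkcs7 + pkcs7 -print_certs walks every certificate in a bundle and
    # prints "subject=..." and "issuer=..." for each one.
    names=$(for f in "$@"; do
        openssl crl2pkcs7 -nocrl -certfile "$f" |
            openssl pkcs7 -print_certs -noout
    done)

    subjects=$(printf '%s\n' "$names" | sed -n 's/^subject=//p' | sort -u)

    printf '%s\n' "$names" | sed -n 's/^issuer=//p' | sort -u |
    while IFS= read -r issuer; do
        # Exact, fixed-string match of the issuer against the known subjects.
        printf '%s\n' "$subjects" | grep -Fxq -- "$issuer" ||
            printf '%s\n' "$issuer"
    done
}

# Run directly: sh missing_issuers.sh /root/Certificate_Authority.pem root.cert
if [ "$#" -gt 0 ]; then
    missing_issuers "$@"
fi
```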
[Freeipa-users] Re: adding users
On 08/31/2018 04:33 PM, Andrew Meyer via FreeIPA-users wrote:
> So we are starting the final phase of our migration and I am trying to add all the users to FreeIPA. But I'm getting an error and I'm not sure why. I've also never gotten this in the past when adding users.
>
> [root@freeipa01 ~]# ipa user-add user.name --first=User --last=name --email user.n...@example.com --password basicpasswordtobechanged
> ipa: ERROR: command 'user_add' takes at most 1 argument
> [root@freeipa01 ~]#

Hi,

with ipa user-add, --password does not take any value but prompts you to enter a value (and to confirm a second time). See the help:

    $ ipa user-add --help
    Usage: ipa [global-options] user-add LOGIN [options]

    Add a new user.
    Options:
      -h, --help   show this help message and exit
      --first=STR  First name
      --last=STR   Last name
    [...]
      --password   Prompt to set the user password

If you want to avoid the prompt, you can do:

    $ echo basicpasswordtobechanged | ipa user-add user.name --first=User --last=name --email user.n...@example.com --password

HTH
flo
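The same stdin approach applied to a whole list of users, as an added example that is not part of the original reply: each account gets its own random initial password, piped to `ipa user-add ... --password` so that no password is typed on a command line or saved in shell history. The function name add_users, the colon-separated list format and the output file are assumptions.

```shell
#!/bin/sh
# add_users LIST OUT
# LIST: one user per line as "login:First:Last:email" (assumed format).
# OUT:  receives "login:initial-password" for every account that was created,
#       to be handed out over a separate channel and then deleted.
add_users() {
    list=$1
    out=$2
    # Create OUT readable by the owner only (applies when OUT is new).
    ( umask 077; : > "$out" )

    while IFS=: read -r login first last email; do
        [ -n "$login" ] || continue
        # 18 random bytes -> 24 base64 characters.
        pw=$(head -c 18 /dev/urandom | base64)
        # printf is a shell builtin, so the password is written straight to
        # the pipe and never becomes an argument of any process. ipa reads
        # it from stdin instead of prompting, as in the reply above.
        if printf '%s\n' "$pw" | ipa user-add "$login" \
                --first="$first" --last="$last" --email="$email" \
                --password >/dev/null; then
            printf '%s:%s\n' "$login" "$pw" >> "$out"
        else
            printf 'user-add failed for %s\n' "$login" >&2
        fi
    done < "$list"
}

# Run directly: sh add_users.sh users.txt initial-passwords.txt
if [ "$#" -eq 2 ]; then
    add_users "$1" "$2"
fi
```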
[Freeipa-users] adding users
So we are starting the final phase of our migration and I am trying to add all the users to FreeIPA. But I'm getting an error and I'm not sure why. I've also never gotten this in the past when adding users.

    [root@freeipa01 ~]# ipa user-add user.name --first=User --last=name --email user.n...@example.com --password basicpasswordtobechanged
    ipa: ERROR: command 'user_add' takes at most 1 argument
    [root@freeipa01 ~]#
[Freeipa-users] Re: Using ipa migrate-ds to import host groups, hbac rules and sudo rules
Heather A. Selbe via FreeIPA-users wrote:
> I am using ipa migrate-ds to move entries from an old single master IPA
> instance to an IDM instance on a new environment with a new realm name.
> I was able to use the ipa migrate-ds command to get the users and groups
> moved successfully, but I am missing stuff such as my host groups and
> hbac and sudo rules. Are there flags to pull those over as well? For
> host groups I don't need to move over the hosts since I will have to
> register all of the boxes to the new realm anyhow to ensure they can
> properly find both of the masters that I will have in the new
> environment. If need be I can do these by hand, but copying over these
> sets as is since I know they work for my environment will be preferable.
>
> If there's a better guide for options and flags for ipa migrate-ds,
> please point me to it. All my searching brings me to the same pages that
> have a very limited and specific set of usages for this command, and in
> the os there isn't a man or help page for migrate-ds that I was able to
> find.

migrate-ds only migrates users and groups at the moment.

It is possible to use ldapsearch to create an ldif of the data, massage it for the new install, and then import it, but it does require some knowledge of how IPA stores its data.

rob
[Freeipa-users] Using ipa migrate-ds to import host groups, hbac rules and sudo rules
I am using ipa migrate-ds to move entries from an old single master IPA instance to an IDM instance on a new environment with a new realm name. I was able to use the ipa migrate-ds command to get the users and groups moved successfully, but I am missing stuff such as my host groups and hbac and sudo rules. Are there flags to pull those over as well? For host groups I don't need to move over the hosts since I will have to register all of the boxes to the new realm anyhow to ensure they can properly find both of the masters that I will have in the new environment. If need be I can do these by hand, but copying over these sets as is since I know they work for my environment will be preferable.

If there's a better guide for options and flags for ipa migrate-ds, please point me to it. All my searching brings me to the same pages that have a very limited and specific set of usages for this command, and in the os there isn't a man or help page for migrate-ds that I was able to find.