[Freeipa-users] "message" -> "Insufficient access: Insufficient 'write' privilege to the 'userPassword' attribute
Hi All,

I've been building a password self-service application which talks to the FreeIPA REST API to reset a user's password. This is working perfectly when I use the 'admin' user to perform the operation, but I don't want to do that in production because of reasons. So I've created a dedicated service account and assigned the role 'helpdesk' (I've also tried 'User Administrator'). I can perform changes like modifying another user's email address, but I can't reset the password.

The error is:

code=2100 message=Insufficient access: Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=X'. data={info=Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=tho,cn=users,cn=accounts,dc=ipa,dc=diges,dc=org'.} name=ACIError

Any ideas?

Regards,
Thomas

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
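A minimal client for the operation described in the post above, added here as an example; it is not code from the original post and not FreeIPA's own client library. It assumes the standard FreeIPA session endpoints (/ipa/session/login_password and /ipa/session/json) and the JSON-RPC error envelope ({"result": ..., "error": {"code", "name", "message", "data"}}); the server URL, the service-account name and the uid are placeholders. The point it demonstrates is running the reset under a dedicated account and treating an ACIError (code 2100, the error quoted in the post) as a role/permission problem to surface to operators rather than something to retry.

```python
"""FreeIPA JSON-RPC helper for a password self-service backend (added example)."""
import http.cookiejar
import json
import urllib.parse
import urllib.request

# Error code FreeIPA returns for an ACI (permission) denial; the post shows
# code=2100 name=ACIError.
ACI_ERROR_CODE = 2100

# Constructed sample mirroring the error object quoted in the post.
SAMPLE_ACI_ERROR = {
    "result": None,
    "error": {
        "code": 2100,
        "name": "ACIError",
        "message": "Insufficient access: Insufficient 'write' privilege to the "
                   "'userPassword' attribute of entry 'uid=X'.",
        "data": {"info": "Insufficient 'write' privilege to the 'userPassword' "
                         "attribute of entry "
                         "'uid=tho,cn=users,cn=accounts,dc=ipa,dc=diges,dc=org'."},
    },
    "id": 0,
}


class IPAError(Exception):
    """A JSON-RPC error object returned by the IPA server."""

    def __init__(self, code, name, message, info=None):
        super().__init__(f"{name} ({code}): {message}")
        self.code, self.name, self.message, self.info = code, name, message, info


def build_passwd_request(uid, new_password, request_id=0):
    """Body for the `passwd` command (`ipa passwd <uid> <password>`), the IPA
    command meant for resetting another user's password."""
    return {"method": "passwd", "params": [[uid, new_password], {}], "id": request_id}


def parse_response(body):
    """Return the 'result' of a JSON-RPC response, or raise IPAError."""
    doc = json.loads(body) if isinstance(body, (str, bytes)) else body
    err = doc.get("error")
    if err:
        data = err.get("data") or {}
        raise IPAError(err.get("code"), err.get("name"), err.get("message"), data.get("info"))
    return doc.get("result")


def is_permission_problem(exc):
    """An ACI denial means the service account's role lacks the permission
    (the post's case): surface it to operators instead of retrying."""
    return isinstance(exc, IPAError) and exc.code == ACI_ERROR_CODE


def classify(body):
    """'ok', 'permission-denied' or 'error', for logging and alerting."""
    try:
        parse_response(body)
        return "ok"
    except IPAError as exc:
        return "permission-denied" if is_permission_problem(exc) else "error"


def make_session(base_url, user, password):
    """Log in with the dedicated service account and return an opener that
    carries the session cookie. Raises urllib.error.HTTPError (401) on bad
    credentials."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    form = urllib.parse.urlencode({"user": user, "password": password}).encode()
    req = urllib.request.Request(
        f"{base_url}/ipa/session/login_password", data=form,
        headers={"Referer": f"{base_url}/ipa", "Accept": "text/plain",
                 "Content-Type": "application/x-www-form-urlencoded"})
    with opener.open(req):
        pass
    return opener


def call(opener, base_url, payload):
    """POST one JSON-RPC request on an authenticated session."""
    req = urllib.request.Request(
        f"{base_url}/ipa/session/json", data=json.dumps(payload).encode(),
        headers={"Referer": f"{base_url}/ipa", "Accept": "application/json",
                 "Content-Type": "application/json"})
    with opener.open(req) as resp:
        return parse_response(resp.read())


if __name__ == "__main__":
    # Placeholders: replace with the real server and the dedicated service account.
    BASE = "https://ipa.example.com"
    opener = make_session(BASE, "svc-selfservice", "service-account-password")
    try:
        print(call(opener, BASE, build_passwd_request("tho", "new-password")))
    except IPAError as exc:
        hint = " (check the role's permissions)" if is_permission_problem(exc) else ""
        print(f"reset failed: {exc}{hint}")
```

`classify` is what the application's logging path would use: a permission-denied verdict is a deployment configuration issue (the role assigned to the service account does not grant write on the attribute the command needs), so the sensible response is an alert, not a retry and not a fallback to a more privileged account.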
[Freeipa-users] ipa.service "fails" to start
Hi there,

This is el7.3 running ipa-server 4.4.0 release 12.0.1.el7. After reboot I couldn't start the ipa service via systemctl, hence I ran "ipactl start --ignore-service-failures" and this was kind of successful. I still have some discrepancies, and am looking for troubleshooting ideas.

1. "systemctl status ipa.service" reads that the service failed
2. "systemctl status pki-tomcatd.target" reads that PKI Tomcat Server is running.
3. # ipactl status
   Directory Service: RUNNING
   krb5kdc Service: RUNNING
   kadmin Service: RUNNING
   named Service: RUNNING
   ipa_memcached Service: RUNNING
   httpd Service: RUNNING
   ipa-custodia Service: RUNNING
   ntpd Service: RUNNING
   pki-tomcatd Service: STOPPED   < !!
   ipa-otpd Service: RUNNING
   ipa-dnskeysyncd Service: RUNNING
   ipa: INFO: The ipactl command was successful

Well, why does pki-tomcatd read 'stopped', and how do I make systemctl recognize that the ipa service is running?

Thanks in advance,
Zarko
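The post shows `ipactl status` reporting "The ipactl command was successful" while one service line reads STOPPED, so a monitoring check cannot rely on the summary line alone. The parser below is an added example, not code from the post or from FreeIPA; the sample output is constructed to mirror the post, the service names are the ones the post lists, and the only assumption is the line shape "<name> Service: <STATE>" that the post's output follows.

```python
"""Parse `ipactl status` output and flag services that are not RUNNING (added example)."""
import re
import subprocess
import sys

# Constructed sample mirroring the ipactl output quoted in the post.
SAMPLE_STATUS = """\
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
"""

# One service line: "<name> Service: <STATE>"; trailing text (such as the
# "< !!" marker the poster added by hand) is ignored.
LINE_RE = re.compile(r"^(?P<name>.+?) Service: (?P<state>[A-Z]+)")


def parse_status(text):
    """Return {service_name: state} for every service line; 'ipa: INFO:'
    summary lines do not match and are skipped."""
    services = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            services[m.group("name")] = m.group("state")
    return services


def not_running(text):
    """Names of services whose state is anything other than RUNNING."""
    return [name for name, state in parse_status(text).items() if state != "RUNNING"]


def check(text):
    """Monitoring verdict: 0 when every service is RUNNING, 1 otherwise.
    Decided from the per-service lines, not from the summary line."""
    return 0 if not not_running(text) else 1


if __name__ == "__main__":
    # Run against the live host (requires root, as ipactl does).
    out = subprocess.run(["ipactl", "status"], capture_output=True, text=True).stdout
    for name in not_running(out):
        print(f"{name}: {parse_status(out)[name]}")
    sys.exit(check(out))
```

Run as a cron or monitoring probe, the non-zero exit is what alerts on the situation in the post (pki-tomcatd STOPPED while everything else is up); `ipactl status` itself printed a success line in that state.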
[Freeipa-users] Re: Export CA from FreeIPA to new FreeIPA
On Thu, Oct 18, 2018 at 10:00:20AM -0400, Ralph Crongeyer via FreeIPA-users wrote:
> Hi Fraser,
> Actually my goal would be to have two identical stand-alone servers. For
> instance maybe add a server as a replica and then separate them from each
> other, or maybe export the CA's and issued certs and then import them to a
> new server. But I'm not sure how to do either of those.
>
Well, you can create a replica with a CA (`ipa-replica-install --setup-ca` or `ipa-replica-install` and subsequent `ipa-ca-install`). They will be exact replicas, all keys and certificates will be the same on both masters. Then you can separate them.

> I did try to add a server as a replica and then run ipa-replica-manage del
> server-name on both, but when I try to delete the master from the replica
> it complains that it can't be removed. I tried ipa-replica-manage del
> master-server-name --force and that works but then the ipa tools break and
> I can no longer log in to the web portal. So I know I'm doing something
> wrong.
>
I'm not sure what the problem is here. Maybe someone else can weigh in.

But in the end, I'm really not sure what problem you're trying to solve. Why would you want to create two identical masters and then "divorce" them? What problem are you trying to solve?

Cheers,
Fraser

> Any advice would be helpful.
>
> Thanks,
> Ralph
>
> > On Tue, Oct 16, 2018 at 7:18 PM Fraser Tweedale
> > wrote:
> >
> >> On Tue, Oct 16, 2018 at 01:23:11PM -0400, Ralph Crongeyer via
> >> FreeIPA-users wrote:
> >> > Hello,
> >> > I have a FreeIPA server that is currently running as a CA only, no
> >> > clients connect, no LDAP entries have ever been made, no DNS etc... The original
> >> > ipa CA is how it was set up during the initial install.
> >> > A second CA was created, company.com CA, and certs have been created
> >> > from this CA.
> >> > I've set up two new freeipa boxes and have them replicated and migrated
> >> > our openldap users and groups.
> >> >
> >> > What we would like to do now is to export the company.com CA from the
> >> > "freeipa CA only" and import it into the new freeipa environment.
> >> > I haven't been able to find anything about doing this in my web
> >> > searches so far.
> >> >
> >> > Can somebody help me with this?
> >> >
> >> > Thanks,
> >> > Ralph
> >>
> >> Hi Ralph,
> >>
> >> It's not clear what you want to accomplish. Do you want to:
> >>
> >> - Import the company.com CA certificate into FreeIPA so that IPA
> >>   servers and clients will use it as a trusted CA?
> >>   (Use `ipa-cacert-manage install` to do this).
> >>
> >> - Reissue the IPA CA certificate as a subordinate of the company.com
> >>   CA? You can use `ipa-cacert-manage renew --external-ca` to do
> >>   this.
> >>
> >> - Something else?
> >>
> >> Cheers,
> >> Fraser
> >>
> >
[Freeipa-users] Re: ipa-replica-manage --force replica.server fails
Ralph Crongeyer via FreeIPA-users wrote:
> Hi List,
> I have a master server that had a replica installed. The replica has
> been uninstalled. When I try to run "ipa-replica-manage del --force
> replica.server" it fails with:
> invalid 'PKINIT enabled server': all masters must have IPA master role
> enabled
>
> How can I delete this replica?

What is your ultimate goal here? In your previous post it sounded like you are trying to create a split-brain. IPA doesn't like those and does what it can to prevent them.

rob
[Freeipa-users] ipa-replica-manage --force replica.server fails
Hi List,

I have a master server that had a replica installed. The replica has been uninstalled. When I try to run "ipa-replica-manage del --force replica.server" it fails with:

invalid 'PKINIT enabled server': all masters must have IPA master role enabled

How can I delete this replica?

Thanks,
Ralph
[Freeipa-users] Remove a replica without DNS from a master with DNS
Hello List,

I'm trying to remove a replica without the DNS component installed from a master with the DNS component installed. Every time I remove the replica from the master (ipa-replica-manage del replica.server.com) I can no longer log into the web UI of the replica. Additionally, when I try to remove the master from the replica (ipa-replica-manage del master.server.com) it tells me that it can't remove the master server because it will leave this server (the replica server) without DNS.

What do I need to do so that the removed replica can function without the master for DNS?

Thanks,
Ralph
[Freeipa-users] Re: LDAP replica + Sub-CA on one FreeIPA server
Dmitry Perets via FreeIPA-users wrote:
> Hi,
>
> I am considering FreeIPA for a multi-site project, to provide both PKI and
> LDAP services.
> So ideally, I would like to have one separate FreeIPA server on each site +
> one central FreeIPA server.
> And this is what I have in mind:
> 1. The central FreeIPA server will be my master for LDAP/Kerberos. And each
> site will have a replica (so that the users can still authenticate, even if
> the connectivity to the central location is broken).
> 2. As for PKI - I'd prefer to build a hierarchy: central server would be
> RootCA and each site would be a separate SubCA (signed by the RootCA).
>
> I tried to implement this, but seems that it is impossible...
> I've installed the replica for LDAP/Kerberos successfully, using
> ipa-replica-install. But now I cannot add a SubCA to it:
>
> $ sudo ipa-ca-install --external-ca --ca-subject="CN=FreeIPA-SubCA,O=WOOF.NET"
> --ca-subject cannot be used when installing a CA replica
>
> So looks like on LDAP replica server I can only install CA replica... not a
> full SubCA...
> Is there a way to solve this?
>
> * One way, of course, is to install a separate Dogtag CA on each site, and
> keep CA-less FreeIPA server just for the LDAP/Kerberos replica...

This is not possible. All masters in IPA are equal peers with the exception of the optional services (CA, DNS, etc). So creating a new master via ipa-replica-install creates an equal peer so there is no concept of making it somehow subservient in any way.

rob
[Freeipa-users] LDAP replica + Sub-CA on one FreeIPA server
Hi,

I am considering FreeIPA for a multi-site project, to provide both PKI and LDAP services.
So ideally, I would like to have one separate FreeIPA server on each site + one central FreeIPA server.
And this is what I have in mind:
1. The central FreeIPA server will be my master for LDAP/Kerberos. And each site will have a replica (so that the users can still authenticate, even if the connectivity to the central location is broken).
2. As for PKI - I'd prefer to build a hierarchy: central server would be RootCA and each site would be a separate SubCA (signed by the RootCA).

I tried to implement this, but seems that it is impossible...
I've installed the replica for LDAP/Kerberos successfully, using ipa-replica-install. But now I cannot add a SubCA to it:

$ sudo ipa-ca-install --external-ca --ca-subject="CN=FreeIPA-SubCA,O=WOOF.NET"
--ca-subject cannot be used when installing a CA replica

So looks like on LDAP replica server I can only install CA replica... not a full SubCA...
Is there a way to solve this?

* One way, of course, is to install a separate Dogtag CA on each site, and keep CA-less FreeIPA server just for the LDAP/Kerberos replica...

---
Regards,
Dmitry Perets
[Freeipa-users] Re: New FreeIPA Server Setup
Ben Archuleta via FreeIPA-users wrote:
> Hello All,
>
> I am in the process of setting up a FreeIPA server to replace an ancient
> NIS (last updated in 2013-ish). I can manually recreate the accounts
> (about 280) for the most part but the issue I can't seem to work around
> is migrating the passwords over. From what I can tell there is no way to
> carry over the hashes as they are and it looks like my only option is to
> go to each person and have them re-input their password into FreeIPA.
>
> Is there a tool that can help with this issue or any tips from people
> who have upgraded from a NIS to IPA?

It's in the docs, https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/migrating-from-nis

rob
[Freeipa-users] Re: New FreeIPA Server Setup
On 10/18/18 4:34 PM, Ben Archuleta via FreeIPA-users wrote:
> Hello All,
>
> I am in the process of setting up a FreeIPA server to replace an ancient NIS (last updated in 2013-ish). I can manually recreate the accounts (about 280) for the most part but the issue I can't seem to work around is migrating the passwords over. From what I can tell there is no way to carry over the hashes as they are and it looks like my only option is to go to each person and have them re-input their password into FreeIPA.
>
> Is there a tool that can help with this issue or any tips from people who have upgraded from a NIS to IPA?

Hi,

did you have a look at this wiki?
https://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords

Once the users are imported, each user can go to the migration web page:
https://ipaserver.example.com/ipa/migration
and re-enter his password. This will generate the kerberos hash for the user.

HTH,
flo

> Regards,
> Ben Archuleta
> IT Services Specialist
[Freeipa-users] Re: Diagnose cause of Directory Services failure
Thank you! The descriptions of the issue that I found do reflect what I experienced:
https://pagure.io/389-ds-base/issue/49815
https://bugzilla.redhat.com/show_bug.cgi?id=1605554

DS Version: 389-ds-base-1.3.7.5-24.el7_5.x86_64

I've applied your recommended solution and will report back if the issue resurfaces.
[Freeipa-users] New FreeIPA Server Setup
Hello All,

I am in the process of setting up a FreeIPA server to replace an ancient NIS (last updated in 2013-ish). I can manually recreate the accounts (about 280) for the most part but the issue I can't seem to work around is migrating the passwords over. From what I can tell there is no way to carry over the hashes as they are and it looks like my only option is to go to each person and have them re-input their password into FreeIPA.

Is there a tool that can help with this issue or any tips from people who have upgraded from a NIS to IPA?

Regards,
Ben Archuleta
IT Services Specialist
[Freeipa-users] Re: Export CA from FreeIPA to new FreeIPA
Hi Fraser,

Actually my goal would be to have two identical stand-alone servers. For instance maybe add a server as a replica and then separate them from each other, or maybe export the CA's and issued certs and then import them to a new server. But I'm not sure how to do either of those.

I did try to add a server as a replica and then run ipa-replica-manage del server-name on both, but when I try to delete the master from the replica it complains that it can't be removed. I tried ipa-replica-manage del master-server-name --force and that works but then the ipa tools break and I can no longer log in to the web portal. So I know I'm doing something wrong.

Any advice would be helpful.

Thanks,
Ralph

> On Tue, Oct 16, 2018 at 7:18 PM Fraser Tweedale
> wrote:
>
>> On Tue, Oct 16, 2018 at 01:23:11PM -0400, Ralph Crongeyer via
>> FreeIPA-users wrote:
>> > Hello,
>> > I have a FreeIPA server that is currently running as a CA only, no
>> > clients connect, no LDAP entries have ever been made, no DNS etc... The original
>> > ipa CA is how it was set up during the initial install.
>> > A second CA was created, company.com CA, and certs have been created
>> > from this CA.
>> > I've set up two new freeipa boxes and have them replicated and migrated
>> > our openldap users and groups.
>> >
>> > What we would like to do now is to export the company.com CA from the
>> > "freeipa CA only" and import it into the new freeipa environment.
>> > I haven't been able to find anything about doing this in my web
>> > searches so far.
>> >
>> > Can somebody help me with this?
>> >
>> > Thanks,
>> > Ralph
>>
>> Hi Ralph,
>>
>> It's not clear what you want to accomplish. Do you want to:
>>
>> - Import the company.com CA certificate into FreeIPA so that IPA
>>   servers and clients will use it as a trusted CA?
>>   (Use `ipa-cacert-manage install` to do this).
>>
>> - Reissue the IPA CA certificate as a subordinate of the company.com
>>   CA? You can use `ipa-cacert-manage renew --external-ca` to do
>>   this.
>>
>> - Something else?
>>
>> Cheers,
>> Fraser
>>