[Freeipa-users] Re: migrate-ds doesn't migrate roles?
Mitchell Smith via FreeIPA-users wrote:
> Hi,
>
> I am migrating users off an old 4.3.1 FreeIPA cluster to a new 4.6.4 FreeIPA
> cluster via the 'ipa migrate-ds' command.
>
> ipa migrate-ds --bind-dn="cn=Directory Manager" \
>     --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts \
>     --group-objectclass=posixgroup \
>     --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} \
>     --user-ignore-objectclass=mepOriginEntry --with-compat ldap://172.16.1.156
>
> First issue I ran into is that it didn't retain the nsAccountLock flag for
> users so all my disabled users were enabled again, that was an easy fix.
>
> Second issue I ran into is that roles were not migrated and applied to
> users, I could manually create the roles and apply them to users, but I am
> wondering why these weren't migrated by migrate-ds?
>
> It is my understanding that this is the intended usage of migrate-ds, to
> migrate from one FreeIPA to another, dropping important objects like roles
> seems fairly critical?

The intended usage is to migrate from a pure LDAP server to IPA. Only users and groups are migrated.

There is a long-standing RFE to implement IPA to IPA migration: https://pagure.io/freeipa/issue/3656

rob

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
[Freeipa-users] migrate-ds doesn't migrate roles?
Hi,

I am migrating users off an old 4.3.1 FreeIPA cluster to a new 4.6.4 FreeIPA cluster via the 'ipa migrate-ds' command.

ipa migrate-ds --bind-dn="cn=Directory Manager" \
    --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts \
    --group-objectclass=posixgroup \
    --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} \
    --user-ignore-objectclass=mepOriginEntry --with-compat ldap://172.16.1.156

First issue I ran into is that it didn't retain the nsAccountLock flag for users so all my disabled users were enabled again, that was an easy fix.

Second issue I ran into is that roles were not migrated and applied to users, I could manually create the roles and apply them to users, but I am wondering why these weren't migrated by migrate-ds?

It is my understanding that this is the intended usage of migrate-ds, to migrate from one FreeIPA to another, dropping important objects like roles seems fairly critical?

Your feedback and suggestions would be greatly appreciated.

Thanks
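The two gaps named in this thread (roles, and the nsAccountLock flag of disabled users) are exactly the objects migrate-ds does not copy, and both can be re-created from an LDIF export of the old server. The script below is an added example written for this page, not FreeIPA project code and not anything Mitchell or Rob posted. It assumes an LDIF dump of cn=roles,cn=accounts and of the locked users taken with ldapsearch against the old server (the base DN dc=old,dc=example,dc=com, the role names, the privilege and the users are constructed), and emits the `ipa role-add`, `ipa role-add-privilege`, `ipa role-add-member` and `ipa user-disable` commands for the new server. Privileges are recovered from the role's memberOf values under cn=pbac; member DNs are mapped to the matching role-add-member option by the container they live in.

```python
"""Re-create what 'ipa migrate-ds' does not carry over: roles (with privileges
and members) and the nsAccountLock flag of disabled users.  Added example, not
FreeIPA code.  Input is LDIF exported from the OLD server, e.g. (constructed):
  ldapsearch -LLL -H ldap://172.16.1.156 -D "cn=Directory Manager" -W \
    -b cn=roles,cn=accounts,dc=old,dc=example,dc=com '(objectClass=groupofnames)'
Output is a list of 'ipa' commands for the NEW server; dry-run by default."""
import base64
import shlex
import subprocess

SAMPLE_ROLES = """\
dn: cn=helpdesk,cn=roles,cn=accounts,dc=old,dc=example,dc=com
cn: helpdesk
description: Password reset
 s for staff
member: uid=alice,cn=users,cn=accounts,dc=old,dc=example,dc=com
member: cn=support,cn=groups,cn=accounts,dc=old,dc=example,dc=com
memberOf: cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=old,dc=example,dc=com

dn: cn=Host Enrollment,cn=roles,cn=accounts,dc=old,dc=example,dc=com
cn:: SG9zdCBFbnJvbGxtZW50
member: fqdn=web1.old.example.com,cn=computers,cn=accounts,dc=old,dc=example,dc=com
"""  # constructed sample export (folded line and base64 value on purpose)

SAMPLE_USERS = """\
dn: uid=bob,cn=users,cn=accounts,dc=old,dc=example,dc=com
uid: bob
nsAccountLock: TRUE
"""  # constructed; users without nsAccountLock: TRUE stay enabled

# Container of a member DN -> 'ipa role-add-member' option that takes it.
CONTAINERS = {"cn=users,cn=accounts": "--users", "cn=groups,cn=accounts": "--groups",
              "cn=computers,cn=accounts": "--hosts", "cn=hostgroups,cn=accounts": "--hostgroups"}


def parse_ldif(text):
    """Minimal LDIF reader: unfolds ' ' continuation lines, decodes '::' base64
    values, skips '#' comments; returns entries as {lowercased attr: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:          # trailing sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        cur.setdefault(attr.lower(), []).append(value.strip())
    return entries


def rdn_value(dn):
    """'uid=alice,cn=users,...' -> 'alice' (RDNs with escaped commas not handled)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def role_commands(role_entries):
    """role-add, role-add-privilege (privileges are the role's memberOf under
    cn=pbac) and role-add-member for every role entry."""
    cmds = []
    for e in role_entries:
        name = e["cn"][0]
        cmds.append(["ipa", "role-add", name] +
                    (["--desc=" + e["description"][0]] if e.get("description") else []))
        privs = [rdn_value(dn) for dn in e.get("memberof", [])
                 if ",cn=privileges,cn=pbac," in dn.lower()]
        if privs:
            cmds.append(["ipa", "role-add-privilege", name, "--privileges=" + ",".join(privs)])
        members = {}
        for dn in e.get("member", []):
            for container, option in CONTAINERS.items():
                if "," + container + "," in dn.lower():
                    members.setdefault(option, []).append(rdn_value(dn))
        if members:
            cmds.append(["ipa", "role-add-member", name] +
                        [opt + "=" + ",".join(v) for opt, v in sorted(members.items())])
    return cmds


def disable_commands(user_entries):
    """user-disable for every user exported with nsAccountLock: TRUE."""
    return [["ipa", "user-disable", e["uid"][0]] for e in user_entries
            if e.get("nsaccountlock", [""])[0].upper() == "TRUE"]


def run(cmds, dry_run=True):
    # Print each command; with dry_run=False run it (needs 'kinit admin' on the new server).
    for cmd in cmds:
        print(" ".join(shlex.quote(c) for c in cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    run(role_commands(parse_ldif(SAMPLE_ROLES)) + disable_commands(parse_ldif(SAMPLE_USERS)))
```

Run it once as a dry run and diff the printed commands against `ipa role-find --all` on the old server before switching to `dry_run=False`; role names must not already exist on the new server, and member users and groups have to be migrated first or role-add-member fails. Re-disabling accounts is the part worth doing first: between the migrate-ds run and the fix, every formerly locked account can authenticate.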
[Freeipa-users] Re: AD trust and external group memberships, sssd issue?
Hello all,

I found the following URL, which "corrected" the problem using the workaround provided by Thorsten - although it should be fixed in our SSSD version (1.16.2.13):

https://bugzilla.redhat.com/show_bug.cgi?id=1359208

Thanks!
John DeSantis

On Wed 3 Apr 2019 at 15:57 John Desantis wrote:
>
> Hello all!
>
> Due to how our organization is moving, we'll be forced to upgrade our
> current IPA installation. In a nutshell, this involves using a
> one-way AD trust.
>
> So, with the latest versions of RHEL and IPA offered on our Satellite
> server, I was able to get an installation up and running and AD trust
> established; because of the work of all of the IPA developers, this
> was quite easy - THANK YOU.
>
> I've noticed that there seems to be a major delay in how often an
> external user's group membership is updated. In fact, it seems that I
> have to run sss_cache -u against the external user in order to verify
> additions/removals from the group in question.
>
> Since I'm still in a testing phase, I am performing the queries on the
> only two provisioned nodes in the new realm, the IPA servers
> themselves. Has any other user with the same configuration run into
> this issue, too? If so, anything to double-check?
>
> I'm certain that this is an sss configuration issue, but after
> searching through google and this mailing list, I can't seem to find
> any real "solution".
>
> Thanks,
> John DeSantis
[Freeipa-users] AD trust and external group memberships, sssd issue?
Hello all!

Due to how our organization is moving, we'll be forced to upgrade our current IPA installation. In a nutshell, this involves using a one-way AD trust.

So, with the latest versions of RHEL and IPA offered on our Satellite server, I was able to get an installation up and running and AD trust established; because of the work of all of the IPA developers, this was quite easy - THANK YOU.

I've noticed that there seems to be a major delay in how often an external user's group membership is updated. In fact, it seems that I have to run sss_cache -u against the external user in order to verify additions/removals from the group in question.

Since I'm still in a testing phase, I am performing the queries on the only two provisioned nodes in the new realm, the IPA servers themselves. Has any other user with the same configuration run into this issue, too? If so, anything to double-check?

I'm certain that this is an sss configuration issue, but after searching through google and this mailing list, I can't seem to find any real "solution".

Thanks,
John DeSantis
[Freeipa-users] Import hosts from text file
Hi All,

this is my first post and probably not my last.

Can anyone tell me where to find a script to import hosts from a text file? I already found this thread:

https://www.redhat.com/archives/freeipa-users/2014-May/msg00158.html

The export script works, but I'm lost with the import script. Any help would be appreciated.

With kind regards,
Cornelis
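An import script of the kind Cornelis is after is a thin wrapper around `ipa host-add`; the part worth getting right is validating the input and not handing admin credentials to every machine being enrolled. The example below is added for this page and is not the script from the 2014 thread. It assumes a constructed input format (one host per line: FQDN, optional IPv4 address, optional description, `#` comments), prints the commands as a dry run, and can switch to executing them. With `--random`, host-add makes IPA generate a one-time enrollment password for the host, which is then consumed by `ipa-client-install --password` instead of an admin login.

```python
"""Bulk-add hosts to FreeIPA from a text file.  Added example, not the script
from the 2014 thread.  Assumed (constructed) input format, one host per line:
    fqdn [ipv4-address] [description ...]      # '#' starts a comment
Commands are printed (dry run) unless run(..., dry_run=False) is used."""
import re
import shlex
import subprocess

SAMPLE_HOSTS = """\
# constructed sample hosts.txt
web1.example.com  192.0.2.10  front-end web server
db1.example.com   192.0.2.20
build.example.com             CI runner, no DNS record yet
"""

FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$")


def is_fqdn(name):
    """Accept only fully qualified, DNS-legal names (no short names, no spaces)."""
    return bool(FQDN_RE.match(name.lower()))


def is_ipv4(value):
    parts = value.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts)


def parse_hosts(text):
    """Return [{'fqdn', 'ip', 'desc'}] or raise ValueError naming the bad line."""
    hosts = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 2)
        fqdn = fields[0].lower()
        if not is_fqdn(fqdn):
            raise ValueError("line %d: %r is not a fully qualified host name" % (lineno, fields[0]))
        rest = fields[1:]
        ip = rest.pop(0) if rest and is_ipv4(rest[0]) else None
        hosts.append({"fqdn": fqdn, "ip": ip, "desc": " ".join(rest) or None})
    return hosts


def host_add_cmd(host, random_otp=False):
    """Build the 'ipa host-add' argv.  --ip-address also creates the DNS record
    when IPA manages the zone; without an address --force is needed because
    host-add refuses names that do not resolve.  --random makes IPA print a
    one-time enrollment password for 'ipa-client-install --password'."""
    cmd = ["ipa", "host-add", host["fqdn"]]
    cmd.append("--ip-address=" + host["ip"] if host["ip"] else "--force")
    if host["desc"]:
        cmd.append("--desc=" + host["desc"])
    if random_otp:
        cmd.append("--random")
    return cmd


def run(hosts, dry_run=True, random_otp=False):
    for cmd in (host_add_cmd(h, random_otp) for h in hosts):
        print(" ".join(shlex.quote(c) for c in cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)   # needs a ticket with host-add rights


if __name__ == "__main__":
    run(parse_hosts(SAMPLE_HOSTS))
```

Run as `python3 import_hosts.py < hosts.txt` after replacing SAMPLE_HOSTS with the file contents; the one-time passwords printed by `--random` are secrets and should go straight into the provisioning step rather than into a log. A line with a bare short name aborts the whole run on purpose, so a typo does not create a stray host entry.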
[Freeipa-users] Re: Sharing domain name with existing 389 server
> phil.barone--- via FreeIPA-users wrote:
>
> You seem to be using the terms openldap and 389 interchangeably. They are
> different things.
>
Hmm, that shows what I know. Sorry, just disregard openldap.

> Are you advertising the LDAP SRV records in your existing
> infrastructure,

I'm not sure what is meant by advertising. We use dnsmasq because it dumbs down a lot of the details so am not familiar with the term. Can you show me how to tell if I am?

> or do you plan to? If not then it would probably work fine.
>
> rob

Thanks Rob.
[Freeipa-users] Re: Sharing domain name with existing 389 server
phil.barone--- via FreeIPA-users wrote:
> Sorry, new to all this. My intent is to add an IPA environment to an existing
> local openldap 389server test environment.
>
> The Deployment Recommendations document warns about overlaps with existing
> active directory domains but does not mention 389server domains. My intention
> is to share a local subnet and the same domain name with an existing
> 389server configuration.
>
> The environments will be made up of separate systems and have their own dns
> servers (each have their own LDAP) but will need to ssh back and forth.
>
> These are CentOS 6.5 (389 1.2.11-15) and CentOS 7.6 (ipa-server 4.6.4-10.el7)
> environments using dnsmasq (2.48-13 and 2.76-7)
>
> Hosts files:
>
> 389server (dns: dnsvr1.test.hfgs.net)
> server1.test.company.net
> server2.test.company.net
> server11.test.company.net
> server12.test.company.net
>
> IPA (dns: ipasvr1.test.hfgs.net)
> server11.test.company.net
> server12.test.company.net
> server1.test.company.net
> server2.test.company.net
>
> Is this viable?
> If not, what do I need to do to add this second IPA environment?

You seem to be using the terms openldap and 389 interchangeably. They are
different things.

Are you advertising the LDAP SRV records in your existing
infrastructure, or do you plan to? If not then it would probably work fine.

rob
[Freeipa-users] Sharing domain name with existing 389 server
Sorry, new to all this. My intent is to add an IPA environment to an existing local openldap 389server test environment.

The Deployment Recommendations document warns about overlaps with existing active directory domains but does not mention 389server domains. My intention is to share a local subnet and the same domain name with an existing 389server configuration.

The environments will be made up of separate systems and have their own dns servers (each have their own LDAP) but will need to ssh back and forth.

These are CentOS 6.5 (389 1.2.11-15) and CentOS 7.6 (ipa-server 4.6.4-10.el7) environments using dnsmasq (2.48-13 and 2.76-7)

Hosts files:

389server (dns: dnsvr1.test.hfgs.net)
server1.test.company.net
server2.test.company.net
server11.test.company.net
server12.test.company.net

IPA (dns: ipasvr1.test.hfgs.net)
server11.test.company.net
server12.test.company.net
server1.test.company.net
server2.test.company.net

Is this viable?
If not, what do I need to do to add this second IPA environment?

Thanks.
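"Advertising" LDAP SRV records, the thing Rob asks about and Phil asks how to check, means publishing `_ldap._tcp.<domain>` (and, for IPA, `_kerberos` and `_kpasswd`) SRV records in DNS. That matters here because ipa-client-install and SSSD discover their servers through exactly those names, so if dnsvr1 publishes `_ldap._tcp.test.company.net` pointing at the 389 DS hosts, clients in the shared domain can be steered to the wrong directory. In dnsmasq these records come from `srv-host=` lines. The script below is an added example, not FreeIPA or dnsmasq code and not part of the thread; the dnsmasq configuration it parses is constructed around the host names Phil listed, and it reports which discovery records are published for a domain and which of them point at hosts other than the IPA servers.

```python
"""Tell whether a dnsmasq configuration "advertises" LDAP/Kerberos SRV records
for a domain, i.e. the names ipa-client-install and SSSD use to autodiscover
IPA servers.  Added example; the config below is constructed.
dnsmasq syntax: srv-host=_service._proto.domain,target,port[,priority[,weight]]"""
import re

SAMPLE_DNSMASQ_CONF = """\
# constructed dnsmasq.conf from the 389 DS side (dnsvr1)
domain=test.company.net
srv-host=_ldap._tcp.test.company.net,server1.test.company.net,389
srv-host=_ldap._tcp.test.company.net,server2.test.company.net,389,10,20
srv-host=_ldaps._tcp.test.company.net,server1.test.company.net,636
"""

# SRV names an IPA client queries during discovery.
IPA_DISCOVERY_SRV = ("_ldap._tcp", "_kerberos._tcp", "_kerberos._udp",
                     "_kerberos-master._tcp", "_kerberos-master._udp",
                     "_kpasswd._tcp", "_kpasswd._udp")

SRV_NAME_RE = re.compile(r"^(_[a-z0-9-]+\._(?:tcp|udp))\.(.+?)\.?$")


def parse_srv_hosts(conf_text):
    """{(service, domain): [(target, port, priority, weight), ...]} from srv-host=
    lines.  An empty target is dnsmasq's 'service does not exist' marker: skipped."""
    records = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("srv-host="):
            continue
        fields = line[len("srv-host="):].split(",")
        fields += [""] * (5 - len(fields))
        m = SRV_NAME_RE.match(fields[0].lower())
        if not m or not fields[1]:
            continue
        port, prio, weight = (int(f) if f.isdigit() else 0 for f in fields[2:5])
        records.setdefault((m.group(1), m.group(2)), []).append(
            (fields[1].lower().rstrip("."), port, prio, weight))
    return records


def advertised(records, domain):
    """Map each discovery SRV name to the targets published for `domain`."""
    domain = domain.lower().rstrip(".")
    return {svc: [t for t, _port, _prio, _w in records.get((svc, domain), [])]
            for svc in IPA_DISCOVERY_SRV}


def conflicts(records, domain, ipa_servers):
    """Discovery SRV records under `domain` that point at non-IPA hosts."""
    ipa = {s.lower().rstrip(".") for s in ipa_servers}
    return [(svc, t) for svc, targets in advertised(records, domain).items()
            for t in targets if t not in ipa]


if __name__ == "__main__":
    recs = parse_srv_hosts(SAMPLE_DNSMASQ_CONF)
    for svc, targets in advertised(recs, "test.company.net").items():
        print("%-24s %s" % (svc, ", ".join(targets) or "(not advertised)"))
    for svc, target in conflicts(recs, "test.company.net",
                                 ["server11.test.company.net", "server12.test.company.net"]):
        print("CONFLICT: %s.test.company.net -> %s is not an IPA server" % (svc, target))
```

For a live resolver rather than a config file, `dig +short SRV _ldap._tcp.test.company.net @dnsvr1.test.hfgs.net` answers the same question: an empty answer means nothing is advertised for that domain, which is the case Rob says would probably work fine. If records are present, either the 389 side stops publishing them or clients must be enrolled with explicit `--server`/`--domain` arguments rather than discovery.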
[Freeipa-users] basic password reset page?
Hello Everyone,

I was wondering if anyone here knew of a basic password reset page for FreeIPA?

It must have:

* No hostname restriction, i.e. if the IPA domain is dev.example.net the reset page should be able to be viewed from password.example.com
* Easily edited/styled, i.e. to remove any references to OTP, and to use our own terms/language/styles.

Nice to have:

* No use of Kerberos. (same as the no hostname restriction)

I've tried using a couple of different pages found on github but haven't found one that really fits all our requirements.

Thank you,
Anthony Clark
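A custom page of the kind Anthony describes needs a back end that talks to IPA without Kerberos; the stock Web UI's own "reset password" dialog does this by posting a plain HTML form to `/ipa/session/change_password` on the IPA server, with the outcome returned in an `X-IPA-Pwchange-Result` header. The code below is an added example for this page, not FreeIPA code and not one of the GitHub pages mentioned. It assumes that endpoint and those headers are present on the server (`ipa.dev.example.net` is a constructed host name). Two caveats a practitioner would want: this is a change that requires the current (possibly expired) password, not an administrative reset for a forgotten one; and a page served from `password.example.com` should make this call server-side, because a browser form post from another origin would land the user on IPA's plain-text response rather than your page.

```python
"""Change a user's FreeIPA password over HTTPS, without Kerberos, from any host,
via the form endpoint the stock Web UI's "reset password" dialog posts to.
Added example, not FreeIPA code.  Assumptions: the server accepts
POST https://<ipa-server>/ipa/session/change_password with form fields user,
old_password, new_password and optional otp, and reports the outcome in the
X-IPA-Pwchange-Result header (ok | invalid-password | policy-error | error),
with details in X-IPA-Pwchange-Policy-Error.  ipa.dev.example.net is constructed.
This needs the current password; it is not an administrative reset."""
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlencode

RESULT_TEXT = {
    "ok": "Password changed.",
    "invalid-password": "Current password (or OTP) rejected.",
    "policy-error": "New password violates the password policy.",
    "error": "Server could not change the password.",
}


def build_request(base_url, user, old_password, new_password, otp=None):
    """(url, form-encoded body, headers) for the change_password endpoint."""
    base_url = base_url.rstrip("/")
    fields = {"user": user, "old_password": old_password, "new_password": new_password}
    if otp:                                   # OTP token value travels as its own field
        fields["otp"] = otp
    body = urlencode(fields).encode("utf-8")
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Referer": base_url + "/ipa/ui/"}   # what the Web UI itself sends
    return base_url + "/ipa/session/change_password", body, headers


def interpret(result, policy_error=None):
    """(changed?, human-readable message) from the two response headers."""
    text = RESULT_TEXT.get(result or "", "Unexpected result header: %r" % (result,))
    if result == "policy-error" and policy_error:
        text += " " + policy_error
    return result == "ok", text


def change_password(base_url, user, old_password, new_password, otp=None, cafile=None):
    """Submit the change.  cafile should be the IPA CA certificate (/etc/ipa/ca.crt
    on enrolled hosts); never disable verification, the request carries passwords."""
    url, body, headers = build_request(base_url, user, old_password, new_password, otp)
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            hdrs = resp.headers
    except urllib.error.HTTPError as err:     # a non-2xx reply still carries the headers
        hdrs = err.headers
    return interpret(hdrs.get("X-IPA-Pwchange-Result"), hdrs.get("X-IPA-Pwchange-Policy-Error"))


if __name__ == "__main__":
    import getpass
    ok, msg = change_password("https://ipa.dev.example.net", input("user: "),
                              getpass.getpass("current password: "),
                              getpass.getpass("new password: "),
                              cafile="/etc/ipa/ca.crt")
    print(msg)
```

Because the endpoint accepts a user name and password from anywhere, the page in front of it is an online guessing surface; keep the IPA lockout policy (`ipa pwpolicy-show`) in mind and rate-limit at the web tier as well.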
[Freeipa-users] Re: new servers not creating DNS entries
Hi,

Can anyone throw some light on this? I'm also stuck here for the past few days with the same error, tried reinstalling the client, rebuilding the VM again, adding a manual DNS entry, nothing seems to work.

Thanks for your help,
Gotham
[Freeipa-users] User certs in the webUI
Just noticed that when I view a user in the web UI I cannot see their certificates. From a command line the certs show up just fine. I'm browsing with Firefox 66.0.2 on a RHEL 7.6 system, servers are on 4.6.4 and CentOS 7.5 or 7.6. I did try the latest google-chrome and it behaved the same. Used a windows desktop and firefox and the certs show up in the webUI just fine.

What is it about browsers on Linux that keeps that field from showing up?

--
Stephen Berg, IT Specialist, Oceanography Division, Code 7309
Naval Research Laboratory
W: (228) 688-5738
DSN: (312) 823-5738
C: (228) 365-0162
[Freeipa-users] Re: System Account for Client Enrollment
Dear Alexander,

Trust you are well. You are very helpful.

I am trying to configure LibreNMS with FreeIPA but am having the issues below. When I do ldapsearch, I get the error below. Please help me on this, what do I need to do?

Thanks

Sent from Mail for Windows 10