[Freeipa-users] Re: FreeIPA 2-way trust with MS AD
Yuri Krysko via FreeIPA-users wrote:
> Hello,
>
> I know in the past (late 2018) there was a question about not enough
> clarity as to what is actually a 2-way trust between FreeIPA and MS AD.
> Technically, there does not seem to be any difference between 1-way and
> 2-way trusts. Question: is there a more concrete timeline when you guys
> plan to implement capability for IdM users to login to MS resources?

Nothing more than it's being worked on, as it has been for the past several years. It's particularly challenging because the changes span multiple large projects that we influence but don't control, so some needed changes come faster than others.

rob

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
[Freeipa-users] FreeIPA 2-way trust with MS AD
Hello,

I know in the past (late 2018) there was a question about not enough clarity as to what is actually a 2-way trust between FreeIPA and MS AD. Technically, there does not seem to be any difference between 1-way and 2-way trusts. Question: is there a more concrete timeline when you guys plan to implement capability for IdM users to login to MS resources?

Thanks,
Yuri
[Freeipa-users] Re: Problem with smartcard login when otp is enabled
On 9/10/20 6:48 PM, Radoslaw Kujawa via FreeIPA-users wrote:
> I will coordinate with Jan to check if it is the same problem on his Ubuntu.

Indeed, all of these problems boil down to a missing krb5-pkinit package. I was confused, because even though krb5-pkinit was missing, the Smart Card authentication _was_ working (when OTP was disabled). So it didn't occur to me that could be the cause.

Best regards,
Radoslaw
[Freeipa-users] Re: Help - using aci for sync of userpassword hashes
Hi Rob (and others),

Thank you for taking the time to respond. I tried the suggested solution and it does not seem to allow the google user to modify ipa_pwd_extop. Specifically, I tried the following:

```
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=google,cn=users,cn=accounts,dc=XXX,dc=XXX
```

But the service still is not syncing password hashes (I am using Google Cloud Directory Sync; it only reads hashes from LDAP and compares them to stored hashes, and updates the stored hashes if a new password has been set in LDAP; there are no writes from Google to LDAP), as seen when running GCDS in debug mode (it doesn't get the userPassword attribute):

```
[2020-09-11 10:32:15,938+0200] [pool-3-thread-24] [DEBUG] [plugin.ldap.AbstractLdapHandler] Executing LDAP rule, scope "SUBTREE", filter "memberof=cn=mail,cn=groups,cn=accounts,dc=dsl,dc=lan"
[2020-09-11 10:32:15,943+0200] [pool-3-thread-24] [DEBUG] [plugin.ldap.AbstractLdapHandler] Will retrieve notable LDAP attribute "uid"
[2020-09-11 10:32:15,945+0200] [pool-3-thread-24] [DEBUG] [plugin.ldap.AbstractLdapHandler] Will retrieve notable LDAP attribute "mail"
[2020-09-11 10:32:15,945+0200] [pool-3-thread-24] [DEBUG] [plugin.ldap.AbstractLdapHandler] Will retrieve notable LDAP attribute "givenName"
[2020-09-11 10:32:15,945+0200] [pool-3-thread-24] [DEBUG] [plugin.ldap.AbstractLdapHandler] Will retrieve notable LDAP attribute "sn"
```

I have been suggested to try adding permissions via an aci, but am unsure of how to do this. The following was suggested:

`aci: (targetattr = "userPassword") (target = "ldap:///cn=users,cn=accounts,dc=,dc=") (version 3.0;acl "Allow password read";allow (read,compare,search)(groupdn = "ldap:///");)`

What would I need to specify as "groupdn"?
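The ACI quoted in the message above has two blanks that must be filled before it can be applied: the base DN in `target` (`dc=,dc=`) and the bind-rule subject (`groupdn = "ldap:///"`). The following is an added example, written for this page and not code from the thread or from FreeIPA or 389-ds: a small pre-flight linter for the single-bind-rule ACI form shown above that parses the `targetattr`, `target`, permission and bind-rule parts and reports exactly those blanks, plus least-privilege problems (write rights or `targetattr = "*"` on a hash-reader rule). The "filled" sample uses the placeholder base DN `dc=example,dc=test` and group `cn=pwsync-readers`; both are assumptions for the example, not values from the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: the ACI as posted in the thread, with the base DN and
# bind-rule DN left elided exactly as they appear in the message.
POSTED_ACI = (
    '(targetattr = "userPassword") '
    '(target = "ldap:///cn=users,cn=accounts,dc=,dc=") '
    '(version 3.0;acl "Allow password read";'
    'allow (read,compare,search)(groupdn = "ldap:///");)'
)

# Constructed sample: the same ACI with the blanks filled in. The base DN
# dc=example,dc=test and the group cn=pwsync-readers are assumptions made
# for this example, not values from the thread.
FILLED_ACI = (
    '(targetattr = "userPassword") '
    '(target = "ldap:///cn=users,cn=accounts,dc=example,dc=test") '
    '(version 3.0;acl "Allow password read";'
    'allow (read,compare,search)'
    '(groupdn = "ldap:///cn=pwsync-readers,cn=groups,cn=accounts,'
    'dc=example,dc=test");)'
)

KNOWN_RIGHTS = {"read", "write", "add", "delete", "search", "compare",
                "selfwrite", "proxy", "all"}
WRITE_RIGHTS = {"write", "add", "delete", "selfwrite", "all"}
# Special userdn subjects 389-ds accepts in place of a DN.
USERDN_KEYWORDS = {"anyone", "all", "self", "parent"}

_TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)')
_TARGET = re.compile(r'\(\s*target\s*(!?=)\s*"([^"]*)"\s*\)')
# Body with one bind rule, as in the thread; compound (and/or) bind rules
# are out of scope for this example.
_BODY = re.compile(
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*'
    r'(allow|deny)\s*\(([^)]*)\)\s*'
    r'\(\s*(userdn|groupdn|roledn)\s*(!?=)\s*"([^"]*)"\s*\)\s*;\s*\)'
)


@dataclass
class Aci:
    targetattr: list
    target: str
    name: str
    effect: str
    rights: list
    bind_keyword: str
    bind_subject: str


def parse_aci(text):
    """Split a 389-ds ACI string into its target, permission and bind-rule parts."""
    ta, tg, body = _TARGETATTR.search(text), _TARGET.search(text), _BODY.search(text)
    if not (ta and body):
        raise ValueError("not a recognised ACI: " + text)
    attrs = [a.strip() for a in ta.group(2).split("||") if a.strip()]
    rights = [r.strip().lower() for r in body.group(3).split(",") if r.strip()]
    return Aci(attrs, tg.group(2) if tg else "", body.group(1), body.group(2),
               rights, body.group(4), body.group(6))


def dn_problem(url, allow_keywords=False):
    """Describe what is wrong with an ldap:/// DN (empty DN, valueless RDN), or None."""
    prefix = "ldap:///"
    if not url.startswith(prefix):
        return f"{url!r} is not an ldap:/// URL"
    dn = url[len(prefix):]
    if not dn:
        return "the DN after ldap:/// is empty"
    if allow_keywords and dn in USERDN_KEYWORDS:
        return None
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            return f"RDN {rdn!r} has no value"
    return None


def lint_aci(text):
    """Pre-flight checks for an ACI meant to let one account read password hashes."""
    aci = parse_aci(text)
    findings = []
    if aci.target and (p := dn_problem(aci.target)):
        findings.append(f"target: {p}")
    if p := dn_problem(aci.bind_subject, allow_keywords=(aci.bind_keyword == "userdn")):
        findings.append(f"{aci.bind_keyword}: {p}")
    if aci.bind_subject == "ldap:///anyone":
        findings.append("userdn: grants the right to anonymous binds")
    if unknown := set(aci.rights) - KNOWN_RIGHTS:
        findings.append(f"rights: unknown right(s) {sorted(unknown)}")
    if aci.effect == "allow" and set(aci.rights) & WRITE_RIGHTS:
        findings.append("rights: grants write access; a hash reader only needs read,search,compare")
    if "read" not in aci.rights:
        findings.append("rights: 'read' is missing, so the attribute value cannot be returned")
    if "*" in aci.targetattr:
        findings.append("targetattr: '*' exposes every attribute, not just userPassword")
    return findings


if __name__ == "__main__":
    for label, aci in (("posted", POSTED_ACI), ("filled", FILLED_ACI)):
        print(label, lint_aci(aci) or "OK")
```

Run with `python3`: the posted rule yields two findings (the valueless `dc=` RDN in `target` and the empty `groupdn`), the filled rule yields none. The linter only checks syntax and scope; whether the chosen group actually contains the sync account's DN, and whether the server honours the rule for that bind, still has to be confirmed against the directory itself.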