[Freeipa-users] Re: CVE-2021-44228 log4j2 Vulnerability | FreeIPA version 4.6.8

2021-12-12 Thread Christophe Trefois via FreeIPA-users
Gotcha. The replies came in in parallel. 

Thanks for the details, Alexander!

Sent from my iPhone
Team Leader R3

> On 13 Dec 2021, at 08:32, Alexander Bokovoy wrote:
> 
> On Mon, 13 Dec 2021, Christophe Trefois wrote:
>> Shouldn’t it be up to the solution provider to answer this question rather 
>> than leave it up to the user?
>> 
>> pki is part of freeipa, it’s not my choice to install it.
>> 
>> We will check over at pki-ca anyway.
> 
> See my other response in the thread which came first. I think we are not
> affected at all because by default Dogtag does not use log4j in all
> supported distributions.
> 
> -- 
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
> 
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-users] Re: CVE-2021-44228 log4j2 Vulnerability | FreeIPA version 4.6.8

2021-12-12 Thread Christophe Trefois via FreeIPA-users
Shouldn’t it be up to the solution provider to answer this question rather than 
leave it up to the user? 

pki is part of freeipa, it’s not my choice to install it. 

We will check over at pki-ca anyway. 
Thanks 

> On 13 Dec 2021, at 08:08, Alexander Bokovoy via FreeIPA-users wrote:
> 
> On Mon, 13 Dec 2021, GAURAV Pande via FreeIPA-users wrote:
>> Hi Team,
>> Could you please let me know if FreeIPA version 4.6.8 is impacted by
>> CVE-2021-44228 (the log4j2 vulnerability)? And if yes, what changes can be
>> applied to remediate it?
> 
> FreeIPA itself does not have Java components. pki-ca does, so the
> question would rather be for PKI mailing list.
> 
> Please do not duplicate threads, there is already one for this
> discussion.
> 
> If you are using the web interface to look at the freeipa-users@ mailing
> list, please also do not forget about proper quoting of what you
> respond to.
> 
> 
> -- 
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland


[Freeipa-users] Is FreeIPA affected by log4shell?

2021-12-12 Thread Christophe Trefois via FreeIPA-users
Hi,

We checked the RHEL advisories and saw that RHEL 7 and 8 seem not to be impacted by 
log4shell; Red Hat IdM is not explicitly mentioned as being either safe or 
vulnerable.

Seeing as pki-tomcat is being used, we found these versions of log4j on the CA 
master nodes. 

log4j             1.2.17   java-archive
log4j-over-slf4j  1.7.4    java-archive
log4j12           1.7.4    java-archive

It would be great if somebody could help shed some light on this.

Thanks
T
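
The inventory in this post (log4j 1.2.17, log4j-over-slf4j, log4j12) is exactly what a scanner has to tell apart from log4j-core 2.x, which is the component CVE-2021-44228 affects. The script below is an added example, not FreeIPA or Dogtag code: it walks a directory, opens every jar/war (including jars nested inside wars), reports whether an archive carries log4j 1.x or log4j 2.x packages, whether the JndiLookup class the CVE abuses is present, and the Maven version from pom.properties. The archives it builds for itself are constructed stand-ins whose class entries are empty placeholders; it only says whether an artifact is present on disk, not whether Dogtag actually loads it.

```python
"""Triage Java archives for CVE-2021-44228. Added example, not FreeIPA or Dogtag code."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# CVE-2021-44228 lives in log4j-core 2.x; this is the JNDI lookup class it abuses.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J2_PREFIX = "org/apache/logging/log4j/"  # log4j 2.x (api and core share this package root)
LOG4J1_PREFIX = "org/apache/log4j/"          # log4j 1.x and API bridges such as log4j-over-slf4j
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None when absent or unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None


def core_vulnerable_to_44228(version, has_jndi_lookup):
    """Affected: log4j-core 2.0 .. 2.14.1 with JndiLookup present.
    Fixed lines: 2.15.0+, 2.12.2+ (Java 7 branch), 2.3.1+ (Java 6 branch).
    Deleting JndiLookup.class from the jar was the documented mitigation, so its absence clears it."""
    if not has_jndi_lookup:
        return False
    v = parse_version(version)
    if v is None:
        return True  # lookup class present, version unknown: treat as affected until proven otherwise
    if v >= (2, 15, 0) or (v[:2] == (2, 12) and v[2] >= 2) or (v[:2] == (2, 3) and v[2] >= 1):
        return False
    return v >= (2, 0, 0)


def _version_from_pom(zf):
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
            m = re.search(r"^version=(.+)$", zf.read(name).decode("utf-8", "replace"), re.M)
            if m:
                return m[1].strip()
    return None


def classify_archive(data, label):
    """Findings for one archive; nested archives are labelled outer!inner like a jar: URL."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        version = _version_from_pom(zf)
        has_jndi = JNDI_LOOKUP in names
        if any(n.startswith(LOG4J2_PREFIX) for n in names):
            findings.append({"archive": label, "component": "log4j-2.x", "version": version,
                             "jndi_lookup": has_jndi,
                             "cve_2021_44228": core_vulnerable_to_44228(version, has_jndi)})
        elif any(n.startswith(LOG4J1_PREFIX) for n in names):
            findings.append({"archive": label, "component": "log4j-1.x", "version": version,
                             "jndi_lookup": False, "cve_2021_44228": False})
        for n in names:
            if n.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(classify_archive(zf.read(n), f"{label}!{n}"))
    return findings


def scan_tree(root):
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES and zipfile.is_zipfile(path):
            findings.extend(classify_archive(path.read_bytes(), path.relative_to(root).as_posix()))
    return findings


def _zip_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_constructed_samples(root):
    """Constructed stand-ins for the artifacts listed above plus one nested log4j-core 2.14.1.
    Class entries are empty placeholders; only the entry names matter to the scanner."""
    root = Path(root)
    (root / "log4j-1.2.17.jar").write_bytes(_zip_bytes({
        LOG4J1_PREFIX + "Logger.class": b"",
        "META-INF/maven/log4j/log4j/pom.properties": b"version=1.2.17\n"}))
    (root / "log4j-over-slf4j-1.7.4.jar").write_bytes(_zip_bytes({LOG4J1_PREFIX + "Category.class": b""}))
    core = _zip_bytes({
        LOG4J2_PREFIX + "core/Logger.class": b"", JNDI_LOOKUP: b"",
        "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": b"version=2.14.1\n"})
    (root / "webapp.war").write_bytes(_zip_bytes({"WEB-INF/lib/log4j-core-2.14.1.jar": core}))


def demo():
    """Scan the constructed samples in a scratch directory; findings keyed by archive label."""
    with tempfile.TemporaryDirectory() as scratch:
        build_constructed_samples(scratch)
        return {f["archive"]: f for f in scan_tree(scratch)}


if __name__ == "__main__":
    for label, f in demo().items():
        print(f"{label}: {f['component']} {f['version']} jndi={f['jndi_lookup']} "
              f"CVE-2021-44228={f['cve_2021_44228']}")
```

Run it against a real tree with `scan_tree("/usr/share/java")` or the Tomcat lib directories; a log4j 1.x hit such as the ones listed above is reported with `cve_2021_44228` false, because Log4Shell is a log4j-core 2.x bug, whereas a 2.x core jar still carrying JndiLookup is flagged unless its version is one of the fixed lines.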


[Freeipa-users] Re: 2 factor authentication in Freeipa

2020-03-31 Thread Christophe TREFOIS via FreeIPA-users
Does this help?

https://blog.delouw.ch/2014/07/13/using-otp-tokens-and-2fa-with-freeipa-4-0/

The only inconvenience is that people have to paste the password + OTP on the 
same line and enter it in the password field.

-Original Message-
From: dmitriys via FreeIPA-users  
Sent: Tuesday, 31 March 2020 15:21
To: freeipa-users@lists.fedorahosted.org
Cc: dmitriys 
Subject: [Freeipa-users] 2 factor authentication in Freeipa

Hi!
I use Freeipa VERSION: 4.8.0, API_VERSION: 2.233

I want to use FreeIPA as a user store for other web services (like Jira, 
Jenkins, GitLab etc.). For security reasons we need 2-factor authentication. I 
read about OTP in FreeIPA, but almost all posts are about host authentication. How 
can I set up OTP for user login?
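
How the "password + OTP in the same field" login works, shown as an added Python example that is not FreeIPA's code: the server treats the trailing digits of the submitted string as the token code and everything before them as the static password, checks the code as an RFC 6238 TOTP, and refuses a code it has already accepted. The key used below is the RFC 4226/6238 test-vector key, not anything from this thread; the `OtpVerifier` class, its window handling and its replay bookkeeping are this example's own design.

```python
"""Password + OTP in one field, as the FreeIPA login described above expects. Added example, not FreeIPA code."""
import hashlib
import hmac
import struct

STEP = 30    # RFC 6238 defaults: 30-second step, 6 digits, HMAC-SHA1
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1(secret, counter) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now, step=STEP, digits=DIGITS):
    """RFC 6238: HOTP over the current time step."""
    return hotp(secret, int(now) // step, digits)


class OtpVerifier:
    """Server side of the 'paste password + code in the password field' flow.

    The submitted string is split at a fixed position: the last `digits` characters are the
    token code, everything before them is the static password. The highest accepted time step
    is remembered so a captured code cannot be replayed inside the validity window (a real
    server persists that counter per token). This class is this example's own design."""

    def __init__(self, password, secret, digits=DIGITS, window=1):
        self._password = password.encode()
        self._secret = secret
        self._digits = digits
        self._window = window          # time steps of clock drift tolerated on each side
        self._last_counter = -1

    def verify(self, submitted, now):
        if len(submitted) <= self._digits:
            return False
        password, code = submitted[:-self._digits], submitted[-self._digits:]
        if not code.isdigit():
            return False
        password_ok = hmac.compare_digest(password.encode(), self._password)
        counter = int(now) // STEP
        accepted = None
        # Evaluate every step in the window even after a hit so timing does not reveal which one matched.
        for delta in range(-self._window, self._window + 1):
            candidate = counter + delta
            if candidate < 0 or candidate <= self._last_counter:
                continue
            if hmac.compare_digest(hotp(self._secret, candidate, self._digits), code):
                accepted = candidate
        if not (password_ok and accepted is not None):
            return False
        self._last_counter = accepted
        return True


# RFC 4226 / RFC 6238 test-vector key (ASCII "12345678901234567890"), not a real token secret.
TEST_VECTOR_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = OtpVerifier("Secret!", TEST_VECTOR_SECRET)
    print(verifier.verify("Secret!" + totp(TEST_VECTOR_SECRET, 59), 59))   # True
    print(verifier.verify("Secret!" + totp(TEST_VECTOR_SECRET, 59), 59))   # False: replayed code
```

The split is positional, so a static password may itself end in digits without confusing the check; what matters operationally is the replay guard, since a 30-second code pasted into a web form that is logged or proxied is otherwise reusable until the window closes.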


[Freeipa-users] Re: sss_ssh_authorizedkeys slow on IPA-server

2020-02-09 Thread Christophe TREFOIS via FreeIPA-users
Have you checked the authentication source order in nsswitch.conf? Maybe it 
hits some timeout or so there.

From: Winfried de Heiden via FreeIPA-users 

Sent: Sunday 9 February 2020 13:55
To: freeipa-users@lists.fedorahosted.org
Cc: Winfried de Heiden 
Subject: [Freeipa-users] sss_ssh_authorizedkeys slow on IPA-server

Hi all,

For some reason, for a particular user, sss_ssh_authorizedkeys is extremely 
slow on the IPA-server:

time /usr/bin/sss_ssh_authorizedkeys 
~
real 0m9.520s
user 0m0.022s
sys 0m0.018s

It will return all the public keys, but it is slow, causing SSH login delays 
when using ssh keys.

On another CentOS Stream (8.1) IPA-client, using the same IPA-server:

time /usr/bin/sss_ssh_authorizedkeys 
~
real 0m0.020s
user 0m0.005s
sys 0m0.003s

Some difference...
Adding "certificate_verification = no_ocsp" to sssd.conf on the IPA server brings 
back performance, but sounds like a poor workaround.

Any idea what is happening here?

Some more details:
CentOS Linux release 8.1.1911 (Core) (stream)
ipa-client-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64
sssd-common-2.2.0-19.el8.x86_64

Winfried



[Freeipa-users] Re: Sequence rollover

2019-12-21 Thread Christophe TREFOIS via FreeIPA-users
Dear all,

Does anybody have any insights to give us ?

Thanks a lot,
Christophe


From: Sarah PETER via FreeIPA-users 
Sent: Wednesday 18 December 2019 10:19
To: FreeIPA users list 
Cc: Sarah PETER 
Subject: [Freeipa-users] Sequence rollover

Dear all,

since a few days we get the following message about 1-2 times a day in the 
error logs of several of our replicas:

INFO - csngen_new_csn - Sequence rollover; local offset updated.

Is this something we should be worried about?

We ran the readNsState.py script from 
https://directory.fedoraproject.org/docs/389ds/howto/howto-fix-and-reset-time-skew.html
and for one of the replicas it shows a big offset for the ipaca domain:

nsState is DwBM4/ldAAoAngUAAABF0g==
Little Endian
For replica cn=replica,cn=dc\3Duni\2Cdc\3Dlu,cn=mapping tree,cn=config
  fmtstr=[H6x3QH6x]
  size=40
  len of nsstate is 40
  CSN generator state:
Replica ID: 15
Sampled Time  : 1576657740
Gen as csn: 5df9e34c538290015
Time as str   : Wed Dec 18 09:29:00 2019
Local Offset  : 10
Remote Offset : 1438
Seq. num  : 53829
System time   : Wed Dec 18 09:30:07 2019
Diff in sec.  : 67
Day:sec diff  : 0:67

nsState is RwQAAAD+DtVdAAsADgAFAA==
Little Endian
For replica cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
  fmtstr=[H6x3QH6x]
  size=40
  len of nsstate is 40
  CSN generator state:
Replica ID: 1095
Sampled Time  : 1574244094
Gen as csn: 5dd50efe00051095
Time as str   : Wed Nov 20 11:01:34 2019
Local Offset  : 11
Remote Offset : 14
Seq. num  : 5
System time   : Wed Dec 18 09:30:07 2019
Diff in sec.  : 2413713
Day:sec diff  : 27:80913


However, there has not been a message about time/clock skew or any other error 
messages for that matter. We are running CentOS 7.7 with ipa-server 4.6.5-11.

Best regards,
Sarah


Sarah Peter
LCSB Bioinformatics Core & UL HPC Team

UNIVERSITÉ DU LUXEMBOURG

LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE
Campus Belval | Biotech II
6, avenue du Swing
L-4371 Belvaux
T +352 46 66 44 5360
sarah.pe...@uni.lu 
http://lcsb.uni.lu
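
The fields readNsState.py prints above come from a fixed-layout blob, and the log message asks what happens when the 16-bit sequence number runs out. The following Python is an added example, not the script from the 389-ds page and not FreeIPA code: it unpacks a 40-byte nsState with the same little-endian `H6x3QH6x` layout the script reports, reproduces the "Diff in sec." arithmetic, and models in simplified form (my own reading of the csngen logic, not the real code) how the generator rolls the sequence number into local_offset. The nsState strings as reproduced on this page are 24 base64 characters (16 bytes), shorter than the 40 bytes the script reports, so the example re-packs the decoded fields from the printed output instead of using those strings; `CSN_MAX_SEQNUM` and `next_csn` are assumptions of this model.

```python
"""Decode a 389-ds nsState blob and model the CSN generator's sequence rollover. Added example."""
import base64
import struct
import time

# 40-byte layout the readNsState.py output above reports (fmtstr [H6x3QH6x], little endian):
# replica id (uint16), 6 pad, sampled_time / local_offset / remote_offset (3 x uint64),
# seq_num (uint16), 6 pad.
NSSTATE_FMT = "<H6x3QH6x"
CSN_MAX_SEQNUM = 0xFFFF   # the sequence number is 16 bits wide (assumption of this model)


def decode_nsstate(nsstate_b64):
    raw = base64.b64decode(nsstate_b64)
    expected = struct.calcsize(NSSTATE_FMT)
    if len(raw) != expected:
        raise ValueError(f"nsState is {len(raw)} bytes, expected {expected}")
    rid, sampled, local_off, remote_off, seq = struct.unpack(NSSTATE_FMT, raw)
    return {"rid": rid, "sampled_time": sampled, "local_offset": local_off,
            "remote_offset": remote_off, "seq_num": seq}


def encode_nsstate(rid, sampled_time, local_offset, remote_offset, seq_num):
    """Inverse of decode_nsstate; used here to rebuild input from the fields printed above."""
    raw = struct.pack(NSSTATE_FMT, rid, sampled_time, local_offset, remote_offset, seq_num)
    return base64.b64encode(raw).decode("ascii")


def skew_report(state, now=None):
    """The script's 'Diff in sec.' and 'Day:sec diff' lines: wall clock minus sampled time."""
    now = int(time.time()) if now is None else int(now)
    diff = now - state["sampled_time"]
    days, secs = divmod(diff, 86400)
    return {"diff_sec": diff, "days": days, "secs": secs}


def next_csn(state, now):
    """Simplified model of CSN issuance (this example's reading of csngen, not the real code):
    the sequence number counts changes within one sampled second; when it is exhausted on the
    same sampled second the generator logs 'Sequence rollover; local offset updated.' and bumps
    local_offset instead, so CSNs keep increasing. A clock that fails to advance relative to the
    sampled time therefore has the same effect as a burst of writes."""
    now = int(now)
    event = None
    if now > state["sampled_time"]:
        state["sampled_time"] = now
        state["seq_num"] = 0
    elif state["seq_num"] == CSN_MAX_SEQNUM:
        state["local_offset"] += 1
        state["seq_num"] = 0
        event = "Sequence rollover; local offset updated."
    else:
        state["seq_num"] += 1
    tstamp = state["sampled_time"] + state["local_offset"] + state["remote_offset"]
    csn = f"{tstamp:08x}{state['seq_num']:04x}{state['rid']:04x}0000"
    return csn, event


if __name__ == "__main__":
    # Constructed from the fields printed for the dc=uni,dc=lu replica above.
    blob = encode_nsstate(15, 1576657740, 10, 1438, 53829)
    state = decode_nsstate(blob)
    print(state, skew_report(state, 1576657807))
```

To use it on a live server, read the `nsState` attribute of the `cn=replica` entry with ldapsearch and pass the base64 value to `decode_nsstate`; a large remote_offset or a sampled time far behind the wall clock is what the rollover message points at.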


[Freeipa-users] Re: FreeIPA/IdM versions on RHEL8

2019-12-06 Thread Christophe TREFOIS via FreeIPA-users
There is a difference between ipa-client and ipa-server.

> On 6 Dec 2019, at 18:32, Vinícius Ferrão via FreeIPA-users wrote:
> 
> Hi Christian
> 
>> On 6 Dec 2019, at 14:04, Christian Heimes via FreeIPA-users wrote:
>> 
>> On 06/12/2019 17.48, Vinícius Ferrão via FreeIPA-users wrote:
>>> Hello, this is probably a commercial question and not a technical one,
>>> but I’m curious about it.
>>> 
>>> As today RHEL8 ships with FreeIPA (IdM) 4.7. The latest release is 4.8
>>> with some interesting features.
>> RHEL 8.0 has 4.7.1. RHEL 8.1 already ships with IPA 4.8.0.
> 
> Yes, I was an amateur:
> Installing group/module packages:
>  ipa-client  x86_64  4.8.0-11.module+el8.1.0+4247+9f3fd721  rhel-8-for-x86_64-appstream-rpms  266 k
> 
> So FreeIPA will not have separation on AppStreams. It will always be updated 
> to the last version during minor releases of RHEL8.
> 
>> Spoiler alert: You may find additional information if you search for
>> "rebase ipa" on the Red Hat Bugzilla.
> 
> Thanks for this! :)
> 
> But there’s no official roadmap from Red Hat, right? I should always get it on 
> Bugzilla.
> 
>> Christian
>> 
>> -- 
>> Christian Heimes
>> Principal Software Engineer, Identity Management and Platform Security
>> 
>> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
>> Commercial register: Amtsgericht Muenchen, HRB 153243,
>> Managing Directors: Charles Cachera, Laurie Krebs, Michael O'Neill,
>> Thomas Savage





[Freeipa-users] Re: No Login on GUI

2019-12-06 Thread Christophe TREFOIS via FreeIPA-users
Have you checked certificates?

https://www.freeipa.org/page/Certmonger#Get_a_list_of_currently_tracked_certificates

Have you checked the Kerberos, Dirsrv and Tomcat logs?

https://www.freeipa.org/page/Troubleshooting/Administration_and_Web_UI

> On 6 Dec 2019, at 17:29, Christian Reiss via FreeIPA-users wrote:
> 
> Hey Angus,
> 
> thanks for replying. Allow me to reply inline:
> 
> On 06/12/2019 16:00, Angus Clarke wrote:
>> Have you checked your times are in sync within 5 minutes?
> 
> Yes. And it's monitored.
> 
>> Have you checked DNS is working for all node entries between all nodes?
> 
> Yes. And it's monitored. Even PTR <-> A check.
> 
>> Have you used ipactl [status|restart|stop]?
> 
> Yes.
> 
> [root@auth1:~] # ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> ntpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa: INFO: The ipactl command was successful
> 
> [root@auth2:~] # ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> ntpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa: INFO: The ipactl command was successful
> 
> auth3 is down.
> 
>>  -> Do you see certain services fail and have you checked their logs?
> 
> Well, that's the wild thing. ipa cli (host remove, host add etc.) all work from 
> auth1 (which the webui does not allow access to). And all changes are propagated 
> to auth2. Same for the other way around.
> 
> It's just the login to auth1.
> 
>> I'm hoping your remaining IPA server is the renewal master:
>> On remaining good server:
>> kinit admin
>> ipa config-show | grep "IPA CA renewal master"
> 
> auth1 and auth2 agree on auth1 being the IPA CA renewal master.
> 
>> If it is then the following rebuild instructions should be ok.
>> If it is not, then you prolly need some other advice (I haven't faced that 
>> situation yet ...)
> > [...]
> 
> The following items seem to mix my two problems.
> 
> a) auth1 web login broken,
> b) auth3 needs re-setup.
> 
> Any clue on how to debug the web login (or lack thereof) issue?
> Checked httpd logs, nothing to see there in the error logs.
> 
> Cheers,
> Chris.
> 
> -- 
> Christian Reiss - em...@christian-reiss.de / supp...@alpha-labs.net
> WEB alpha-labs.net
> 
> GPG Retrieval https://gpg.christian-reiss.de
> GPG ID ABCD43C5, 0x44E29126ABCD43C5
> GPG fingerprint = 9549 F537 2596 86BA 733C  A4ED 44E2 9126 ABCD 43C5
> 
> "It's better to reign in hell than to serve in heaven.",
>  John Milton, Paradise lost.
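
One way to act on the first suggestion above (look at what certmonger tracks), as an added Python example that is neither FreeIPA's nor certmonger's code: parse the text that `getcert list` prints and flag every request that is not in MONITORING, is marked stuck, reports a ca-error, or whose certificate is expired or close to expiry. The sample output embedded below is constructed for this example (request IDs, nicknames and dates are invented); the field names it parses (`status:`, `stuck:`, `ca-error:`, `certificate:`, `expires:`) are the ones the real tool prints.

```python
"""Flag unhealthy certmonger requests from `getcert list` output. Added example, not FreeIPA code."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list` output; the IDs, nicknames and dates are invented.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20191206120000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\texpires: 2021-12-06 12:00:00 UTC
Request ID '20191206120001':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tca-error: Internal error
\texpires: 2019-12-01 12:00:00 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':")
FIELD_RE = re.compile(r"^\s+(?P<key>[^:]+): (?P<value>.*)$")
NICK_RE = re.compile(r"nickname='(?P<nick>[^']*)'")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_getcert(text):
    """One dict per 'Request ID' block, keyed by the indented 'name: value' fields."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m["id"]}
            requests.append(current)
            continue
        f = FIELD_RE.match(line)
        if f and current is not None:
            current[f["key"].strip()] = f["value"].strip()
    return requests


def parse_utc(value):
    return datetime.strptime(value, EXPIRES_FMT).replace(tzinfo=timezone.utc)


def check_getcert(text, now, warn_days=28):
    """Requests worth looking at first, each with its reasons.
    `now` is a datetime or a string in the 'YYYY-MM-DD HH:MM:SS UTC' form certmonger prints."""
    now = parse_utc(now) if isinstance(now, str) else now
    problems = []
    for r in parse_getcert(text):
        reasons = []
        if r.get("status") != "MONITORING":
            reasons.append(f"status={r.get('status')}")
        if r.get("stuck") == "yes":
            reasons.append("stuck")
        if r.get("ca-error"):
            reasons.append(f"ca-error={r['ca-error']}")
        if r.get("expires"):
            left = parse_utc(r["expires"]) - now
            if left < timedelta(0):
                reasons.append("expired")
            elif left < timedelta(days=warn_days):
                reasons.append(f"expires in {left.days}d")
        if reasons:
            nick = NICK_RE.search(r.get("certificate", ""))
            problems.append({"id": r["id"], "nickname": nick["nick"] if nick else None,
                             "reasons": reasons})
    return problems


if __name__ == "__main__":
    for p in check_getcert(SAMPLE_GETCERT, datetime.now(timezone.utc)):
        print(p["id"], p["nickname"], ", ".join(p["reasons"]))
```

On a server, pipe the real output in with `getcert list | python3 this_script.py` after replacing the sample with `sys.stdin.read()`; a Web UI that refuses logins while the CLI works is often a single tracked certificate in a state other than MONITORING, and this lists exactly those.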


[Freeipa-users] Re: OPENSTACK INSTEANCE AUTO REGISTER ON IPA SERVER DOMAIN

2019-07-22 Thread Christophe TREFOIS via FreeIPA-users
In my view, you should put the ipa-client-install parts in the user-data script 
and perhaps use the community templates of foreman as a starting point.

https://github.com/theforeman/community-templates/blob/develop/provisioning_templates/user_data/kickstart_default_user_data.erb

and

https://github.com/theforeman/community-templates/blob/develop/provisioning_templates/snippet/freeipa_register.erb

> On 22 Jul 2019, at 15:58, NAZAN CENGIZ via FreeIPA-users wrote:
> 
> Hi,
> We have a Red Hat OpenStack (Queens) lab and an IPA server.
> We install the IPA client on an OpenStack instance; the instance is then 
> added to DNS on the IPA server, as below.
> 
> openstack server create --image image1 --flavor onap_worker_flavor \
>   --key-name onapkeypair --network onapnet1 --security-group onapsg --wait \
>   siem --user-data /home/stack/custominit.yaml --user-data /opt/images/openstack-sh
> 
> # on the siem instance
> sudo hostnamectl set-hostname siem.5ghvl.local
> sudo yum install ipa-client
> sudo ipa-client-install --hostname=`hostname -f` --mkhomedir \
>   --server=ipa.5ghvl.local --domain 5ghvl.local --realm 5GHVL.LOCAL
> 
> # on the OpenStack director
> openstack server stop siem.5ghvl.local
> openstack server image create --name siem_image siem.5ghvl.local
> openstack image set siem_image --public
> openstack server create --image siem_image --flavor onap_worker_flavor \
>   --key-name onapkeypair --network onapnet1 --security-group onapsg --wait \
>   new_siem --user-data /home/stack/custominit.yaml --user-data /opt/images/openstack-sh
> 
> Then the siem machine is turned into an image (siem_image), and siem_image 
> is turned into a virtual machine. The new instance has the IPA client, but 
> it is not added to the domain.
> Our goal is to auto-register virtual machines on the IPA server, but only 
> the original host (siem.5ghvl.local) is on the IPA server; 
> new_siem.5ghvl.local is not on the IPA server.
> Could you please help me?
> Best Regards.
> 
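
What "put the ipa-client-install parts in the user-data" looks like in practice, as an added Python example that is neither FreeIPA's nor Foreman's code. The domain, realm and server are the values from the post; the one-time password, the paths checked and the `plan`/`first_boot` helpers are this example's assumptions. The check it adds is the point: an image snapshotted from an enrolled instance still carries that host's keytab and client state, so a clone booted from it presents the old identity and is never registered under its new name, which matches the symptom above.

```python
"""First-boot IPA enrollment for cloud instances. Added example; not FreeIPA or Foreman code."""
import os
import subprocess

# Domain, realm and server are the values from the post; everything else is this example's assumption.
DOMAIN, REALM, SERVER = "5ghvl.local", "5GHVL.LOCAL", "ipa.5ghvl.local"
# Files an enrolled client leaves behind (paths assumed for this example). A snapshot of an
# enrolled instance carries them, so a clone booted from it already holds the old host's identity.
ENROLLMENT_MARKERS = ("/etc/krb5.keytab", "/var/lib/ipa-client/sysrestore/sysrestore.state")


def enroll_argv(hostname, otp):
    """Unattended ipa-client-install with a host one-time password, i.e. the password printed by
    `ipa host-add <fqdn> --random` on the server before the instance is booted."""
    return ["ipa-client-install", "--unattended", f"--hostname={hostname}",
            f"--domain={DOMAIN}", f"--realm={REALM}", f"--server={SERVER}",
            "--mkhomedir", f"--password={otp}"]


def stale_identity(markers=ENROLLMENT_MARKERS, exists=os.path.exists):
    """Enrollment state inherited from the image; non-empty means this is a clone of an enrolled host."""
    return [m for m in markers if exists(m)]


def plan(hostname, otp, present_paths=()):
    """Dry run: the argv that would be executed, or None when enrollment must be refused."""
    leftovers = stale_identity(exists=lambda p: p in present_paths)
    return None if leftovers else enroll_argv(hostname, otp)


def first_boot(hostname, otp, run=subprocess.run):
    """What the user-data script does: refuse to enroll over a cloned identity, otherwise enroll."""
    leftovers = stale_identity()
    if leftovers:
        raise RuntimeError(f"{hostname}: image carries enrollment state {leftovers}; rebuild the "
                           "image from an unenrolled host or run ipa-client-install --uninstall before imaging")
    return run(enroll_argv(hostname, otp), check=True)


if __name__ == "__main__":
    import socket
    import sys
    # The OTP is taken from an environment variable here; real user-data would carry it with the instance.
    sys.exit(0 if first_boot(socket.getfqdn(), os.environ["IPA_OTP"]).returncode == 0 else 1)
```

Two things to keep in mind when wiring this into user-data: the host one-time password is consumed by the enrollment, so a captured copy is useless afterwards, but user-data itself stays readable from the metadata service by any process on the instance, so it should carry nothing longer-lived than that OTP; and the image should be built from a host that was never enrolled (or was uninstalled first), because the refusal above only detects the problem, it does not repair it.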


[Freeipa-users] Re: Upgrade path in CentOS 7

2019-07-05 Thread Christophe TREFOIS via FreeIPA-users
Perfect, thank you Francois. I was actually on that page, but must have been 
blind :)

Thank you !

> On 4 Jul 2019, at 00:06, François Cami wrote:
> 
> Hi,
> 
> On Wed, Jul 3, 2019 at 11:37 PM Christophe TREFOIS via FreeIPA-users wrote:
>> 
>> Hi,
>> 
>> Is it required to upgrade via every minor release of CentOS, say 7.2,7.3,7.4 
>> etc to have a successful IPA upgrade, or can one also go from 7.2 to 7.6 
>> directly?
> 
> The official docs:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/updating-migrating#update-ipa-prereqs
> 
> mention "Red Hat recommends upgrading to the next version only."
> 
> Cheers
> François
> 
>> 
>> Any advice will be appreciated,
>> 
>> Thanks,
>> 
>> Chris


[Freeipa-users] Upgrade path in CentOS 7

2019-07-03 Thread Christophe TREFOIS via FreeIPA-users
Hi,

Is it required to upgrade via every minor release of CentOS, say 7.2,7.3,7.4 
etc to have a successful IPA upgrade, or can one also go from 7.2 to 7.6 
directly?

Any advice will be appreciated,
Thanks,

Chris




[Freeipa-users] Re: replication sync issues

2018-11-02 Thread Christophe TREFOIS via FreeIPA-users
Hi,

Have you looked at the reinitialize option rather than force-sync?

At least, it is the option we always use.

Best,

-Original Message-
From: Grant Janssen via FreeIPA-users  
Sent: Tuesday 30 October 2018 17:46
To: FreeIPA users list 
Cc: Grant Janssen 
Subject: [Freeipa-users] replication sync issues

I have these errors in the syslog of the primary, the syslog on the secondary 
is clean.

Oct 30 09:41:59 ef-idm01 ns-slapd: [30/Oct/2018:09:41:59.104092627 -0700] agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389) - Can't locate CSN 5afd965100020060 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
Oct 30 09:41:59 ef-idm01 ns-slapd: [30/Oct/2018:09:41:59.105088278 -0700] NSMMReplicationPlugin - changelog program - agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389): CSN 5afd965100020060 not found, we aren't as up to date, or we purged
Oct 30 09:41:59 ef-idm01 ns-slapd: [30/Oct/2018:09:41:59.105750108 -0700] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized.

I initiated a resync, but the errors continue to pile up on the primary.

grant@ef-idm02:~[20181030-9:36][#115]$ ipa-replica-manage force-sync --from ef-idm01.production.efilm.com
Directory Manager password: 

ipa: INFO: Setting agreement cn=meToef-idm02.production.efilm.com,cn=replica,cn=dc\=production\,dc\=efilm\,dc\=com,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meToef-idm02.production.efilm.com,cn=replica,cn=dc\=production\,dc\=efilm\,dc\=com,cn=mapping tree,cn=config
grant@ef-idm02:~[20181030-9:37][#116]$

thanx

- grant



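
The three ns-slapd lines above carry everything needed to decide what to do: the agreement name says which suffix is affected, the CSN encodes when and on which replica the missing change was generated, and the last message says the changelog no longer holds it, which is the case a force-sync cannot repair. The following Python is an added example, not FreeIPA or 389-ds code: it scans syslog lines for these messages, decodes the CSN (8 hex digits of Unix time, 4 of sequence number, 4 of replica ID, 4 of sub-sequence), and suggests the matching re-initialize command. The sample lines are constructed after the ones in the post, with a fourth invented line for a healthy agreement; mapping a `-pki-tomcat` agreement name to `ipa-csreplica-manage` follows FreeIPA's naming of its CA (o=ipaca) agreements.

```python
"""Spot 389-ds replication agreements that need re-initialization. Added example, not FreeIPA code."""
import re
from datetime import datetime, timezone

# Constructed after the three lines in the post; the fourth line is invented as a healthy control.
SAMPLE_SYSLOG = """\
Oct 30 09:41:59 ef-idm01 ns-slapd: [30/Oct/2018:09:41:59.104092627 -0700] agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389) - Can't locate CSN 5afd965100020060 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
Oct 30 09:41:59 ef-idm01 ns-slapd: [30/Oct/2018:09:41:59.105088278 -0700] NSMMReplicationPlugin - changelog program - agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389): CSN 5afd965100020060 not found, we aren't as up to date, or we purged
Oct 30 09:41:59 ef-idm01 ns-slapd: [30/Oct/2018:09:41:59.105750108 -0700] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized.
Oct 30 09:42:03 ef-idm01 ns-slapd: [30/Oct/2018:09:42:03.000000000 -0700] NSMMReplicationPlugin - agmt="cn=meToef-idm02.production.efilm.com" (ef-idm02:389): Replication bind with GSSAPI auth resumed
"""

SYSLOG_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+ns-slapd:")
AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\)')
CSN_RE = re.compile(r"\bCSN (?P<csn>[0-9a-fA-F]{16,20})\b")
REINIT_MARKERS = ("must be reinitialized", "purged from the changelog")


def decode_csn(csn):
    """389-ds CSN text: 8 hex digits of Unix time, 4 of sequence number, 4 of replica ID, 4 of sub-sequence."""
    csn = csn.lower()
    return {"time": datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc),
            "seq": int(csn[8:12], 16), "rid": int(csn[12:16], 16),
            "subseq": int(csn[16:20], 16) if len(csn) == 20 else 0}


def suffix_for_agreement(agmt):
    """FreeIPA names its CA (o=ipaca) agreements with a -pki-tomcat suffix; the rest are domain agreements."""
    return "o=ipaca" if agmt.endswith("-pki-tomcat") else "domain"


def scan(lines):
    """Per agreement: the supplier that logged it, the consumer it feeds, the CSNs it could not
    find and, once the changelog has been purged, the re-initialize command to run on the consumer."""
    findings = {}
    for line in lines:
        m = AGMT_RE.search(line)
        if not m:
            continue
        host = SYSLOG_RE.match(line)
        f = findings.setdefault(m["agmt"], {
            "supplier": host["host"] if host else None,
            "consumer": m["peer"].split(":")[0],
            "suffix": suffix_for_agreement(m["agmt"]),
            "missing_csns": [],
            "needs_reinit": False,
        })
        c = CSN_RE.search(line)
        if c and c["csn"] not in f["missing_csns"]:
            f["missing_csns"].append(c["csn"])
        if any(marker in line for marker in REINIT_MARKERS):
            f["needs_reinit"] = True
    for f in findings.values():
        if f["needs_reinit"]:
            tool = "ipa-csreplica-manage" if f["suffix"] == "o=ipaca" else "ipa-replica-manage"
            f["fix"] = f"on {f['consumer']}: {tool} re-initialize --from {f['supplier']}"
    return findings


if __name__ == "__main__":
    for agmt, f in scan(SAMPLE_SYSLOG.splitlines()).items():
        when = [decode_csn(c)["time"].isoformat() for c in f["missing_csns"]]
        print(agmt, f.get("fix", "ok"), when)
```

Note which tool the output names: the agreement in the post is the pki-tomcat one, so `ipa-replica-manage force-sync`, which only touches the domain suffix agreement, cannot fix it; the CA suffix has its own agreements and is managed with `ipa-csreplica-manage`. The decoded CSN time (May 2018 for the one in the post) also tells you how far back the consumer's view of that suffix is.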


[Freeipa-users] Re: /etc/httpd/alias not getting renewed cert

2018-07-09 Thread Christophe TREFOIS via FreeIPA-users
From what I know you could trigger a refresh by restarting certmonger.

> On 9 Jul 2018, at 07:38, Thomas Letherby via FreeIPA-users wrote:
> 
> Hello Fraser,
> 
> As I've been playing around with this before I dig in further I pulled the 
> expiry for the certificates across all the places I know to look, if I have a 
> cert listed, it's expired:
> 
> certutil -d /etc/pki/pki-tomcat/alias -L Up to date
> 
> certutil -d /etc/dirsrv/slapd-I-DOMAIN-NET -L 
> I.DOMAIN.NET  IPA CA
> 
> certutil -d /etc/httpd/alias -L
> Signing-Cert
> I.DOMAIN.NET  IPA CA
> 
> getcert-list all up to date.
> 
> ipa-getcert list all up to date
> 
> ldapsearch -Y GSSAPI -h `hostname` -p 389 -b "cn=I.DOMAIN.NET IPA CA,cn=certificates,cn=ipa,cn=etc,dc=i,dc=DOMAIN,dc=net"
> Expired
> 
> ldapsearch -Y GSSAPI -h `hostname` -p 389 -b uid=pkidbuser,ou=people,o=ipaca 
> "(objectclass=*)" usercertificate
> 1 - Expired
> 2 - Expired
> 3 - In date
> 
> I've managed to narrow down the expiries to a crossover of one day, and 
> setting the date to that day allows Tomcat-PKI to start, but the above 
> results show that the certs haven't updated yet, but they may do in the next 
> few hours?
> 
> Thomas
> 
> 
> 
> On Sun, Jul 8, 2018 at 11:23 AM Fraser Tweedale wrote:
> On Fri, Jul 06, 2018 at 09:21:44PM -0700, Thomas Letherby wrote:
> > Hello Fraser,
> > 
> > The serial numbers appear to match, but if I run ipa-certupdate I get the
> > following:
> > 
> > ipa-certupdate
> > trying https://server1.i.domain.net/ipa/json
> > 
> > Connection to https://server1.i.domain.net/ipa/json failed with [SSL:
> > CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
> > 
> > Tomcat is the only service that appears to be failing with the following
> > error:
> > 
> > Internal Database Error encountered: Could not connect to LDAP server host
> > xipa1.i.xrs444.net port 636 Error 
> > netscape.ldap.LDAPException: Unable to
> > create socket: org.mozilla.jss.ssl.SSLSocketException:
> > org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8181)
> > Peer's Certificate has expired. (-1)
> > 
> > But it should now be valid as I set the date back. If I set the date to
> > today I get this error:
> > 
> > Internal Database Error encountered: Could not connect to LDAP server host
> > xipa1.i.xrs444.net port 636 Error 
> > netscape.ldap.LDAPException: Unable to
> > create socket: org.mozilla.jss.ssl.SSLSocketException:
> > org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-12195)
> > Peer does not recognize and trust the CA that issued your certificate. (-1)
> > 
> > Looks like it can't load because the certificate it uses isn't valid, if I
> > roll the clock back so the CA cert is, the certificate Tomcat is using
> > isn't valid and if I roll forward the CA cert isn't.
> > 
> > How can I break this catch 22?
> > 
> Which is the not-yet-valid certificate at the time to which you
> rolled back?  The subsystemCert or the 389DS server certificate?
> 
> In either case, you can look in the Dogtag certificate repository
> (ou=certificateRepository,ou=ca,o=ipaca) for a version of the
> certificate that is valid at the relevant time.  Copy the cert data
> (you can base64-decode the value to get the binary DER certificate
> data).  Then you can delete the not-yet-valid-at-that-time
> certificate from the NSSDB and add the appropriate certificate using
> 
> certutil -d  -A -i 
> 
> If the certificate in question is the Dogtag subsystemCert, you will
> furthermore need to fix up the data in the uid=pkidbuser entry to
> match the "current" certificate.
> 
> HTH,
> Fraser
> 
> 
> > Thanks,
> > 
> > Thomas
> > 
> > 
> > 
> > 
> > On Fri, Jun 29, 2018 at 12:10 AM Fraser Tweedale wrote:
> > 
> > > On Thu, Jun 28, 2018 at 06:01:18PM -0700, Thomas Letherby wrote:
> > > > Hello all,
> > > >
> > > > Here's the info:
> > > >
> > > > certutil -d /etc/dirsrv/slapd-I-domain-NET -L
> > > >
> > > > Certificate Nickname Trust
> > > > Attributes
> > > >
> > > >  SSL,S/MIME,JAR/XPI
> > > >
> > > > Server-Cert  u,u,u
> > > > O=domain,ST=Arizona,C=US CT,C,C
> > > > I.domain.NET IPA CA   CT,C,C
> > > >
> > > > I.domain.NET  IPA CA is out of date for those.
> > > >
> > > Try running ipa-certupdate.  It will update the IPA CA certificate
> > > in the various trust stores including the DS NSSDB.
> > >
> > > It reads the certificates from
> > >
> > >   cn=YOUR.DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,{basedn}
> > >
> > > so you should probably check that 

[Freeipa-users] Re: Upgrade from CentOS 7.3 to 7.4 - Safe?

2017-11-10 Thread Christophe TREFOIS via FreeIPA-users
Hi,

How did you proceed? One by one just a yum update on all pending packages?

--

Dr Christophe Trefois, Dipl.-Ing.
Technical Specialist / Post-Doc

UNIVERSITÉ DU LUXEMBOURG

LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE
Campus Belval | House of Biomedicine
6, avenue du Swing
L-4367 Belvaux
T: +352 46 66 44 6124
F: +352 46 66 44 6949
http://www.uni.lu/lcsb





On 10 Nov 2017, at 00:30, Lachlan Musicman via FreeIPA-users wrote:

On 10 November 2017 at 10:17, Christophe TREFOIS via FreeIPA-users wrote:
Hi,

Is it considered safe to go from CentOS 7.3 FreeIPA 4.4 to CentOS 7.4 with 
FreeIPA 4.5?

Anything that we should know? Any issues? Things to consider?

Should we run yum update on all pending packages replica by replica?

Thanks for any feedback or stories you might have encountered.


We upgraded our test env and tested it and that worked as we expected. So we 
then did the same to our production env, and that also worked as expected. 
Which was really nice :)


cheers
L.

--
"The antidote to apocalypticism is apocalyptic civics. Apocalyptic civics is 
the insistence that we cannot ignore the truth, nor should we panic about it. 
It is a shared consciousness that our institutions have failed and our 
ecosystem is collapsing, yet we are still here — and we are creative agents who 
can shape our destinies. Apocalyptic civics is the conviction that the only way 
out is through, and the only way through is together. "

Greg Bloom @greggish https://twitter.com/greggish/status/873177525903609857