[Freeipa-users] Re: FreeIPA 4.6.1 cannot bind on 636 but can connect on port.
Hi,

I can do! Can it be that the certificate, self-signed, is more of a security issue now and that causes the problem? In the past I was able to use a self-signed one for internal tests.

Cheers,
Matt
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: FreeIPA 4.6.1 cannot bind on 636 but can connect on port.
No one has a clue about this?
[Freeipa-users] Re: API 3005 Unknown option:
OK, I'm not really getting further with this; this is how far I got:

    from ipaserver.plugins.user import user
    from ipaserver.plugins.user import user_add
    from ipalib import api, cli, Str, _
    from ipapython.dn import DN  # DN is used in the assert below but was not imported

    def your_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
        assert isinstance(dn, DN)
        super(user_add, self).pre_callback(ldap, dn, entry_attrs, attrs_list, *keys, **options)
        print("it's here")
        # orig_entry_attrs = ldap.get_entry(dn, ['customPerson'])
        # entry_attrs['customPerson'] = orig_entry_attrs['customPerson']
        # entry_attrs['customPerson'].append(entry_attrs['mailstoragepath'])
        # a registered pre-callback has to hand the DN back to the command
        return dn

    user.takes_params += (
        Str('mailstoragepath*',
            cli_name='mailstoragepath',
            label=_('Email Storage Path'),
        ),
    )
    user.possible_objectclasses.append('customPerson')
    user.default_attributes.append('mailstoragepath')

    # This errors on a IPA restart when uncommented
    # (register on the user_add command object; the user object class has no user_add attribute)
    #user_add.register_pre_callback(your_callback)

--

    >>> api.Command['user_add'](sn='test_1', givenname='name of test1',
    >>> uid='test_1', mailstoragepath='candy')
    Traceback (most recent call last):
      File "", line 1, in
      File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 450, in __call__
        return self.__do_call(*args, **options)
      File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 464, in __do_call
        params = self.args_options_2_params(*args, **options)
      File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 531, in args_options_2_params
        params = dict(self.__options_2_params(options))
      File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 564, in __options_2_params
        option=unused_keys.pop())
    ipalib.errors.OptionError: Unknown option: mailstoragepath

What am I doing wrong here?

Thanks,
Matt
[Freeipa-users] Re: ipa-restore: a bytes-like object is required, not 'str'
Hi Christian,

Thanks for the heads-up! I will remove that part of the code; that will fix it for the time being!

Cheers,
Matt
[Freeipa-users] Re: ipa-restore: a bytes-like object is required, not 'str'
Hi,

Yes, Fedora 27. Not sure if I had the same on the latest 4.5.4 on F26, as that install was broken in some strange way without any changes and had kind of the same issue, I thought. What I run now on F27 is:

    # rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base
    freeipa-server-4.6.1-3.fc27.x86_64
    freeipa-client-4.6.1-3.fc27.x86_64
    package ipa-server is not installed
    package ipa-client is not installed
    389-ds-base-1.3.7.8-1.fc27.x86_64
[Freeipa-users] API 3005 Unknown option:
Hi Guys,

I have added my own user attribute, which works perfectly fine from the web GUI and the CLI but not using the API, where I get this error as the response:

    3005 Unknown option:

I thought this would line up easily; what goes wrong?

Thanks,
Matt
[Freeipa-users] Re: Private PEN for OID not accepted
Hi,

Thanks, you got me in the right direction as well!

Cheers,
Matt
[Freeipa-users] ipa-restore: a bytes-like object is required, not 'str'
On a freshly installed IPA server where I do a backup and restore right after installation I get:

    a bytes-like object is required, not 'str'
    The ipa-restore command failed. See /var/log/iparestore.log for more information

    2018-01-23T04:05:29Z DEBUG stderr=
    2018-01-23T04:05:29Z DEBUG Creating log directories for dogtag
    2018-01-23T04:05:29Z INFO Restoring from userRoot in MY-DOMAIN-TLD
    2018-01-23T04:05:29Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 174, in execute
        return_value = self.run()
      File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_restore.py", line 396, in run
        self.ldif2db(instance, backend, online=options.online)
      File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_restore.py", line 554, in ldif2db
        ldif_parser.parse()
      File "/usr/lib64/python3.6/site-packages/ldif.py", line 470, in parse
        return self.parse_entry_records() # parse()
      File "/usr/lib64/python3.6/site-packages/ldif.py", line 460, in parse_entry_records
        self.handle(dn,entry)
      File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_restore.py", line 130, in handle
        self.writer.unparse(dn, entry)
      File "/usr/lib64/python3.6/site-packages/ldif.py", line 210, in unparse
        self._unparseAttrTypeandValue('dn', dn)
      File "/usr/lib64/python3.6/site-packages/ldif.py", line 158, in _unparseAttrTypeandValue
        self._unfold_lines(': '.join([attr_type, attr_value.decode('ascii')]))
      File "/usr/lib64/python3.6/site-packages/ldif.py", line 121, in _unfold_lines
        self._output_file.write(line)
    2018-01-23T04:05:29Z DEBUG The ipa-restore command failed, exception: TypeError: a bytes-like object is required, not 'str'
    2018-01-23T04:05:29Z ERROR a bytes-like object is required, not 'str'
    2018-01-23T04:05:29Z ERROR The ipa-restore command failed. See /var/log/iparestore.log for more information

What goes wrong here?
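An added example, not from this thread and not python-ldap's or FreeIPA's code, that reproduces the failure mode in the traceback above: the LDIF writer decodes attribute values to str and writes them to whatever stream it was handed, so a sink opened in binary mode raises exactly the TypeError shown. The block shows that pattern against an in-memory BytesIO next to a writer that checks the stream type and encodes when the sink is binary; it also applies the RFC 2849 rule that values which are not safe ASCII go out base64-encoded on an "attr::" line. The entry data and all function names are constructed for this illustration.

```python
import base64
import io
from typing import Dict, List

# Constructed sample entry in the shape python-ldap's LDIF parser hands back:
# the DN as str, attribute values as bytes.
SAMPLE_DN = "uid=alice,cn=users,cn=accounts,dc=example,dc=test"
SAMPLE_ENTRY: Dict[str, List[bytes]] = {
    "objectClass": [b"top", b"person"],
    "uid": [b"alice"],
    "cn": [b"Alice Example"],
}


def _is_safe_string(value: bytes) -> bool:
    """RFC 2849 SAFE-STRING: ASCII only, no NUL/CR/LF, no leading space, ':' or '<'."""
    if not value:
        return True
    if value[0] in b" :<":
        return False
    return all(b < 0x80 and b not in (0x00, 0x0A, 0x0D) for b in value)


def format_ldif(dn: str, entry: Dict[str, List[bytes]]) -> str:
    """Render one entry as LDIF text; unsafe values use the 'attr:: base64' form."""
    lines = ["dn: " + dn]
    for attr, values in entry.items():
        for value in values:
            if _is_safe_string(value):
                lines.append(f"{attr}: {value.decode('ascii')}")
            else:
                lines.append(f"{attr}:: {base64.b64encode(value).decode('ascii')}")
    return "\n".join(lines) + "\n\n"


def write_text_only(out, dn: str, entry: Dict[str, List[bytes]]) -> int:
    """The pattern behind the traceback: always hand str to the stream.
    On a binary stream this raises TypeError("a bytes-like object is required, not 'str'")."""
    return out.write(format_ldif(dn, entry))


def write_any_stream(out, dn: str, entry: Dict[str, List[bytes]]) -> int:
    """Hand str to text streams and UTF-8 bytes to binary streams."""
    text = format_ldif(dn, entry)
    if isinstance(out, io.TextIOBase):      # StringIO, open(path, "w"), ...
        return out.write(text)
    return out.write(text.encode("utf-8"))  # BytesIO, open(path, "wb"), ...


def demo() -> dict:
    """Run both writers against a text and a binary sink and report what happened."""
    result = {}
    try:
        write_text_only(io.BytesIO(), SAMPLE_DN, SAMPLE_ENTRY)
        result["text_only_on_binary"] = "ok"
    except TypeError as exc:
        result["text_only_on_binary"] = str(exc)
    text_sink, binary_sink = io.StringIO(), io.BytesIO()
    write_any_stream(text_sink, SAMPLE_DN, SAMPLE_ENTRY)
    write_any_stream(binary_sink, SAMPLE_DN, SAMPLE_ENTRY)
    result["text"] = text_sink.getvalue()
    result["binary"] = binary_sink.getvalue()
    return result


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```

The type check on the sink is the whole fix: a restore tool that opens its output with "wb" and a writer that produces str are each fine on their own, and the mismatch only shows up at the first entry written, which is why a fresh backup/restore trips over it immediately.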
[Freeipa-users] Re: Forwarders don't work when enabled but do work when disabled
Which details do you need?
[Freeipa-users] Re: Forwarders don't work when enabled but do work when disabled
Hi,

I needed to respond on this one, sorry for my delay. I was using Forward Zones with Zone Forwarders. I finally fixed it all with delegation, or am I wrong here?

Thanks,
Matt
[Freeipa-users] FreeIPA 4.6.1 cannot bind on 636 but can connect on port.
Hi Guys,

I have some strange issue where FreeIPA 4.6.1 accepts telnet connections on port 636 but no bind. Both are successful on 389. This didn't happen on 4.5.4. Any idea?

Thanks,
Matt
[Freeipa-users] Re: ipa: ERROR: No valid Negotiate header in server response
Hi,

It seems my test server was borked, but I have no clue why, as nothing fancy was done on it. Will update this when something like the same happens again.

Cheers,
Matt
[Freeipa-users] ipa: ERROR: No valid Negotiate header in server response
Hello,

I'm facing an issue on my IPA server (currently 4.6.1; the same happened on 4.5.4) with Kerberos tickets. As I was investigating this and tried to add a server with an admin ticket, I get the following both on the IPA server itself and on a client with freeipa-admintools as well:

    $ kinit admin
    $ klist
    Ticket cache: KEYRING:persistent:0:0
    Default principal: ad...@domain.tld

    Valid starting       Expires              Service principal
    01/21/2018 22:52:35  01/22/2018 22:52:29  HTTP/ipa-01.domain@domain.tld
    01/21/2018 22:52:30  01/22/2018 22:52:29  krbtgt/domain@domain.tld
    $ ipa service-add HTTP/client-01.domain@domain.tld
    ipa: ERROR: No valid Negotiate header in server response

What is going wrong here? I cannot find much about it.

Thanks,
Matt
[Freeipa-users] Private PEN for OID not accepted
Hi guys,

I'm having an issue with my private PEN when I want to add an objectclass and an attribute with the following ldif (9 is a replacement for my private PEN registered at IANA). The following output is what I get:

    modifying entry "cn=schema"
    ldap_modify: Invalid syntax (21)
        additional info: attribute type myAttributeName: Unknown attribute syntax OID "1.3.6.1.4.1.9.1.1.2.2.1"

    modifying entry "cn=schema"
    ldap_modify: Invalid syntax (21)
        additional info: object class ( 1.1.2.1.1 NAME 'customPerson' SUP top SYNTAX 1.3.6.1.4.1.9.1.1.2.1.1 AUXILIARY MAY ( myAttributeName ) X-ORIGIN 'Extending FreeIPA' ): Failed to parse objectclass, error(2) at ( 1.3.6.1.4.1.9.1.1.2.1.1 AUXILIARY MAY ( myAttributeName ) X-ORIGIN 'Extending FreeIPA' ))

And this is the (as far as I know) good ldif:

    dn: cn=schema
    changetype: modify
    add: attributeTypes
    attributeTypes: ( 1.1.2.2.1 NAME 'myAttributeName' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.9.1.1.2.2.1 X-ORIGIN 'Extending FreeIPA' )

    dn: cn=schema
    changetype: modify
    add: objectClasses
    objectClasses: ( 1.1.2.1.1 NAME 'customPerson' SUP top SYNTAX 1.3.6.1.4.1.9.1.1.2.1.1 AUXILIARY MAY ( myAttributeName ) X-ORIGIN 'Extending FreeIPA' )

This should work as far as I know and discussed on IRC, and I also read it here: https://www.redhat.com/archives/freeipa-users/2017-January/msg00222.html

I hope someone can explain what could be going wrong.

Thanks,
Matt
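As an added illustration (not part of Matt's post and not FreeIPA or 389-ds code), here is a small Python pre-check for schema LDIF that flags the two things the server objected to above before the modify is sent. An attributeType's SYNTAX clause must name an LDAP syntax OID; the RFC 4517 syntaxes sit under 1.3.6.1.4.1.1466.115.121.1 (for example .15 for Directory String), and the private enterprise arc belongs in the definition's own OID, not in SYNTAX. An objectClass description (RFC 4512) has no SYNTAX clause at all, which is why the second definition fails to parse. The checker also verifies that each definition's OID sits under the private arc. The arc 1.3.6.1.4.1.9 is the same placeholder as in the post; the posted LDIF is reproduced as constructed sample input next to a corrected version, and the function names are this example's own.

```python
import re
from typing import List, Optional, Tuple

# Arc under which the RFC 4517 LDAP syntaxes are defined; every SYNTAX clause must
# point here (e.g. 1.3.6.1.4.1.1466.115.121.1.15 = Directory String), not into a PEN.
LDAP_SYNTAX_ARC = "1.3.6.1.4.1.1466.115.121.1."

# Placeholder private enterprise arc, as in the post (9 stands in for the real PEN).
PEN_ARC = "1.3.6.1.4.1.9."


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) back onto the line they continue."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def split_definition(value: str) -> Tuple[Optional[str], str]:
    """Return (numericoid, rest) from a '( oid ... )' schema description."""
    m = re.match(r"^\(\s*(\S+)\s+(.*?)\s*\)$", value.strip())
    if not m:
        return None, value
    return m.group(1), m.group(2)


def check_schema_ldif(text: str, pen_arc: str = PEN_ARC) -> List[str]:
    """Return a list of findings; an empty list means the definitions look acceptable."""
    findings: List[str] = []
    for line in unfold_ldif(text):
        attr, sep, value = line.partition(":")
        kind = attr.strip().lower()
        if not sep or kind not in ("attributetypes", "objectclasses"):
            continue
        oid, body = split_definition(value)
        if oid is None:
            findings.append(f"{attr}: cannot parse definition {value.strip()!r}")
            continue
        name_m = re.search(r"\bNAME\s+'([^']+)'", body)
        name = name_m.group(1) if name_m else oid
        if not oid.startswith(pen_arc):
            findings.append(f"{name}: OID {oid} is not under the private arc {pen_arc}")
        syntax_m = re.search(r"\bSYNTAX\s+([\d.]+)", body)
        if kind == "attributetypes":
            if syntax_m is None:
                findings.append(f"{name}: attribute type has no SYNTAX clause")
            elif not syntax_m.group(1).startswith(LDAP_SYNTAX_ARC):
                findings.append(
                    f"{name}: SYNTAX {syntax_m.group(1)} is not an LDAP syntax OID "
                    f"(use one under {LDAP_SYNTAX_ARC}, e.g. ...15 for Directory String)"
                )
        elif syntax_m is not None:
            findings.append(
                f"{name}: object classes take no SYNTAX clause "
                f"(remove 'SYNTAX {syntax_m.group(1)}')"
            )
    return findings


# Constructed copy of the LDIF from the post (folded onto continuation lines).
POSTED_LDIF = """\
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.1.2.2.1 NAME 'myAttributeName' EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.9.1.1.2.2.1
  X-ORIGIN 'Extending FreeIPA' )

dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 1.1.2.1.1 NAME 'customPerson' SUP top
  SYNTAX 1.3.6.1.4.1.9.1.1.2.1.1 AUXILIARY MAY ( myAttributeName )
  X-ORIGIN 'Extending FreeIPA' )
"""

# Constructed corrected version: OIDs under the PEN, a real syntax OID, no SYNTAX on the class.
CORRECTED_LDIF = """\
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.9.1.1.2.2.1 NAME 'myAttributeName' EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  X-ORIGIN 'Extending FreeIPA' )

dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.9.1.1.2.1.1 NAME 'customPerson' SUP top AUXILIARY
  MAY ( myAttributeName ) X-ORIGIN 'Extending FreeIPA' )
"""

if __name__ == "__main__":
    for label, ldif in (("posted", POSTED_LDIF), ("corrected", CORRECTED_LDIF)):
        print(label, check_schema_ldif(ldif) or ["no findings"])
```

Running the checker over the posted LDIF reports four findings (both definition OIDs outside the private arc, the attribute's SYNTAX pointing into the PEN, and the objectClass carrying a SYNTAX clause); the corrected version reports none. The prefix check keeps the trailing dot on the arc so that a neighbouring enterprise number such as ...1.90 is not mistaken for ...1.9.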
[Freeipa-users] Re: Forwarders don't work when enabled but do work when disabled
I checked all that, but it was no solution. As the forwarded subdomain had a parent, I think I needed the delegation anyway. I need to set up another test for it, but I'm pretty sure the same happens. Can you check if it's a bug or so?
[Freeipa-users] Re: Forwarders don't work when enabled but do work when disabled
I need to retest it, but what I did was:

- Create a forward-only zone for a subdomain
- Add the delegation for the subdomain to the parent

Nslookups did not work. I disabled the forward zone and it started to work.
[Freeipa-users] Re: Forwarders don't work when enabled but do work when disabled
Hi Martin,

I disabled them from the GUI. What do you want to know about the config?

Cheers,
Matt
[Freeipa-users] Plugin for simple user attribute / textfield in Gui
Hi Guys,

Compared to the great demo by Ab: https://github.com/abbra/freeipa-userstatus-plugin

I was wondering if someone created something like it but for a simple text field as well. Reinventing the wheel is not good, so maybe someone has a working example/plugin.

Thanks!
Matt
[Freeipa-users] Forwarders don't work when enabled but do work when disabled
Hi,

Happy and Healthy 2018 first of all!

I have something strange on:

    # ipa --version
    VERSION: 4.5.4, API_VERSION: 2.228

Forwarders are not working when they are enabled, but when I disable them they work perfectly fine. What kind of strange thing is this?
[Freeipa-users] adduser using keytab does not work, using kinit credential it does
I try to add a user using a principal for which a keytab has been received; the user and its group are the owner, and chmod is 600 as it should be. The user can create a valid credential using this keytab. When I call the user_add command I get the following error:

    Array
    (
        [error] => Array
            (
                [code] => 2100
                [data] => Array
                    (
                        [info] => Could not read UPG Definition originfilter. Check your permissions.
                    )
                [message] => Insufficient access: Could not read UPG Definition originfilter. Check your permissions.
                [name] => ACIError
            )
        [id] =>
        [principal] => testuser/ipa-01.mydomain.tld@MY.DOMAIN
        [result] =>
        [version] => 4.4.4
    )

Everything goes well when I do a 'kinit testuser', create a credential and then call the user_add function again. Where could this go wrong?
[Freeipa-users] Re: Get userstatus back from ldap login
I have solved this by some status codes.
[Freeipa-users] Re: WebGui Cert back to selfsigned
Hi Florence,

Sorry for my late response, but that was indeed an option, and I already tried to set back the time, which worked but failed after a couple of times. I got the info out which I needed, and as it was a test box I installed a new one after all!

Thanks for the heads-up!

Cheers,
Matt
[Freeipa-users] Get userstatus back from ldap login
Hi guys,

I thought that by default (because of security reasons) it was not possible to get back from a login whether the user account exists, but that it was possible to make some setting to have this available. Is someone able to tell me how to do this so my LDAP clients get back the right status?

Thanks,
Matt
[Freeipa-users] Re: [+] Re: ipa-server-install fails on fresh install
I can update this with the fact that an install with 4.5.4-0.fc26 goes well on F26!
[Freeipa-users] Re: [+] Re: ipa-server-install fails on fresh install
Does this still exist? I have the same on a 4.6.1 install; ipa-certupdate seems to fail.
[Freeipa-users] Server-Cert not found on setup-le.sh, does also not exist
I'm trying to install a Let's Encrypt certificate using the setup-le.sh script provided by the freeipa GitHub repo. It all goes fine, but it finishes/stops with:

    ipa: INFO: Systemwide CA database updated.
    ipa.ipaclient.install.ipa_certupdate.CertUpdate: INFO: The ipa-certupdate command was successful
    certutil: Server-Cert is neither a key-type nor a nickname: SEC_ERROR_BAD_DATABASE: security library: bad database.

In none of the databases is there any cert named Server-Cert anymore, so what am I missing here?
[Freeipa-users] WebGui Cert back to selfsigned
Hi Guys,

Is there a proven way to set the WebGui cert back to a self-signed one? I have installed an expired 3rd-party certificate and want to move back to a self-signed cert and later on to a Let's Encrypt one. Setting back the time on the server to before the expiration of the certificate would be a start, and also disabling all nameservers in /etc/resolv.conf so the time is not updated on an ipa start/restart. But what then? Is there no "reset command/way" available?

Thanks!
Matt
[Freeipa-users] Fwd: Change subdomain
Hi Guys,

When you have a subdomain with hosts in it, is it possible to change that subdomain in a simple way? A normal DNS server can do this, but as LDAP is involved I hope this is possible as well!

Thanks,
Matt