[Freeipa-users] Re: Expired Certificates.
Is the cert store's CA the same? If it is the same, just import a valid cert again; then it should be fine.

On Thu, Jan 17, 2019 at 11:31 AM Bhavin Vaidya via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Hello,
>
> We rebooted our primary FreeIPA server (ds01) and then it will not start pki-tomcatd; Kerberos will also not work, though it starts.
> We realized that 2 certificates have expired.
> We tried stopping ipa, stopping NTP, going back to Dec 14th, 2018 and restarting certmonger, then bringing the date back, but still no luck.
>
> This is our primary, and we do have 2 local and 2 remote FreeIPA servers; on them only one of the certificates (June 15th, 2018) is showing expired and the others are good.
>
> Do we have to go back to a date before June 15th, 2018 on ds01?
> Details are:
>
> [root@ds01 ~]# cat /etc/centos-release
> CentOS Linux release 7.4.1708 (Core)
>
> [root@ds01 ~]# ipa ca-find
>
> 1 CA matched
>
>   Name: ipa
>   Description: IPA CA
>   Authority ID: 606<...SNIP..>450
>   Subject DN: CN=Certificate Authority,O=DOMAIN.COM
>   Issuer DN: CN=Certificate Authority,O=DOMAIN.COM
>
> Number of entries returned 1
>
>
> [root@ds02 ~]# ipa ping
> ---
> IPA server version 4.5.0. API version 2.228
>
> [root@ds01 ~]# KRB5_TRACE=/dev/stdout kinit admin
> [5509] 1547598366.261229: Getting initial credentials for ad...@domain.com
> [5509] 1547598366.267532: Sending request (171 bytes) to DOMAIN.COM
> [5509] 1547598366.268593: Resolving hostname ds01.domain.com
> [5509] 1547598366.269479: Sending initial UDP request to dgram 192.1xx.xxx.xxx:88
> [5509] 1547598367.270712: Initiating TCP connection to stream 192.1xx.xxx.xxx:88
> [5509] 1547598367.270884: Sending TCP request to stream 192.1xx.xxx.xxx:88
> [5509] 1547598372.338780: Received answer (171 bytes) from dgram 192.1xx.xxx.xxx:88
> [5509] 1547598372.338841: Terminating TCP connection to stream 192.1xx.xxx.xxx:88
> [5509] 1547598372.338989: Response was from master KDC
> [5509] 1547598372.339095: Received error from KDC: -1765328324/Generic error (see e-text)
> kinit: Generic error (see e-text) while getting initial credentials
>
>
> [root@ds01 ~]# getcert list
> Number of certificates and requests being tracked: 9.
> Request ID '20180228053337':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>         certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>         CA: SelfSign
>         issuer: CN=ds01.domain.com,O=DOMAIN.COM
>         subject: CN=ds01.domain.com,O=DOMAIN.COM
>         expires: 2019-03-07 06:24:12 UTC
>         principal name: krbtgt/domain@domain.com
>         certificate template/profile: KDCs_PKINIT_Certs
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>         track: yes
>         auto-renew: yes
> Request ID '20180315021457':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=DOMAIN.COM
>         subject: CN=CA Audit,O=DOMAIN.COM
>         expires: 2020-02-25 04:27:49 UTC
>         key usage: digitalSignature,nonRepudiation
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20180315021500':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=DOMAIN.COM
>         subject: CN=OCSP Subsystem,O=DOMAIN.COM
>         expires: 2020-02-25 04:28:38 UTC
>         eku: id-kp-OCSPSigning
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20180315021501':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pk
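An added example, not code from the thread or from FreeIPA: the check a practitioner would run over the `getcert list` output quoted above before deciding whether to roll the clock back and which certificates to renew. It splits the output into one record per tracked request, flags anything expired, stuck or inside a warning window, and reports the earliest expiry, which is the date the clock would have to be set before for every tracked certificate to be valid at once. The sample output is constructed in the layout of the quoted output; the first two requests mirror quoted ones, while the third request (its ID, Server-Cert nickname, CA_UNREACHABLE status and expiry date) is made up so the failure branches are exercised.

```python
"""Expiry report over `getcert list` output (certmonger), as used on FreeIPA servers."""
import re
from datetime import datetime, timezone

# Constructed sample in the layout of the `getcert list` output quoted in the thread.
# The first two requests mirror quoted ones; the third (Server-Cert, expired and stuck)
# is made up so that the failure branches below are exercised.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20180228053337':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
\tcertificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
\tCA: SelfSign
\tsubject: CN=ds01.domain.com,O=DOMAIN.COM
\texpires: 2019-03-07 06:24:12 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20180315021457':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Audit,O=DOMAIN.COM
\texpires: 2020-02-25 04:27:49 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20180315021599':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pin set
\tCA: IPA
\tsubject: CN=ds01.domain.com,O=DOMAIN.COM
\texpires: 2018-06-15 03:10:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

THREAD_DATE = datetime(2019, 1, 17, tzinfo=timezone.utc)   # date of the thread, used as "now" below
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"                     # certmonger's expiry format
REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request (field name -> value)."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")      # split at the first colon only
            current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """Turn 'YYYY-MM-DD HH:MM:SS UTC' into an aware datetime."""
    return datetime.strptime(value, EXPIRES_FMT).replace(tzinfo=timezone.utc)


def classify(request, now, warn_days):
    """Verdict for one request (EXPIRED, STUCK, EXPIRING, NO_CERT or OK) and days left."""
    if "expires" not in request:
        return "NO_CERT", None                       # e.g. a request still waiting on the CA
    days_left = (parse_expiry(request["expires"]) - now).total_seconds() / 86400
    if days_left <= 0:
        verdict = "EXPIRED"
    elif request.get("stuck") == "yes" or request.get("status") != "MONITORING":
        verdict = "STUCK"                            # certmonger is not renewing it; it will expire on schedule
    elif days_left <= warn_days:
        verdict = "EXPIRING"
    else:
        verdict = "OK"
    return verdict, days_left


def expiry_report(text, now, warn_days=30):
    """{request_id: (verdict, days_left, subject)} for every tracked request."""
    return {r["request_id"]: classify(r, now, warn_days) + (r.get("subject", "?"),)
            for r in parse_getcert_list(text)}


def problems(text, now, warn_days=30):
    """Request IDs needing attention, worst first (expired, stuck, no cert, expiring)."""
    order = {"EXPIRED": 0, "STUCK": 1, "NO_CERT": 2, "EXPIRING": 3}
    bad = [(rid, v) for rid, (v, _, _) in expiry_report(text, now, warn_days).items() if v != "OK"]
    return [rid for rid, v in sorted(bad, key=lambda item: order[item[1]])]


def earliest_expiry(text):
    """Earliest 'expires' among tracked certs: the clock must be before this for all of them to be valid."""
    dates = [parse_expiry(r["expires"]) for r in parse_getcert_list(text) if "expires" in r]
    return min(dates) if dates else None


if __name__ == "__main__":
    for rid, (verdict, days, subject) in expiry_report(SAMPLE_GETCERT_OUTPUT, THREAD_DATE).items():
        days_s = "" if days is None else f"{days:.1f}d"
        print(f"{rid} {verdict:8} {days_s:>8} {subject}")
    print("earliest expiry:", earliest_expiry(SAMPLE_GETCERT_OUTPUT))
```

On a live server, feed it `subprocess.run(["getcert", "list"], capture_output=True, text=True).stdout` and `datetime.now(timezone.utc)`; a request that is not in MONITORING is reported as STUCK even when its certificate is still valid, because that is the state that turns into an outage later.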
[Freeipa-users] follow the freeipa 3.0 procedure add attributes but fail;
Hi all:

https://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf

I added the attribute successfully, but the JS plugin fails to display a field and cannot save. Any idea? Now I'm using FreeIPA 4.5 ... it seems not the same as what the PDF uses.

Barry
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Make custom attribute fail in UI and SAVE Button
Dear all:

I followed the guide for the FreeIPA 3.0 web UI plugin. On the command line I successfully made a custom attribute called Employee "Commencement Date". I can add it using a script / command.

BUT in the web UI it displays the "Commencement Date" label only and cannot display an edit field and allow me to edit.

After that I changed it to multivalued; the field comes out, but the save button is still grey and I cannot save again.

Which part did I make wrong? Please advise. Thx

define(['freeipa/phases','freeipa/user'], function(phases, user_mod) {
    // helper function: first element of array whose attr equals value
    function get_item(array, attr, value) {
        for (var i=0,l=array.length; i<l; i++) {
            if (array[i][attr] === value) return array[i];
        }
        return null;
    }

    var cdate_plugin = {};

    // add the custom field to the identity section of the user details facet
    cdate_plugin.add_c_date = function() {
        var facet = get_item(user_mod.entity_spec.facets, '$type', 'details');
        var section = get_item(facet.sections, 'name', 'identity');
        section.fields.push({
            $name: 'comDate',
            type: 'multivalued',
            label: 'Commencement Date'
        });
        return true;
    };

    phases.on('customization', cdate_plugin.add_c_date);

    return cdate_plugin;
});
[Freeipa-users] Re: Make custom attribute fail in UI and SAVE Button
Same like this: label, no field, no edit, no save, but fine on the command line ... any difference between the FreeIPA 4.0 vs 3.0 procedure?

[image: inline image 2]

2017-11-09 14:44 GMT+08:00 Pavel Vomacka:
> On 11/08/2017 07:29 AM, barrykfl--- via FreeIPA-users wrote:
>> Hi,
>>
>> Dear all:
>>
>> [...]
>>
>> define(['freeipa/phases','freeipa/user'], function(phases, user_mod) {
>>     // helper function
>>     function get_item(array, attr, value) {
>>         for (var i=0,l=array.length; i<l; i++) {
>>             if (array[i][attr] === value) return array[i];
>>         }
>>         return null;
>>     }
>>
>>     var cdate_plugin = {};
>>
>>     cdate_plugin.add_c_date = function() {
>>         var facet = get_item(user_mod.entity_spec.facets, '$type', 'details');
>>         var section = get_item(facet.sections, 'name', 'identity');
>>         section.fields.push({
>>             $name: 'comDate',
>
> The dollar character should be at the beginning of the type attribute, not the name. So try to change it to:
>     name: 'comDate',
>     $type: 'multivalued'
>
>>             type: 'multivalued',
>>             label: 'Commencement Date'
>>         });
>>         return true;
>>     };
>>
>>     phases.on('customization', cdate_plugin.add_c_date);
>>
>>     return cdate_plugin;
>> });
>
> Does it help?
>
> --
> Pavel^3 Vomacka
[Freeipa-users] Re: Make custom attribute fail in UI and SAVE Button
Added like this ... now the label is gone, nothing shown.

    section.fields.push({
        flags: ['w_if_no_aci']
        $type: 'multivalued',
        name: 'comDate',
        label: 'Commencement Date'
    });

2017-11-09 15:50 GMT+08:00 Pavel Vomacka:
> On 11/09/2017 08:36 AM, barry...@gmail.com wrote:
>> Same like this: label, no field, no edit, no save, but fine on the command line ... any difference between the FreeIPA 4.0 vs 3.0 procedure?
>
> Do you have IPA 4.x? Or which version?
>
> Try to add the following line into the specification of your new field:
>
>     flags: ['w_if_no_aci']
>
>> [image: inline image 2]
>>
>> 2017-11-09 14:44 GMT+08:00 Pavel Vomacka:
>>> [...]
>
> --
> Pavel^3 Vomacka
[Freeipa-users] Re: Make custom attribute fail in UI and SAVE Button
Now it works, with a certain limitation: it can update successfully, BUT there is no view in the UI. Then I tried replacing it with "textarea" as before; it comes out as a big field, but also with no view of my result (but it really updated).

    section.fields.push({
        flags: ['w_if_no_aci'],
        $type: 'multivalued',
        name: 'comDate',
        label: 'Commencement Date'
    });

[image: inline image 1]

2017-11-09 16:06 GMT+08:00 Pavel Vomacka:
> On 11/09/2017 09:00 AM, barry...@gmail.com wrote:
>> Added like this ... now the label is gone, nothing shown.
>>
>>     section.fields.push({
>>         flags: ['w_if_no_aci']
>>         $type: 'multivalued',
>>         name: 'comDate',
>>         label: 'Commencement Date'
>>     });
>
> Yes, that's because of the missing colon at the end of the 'flags: ...' line. You can open the Developer Console in the browser (F12) and you will see an error.
>
>> 2017-11-09 15:50 GMT+08:00 Pavel Vomacka:
>>> [...]
>
> --
> Pavel^3 Vomacka
[Freeipa-users] Re: Make custom attribute fail in UI and SAVE Button
The will disappear after save is pressed. It will change to in LDAP, but the UI field is blank, not stored.

define(['freeipa/phases','freeipa/user'], function(phases, user_mod) {
    // helper function
    function get_item(array, attr, value) {
        for (var i=0,l=array.length; i<l; i++) {
            if (array[i][attr] === value) return array[i];
        }
        return null;
    }

    var cdate_plugin = {};

    cdate_plugin.add_c_date = function() {
        var facet = get_item(user_mod.entity_spec.facets, '$type', 'details');
        var section = get_item(facet.sections, 'name', 'identity');
        section.fields.push({
            flags: ['w_if_no_aci'],
            $type: 'multivalued',
            name: 'comDate',
            label: 'Commencement Date'
        });
        return true;
    };

    phases.on('customization', cdate_plugin.add_c_date);

    return cdate_plugin;
});

[image: inline image 1]

2017-11-09 16:51 GMT+08:00 Pavel Vomacka:
> On 11/09/2017 09:18 AM, barry...@gmail.com wrote:
>> Now it works, with a certain limitation: it can update successfully, BUT there is no view in the UI. Then I tried replacing it with "textarea" as before; it comes out as a big field, but also with no view of my result (but it really updated).
>
> Could you please reformulate it? I'm not sure whether I understand what's the problem now.
>
>>     section.fields.push({
>>         flags: ['w_if_no_aci'],
>>         $type: 'multivalued',
>>         name: 'comDate',
>>         label: 'Commencement Date'
>>     });
>>
>> [image: inline image 1]
>>
>> 2017-11-09 16:06 GMT+08:00 Pavel Vomacka:
>>> [...]
>
> --
> Pavel^3 Vomacka
[Freeipa-users] Re: Make custom attribute fail in UI and SAVE Button
Hi:

Maybe I missed writing something in the JSON.

But I can use it in the command shell successfully: ipa user-mod apigee --setattr comDate= then it will appear in LDAP, and user-show all will see it.

Any reference link, if I missed one?

2017-11-09 17:43 GMT+08:00 Pavel Vomacka:
> On 11/09/2017 10:34 AM, barry...@gmail.com wrote:
>> The will disappear after save is pressed. It will change to in LDAP, but the UI field is blank, not stored.
>
> Now I understand, thank you. Could you please show me how you specified this new option in Python code? Or you can check the API Browser (IPA Server -> API Browser) in the WebUI and find the user-mod command there.
>
> The value is loaded from the JSON which is returned by the server (user-show). Then basically the WebUI goes through all fields on the page and tries to find an attribute in the JSON response which is called the same as the value of the 'name' attribute in the field spec (in your case 'comDate'). Do you see the 'comDate' attribute in the JSON response? (You can check that in the developer console in the browser, in the Network tab, in the respective call.)
>
>> define(['freeipa/phases','freeipa/user'], function(phases, user_mod) {
>>     // helper function
>>     function get_item(array, attr, value) {
>>         for (var i=0,l=array.length; i<l; i++) {
>>             if (array[i][attr] === value) return array[i];
>>         }
>>         return null;
>>     }
>>
>>     var cdate_plugin = {};
>>
>>     cdate_plugin.add_c_date = function() {
>>         var facet = get_item(user_mod.entity_spec.facets, '$type', 'details');
>>         var section = get_item(facet.sections, 'name', 'identity');
>>         section.fields.push({
>>             flags: ['w_if_no_aci'],
>>             $type: 'multivalued',
>>             name: 'comDate',
>>             label: 'Commencement Date'
>>         });
>>         return true;
>>     };
>>
>>     phases.on('customization', cdate_plugin.add_c_date);
>>
>>     return cdate_plugin;
>> });
>>
>> [image: inline image 1]
>>
>> 2017-11-09 16:51 GMT+08:00 Pavel Vomacka:
>>> [...]
>
> --
> Pavel^3 Vomacka
[Freeipa-users] Re: Make custom attribute fail in UI and SAVE Button
Finally I found which location is wrong. It is in the JS: "comDate". If I rename it to "comdate" in small letters it can be saved and displayed.

I claim that on LDAP customPerson is using this "comDate", so I was misled into thinking that I should use the same in the JS and the plugin ... CAN ANYONE explain? As I still have some confusion why it works. (I tried changing all to comDate in the plugin, but it fails.)

attributeTypes: ( 2.25.28639311321113238241701611583088740684.14.2.2 NAME 'comDate' EQUALITY caseIgnoreMatch

define(['freeipa/phases','freeipa/user'], function(phases, user_mod) {
    // helper function
    function get_item(array, attr, value) {
        for (var i=0,l=array.length; i<l; i++) {
            if (array[i][attr] === value) return array[i];
        }
        return null;
    }

    var cdate_plugin = {};

    cdate_plugin.add_c_date = function() {
        var facet = get_item(user_mod.entity_spec.facets, '$type', 'details');
        var section = get_item(facet.sections, 'name', 'identity');
        section.fields.push({
            name: 'comdate',
            type: 'multivalued',
            label: 'Commencement Date'
        });
        return true;
    };

    phases.on('customization', cdate_plugin.add_c_date);

    return cdate_plugin;
});

from ipaserver.plugins.user import user
from ipalib.parameters import Str
from ipalib import _

# extend the user entity with the optional 'comdate' parameter (lower case, see the replies below)
user.takes_params += (
    Str('comdate?',
        cli_name='comdate',
        label=_('Commencement Date'),
    ),
)
user.default_attributes.append('comdate')

2017-11-09 20:20 GMT+08:00 Alexander Bokovoy:
> On Thu, 09 Nov 2017, barrykfl--- via FreeIPA-users wrote:
>> Hi:
>>
>> Maybe I missed writing something in the JSON.
>>
>> But I can use it in the command shell successfully: ipa user-mod apigee --setattr comDate= then it will appear in LDAP, and user-show all will see it.
>>
>> Any reference link, if I missed one?
>
> See https://github.com/abbra/freeipa-userstatus-plugin as an example of how you can do that in a full plugin.
>
>> 2017-11-09 17:43 GMT+08:00 Pavel Vomacka:
>>> [...]
[Freeipa-users] anyone trial freeipa load balancing will it make the mess?
Hi all:

Has anyone tried HAProxy / nginx / etc. as an LB? I tried using ldirectord before. It seems that when A<>B sync, if you still load-balance them with different weights, it may cause one side's server not to be updated ... so finally I only applied HA.

Does anyone have a better LB solution or a reference? (Or is LB actually not necessary?)

Regards
Barry
[Freeipa-users] Re: Make custom attribute fail in UI and SAVE Button
So I have one more question: if I have several custom attributes, should I open several new folders under /usr/share/ipa/ui/js/plugins/? Can it be written in a single file? Thx

Regards

2017-11-13 18:48 GMT+08:00 Alexander Bokovoy:
> On Mon, 13 Nov 2017, barry...@gmail.com wrote:
>> Finally I found which location is wrong. It is in the JS: "comDate". If I rename it to "comdate" in small letters it can be saved and displayed.
>>
>> I claim that on LDAP customPerson is using this "comDate", so I was misled into thinking that I should use the same in the JS and the plugin ... CAN ANYONE explain? As I still have some confusion why it works. (I tried changing all to comDate in the plugin, but it fails.)
>
> Since attribute names are case-insensitive, we normalize them in the IPA framework to lower case because dictionary keys are case-sensitive.
>
> So just use lower case everywhere and it should work.
>
>> attributeTypes: ( 2.25.28639311321113238241701611583088740684.14.2.2 NAME 'comDate' EQUALITY caseIgnoreMatch
>>
>> define(['freeipa/phases','freeipa/user'], function(phases, user_mod) {
>>     // helper function
>>     function get_item(array, attr, value) {
>>         for (var i=0,l=array.length; i<l; i++) {
>>             if (array[i][attr] === value) return array[i];
>>         }
>>         return null;
>>     }
>>
>>     var cdate_plugin = {};
>>
>>     cdate_plugin.add_c_date = function() {
>>         var facet = get_item(user_mod.entity_spec.facets, '$type', 'details');
>>         var section = get_item(facet.sections, 'name', 'identity');
>>         section.fields.push({
>>             name: 'comdate',
>>             type: 'multivalued',
>>             label: 'Commencement Date'
>>         });
>>         return true;
>>     };
>>
>>     phases.on('customization', cdate_plugin.add_c_date);
>>
>>     return cdate_plugin;
>> });
>>
>> from ipaserver.plugins.user import user
>> from ipalib.parameters import Str
>> from ipalib import _
>>
>> user.takes_params += (
>>     Str('comdate?',
>>         cli_name='comdate',
>>         label=_('Commencement Date'),
>>     ),
>> )
>> user.default_attributes.append('comdate')
>>
>> 2017-11-09 20:20 GMT+08:00 Alexander Bokovoy:
>>> [...]
[Freeipa-users] Re: Make custom attribute fail in UI and SAVE Button
Can anyone explain the following LDAP RFC? I am confused how it came about and why I must use this ... can I randomly generate some number?

2.25.28639311321113238241701611583088740684.14.2.1 <- it used the custom person class, so if related to it should I use .2 .3 .4 .5 etc.???

28639311321113238241701611583088740684. (randomly generated?)

2.25.28639311321113238241701611583088740684.14.2.2 NAME 'favoriteColorName'

2017-11-15 18:07 GMT+08:00 Alexander Bokovoy:
> On Wed, 15 Nov 2017, barry...@gmail.com wrote:
>> So I have one more question: if I have several custom attributes, should I open several new folders under /usr/share/ipa/ui/js/plugins/? Can it be written in a single file? Thx
>
> It is up to you. I'd do it in a single one and would try to make the code as common as possible for all of them.
>
> --
> / Alexander Bokovoy
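An added example, not from the thread or from FreeIPA, on the OID form asked about above. The 2.25 arc is the ITU-T X.667 / RFC 4122 scheme: a 128-bit UUID written as a decimal integer directly under 2.25 is a private OID arc that needs no registration and, for a random (version 4) UUID, will not collide with anyone else's. Everything below that arc (the 14.2.x components in the thread's schema) is the owner's own numbering. The code generates such an arc, checks whether an OID is one (the OID from the schema line above is used as input), and allocates object-class and attribute-type OIDs below it. The branch numbers used by SchemaArc are this example's convention, not a standard and not what the thread's schema uses.

```python
"""UUID-based OID arcs (ITU-T X.667 / RFC 4122): 2.25.<UUID as a decimal integer>."""
import uuid

UUID_ARC_ROOT = "2.25"
# attribute OID from the schema line quoted in the thread
THREAD_OID = "2.25.28639311321113238241701611583088740684.14.2.2"


def oid_arc_from_uuid(u):
    """X.667: the component under 2.25 is the UUID's 128-bit value in decimal, no leading zeros."""
    return f"{UUID_ARC_ROOT}.{u.int}"


def new_private_arc():
    """A fresh random arc; generate it once, record it, and allocate all custom schema below it."""
    return oid_arc_from_uuid(uuid.uuid4())


def split_uuid_arc(oid):
    """(uuid, sub-components) if oid lies under a UUID-sized 2.25 arc, else None."""
    parts = oid.split(".")
    if len(parts) < 3 or parts[:2] != ["2", "25"]:
        return None
    # OID components are unsigned decimal integers without leading zeros
    if not all(p.isdigit() and (p == "0" or not p.startswith("0")) for p in parts[2:]):
        return None
    n = int(parts[2])
    if n >= 1 << 128:
        return None                                   # does not fit in a UUID
    return uuid.UUID(int=n), parts[3:]


def is_uuid_arc(oid):
    return split_uuid_arc(oid) is not None


class SchemaArc:
    """Hand out object-class and attribute-type OIDs below one private arc, never reusing a number.

    The branch numbers (1 for object classes, 2 for attribute types) are this example's
    own convention, not a standard.
    """
    BRANCHES = {"objectclass": 1, "attributetype": 2}

    def __init__(self, base):
        if not is_uuid_arc(base):
            raise ValueError(f"{base!r} is not a UUID-based 2.25 arc")
        self.base = base
        self._next = {kind: 1 for kind in self.BRANCHES}

    def allocate(self, kind):
        n = self._next[kind]
        self._next[kind] += 1
        return f"{self.base}.{self.BRANCHES[kind]}.{n}"


if __name__ == "__main__":
    arc = new_private_arc()
    schema = SchemaArc(arc)
    print("private arc:     ", arc)
    print("objectClass OID: ", schema.allocate("objectclass"))
    print("attribute OID:   ", schema.allocate("attributetype"))
    print("thread OID ok:   ", is_uuid_arc(THREAD_OID))
```

The one thing the generator cannot protect against is reuse: the arc should be generated once per organisation and written down, and every later object class or attribute gets a new number under it, because two schema elements sharing an OID will be rejected or silently confused by the directory server.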
[Freeipa-users] any reference for HA solution and backup /restore
Hi all:

I set up two servers as replicas and want to make them HA with backup / restore. Is there any reference anywhere, especially for backup / restore, which is necessary?

Regards
Barry
[Freeipa-users] cluster and LDAP service
Hi:

I already configured a cluster of 2 servers using corosync and pacemaker, but the virtual IP is the only resource. Is it possible to make LDAP 389/636 a detection of failure and then switch?

Regards
Barry
[Freeipa-users] Promote ipa-client-install to a replica successful but system become unstable
Dear all:

Two servers in replica, but the latter one has become unstable.

I successfully promoted a client to a replica master, but after reboot the response is slow, certmonger fails to start, and remote SSH login is very slow, delayed by half a minute.

In the boot log I found certmonger failing to start and the login service failing. I can only prove that if I remove all the IPA client it is fine again and the login service is fine.

Any idea how come? As I used 3.0 before, it used gpg to install the replica server, but now it uses ipa-client-install first and then promotes it with ipa-replica-install later.

[FAILED] Failed to start Zabbix Agent.
See 'systemctl status zabbix_agentd.service' for details.
[FAILED] Failed to start Login Service.
See 'systemctl status systemd-logind.service' for details.
[  OK  ] Stopped Login Service.
         Starting Login Service...
[FAILED] Failed to start Login Service.
See 'systemctl status systemd-logind.service' for details.
[  OK  ] Stopped Login Service.
         Starting Login Service...
[  OK  ] Started /etc/rc.d/rc.local Compatibility.
         Starting Terminate Plymouth Boot Screen...
         Starting Wait for Plymouth Boot Screen to Quit...
[Freeipa-users] Re: Promote ipa-client-install to a replica successful but system become unstable
Attached is the log showing the failure of certmonger and the login service. Actually the cluster is working fine but slow and unstable: the login service fails and the cert monitor fails.

[FAILED] Failed to start NIS/YP (Network Information Service) Clients to NIS Domain Binder. See 'systemctl status ypbind.service' for details.
[ OK ] Reached target User and Group Name Lookups.
Starting Login Service...
Nov 27 19:06:36 central03 kernel: [ 1472.395446] NFSD: starting 90-second grace period (net 81ad9d40)
Nov 27 19:06:37 central03 kernel: [ 1472.619881] fuse init (API version 7.22)
Starting Permit User Sessions...
Starting Zabbix Agent...
[ OK ] Started Permit User Sessions.
[ OK ] Started Command Scheduler.
Starting Command Scheduler...
[ OK ] Started Job spooling tools.
Starting Job spooling tools...
[FAILED] Failed to start Zabbix Agent. See 'systemctl status zabbix_agentd.service' for details.
[ OK ] Started PKI Tomcat Server pki-tomcat.
[ OK ] Reached target PKI Tomcat Server.
[ OK ] Listening on ipa-otpd socket.
[ OK ] Started Identity, Policy, Audit.
[FAILED] Failed to start Login Service. See 'systemctl status systemd-logind.service' for details.
[ OK ] Stopped Login Service.
Starting Login Service...
[FAILED] Failed to start Certificate monitoring and PKI enrollment. See 'systemctl status certmonger.service' for details.
[FAILED] Failed to start Login Service. See 'systemctl status systemd-logind.service' for details.
[ OK ] Stopped Login Service.
Starting Login Service...
[ OK ] Started /etc/rc.d/rc.local Compatibility.
Starting Wait for Plymouth Boot Screen to Quit...
Starting Terminate Plymouth Boot Screen...

2017-11-28 16:20 GMT+08:00 Florence Blanc-Renaud :
> On 11/28/2017 08:25 AM, barrykfl--- via FreeIPA-users wrote:
>> [...]
>
> Hi,
>
> do you have any error message related to certmonger that could help diagnose the certmonger failure?
>
> sudo systemctl status certmonger
> sudo journalctl -u certmonger
> sudo journalctl -t certmonger
>
> Flo
[Freeipa-users] ipa-client-install --uninstall commands
Dear all: Simple question. Is this command enough to disjoin from an existing IPA master? I want to test some servers that have joined a master. Can ipa-client-install --uninstall remove all config from my master server??? Regards Barry
[Freeipa-users] Cluster fail with certmenger fail
Hi All: I did this on CentOS 7 with server replication, no problem, but after installing the cluster I tried a reboot, and it causes the certmonger service to fail and the login service to fail; when I SSH to this server A it takes half a minute, or FTP always times out. After that I have to stop the cluster on server B and try to stop it on A also, then the service is fine again. It seems that I cannot start the cluster service on A.

yum -y install corosync pacemaker pcs

boot error:
Starting Login Service...
[FAILED] Failed to start Login Service.

[root@(LIVEA)~]$ systemctl --failed
UNIT LOAD ACTIVE SUB DESCRIPTION
● certmonger.service loaded failed failed Certificate monitoring and PKI enrollm
● ypbind.service loaded failed failed NIS/YP (Network Information Service) C

Error getting authority: Error initializing authority: Error calling StartServiceByName for org.freedesktop.PolicyKit1: GDBus.Error:org.freedesktop.DBus.Error.TimedOut: Activation of org.freedesktop.PolicyKit1 timed out (g-dbus-error-quark, 20)

It seems every reboot I have to stop the cluster first, then it boots fine, then I manually start the cluster. Any idea?
[Freeipa-users] corosync conflict with certmonger always
I have already set up a cluster of 2 nodes that works fine, but on every reboot corosync seems to conflict with the certmonger service and the login service and causes SSH shell login to be slow. Any idea? The other functions of FreeIPA/HA are actually working fine. It seems the login service and Zabbix agent also fail because of corosync. After I disabled the Zabbix agent the login service seems to work, but certmonger still fails when corosync is started.

systemctl --failed
UNIT LOAD ACTIVE SUB DESCRIPTION
● certmonger.service loaded failed failed Certificate monitoring and PKI enrollm
● zabbix_agentd.service loaded failed failed Zabbix Agent

[ OK ] Stopped Login Service.
Starting Login Service...
Jan 10 14:32:32 central03 kernel: [97458.949608] off_oom_killer_ (2027): /proc/970/oom_adj is deprecated, please use /proc/970/oom_score_adj instead.
[FAILED] Failed to start Login Service.
Starting Command Scheduler...
[FAILED] Failed to start Zabbix Agent. See 'systemctl status zabbix_agentd.service' for details.
Error getting authority: Error initializing authority: Error calling StartServiceByName for org.freedesktop.PolicyKit1: GDBus.Error:org.freedesktop.DBus.Error.TimedOut: Activation of org.freedesktop.PolicyKit1 timed out (g-dbus-error-quark, 20)
[Freeipa-users] Corosync or user multi environment seem conflict with ipa
Hi: I have the corosync/pacemaker cluster working fine on basic function, but I tried to reboot one node. The HA works, but after the reboot it "sometimes" makes certmonger.service fail: out of 10 reboots maybe 6 fail, but after rebooting several more times it works again. I discovered that in most cases this happens together with session-1.scope or session-2.scope not being loaded at that time. Any idea? Is it a dependency issue? I have already tried many combinations, e.g. starting certmonger.service before corosync / dbus.service; the same thing happens.

Normal:
session-1.scope loaded active running Session 1 of user root
alsa-state.service loaded active running Manage Sound Card State (restore and store)
atd.service loaded active running Job spooling tools
certmonger.service loaded active running Certificate monitoring and PKI en
corosync.service Running

Fail:
alsa-state.service loaded active running Manage Sound Card State (restore and store)
atd.service loaded active running Job spooling tools
certmonger.service Failed Certificate monitoring and PKI en
corosync.service Running
[Freeipa-users] any one have issue at centos7 ?
Hi: when I reboot the server, certmonger.service always fails. It is not a cluster, just a single server.
[Freeipa-users] centos7 with ipa always start fail
Hi: Does anyone have such experience? certmonger always fails after reboot. The dbus service and other services seem to be working fine. Also no systemctl command can run. It is not a cluster. Any hints?

systemctl daemon-reload
Error getting authority: Error initializing authority: Error calling StartServiceByName for org.freedesktop.PolicyKit1: GDBus.Error:org.freedesktop.DBus.Error.TimedOut: Activation of org.freedesktop.PolicyKit1 timed out (g-dbus-error-quark, 20)
Failed to execute operation: Connection timed out

Thanks, barry
[Freeipa-users] certmonger .service fail to start
Auto reboot fails; I just tried to manually start certmonger.service and it still fails.

sudo systemctl -f start certmonger.service
Jan 30 11:03:01 dbus[537]: [system] Activating systemd to h
Jan 30 11:03:01 dbus-daemon[537]: dbus[537]: [system] Activ
Jan 30 11:03:13 systemd-logind[2922]: Failed to enable subs
Jan 30 11:03:13 systemd-logind[2922]: Failed to fully start
Jan 30 11:03:13 dbus[537]: [system] Failed to activate serv
Jan 30 11:03:13 systemd[1]: systemd-logind.service: main pr
Jan 30 11:03:13 dbus-daemon[537]: dbus[537]: [system] Faile
Jan 30 11:03:13 systemd[1]: Failed to start Login Service.

/usr/lib/polkit-1/polkitd
10:59:23.458: Loading rules from directory /etc/polkit-1/rules.d
10:59:23.458: Loading rules from directory /usr/share/polkit-1/rules.d
10:59:23.461: Finished loading, compiling and executing 7 rules
Entering main event loop
Connected to the system bus
10:59:23.463: Acquired the name org.freedesktop.PolicyKit1 on the system bus
11:00:28.891: Registered Authentication Agent for unix-process:2388:46107 (system bus name :1.55 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
11:01:58.994: Unregistered Authentication Agent for unix-process:2388:46107 (system bus name :1.55, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

Any idea? There is already no cluster, just a single server; every systemctl command fails and login is slow.
[Freeipa-users] running log show late
Hi: Has anyone found that the output of systemctl | grep running shows up late in PuTTY?

dirsrv@ABC-COM.service loaded active running 389 Directory Server ABC.COM.

systemctl | grep running <- after a reboot, typing this does not show the 389 server; I need to wait half a minute to a minute and retype, then it shows. Regards Barry
[Freeipa-users] IPA 4.5 with radius server
Hi: Does anyone have experience using FreeIPA 4.0 or above as a RADIUS server? E.g. I want Wi-Fi to use RADIUS so everyone carries their LDAP password. How do I implement it? Does it need a special plugin? It seems it needs a new attribute that can generate a hashed password and sync with LDAP together? Thanks and Regards Barry
[Freeipa-users] Re: IPA 4.5 with radius server
I have some confusion about the following sample: https://firstyear.id.au/blog/html/2015/07/06/FreeIPA:_Giving_permissions_to_service_accounts..html

host.ipa.example.net.au -> if I have a cluster of LDAP servers, should I only need to configure/install it on one server or on two? If two, then I may need to change the other host to host1.ipa.example.net.au, host2.ipa.example.net.au etc.

2018-02-06 17:47 GMT+08:00 Giulio Casella via FreeIPA-users < freeipa-users@lists.fedorahosted.org>:
> I'm not sure I completely understand your needs, but I can try.
> I use freeradius, on same host as freeipa.
>
> Just configure freeradius to use ldap (usually in /etc/raddb/sites-enabled/default):
>
> Auth-Type LDAP {
>     ldap
> }
>
> Then configure ldap parameters (server, bind identity, bind password, base_dn) to suit your needs, usually in /etc/raddb/mods-enabled/ldap.
>
> HTH
>
> Cheers,
> Giulio
>
> On 6 Feb 2018, at 10:16, barrykfl--- via FreeIPA-users wrote:
>> [...]
[Freeipa-users] some confusion of reading this doc abt radius
Hi all: I am reading this: http://firstyear.id.au/blog/html/2015/07/06/FreeIPA:_Giving_permissions_to_service_accounts..html

It needs to create a service account under radius/host.ipa.example.net...@ipa.example.net.au,cn=services,cn=accounts,dc=ipa,dc=example,dc=net,dc=au - but which LDIF file should I point to? Or just ignore it and use another parameter, ldapmodify -f or ldapmodify -x -D ..?? Thanks

dn: krbprincipalname=radius/host.ipa.example.net...@ipa.example.net.au,cn=services,cn=accounts,dc=ipa,dc=example,dc=net,dc=au
changetype: modify
add: objectClass
objectClass: simpleSecurityObject
-
add: userPassword
userPassword:

ldapmodify -f -D 'cn=Directory Manager' -W -H ldap://host.ipa.example.net.au -Z

ldapwhoami -Z -D 'krbprincipalname=radius/host.ipa.example.net...@ipa.example.net.au,cn=services,cn=accounts,dc=ipa,dc=example,dc=net,dc=au' -W
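The three pieces that Giulio's reply above describes (a bind identity for FreeRADIUS, the ldap module parameters, and the Auth-Type hook) are written out below for a FreeIPA realm EXAMPLE.COM. This is an added example, not the blog's or the thread's own configuration: the hostnames, DNs, file paths and the password placeholder are all assumptions. It also answers the `-f` question: the LDIF goes into a file, and that file name is what `ldapmodify -f` takes. The principal in the DN is the one created for the host that runs FreeRADIUS (`ipa service-add radius/radius1.example.com`), so each RADIUS host gets its own entry; the LDAP servers it talks to are listed in the module's `server` line.

```text
# /root/radius-service.ldif (assumed file name): give the RADIUS service
# principal a password so FreeRADIUS can do a simple bind as it.
dn: krbprincipalname=radius/radius1.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: simpleSecurityObject
-
add: userPassword
userPassword: CHANGE-ME-bind-password

# Apply it as Directory Manager, then prove the new identity can bind:
#   ldapmodify -x -D 'cn=Directory Manager' -W -H ldaps://ipa1.example.com -f /root/radius-service.ldif
#   ldapwhoami -x -W -H ldaps://ipa1.example.com \
#     -D 'krbprincipalname=radius/radius1.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com'

# /etc/raddb/mods-available/ldap (FreeRADIUS 3; symlinked into mods-enabled).
ldap {
    server = 'ldaps://ipa1.example.com'
    identity = 'krbprincipalname=radius/radius1.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com'
    password = 'CHANGE-ME-bind-password'
    base_dn = 'cn=accounts,dc=example,dc=com'
    user {
        base_dn = "cn=users,${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    group {
        base_dn = "cn=groups,${..base_dn}"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }
    tls {
        # the IPA CA certificate that every enrolled client already has
        ca_file = /etc/ipa/ca.crt
        require_cert = 'demand'
    }
}

# /etc/raddb/sites-enabled/default (and sites-enabled/inner-tunnel for
# EAP-TTLS): let the ldap module find the user, then authenticate by
# binding to 389-ds as that user with the password the client sent.
authorize {
    ...
    -ldap
    if ((ok || updated) && User-Password) {
        update {
            control:Auth-Type := ldap
        }
    }
    ...
}
authenticate {
    Auth-Type LDAP {
        ldap
    }
}
```

Two caveats worth knowing before pointing an access point at this. Because authentication is a bind as the user, 389-ds does the password check itself; the service account only needs to search `cn=users`, and it never has to read the (hashed) `userPassword` attribute. The flip side is that a bind needs the clear-text password, so this serves PAP and EAP-TTLS/PAP; PEAP-MSCHAPv2, the common Wi-Fi default, requires an NT hash that a plain LDAP bind cannot supply.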
[Freeipa-users] Install radius but fail to start in centos7
yum install freeradius freeradius-utils freeradius-ldap freeradius-krb5 succeeded, but it cannot start, with the following error. Any idea?

Unregistered Authentication Agent for unix-process:12922:607417 (system bus name :1.53, object path /org/freedesktop/PolicyKit1/Au

Reference doc: https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7
Thanks
[Freeipa-users] PKI Tomcat Server conflict with PWM
Hi all: I used to run FreeIPA on CentOS 6 and installed PWM together with the CA service, and there was no problem. But now we have changed to CentOS 7, and it seems the PKI Tomcat Server by default launches ports 8443 and 8080. Now I installed PWM (password manager), but pki-tomcat's port 8080 conflicts with PWM's port 8080. I can change the port number, but 8443 still seems to fail to display if I change it to 8444 etc. Any idea? Can I stop pki-tomcat's 8080/8443? barry
[Freeipa-users] Backup idea of disaster
Hi all: Does anyone have a better solution for FreeIPA backup? Assume the whole LDAP DB crashes, the whole CA fails, there is no backup of the certs, etc., but I need to cleanly install one with the same hostname. And we have a /usr/sbin/ipa-backup LDIF backup. Can I use an old image and restore such an LDIF backup onto it? Or is there any better solution for a clean install with this LDIF copy?
[Freeipa-users] Re: Backup idea of disaster
Any reference for a full backup of 4.5? I can only find v3. Will it recover everything cert/CA related? I tried such a recovery in v3 and it seemed to break the relationship of the other agreements, or I missed the backup of some files. Is it possible to use a very old VM image plus the regular LDIF backup for recovery?

On 1 March 2018 at 7:02 AM, "Rob Crittenden" wrote:
> barrykfl--- via FreeIPA-users wrote:
>> [...]
>
> If you have a full backup of a master with a CA and have saved it off-machine and your machine dies then you can re-install using the EXACT SAME OPTIONS.
>
> Then restore the backup. Then re-initialize all other masters (this should all be documented already).
>
> If you have only one master with a CA and it dies and you have no backups then you are pretty much hosed at the moment.
>
> IPA is so much more than just an LDIF.
>
> _Could_ you use an LDIF to restore the data minus the certs? Yeah, probably, with a whole ton of work and expertise. Would it be worth the trouble and would you ever fully trust that you got it 100% right?
>
> The best solution is to maintain multiple masters and > 1 CA. If one dies then you delete it and provision a new master. You can maintain the old name if you want.
>
> Or if you use VMs you can use disk snapshots to maintain backups.
>
> rob
[Freeipa-users] Re: Backup idea of disaster
I see, but can the full restore run successfully on a cleanly installed master, overwriting the new CA? E.g. the master with CA and LDAP all crashed, with replication servers whose data also crashed; can it be used as a restore using the same hostname and rebuild the replication agreements with the others?

2018-03-01 15:19 GMT+08:00 Florence Blanc-Renaud :
> On 03/01/2018 12:10 AM, barrykfl--- via FreeIPA-users wrote:
>> [...]
>
> Hi,
>
> you can find the doc for 4.5 in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/backup-restore
>
> The full backup of a master with CA also contains the certs and the CA.
>
> HTH,
> Flo
[Freeipa-users] Re: Backup idea of disaster
I tried those commands before; it seems the web page and LDAP are separate, or I missed some parts. It can turn on LDAP but the web page does not allow login. Mostly it is related to ?

2018-03-02 17:24 GMT+08:00 Florence Blanc-Renaud :
> On 01/03/2018 10:37, barrykfl--- via FreeIPA-users wrote:
>> [...]
>
> Hi,
>
> yes, the doc explains how to restore in a multi-master environment:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/restore#restore-multiple-masters
>
> HTH,
> Flo
[Freeipa-users] MAKE REPLCATION SERVER 1 WAY
Hi all: Is it possible to make the replication server one-way? I have a RADIUS/LDAP config server at a far remote site, so there is no need for mutual replication; the remote site just needs to be a one-way slave. Regards
[Freeipa-users] timestamp of ipa backup and test on backup restore
Hi: Is there any timestamp expiry on the IPA backup copy? My steps were: on the original server I made a backup copy, then shut it down. Then I reinstalled a new one with the same hostname and I could really restore from the backup (test finished). After that I shut down the new server and wanted to bring back the original server, but this time it failed to start the chain of services: ipa, dirsrv, etc. What actually happened? Soon after I tried to recover from the backup and found that dse.ldif was missing; luckily I had a backup of this, restored it successfully and was able to start all services. Does the server backup have a timestamp such that, if I restore successfully once, the original server will crash etc.? (These two servers have the same hostname and same IP, but were not turned on at the same time.) Regards
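Rob's procedure earlier in this thread (reinstall with the exact same options, restore, re-initialize the other masters) and the same-hostname experiment in the message above both turn on what a backup records about the server it came from. The script below is an added example, not code from the FreeIPA project or from the thread: it runs the sanity checks a practitioner wants before a backup is copied off-box or handed to ipa-restore. The header layout (an INI file with an [ipa] section and the keys shown in the constructed SAMPLE_HEADER), the archive file names and the service name "CA" are written from memory of ipa-backup and should be treated as assumptions; the hostnames are made up.

```python
"""Pre-flight checks on an ipa-backup directory before it is shipped
off-box or handed to ipa-restore.

Added example, not FreeIPA code. Assumed layout: ipa-backup leaves
/var/lib/ipa/backup/ipa-full-YYYY-MM-DD-HH-MM-SS/ holding a 'header'
INI file (section [ipa]; keys type, time, host, ipa_version, version,
services) next to the archive (ipa-full.tar, or a .tar.gpg when the
backup was taken with ipa-backup --gpg).
"""
import configparser
import hashlib
import os
import socket
import sys

# Constructed sample in the assumed header layout; not a real backup.
SAMPLE_HEADER = """\
[ipa]
type = FULL
time = 2018-03-01T10:00:00
host = ds01.example.com
ipa_version = 4.5.0
version = 1
services = CA,KDC,KPASSWD,HTTP,OTPD
"""


def check_header(header_text, expected_host, expected_version, archives,
                 need_ca=True):
    """Return a list of problems; an empty list means the backup can be
    restored on expected_host running IPA expected_version. `archives`
    is the list of file names sitting next to the header."""
    cfg = configparser.ConfigParser()
    cfg.read_string(header_text)
    hdr = dict(cfg["ipa"])
    problems = []
    if hdr.get("type") != "FULL":
        problems.append("backup type is %s, not FULL: a data-only backup "
                        "cannot rebuild the CA on a dead host" % hdr.get("type"))
    if hdr.get("host") != expected_host:
        # The reinstall must use the same hostname (and the same install
        # options); a backup from another host is not restorable here.
        problems.append("hostname mismatch: backup taken on %s, restoring on %s"
                        % (hdr.get("host"), expected_host))
    if hdr.get("ipa_version") != expected_version:
        problems.append("IPA version mismatch: backup %s, server %s"
                        % (hdr.get("ipa_version"), expected_version))
    services = [s for s in hdr.get("services", "").split(",") if s]
    if need_ca and "CA" not in services:
        problems.append("no CA among backed-up services (%s)" % ",".join(services))
    if not any(a.endswith((".tar", ".tar.gpg")) for a in archives):
        problems.append("no .tar or .tar.gpg archive next to the header")
    return problems


def sha256_of(path, chunk=1 << 20):
    """Digest a file in chunks; compare this with the off-box copy."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_backup_dir(backup_dir, expected_host, expected_version):
    """Check a real backup directory; return (problems, {archive: sha256})."""
    with open(os.path.join(backup_dir, "header")) as f:
        header_text = f.read()
    files = sorted(os.listdir(backup_dir))
    problems = check_header(header_text, expected_host, expected_version, files)
    digests = {f: sha256_of(os.path.join(backup_dir, f))
               for f in files if f.endswith((".tar", ".tar.gpg"))}
    return problems, digests


def main(argv):
    if len(argv) != 3:
        print("usage: check_ipa_backup.py BACKUP_DIR IPA_VERSION", file=sys.stderr)
        return 2
    problems, digests = check_backup_dir(argv[1], socket.getfqdn(), argv[2])
    for name, digest in digests.items():
        print("%s  %s" % (digest, name))  # sha256sum-style manifest
        if name.endswith(".tar"):
            # A full backup of a CA master carries the CA signing key.
            print("WARNING: %s is not encrypted; take the copy that leaves "
                  "this host with ipa-backup --gpg" % name)
    for p in problems:
        print("PROBLEM: " + p)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the backup host as `python3 check_ipa_backup.py /var/lib/ipa/backup/ipa-full-... 4.5.0`, giving the version string that `ipa --version` reports; a non-zero exit means the backup would not restore cleanly here. The sha256 manifest is what you compare against the off-box copy before you ever need it, and since the archive of a CA master contains the CA's private key, only an encrypted (`ipa-backup --gpg`) copy should leave the machine.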
[Freeipa-users] any freeipa master slave configuration
Hi: I am seeking a master-slave replication mode for FreeIPA. Is there such a mode? As I saw, the 2-node configuration is actually called master-master. Regards
[Freeipa-users] Re: any freeipa master slave configuration
Hi: I want to make a cluster of 3 nodes. Does this graph show that the servers need 2 virtual IPs so as not to create a single point of failure?

2018-03-15 18:12 GMT+08:00 Florence Blanc-Renaud :
> On 03/15/2018 11:04 AM, barrykfl--- via FreeIPA-users wrote:
>> [...]
>
> Hi,
>
> FreeIPA currently supports only master-master replication mode (also called read-write replicas).
>
> Hope this clarifies,
> Flo
[Freeipa-users] Re: any freeipa master slave configuration
So if server 1 recovers a short time afterwards, it will sync back the correct data, right?

2018-03-15 18:38 GMT+08:00 Florence Blanc-Renaud :
> On 03/15/2018 11:23 AM, barrykfl--- via FreeIPA-users wrote:
>> [...]
>
> The issue with this topology is that a failure of server1 would lead to a situation where server2 and server3 do not communicate and replicate with each other.
>
> This type of topology is described in "Discouraged topology" in IdM guide [1]. The recommendation would be to create a replication agreement between server2 and server3 as described in "Setting up replication between two servers" [2].
>
> HTH,
> Flo
>
> [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/#managing-topology-graph-ui
> [2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/#managing-topology-ui-set-up
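The weakness Florence points out in the hub topology is easy to check mechanically once there are more than three servers. The script below is an added example (mine, not the thread's or the FreeIPA project's code): it parses the text that `ipa topologysegment-find domain` prints (the embedded sample is constructed in that format and encodes the 3-node diagram from this thread, with server1 in the middle) and lists every server whose loss would leave the remaining servers unable to replicate with each other, together with the segment that would close the gap. The hostnames are assumptions.

```python
"""Find single points of failure in a FreeIPA replication topology.

Added example, not FreeIPA code. Input is the output of
`ipa topologysegment-find domain`; SAMPLE_OUTPUT is a constructed sample
in that format (server1 connected to server2 and server3, nothing else).
"""
import re
import sys

SAMPLE_OUTPUT = """\
------------------
2 segments matched
------------------
  Segment name: server1.example.com-to-server2.example.com
  Left node: server1.example.com
  Right node: server2.example.com
  Connectivity: both

  Segment name: server1.example.com-to-server3.example.com
  Left node: server1.example.com
  Right node: server3.example.com
  Connectivity: both
----------------------------
Number of entries returned 2
----------------------------
"""

NODE_LINE = re.compile(r"^\s*(Left|Right) node:\s*(\S+)\s*$")


def parse_segments(text):
    """Return (left, right) pairs. Only the node lines are trusted; the
    segment name is free text and is ignored."""
    segments, left = [], None
    for line in text.splitlines():
        m = NODE_LINE.match(line)
        if not m:
            continue
        if m.group(1) == "Left":
            left = m.group(2)
        elif left is not None:
            segments.append((left, m.group(2)))
            left = None
    return segments


def build_graph(segments):
    """Undirected adjacency sets: a domain segment replicates both ways."""
    graph = {}
    for a, b in segments:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def components(graph, removed=None):
    """Connected components of the graph after deleting `removed`."""
    nodes = set(graph) - {removed}
    seen, comps = set(), []
    for start in sorted(nodes):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n in comp:
                continue
            comp.add(n)
            stack.extend(graph[n] & nodes)
        seen |= comp
        comps.append(comp)
    return comps


def single_points_of_failure(graph):
    """Map each server whose loss splits the topology to the segments that
    would fix it: one representative per resulting fragment, chained."""
    spof = {}
    for node in sorted(graph):
        frags = components(graph, removed=node)
        if len(frags) > 1:
            reps = [min(f) for f in frags]
            spof[node] = list(zip(reps, reps[1:]))
    return spof


def report(text):
    """Analyse topologysegment-find output; return (already_split, spof)."""
    graph = build_graph(parse_segments(text))
    return len(components(graph)) > 1, single_points_of_failure(graph)


if __name__ == "__main__":
    # `-` reads a live listing from stdin; no argument uses the sample.
    source = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_OUTPUT
    already_split, spof = report(source)
    if already_split:
        print("topology is already split into groups that do not replicate")
    for node, fixes in spof.items():
        print("losing %s isolates other servers; add: %s"
              % (node, ", ".join("%s <-> %s" % f for f in fixes)))
    if not spof and not already_split:
        print("no single point of failure")
```

Against a live deployment run `ipa topologysegment-find domain | python3 topology_spof.py -` with an admin ticket. For the sample it reports that losing server1.example.com isolates server2 and server3 and that a server2 <-> server3 segment (`ipa topologysegment-add domain --leftnode=server2.example.com --rightnode=server3.example.com`) removes the weak spot, which is the agreement the reply recommends. The `ca` suffix has its own segments, so repeat the check with `ipa topologysegment-find ca` on deployments with more than one CA.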
[Freeipa-users] migration command cannot enable user
Dear all: I used this migration command to migrate users, but the users do not work.

IPA is unable to generate Kerberos keys unless provided with clear text passwords. All migrated users need to login at https://your.domain/ipa/migration/ before they can use their Kerberos accounts.

Even now, when I want to delete one, it says the account does not exist, but it really is shown in the UI. How do I allow Kerberos accounts to be activated by default so everything works?

ipa migrate-ds --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --with-compat ldap://a.b.com:389

Thanks, barry ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/ZWEFXOR5A6JTK3C4ABYKNEWWQY4KZSAF/
[Freeipa-users] Re: migration command cannot enable user
All usernames migrated but they cannot log in, even though I used https://your.domain/ipa/migration/ and verified successfully; it still says the password is incorrect. Then I wanted to delete all of them, but it said no entry when I pressed delete.

2018-05-22 1:36 GMT+08:00 Rob Crittenden :
> barrykfl--- via FreeIPA-users wrote:
>> Dear all:
>>
>> I used this migration command to migrate users but the users do not work.
>
> How does the user not work? What did you use to confirm it?
>
>> IPA is unable to generate Kerberos keys unless provided with clear text passwords. All migrated users need to login at https://your.domain/ipa/migration/ before they can use their Kerberos accounts.
>>
>> Even now when I want to delete it, it says the account does not exist, but it really is shown in the UI.
>
> Can you try on the command-line:
>
> % ipa user-show someuser
> % ipa user-del someuser
>
> rob

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/J6XKIVWI2DPF7UHAHWYOXBHDCFIMARMQ/
[Freeipa-users] Re: migration command cannot enable user
example 1

Operations Error
Some entries were not deleted
Hide details <https://central03.wisers.com/ipa/ui/#>
- aaron: user not found

example 2

Is it possible to skip the password migration process so users do not need to confirm once (all password hashes were transferred, so users use the same password)?

Regards

2018-05-22 2:13 GMT+08:00 Rob Crittenden :
> barry...@gmail.com wrote:
> > all usernames migrated but cannot login even I
> > used https://your.domain/ipa/migration/
> > <https://your.domain/ipa/migration/> to verified successfully ...It
> > still say password incorrect.
>
> Be sure that user you are binding to the remote server with has read
> access to the userPassword attribute. IPA will not complain if it does
> not get a password set.
>
> > then I want to delete all burtit said no entry when I press del.
>
> Not enough information to help you here. The command-line is easier to
> debug in this regard.
>
> rob
>
> > 2018-05-22 1:36 GMT+08:00 Rob Crittenden
> > <mailto:rcrit...@redhat.com>>:
> >
> >     barrykfl--- via FreeIPA-users wrote:
> >     > Dear all:
> >     >
> >     > I used this migration command migrate users but the user does not
> >     work.
> >
> >     How does the user not work? What did you use to confirm it?
> >
> >     > IPA is unable to generate Kerberos keys unless provided
> >     > with clear text passwords. All migrated users need to
> >     > login at https://your.domain/ipa/migration/
> >     <https://your.domain/ipa/migration/> before they
> >     > can use their Kerberos accounts.
> >     >
> >     > even now i want to del it said account not exists,. but can really
> >     shown
> >     > on UI.
> >
> >     Can you try on the command-line:
> >
> >     % ipa user-show someuser
> >     % ipa user-del someuser
> >
> >     rob

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/OYT2OEHT3HFBZDOWLY7FS3XBASVD6MER/
[Freeipa-users] Error after migration all user from ldap
Hi :

I migrated using commands from IPA 3 to IPA 4:

ipa migrate-ds --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --with-compat ldap://abc.cde.com:389

Fine, I saw everything work, the entries are there ... but when I want to delete an account it says user not found..

(Modifying info is ok) ... any idea ???

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/TKYJ5PK62XLGNG7NIONIPWFUOEMQEF64/
[Freeipa-users] Re: Error after migration all user from ldap
admin ... but this is the new IPA 4.0 admin, not the IPA 3.0 admin ... BUT I tried deleting IPA 4.0's admin and migrating the 3.0 one, which follows the same old ID .. the same situation occurs, del fails.

2018-05-29 22:17 GMT+08:00 Barry :
> admin ….but this is new IPA 4.0 admin not IPA 3.0 admin ….BUT I tried del
> IPA4.0 's admin and migrated 3.0 one which follow old same ID ..same
> situation occur. del fail.
>
> 2018-05-29 21:33 GMT+08:00 Florence Blanc-Renaud :
>
>> On 05/29/2018 12:26 PM, barrykfl--- via FreeIPA-users wrote:
>>
>>> Hi :
>>>
>>> I migrated use commands form ipa 3 to ipa 4
>>>
>>> ipa migrate-ds --user-container=cn=users,cn=accounts
>>> --group-container=cn=groups,cn=accounts --with-compat ldap://
>>> abc.cde.com:389 <http://abc.cde.com:389>
>>>
>>> Fine I saw everything work entries there ...but I want del account it
>>> said user not found..
>>>
>>> (Modify info is ok) ...any idea ???
>>>
>> Hi,
>>
>> which user is authenticated in the WebUI? Is it the admin or another user?
>>
>> Can you provide the content of /var/log/dirsrv/slapd-domxxx/access (you
>> may need to wait a few minutes because it's buffered) when you try to
>> perform the delete?
>>
>> Flo

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/WBRZBARK2TTOZVSSXGJSC3NTHJTV3VRM/
[Freeipa-users] Re: Error after migration all user from ldap
As the log is too long it is enclosed in a txt file; the log relates to using admin to login, find aaron and then del: user not found, 0 entries updated (row 335). The realm is the same. It seems not to bind ..

2018-05-29 22:18 GMT+08:00 :
> admin ….but this is new IPA 4.0 admin not IPA 3.0 admin ….BUT I tried del
> IPA4.0 's admin and migrated 3.0 one which follow old same ID ..same
> situation occur. del fail.
>
> 2018-05-29 22:17 GMT+08:00 Barry :
>
>> admin ….but this is new IPA 4.0 admin not IPA 3.0 admin ….BUT I tried del
>> IPA4.0 's admin and migrated 3.0 one which follow old same ID ..same
>> situation occur. del fail.
>>
>> 2018-05-29 21:33 GMT+08:00 Florence Blanc-Renaud :
>>
>>> On 05/29/2018 12:26 PM, barrykfl--- via FreeIPA-users wrote:
>>>
>>>> Hi :
>>>>
>>>> I migrated use commands form ipa 3 to ipa 4
>>>>
>>>> ipa migrate-ds --user-container=cn=users,cn=accounts
>>>> --group-container=cn=groups,cn=accounts --with-compat ldap://
>>>> abc.cde.com:389 <http://abc.cde.com:389>
>>>>
>>>> Fine I saw everything work entries there ...but I want del account it
>>>> said user not found..
>>>>
>>>> (Modify info is ok) ...any idea ???
>>>>
>>> Hi,
>>>
>>> which user is authenticated in the WebUI? Is it the admin or another
>>> user?
>>>
>>> Can you provide the content of /var/log/dirsrv/slapd-domxxx/access (you
>>> may need to wait a few minutes because it's buffered) when you try to
>>> perform the delete?
>>>
>>> Flo

[29/May/2018:21:35:48.197510890 -0400] conn=162 fd=103 slot=103 connection from 192.168.1.91 to 192.168.1.91
[29/May/2018:21:35:48.202250020 -0400] conn=162 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
[29/May/2018:21:35:48.207119157 -0400] conn=162 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=cde,dc=com"
[29/May/2018:21:35:48.212266769 -0400] conn=162 op=1 UNBIND
[29/May/2018:21:35:48.212290665 -0400] conn=162 op=1 fd=103 closed - U1
[29/May/2018:21:35:55.971030311 -0400] conn=5 op=1246 SRCH base="dc=cde,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=WELLKNOWN/anonym...@cde.com)(krbPrincipalName:caseIgnoreIA5Match:=WELLKNOWN/anonym...@cde.com)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[29/May/2018:21:35:55.971595826 -0400] conn=5 op=1246 RESULT err=0 tag=101 nentries=1 etime=0
[29/May/2018:21:35:55.971730391 -0400] conn=5 op=1247 SRCH base="cn=ipaConfig,cn=etc,dc=cde,dc=com" scope=0 filter="(objectClass=*)" attrs="ipaConfigString ipaKrbAuthzData ipaUserAuthType"
[29/May/2018:21:35:55.971829454 -0400] conn=5 op=1247 RESULT err=0 tag=101 nentries=1 etime=0
[29/May/2018:21:35:55.971992407 -0400] conn=5 op=1248 SRCH base="cn=cde.COM,cn=kerberos,dc=cde,dc=com" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[29/May/2018:21:35:55.972073522 -0400] conn=5 op=1248 RESULT err=0 tag=101 nentries=1 etime=0
[29/May/2018:21:35:55.972204658 -0400] conn=5 op=1249 SRCH base="dc=cde,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/cde@cde.com)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/cde@cde.com)))" attr
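Flo's question above is really "which identity did the delete run as, and what did the server answer". The 389-ds access log answers that, but BIND and RESULT lines have to be paired by conn/op, and for a GSS-SPNEGO bind the mapped identity only appears on the RESULT line (as in the conn=162 lines posted above), while a simple bind carries it on the BIND line. The following script is an added example, not code from the thread or from FreeIPA: it pairs request and result lines, records the effective bind DN per connection, and lists every DEL with who issued it and the LDAP result code. The log lines it runs on are constructed in the same format (the dc=example,dc=test suffix, the helpdesk user and the err=32 outcome are assumptions for the sample, not observations from the thread).

```python
import re
from typing import Dict, List, Optional

# Constructed sample in 389-ds access-log format (not the thread's log).
# conn=162: GSS-SPNEGO bind (identity on the RESULT line), then a DEL that fails with err=32.
# conn=163: simple bind (identity on the BIND line) whose DEL succeeds.
SAMPLE_LOG = """\
[29/May/2018:21:35:48.197510890 -0400] conn=162 fd=103 slot=103 connection from 192.0.2.10 to 192.0.2.10
[29/May/2018:21:35:48.202250020 -0400] conn=162 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
[29/May/2018:21:35:48.207119157 -0400] conn=162 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test"
[29/May/2018:21:35:49.100000000 -0400] conn=162 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=test" scope=2 filter="(uid=aaron)" attrs="dn"
[29/May/2018:21:35:49.100500000 -0400] conn=162 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[29/May/2018:21:35:49.200000000 -0400] conn=162 op=2 DEL dn="uid=aaron,cn=users,cn=accounts,dc=example,dc=test"
[29/May/2018:21:35:49.200800000 -0400] conn=162 op=2 RESULT err=32 tag=107 nentries=0 etime=0
[29/May/2018:21:35:50.000000000 -0400] conn=162 op=3 UNBIND
[29/May/2018:21:35:50.000100000 -0400] conn=162 op=3 fd=103 closed - U1
[29/May/2018:21:36:00.000000000 -0400] conn=163 op=0 BIND dn="uid=helpdesk,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[29/May/2018:21:36:00.001000000 -0400] conn=163 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[29/May/2018:21:36:01.000000000 -0400] conn=163 op=1 DEL dn="uid=bob,cn=users,cn=accounts,dc=example,dc=test"
[29/May/2018:21:36:01.000900000 -0400] conn=163 op=1 RESULT err=0 tag=107 nentries=0 etime=0
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

# LDAP result codes that matter when reading a failed delete
LDAP_RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
                     50: "insufficientAccessRights", 53: "unwillingToPerform"}


def parse_line(line: str) -> Optional[Dict]:
    """Split one access-log line into conn/op/operation type plus its key=value fields.
    Lines without an op= field (connection open bookkeeping) return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    fields = {}
    for key, quoted, bare in KV_RE.findall(rest):
        fields[key] = bare if bare else quoted   # quoted may legitimately be "" (dn="")
    return {"ts": m.group("ts"), "conn": int(m.group("conn")), "op": int(m.group("op")),
            "type": rest.split(" ", 1)[0], "fields": fields}


def audit_deletes(log_text: str) -> List[Dict]:
    """Return one record per DEL: which DN the connection was bound as and how it ended."""
    bound_as: Dict[int, str] = {}      # conn -> effective bind DN ("" means anonymous)
    pending: Dict[tuple, Dict] = {}    # (conn, op) -> request awaiting its RESULT line
    deletes: List[Dict] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["conn"], rec["op"])
        f = rec["fields"]
        if rec["type"] in ("BIND", "DEL"):
            pending[key] = rec
        elif rec["type"] == "RESULT" and key in pending:
            req = pending.pop(key)
            err = int(f.get("err", "0"))
            if req["type"] == "BIND":
                # SASL binds report the mapped identity on RESULT; simple binds carry it on BIND.
                # A failed bind leaves the connection anonymous.
                bound_as[rec["conn"]] = (f.get("dn") or req["fields"].get("dn", "")) if err == 0 else ""
            else:
                deletes.append({"conn": rec["conn"], "op": rec["op"], "ts": rec["ts"],
                                "bound_as": bound_as.get(rec["conn"], ""),
                                "target": req["fields"].get("dn", ""),
                                "err": err, "result": LDAP_RESULT_NAMES.get(err, f"err={err}")})
    return deletes


def needs_review(deletes: List[Dict]) -> List[Dict]:
    """Deletes worth a second look: they failed, or ran on an anonymous connection."""
    return [d for d in deletes if d["err"] != 0 or not d["bound_as"]]


if __name__ == "__main__":
    for d in audit_deletes(SAMPLE_LOG):
        print(f"conn={d['conn']} op={d['op']} as {d['bound_as'] or '<anonymous>'} "
              f"DEL {d['target']} -> {d['result']}")
```

Run against a real /var/log/dirsrv/slapd-*/access, the same pairing shows whether the WebUI delete was issued over a connection bound as uid=admin (as in the thread) or as something else, and whether the server answered noSuchObject or insufficientAccessRights, which are different problems.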
[Freeipa-users] concept at migration of http://server.com/ipa/migration
Hi all:

After I migrated to the new servers using the migrate-ds command, I used server.com:389 to connect and embedded it in 3rd-party open source. I found users can login successfully ... but the http://server.com/ipa/ui cannot ... users have to use http://server.com/ipa/migration, then they can successfully login to the UI.

So what is the difference in these password migrations? Actually, in the 3rd-party open source the user logs in with the LDAP password successfully but the UI fails..

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/D22RHB3ORJ7FHOJKEDUDSEPPJQKUXVPD/
[Freeipa-users] Are freeipa kerberos account and freeipa user ldap account two differenct things?
I used the following command to transfer accounts/groups from 3.0 to 4.0 successfully:

ipa migrate-ds --bind-dn="cn=Directory Manager" --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} --user-ignore-objectclass=mepOriginEntry --with-compat ldap://abc.cde.com

BUT not all users transferred their Kerberos account at http://abc.cde.com/ipa/migration

The strange thing is that when I use abc.cde.com:389 in some 3rd-party apps, they can still read all users' passwords. SO Kerberos accounts and LDAP accounts are different things? Were the LDAP passwords transferred successfully? I don't need to ask all users to go to http://abc.cde.com/ipa/migration to change, right? Only the admin needs to launch the Admin UI ..

Regards
Barry

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/KLM3IFOKSWNGQE27KKCXWQHJP5PCJTSQ/
[Freeipa-users] Re: concept at migration of http://server.com/ipa/migration
Yes, I read the point and knew they are different .. But if most users (90%) don't need to access https://myserver.com/ipa/UI and just use LDAP authorization ... then I don't need to ask users to migrate or change password? Our users (90%) use 3rd-party open source and LDAP auth. ??? Actually, what is an example of Kerberos auth affecting users in such a situation? Users don't self-edit UI info; even for passwords they ask the administrator to reset for them.

Point 6 in document:
It is possible to use LDAP authentication in Identity Management instead of Kerberos authentication, which means that Kerberos hashes are not required for users. However, this limits the capabilities of Identity Management and is not recommended.

2018-05-31 14:26 GMT+08:00 Ernedin Zajko :
> Dear barrykfl,
>
> you may find nicely documented procedure at [1]:
>
> cheers,
> --- Ernedin ZAJKO
> eza...@root.ba
>
> [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/migrating_from_a_directory_server_to_ipa
>
> 340282366920938463463374607431768211456
> On Thu, May 31, 2018 at 6:47 AM Ernedin Zajko wrote:
> >
> > Hi there,
> >
> > UI uses Kerberos...
> >
> > Regards,
> >
> > ---
> >
> > EZajko
> > @root.ba
> >
> > On Thu, May 31, 2018, 05:48 barrykfl--- via FreeIPA-users <
> > freeipa-users@lists.fedorahosted.org> wrote:
> >>
> >> Hi all:
> >>
> >> After I migrated to new Servers .using migrateds command..I used
> >> server.com:389 connect and embedded in
> >> 3 rd opensource.
> >>
> >> I found user can login successfully ...but
> >>
> >> the http://server.com/ipa/ui cannot ...
> >>
> >> user have to use http://server.com/ipa/migration then can success
> >> login the UI.
> >>
> >> So what are the difference is these password migration ? actually at 3
> >> rd part opensource user use ldap password login successfully but the UI
> >> fail..

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/LKDGLUEINE2A2JTLSEUME6HBXNRHFEKW/
[Freeipa-users] Re: concept at migration of http://server.com/ipa/migration
Yes, but we use a third-party password manager to allow users to change their password on another site with a different address. (But most users ask the admin to reset for them.) Users won't touch any LDAP server address UI.

2018-05-31 15:43 GMT+08:00 Ernedin Zajko :
> Dear barrykfl,
>
> one of the issues that will emerge - users updating (changing)
> passwords (if you want them to use ipa ui)
>
> regards,
> --- Ernedin ZAJKO
> eza...@root.ba
>
> 340282366920938463463374607431768211456
>
> On Thu, May 31, 2018 at 9:06 AM wrote:
> >
> > Yes I read the point knew they are difference ..But if most users 90% no
> > need access httsps://myserver.com/ipa/UI and just use ldap authorization
> > ...so I don't need ask user migration or change password ? our users 90%
> > use 3rd party open source and LDAP Auth. ??? actual what example of
> > Kerberos auth affecting user in such situation? users don't self edit UI
> > info even password they ask administartor to reset for them.
> >
> > Point 6 in document:
> > It is possible to use LDAP authentication in Identity Management instead
> > of Kerberos authentication, which means that Kerberos hashes are not
> > required for users. However, this limits the capabilities of Identity
> > Management and is not recommended.
> >
> > 2018-05-31 14:26 GMT+08:00 Ernedin Zajko :
> >>
> >> Dear barrykfl,
> >>
> >> you may find nicely documented procedure at [1]:
> >>
> >> cheers,
> >> --- Ernedin ZAJKO
> >> eza...@root.ba
> >>
> >> [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/migrating_from_a_directory_server_to_ipa
> >>
> >> 340282366920938463463374607431768211456
> >> On Thu, May 31, 2018 at 6:47 AM Ernedin Zajko wrote:
> >> >
> >> > Hi there,
> >> >
> >> > UI uses Kerberos...
> >> >
> >> > Regards,
> >> >
> >> > ---
> >> >
> >> > EZajko
> >> > @root.ba
> >> >
> >> > On Thu, May 31, 2018, 05:48 barrykfl--- via FreeIPA-users <
> >> > freeipa-users@lists.fedorahosted.org> wrote:
> >> >>
> >> >> Hi all:
> >> >>
> >> >> After I migrated to new Servers .using migrateds command..I used
> >> >> server.com:389 connect and embedded in
> >> >> 3 rd opensource.
> >> >>
> >> >> I found user can login successfully ...but
> >> >>
> >> >> the http://server.com/ipa/ui cannot ...
> >> >>
> >> >> user have to use http://server.com/ipa/migration then can success
> >> >> login the UI.
> >> >>
> >> >> So what are the difference is these password migration ? actually at
> >> >> 3 rd part opensource user use ldap password login successfully but the UI
> >> >> fail..

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/7EXS3GQFGECMBHH2XRUGJK5MXMAL65SQ/
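The question running through this thread and the earlier "Are freeipa kerberos account and freeipa user ldap account two different things?" post is which migrated users still need the /ipa/migration step. After migrate-ds a user entry can hold an LDAP password hash (userPassword, which is what a third-party app's simple bind checks) without holding Kerberos keys (krbPrincipalKey, the attribute the KDC reads and the one listed in the access-log search above), and only the latter makes the Kerberos-based UI login work. The script below is an added example, not part of the thread or of FreeIPA: it reads an LDIF export of the user container and classifies each entry by which credentials are present. The LDIF is constructed (users alice, bob and carol under dc=example,dc=test are invented); it assumes the export was taken by a bind DN allowed to read both attributes, since an export that shows no userPassword at all is the symptom Rob describes of a migration bind DN lacking read access to that attribute.

```python
import base64
from typing import Dict, List

# Constructed export of three migrated user entries (not data from the thread).
# alice: LDAP hash and Kerberos keys; bob: LDAP hash only; carol: no credentials at all.
SAMPLE_LDIF = """\
# constructed sample, values are placeholders
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: person
objectClass: krbprincipalaux
uid: alice
userPassword: {SSHA}Y29uc3RydWN0ZWQ=
krbPrincipalName: alice@EXAMPLE.TEST
krbPrincipalKey:: Y29uc3RydWN0ZWQta2V5LWJsb2I=

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
objectClass: person
objectClass: krbprincipalaux
uid: bob
userPassword: {SSHA}Y29uc3RydWN0ZWQ=
krbPrincipalName: bob@EXAMPLE.TEST

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
objectClass: person
uid: carol
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value' and
    'attr:: base64' lines, continuation lines starting with a space. Attribute
    names are lower-cased because LDAP attribute names are case-insensitive."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold a wrapped line
        else:
            logical.append(raw)
    entries: List[Dict[str, List[str]]] = []
    cur: Dict[str, List[str]] = {}
    for line in logical + [""]:              # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>" (binary values such as krbPrincipalKey)
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        cur.setdefault(name.lower(), []).append(value)
    return entries


def migration_status(entry: Dict[str, List[str]]) -> str:
    """Classify an entry by the credentials the migration left behind."""
    has_ldap_hash = bool(entry.get("userpassword"))
    has_krb_keys = bool(entry.get("krbprincipalkey"))
    if has_krb_keys:
        return "kerberos-ready"   # kinit / WebUI and LDAP simple bind both work
    if has_ldap_hash:
        return "ldap-only"        # simple bind works; needs /ipa/migration or a password reset
    return "no-credentials"       # nothing usable migrated: check the migration bind DN's read access


def report(ldif_text: str) -> Dict[str, str]:
    return {e["uid"][0]: migration_status(e) for e in parse_ldif(ldif_text) if "uid" in e}


def users_needing_migration(ldif_text: str) -> List[str]:
    """Users whose LDAP password works but who cannot log in to the Kerberos-based UI yet."""
    return sorted(uid for uid, status in report(ldif_text).items() if status == "ldap-only")


if __name__ == "__main__":
    for uid, status in report(SAMPLE_LDIF).items():
        print(f"{uid:10s} {status}")
    print("still need /ipa/migration:", users_needing_migration(SAMPLE_LDIF))
```

On a real server the export has to be taken as Directory Manager or another identity permitted to read krbPrincipalKey; ordinary users and most service accounts do not see that attribute, so an entry classified as ldap-only from an under-privileged export may simply have been read without the rights to see its keys.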
[Freeipa-users] error keep continue comes out after shutdown for a week
Hi All;

One server of the cluster was shut down for a week and has now returned to normal. But the error comes as below: I already reinitialized it, which worked successfully, but the error keeps being logged in the log file and has already made the log size big.

The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
ARN - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=caToABC.xxx.com" (ABC:389):

Thx
Barry

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/Y4GYC7PHGQI25ZLK5GTL73VHYHIEOLZH/
[Freeipa-users] Errors comes out after reinitaize the replication
ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=abc,dc=com does not exist

Any idea .. thx ... no big impact but it keeps logging the error.

Regards
Barry

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/C6PDOEHCKSWEDRQDLLKARA666SDSXUFO/
[Freeipa-users] Stop samba sevice and winbind
Hi all :

Any idea how to skip booting the smb service and winbind ... or uninstall them without affecting anything .. thx

Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: STOPPED
winbind Service: STOPPED
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/Y3UFHXFGHD2GQOXGSGEUFWTZRQU7QDRH/