Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Karl Forner
>
> I purposely used rather weak wording in my blog to ensure that one
> thinks carefully about making this kind of change. If your original
> master can be brought back up that is definitely the best way to resolve
> it.
>

ok, I'll try this first.


>
> If it was nuked from orbit then yeah you'll need to manually set it.
>
> Note that you can use ipa-replica-manage to do this as well and it has a
> much less scary syntax:
>
> $ ipa-replica-manage dnarange-set yourhost.example.com 168970-168979
>

definitely less scary !


>
> I guess the range 168960-168969 is the rest of the original
> range, presumably assigned to the original master?
>

I am not sure I follow. The default used by my master is 13400-13420,
right?
So I could set 13500-13520 for instance. Or did I miss something?
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Rob Crittenden
Alexander Bokovoy wrote:
> On Fri, 08 Jan 2016, Karl Forner wrote:
>> Ok.
>>
>> I read a work-around on https://blog-rcritten.rhcloud.com/?p=50
>>
>> It says that if one has figured out a safe new range for the replica, the
>> range could be set using:
>>
>> ldapmodify -x -D 'cn=Directory Manager' -W
>> Enter LDAP Password:
>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment
>> Plugin,cn=plugins,cn=config
>> changetype: modify
>> replace: dnaNextValue
>> dnaNextValue: 168970
>> -
>> replace: dnaMaxValue
>> dnaMaxValue: 168979
>> ^D
>>
>> modifying entry "cn=Posix IDs,cn=Distributed Numeric Assignment
>> Plugin,cn=plugins,cn=config"
>>
>>
>> I suppose this can be dangerous, but would you consider it as a
>> work-around, or should it be avoided at all means ?
> 
> Rob is one of FreeIPA project original developers and he wrote this
> code, so he knows it well. To derive dnaMaxValue/dnaNextValue you need to
> consult older server's data, if it is still available (in
> /etc/dirsrv/slapd-INSTANCE/dse.ldif).
> 
> At worst you'd need to back out the change if things would work.

I purposely used rather weak wording in my blog to ensure that one
thinks carefully about making this kind of change. If your original
master can be brought back up that is definitely the best way to resolve it.

If it was nuked from orbit then yeah you'll need to manually set it.

Note that you can use ipa-replica-manage to do this as well and it has a
much less scary syntax:

$ ipa-replica-manage dnarange-set yourhost.example.com 168970-168979

I guess the range 168960-168969 is the rest of the original
range, presumably assigned to the original master?

rob



Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Rob Crittenden
Karl Forner wrote:
> 
> 
> I purposely used rather weak wording in my blog to ensure that one
> thinks carefully about making this kind of change. If your original
> master can be brought back up that is definitely the best way to
> resolve it.
> 
> 
> ok, I'll try this first.
>  
> 
> 
> If it was nuked from orbit then yeah you'll need to manually set it.
> 
> Note that you can use ipa-replica-manage to do this as well and it has a
> much less scary syntax:
> 
> $ ipa-replica-manage dnarange-set yourhost.example.com 168970-168979
> 
> 
> definitely less scary !
>  
> 
> 
> I guess the range 168960-168969 is the rest of the original
> range, presumably assigned to the original master?
> 
> 
> I am not sure I follow. The default used by my master is
> 13400-13420, right?
> So I could set 13500-13520 for instance. Or did I miss something?
>  
> 

My example was based on the ldif you proposed.

What the DNA plugin would have done is split the original range in two.
If you want to stick with that it's fine but you'll never get back
whatever was remaining of that original 100k, at least not
automatically. It all depends on what your needs are.

Using 13410-13419 is probably what you want.

Otherwise you are just picking a new range out of the blue.

There is no tie-in now between the idrange and the DNA range but there
may be at some point. At that time things could go sideways if you pick
a new DNA range that isn't reflected in the idrange.

rob

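The checks Rob describes above (the new DNA sub-range should sit inside the idrange, and the dead master's dnaNextValue/dnaMaxValue from dse.ldif decide what is actually free), as an added example that is not part of the thread or of FreeIPA. The dse.ldif fragment, the idrange (13400, 20 IDs, as in Karl's ID Ranges tab) and the replica hostname are constructed.

```python
"""Sanity-check a hand-picked DNA sub-range for a FreeIPA replica.

Added example, not FreeIPA project code.  It assumes the dead master's
/etc/dirsrv/slapd-INSTANCE/dse.ldif is still readable (Alexander's tip)
and that the replica's idrange is known from the "ID Ranges" tab.
"""
import re
from dataclasses import dataclass

DNA_DN = "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"

# Constructed dse.ldif fragment of the master: it owned 13400-13419 and had
# already handed out two IDs, so 13402-13419 is still unallocated there.
# The dn is folded over two lines, as 389-ds writes long attributes.
MASTER_DSE_LDIF = """\
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=confi
 g
objectClass: top
objectClass: extensibleObject
cn: Posix IDs
dnaType: uidNumber
dnaType: gidNumber
dnaNextValue: 13402
dnaMaxValue: 13419
dnaThreshold: 500
"""


@dataclass(frozen=True)
class IdRange:
    first: int
    last: int  # inclusive, like dnaMaxValue

    @classmethod
    def from_size(cls, first: int, count: int) -> "IdRange":
        """Build from the web UI's 'first id' / 'nb of ids' pair."""
        return cls(first, first + count - 1)

    def overlaps(self, other: "IdRange") -> bool:
        return self.first <= other.last and other.first <= self.last

    def within(self, other: "IdRange") -> bool:
        return other.first <= self.first and self.last <= other.last

    def __str__(self) -> str:
        return f"{self.first}-{self.last}"


def unfold_ldif(text: str) -> list[str]:
    """Join LDIF continuation lines (leading space) back onto their attribute."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_master_dna(ldif_text: str) -> IdRange:
    """Return the master's unallocated [dnaNextValue, dnaMaxValue] from dse.ldif."""
    for entry in re.split(r"\n\s*\n", ldif_text.strip()):
        attrs: dict[str, str] = {}
        for line in unfold_ldif(entry):
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), value.strip())
        if attrs.get("dn", "").lower() == DNA_DN.lower():
            return IdRange(int(attrs["dnanextvalue"]), int(attrs["dnamaxvalue"]))
    raise ValueError("Posix IDs DNA entry not found in dse.ldif")


def check_candidate(candidate: IdRange, idrange: IdRange, master: IdRange) -> list[str]:
    """Problems a candidate replica sub-range would cause; an empty list means clean."""
    problems: list[str] = []
    if not candidate.within(idrange):
        problems.append(
            f"{candidate} is not inside the local idrange {idrange}: it is a range "
            "picked out of the blue and nothing ties it to the idrange")
    if candidate.overlaps(master):
        problems.append(
            f"{candidate} overlaps the master's unallocated {master}: if the master "
            f"comes back, lower its dnaMaxValue to {candidate.first - 1} first, or "
            "both servers may issue the same uidNumber")
    return problems


def dnarange_set_command(replica_fqdn: str, candidate: IdRange) -> str:
    """The less scary syntax Rob mentioned, for the chosen range."""
    return f"ipa-replica-manage dnarange-set {replica_fqdn} {candidate}"


if __name__ == "__main__":
    idrange = IdRange.from_size(13400, 20)       # from the ID Ranges tab
    master = parse_master_dna(MASTER_DSE_LDIF)   # 13402-13419
    for cand in (IdRange(13500, 13520), IdRange(13410, 13419)):
        print(cand, "->", check_candidate(cand, idrange, master) or "ok")
    print(dnarange_set_command("replica.example.com", IdRange(13410, 13419)))
```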


Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Karl Forner
> >
> > I am not sure I follow. The default used by my master is
> > 13400-13420, right?
> > So I could set 13500-13520 for instance. Or did I miss something?
> >
> >
>
> My example was based on the ldif you proposed.
>
> What the DNA plugin would have done is split the original range in two.
> If you want to stick with that it's fine but you'll never get back
> whatever was remaining of that original 100k, at least not
> automatically. It all depends on what your needs are.
>
> Using 13410-13419 is probably what you want.
>

Ok, I get it.



> Otherwise you are just picking a new range out of the blue.
>
> There is no tie-in now between the idrange and the DNA range but there
> may be at some point. At that time things could go sideways if you pick
> a new DNA range that isn't reflected in the idrange.
>

thanks.

[Freeipa-users] How to secure the access to ldap with IPA

2016-01-08 Thread bahan w
Hello !

I configured my IPA server 3.0.0.42 without SSL/TLS access to the LDAP and
I would like to enable this for the ldap.

Is there something specific to use with FreeIPA, or may I follow the DS389 doc?
http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html#configuring-tlsssl-enabled-389-directory-server

Best regards.

Bahan

Re: [Freeipa-users] How to secure the access to ldap with IPA

2016-01-08 Thread Martin Kosek
On 01/08/2016 11:58 AM, bahan w wrote:
> Hello !
> 
> I configured my IPA server 3.0.0.42 without SSL/TLS access to the LDAP and
> I would like to enable this for the ldap.
> 
> Is there something specific to use with FreeIPA, or may I follow the DS389 doc?
> http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html#configuring-tlsssl-enabled-389-directory-server
> 
> Best regards.
> 
> Bahan

Hello,

How did you configure FreeIPA LDAP without SSL/TLS access, again? This is a
mandatory part of FreeIPA LDAP configuration; we always enable TLS, AFAIK.

BTW, did you consider moving to RHEL-7? It has a much newer and cooler FreeIPA
version :-)



[Freeipa-users] Setup of freeipa 4.2.3 failed

2016-01-08 Thread Markus Roth
Hi all,

I tried to install freeipa server (freeipa-server.armv7hl 4.2.3-1.1.fc23),
but the installation failed.

-
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/43]: creating directory server user
  [2/43]: creating directory server instance
  [3/43]: adding default schema
  [4/43]: enabling memberof plugin
  [5/43]: enabling winsync plugin
  [6/43]: configuring replication version plugin
  [7/43]: enabling IPA enrollment plugin
  [8/43]: enabling ldapi
  [9/43]: configuring uniqueness plugin
  [10/43]: configuring uuid plugin
  [11/43]: configuring modrdn plugin
  [12/43]: configuring DNS plugin
  [13/43]: enabling entryUSN plugin
  [14/43]: configuring lockout plugin
  [15/43]: creating indices
  [16/43]: enabling referential integrity plugin
  [17/43]: configuring certmap.conf
  [18/43]: configure autobind for root
  [19/43]: configure new location for managed entries
  [20/43]: configure dirsrv ccache
  [21/43]: enable SASL mapping fallback
  [22/43]: restarting directory server
  [23/43]: adding default layout
  [24/43]: adding delegation layout
  [25/43]: creating container for managed entries
  [26/43]: configuring user private groups
  [27/43]: configuring netgroups from hostgroups
  [28/43]: creating default Sudo bind user
  [29/43]: creating default Auto Member layout
  [30/43]: adding range check plugin
  [31/43]: creating default HBAC rule allow_all
  [32/43]: creating default CA ACL rule
  [33/43]: adding entries for topology management
  [34/43]: initializing group membership
  [35/43]: adding master entry
  [36/43]: initializing domain level
  [37/43]: configuring Posix uid/gid generation
  [38/43]: adding replication acis
  [39/43]: enabling compatibility plugin
  [40/43]: activating sidgen plugin
  [41/43]: activating extdom plugin
  [42/43]: tuning directory server
  [43/43]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
30 seconds
  [1/25]: creating certificate server user
  [2/25]: configuring certificate server instance
  [3/25]: stopping certificate server instance to update CS.cfg
  [4/25]: backing up CS.cfg
  [5/25]: disabling nonces
  [6/25]: set up CRL publishing
  [7/25]: enable PKIX certificate path discovery and validation
  [8/25]: starting certificate server instance
  [9/25]: creating RA agent certificate database
  [10/25]: importing CA chain to RA certificate database
  [11/25]: fixing RA database permissions
  [12/25]: setting up signing cert profile
  [13/25]: setting audit signing renewal to 2 years
  [14/25]: restarting certificate server
  [15/25]: requesting RA certificate from CA
  [16/25]: issuing RA agent certificate
  [17/25]: adding RA agent as a trusted user
  [18/25]: authorizing RA to modify profiles
  [19/25]: configure certmonger for renewals
  [20/25]: configure certificate renewals
  [21/25]: configure RA certificate renewal
  [22/25]: configure Server-Cert certificate renewal
  [23/25]: Configure HTTP to proxy connections
  [24/25]: restarting certificate server
  [25/25]: Importing IPA certificate profiles
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv). Estimated time: 10 seconds
  [1/3]: configuring ssl for ds instance
  [error] RuntimeError: Certificate issuance failed
ipa.ipapython.install.cli.install_tool(Server): ERROR Certificate issuance failed

---

The last messages in the log file (/var/log/ipaserver-install.log):

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 637, in __enable_ssl
    self.nickname, self.fqdn, cadb)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
    cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 419, in issue_server_cert
    raise RuntimeError("Certificate issuance failed")

2016-01-08T09:33:47Z DEBUG The ipa-server-install command failed,
exception: RuntimeError: Certificate issuance failed
2016-01-08T09:33:47Z ERROR Certificate issuance failed

Any ideas about this error?

Markus

Re: [Freeipa-users] Problem with ipa-getkeytab, usage of ldappasswd

2016-01-08 Thread bahan w
Re.

Thank you for your answer, I forgot to re-add Freeipa-users mailing list.

So I cannot modify the userPassword only and when I generate a keytab with
ipa-getkeytab it doesn't update the userPassword.
Do you know if it is normal behaviour for ipa-getkeytab ? If not, was it
solved in a newer version of IPA ?

Best regards.

Bahan

On Fri, Jan 8, 2016 at 2:37 PM, Alexander Bokovoy wrote:

> On Fri, 08 Jan 2016, bahan w wrote:
>
>> Hello Alexander.
>>
>> Thank you for your answer.
>>
> Please don't ask in private, use freeipa-users@ mailing list.
>
>> Is there a way to modify the field userPassword only ?
>> Do you know if ldappasswd modify something else ?
>>
> There is no way to modify userPassword attribute only. When you are
> modifying userPassword attribute in FreeIPA, IPA's password plugin will
> update all other password attributes, if there are any.
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] How to secure the access to ldap with IPA

2016-01-08 Thread bahan w
Re.

I installed the server like this :

###
ipa-server-install -r  -n  --hostname=
-p '' -a '' --no-ntp --no-ssh --no-sshd -U
###

And for the clients :
###
ipa-client-install --domain= --realm= --fixed-primary
--server= --principal=admin --password=''
--mkhomedir --hostname= --no-ntp --no-ssh --no-sshd
--unattended --force-join
###

And when I check the /etc/openldap/ldap.conf, indeed :
###
#File modified by ipa-client-install

URI ldaps://
BASE dc=
TLS_CACERT /etc/ipa/ca.crt
###

So yes it is already enabled ^_^.
Thank you for your answer.

Best regards.

Bahan
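A small audit of the client-side settings shown above (ldaps:// URI plus TLS_CACERT /etc/ipa/ca.crt, which is what ipa-client-install writes) next to a hand-edited variant that weakens them. This is an added example, not part of Bahan's post or of FreeIPA; the ldap.conf contents and hostnames are constructed because the thread redacts them.

```python
"""Audit an OpenLDAP client ldap.conf for cleartext or unverified LDAP.

Added example, not part of the original post and not FreeIPA code.  It
checks the directives ipa-client-install writes (ldaps:// URI, TLS_CACERT
/etc/ipa/ca.crt) and flags hand-made weakenings.  Inputs are constructed;
hostnames are placeholders since the thread redacts them.
"""
from urllib.parse import urlsplit

# Constructed: the file ipa-client-install leaves behind, per the thread.
GOOD_CONF = """\
#File modified by ipa-client-install

URI ldaps://ipa.example.test
BASE dc=example,dc=test
TLS_CACERT /etc/ipa/ca.crt
"""

# Constructed: a hand-edited variant that quietly downgrades transport security.
WEAK_CONF = """\
URI ldap://ipa.example.test ldaps://ipa2.example.test
BASE dc=example,dc=test
TLS_REQCERT never
"""


def parse_ldap_conf(text: str) -> dict[str, str]:
    """Map each directive (upper-cased; ldap.conf keys are case-insensitive) to
    its value.  A later occurrence overrides an earlier one, as ldap.conf does."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text: str) -> list[str]:
    """Return a list of findings; an empty list means the client side is sane."""
    conf = parse_ldap_conf(text)
    findings: list[str] = []
    uris = conf.get("URI", "").split()
    if not uris:
        findings.append("no URI: tools default to ldap://localhost in cleartext")
    uses_tls = False
    for uri in uris:
        scheme = urlsplit(uri).scheme.lower()
        if scheme == "ldaps":
            uses_tls = True
        elif scheme == "ldap":
            findings.append(f"{uri}: cleartext unless every tool is run with -ZZ "
                            "(STARTTLS); prefer ldaps://")
        elif scheme != "ldapi":
            findings.append(f"{uri}: unexpected scheme {scheme!r}")
    # OpenLDAP's default for TLS_REQCERT is 'demand'; never/allow skip verification.
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not "
                        "verified, so a spoofed IPA server is accepted")
    if uses_tls and "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT: the IPA CA (/etc/ipa/ca.crt) is not "
                        "trusted, which pushes people towards TLS_REQCERT never")
    return findings


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(name, "->", audit_ldap_conf(conf) or "ok")
```

Only the OpenLDAP client tools read this file; SSSD and the IPA framework have their own TLS settings and need their own check.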

Re: [Freeipa-users] Setup of freeipa 4.2.3 failed

2016-01-08 Thread Martin Babinsky

On 01/08/2016 01:06 PM, Markus Roth wrote:

Hi all,

I tried to install freeipa server (freeipa-server.armv7hl 4.2.3-1.1.fc23),
but the installation failed.

-
Configuring NTP daemon (ntpd)
   [1/4]: stopping ntpd
   [2/4]: writing configuration
   [3/4]: configuring ntpd to start on boot
   [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
   [1/43]: creating directory server user
   [2/43]: creating directory server instance
   [3/43]: adding default schema
   [4/43]: enabling memberof plugin
   [5/43]: enabling winsync plugin
   [6/43]: configuring replication version plugin
   [7/43]: enabling IPA enrollment plugin
   [8/43]: enabling ldapi
   [9/43]: configuring uniqueness plugin
   [10/43]: configuring uuid plugin
   [11/43]: configuring modrdn plugin
   [12/43]: configuring DNS plugin
   [13/43]: enabling entryUSN plugin
   [14/43]: configuring lockout plugin
   [15/43]: creating indices
   [16/43]: enabling referential integrity plugin
   [17/43]: configuring certmap.conf
   [18/43]: configure autobind for root
   [19/43]: configure new location for managed entries
   [20/43]: configure dirsrv ccache
   [21/43]: enable SASL mapping fallback
   [22/43]: restarting directory server
   [23/43]: adding default layout
   [24/43]: adding delegation layout
   [25/43]: creating container for managed entries
   [26/43]: configuring user private groups
   [27/43]: configuring netgroups from hostgroups
   [28/43]: creating default Sudo bind user
   [29/43]: creating default Auto Member layout
   [30/43]: adding range check plugin
   [31/43]: creating default HBAC rule allow_all
   [32/43]: creating default CA ACL rule
   [33/43]: adding entries for topology management
   [34/43]: initializing group membership
   [35/43]: adding master entry
   [36/43]: initializing domain level
   [37/43]: configuring Posix uid/gid generation
   [38/43]: adding replication acis
   [39/43]: enabling compatibility plugin
   [40/43]: activating sidgen plugin
   [41/43]: activating extdom plugin
   [42/43]: tuning directory server
   [43/43]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
30 seconds
   [1/25]: creating certificate server user
   [2/25]: configuring certificate server instance
   [3/25]: stopping certificate server instance to update CS.cfg
   [4/25]: backing up CS.cfg
   [5/25]: disabling nonces
   [6/25]: set up CRL publishing
   [7/25]: enable PKIX certificate path discovery and validation
   [8/25]: starting certificate server instance
   [9/25]: creating RA agent certificate database
   [10/25]: importing CA chain to RA certificate database
   [11/25]: fixing RA database permissions
   [12/25]: setting up signing cert profile
   [13/25]: setting audit signing renewal to 2 years
   [14/25]: restarting certificate server
   [15/25]: requesting RA certificate from CA
   [16/25]: issuing RA agent certificate
   [17/25]: adding RA agent as a trusted user
   [18/25]: authorizing RA to modify profiles
   [19/25]: configure certmonger for renewals
   [20/25]: configure certificate renewals
   [21/25]: configure RA certificate renewal
   [22/25]: configure Server-Cert certificate renewal
   [23/25]: Configure HTTP to proxy connections
   [24/25]: restarting certificate server
   [25/25]: Importing IPA certificate profiles
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv). Estimated time: 10 seconds
   [1/3]: configuring ssl for ds instance
   [error] RuntimeError: Certificate issuance failed
ipa.ipapython.install.cli.install_tool(Server): ERROR Certificate issuance failed

---

The last messages in the log file (/var/log/ipaserver-install.log):

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 637, in __enable_ssl
    self.nickname, self.fqdn, cadb)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
    cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 419, in issue_server_cert
    raise RuntimeError("Certificate issuance failed")

2016-01-08T09:33:47Z DEBUG The ipa-server-install command failed,
exception: RuntimeError: Certificate issuance failed
2016-01-08T09:33:47Z ERROR Certificate issuance failed

Any ideas about this error?

Markus




Sounds similar to https://fedorahosted.org/freeipa/ticket/5376, but I 
cannot be sure without seeing the installation log 
(/var/log/ipaserver-install.log).


As a workaround, you can try to re-run the installation in verbose mode 
using '-v' option and see if it succeeds. Be prepared for a lot of 
garbage spouted on the output, though.


--
Martin^3 Babinsky


Re: [Freeipa-users] Problem with ipa-getkeytab, usage of ldappasswd

2016-01-08 Thread Alexander Bokovoy

On Fri, 08 Jan 2016, bahan w wrote:

Hello !

I send you this mail, because I have a problem with a user who needs keytab
and password.
I already sent a mail some time ago, and the answer was to use the option
-P of the ipa-getkeytab command.

I'm still running IPA 3.0.0-42 with RHEL 6.6 for specific reasons and I
cannot move to earlier versions unfortunately.

Here is what I do:

I create the user test001
###
ipa user-add --first=test --last=test test001
###

Initiate an OTP for user test001
###
ipa passwd test001 pwd001
###

Then I set a permanent password
###
kinit test001
Password for test001@MYREALM:
Password expired.  You must change it now.
Enter new password: pwd002pwd002
Enter it again: pwd002pwd002
###

Then I perform an ldapsearch :
###
ldapsearch -x -D "uid=test001,cn=users,cn=accounts,dc=myrealm" -h  -p 389 -W uid=test001
Enter LDAP Password:
###

It worked.

Then I generated a keytab for this user with a password :
###
ipa-getkeytab -s  -p test001 -k
/etc/security/keytabs/test001.headless.keytab -P
New Principal Password: pwd003pwd003
Verify Principal Password: pwd003pwd003
Keytab successfully retrieved and stored in:
/etc/security/keytabs/test001.headless.keytab
###

Then I perform a new ldapsearch
###
ldapsearch -x -D "uid=test001,cn=users,cn=accounts,dc=myrealm" -h  -p 389 -W uid=test001
Enter LDAP Password:
###

When I enter the password pwd003pwd003, it does not work with the following
result :
###
Enter LDAP Password:pwd003pwd003
ldap_bind: Invalid credentials (49)
###

When I use the old password pwd002pwd002, it works.

So my question :
When I create the ipa-getkeytab, how can I also set the password in the
ldap ?
May I use ldappasswd ?

When you are using ipa-getkeytab it only changes kerberos keys. It
is a separate attribute from userPassword.

When you run kpasswd or 'ipa passwd', those will cause updating all
password attributes thanks to a special IPA password plugin that
synchronizes the userPassword value with all other attributes.

--
/ Alexander Bokovoy



[Freeipa-users] Problem with ipa-getkeytab, usage of ldappasswd

2016-01-08 Thread bahan w
Hello !

I send you this mail, because I have a problem with a user who needs keytab
and password.
I already sent a mail some time ago, and the answer was to use the option
-P of the ipa-getkeytab command.

I'm still running IPA 3.0.0-42 with RHEL 6.6 for specific reasons and I
cannot move to earlier versions unfortunately.

Here is what I do:

I create the user test001
###
ipa user-add --first=test --last=test test001
###

Initiate an OTP for user test001
###
ipa passwd test001 pwd001
###

Then I set a permanent password
###
kinit test001
Password for test001@MYREALM:
Password expired.  You must change it now.
Enter new password: pwd002pwd002
Enter it again: pwd002pwd002
###

Then I perform an ldapsearch :
###
ldapsearch -x -D "uid=test001,cn=users,cn=accounts,dc=myrealm" -h  -p 389 -W uid=test001
Enter LDAP Password:
###

It worked.

Then I generated a keytab for this user with a password :
###
ipa-getkeytab -s  -p test001 -k
/etc/security/keytabs/test001.headless.keytab -P
New Principal Password: pwd003pwd003
Verify Principal Password: pwd003pwd003
Keytab successfully retrieved and stored in:
/etc/security/keytabs/test001.headless.keytab
###

Then I perform a new ldapsearch
###
ldapsearch -x -D "uid=test001,cn=users,cn=accounts,dc=myrealm" -h  -p 389 -W uid=test001
Enter LDAP Password:
###

When I enter the password pwd003pwd003, it does not work with the following
result :
###
Enter LDAP Password:pwd003pwd003
ldap_bind: Invalid credentials (49)
###

When I use the old password pwd002pwd002, it works.

So my question :
When I create the ipa-getkeytab, how can I also set the password in the
ldap ?
May I use ldappasswd ?

Best regards.

Bahan

Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Alexander Bokovoy

On Fri, 08 Jan 2016, Karl Forner wrote:

If you never added users through this IPA server, it has no subset of ID
range
allocated to IDs issued on this server. To obtain this subset, it needs
to talk back to the master on first allocation. Master is missing, thus
it couldn't talk to it.



thanks.

But if I understand correctly, I just cannot add any users from my replica?
Doesn't that defeat the purpose of the replica as a failover server?
Or should obtaining the subset of IDs be part of the process of setting up
a replica?

ID range is relatively scarce. We don't split it across multiple
replicas automatically because most of them will not be used to create
users and thus their sub-ranges will be wasted.

Documentation for the DNA plugin:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Configuration_Command_and_File_Reference/dna-attributes.html

--
/ Alexander Bokovoy



[Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Karl Forner
Hello,

If I go to active users, click Add, fill in login, first and last name, then
click "Add", I get the error message:
Operations error: Allocation of a new value for range cn=posix
ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed!
Unable to proceed.

I also tried to add a staged user. This works, but when I try to activate
it, I get the same error:
Operations error: Allocation of a new value for range cn=posix
ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed!
Unable to proceed.


I looked in the IPA Server -> ID Ranges tab:
first id: 13400
nb of ids: 20
type: local domain range

The freeIPA server is a CA-replica, and the main server is currently down.

What could be the problem ?

Thanks.
Karl

Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Karl Forner
> If you never added users through this IPA server, it has no subset of ID
> range
> allocated to IDs issued on this server. To obtain this subset, it needs
> to talk back to the master on first allocation. Master is missing, thus
> it couldn't talk to it.
>

thanks.

But if I understand correctly, I just cannot add any users from my replica?
Doesn't that defeat the purpose of the replica as a failover server?
Or should obtaining the subset of IDs be part of the process of setting up
a replica?

 Best,

>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Rob Crittenden
Karl Forner wrote:
> Hello,
> 
> If I go to active users, click Add, fill in login, first and last name,
> then click "Add", I get the error message:
> Operations error: Allocation of a new value for range cn=posix
> ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config
> failed! Unable to proceed.
> 
> I also tried to add a staged user. This works, but when I try to
> activate it, I get the same error:
> Operations error: Allocation of a new value for range cn=posix
> ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config
> failed! Unable to proceed.
> 
> 
> I looked in the IPA Server -> ID Ranges tab:
> first id: 13400
> nb of ids: 20
> type: local domain range
> 
> The freeIPA server is a CA-replica, and the main server is currently down.
> 
> What could be the problem ?

http://blog-rcritten.rhcloud.com/?p=50

rob



Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Karl Forner
Ok.

I read a work-around on https://blog-rcritten.rhcloud.com/?p=50

It says that if one has figured out a safe new range for the replica, the
range could be set using:

ldapmodify -x -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: dnaNextValue
dnaNextValue: 168970
-
replace: dnaMaxValue
dnaMaxValue: 168979
^D

modifying entry "cn=Posix IDs,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config"


I suppose this can be dangerous, but would you consider it as a
work-around, or should it be avoided at all means ?






On Fri, Jan 8, 2016 at 5:17 PM, Alexander Bokovoy wrote:

> On Fri, 08 Jan 2016, Karl Forner wrote:
>
>>> If you never added users through this IPA server, it has no subset of ID
>>> range
>>> allocated to IDs issued on this server. To obtain this subset, it needs
>>> to talk back to the master on first allocation. Master is missing, thus
>>> it couldn't talk to it.
>>>
>>>
>> thanks.
>>
>> But if I understand, I just can not add any users from my replica ?
>> Does not it defeat the purpose of the replica as a failover server ?
>> Or obtaining the subset of IDs should be part of the process of setting-up
>> a replica ?
>>
> ID range is relatively scarce. We don't split it across multiple
> replicas automatically because most of them will not be used to create
> users and thus their sub-ranges will be wasted.
>
> Documentation for the DNA plugin:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Configuration_Command_and_File_Reference/dna-attributes.html
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Alexander Bokovoy

On Fri, 08 Jan 2016, Karl Forner wrote:

Ok.

I read a work-around on https://blog-rcritten.rhcloud.com/?p=50

It says that if one has figured out a safe new range for the replica, the
range could be set using:

ldapmodify -x -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: dnaNextValue
dnaNextValue: 168970
-
replace: dnaMaxValue
dnaMaxValue: 168979
^D

modifying entry "cn=Posix IDs,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config"


I suppose this can be dangerous, but would you consider it as a
work-around, or should it be avoided at all means ?


Rob is one of FreeIPA project original developers and he wrote this
code, so he knows it well. To derive dnaMaxValue/dnaNextValue you need to
consult older server's data, if it is still available (in
/etc/dirsrv/slapd-INSTANCE/dse.ldif).

At worst you'd need to back out the change if things would work.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Problem with ipa-getkeytab, usage of ldappasswd

2016-01-08 Thread Simo Sorce
On Fri, 2016-01-08 at 15:49 +0100, bahan w wrote:
> Re.
> 
> Thank you for your answer, I forgot to re-add Freeipa-users mailing list.
> 
> So I cannot modify the userPassword only and when I generate a keytab with
> ipa-getkeytab it doesn't update the userPassword.
> Do you know if it is normal behaviour for ipa-getkeytab ? If not, was it
> solved in a newer version of IPA ?

Hi Bahan,
this is a behavior of the older getkeytab control that is used in
RHEL6 (ipa 3.x versions). Due to the way this operation was built we do
not get a clear text password on the server so we can't generate
userPassword hashes.

In ipa4.x a better control has been introduced and userPassword is also
updated (as well as password policies are enforced) when a user uses
ipa-getkeytab.

On older servers, what you can do to keep using a password as well as a
keytab is to first set the password with kpasswd and then use
ipa-getkeytab with the same password to store a keytab. This should
leave things in sync IIRC.

HTH,
Simo.

> Best regards.
> 
> Bahan
> 
> On Fri, Jan 8, 2016 at 2:37 PM, Alexander Bokovoy wrote:
> 
> > On Fri, 08 Jan 2016, bahan w wrote:
> >
> >> Hello Alexander.
> >>
> >> Thank you for your answer.
> >>
> > Please don't ask in private, use freeipa-users@ mailing list.
> >
> >> Is there a way to modify the field userPassword only ?
> >> Do you know if ldappasswd modify something else ?
> >>
> > There is no way to modify userPassword attribute only. When you are
> > modifying userPassword attribute in FreeIPA, IPA's password plugin will
> > update all other password attributes, if there are any.
> >
> > --
> > / Alexander Bokovoy
> >


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Alexander Bokovoy

On Fri, 08 Jan 2016, Karl Forner wrote:

Hello,

If I go to active users, click Add, fill in login, first and last name, then
click "Add", I get the error message:
Operations error: Allocation of a new value for range cn=posix
ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed!
Unable to proceed.

I also tried to add a staged user. This works, but when I try to activate
it, I get the same error:
Operations error: Allocation of a new value for range cn=posix
ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed!
Unable to proceed.


I looked in the IPA Server -> ID Ranges tab:
first id: 13400
nb of ids: 20
type: local domain range

The freeIPA server is a CA-replica, and the main server is currently down.

What could be the problem ?

If you never added users through this IPA server, it has no subset of ID range
allocated to IDs issued on this server. To obtain this subset, it needs
to talk back to the master on first allocation. Master is missing, thus
it couldn't talk to it.

--
/ Alexander Bokovoy
