Re: [Freeipa-users] List SPAM

2017-04-27 Thread Lachlan Musicman
On 24 April 2017 at 12:24, Prasun Gera  wrote:

> That doesn't work very well. The spam bots use different emails. And gmail
> marks the entire message thread as spam, not just the spam reply.
>
> On Sun, Apr 23, 2017 at 7:20 AM, Dewangga Bachrul Alam <
> dewangg...@xtremenitro.org> wrote:
>
>> Mark as spam, and they're gone from my inbox. :)
>>
>>


If you are using gmail:

 - block the email address
 - mark the message as spam (not the thread)
 - you can then delete the message in question


Note that this can still cause issues wrt workplace and SFW images, as
Gmail automatically "previews" images.

I leave them to deal with at home and have reported the problem to my
manager and IT team so they know it's not my fault - as both acknowledge
and understand that this forum has been very valuable to us wrt getting
things working.

L.



--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Creating another sudo rules full

2017-04-27 Thread Dewangga Bachrul Alam
Hello!

Is it possible to create another sudo rule that is the same as
sudo_rule_full or admin privileges? It means that the user can run
`sudo su -` without a password.

I've created a similar rule, but no luck.

[root@idm ~]# ipa sudorule-show sudo_rules_rekanalar
  Rule name: sudo_rules_rekanalar
  Enabled: TRUE
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: rekanalar
  Host Groups: rekanalarservers
  Sudo Option: !authenticate

## Client
[user@server02-v2 ~]$ sudo -l
[sudo] password for user:

But if I change/add the user to the admins group, it can successfully invoke
the `sudo su -` command without a password.

Any help is appreciated.
Many thanks


Re: [Freeipa-users] CA Certificate didn't automatically transfer to replica(s)

2017-04-27 Thread Dewangga Bachrul Alam
Hello!

On 04/26/2017 08:08 PM, Florence Blanc-Renaud wrote:
> On 04/25/2017 10:56 AM, Dewangga Bachrul Alam wrote:
> Hello!
>
> Master IPA Server:
> - I install 1 (one) server as master (self-signed) and add/modify
>   using external CA.
> - I am using ipa-cacert-manage install then ipa-certupdate on master
> 
>> Hi,
> 
>> I think I got you wrong... Do you mean that you installed IPA
>> with an integrated IdM CA which was self-signed, then your intent
>> was to move to integrated IdM CA externally signed? In this case,
>> the right command would be ipa-cacert-manage renew --external-ca,
>> and the procedure is described in "Changing the certificate
>> chain" [1].

Ah thanks for your corrections and information, then what should I do?
Should I run ipa-cacert-manage renew --external-ca ?

> 
>> The command ipa-cacert-manage install does not replace the
>> integrated IdM CA but adds the certificate as a known CA.
> 
>> Hope this clarifies, Flo
> 
>> [1]
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/change-cert-chaining.html
>
> Replica IPA Server:
> - I install 1 (one) server as client and promoted to ipa-replica:
> - I run `ipa-client-install` and autodiscovery
> - Then `ipa-replica-install --principal admin --admin-password `
> 
> I've hit ipa-certupdate -v to verbose the logs (attached at first 
> email). Then replica server aren't using external CA(s) like master
> did.
> 
> So, I did the same like master, using `ipa-cacert-manage` on
> replica, and it's work fine. If it's normal, then thanks for
> clarifying this.
> 
> On 04/25/2017 02:52 PM, Florence Blanc-Renaud wrote:
 Hi,

 As your email refers to self-signed and signed CA
 certificate, can you please clarify the exact steps that you
 followed? It looks like
 - you first installed FreeIPA with a self-signed CA
 - you added an external CA (did you use ipa-cacert-manage
   install on 1 server then ipa-certupdate on all replicas?)
 - you replaced the httpd/LDAP certificates with a cert signed
   from the external CA (you probably ran ipa-server-certinstall
   on one server).

 In this case it is normal that the httpd/LDAP certificates on
 the replica were not updated as they are different (each IPA
 server has his own httpd/LDAP cert which contains the
 hostname in its subject). You can check this by performing on
 each server:
 ipaserver$ sudo certutil -d /etc/httpd/alias/ -L -n Server-Cert | grep Subject:
 Subject: "CN=ipaserver.domain.com,O=DOMAIN.COM"

 If the goal is to replace the httpd/LDAP certificates on the
 replica, the command ipa-server-certinstall must also be run
 on the replica with the appropriate certificate.

 HTH, Flo.

 On 04/22/2017 10:41 AM, Dewangga Bachrul Alam wrote:
 Hello!

 Just update, manually add external CA(s) and signed
 certificated was successful, but why it's didn't
 automatically transferred to replica(s) from master.

 On 04/22/2017 03:00 PM, Dewangga Bachrul Alam wrote:
>>> Hello!
>>> 
>>> I've successfully create replica, everything works fine
>>> but why my signed CA certificate didn't automatically
>>> transfer to another replica(s)? Is it normal?
>>> 
>>> Trying to add manually, but the certificate in
>>> replica(s) still using self-signed. Here's the output
>>> from `ipa-certupdate -v` 
>>> https://paste.fedoraproject.org/paste/U53pyXUa7Z34kLfiKh1QKV5M1UNdIGYhyRLivL9gydE=
>>>
>>> Interesting line was :
>>> 
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n IPA CA -a
>>> ipa: DEBUG: Process finished, return code=255
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA : PR_FILE_NOT_FOUND_ERROR: File not found
>>>
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n External CA cert -a
>>> ipa: DEBUG: Process finished, return code=255
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert : PR_FILE_NOT_FOUND_ERROR: File not found
>>> 
>>> FYI: The replica server previously was a client and
>>> promoted to be a replica by hitting this command: 
>>> `ipa-replica-install --principal admin
>>> --admin-password admin_password`
>>> 
>>> Any hints?
>>> 

Re: [Freeipa-users] TLS 1.2 for PKI+SLAPD

2017-04-27 Thread Callum Guy
Managed to get PKI/Tomcat patched for TLS 1.2.

/etc/pki/pki-tomcat/server.xml
...
  sslVersionRangeStream="tls1_2:tls1_2"
  sslVersionRangeDatagram="tls1_2:tls1_2"
...
Thanks, resolved.

On Thu, Apr 27, 2017 at 10:01 PM Callum Guy  wrote:

> For others reference this is regarding CentOS 7.2 with FreeIPA 4.4.0
>
> Directory server change suggested on the link are for an older version.
> Minimum TLS support can be altered as follows:
>
> /etc/dirsrv/slapd-DOMAIN.COM/dse.ldif
>
> dn: cn=encryption,cn=config
> allowWeakCipher: off
> cn: encryption
> createTimestamp: 20161130110528Z
> creatorsName: cn=server,cn=plugins,cn=config
> modifiersName: cn=Directory Manager
> modifyTimestamp: 20161213085006Z
> nsSSLClientAuth: allowed
> nsSSLSessionTimeout: 0
> nsSSL3Ciphers: default
> objectClass: top
> objectClass: nsEncryptionConfig
> sslVersionMin: TLS1.2
>
> I'm still working on port 8443 (DogTag/PKI/Tomcat) - configuration in
> /usr/share/pki/server/conf/server.xml seems to roughly match the linked
> article however its all tokenized as shown below:
>
> sslOptions="[TOMCAT_SSL_OPTIONS]"
> ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
> ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
> tlsCiphers="[TOMCAT_TLS_CIPHERS]"
> sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]"
> sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]"
> sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]"
>
> I'll feed back if i work it out.
>
> Thanks,
>
> On Thu, Apr 27, 2017 at 8:22 PM Callum Guy  wrote:
>
>> Thanks so much for the link Rob - i'm on 4.4.0. I'll get back in touch if
>> i run into any issues - i find it difficult to locate these help pages so
>> really do appreciate the advice
>>
>> On Thu, Apr 27, 2017 at 8:16 PM Rob Crittenden 
>> wrote:
>>
>>> Callum Guy wrote:
>>> > Hi All,
>>> >
>>> > I'm currently looking at hardening my FreeIPA server as part of a PCI
>>> > assessment.
>>> >
>>> > I am hoping to be able to fix PKI (ports 8443) and SLAPD (LDAPS) to use
>>> > only TLS1.2 - both currently support TLS1.0 and unfortunately that is
>>> > non-compliant for my environment.
>>> >
>>> > Also i'm very much hoping not to break my installation!
>>> >
>>> > Does anyone have experience in this area?
>>>
>>> It depends very much on what version you are running but see
>>> https://access.redhat.com/articles/2801181 for inspiration.
>>>
>>> rob
>>>
>>>

-- 



*0333 332   |  www.x-on.co.uk   |   ** 
    
   * 
X-on is a trading name of Storacall Technology Ltd a limited company 
registered in England and Wales.
Registered Office : Avaland House, 110 London Road, Apsley, Hemel 
Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
The information in this e-mail is confidential and for use by the 
addressee(s) only. If you are not the intended recipient, please notify 
X-on immediately on +44(0)333 332  and delete the
message from your computer. If you are not a named addressee you must not 
use, disclose, disseminate, distribute, copy, print or reply to this email. 
Views 
or opinions expressed by an individual
within this email may not necessarily reflect the views of X-on or its 
associated companies. Although X-on routinely screens for viruses, 
addressees should scan this email and any attachments
for viruses. X-on makes no representation or warranty as to the absence of 
viruses in this email or any attachments.


Re: [Freeipa-users] TLS 1.2 for PKI+SLAPD

2017-04-27 Thread Callum Guy
For others reference this is regarding CentOS 7.2 with FreeIPA 4.4.0

Directory server change suggested on the link are for an older version.
Minimum TLS support can be altered as follows:

/etc/dirsrv/slapd-DOMAIN.COM/dse.ldif

dn: cn=encryption,cn=config
allowWeakCipher: off
cn: encryption
createTimestamp: 20161130110528Z
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=Directory Manager
modifyTimestamp: 20161213085006Z
nsSSLClientAuth: allowed
nsSSLSessionTimeout: 0
nsSSL3Ciphers: default
objectClass: top
objectClass: nsEncryptionConfig
sslVersionMin: TLS1.2

I'm still working on port 8443 (DogTag/PKI/Tomcat) - configuration in
/usr/share/pki/server/conf/server.xml seems to roughly match the linked
article however its all tokenized as shown below:

sslOptions="[TOMCAT_SSL_OPTIONS]"
ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
tlsCiphers="[TOMCAT_TLS_CIPHERS]"
sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]"
sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]"
sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]"

I'll feed back if i work it out.

Thanks,

On Thu, Apr 27, 2017 at 8:22 PM Callum Guy  wrote:

> Thanks so much for the link Rob - i'm on 4.4.0. I'll get back in touch if
> i run into any issues - i find it difficult to locate these help pages so
> really do appreciate the advice
>
> On Thu, Apr 27, 2017 at 8:16 PM Rob Crittenden 
> wrote:
>
>> Callum Guy wrote:
>> > Hi All,
>> >
>> > I'm currently looking at hardening my FreeIPA server as part of a PCI
>> > assessment.
>> >
>> > I am hoping to be able to fix PKI (ports 8443) and SLAPD (LDAPS) to use
>> > only TLS1.2 - both currently support TLS1.0 and unfortunately that is
>> > non-compliant for my environment.
>> >
>> > Also i'm very much hoping not to break my installation!
>> >
>> > Does anyone have experience in this area?
>>
>> It depends very much on what version you are running but see
>> https://access.redhat.com/articles/2801181 for inspiration.
>>
>> rob
>>
>>


Re: [Freeipa-users] TLS 1.2 for PKI+SLAPD

2017-04-27 Thread Callum Guy
Thanks so much for the link Rob - i'm on 4.4.0. I'll get back in touch if i
run into any issues - i find it difficult to locate these help pages so
really do appreciate the advice

On Thu, Apr 27, 2017 at 8:16 PM Rob Crittenden  wrote:

> Callum Guy wrote:
> > Hi All,
> >
> > I'm currently looking at hardening my FreeIPA server as part of a PCI
> > assessment.
> >
> > I am hoping to be able to fix PKI (ports 8443) and SLAPD (LDAPS) to use
> > only TLS1.2 - both currently support TLS1.0 and unfortunately that is
> > non-compliant for my environment.
> >
> > Also i'm very much hoping not to break my installation!
> >
> > Does anyone have experience in this area?
>
> It depends very much on what version you are running but see
> https://access.redhat.com/articles/2801181 for inspiration.
>
> rob
>
>


Re: [Freeipa-users] TLS 1.2 for PKI+SLAPD

2017-04-27 Thread Rob Crittenden
Callum Guy wrote:
> Hi All,
> 
> I'm currently looking at hardening my FreeIPA server as part of a PCI
> assessment.
> 
> I am hoping to be able to fix PKI (ports 8443) and SLAPD (LDAPS) to use
> only TLS1.2 - both currently support TLS1.0 and unfortunately that is
> non-compliant for my environment.
> 
> Also i'm very much hoping not to break my installation!
> 
> Does anyone have experience in this area?

It depends very much on what version you are running but see
https://access.redhat.com/articles/2801181 for inspiration.

rob



[Freeipa-users] TLS 1.2 for PKI+SLAPD

2017-04-27 Thread Callum Guy
Hi All,

I'm currently looking at hardening my FreeIPA server as part of a PCI
assessment.

I am hoping to be able to fix PKI (ports 8443) and SLAPD (LDAPS) to use
only TLS1.2 - both currently support TLS1.0 and unfortunately that is
non-compliant for my environment.

Also i'm very much hoping not to break my installation!

Does anyone have experience in this area?

Best Regards,

Callum


Re: [Freeipa-users] "Purge" scripts?

2017-04-27 Thread Rob Crittenden
Robert L. Harris wrote:
> 
> "apt-get remove --purge "  or "dpkg -P " should remove all
> files.  On a previous build I tried the --uninstall and got an error.
> Right now I'm trying the PPA and 17.04 and getting a KRB error.

As I said, configuration is not erased on package removal, on purpose
(in Fedora anyway, I've never examined the debian packaging).

Without exact error messages and logs it will be very difficult to
diagnose the problems you're having.

rob

> 
> On Thu, Apr 27, 2017 at 9:06 AM Rob Crittenden wrote:
> 
> Martin Bašti wrote:
> >
> >
> > On 26.04.2017 20:07, Robert L. Harris wrote:
> >>   So twice now I've tried installing freeipa on an Ubuntu 16.04
> >> system.  Both times I've gotten an error and followed the instructions
> >> to "fix it" and they didn't work so I removed files ( with purge ),
> >> cleaned up everything I could find related to freeipa, sssd and kerb
> >> but trying to run it again gives either a different error or the same
> >> error with a different process output indicating it's not 100% clean.
> >>
> >>Is there a known list of paths, packages or files to make sure are
> >> un-installed or wiped out to make the system 100% clean?  Preferably
> >> for Ubuntu.
> >>
> >> Robert
> >>
> >>
> >>
> >
> > Hello, could you be more specific about the errors?
> 
> I think it is a misunderstanding. Removing the packages doesn't undo the
> configuration. I think he needs to reinstall the packages and run
> ipa-server-install --uninstall (though the ipa-upgrade post-install
> command may blow up on reinstall).
> 
> rob
> 


Re: [Freeipa-users] "Purge" scripts?

2017-04-27 Thread Robert L. Harris
"apt-get remove --purge "  or "dpkg -P " should remove all
files.  On a previous build I tried the --uninstall and got an error.
Right now I'm trying the PPA and 17.04 and getting a KRB error.

On Thu, Apr 27, 2017 at 9:06 AM Rob Crittenden  wrote:

> Martin Bašti wrote:
> >
> >
> > On 26.04.2017 20:07, Robert L. Harris wrote:
> >>   So twice now I've tried installing freeipa on an Ubuntu 16.04
> >> system.  Both times I've gotten an error and followed the instructions
> >> to "fix it" and they didn't work so I removed files ( with purge ),
> >> cleaned up everything I could find related to freeipa, sssd and kerb
> >> but trying to run it again gives either a different error or the same
> >> error with a different process output indicating it's not 100% clean.
> >>
> >>Is there a known list of paths, packages or files to make sure are
> >> un-installed or wiped out to make the system 100% clean?  Preferably
> >> for Ubuntu.
> >>
> >> Robert
> >>
> >>
> >>
> >
> > Hello, could you be more specific about the errors?
>
> I think it is a misunderstanding. Removing the packages doesn't undo the
> configuration. I think he needs to reinstall the packages and run
> ipa-server-install --uninstall (though the ipa-upgrade post-install
> command may blow up on reinstall).
>
> rob
>

Re: [Freeipa-users] "Purge" scripts?

2017-04-27 Thread Rob Crittenden
Martin Bašti wrote:
> 
> 
> On 26.04.2017 20:07, Robert L. Harris wrote:
>>   So twice now I've tried installing freeipa on an Ubuntu 16.04
>> system.  Both times I've gotten an error and followed the instructions
>> to "fix it" and they didn't work so I removed files ( with purge ),
>> cleaned up everything I could find related to freeipa, sssd and kerb
>> but trying to run it again gives either a different error or the same
>> error with a different process output indicating it's not 100% clean.  
>>
>>Is there a known list of paths, packages or files to make sure are
>> un-installed or wiped out to make the system 100% clean?  Preferably
>> for Ubuntu.
>>
>> Robert
>>
>>
>>
> 
> Hello, could you be more specific about the errors?

I think it is a misunderstanding. Removing the packages doesn't undo the
configuration. I think he needs to reinstall the packages and run
ipa-server-install --uninstall (though the ipa-upgrade post-install
command may blow up on reinstall).

rob


Re: [Freeipa-users] "Purge" scripts?

2017-04-27 Thread Robert L. Harris
   It changes each time it seems.  In a minute I'm going to do a completely
virgin install under a "script" session for Ubuntu 16.04 and 17.04 with and
with the PPAs then upload the scripts to pastebin so they can be looked at.

Robert


On Thu, Apr 27, 2017 at 9:01 AM Martin Bašti  wrote:

>
>
> On 26.04.2017 20:07, Robert L. Harris wrote:
>
>   So twice now I've tried installing freeipa on an Ubuntu 16.04 system.
> Both times I've gotten an error and followed the instructions to "fix it"
> and they didn't work so I removed files ( with purge ), cleaned up
> everything I could find related to freeipa, sssd and kerb but trying to run
> it again gives either a different error or the same error with a different
> process output indicating it's not 100% clean.
>
>Is there a known list of paths, packages or files to make sure are
> un-installed or wiped out to make the system 100% clean?  Preferably for
> Ubuntu.
>
> Robert
>
>
>
>
> Hello, could you be more specific about the errors?
>
>
> Martin
>
> --
> Martin Bašti
> Software Engineer
> Red Hat Czech
>
>

Re: [Freeipa-users] "Purge" scripts?

2017-04-27 Thread Martin Bašti



On 26.04.2017 20:07, Robert L. Harris wrote:
> So twice now I've tried installing freeipa on an Ubuntu 16.04
> system.  Both times I've gotten an error and followed the instructions
> to "fix it" and they didn't work so I removed files ( with purge ),
> cleaned up everything I could find related to freeipa, sssd and kerb
> but trying to run it again gives either a different error or the same
> error with a different process output indicating it's not 100% clean.
>
> Is there a known list of paths, packages or files to make sure are
> un-installed or wiped out to make the system 100% clean?  Preferably
> for Ubuntu.
>
> Robert

Hello, could you be more specific about the errors?

Martin

--
Martin Bašti
Software Engineer
Red Hat Czech


Re: [Freeipa-users] IPA PKI Questions

2017-04-27 Thread Kendal Montgomery
Thank you! I’ll give the re-initialization of all my replicas a try!

Kendal 

On 4/27/17, 5:58 AM, "thierry bordaz"  wrote:



On 04/26/2017 11:58 PM, Rob Crittenden wrote:
> Kendal Montgomery wrote:
>> Hi all,
>>
>>   
>>
>> I’ve been struggling the last few days with rebuilding part of my
>> FreeIPA infrastructure, which has led me to some questions about how
>> some of the IPA infrastructure works.  To give a bit of background, I
>> have two IPA servers (my initially installed IPA server, and a replica)
>> both of which have DNS, NTP, and CA roles.  I’m running CentOS 7.3,
>> FreeIPA 4.4 currently (upgraded from original CentOS 7 installations
>> which I believe was FreeIPA 4.1? initially).  I have several remote sites
>> that each have two IPA server replicas that have replication topology
>> segments for domain and ca suffixes back to the two on-prem IPA
>> servers.  This has been working quite well for over a year now, through
>> the upgrades, etc.  Occasionally I get an issue with getting some
>> conflicting records in LDAP, which I’ve cleared up by following some of
>> the documentation out there.  It seems when this happens however, I end
>> up getting into a situation where replication stops working, and I end
>> up needing to “refresh” the installations. I have done this once so far,
>> and am in the process again currently, by deleting each remote IPA
>> server (ipa server-del), then re-installing each server to get a clean
>> copy of the databases for everything.  Last time I had no issues doing
>> this.  This time around, I’m running into some issues with the CA
>> setup.  I seem to be able to run ipa-replica-install just fine without
>> the --setup-ca option.  I may be running into some issues identified in
>> an earlier post this week, so I’ll ask about this issue separately if I
>> continue to have problems.  In working through these issues, I realized
>> I don’t really know enough about how the interaction between the IPA
>> clients and IPA server is working, with regard to the PKI
>> infrastructure.  I have some questions on what server roles I need at
>> each site and how the PKI infrastructure works within the IPA
>> environment, and how the clients communicate to it:
>>
> You don't need to uninstall a master in order to fix replication issues.
> You can re-initialize it from a working master. I'm pretty sure that if
> you re-init one you need to re-init them all though, to be safe. I cc'd
> a couple of 389-ds devs to clarify.
Hi Kendal,

Regarding re-initialization it is a safety practice to re-init all of 
them when you need to re-init one.
It is sometimes not necessary to re-init all servers, but checking if it
is necessary or not usually takes more time than a full reinit. A concern
with a full reinit is if you have a large database (so the reinit takes longer) or
difficulty finding a calm period to do this task.

Reading your description I understand that you had to cleanup some 
conflicting entries (ldapsearch -D 'cn=directory manager' -W -b 
"" "(objectclass=nsds5ReplConflict)" dn). The management of 
those entries will greatly improve but it is a complex task, with many 
corner cases. The better is to avoid creation of those entries. A 
recommendation to avoid those entries is, avoid parallel upgrade of IPA 
servers and do not disconnect IPA servers when doing those upgrade.

regards
>
>> 1)   How do the IPA clients discover servers with the CA role and
>> use them?
> They don't, they talk to one of the IPA masters and lets that figure it out.
>
> An IPA master does this by looking at cn=,
> cn=masters,cn=ipa,cn=etc,$SUFFIX
>
>> 2)   Is all this interaction done through APIs on the IPA server –
>> in other words, are these requests fielded by the IPA server and proxied
>> somehow to known servers with the CA role?
> Right.
>
>> 3)   Do the clients need “direct” access to a server with the CA
>> role to request and obtain certificates and renewals? (i.e. do I need
>> each IPA server to have the CA role)?
> Nope.
>
>> 4)   Is it sufficient to just have one server with CA role at each
>> site?  Or even just one at the main on-prem site?
> One per site may be sufficient, you want to ensure that you have > 1 CAs
> and since you have separate sites, having one at each would give you
> lots of leeway in case of catastrophe.
>
> rob





Re: [Freeipa-users] IPA PKI Questions

2017-04-27 Thread Kendal Montgomery
Excellent, thanks for the information regarding re-initialization.  I had tried 
this before, but I still ended up having issues in the logs where it says 
something along the lines of a CSN is no longer available, may need to do a 
full re-initialization after I did that. It seems to only happen on some of the 
servers, but I wanted to make sure everything is clean at the remote sites.  I 
will give this a try again instead of removing and re-adding all of them.

Thanks for clearing up those details regarding the servers with CA roles and 
client interactions, and how to place the CA role servers. That’s very helpful! 
 I think it would be great if that were added to the documentation.

Thanks all!

Kendal

On 4/26/17, 5:58 PM, "Rob Crittenden"  wrote:

Kendal Montgomery wrote:
> Hi all,
> 
>  
> 
> I’ve been struggling the last few days with rebuilding part of my
> FreeIPA infrastructure, which has led me to some questions about how
> some of the IPA infrastructure works.  To give a bit of background, I
> have two IPA servers (my initially installed IPA server, and a replica)
> both of which have DNS, NTP, and CA roles.  I’m running CentOS 7.3,
> FreeIPA 4.4 currently (upgraded from original CentOS 7 installations
> which I believe was FreeIPA 4.1? initiall).  I have several remote sites
> that each have two IPA server replicas that have replication topology
> segments for domain and ca suffixes back to the two on-prem IPA
> servers.  This has been working quite well for over a year now, through
> the upgrades, etc.  Occasionally I get an issue with getting some
> conflicting records in LDAP, which I’ve cleared up by following some of
> the documentation out there.  It seems when this happens however, I end
> up getting into a situation where replication stops working, and I end
> up needing to “refresh” the installations. I have done this once so far,
> and am in the process again currently, by deleting each remote IPA
> server (ipa server-del), then re-installing each server to get a clean
> copy of the databases for everything.  Last time I had no issues doing
> this.  This time around, I’m running into some issues with the CA
> setup.  I seem to be able to run ipa-replica-install just fine without
> the --setup-ca option.  I may be running into some issues identified in
> an earlier post this week, so I’ll ask about this issue separately if I
> continue to have problems.  In working through these issues, I realized
> I don’t really know enough about how the interaction between the IPA
> clients and IPA server is working, with regard to the PKI
> infrastructure.  I have some questions on what server roles I need at
> each site and how the PKI infrastructure works within the IPA
> environment, and how the clients communicate to it:
> 

You don't need to uninstall a master in order to fix replication issues.
You can re-initialize it from a working master. I'm pretty sure that if
you re-init one you need to re-init them all though, to be safe. I cc'd
a couple of 389-ds devs to clarify.

> 
> 1)   How do the IPA clients discover servers with the CA role and
> use them?

They don't, they talk to one of the IPA masters and lets that figure it out.

An IPA master does this by looking at cn=,
cn=masters,cn=ipa,cn=etc,$SUFFIX

> 2)   Is all this interaction done through APIs on the IPA server –
> in other words, are these requests fielded by the IPA server and proxied
> somehow to known servers with the CA role?

Right.

> 3)   Do the clients need “direct” access to a server with the CA
> role to request and obtain certificates and renewals? (i.e. do I need
> each IPA server to have the CA role)?

Nope.

> 4)   Is it sufficient to just have one server with CA role at each
> site?  Or even just one at the main on-prem site?

One per site may be sufficient, you want to ensure that you have > 1 CAs
and since you have separate sites, having one at each would give you
lots of leeway in case of catastrophe.

rob




Re: [Freeipa-users] IPA PKI Questions

2017-04-27 Thread thierry bordaz



On 04/26/2017 11:58 PM, Rob Crittenden wrote:

> Kendal Montgomery wrote:
>> Hi all,
>>
>> I’ve been struggling the last few days with rebuilding part of my
>> FreeIPA infrastructure, which has led me to some questions about how
>> some of the IPA infrastructure works.  To give a bit of background, I
>> have two IPA servers (my initially installed IPA server, and a replica)
>> both of which have DNS, NTP, and CA roles.  I’m running CentOS 7.3,
>> FreeIPA 4.4 currently (upgraded from original CentOS 7 installations
>> which I believe was FreeIPA 4.1? initially).  I have several remote sites
>> that each have two IPA server replicas that have replication topology
>> segments for domain and ca suffixes back to the two on-prem IPA
>> servers.  This has been working quite well for over a year now, through
>> the upgrades, etc.  Occasionally I get an issue with getting some
>> conflicting records in LDAP, which I’ve cleared up by following some of
>> the documentation out there.  It seems when this happens however, I end
>> up getting into a situation where replication stops working, and I end
>> up needing to “refresh” the installations. I have done this once so far,
>> and am in the process again currently, by deleting each remote IPA
>> server (ipa server-del), then re-installing each server to get a clean
>> copy of the databases for everything.  Last time I had no issues doing
>> this.  This time around, I’m running into some issues with the CA
>> setup.  I seem to be able to run ipa-replica-install just fine without
>> the --setup-ca option.  I may be running into some issues identified in
>> an earlier post this week, so I’ll ask about this issue separately if I
>> continue to have problems.  In working through these issues, I realized
>> I don’t really know enough about how the interaction between the IPA
>> clients and IPA server is working, with regard to the PKI
>> infrastructure.  I have some questions on what server roles I need at
>> each site and how the PKI infrastructure works within the IPA
>> environment, and how the clients communicate to it:
>
> You don't need to uninstall a master in order to fix replication issues.
> You can re-initialize it from a working master. I'm pretty sure that if
> you re-init one you need to re-init them all though, to be safe. I cc'd
> a couple of 389-ds devs to clarify.

Hi Kendal,

Regarding re-initialization, it is a safety practice to re-init all of 
them when you need to re-init one.
It is sometimes not necessary to re-init all servers, but checking whether 
it is necessary or not usually takes more time than a full reinit. A concern 
with a full reinit is if you have a large database (so the reinit takes 
longer) or difficulty finding a calm period to do this task.


Reading your description I understand that you had to clean up some 
conflicting entries (ldapsearch -D 'cn=directory manager' -W -b "" 
"(objectclass=nsds5ReplConflict)" dn). The management of 
those entries will greatly improve but it is a complex task, with many 
corner cases. The best approach is to avoid creating those entries. A 
recommendation for avoiding them: avoid parallel upgrades of IPA 
servers, and do not disconnect IPA servers when doing those upgrades.


regards



>> 1)   How do the IPA clients discover servers with the CA role and
>> use them?
>
> They don't, they talk to one of the IPA masters and let that figure it out.
>
> An IPA master does this by looking at cn=,
> cn=masters,cn=ipa,cn=etc,$SUFFIX
>
>> 2)   Is all this interaction done through APIs on the IPA server –
>> in other words, are these requests fielded by the IPA server and proxied
>> somehow to known servers with the CA role?
>
> Right.
>
>> 3)   Do the clients need “direct” access to a server with the CA
>> role to request and obtain certificates and renewals? (i.e. do I need
>> each IPA server to have the CA role)?
>
> Nope.
>
>> 4)   Is it sufficient to just have one server with CA role at each
>> site?  Or even just one at the main on-prem site?
>
> One per site may be sufficient, you want to ensure that you have > 1 CAs
> and since you have separate sites, having one at each would give you
> lots of leeway in case of catastrophe.
>
> rob
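
Added example, not part of the original messages and not 389-ds or FreeIPA code: the conflict search quoted in the reply above returns only DNs, and in 389-ds a naming-conflict entry is stored as nsuniqueid=<id>+<original RDN>,<parent>. The Python below unfolds the LDIF, decodes base64 (`dn::`) values and groups the conflict entries by the DN they were meant to have; the sample LDIF, the dc=example,dc=test suffix and all function names are constructed for illustration.

```python
import base64
import re
from collections import defaultdict

# Constructed LDIF shaped like the output of the conflict search (DNs only):
# a folded DN, a second conflict for the same entry, and a base64 (`dn::`) DN.
_B64_DN = base64.b64encode(
    "nsuniqueid=aa11bb22-33cc44dd-55ee66ff-00112233+cn=Zo\u00eb,cn=groups,dc=example,dc=test"
    .encode("utf-8")).decode("ascii")
SAMPLE_LDIF = (
    "dn: nsuniqueid=0a950601-435311e0-86a2f5bd-3cd26022+uid=jdoe,cn=users,cn=acco\n"
    " unts,dc=example,dc=test\n\n"
    "dn: nsuniqueid=0b1c2d3e-435311e0-86a2f5bd-3cd26022+uid=jdoe,cn=users,"
    "cn=accounts,dc=example,dc=test\n\n"
    f"dn:: {_B64_DN}\n"
)

def conflict_dns(ldif):
    """Unfold LDIF continuation lines and return each DN, decoding `dn::` values."""
    dns = []
    for line in ldif.replace("\n ", "").splitlines():
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:])
    return dns

def split_conflict_dn(dn):
    """Return (nsuniqueid, intended_dn), or None if the DN is not a conflict DN."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)   # first RDN, then parent DN
    avas = re.split(r"(?<!\\)\+", parts[0])         # components of a multi-valued RDN
    ids = [a.split("=", 1)[1] for a in avas if a.lower().startswith("nsuniqueid=")]
    rest = [a for a in avas if not a.lower().startswith("nsuniqueid=")]
    if not ids or not rest:
        return None
    return ids[0], ",".join(["+".join(rest)] + parts[1:])

def group_conflicts(ldif):
    """Map each intended DN to the nsuniqueid values of its conflict entries."""
    groups = defaultdict(list)
    for dn in conflict_dns(ldif):
        parsed = split_conflict_dn(dn)
        if parsed:
            groups[parsed[1]].append(parsed[0])
    return dict(groups)

if __name__ == "__main__":
    for intended, ids in group_conflicts(SAMPLE_LDIF).items():
        print(f"{intended}: {len(ids)} conflict entr{'y' if len(ids) == 1 else 'ies'}")
```

Each key in the result is the live entry to compare against before deciding which copy to keep.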




Re: [Freeipa-users] I think I lost my CA...

2017-04-27 Thread Florence Blanc-Renaud

On 04/26/2017 04:33 PM, Bret Wortman wrote:

> So I can see my certs using cert-find, but can't get details using
> cert-show or add new ones using cert-request.
>
> # ipa cert-find
> :
> --
> Number of entries returned 385
> --
> # ipa cert-show 895
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (503)
> # ipa cert-show 1 (which does not exist)
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (503)
> # ipa cert-status 895
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (503)
> #
>
> Is this an IPV6 thing? Because ipactl shows everything green and
> certmonger is running.


Hi Bret,

the issue looks similar to https://pagure.io/freeipa/issue/6575 and 
https://pagure.io/dogtagpki/issue/2570 which were IPv6 related. Note 
that IPv6 must be enabled on the machine but IPA does not require an 
IPv6 address to be configured (except for the loopback).


You can check the following:
- is PKI listening to port 8009 on IPv6 or IPv4 interface?
sudo netstat -tunpl | grep 8009
tcp6   0  0 127.0.0.1:8009  :::* LISTEN  10749/java

- /etc/pki/pki-tomcat/server.xml defines a redirection from port 8009 to 
8443, and the "address" part is important:



In the above example, it will be using localhost which can resolve 
either to IPv4 or IPv6.


- /etc/hosts must define the loopback addresses with
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6


HTH,
Flo.

> Bret
>
> On 04/26/2017 09:03 AM, Bret Wortman wrote:
>> Digging still deeper:
>>
>> # ipa cert-request f.f --principal=HTTP/`hostname`@DAMASCUSGRP.COM
>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>> communicate with CMS (503)
>>
>> Looks like this is an HTTP error; so is it possible that my IPA thinks
>> it has a CA but there's no CMS available?
>>
>> On 04/26/2017 08:41 AM, Bret Wortman wrote:
>>> Using the firefox debugger, I get these errors when trying to pop up
>>> the New Certificate dialog:
>>>
>>> Empty string passed to getElementById(). (5)
>>> jquery.js:4:1060
>>> TypeError: u is undefined
>>> app.js:1:362059
>>> Empty string passed to getElementById(). (5)
>>> jquery.js:4:1060
>>> TypeError: t is undefined
>>> app.js:1:217432
>>>
>>> I'm definitely not a web kind of guy so I'm not sure if this is
>>> helpful or not. This is on 4.4.0, API Version 2.213.
>>>
>>> Bret
>>>
>>> On 04/26/2017 08:35 AM, Bret Wortman wrote:
>>>> Good news. One of my servers _does_ have CA installed. So why does
>>>> "Action -> New Certificate" not do anything on this or any other server?
>>>>
>>>> Bret
>>>>
>>>> On 04/25/2017 02:52 PM, Bret Wortman wrote:
>>>>> I recently had to upgrade all my Fedora IPA servers to C7. It went
>>>>> well, and we've been up and running nicely on 4.4.0 on C7 for the
>>>>> past month or so.
>>>>>
>>>>> Today, someone came and asked me to generate a new certificate for
>>>>> their web server. All was good until I went to the IPA UI and tried
>>>>> to perform Actions->New Certificate, which did nothing. I tried
>>>>> each of our 3 servers in turn. All came back with no popup window
>>>>> and no error, either.
>>>>>
>>>>> I suspect the problem might be that we no longer have a CA server
>>>>> due to the method I used to upgrade the servers. I likely missed a
>>>>> "--setup-ca" in there somewhere, so my rolling update rolled over
>>>>> the CA.
>>>>>
>>>>> What's my best hope of recovery? I never ran this before, so I'm
>>>>> not sure if this shows that I'm missing a CA or not:
>>>>>
>>>>> # ipa ca-find
>>>>>
>>>>> 1 CA matched
>>>>>
>>>>>   Name: ipa
>>>>>   Description IPA CA
>>>>>   Authority ID: 3ce3346[...]
>>>>>   Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM
>>>>>   Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM
>>>>>
>>>>> Number of entries returned 1
>>>>>
>>>>> # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA,
>>>>> O=DAMASCUSGRP.COM"
>>>>> ipa: ERROR: Failed to authenticate to CA REST API
>>>>> # klist
>>>>> Ticket cache: KEYRING:persistent:0:0
>>>>> Default principal: ad...@damascusgrp.com
>>>>>
>>>>> Valid starting  Expires  Service principal
>>>>> 04/25/2017 18:48:26 04/26/2017 18:48:21
>>>>> krbtgt/damascusgrp@damascusgrp.com
>>>>> #
>>>>>
>>>>> What's my best path of recovery?
>>>>>
>>>>> --
>>>>> *Bret Wortman*
>>>>> The Damascus Group




















Re: [Freeipa-users] How to customized freeipa certificate form

2017-04-27 Thread Fraser Tweedale
On Thu, Apr 27, 2017 at 12:02:56PM +0530, rajkumar wrote:
> Hello Fraser,
> 
> OK, I got similar fields, the MD5 Fingerprint and SHA1 Fingerprint values, in
> the certificate form in freeipa, but their values are disabled in the
> certificate form in the webui. Please suggest how I can enable these values
> via the webui or any other way.
> 
> *Reference: * https://pagure.io/freeipa/issue/6903
> 
> Thanks,
> 
Ah, I think I understand now.  You just need the existing fields to
be populated properly?  Yes, it appears to be a bug that these are
not filled out.

Thank you for reporting the issue in the bug tracker.  Could you
please indicate what version of FreeIPA you are using?

Cheers,
Fraser

> 
> On 04/27/2017 11:49 AM, Fraser Tweedale wrote:
> > On Thu, Apr 27, 2017 at 10:16:15AM +0530, rajkumar wrote:
> > > Hello Fraser,
> > > 
> > > Thanks for your quick reply. I need to add a hash value field to the
> > > certificate details form and write code to get the hash value of the
> > > created certificate and show it in that hash value field. Please suggest
> > > how I can do this, and also suggest the latest source of freeipa.
> > > 
> > The UI will only show information from within the certificate
> > itself, or immutable metadata about it.  Do you mean that you want
> > to see a digest of the certificate?  If not, could you be more clear
> > about exactly what data you need to see, and how it is derived from
> > the certificate?
> > 
> > If you want to set your own data into the cert when issuing it,
> > could you be more clear about what data exactly, and how you want it
> > to appear in the certificate?
> > 
> > Thanks,
> > Fraser
> > 
> > > 
> > > On 04/27/2017 08:13 AM, Fraser Tweedale wrote:
> > > > On Wed, Apr 26, 2017 at 07:02:08PM +0530, rajkumar wrote:
> > > > > Hello Freeipa Team,
> > > > > 
> > > > > I am new to freeipa. I have installed freeipa to generate
> > > > > certificates for our products. I have generated certificates and it
> > > > > works fine, but I need to customize the freeipa certificate form to
> > > > > add more fields. Please suggest how I can achieve this.
> > > > > 
> > > > > Reference: please find the attachment of the certificate form. I need
> > > > > to add more fields to that form.
> > > > > 
> > > > What is your use case?
> > > > 
> > > > I suspect (but please clarify) that it does not really matter to you
> > > > what fields we display in the UI, but rather, what is actually in
> > > > the certificate.  Could you please clarify:
> > > > 
> > > > 1. What you actually need put into the certificate(s)
> > > > 
> > > > 2. What you want displayed when viewing a cert in the Web UI, that
> > > >  is not currently displayed.
> > > > 
> > > > Thanks,
> > > > Fraser
> > > -- 
> > > Regards,
> > > Rajkumar E
> > > r...@gworks.mobi
> > > 8675496254.
> > > 
> 
> -- 
> Regards,
> Rajkumar E
> r...@gworks.mobi
> 8675496254.
> 



Re: [Freeipa-users] How to customized freeipa certificate form

2017-04-27 Thread Fraser Tweedale
On Thu, Apr 27, 2017 at 10:16:15AM +0530, rajkumar wrote:
> Hello Fraser,
> 
> Thanks for your quick reply. I need to add a hash value field to the
> certificate details form and write code to get the hash value of the
> created certificate and show it in that hash value field. Please suggest
> how I can do this, and also suggest the latest source of freeipa.
> 
The UI will only show information from within the certificate
itself, or immutable metadata about it.  Do you mean that you want
to see a digest of the certificate?  If not, could you be more clear
about exactly what data you need to see, and how it is derived from
the certificate?

If you want to set your own data into the cert when issuing it,
could you be more clear about what data exactly, and how you want it
to appear in the certificate?

Thanks,
Fraser

> 
> 
> On 04/27/2017 08:13 AM, Fraser Tweedale wrote:
> > On Wed, Apr 26, 2017 at 07:02:08PM +0530, rajkumar wrote:
> > > Hello Freeipa Team,
> > > 
> > > I am new to freeipa. I have installed freeipa to generate certificates
> > > for our products. I have generated certificates and it works fine, but I
> > > need to customize the freeipa certificate form to add more fields.
> > > Please suggest how I can achieve this.
> > > 
> > > Reference: please find the attachment of the certificate form. I need to
> > > add more fields to that form.
> > > 
> > What is your use case?
> > 
> > I suspect (but please clarify) that it does not really matter to you
> > what fields we display in the UI, but rather, what is actually in
> > the certificate.  Could you please clarify:
> > 
> > 1. What you actually need put into the certificate(s)
> > 
> > 2. What you want displayed when viewing a cert in the Web UI, that
> > is not currently displayed.
> > 
> > Thanks,
> > Fraser
> 
> -- 
> Regards,
> Rajkumar E
> r...@gworks.mobi
> 8675496254.
> 
