Re: [Freeipa-users] disable inactive accounts and delete old accounts

2017-01-09 Thread Giger, Justean
I should add that I do not have the "disable last success" option enabled for 
the IPA server
Justean

From: Justean Giger
Date: Friday, January 6, 2017 at 9:10 AM
To: "freeipa-users@redhat.com"
Subject: disable inactive accounts and delete old accounts

I am trying to use the krblastsuccessfulauth attribute to detect accounts that 
have been inactive for >90 days as per this post: 
https://www.redhat.com/archives/freeipa-users/2015-March/msg00052.html
I need to be able to disable these accounts at 90 days then delete them after 
180 days.
However, I find most of my users do not have the krblastsuccessfulauth 
attribute populated. This is not because their accounts have never been used as 
I see they do have valid passwords which expire in the future so they had to 
log in at least once (not necessarily with Kerberos though). Is there another 
attribute we can/should use for this?

Justean
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] disable inactive accounts and delete old accounts

2017-01-06 Thread Giger, Justean
I am trying to use the krblastsuccessfulauth attribute to detect accounts that 
have been inactive for >90 days as per this post: 
https://www.redhat.com/archives/freeipa-users/2015-March/msg00052.html
I need to be able to disable these accounts at 90 days then delete them after 
180 days.
However, I find most of my users do not have the krblastsuccessfulauth 
attribute populated. This is not because their accounts have never been used as 
I see they do have valid passwords which expire in the future so they had to 
log in at least once (not necessarily with Kerberos though). Is there another 
attribute we can/should use for this?

Justean Giger
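As an added example (not code from this thread), here is a Python sketch of the 90/180-day classification the post describes, run over constructed user entries shaped like python-ldap results. It treats a missing krbLastSuccessfulAuth as "unknown" rather than idle, which is the gap the poster ran into; the uid values and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

DISABLE_AFTER_DAYS = 90   # disable accounts idle this long
DELETE_AFTER_DAYS = 180   # delete accounts idle this long


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as 20161001120000Z into an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def classify(entry: dict, now: datetime) -> str:
    """Return 'unknown', 'active', 'disable' or 'delete' for one user entry.

    krbLastSuccessfulAuth is written by the KDC only on a successful Kerberos
    authentication, and not at all when the "KDC:Disable Last Success" config
    string is set, so an absent value is reported as 'unknown' rather than
    being treated as an idle account.
    """
    values = entry.get("krbLastSuccessfulAuth")
    if not values:
        return "unknown"
    idle = now - parse_generalized_time(values[0])
    if idle >= timedelta(days=DELETE_AFTER_DAYS):
        return "delete"
    if idle >= timedelta(days=DISABLE_AFTER_DAYS):
        return "disable"
    return "active"


def plan(entries: list, now: datetime) -> dict:
    """Map each uid to its action; entries are python-ldap style attr -> [values] dicts."""
    return {entry["uid"][0]: classify(entry, now) for entry in entries}


# Constructed sample entries (hypothetical users), shaped like python-ldap results.
NOW = datetime(2017, 1, 6, 12, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"uid": ["alice"], "krbLastSuccessfulAuth": ["20170102080000Z"]},  # 4 days idle
    {"uid": ["bob"], "krbLastSuccessfulAuth": ["20160901080000Z"]},    # 127 days idle
    {"uid": ["carol"], "krbLastSuccessfulAuth": ["20160601080000Z"]},  # 219 days idle
    {"uid": ["dave"], "krbPasswordExpiration": ["20170401000000Z"]},   # no Kerberos auth recorded
]

if __name__ == "__main__":
    for uid, action in sorted(plan(SAMPLE_ENTRIES, NOW).items()):
        print(f"{uid}: {action}")
```

Accounts reported as "unknown" need a second signal (for example a password-expiration date or an SSSD log review) before any action, since their last Kerberos authentication was never recorded.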

Re: [Freeipa-users] [E] Migration Question

2016-09-14 Thread Giger, Justean
We did the same and have had zero issues. In fact, one overzealous colleague 
moved one out of our 5 IDM servers to Oracle while all the others were still on 
Red Hat and things still worked. I have not tried to get support for IDM with 
Oracle though so not sure how that goes.

From: [sender elided] on behalf of "Armstrong, Jeffrey"
Date: Wednesday, September 14, 2016 at 6:20 AM
To: "freeipa-users@redhat.com"
Subject: [E] [Freeipa-users] Migration Question

Hi

My company is migrating from RedHat Linux to Oracle Linux. I warned them that 
IdM could be a problem. Does anyone know if IPA works after the migration?

Jeff Armstrong

Re: [Freeipa-users] Solaris 10 client configuration using profile

2014-10-15 Thread Giger, Justean
Thank you both. I successfully set up a new profile on the server and am able 
to use it with authentication. It seems to work for existing users but I am 
having issues when I add new user access via HBAC so I am trying to figure that 
part out. There are a few options I can invoke using ldapclient manual that I 
cannot seem to add to the profile (mainly attributeMap settings) but I don't 
think that is the issue. I will plug away at it more tomorrow and see if I can 
figure it out.

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Sigbjorn Lie
Sent: Saturday, October 11, 2014 11:26 AM
To: Alexander Bokovoy
Cc: sipazzo; Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
On Sat, October 11, 2014 19:54, Alexander Bokovoy wrote:
 On Sat, 11 Oct 2014, Rob Crittenden wrote:

 sipazzo wrote:
 Thank you, I know where the profile is in the directory tree and how 
 I would invoke it were it there... I don't know how to get it into 
 the directory tree so that it is available to clients. I see posts 
 giving examples of different profiles that could be used but no post as to 
 how to add it to the directory. Sorry if I am missing something obvious.

 On Fri, 10/10/14, Rob Crittenden rcrit...@redhat.com wrote:


 Subject: Re: [Freeipa-users] Solaris 10 client configuration using 
 profile
 To: sipazzo sipa...@yahoo.com, freeipa-users@redhat.com
 Date: Friday, October 10, 2014, 4:53 PM


 sipazzo wrote:

 Hello, I am trying to set up a default profile for my Solaris 10 IPA 
 clients as recommended. I generated a profile on a Solaris with the 
 attributes I needed except I got an invalid parameter error when 
 specifying the domainName attribute like this -a 
 domainName=example.com even though this parameter works when I use 
 it in ldapclient manual. More of an issue though is I have been 
 unable to find documentation on getting the profile incorporated 
 into the ipa server. How do I get this profile on the ipa server and 
 make it available to my Solaris clients? Also, my understanding is 
 the clients periodically check this profile so they stay updated with the 
 latest configuration information. What generates this check? Is it time 
 based, a restart of a service or ??

 Thank you for any assistance.


 It's been forever since I configured a Solaris anything client but I 
 can tell you where the profile gets stored: 
 cn=profilename,cn=default,ou=profile,$SUFFIX

 IPA ships with a default profile of:

 dn: cn=default,ou=profile,$SUFFIX
 ObjectClass: top
 ObjectClass: DUAConfigProfile
 defaultServerList: $FQDN
 defaultSearchBase: $SUFFIX
 authenticationMethod: none
 searchTimeLimit: 15
 cn: default
 serviceSearchDescriptor: passwd:cn=users,cn=accounts,$SUFFIX
 serviceSearchDescriptor: group:cn=groups,cn=compat,$SUFFIX
 bindTimeLimit: 5
 objectClassMap: shadow:shadowAccount=posixAccount
 followReferrals: TRUE


 The full schema can be found at
 http://docs.oracle.com/cd/E23824_01/html/821-1455/schemas-17.html


 So if your profile is named foo you'd invoke it with something like:

 # ldapclient init -a profileName=foo ipa.example.com

 rob



 Here is an example inspired by https://bugzilla.redhat.com/show_bug.cgi?id=815515


 $ ldapmodify -x -D 'cn=Directory Manager' -W
 dn: cn=solaris_authssl_test,ou=profile,dc=example,dc=com
 objectClass: top
 objectClass: DUAConfigProfile
 cn: solaris_authssl_test
 authenticationMethod: tls:simple
 bindTimeLimit: 5
 credentialLevel: proxy
 defaultSearchBase: dc=example,dc=com
 defaultSearchScope: one
 defaultServerList: ipa01.example.com ipa02.example.com ipa03.example.com
 followReferrals: TRUE
 objectclassMap: shadow:shadowAccount=posixAccount
 objectclassMap: printers:sunPrinter=printerService
 preferredServerList: ipa01.example.com ipa02.example.com
 profileTTL: 6000
 searchTimeLimit: 10
 serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
 serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
 serviceSearchDescriptor: netgroup:cn=ng,cn=compat,dc=example,dc=com
 serviceSearchDescriptor: ethers:cn=computers,cn=accounts,dc=example,dc=com
 serviceSearchDescriptor: automount:cn=default,cn=automount,dc=example,dc=com
 serviceSearchDescriptor: auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=com
 serviceSearchDescriptor: aliases:ou=aliases,ou=test,dc=example,dc=com
 serviceSearchDescriptor: printers:ou=printers,ou=test,dc=example,dc=com
 blank line
 ^D


 You may want to check out
 https://bugzilla.redhat.com/show_bug.cgi?id=815533 as well.

 Should the profile be available anonymously? It is not in 4.x:
 $ ldapsearch -x -b ou=profile,dc=ipacloud,dc=test
 # extended LDIF
 #
 # LDAPv3
 # base ou=profile,dc=ipacloud,dc=test with scope subtree
 # filter: (objectclass=*)
 # requesting: ALL
 #


 # search result
 search: 2
 result: