Re: [Freeipa-users] Invalid Credentials error on migrate-ds
I might have missed this yesterday, is it trying to bind to the Apple as Directory Manager? I thought that was for FreeIPA but now I'm not sure. I was intending to have it do an anonymous bind to the Apple. If so I guess that would explain it.

On Mon, Jan 24, 2011 at 2:16 PM, Rob Crittenden rcrit...@redhat.com wrote:

Jeff B wrote:

I'm trying to test out migration from an Apple Open Directory Server to FreeIPA (unstable)

The command I'm running is:

ipa config-mod --enable-migration=true
ipa -d migrate-ds --user-container='cn=users,dc=xxx,dc=,dc=com' --group-container='cn=groups,dc=xxx,dc=,dc=com' ldap://10.10.10.10:389

It prompts me for a password twice, then gives me an invalid credentials error

ipa: INFO: Created connection context.xmlclient
Password:
Enter Password again to verify:
ipa: DEBUG: raw: migrate_ds(u'ldap://10.10.10.10:389', u'', usercontainer=u'cn=users,dc=xxx,dc=,dc=com', groupcontainer=u'cn=groups,dc=xxx,dc=,dc=com')
ipa: INFO: migrate_ds(u'ldap://10.10.10.10:389', u'', binddn=u'cn=directory manager', usercontainer=u'cn=users,dc=xxx,dc=,dc=com', groupcontainer=u'cn=groups,dc=xxx,dc=,dc=com', userobjectclass=(u'person',), groupobjectclass=(u'groupOfUniqueNames', u'groupOfNames'), schema=u'RFC2307bis', continue=False, exclude_groups=None, exclude_users=None)
ipa: INFO: Forwarding 'migrate_ds' to server u'https://ipa0..com/ipa/xml'
ipa: DEBUG: NSSConnection init ipa0..com
ipa: DEBUG: connect: host=ipa0..com port=443
ipa: DEBUG: connect: 10.10.10.11:443
...
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for CN=ipa0..com,O=.COM
ipa: DEBUG: handshake complete, peer = 10.10.10.11:443
ipa: DEBUG: Caught fault 2100 from server https://ipa0.xxx.com/ipa/xml: Insufficient access: Invalid credentials
ipa: INFO: Destroyed connection context.xmlclient
ipa: ERROR: Insufficient access: Invalid credentials

I'm able to connect to LDAP using the same password for cn=Directory Manager which appears to be the user it's asking the password for.

Is this user error or a bug? If user error what am I doing wrong?

Thanks.

Hmm, I'm stumped at this point. Can you look in your Apple DS logs to see if there is a bind error?

You can use --binddn to bind as a different user.

I should also note that you don't want to include basedn for the user and group containers, cn=users and cn=groups is enough.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Invalid Credentials error on migrate-ds
The Apple Open Directory uses Kerberos so they aren't readable as the root dn either. The password fields all have the same token: KioqKioqKio=

I wasn't expecting to be able to import passwords so I thought I could run an import as an anonymous bind. I'll try again with a bind dn and see what happens.

On Mon, Jan 24, 2011 at 3:22 PM, Jakub Hrozek jhro...@redhat.com wrote:

On 01/24/2011 08:57 PM, Jeff B wrote:

I might have missed this yesterday, is it trying to bind to the Apple as Directory Manager? I thought that was for FreeIPA but now I'm not sure. I was intending to have it do an anonymous bind to the Apple. If so I guess that would explain it.

Yes, cn=Directory Manager against Apple DS. Anonymous bind wouldn't work, because during migration, you need to read LDAP attributes that store user passwords. Those are usually not readable anonymously.

Jakub
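
Added example, not part of the thread and not FreeIPA code: a pre-flight check over an LDIF export (as ldapsearch prints it for the bind DN you intend to use) that labels each userPassword value the source directory returns. The token quoted in the message above base64-decodes to eight asterisks, which the script reports as a placeholder; the sample entries, the dc=example,dc=com suffix and the function names are constructed for illustration.

```python
import base64
import re

# Constructed LDIF in ldapsearch output format. Entries are made up; only the
# KioqKioqKio= value is the token quoted in the thread.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,dc=example,dc=com
userPassword:: KioqKioqKio=

dn: uid=bob,cn=users,dc=example,dc=com
userPassword: {SSHA}Y29uc3RydWN0ZWQtbm90LWEtcmVhbC1oYXNo

dn: uid=carol,cn=users,dc=example,dc=com
uid: carol
"""

SCHEME = re.compile(rb"^\{([A-Za-z0-9_-]+)\}.+")

def password_values(ldif_text):
    """Map each entry's DN to its decoded userPassword values (bytes)."""
    entries = {}
    unfolded = ldif_text.replace("\n ", "")  # undo LDIF line folding
    for block in unfolded.strip().split("\n\n"):
        dn, values = None, []
        for line in block.splitlines():
            name, sep, rest = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            is_b64 = rest.startswith(":")  # "attr:: value" is base64
            raw = rest[1:].strip() if is_b64 else rest.strip()
            data = base64.b64decode(raw) if is_b64 else raw.encode()
            if name.lower() == "dn":
                dn = data.decode()
            elif name.lower() == "userpassword":
                values.append(data)
        if dn:
            entries[dn] = values
    return entries

def classify(value):
    """Label one userPassword value by what a migration could do with it."""
    if value and set(value) == {ord("*")}:
        return "placeholder"  # masked value, carries no hash
    match = SCHEME.match(value)
    return "hash:" + match.group(1).decode().upper() if match else "unknown"

def audit(ldif_text):
    """Per DN: labels for each value, or a marker when none was returned."""
    return {dn: [classify(v) for v in vals] or ["absent-or-unreadable"]
            for dn, vals in password_values(ldif_text).items()}
```

Running audit() on exports taken with an anonymous bind and with an authenticated bind DN shows directly which identity, if any, can read values worth migrating.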
[Freeipa-users] Invalid Credentials error on migrate-ds
I'm trying to test out migration from an Apple Open Directory Server to FreeIPA (unstable)

The command I'm running is:

ipa config-mod --enable-migration=true
ipa -d migrate-ds --user-container='cn=users,dc=xxx,dc=,dc=com' --group-container='cn=groups,dc=xxx,dc=,dc=com' ldap://10.10.10.10:389

It prompts me for a password twice, then gives me an invalid credentials error

ipa: INFO: Created connection context.xmlclient
Password:
Enter Password again to verify:
ipa: DEBUG: raw: migrate_ds(u'ldap://10.10.10.10:389', u'', usercontainer=u'cn=users,dc=xxx,dc=,dc=com', groupcontainer=u'cn=groups,dc=xxx,dc=,dc=com')
ipa: INFO: migrate_ds(u'ldap://10.10.10.10:389', u'', binddn=u'cn=directory manager', usercontainer=u'cn=users,dc=xxx,dc=,dc=com', groupcontainer=u'cn=groups,dc=xxx,dc=,dc=com', userobjectclass=(u'person',), groupobjectclass=(u'groupOfUniqueNames', u'groupOfNames'), schema=u'RFC2307bis', continue=False, exclude_groups=None, exclude_users=None)
ipa: INFO: Forwarding 'migrate_ds' to server u'https://ipa0..com/ipa/xml'
ipa: DEBUG: NSSConnection init ipa0..com
ipa: DEBUG: connect: host=ipa0..com port=443
ipa: DEBUG: connect: 10.10.10.11:443
...
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for CN=ipa0..com,O=.COM
ipa: DEBUG: handshake complete, peer = 10.10.10.11:443
ipa: DEBUG: Caught fault 2100 from server https://ipa0.xxx.com/ipa/xml: Insufficient access: Invalid credentials
ipa: INFO: Destroyed connection context.xmlclient
ipa: ERROR: Insufficient access: Invalid credentials

I'm able to connect to LDAP using the same password for cn=Directory Manager which appears to be the user it's asking the password for.

Is this user error or a bug? If user error what am I doing wrong?

Thanks.
Re: [Freeipa-users] ipa-server-install fails
Dmitri,

I didn't mean it to be an insult. Yes, it was unstable, very unstable for 24 hours, but also a ton of work was done in that time frame. I'm just starting to evaluate IPA and I found it encouraging that bugs got fixed quickly. I'd only suggest rolling pre2 since it seems that ipa-server-install is broken for more than just me and my environment.

-Jeff

On Thu, Jan 13, 2011 at 12:40 AM, Dmitri Pal d...@redhat.com wrote:

Jeff B wrote:

The build right now is the first time I've been able to get everything(?) working including the UI. So grab it quick! :D I was updating yesterday evening and all day today and ran into all kinds of issues that came and went with today's checkins.

Sorry. It will get better. We are really working hard to make it a first class product. We are not there yet but we are coming there from all sorts of directions at the same time.

Thanks,
Dmitri

On Wed, Jan 12, 2011 at 10:02 PM, Dmitri Pal d...@redhat.com wrote:

Geerten Schram wrote:

Hi All,

When running ipa-server-install from ipa-server-2.0.0.pre1-0.fc14.x86_64 I get an error (see list1 and ipserver-install.log). I just don't get it. When I run the pkisilent command by hand I get

###
Unrecognized argument: Manager
Use -help for help information
###

The only Manager comes from the built-in bind_dn, so I guess that's not the problem.

Does someone have a clue?

Regards,

This is the same issue I was hitting when I was testing beta and the workaround with the links to java jars described in the release notes fixed this issue.

The latest devel repository has this fixed. You might try installing from there.
http://jdennis.fedorapeople.org/ipa-devel/
Make sure you also have updates testing enabled since some other packages we depend on have been fixed in the recent weeks.

Just started package install will take a while since many packages changed in last couple weeks. Will let you know if I see any issues with today's build.

Thanks
Dmitri

Geerten Schram

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] ipa-server-install fails
The build right now is the first time I've been able to get everything(?) working including the UI. So grab it quick! :D I was updating yesterday evening and all day today and ran into all kinds of issues that came and went with today's checkins.

On Wed, Jan 12, 2011 at 10:02 PM, Dmitri Pal d...@redhat.com wrote:

Geerten Schram wrote:

Hi All,

When running ipa-server-install from ipa-server-2.0.0.pre1-0.fc14.x86_64 I get an error (see list1 and ipserver-install.log). I just don't get it. When I run the pkisilent command by hand I get

###
Unrecognized argument: Manager
Use -help for help information
###

The only Manager comes from the built-in bind_dn, so I guess that's not the problem.

Does someone have a clue?

Regards,

This is the same issue I was hitting when I was testing beta and the workaround with the links to java jars described in the release notes fixed this issue.

The latest devel repository has this fixed. You might try installing from there.
http://jdennis.fedorapeople.org/ipa-devel/
Make sure you also have updates testing enabled since some other packages we depend on have been fixed in the recent weeks.

Just started package install will take a while since many packages changed in last couple weeks. Will let you know if I see any issues with today's build.

Thanks
Dmitri

Geerten Schram

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.