[Freeipa-users] How to tell if a replica server is also a CA?

2017-03-07 Thread Zak Wolfinger
How can I tell if my FreeIPA 4.2.0 replica servers are also configured to be 
CAs?


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] Deleting a duplicate user

2016-08-23 Thread Zak Wolfinger
We were in the final stages of migrating FreeIPA from 3.0 to 4.2.  During the 
migration, both the 3.0 replicas and the 4.2 replicas were in the replica pool. 
 User account changes made to 3.0 would replicate to 4.2 just fine, but changes 
wouldn’t replicate from 4.2 to 3.0.

Admins should have been aware of this and performing all changes to the 3.0 
replicas.  However 2 accounts were created on the 4.2 replicas and then also 
added to the 3.0 replicas.  This resulted in a replication conflict and each 
user account has a duplicate with the same username but different UIDs.

I want to delete the duplicates.  “ipa user-del” will not take the UID as an 
identifier, only the username.  Using just the username fails with an error due 
to the duplicate accounts.

The old 3.0 replicas have all been removed from the pool and decommissioned.  
It would be tons of work to bring them back into production.

Any thoughts on how to fix this issue?

Cheers,
Zak Wolfinger

Infrastructure Engineer  |  Emma®
zak.wolfin...@myemma.com <mailto:zak.wolfin...@myemma.com>
800.595.4401 or 615.292.5888 x197
615.292.0777 (fax)


Re: [Freeipa-users] FreeIPA 4.3 with PWM 1.7 ?

2016-05-26 Thread Zak Wolfinger
I was trying to do it on the same instance.  I think I figured it out.  PWM 
uses port 8080 by default, but FreeIPA has an interface to the CA server on the 
same port.  Changed PWM to a different port and it works.

Thanks!

> On May 26, 2016, at 11:29 AM, Michael ORourke <mrorou...@earthlink.net> wrote:
> 
> Did you try installing PWM on a separate instance, or are you trying to 
> install it on the FreeIPA server?  I don't recall any issues with pki-tomcat 
> when I set up PWM (older version), but I installed it on a VM that was joined 
> to FreeIPA.
> 
> -Mike
> 
> 
> -Original Message-
>> From: Zak Wolfinger <zwolfin...@myemma.com>
>> Sent: May 23, 2016 1:56 PM
>> To: freeipa-users@redhat.com
>> Subject: [Freeipa-users] FreeIPA 4.3 with PWM 1.7 ?
>> 
>> Does anyone have this combo working?  I’m running into problems with 
>> pki-tomcat and tomcat for pwm conflicting and need some pointers.
>> 
>> Thanks!
> 




[Freeipa-users] FreeIPA 4.3 with PWM 1.7 ?

2016-05-23 Thread Zak Wolfinger
Does anyone have this combo working?  I’m running into problems with pki-tomcat 
and tomcat for pwm conflicting and need some pointers.

Thanks!



Re: [Freeipa-users] Ubuntu 16.04 / FreeIPA 4.3 install

2016-05-11 Thread Zak Wolfinger

> On May 11, 2016, at 9:14 AM, Zak Wolfinger <zwolfin...@myemma.com> wrote:
> 
> I’m trying to set up FreeIPA as a replica.  I’ve followed the instructions in 
> section 4 here:
> 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#prepping-replica
> 
> The replica install appears to be successful, but when I try to do ‘ipactl 
> start’ I get this:
> 
> IPA is not configured (see man pages of ipa-server-install for help)
> 
> I’ve looked through the man pages but I’m not seeing what needs to be done.
> 
> Can anyone offer suggestions?
> 
> 

I tried doing an ipa-server-install --uninstall and doing my ipa-replica-install 
again.  Now I’m seeing this:

[error] UNWILLING_TO_PERFORM: {'info': 'modification of attribute 
nsds5replicabinddngroup is not allowed in replica entry', 'desc': 'Server is 
unwilling to perform'}

The old server is FreeIPA 3.0 and the new replica is obviously 4.3.  Am I 
missing something?



[Freeipa-users] Ubuntu 16.04 / FreeIPA 4.3 install

2016-05-11 Thread Zak Wolfinger
I’m trying to set up FreeIPA as a replica.  I’ve followed the instructions in 
section 4 here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#prepping-replica
 


The replica install appears to be successful, but when I try to do ‘ipactl 
start’ I get this:

IPA is not configured (see man pages of ipa-server-install for help)

I’ve looked through the man pages but I’m not seeing what needs to be done.

Can anyone offer suggestions?





Re: [Freeipa-users] Password Encryption Method

2016-05-03 Thread Zak Wolfinger
The old version of 389-ds-base is 1.2.11.15-48.  The version we are migrating 
to is 1.3.4.0-29


> On Apr 30, 2016, at 9:30 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> 
> Zak Wolfinger wrote:
>> Did the password encryption method change between V3.0 and newer
>> versions?  Where can I find out what method is being used?  I'm running
>> into hash issues when using GADS to sync to Google.
> 
> I don't think so, I think SSHA is still the default. Knowing what versions of 
> 389-ds-base you're asking about would probably be helpful.
> 
> rob
> 
> 
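An added example, not part of the original thread: a directory `userPassword` value carries its storage scheme as a `{SCHEME}` prefix, and an SSHA value is base64 of the SHA-1 digest followed by the salt, so the scheme in use can be read off the value itself before a sync tool consumes it. The helper names and the sample value are constructed for illustration; treating SSHA256 and SSHA512 the same way is an assumption about which salted schemes are present.

```python
import base64
import hashlib
import hmac

# Salted schemes: name -> (hashlib algorithm, digest length in bytes).
SALTED = {"SSHA": ("sha1", 20), "SSHA256": ("sha256", 32), "SSHA512": ("sha512", 64)}


def parse_user_password(value):
    """Split a '{SCHEME}payload' userPassword value into (scheme, digest, salt)."""
    if not value.startswith("{") or "}" not in value:
        return ("CLEARTEXT", value.encode(), b"")  # no scheme tag at all
    scheme, _, payload = value[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in SALTED:
        # Other schemes (e.g. CRYPT) use their own encodings; report the tag only.
        return (scheme, payload.encode(), b"")
    raw = base64.b64decode(payload)
    digest_len = SALTED[scheme][1]
    if len(raw) <= digest_len:
        raise ValueError(f"{scheme} value too short to contain a salt")
    # Layout is digest followed by salt; the salt length is whatever remains.
    return (scheme, raw[:digest_len], raw[digest_len:])


def verify(value, password):
    """Recompute hash(password + salt) and compare in constant time."""
    scheme, digest, salt = parse_user_password(value)
    if scheme not in SALTED:
        raise ValueError(f"cannot verify scheme {scheme}")
    algo = SALTED[scheme][0]
    candidate = hashlib.new(algo, password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def make_salted(scheme, password, salt):
    """Build a constructed sample value for the demo below."""
    algo = SALTED[scheme][0]
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


if __name__ == "__main__":
    sample = make_salted("SSHA", "Secret123", b"\x01\x02\x03\x04\x05\x06\x07\x08")
    scheme, digest, salt = parse_user_password(sample)
    print(scheme, len(digest), salt.hex(), verify(sample, "Secret123"))
```
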




[Freeipa-users] Password Encryption Method

2016-04-29 Thread Zak Wolfinger
Did the password encryption method change between V3.0 and newer versions?  
Where can I find out what method is being used?  I’m running into hash issues 
when using GADS to sync to Google.

Cheers,
Zak Wolfinger


[Freeipa-users] Add CA server AFTER install?

2016-04-25 Thread Zak Wolfinger
Not having much luck with the docs / Google.  Is there a way to add the CA 
server role to a FreeIPA installation if it wasn’t included at the time of 
install?

Thanks!




[Freeipa-users] Change replica hostname and IP address?

2016-04-12 Thread Zak Wolfinger
We need to do some juggling of servers while we migrate to the latest version.

Is it possible to change the hostname and IP addresses of the replicas?  Or 
would I be better off just spinning up new ones?

Cheers,
Zak Wolfinger


Re: [Freeipa-users] Migration from 3.0 to 4.3.1 questions

2016-04-11 Thread Zak Wolfinger



> On Apr 11, 2016, at 12:09 PM, Martin Basti <mba...@redhat.com> wrote:
> 
> 
> 
> On 11.04.2016 19:01, Zak Wolfinger wrote:
>> We are running FreeIPA 3.0 (Dogtag 9) on CentOS and want to migrate to the 
>> latest version.
>> 
>> I understand that FreeIPA 3.1 introduced Dogtag 10 and there is no “upgrade”, 
>> but it can be accomplished as a “migration”.
>> 
>> However we are not currently using CA so that may simplify things.
>> 
>> Can I just do this?
>> 1. Create a new  replica VM running 4.3.1
>> 2. Make sure it syncs up with the 3.0 primary and test
>> 3. Promote the new replica to primary
>> 4. Remove all the old 3.0 replicas
>> 5. Build new 4.3.1 replicas
>> 6. ??
>> 7. Profit
>> 
>> What do you experienced people think?  What am I missing?
>> 
> This may help
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#upgrading
> 
> Migration from RHEL 6 to RHEL 7 is covered there; it should work.
> Martin

Since we are running FreeIPA on CentOS instead of IDM on RHEL, I’m not sure how 
this warning applies to our configuration:

WARNING
If any of the instances in your IdM deployment are using Red Hat Enterprise 
Linux 6.5 or earlier, upgrade them to Red Hat Enterprise Linux 6.6 before 
upgrading a Red Hat Enterprise Linux 7.0 IdM server to the 7.1 version or 
before connecting a Red Hat Enterprise Linux 7.1 IdM replica.

Anything to be concerned about here?

Thanks!


[Freeipa-users] Migration from 3.0 to 4.3.1 questions

2016-04-11 Thread Zak Wolfinger
We are running FreeIPA 3.0 (Dogtag 9) on CentOS and want to migrate to the 
latest version.

I understand that FreeIPA 3.1 introduced Dogtag 10 and there is no “upgrade”, 
but it can be accomplished as a “migration”.

However we are not currently using CA so that may simplify things.

Can I just do this?
1. Create a new  replica VM running 4.3.1
2. Make sure it syncs up with the 3.0 primary and test
3. Promote the new replica to primary
4. Remove all the old 3.0 replicas
5. Build new 4.3.1 replicas
6. ??
7. Profit

What do you experienced people think?  What am I missing?



Cheers,
Zak Wolfinger
