Re: [Freeipa-users] nsupdate refused
On Sat, Apr 27, 2013 at 02:34:27PM -0430, Loris Santamaria wrote:
> Hi
>
> On Sat, 27-04-2013 at 10:35 -0400, Guy Matz wrote:
> > Hi! Anyone out there know how to get nsupdate to work with an IPA
> > controlled DNS server? I have followed the instructions at
> > http://freeipa.org/page/Dynamic_updates_with_GSS-TSIG in an attempt to
> > get a single machine to be able to perform any update, and have this as
> > one of the entries in my bind update policy:
> >
> > grant SERVICE\047foreman.collmedia@collmedia.net wildcard * ANY;
>
> Your zone update policy should include something like
>
> grant host/\047foreman.collmedia@collmedia.net wildcard * ANY;
>
> After that on foreman.collmedia.net you should call kinit followed by
> nsupdate:
>
> # kinit -k host/foreman.collmedia.net
> # nsupdate -g

Also the SSSD logs on a high debug level (7+ IIRC) include the full nsupdate message, which might come in handy when troubleshooting.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
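As an added example (not code from the thread), the kinit-then-nsupdate step described above as a small POSIX shell script: it obtains a ticket from the host keytab and pipes a generated add-A-and-PTR update into nsupdate -g, so the update is signed with GSS-TSIG rather than an unauthenticated one. The host name and address are placeholders, and the script assumes the caller can read the host keytab; nsupdate finds each zone from the SOA, so no zone lines are needed.

```shell
#!/bin/sh
# Added example for the GSS-TSIG update described in the thread; names and
# addresses are placeholders, not values from the list post.
set -eu

TTL="${TTL:-300}"   # TTL for the records we add (placeholder default)

# Reverse an IPv4 address into its in-addr.arpa owner name.
ptr_name() {
    echo "$1" | awk -F. '{ print $4"."$3"."$2"."$1".in-addr.arpa." }'
}

# Emit the nsupdate input that replaces the A and PTR records of a host.
# Each "send" is one update transaction; with -g nsupdate signs each one
# using the Kerberos ticket obtained by kinit (GSS-TSIG).
build_nsupdate_script() {
    fqdn="$1"; ip="$2"
    rev="$(ptr_name "$ip")"
    printf 'update delete %s. A\nupdate add %s. %s A %s\nsend\n' \
        "$fqdn" "$fqdn" "$TTL" "$ip"
    printf 'update delete %s PTR\nupdate add %s %s PTR %s.\nsend\n' \
        "$rev" "$rev" "$TTL" "$fqdn"
}

# Get a ticket for the host principal from /etc/krb5.keytab, then run the
# update. The update policy on the server must grant that principal.
run_update() {
    fqdn="$1"; ip="$2"
    kinit -k "host/$(hostname -f)"
    build_nsupdate_script "$fqdn" "$ip" | nsupdate -g
}

# When run directly with "<fqdn> <ipv4>", perform the update.
if [ "${1:-}" ] && [ "${2:-}" ]; then
    run_update "$1" "$2"
fi
```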
[Freeipa-users] question about bind 10 plans
Hi! I am curious about your bind10 plans :) Currently you are using bind9 with the bind-ldap backend, but the next Fedora release (F19) is going to use bind10 (and possibly EL7 is going to use it too, but that is only my hypothesis). This leads me to think that you are also going to use bind10. But I could not find anything about how bind10 is going to work with LDAP :(

Best regards,
Arthur Fayzullin
Re: [Freeipa-users] exporting ldap certificate
I finally got this to work.

I managed to get an error message that told me it couldn't check the revocation of the certificates against a CRL. I tried to find out how to tell Java where to find that CRL, but I discovered these options instead, to tell Java not to check a CRL:

-Dcom.sun.net.ssl.checkRevocation=false
-Dcom.sun.security.enableCRLDP=false

On 26 April 2013 18:30, Petr Viktorin pvikt...@redhat.com wrote:
> Hello,
>
> On 04/26/2013 07:22 AM, Peter Brown wrote:
> > Hi everyone.
> > I am attempting to get Google Apps to sync with FreeIPA and I am having
> > problems getting the sync utility to talk to FreeIPA. It complains about
> > the SSL cert. I have it set up so it only accepts SSL or TLS encrypted
> > connections and I don't want to turn that off. I have imported the CA
> > cert using the JRE's keytool but it still refuses to connect. I am
> > getting the impression I need to import the SSL cert for the LDAP server
> > into it as well.
>
> The CA cert (/etc/ipa/ca.crt) should be enough, it signs all the other
> certs. Make sure you import it with the right trust level (SSL certificate
> signing). Unfortunately I don't know about the JRE's keytool so I can't be
> more specific.
>
> > I have no idea which certificate that is and I have no idea how to
> > export it.
>
> Do not do this. You should only explicitly trust the CA cert. For example,
> if you trust the certs explicitly you'd have to re-import them one by one
> when they are renewed.
>
> > Can someone please tell me how to do this?
>
> If you really want to: There are two certs, one for httpd (Web UI, XMLRPC,
> JSON APIs), and one for the LDAP server.
>
> To export the httpd server certificate (to PEM):
>
> $ certutil -L -d /etc/httpd/alias -n Server-Cert -a
>
> To export the directory server certificate (to PEM):
>
> $ certutil -L -d /etc/dirsrv/slapd-$INSTANCE_NAME/ -n Server-Cert -a
>
> But again, you don't need this for what you're trying to do.
>
> --
> Petr³
Re: [Freeipa-users] question about bind 10 plans
On Mon, 29 Apr 2013, Артур Файзуллин wrote:
> Hi! I am curious about your bind10 plans :) Currently you are using bind9
> with the bind-ldap backend, but the next Fedora release (F19) is going to
> use bind10 (and possibly EL7 is going to use it too, but that is only my
> hypothesis). This leads me to think that you are also going to use bind10.
> But I could not find anything about how bind10 is going to work with
> LDAP :(

Both Bind 9 and Bind 10 are in Fedora 19 and there are no signs of Bind 9 going away in the Fedora 19 timespan. Bind 10, while being a nice modularized framework, still has work ahead. Adam Tkac and Petr Spacek can tell more, but in short, a Bind 10 module is on our radar.

--
/ Alexander Bokovoy