Re: [Freeipa-users] changing password on user using ldappasswd

2016-01-06 Thread Martin Kosek
On 01/06/2016 09:59 AM, FE9817 FE-DDIS.DK wrote:
> Hi,
> 
> I'm trying to change password for a user, using ldap, but it hangs. Here is
> what is done.
> 
> :~$ ldappasswd -h idm.com -ZZ -p 636 -x -D 
> "uid=admin,cn=users,cn=accounts,dc=com" -W -S 
> "uid=test000,cn=users,cn=accounts,dc=com" -d9 -v -A
> Old password:
> Re-enter old password:
> New password:
> Re-enter new password:
> ldap_initialize( ldap://idm.com:636 )
> ldap_create
> ldap_url_parse_ext(ldap://idm.com:636)
> ldap_extended_operation_s
> ldap_extended_operation
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP idm.com:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 10.10.10.10:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> ldap_open_defconn: successful
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({) ber:
> ber_flush2: 31 bytes to sd 3
> ldap_result ld 0x7fc7f40de370 msgid 1
> wait4msg ld 0x7fc7f40de370 msgid 1 (infinite timeout)
> wait4msg continue ld 0x7fc7f40de370 msgid 1 all 1
> ** ld 0x7fc7f40de370 Connections:
> * host: idm01.dap.cfcs.dk  port: 636  (default)
>   refcnt: 2  status: Connected
>   last used: Wed Jan  6 09:29:43 2016
> 
> 
> ** ld 0x7fc7f40de370 Outstanding Requests:
>  * msgid 1,  origid 1, status InProgress
>    outstanding referrals 0, parent count 0
>   ld 0x7fc7f40de370 request count 1 (abandoned 0)
> ** ld 0x7fc7f40de370 Response Queue:
>    Empty
>   ld 0x7fc7f40de370 response count 0
> ldap_chkResponseList ld 0x7fc7f40de370 msgid 1 all 1
> ldap_chkResponseList returns ld 0x7fc7f40de370 NULL
> ldap_int_select
> 
> It works when using kpasswd, but not ldappasswd. Any suggestions?

I had a similar problem when kadmin did not start fully because of low entropy on
my VM, I wonder if this is your case as well. You can find out with

# systemctl status kadmin.service

But I am surprised that kadmin password change works and ldappasswd does not.
This would mean that "ipa passwd" command is also not working as it uses LDAP
way also.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] changing password on user using ldappasswd

2016-01-06 Thread Sumit Bose
On Wed, Jan 06, 2016 at 08:59:22AM +, FE9817 FE-DDIS.DK wrote:
> Hi,
> 
> I'm trying to change password for a user, using ldap, but it hangs. Here is
> what is done.
> 
> :~$ ldappasswd -h idm.com -ZZ -p 636 -x -D 
> "uid=admin,cn=users,cn=accounts,dc=com" -W -S 
> "uid=test000,cn=users,cn=accounts,dc=com" -d9 -v -A

I think you are using the SSL/TLS option wrongly. -p 636 indicates that
you want to use the LDAPS port where the SSL/TLS handshake is done
automatically. -Z will use the StartTLS command to start the handshake
and the second Z will require that this will be successful.

First, ldappasswd will not do an automatic SSL/TLS handshake with these
options and hence you see the hang because the server waits for the
handshake. To tell ldappasswd to do the handshake please replace '-h
idm.com' by '-H LDAPS://idm.com'.

Second, you will still see an error like 'SSL connection already
established' because the StartTLS command started due to the -Z option
sees that the SSL/TLS tunnel is already established, returns the error
and since the second Z requires a success here ldappasswd fails.

Since it is redundant to do both, using the ldaps port and calling
StartTLS, I would recommend to just use StartTLS as in

  ldappasswd -h idm.com -ZZ -x -D "uid=admin,cn=users,cn=accounts,dc=com" \
    -W -S "uid=test000,cn=users,cn=accounts,dc=com" -A

Using the ldaps port should work with

  ldappasswd -H LDAPS://idm.com -x -D "uid=admin,cn=users,cn=accounts,dc=com" \
    -W -S "uid=test000,cn=users,cn=accounts,dc=com" -A

And if you really want to double-stitch it use a single -Z like

  ldappasswd -H LDAPS://idm.com -Z -x \
    -D "uid=admin,cn=users,cn=accounts,dc=com" \
    -W -S "uid=test000,cn=users,cn=accounts,dc=com" -A

then you will still see the 'SSL connection already established' error
but ldappasswd can proceed since StartTLS is not required to be
successful. But please note that this will not increase security because
-Z/StartTLS is a no-op in this case.

HTH

bye,
Sumit
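
The option combinations from the reply above, as an added example that is not part of the original message: a shell function (hypothetical name check_ldap_tls_args) that reads an OpenLDAP client command line and reports which TLS case it falls into. It assumes 636 is the LDAPS port and recognises only ldap:// and ldaps:// URIs.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP.
# check_ldap_tls_args (hypothetical name) classifies the TLS-related options
# of an OpenLDAP client command (ldappasswd, ldapsearch, ...).
# Assumptions: 636 is the LDAPS port; only ldap:// and ldaps:// are handled.

# Record the scheme and the optional port of a -H URI.
set_uri() {
    case $1 in
        [Ll][Dd][Aa][Pp][Ss]://*) scheme=ldaps ;;
        *) scheme=ldap ;;
    esac
    hostport=${1#*://}          # drop the scheme
    hostport=${hostport%%/*}    # drop any path
    case $hostport in
        *:*) port=${hostport##*:} ;;
    esac
}

# Runs in a subshell so its variables do not leak into the caller.
check_ldap_tls_args() (
    scheme=ldap; port=; z=0
    while [ $# -gt 0 ]; do
        case $1 in
            -H)   if [ $# -ge 2 ]; then set_uri "$2"; shift; fi ;;
            -H?*) set_uri "${1#-H}" ;;
            -p)   if [ $# -ge 2 ]; then port=$2; shift; fi ;;
            -p?*) port=${1#-p} ;;
            -Z)   z=$((z + 1)) ;;
            -ZZ)  z=$((z + 2)) ;;
            # Other options that take a separate value: skip that value.
            -[ahtDdsTwyOURXYeEo]) if [ $# -ge 2 ]; then shift; fi ;;
        esac
        shift
    done

    if [ "$scheme" = ldaps ]; then
        case $z in
            0) echo "ok: LDAPS, TLS handshake on connect" ;;
            1) echo "warn: LDAPS plus -Z, StartTLS is a no-op and reports an error" ;;
            *) echo "fail: LDAPS plus -ZZ, required StartTLS cannot succeed" ;;
        esac
    elif [ "$port" = 636 ]; then
        # ldap:// scheme on the TLS port: the client never starts the handshake.
        echo "fail: ldap:// to port 636, no TLS handshake is sent and the request hangs"
    else
        case $z in
            0) echo "warn: no TLS, bind and password travel in clear text" ;;
            1) echo "warn: -Z, StartTLS attempted but not required" ;;
            *) echo "ok: -ZZ, StartTLS required" ;;
        esac
    fi
)

# The command lines discussed in the thread, with the DNs left out.
for args in \
    "-h idm.com -ZZ -p 636 -x -W -S -A" \
    "-h idm.com -ZZ -x -W -S -A" \
    "-H LDAPS://idm.com -x -W -S -A" \
    "-H LDAPS://idm.com -Z -x -W -S -A"
do
    # Word splitting of $args is intended: each string is one argument list.
    printf '%-38s %s\n' "$args" "$(check_ldap_tls_args $args)"
done
```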



[Freeipa-users] FreeIPA - Mixing clients using sssd for some and nscd/nslcd for others

2016-01-06 Thread bahan w
Hello !

I send you this mail because I am using this topology :
- FreeIPA 3.0.0-42
- RHEL6.6
- Two masters (replicated)
- n clients

My question is the following :
May I use for some clients sssd and for others the couple nscd/nslcd ? I
would like to perform tests to compare both and I am wondering if I can do
that ?

Best regards.

Bahan

Re: [Freeipa-users] IPA, AD Trust and Domain Local Groups

2016-01-06 Thread wdh

Hi,

OK, clear. Thanks for the information!

Winny

Sumit Bose wrote on 06-01-2016 9:19:

> On Wed, Jan 06, 2016 at 08:56:27AM +0100, w...@dds.nl wrote:
> > Hi all,
> >
> > Using an AD trust with IPA 4.2 all works well, but on the IPA/Linux site
> > we're just not able to see AD "Domain Local Groups".
> >
> > Is that just not possible (a limitation of the current version that is), is
> > some extra configuration needed or is just something wrong?
> >
> > Hope one can give an answer!
>
> This is by design. As the name says the groups are 'Domain Local' i.e.
> only valid in the own AD domain (not even in the whole AD forest). Since
> the IPA domain is a completely different forest from the AD perspective
> the Domain Local Groups do not apply here. IPA just does the same here
> as AD does.
>
> HTH
>
> bye,
> Sumit
>
> > Winny



[Freeipa-users] changing password on user using ldappasswd

2016-01-06 Thread FE9817 FE-DDIS.DK
Hi,

I'm trying to change password for a user, using ldap, but it hangs. Here is what
is done.

:~$ ldappasswd -h idm.com -ZZ -p 636 -x -D 
"uid=admin,cn=users,cn=accounts,dc=com" -W -S 
"uid=test000,cn=users,cn=accounts,dc=com" -d9 -v -A
Old password:
Re-enter old password:
New password:
Re-enter new password:
ldap_initialize( ldap://idm.com:636 )
ldap_create
ldap_url_parse_ext(ldap://idm.com:636)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP idm.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.10.10.10:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x7fc7f40de370 msgid 1
wait4msg ld 0x7fc7f40de370 msgid 1 (infinite timeout)
wait4msg continue ld 0x7fc7f40de370 msgid 1 all 1
** ld 0x7fc7f40de370 Connections:
* host: idm01.dap.cfcs.dk  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Wed Jan  6 09:29:43 2016


** ld 0x7fc7f40de370 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7fc7f40de370 request count 1 (abandoned 0)
** ld 0x7fc7f40de370 Response Queue:
   Empty
  ld 0x7fc7f40de370 response count 0
ldap_chkResponseList ld 0x7fc7f40de370 msgid 1 all 1
ldap_chkResponseList returns ld 0x7fc7f40de370 NULL
ldap_int_select

It works when using kpasswd, but not ldappasswd. Any suggestions?

Cheers
Emil

Re: [Freeipa-users] FreeIPA - Mixing clients using sssd for some and nscd/nslcd for others

2016-01-06 Thread Lukas Slebodnik
On (06/01/16 10:44), bahan w wrote:
>Hello !
>
>I send you this mail because I am using this topology :
>- FreeIPA 3.0.0-42
>- RHEL6.6
>- Two masters (replicated)
>- n clients
>
>My question is the following :
>May I use for some clients sssd and for others the couple nscd/nslcd ? I
>would like to perform tests to compare both and I am wondering if I can do
>that ?
>
ipa-client-install has argument "--no-sssd" which should configure
machine with nslcd + pam_ldap.

I have never used it. If it doesn't work you might configure
it yourself. There is no blocker.

But failover in sssd is in better state than in nslcd
and pam_ldap in rhel6.6 creates ldap connection to server with
each authentication + another ldap connection in nslcd.
So load of your server might be higher than with sssd.
It depends on count of client machines and count of users
which will use that machine.

I would like to ask why do you want to compare both.
Is sssd slow for you?

LS



Re: [Freeipa-users] Importing from shadow: ERROR: Constraint violation: pre-hashed passwords are not valid

2016-01-06 Thread Alexander Bokovoy

On Wed, 06 Jan 2016, Simpson Lachlan wrote:

> Hi,
>
> New install of FreeIPA 4.2.0-15.el7.centos.3 on Centos 7.2.1511 (and
> I'm very new to FreeIPA)
>
> Following the advice I got from here:
> http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
>
> I dumped old shadow into a csv, then wrote a small bash script to
> import all the users:
>
> #!/bin/bash
> # Import users from a CSV with two fields per line: login name, password hash.
> INPUT=s.csv
>
> kinit admin
>
> [ ! -f "$INPUT" ] && { echo "$INPUT file not found"; exit 99; }
> # IFS=, applies to read only and splits each line at the comma.
> while IFS=, read -r lname pw
> do
>    echo "Importing user $lname"
>    # First letter of the login becomes the first name, the rest the last name.
>    FIRST=${lname:0:1}
>    LAST=${lname:1}
>
>    ipa user-add "$lname" --first "$FIRST" --last "$LAST" \
>        --setattr "userpassword={crypt}$pw"
> done < "$INPUT"
>
> When I execute this, I get this error for every entry: "ipa: ERROR:
> Constraint violation: pre-hashed passwords are not valid"
>
> What have I done wrong?

Did you enable migration mode? The check in the password plugin is
conditioned on allowing pre-hashed passwords only when the migration
mode is on.

--
/ Alexander Bokovoy



Re: [Freeipa-users] changing password on user using ldappasswd

2016-01-06 Thread FE9817 FE-DDIS.DK
Thank you Sumit for the answer, it solved my problem. 
Cheers
Emil


Re: [Freeipa-users] FreeIPA 4.2.0 / CentOS 7.2 / DNS Strangeness (Sub-domains)

2016-01-06 Thread Petr Spacek
Please always include ipa-users list when replying.

On 6.1.2016 11:48, Devin wrote:
> Jan 06 01:37:45 idm.servers.lnx.ninja named-pkcs11[5524]: zone
> lnx.ninja/IN: NS 'idm.servers.lnx.ninja' has no address records (A or AAAA)
> Jan 06 01:37:45 idm.servers.lnx.ninja named-pkcs11[5524]: zone
> lnx.ninja/IN: not loaded due to errors.
> Jan 06 01:37:45 idm.servers.lnx.ninja named-pkcs11[5524]: zone
> servers.lnx.ninja/IN: loaded serial 1452044265

Apparently the zone lnx.ninja does not contain any (A or AAAA) records for
name idm.servers.lnx.ninja listed in NS record. You need to fix this (add
so-called glue record) otherwise BIND will not load that zone.

I hope this helps.

-- 
Petr^2 Spacek



[Freeipa-users] faking DNS autodiscovery of servers

2016-01-06 Thread Karl Forner
Hello,

I have some web applications that use LDAP for
authentication/authorization, and which do not support LDAP auto-discovery.

I'm wondering if it's possible to fake the auto-discovery of server.
For instance, I could imagine using a DNS CNAME ldap_current.example.com
which should point to a currently available ldap server.

Then a cron job would query the DNS/ldaps to find an available ldap server,
and if different from the current, update the DNS CNAME
ldap_current.example.com.

Does it make sense ?
In that case, how to discover a working ldap server ?

Thanks.
Karl

Re: [Freeipa-users] IPA, AD Trust and Domain Local Groups

2016-01-06 Thread Sumit Bose
On Wed, Jan 06, 2016 at 08:56:27AM +0100, w...@dds.nl wrote:
> Hi all,
> 
> Using an AD trust with IPA 4.2 all works well, but on the IPA/Linux site
> we're just not able to see AD "Domain Local Groups".
> 
> Is that just not possible (a limitation of the current version that is), is
> some extra configuration needed or is just something wrong?
> 
> Hope one can give an answer!

This is by design. As the name says the groups are 'Domain Local' i.e.
only valid in the own AD domain (not even in the whole AD forest). Since
the IPA domain is a completely different forest from the AD perspective
the Domain Local Groups do not apply here. IPA just does the same here
as AD does.

HTH

bye,
Sumit

> 
> Winny
> 


[Freeipa-users] IPA, AD Trust and Domain Local Groups

2016-01-06 Thread wdh

Hi all,

Using an AD trust with IPA 4.2 all works well, but on the IPA/Linux site
we're just not able to see AD "Domain Local Groups".

Is that just not possible (a limitation of the current version that is),
is some extra configuration needed or is just something wrong?

Hope one can give an answer!

Winny



[Freeipa-users] IE10 Dialogs close on Enter keypress

2016-01-06 Thread Jim Groffen
Hello,

I found that when running FreeIPA Web UI on IE10 that modal dialogs close
when enter is pressed. Normal functionality is to 'submit' the dialog on an
enter keypress.

I found a solution by adding a type="button" attribute to the close button
of the dialog (in /install/ui/src/freeipa/dialog.js).

I have tested on recent Chrome, IE and Firefox versions as well as on IE10.
Seems to be no side-effects.

Attached is a patch showing the change I made. Apologies if the patch isn't
formatted correctly.

Regards,

Jim G
From 53503f6cb28c1923a841cc837b8f1e062b2d429b Mon Sep 17 00:00:00 2001
From: James Groffen 
Date: Thu, 7 Jan 2016 14:26:03 +1030
Subject: [PATCH] Set close button type attribute to 'button'.

Stops IE10 from closing the dialog on an enter keypress.

---
 install/ui/src/freeipa/dialog.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/install/ui/src/freeipa/dialog.js b/install/ui/src/freeipa/dialog.js
index 22bda3e..4c157c5 100644
--- a/install/ui/src/freeipa/dialog.js
+++ b/install/ui/src/freeipa/dialog.js
@@ -395,6 +395,7 @@ IPA.dialog = function(spec) {
 
 that.title_close_button = $('', {
 'class': 'close',
+'type': 'button',
 'aria-hidden': 'true',
 click: function() {
 that.close();
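Review bot: on the added 'type': 'button' line for that.title_close_button, the fix covers only this one element, so any other button that dialog.js creates without an explicit type would still be activated by Enter in the same way; please check the remaining button constructors in this file, or set the type in whatever shared helper builds dialog buttons if there is one. The commit message also names only the symptom (IE10 closes the dialog on Enter). A button element with no type attribute defaults to submit, and stating that as the cause would make clear why the one-line change is safe for the other browsers mentioned in the mail. A ticket reference in the message would help too.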
-- 
1.9.5.msysgit.1


[Freeipa-users] Trying to reset the admin password and failing...

2016-01-06 Thread Steven Jones
Hi,

Any idea how to fix this please?


[root@vuwunicoipam002 ~]# ldappasswd -ZZ -D 'cn=directory manager' -W -S 
uid=admin,cn=users,cn=accounts,dc=xx,dc=xxx,dc=xx,dc=xx  -H 
ldap://vuwunicoipam002.xxx
New password:
Re-enter new password:
ldap_start_tls: Connect error (-11)
additional info: Start TLS request accepted.Server willing to negotiate 
SSL.
[root@vuwunicoipam002 ~]#

regards

Steven 



Re: [Freeipa-users] Fwd: NetworkError : invalid continuation byte with utf8 codec

2016-01-06 Thread Carlos Raúl Laguna
Happy new year to all, just to point out that this also affect Fedora23
Free-IPA 4.2.0 and 4.3.0 from corps. locale  are set to es_ES.UTF-8.
Regards

2016-01-05 23:32 GMT-05:00 Fraser Tweedale :

> On Mon, Jan 04, 2016 at 03:13:43PM +0100, Domineaux Philippe wrote:
> > Hello,
> >
> > Happy new year.
> >
> > So the content of my /etc/locale.conf :
> >
> > LANG="fr_FR.UTF-8"
> >
> Happy new year to you too, and thanks for the info.
>
> I reproduced the issue and there is a now a patch awaiting review.
> Ticket: https://fedorahosted.org/freeipa/ticket/5578
>
> Cheers,
> Fraser
>
> > -- Forwarded message --
> > From: Fraser Tweedale 
> > Date: 2015-12-23 5:11 GMT+01:00
> > Subject: Re: [Freeipa-users] NetworkError : invalid continuation byte
> with
> > utf8 codec
> > To: Gmail 
> > Cc: freeipa-users@redhat.com
> >
> >
> > On Tue, Dec 22, 2015 at 08:39:09AM +0100, Gmail wrote:
> > > Here are the files you ask for:
> > >
> > Thank you.  I see Tomcat is running in an fr_FR locale. Could you
> > also provide contents of `/etc/locale.conf'?
> >
> > Cheers,
> > Fraser
> >
> > >
> > >
> > > Le 22 décembre 2015 à 02:30:06, Fraser Tweedale (ftwee...@redhat.com)
> a
> > écrit:
> > >
> > > On Mon, Dec 21, 2015 at 05:29:01PM +0100, Gmail wrote:
> > > > Hi all,
> > > >
> > > > When trying to install on a fresh new Centos 7 I’ve got this error :
> > > >
> > > > 2015-12-21T16:04:44Z DEBUG The ipa-server-install command failed,
> > exception: NetworkError: cannot connect to '
> > https://freeipa.ipa.local:8443/ca/rest/profiles/raw': 'utf8' codec can't
> > decode byte 0xea in position 13: invalid continuation byte
> > > > 2015-12-21T16:04:44Z ERROR cannot connect to '
> > https://freeipa.ipa.local:8443/ca/rest/profiles/raw': 'utf8' codec can't
> > decode byte 0xea in position 13: invalid continuation byte
> > > >
> > > > My freeipa-server version is :  4.2.0
> > > > I’m running a Centos 3.10.0-327.3.1.el7.x86_64
> > > >
> > > > Any idea of what goes wrong?
> > > >
> > > Thanks for reporting. I have not seen this error before. Could you
> > > please include the following log files and I will take a closer
> > > look:
> > >
> > > /var/log/ipaserver-install.log
> > > /var/log/pki/pki-tomcat/ca/debug
> > >
> > > Cheers,
> > > Fraser
>

Re: [Freeipa-users] Importing from shadow: ERROR: Constraint violation: pre-hashed passwords are not valid

2016-01-06 Thread Simpson Lachlan
> -Original Message-
> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
> 

> >When I execute this, I get this error for every entry: "ipa: ERROR:
> >Constraint violation: pre-hashed passwords are not valid"
> >
> >What have I done wrong?
> Did you enable migration mode? The check in the password plugin is conditioned
> on allowing pre-hashed passwords only when the migration mode is on.


Well that's embarrassing. It's even right there, on the page I quoted. Didn't 
even see that paragraph when I was reading it. 

Thank you
L.  

