[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-06 Thread Rob Crittenden via FreeIPA-users
Harald Dunkel via FreeIPA-users wrote: > Hi Rob, > > On 12/06/17 17:39, Rob Crittenden via FreeIPA-users wrote: >> Harald Dunkel via FreeIPA-users wrote: >>> See attachment. >>> >>> Please note the "invalid certificate". Do you remember the thread >>> on freeipa-devel about "ipa-client-install

[Freeipa-users] Maintenance mode

2017-12-06 Thread Lachlan Musicman via FreeIPA-users
Stupid question, but to stop anyone from logging in anywhere - for instance during a maintenance period - is there an easy maintenance mode in IPA? Or is the best method to disable all HBAC rules? cheers L. -- "The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics is the

[Freeipa-users] Re: User's personal group not resolving

2017-12-06 Thread Aaron Hicks via FreeIPA-users
Hi Rob, We figured out there were a relatively small number of id clashes between uids and gids between users and groups and have resolved most of them, we're now working on making gidNumber = uidNumber with a python script calling user-mod via the FreeIPA API. It's looking good in our test
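An added example of the kind of script described in the post above (this is not the poster's code and not part of the FreeIPA project): it plans "gidNumber = uidNumber" changes for imported users, but reports a clash instead of a fix when a user's uidNumber is already the gidNumber of some unrelated group, which is exactly the id-clash case the thread mentions. Users and groups are plain dicts keyed by the attribute names FreeIPA uses; the sample data at the bottom is constructed for the example. The ipalib calls (api.bootstrap, api.Backend.rpcclient.connect, api.Command.user_find/group_find/user_mod) are the real FreeIPA client API but only run on an enrolled host with a Kerberos ticket; the assumption that a user's private group carries the same name as the user is FreeIPA's default but is still an assumption of this code.

```python
# Added example, not code from the freeipa-users thread: plan and apply
# "gidNumber = uidNumber" fixes for imported users while refusing to reuse
# an id that an unrelated group already owns. Users/groups are dicts keyed
# by the LDAP attribute names FreeIPA uses; the ipalib calls in
# load_from_ipa() are the real client API but need an enrolled host.
from dataclasses import dataclass
from typing import Callable, Iterable, Mapping


@dataclass(frozen=True)
class Fix:
    uid: str
    old_gid: int
    new_gid: int


@dataclass(frozen=True)
class Clash:
    uid: str
    wanted_gid: int
    owner: str  # group that already holds the user's uidNumber as gidNumber


def plan_gid_fixes(users: Iterable[Mapping], groups: Iterable[Mapping]):
    """Return (fixes, clashes) for users whose gidNumber != uidNumber.

    If the user's uidNumber is already the gidNumber of a group other than
    the user's own private group (assumed to be named after the user),
    pointing gidNumber at it would hand the user membership in that group,
    so it is reported as a clash rather than changed.
    """
    gid_owner = {}
    for g in groups:
        if g.get("gidnumber") is not None:  # non-POSIX groups have no gidNumber
            gid_owner.setdefault(int(g["gidnumber"]), g["cn"])
    fixes, clashes = [], []
    for u in users:
        uidn, gidn = int(u["uidnumber"]), int(u["gidnumber"])
        if uidn == gidn:
            continue
        owner = gid_owner.get(uidn)
        if owner is not None and owner != u["uid"]:
            clashes.append(Clash(u["uid"], uidn, owner))
        else:
            fixes.append(Fix(u["uid"], gidn, uidn))
    return fixes, clashes


def apply_fixes(fixes: Iterable[Fix], user_mod: Callable[..., object]):
    """Apply fixes via user_mod(uid, gidnumber=...), the calling convention
    of ipalib's api.Command.user_mod; pass a fake callable for a dry run."""
    done = []
    for f in fixes:
        user_mod(f.uid, gidnumber=f.new_gid)
        done.append(f.uid)
    return done


def load_from_ipa():
    """Fetch users and POSIX groups over the live FreeIPA API (requires a
    Kerberos ticket for a principal allowed to read and modify users).
    Returns (users, groups, user_mod)."""
    from ipalib import api  # only available on an enrolled host
    api.bootstrap(context="cli")
    api.finalize()
    api.Backend.rpcclient.connect()
    users = [
        {"uid": e["uid"][0], "uidnumber": int(e["uidnumber"][0]),
         "gidnumber": int(e["gidnumber"][0])}
        for e in api.Command.user_find(sizelimit=0)["result"]
    ]
    groups = [
        {"cn": e["cn"][0], "gidnumber": int(e["gidnumber"][0])}
        for e in api.Command.group_find(sizelimit=0)["result"]
        if "gidnumber" in e
    ]
    return users, groups, api.Command.user_mod


# Constructed sample data (not from the thread): alice and carol were
# imported with a shared department gid; group "legacy" already uses
# carol's uidNumber, so carol is a clash rather than a fix.
SAMPLE_USERS = [
    {"uid": "alice", "uidnumber": 100019, "gidnumber": 1001},
    {"uid": "bob", "uidnumber": 100020, "gidnumber": 100020},
    {"uid": "carol", "uidnumber": 100021, "gidnumber": 1001},
]
SAMPLE_GROUPS = [
    {"cn": "staff", "gidnumber": 1001},
    {"cn": "alice", "gidnumber": 100019},  # alice's private group
    {"cn": "legacy", "gidnumber": 100021},
    {"cn": "nonposix"},                    # no gidNumber at all
]


def dry_run(users=SAMPLE_USERS, groups=SAMPLE_GROUPS):
    """Plan against the given data and record what would be modified."""
    calls = []
    fixes, clashes = plan_gid_fixes(users, groups)
    apply_fixes(fixes, lambda uid, **kw: calls.append((uid, kw)))
    return fixes, clashes, calls


if __name__ == "__main__":
    fixes, clashes, calls = dry_run()
    for f in fixes:
        print(f"would set {f.uid}: gidNumber {f.old_gid} -> {f.new_gid}")
    for c in clashes:
        print(f"clash: {c.uid} uidNumber {c.wanted_gid} is gidNumber of group {c.owner}")
```

Run it as-is for the dry run; to operate on a real directory, replace the sample data with `users, groups, user_mod = load_from_ipa()` and pass `user_mod` to `apply_fixes` only after reviewing the clash list.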

[Freeipa-users] Re: Guide to enabling CA?

2017-12-06 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 06 Dec 2017, Bret Wortman via FreeIPA-users wrote: Is there an online guide to turning on a CA? We had one, which signed all our SSL Certs and such. It worked quite nicely. Then we rolled an upgrade around our IPA servers to get them from Fedora to Centos, and in the process, we

[Freeipa-users] Re: User's personal group not resolving

2017-12-06 Thread Aaron Hicks via FreeIPA-users
> Does a group with gidNumber 100019 exist in IPA? It sounds like it doesn't. > Is that what you mean by creating the groups? No, it's the gid of the user, so exists only as a private user group. -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: Thursday, 7

[Freeipa-users] Re: openvpn authenticating to freeipa

2017-12-06 Thread Lee Wiscovitch via FreeIPA-users
We use openvpn's "auth-user-pass-verify" option to call a perl script that queries PAM. I can't provide all of it since it has sensitive/corporate information but essentially OpenVPN will provide the password used during client negotiation as an environment variable, and the perl script sends

[Freeipa-users] Re: openvpn authenticating to freeipa

2017-12-06 Thread Andrew Meyer via FreeIPA-users
I already had the line in there for the plugin. On Wednesday, December 6, 2017 2:28 PM, Andrew Meyer wrote: I think I did see that while searching, but did not click on it. I will now! Thank you! On Wednesday, December 6, 2017 2:24 PM, Michael Plemmons via

[Freeipa-users] Re: openvpn authenticating to freeipa

2017-12-06 Thread Andrew Meyer via FreeIPA-users
I think I did see that while searching, but did not click on it. I will now! Thank you! On Wednesday, December 6, 2017 2:24 PM, Michael Plemmons via FreeIPA-users wrote: Have you taken a look at this?

[Freeipa-users] Re: openvpn authenticating to freeipa

2017-12-06 Thread Michael Plemmons via FreeIPA-users
Have you taken a look at this? https://github.com/OpenVPN/openvpn/tree/master/src/plugins/auth-pam That is a plugin we have on our OpenVPN server which is backed by FreeIPA. In our OpenVPN server conf file we have a line that looks like this. plugin

[Freeipa-users] openvpn authenticating to freeipa

2017-12-06 Thread Andrew Meyer via FreeIPA-users
Hello, I am trying to configure my openvpn setup to authenticate against FreeIPA. I have OpenVPN configured and it is accepting connections. The package for ldap_auth is installed and configured. However I have tried to set up anonymous ldap lookups and authenticated ldap lookups and neither

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-06 Thread Harald Dunkel via FreeIPA-users
Hi Rob, On 12/06/17 17:39, Rob Crittenden via FreeIPA-users wrote: > Harald Dunkel via FreeIPA-users wrote: >> See attachment. >> >> Please note the "invalid certificate". Do you remember the thread >> on freeipa-devel about "ipa-client-install (3.0.2 on Wheezy) fails >> after root certificate

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-06 Thread Rob Crittenden via FreeIPA-users
Harald Dunkel via FreeIPA-users wrote: > See attachment. > > Please note the "invalid certificate". Do you remember the thread > on freeipa-devel about "ipa-client-install (3.0.2 on Wheezy) fails > after root certificate change via ipa-cacert-manage" and the > output of "ipa-certupdate -v" I had

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-06 Thread Harald Dunkel via FreeIPA-users
See attachment. Please note the "invalid certificate". Do you remember the thread on freeipa-devel about "ipa-client-install (3.0.2 on Wheezy) fails after root certificate change via ipa-cacert-manage" and the output of "ipa-certupdate -v" I had posted? Regards Harri debug.txt.gz

[Freeipa-users] Guide to enabling CA?

2017-12-06 Thread Bret Wortman via FreeIPA-users
Is there an online guide to turning on a CA? We had one, which signed all our SSL Certs and such. It worked quite nicely. Then we rolled an upgrade around our IPA servers to get them from Fedora to Centos, and in the process, we failed to migrate the CA, so we ended up with 3 servers without

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-06 Thread Rob Crittenden via FreeIPA-users
Harald Dunkel via FreeIPA-users wrote: > Hi folks, > > Platform: Centos 7.4, ipa 4.5.0-21 > > The ipa service cannot be started anymore. Error message: > > # systemctl status ipa > * ipa.service - Identity, Policy, Audit >Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor

[Freeipa-users] Re: User's personal group not resolving

2017-12-06 Thread Rob Crittenden via FreeIPA-users
Aaron Hicks via FreeIPA-users wrote: > Hello the list, > > > > We imported all our users with uidnumbers from our old LDAP, but their > gidNumber was from 4 groups. This caused us issues with users wanting to > grant access to personal spaces to one user, but instead granting access > to all

[Freeipa-users] worst nightmare come true: ipa service doesn't start anymore

2017-12-06 Thread Harald Dunkel via FreeIPA-users
Hi folks, Platform: Centos 7.4, ipa 4.5.0-21 The ipa service cannot be started anymore. Error message: # systemctl status ipa * ipa.service - Identity, Policy, Audit Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled) Active: failed (Result: exit-code)

[Freeipa-users] Change default ldap scheme

2017-12-06 Thread Andrew Radygin via FreeIPA-users
Hello everybody, I want to know if there is a possibility to change the default ldap scheme where users and groups are stored. For instance, I have: cn=USER, cn=groups, cn=accounts, dc=domain,dc=net cn=GROUP-OF-USERS, cn=groups, cn=accounts, dc=domain,dc=net It seems to be too straightforward. Can I