[Freeipa-users] Approach to allowing users access to NFS with kerberos through containers

2020-03-11 Thread Kevin Vasko via FreeIPA-users
Our users on their local machines (which are enrolled into our domain/realm) access (mount read/write) our NFS shares as they need with their LDAP accounts. We are wanting to allow users to use docker containers to mount/access these same mount/NFS Servers. These containers are short lived so

[Freeipa-users] Re: Managing different Sub CAs in FreeIPA without their shared Root CA

2020-03-11 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/11/20 5:01 PM, Alexander Petrenz via FreeIPA-users wrote: Hi, I'm new to FreeIPA and I have a conceptual question. I have an existing PKI-Infrastructure with one root CA and three derived Sub-CAs. Now I want to change the PKI-Management to FreeIPA without replacing the already existing

[Freeipa-users] Re: Issue with Using 3rd party certificates for HTTP/LDAP

2020-03-11 Thread Rob Crittenden via FreeIPA-users
dmitriys via FreeIPA-users wrote: > Hi! > I rebuilt my server; now I use CentOS 8 > I installed freeipa : > # ipa-server-install > and try to change the self-signed certificate to Comodo. > My steps: > - get root CA from gogetssl.com > - ipa-cacert-manage -p password -n ARAX -t C,, install

[Freeipa-users] Re: Issue with Using 3rd party certificates for HTTP/LDAP

2020-03-11 Thread dmitriys via FreeIPA-users
Hi! I rebuilt my server; now I use CentOS 8. I installed freeipa : # ipa-server-install and try to change the self-signed certificate to Comodo. My steps: - get root CA from gogetssl.com - ipa-cacert-manage -p password -n ARAX -t C,, install /root/ca.crt - ipa-certupdate - ipa-server-certinstall -w -d

[Freeipa-users] Managing different Sub CAs in FreeIPA without their shared Root CA

2020-03-11 Thread Alexander Petrenz via FreeIPA-users
Hi, I'm new to FreeIPA and I have a conceptual question. I have an existing PKI-Infrastructure with one root CA and three derived Sub-CAs. Now I want to change the PKI-Management to FreeIPA without replacing the already existing Sub-CAs. My first question is: Is it possible to have more

[Freeipa-users] Re: External & Letsencrypt Certificate | Failed on IPA update.

2020-03-11 Thread Faraz Younus via FreeIPA-users
I have added freeipa users list as well to this thread On Wed, Mar 11, 2020 at 6:31 PM Rob Crittenden wrote: > Faraz Younus wrote: > > Thanks pasted the text instead of screenshots. > > This will work. Can you post this to the freeipa-users list? > > rob > > > > > First failed then successful

[Freeipa-users] Re: IPA CA renewal and duplicate CA certs

2020-03-11 Thread Rob Crittenden via FreeIPA-users
Alexander Bokovoy via FreeIPA-users wrote: > On Wed, 11 Mar 2020, Rob Crittenden wrote: >> Alexander Bokovoy wrote: >>> On Wed, 11 Mar 2020, Fraser Tweedale via FreeIPA-users wrote: > Makes me look at this a different way. Perhaps change the certstore to > only return valid CA certs.

[Freeipa-users] Add "Puppet Enterprise" to the list of things that do not actively support FreeIPA

2020-03-11 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Sad. https://puppet.com/docs/pe/2019.2/rbac_ldap_intro.html#connect_to_an_external_directory_service It has Example Active Directory settings and Example OpenLDAP settings I tried using the OpenLDAP side, but the queries I see in the access logs are looking for objectClasses like

[Freeipa-users] Re: IPA CA renewal and duplicate CA certs

2020-03-11 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 11 Mar 2020, Rob Crittenden wrote: Alexander Bokovoy wrote: On Wed, 11 Mar 2020, Fraser Tweedale via FreeIPA-users wrote: Makes me look at this a different way. Perhaps change the certstore to only return valid CA certs. That way they are stored if anyone ever wants them but they

[Freeipa-users] Re: IPA CA renewal and duplicate CA certs

2020-03-11 Thread Rob Crittenden via FreeIPA-users
Alexander Bokovoy wrote: > On Wed, 11 Mar 2020, Fraser Tweedale via FreeIPA-users wrote: >>> Makes me look at this a different way. Perhaps change the certstore to >>> only return valid CA certs. That way they are stored if anyone ever >>> wants them but they won't get pulled down for

[Freeipa-users] Re: LDAP Server stop to response after a period of time

2020-03-11 Thread 鐳鍶 via FreeIPA-users
Ok, thanks. Alexander Bokovoy wrote on Wed, Mar 11, 2020 at 3:37 PM: > On Wed, 11 Mar 2020, Lays Dragon via FreeIPA-users wrote: > >Just as record: It looks like replica lost dnarange on my two servers > >somehow, not sure if it is caused by update or it already happened > >before. Since I notice that via

[Freeipa-users] Re: IPA CA renewal and duplicate CA certs

2020-03-11 Thread François Cami via FreeIPA-users
On Wed, Mar 11, 2020 at 9:12 AM Fraser Tweedale via FreeIPA-users wrote: > > On Wed, Mar 11, 2020 at 09:26:54AM +0200, Alexander Bokovoy wrote: > > On Wed, 11 Mar 2020, Fraser Tweedale via FreeIPA-users wrote: > > > > Makes me look at this a different way. Perhaps change the certstore to > > >

[Freeipa-users] Re: IPA CA renewal and duplicate CA certs

2020-03-11 Thread Fraser Tweedale via FreeIPA-users
On Wed, Mar 11, 2020 at 09:26:54AM +0200, Alexander Bokovoy wrote: > On Wed, 11 Mar 2020, Fraser Tweedale via FreeIPA-users wrote: > > > Makes me look at this a different way. Perhaps change the certstore to > > > only return valid CA certs. That way they are stored if anyone ever > > > wants

[Freeipa-users] Re: LDAP Server stop to response after a period of time

2020-03-11 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 11 Mar 2020, Lays Dragon via FreeIPA-users wrote: Just as record: It looks like replica lost dnarange on my two servers somehow, not sure if it is caused by update or it already happened before. Since I notice that via trying to add a user after update and failed with: Allocation of a

[Freeipa-users] Re: IPA CA renewal and duplicate CA certs

2020-03-11 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 11 Mar 2020, Fraser Tweedale via FreeIPA-users wrote: Makes me look at this a different way. Perhaps change the certstore to only return valid CA certs. That way they are stored if anyone ever wants them but they won't get pulled down for ipa-certupdate or ipa-client-install. Or to