[Freeipa-users] Re: Lost password for CA private key

2023-09-21 Thread John Stokes via FreeIPA-users
One more thing: When exporting, I got these warnings: WARNING: The SHA-1 algorithm used in org.mozilla.jss.pkcs12.SafeBag::getLocalKeyIDFromCert:264 is deprecated. Use a more secure algorithm. I suppose the key was created with SHA-1 back then (5 years ago). Is there anything I can do about

[Freeipa-users] Re: Lost password for CA private key

2023-09-21 Thread John Stokes via FreeIPA-users
What is the kracert.p12 used for? I get this error when I try to export: [root@aaa-01 ca]# pki-server subsystem-cert-export kra --pkcs12-file=/root/kracertbackup.p12 ERROR: No kra subsystem in instance pki-tomcat.

[Freeipa-users] Re: Lost password for CA private key

2023-09-21 Thread John Stokes via FreeIPA-users
Thank you. I used the procedure mentioned here https://www.dogtagpki.org/wiki/PKCS12Export and was able to export the key.

[Freeipa-users] Re: Lost password for CA private key

2023-09-21 Thread Sam Morris via FreeIPA-users
On 21/09/2023 20:30, Rob Crittenden via FreeIPA-users wrote: I ask because my /root/cacert.p12 and /root/kracert.p12 files also aren't encrypted with my directory manager password and I am pretty sure I haven't changed this password since installing any of my current IPA servers. And when I

[Freeipa-users] Re: Lost password for CA private key

2023-09-21 Thread Rob Crittenden via FreeIPA-users
Sam Morris via FreeIPA-users wrote: > On 21/09/2023 15:38, Rob Crittenden via FreeIPA-users wrote: >> John Stokes via FreeIPA-users wrote: >>> Today while creating a backup I realized I don't know the >>> password for the file /root/cacert.p12 where the private key >>> of the CA should be stored.

[Freeipa-users] Re: prevent 'sudo -i ' from executing

2023-09-21 Thread Sam Morris via FreeIPA-users
On 21/09/2023 18:30, Ulf Volmer via FreeIPA-users wrote: On 21.09.23 19:17, Rob Crittenden via FreeIPA-users wrote: HBAC can do this better. HBAC controls who is allowed to use PAM services. sudo-i is a PAM service. It is allowed now, I'm assuming, because you have the HBAC allow_all rule

[Freeipa-users] Re: Lost password for CA private key

2023-09-21 Thread Sam Morris via FreeIPA-users
On 21/09/2023 15:38, Rob Crittenden via FreeIPA-users wrote: John Stokes via FreeIPA-users wrote: Today while creating a backup I realized I don't know the password for the file /root/cacert.p12 where the private key of the CA should be stored. The one I thought it should be (same as

[Freeipa-users] Re: prevent 'sudo -i ' from executing

2023-09-21 Thread Ulf Volmer via FreeIPA-users
On 21.09.23 20:14, Rob Crittenden via FreeIPA-users wrote: Ulf Volmer via FreeIPA-users wrote: So with HBAC I'm able to let a user run 'vim /etc/fstab' and prevent him from escaping and starting a shell? That's great! I should try to look into it. Not really. If you allow sudo to be executed

[Freeipa-users] Re: prevent 'sudo -i ' from executing

2023-09-21 Thread Rob Crittenden via FreeIPA-users
Ulf Volmer via FreeIPA-users wrote: > On 21.09.23 19:17, Rob Crittenden via FreeIPA-users wrote: > >> HBAC can do this better. >> HBAC controls who is allowed to use PAM services. sudo-i is a PAM >> service. It is allowed now, I'm assuming, because you have the HBAC >> allow_all rule enabled. >>

[Freeipa-users] Re: RedHat and 2FA Problem

2023-09-21 Thread Jochen Kellner via FreeIPA-users
Sam Morris via FreeIPA-users writes: > On 21/09/2023 08:55, Sirio Sannipoli via FreeIPA-users wrote: >> Thanks so much Sumit, >> your suggestion works perfectly. >> I'm still curious about the difference in behavior between >> distributions, but it's not that important. >> Greetings > > Probably

[Freeipa-users] Re: prevent 'sudo -i ' from executing

2023-09-21 Thread Ulf Volmer via FreeIPA-users
On 21.09.23 19:17, Rob Crittenden via FreeIPA-users wrote: HBAC can do this better. HBAC controls who is allowed to use PAM services. sudo-i is a PAM service. It is allowed now, I'm assuming, because you have the HBAC allow_all rule enabled. If you disable or delete it then nobody will do

[Freeipa-users] Re: prevent 'sudo -i ' from executing

2023-09-21 Thread Rob Crittenden via FreeIPA-users
Ulf Volmer via FreeIPA-users wrote: > On 21.09.23 18:21, Nathanaël Blanchet via FreeIPA-users wrote: > >> I don't want my users to become root with simply executing the 'sudo >> -i' command so they can execute all root commands. Users should only >> execute with sudo the allowed defined commands.

[Freeipa-users] Re: prevent 'sudo -i ' from executing

2023-09-21 Thread Christian Heimes via FreeIPA-users
On 21/09/2023 18.21, Nathanaël Blanchet via FreeIPA-users wrote: Hello, I don't want my users to become root by simply executing the 'sudo -i' command so they can execute all root commands. Users should only execute with sudo the allowed defined commands. I'm able to prevent them from

[Freeipa-users] Re: prevent 'sudo -i ' from executing

2023-09-21 Thread Ulf Volmer via FreeIPA-users
On 21.09.23 18:21, Nathanaël Blanchet via FreeIPA-users wrote: I don't want my users to become root by simply executing the 'sudo -i' command so they can execute all root commands. Users should only execute with sudo the allowed defined commands. I'm able to prevent them from executing 'sudo

[Freeipa-users] prevent 'sudo -i ' from executing

2023-09-21 Thread Nathanaël Blanchet via FreeIPA-users
Hello, I don't want my users to become root by simply executing the 'sudo -i' command so they can execute all root commands. Users should only execute with sudo the allowed defined commands. I'm able to prevent them from executing 'sudo su -', but I didn't find any information about forbidding

[Freeipa-users] Recovering from certificate expiration issues

2023-09-21 Thread Cristian Le via FreeIPA-users
I have tried my luck around with all the helpers: `pki-server cert-fix`, `ipa-cacert-manage`, `ipa-certupdate`, etc. but each one is failing on me for multiple reasons. - `ipa-cacert-manage` Cannot update the CA with `--external-cert-file` because the root ca is not detected to be in the trust

[Freeipa-users] Re: Get running FreeIPA in Docker in Docker

2023-09-21 Thread Rafael Jeffman via FreeIPA-users
Hi Jay, For running FreeIPA in a container you may want to check https://github.com/freeipa/freeipa-container The setup for it to work is somewhat sensible and following their recommendations will prevent a lot of headaches. Rafael P.S.: Sorry for the top post. On Wed, Sep 20, 2023 at 10:10 

[Freeipa-users] Re: Lost password for CA private key

2023-09-21 Thread Rob Crittenden via FreeIPA-users
John Stokes via FreeIPA-users wrote: > I have an IPA CA that is running fine for several years now. I also have two > replicas installed. > > Today while creating a backup I realized I don't know the password for the > file /root/cacert.p12 where the private key of the CA should be stored. The

[Freeipa-users] Lost password for CA private key

2023-09-21 Thread John Stokes via FreeIPA-users
I have an IPA CA that is running fine for several years now. I also have two replicas installed. Today while creating a backup I realized I don't know the password for the file /root/cacert.p12 where the private key of the CA should be stored. The one I thought it should be (same as the pass

[Freeipa-users] Re: External bind with certs with sysaccounts

2023-09-21 Thread Rob Crittenden via FreeIPA-users
Tania Hagan via FreeIPA-users wrote: > Hi Rob, > > As a company we turn off anonymous bind for security reasons, but have a > number of sysaccounts that are used in scripts to bind as that bind user and > complete an ldapsearch (e.g. get list of users, get monitoring metrics). We > also have

[Freeipa-users] Re: not thinking with the design of bind-dyndb-ldap

2023-09-21 Thread Simo Sorce via FreeIPA-users
This language is completely unacceptable. You have been put in permanent moderation. You can receive messages, but anything you send will be held in moderation and may or may not be acted upon as time permits by the moderators. You can appeal this decision by writing to the list owners. But I warn

[Freeipa-users] Re: Would like to set up a "least privilege" admin only capable of managing POSIX groups, not users.

2023-09-21 Thread Christian Heimes via FreeIPA-users
On 20/09/2023 16.01, Chris Cowan via FreeIPA-users wrote: Christian, Rereading this, I'm wondering if besides the "admin" user and "admins" group if there are any other special users or groups with FreeIPA? From my reading so far, I think the answer is no, but want to be sure. The

[Freeipa-users] not thinking with the design of bind-dyndb-ldap

2023-09-21 Thread Marc via FreeIPA-users
1. Wtf are you assuming the ldap server is writable? Why would you think that changing this opposed to the older version is an improvement? 2. wtf do you want to download the whole ldap via sync? What is even the point of having it in ldap? My old named is using < 500MB, your new version is

[Freeipa-users] getting error "serial (xxxxxxxx) write back to LDAP failed"

2023-09-21 Thread Marc via FreeIPA-users
getting errors like this "serial () write back to LDAP failed" Probably because it is trying to write to ldap? How to turn off this?

[Freeipa-users] Re: RedHat and 2FA Problem

2023-09-21 Thread Sam Morris via FreeIPA-users
On 21/09/2023 08:55, Sirio Sannipoli via FreeIPA-users wrote: Thanks so much Sumit, your suggestion works perfectly. I'm still curious about the difference in behavior between distributions, but it's not that important. Greetings Probably on RHEL you have pam_sssd in your PAM stack, which is

[Freeipa-users] Re: RedHat and 2FA Problem

2023-09-21 Thread Sirio Sannipoli via FreeIPA-users
Thanks so much Sumit, your suggestion works perfectly. I'm still curious about the difference in behavior between distributions, but it's not that important. Greetings