[Freeipa-users] Re: Correcting errors in the CA master certificate

Cool. We'll work on this some more and let you know how The Gathering goes. ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

[Freeipa-users] Re: mod_ldap apache

Hi ivars Many thanks that's just what I was looking for. Sorry about the iPad it should be ipa but it seems I am a victim of autocorrect 藍 Regards Per Sent from my Commodore 64 > On 8 Aug 2017, at 18:07, Ivars Strazdiņš via FreeIPA-users > wrote: >

[Freeipa-users] Re: expired certificates - pki-tomcat not running

On Tue, Aug 08, 2017 at 11:40:54AM -0400, Rob Crittenden wrote: > Michael Gusek via FreeIPA-users wrote: > > Hi Fraser, > > > > at the moment, i can't provide this logfile, i've moved that back to > > have only new log lines. But a new new logfile is not created ??? In my > > old logfile i have

[Freeipa-users] Re: Cannot access Web UI after IPA upgrade to 4.5

On 08/07/2017 07:01 PM, Gustavo Berman via FreeIPA-users wrote: Hello Pavel On Mon, Aug 7, 2017 at 12:40 PM, Pavel Vomacka > wrote: Hello Gustavo, From what I can see, the issue would be PROTOCOL ERROR in whoami command. Could

[Freeipa-users] Re: ID view is not overriding user attributes

(Wed Aug 9 04:20:14 2017) [sssd[be[ipa.corp.example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=supratik.goswami))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=corp,dc=example,dc=com] What I could see here is that it is

[Freeipa-users] Re: Cannot access Web UI after IPA upgrade to 4.5

Pavel, Thanks for the help, that solved the problem. Now I can access the web ui. The upgrade took place yesterday and it was a release upgrade from rhel 7.3 (last update was last week) to rhel 7.4 (so we had a lot of package updates): ID | Command line | Date and time|

[Freeipa-users] FIPA OTP 2FA

Hello all, I have enabled password+OTP authentication for a user and able to sync tokens and SSH. While ssh to server using FIPA credentials it's asking authentication in two steps as First Factor and Second Factor . But i just want to give it in a single line password ,Can any one suggest how

[Freeipa-users] Re: howto replace an externally signed CA

Hi Flo, On Wed, 2 Aug 2017 16:24:00 +0200 Florence Blanc-Renaud wrote: > Hi, > > You can follow the steps described here: >

[Freeipa-users] Re: Correcting errors in the CA master certificate

Scott Stevson via FreeIPA-users wrote: > Hey Rob, > > It's the NSSDB cert. Here's some console output that might be helpful. > > PROD [root@server-ns-1 var]# getcert list | grep -A10 20150827000358 > Request ID '20150827000358': > status: MONITORING > ca-error: Server at >

[Freeipa-users] Re: mod_ldap apache

Hi Per, could you define “working configuration” requirements and what’s iPad specific? Anyway, below is my setup with Centos Apache to authenticate against IPA via LDAP using either username (uid) or e-mail. No Kerberos or GSSAPI used, just “pure” LDAP. Please note, IPA group “shareusers”

[Freeipa-users] expired certificates - pki-tomcat not running

Hello, we run in a problem with expired certificates: > getcert list (sample show only one expired certificate) ... Request ID '20170202144747': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate

[Freeipa-users] Re: Using AWS ELB with 2 FreeIPA servers

You may be over complicating things by using a load balancer, IPA does a fairly good job of balancing things itself, for example the default SSSD config is to have this: ipa_server = _srv_, meaning it will select which host to communicate with via the DNS service records, which are

[Freeipa-users] Re: FIPA OTP 2FA

saidireddy ranabothu via FreeIPA-users writes: > I have enabled password+OTP authentication for a user and able to sync > tokens and SSH. > > While ssh to server using FIPA credentials it's asking authentication in > two steps as First Factor and Second

[Freeipa-users] Re: Failed Upgrade?

On 8/7/17 1:44 AM, thierry bordaz wrote: On 08/07/2017 09:22 AM, Florence Blanc-Renaud via FreeIPA-users wrote: On 08/04/2017 11:02 PM, Ian Harding via FreeIPA-users wrote: On 8/4/17 2:16 AM, Florence Blanc-Renaud wrote: On 08/03/2017 11:13 PM, Ian Harding via FreeIPA-users wrote: On

[Freeipa-users] Re: Correcting errors in the CA master certificate

Thanks, Rob. Unfortunately my test in staging resulted in an expired dogtag cert. The staging environment didn't have any certificates that were due to expire soon so I updated the xmlrpc_server variable on one of the four IPA hosts we have to another one in the same AWS region and restarted

[Freeipa-users] Re: Correcting errors in the CA master certificate

Scott Stevson via FreeIPA-users wrote: > Thanks, Rob. > > Unfortunately my test in staging resulted in an expired dogtag cert. The > staging environment didn't have any certificates that were due to expire soon > so I updated the xmlrpc_server variable on one of the four IPA hosts we have >

[Freeipa-users] reverse zone after install?

Hi All, If you setup DNS but did not enable the reverse zone during the initial install, is there a way to add/enable it after the fact? I can script adding in all the PTR records, but wanted to find out how to create/enable the reverse zone once you have already installed. Thanks K

[Freeipa-users] Re: expired certificates - pki-tomcat not running

Michael Gusek via FreeIPA-users wrote: > Hi Fraser, > > at the moment, i can't provide this logfile, i've moved that back to > have only new log lines. But a new new logfile is not created ??? In my > old logfile i have some lines after switch to basic auth, but before > setting time to past: >

[Freeipa-users] remove ipa-dns-server ?

Hello, CentOS 7.3 what is the best way to remove a installed ipa-dns-server? I can't found any helpful Doc's for this only for installing the server I found Docs Thanks for the Help, -- mit freundlichen Grüssen / best regards, Günther J. Niederwimmer

[Freeipa-users] Re: SUDO Rules not getting processed

Are you 100% sure that you have a line like "sudoers: files sss" in your /etc/nsswitch.conf? Am 7. August 2017 11:10:56 MESZ schrieb Alka Murali via FreeIPA-users : >Hello Team, > >Have checked all the logs, and the SSSD Logs are saying that it is

[Freeipa-users] Re: Cannot access Web UI after IPA upgrade to 4.5

Hello Gustavo, On 08/07/2017 04:20 PM, Gustavo Berman via FreeIPA-users wrote: Hi there, Today we upgraded to the latest IPA 4.5, log says it upgraded just fine, ipa seems to authenticate allright, but web ui fails with: Operations Error Some operations failed.

[Freeipa-users] Re: Creating certificate for master domain

We have host which is registered and have http service with one domain e.g. xyz.intra.example.com. But we want to add another site with domain intra.example.com, and we need to enroll certificate for that domain, but we can't because the hostname of these host is xyz.intra.example.com. Is it

[Freeipa-users] Re: Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA

I think this has resolved itself on its own after the update to RHEL 7.4. So that was a pleasant surprise. On Wed, Aug 2, 2017 at 8:53 AM, Prasun Gera wrote: > I think the path that is triggered first is from the following code: > > if new_cert == old_cert: > >

[Freeipa-users] Re: Extended Schema attributes missing

Great, thanks! On Aug 4, 2017 11:58 PM, "Alexander Bokovoy" wrote: > On pe, 04 elo 2017, Kristian Petersen via FreeIPA-users wrote: > >> Alexander, >> >> That was it! I had seen this before at a previous place of employment, >> but >> couldn't recall enough of what we'd

[Freeipa-users] Re: Failed Upgrade?

On 08/07/2017 09:22 AM, Florence Blanc-Renaud via FreeIPA-users wrote: On 08/04/2017 11:02 PM, Ian Harding via FreeIPA-users wrote: On 8/4/17 2:16 AM, Florence Blanc-Renaud wrote: On 08/03/2017 11:13 PM, Ian Harding via FreeIPA-users wrote: On 08/03/2017 12:28 AM, Florence Blanc-Renaud

[Freeipa-users] Re: expired certificates - pki-tomcat not running

Hi Fraser, at the moment, i can't provide this logfile, i've moved that back to have only new log lines. But a new new logfile is not created ??? In my old logfile i have some lines after switch to basic auth, but before setting time to past: [07/Aug/2017:14:16:22][localhost-startStop-1]:

[Freeipa-users] Unable to login with AD users

Hello, I have created a FreeIPA solution using Red Hat’s IDM product. FreeIPA version: 4.5.0 OS version: RHEL 7.4 I have successfully installed the server portion and can authenticate to it using local IDM users, such as the ‘admin’ user. I have created a one-way trust between the IPA realm

[Freeipa-users] Re: Creating certificate for master domain

Rafał Wądołowski via FreeIPA-users wrote: > We have host which is registered and have http service with one domain > e.g. xyz.intra.example.com. > > But we want to add another site with domain intra.example.com, and we > need to enroll certificate for that domain, but we can't because the >

[Freeipa-users] HBAC vs Sudo

We are running FreeIPA 4.4. Even though sudo is listed as one of the services in the HBAC rule, it seems like only the Sudo rules are what really controls sudo. Sudo ignores what is in the HBAC rules. Is this expected behavior? It doesn't really which way it really works, we are more concerned

[Freeipa-users] Re: Correcting errors in the CA master certificate

Hey Rob, It's the NSSDB cert. Here's some console output that might be helpful. PROD [root@server-ns-1 var]# getcert list | grep -A10 20150827000358 Request ID '20150827000358': status: MONITORING ca-error: Server at

[Freeipa-users] Re: HBAC vs Sudo

On 08/08/2017 12:02 PM, Steve Weeks via FreeIPA-users wrote: We are running FreeIPA 4.4. Even though sudo is listed as one of the services in the HBAC rule, it seems like only the Sudo rules are what really controls sudo. Sudo ignores what is in the HBAC rules. Is this expected behavior?