[Freeipa-users] Re: FreeIPA 4.4 with Yubikey and Radius for VPN auth

2017-06-12 Thread Jochen Hein via FreeIPA-users
Hello Dagan, > The VPN is Cisco, we use openconnect to connect to it currently and it > works without a problem. I use ocserv on my VPN server and openconnect - normally with GSSAPI, but I'll try with password/OTP. > The Yubikeys in the existing configuration are in a static file, which > does

[Freeipa-users] Re: FreeIPA 4.4 with Yubikey and Radius for VPN auth

2017-06-12 Thread Dagan McGregor via FreeIPA-users
On 13 June 2017 5:01:31 AM NZST, Jochen Hein via FreeIPA-users wrote: > >Hello, > >Dagan McGregor via FreeIPA-users >writes: > >> I have been asked to configure FreeIPA 4.4 servers to handle VPN > >What kind of VPN do you use? What client do you use? > >> authentication using a FreeRADIUS serve

[Freeipa-users] Re: [Freeipa-users]FreeIPA and TACACS+

2017-06-12 Thread Andrew Meyer via FreeIPA-users
Ok, well I'm going to start getting this set up soon. On Monday, June 12, 2017 3:30 PM, Joshua D Doll via FreeIPA-users wrote: I don't think PAM is needed at all, but I could be wrong. Joshua D Doll On June 12, 2017 4:28:14 PM EDT, Andrew Meyer via FreeIPA-users wrote: Correct. So I

[Freeipa-users] Re: [Freeipa-users]FreeIPA and TACACS+

2017-06-12 Thread Joshua D Doll via FreeIPA-users
I don't think PAM is needed at all, but I could be wrong. Joshua D Doll On June 12, 2017 4:28:14 PM EDT, Andrew Meyer via FreeIPA-users wrote: >Correct. So I would skip the adding of the pam module and just create >a new pam config file, right? > >On Monday, June 12, 2017 2:54 PM, Joshua D Do

[Freeipa-users] Re: [Freeipa-users]FreeIPA and TACACS+

2017-06-12 Thread Andrew Meyer via FreeIPA-users
Correct. So I would skip the adding of the pam module and just create a new pam config file, right? On Monday, June 12, 2017 2:54 PM, Joshua D Doll via FreeIPA-users wrote: I think you only want the PAM module if you are trying to authenticate your users via tacacs for Linux. It soun

[Freeipa-users] Re: [Freeipa-users]FreeIPA and TACACS+

2017-06-12 Thread Joshua D Doll via FreeIPA-users
I think you only want the PAM module if you are trying to authenticate your users via tacacs for Linux. It sounds like you are trying to setup a tacacs server and using FreeIPA as your user store. In which case you'll want to look at configuring the tacacs service to talk to FreeIPA's LDAP Josh

[Freeipa-users] Re: Scheduled disable/delete user account

2017-06-12 Thread Striker Leggette via FreeIPA-users
It is possible to set up a cron job to do this for you. However, it is good practice for companies to do this process manually instead of relying on a script that will run at some point on its own. Either way, someone will have to do something to initiate the process. What I suggest is to k

[Freeipa-users] Re: replication problem

2017-06-12 Thread Mark Reynolds via FreeIPA-users
On 06/11/2017 01:49 PM, Adrian HY via FreeIPA-users wrote: > I think I detected the problem. The error log in the replica writes: > > *[11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length > exceeds maximum allowed limit (length=2483849, limit=2097152). Change > the nsslapd-maxsasl

[Freeipa-users] Re: Replication failing on some records

2017-06-12 Thread Mark Reynolds via FreeIPA-users
On 06/12/2017 07:32 AM, Nick Campion via FreeIPA-users wrote: > > Thanks Mark, > > So this example is a user password change using kinit, the password > has been changed on freeipa02 but not then replicated to the others. > This happens for other records, but I don't have examples of these at > t

[Freeipa-users] Re: FreeIPA 4.4 with Yubikey and Radius for VPN auth

2017-06-12 Thread Jochen Hein via FreeIPA-users
Hello, Dagan McGregor via FreeIPA-users writes: > I have been asked to configure FreeIPA 4.4 servers to handle VPN What kind of VPN do you use? What client do you use? > authentication using a FreeRADIUS server, with 2FA being generated by > a Yubikey given to each user. Is the Yubikey enro

[Freeipa-users] Re: replication problem

2017-06-12 Thread Adrian HY via FreeIPA-users
Hi Givaldo, I tried to reinitialize the replica and I did not get results. On Mon, Jun 12, 2017 at 12:28 PM, Givaldo Lins via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hey Adrian, > > Not sure if it will resolve your problem, but have you tried to > reinitialize the replica?

[Freeipa-users] Re: replication problem

2017-06-12 Thread Givaldo Lins via FreeIPA-users
Hey Adrian, Not sure if it will resolve your problem, but have you tried to reinitialize the replica? You can run this on the replica: # ipa-replica-manage re-initialize --from=usuarios.ipa.server.com I hope this helps you. Cheers, Givaldo Lins From: "Adrian HY via FreeIPA-users" To: f

[Freeipa-users] Re: DNS zone origin record search

2017-06-12 Thread Martin Bašti via FreeIPA-users
On 11.06.2017 01:20, John Morris via FreeIPA-users wrote: This works to find a single DNS record: $ ipa dnsrecord-find example.com --name=ipa-ca --pkey-only Record name: ipa-ca Number of entries returned 1 But thi

[Freeipa-users] Re: [Freeipa-users]FreeIPA and TACACS+

2017-06-12 Thread Andrew Meyer via FreeIPA-users
So this post is having me compile the pam_tacacs. Do I still need to do that if I am using shrubbery.net TACACS+? On Monday, June 12, 2017 10:15 AM, Andrew Meyer via FreeIPA-users wrote: Haven't gotten that far yet. Want to set it up. On Friday, June 9, 2017 6:08 PM, Jake via F

[Freeipa-users] Re: replication problem

2017-06-12 Thread Adrian HY via FreeIPA-users
Hi everybody, any suggestions regarding this problem? On Sun, Jun 11, 2017 at 1:49 PM, Adrian HY wrote: > I think I detected the problem. The error log in the replica writes: > > *[11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length > exceeds maximum allowed limit (length=2483849,

[Freeipa-users] Re: documentation or example of using S42U for NFS

2017-06-12 Thread Rob Crittenden via FreeIPA-users
Jens Timmerman via FreeIPA-users wrote: > Hi Greg, > > > On 02/03/2017 03:29, Greg wrote: >> I've been at this as well for a while now, and managed to make it work >> for my NFS needs (automounting user homes with password-less logons). >> >> >> >> $ ipa servicedelegationrule-show ipa-nfs-delegat

[Freeipa-users] Re: documentation or example of using S42U for NFS

2017-06-12 Thread Jens Timmerman via FreeIPA-users
Hi Greg, On 02/03/2017 03:29, Greg wrote: > I've been at this as well for a while now, and managed to make it work > for my NFS needs (automounting user homes with password-less logons). > > > > $ ipa servicedelegationrule-show ipa-nfs-delegation > Delegation name: ipa-nfs-delegation > Allowe

[Freeipa-users] Re: [Freeipa-users]FreeIPA and TACACS+

2017-06-12 Thread Andrew Meyer via FreeIPA-users
Haven't gotten that far yet. Want to set it up. On Friday, June 9, 2017 6:08 PM, Jake via FreeIPA-users wrote: it's a pam module and works the same as others, if you are using hbac you'll need to create a service for the module https://serverfault.com/questions/425020/authenticate-lin

[Freeipa-users] Scheduled disable/delete user account

2017-06-12 Thread Per Qvindesland via FreeIPA-users
Hi All, Is it possible to set a schedule for when a user account is disabled/deleted? The reason why I am asking is that we would like to be able to set an account to be disabled or deleted when the user leaves the company; for the moment it can take time until a sysadmin disables or deletes the ac

[Freeipa-users] Re: Ansible and ipa-client-install

2017-06-12 Thread Gerald-Markus Zabos via FreeIPA-users
On Mon, 2017-06-12 at 10:50 +0200, Florence Blanc-Renaud via FreeIPA-users wrote: > Hi, > We are waiting for your feedback on all these topics: would you be > likely to use Ansible to deploy an IPA client, which requirements, > concerns, ideas do you have in this area? > > Thank you for your in

[Freeipa-users] Re: Replication failing on some records

2017-06-12 Thread Nick Campion via FreeIPA-users
Thanks Mark, So this example is a user password change using kinit, the password has been changed on freeipa02 but not then replicated to the others. This happens for other records, but I don't have examples of these at the moment. As far as I'm aware, there is no fractal replication set up. Fre

[Freeipa-users] Re: Query about the configuration on the High Availability of the FreeIPA

2017-06-12 Thread Arpit Tolani via FreeIPA-users
Hello, I am sorry, I am not sure, but if your client hostname is within the correct domain, I think you don't need to give domain & realm. Like, if your IPA domain & realm is dataservice.net & your client hostname is system2.dataservice.net, I think it will take it automatically. Someone else can confirm.

[Freeipa-users] Re: Query about the configuration on the High Availability of the FreeIPA

2017-06-12 Thread wenxing zheng via FreeIPA-users
So we can safely ignore the --server option for the ipa-client-install? But the --domain and --realm are mandatory? Many thanks to Arpit. On Mon, Jun 12, 2017 at 6:51 PM, Arpit Tolani wrote: > Hello > > Try to run below commands on your IPA client & point resolv.conf to > IPA server & IPA clien

[Freeipa-users] Re: FreeIPA master and replica behind an Elastic load balancer

2017-06-12 Thread Ridha Zorgui via FreeIPA-users
Hi, Thank you for the reply, I will try what you described and see if this works. I didn't know about this 'SRV records' thing and I don't know if it will work as I am configuring my clients kinda manually without the client setup script. Regards From: Arpit Tolani

[Freeipa-users] Re: Query about the configuration on the High Availability of the FreeIPA

2017-06-12 Thread Arpit Tolani via FreeIPA-users
Hello, Try to run the below commands on your IPA client & point resolv.conf to the IPA server & IPA client: # dig srv _ldap._tcp.dataservice.net # dig srv _kerberos._tcp.dataservice.net # dig srv _kpasswd._tcp.dataservice.net If they return your IPA servers, it can automatically figure out your IPA serve

[Freeipa-users] Re: FreeIPA master and replica behind an Elastic load balancer

2017-06-12 Thread Arpit Tolani via FreeIPA-users
BTW, now that I think of it, why are you using a load balancer? Let SRV records take care of your IPA load balancing; configure your clients to auto-discover the IPA server using SRV records. Regards Arpit Tolani On Mon, Jun 12, 2017 at 4:14 PM, Arpit Tolani wrote: > Hello > > IPA can sign certificate req

[Freeipa-users] Re: Query about the configuration on the High Availability of the FreeIPA

2017-06-12 Thread wenxing zheng via FreeIPA-users
I set up an IPA server: freeipa-server and a replica: freeipa-replica, both with embedded DNS. I have 2 server addresses: freeipa-server.dataservice.net and freeipa-replica.dataservice.net. When I am configuring the IPA client using the ipa-client-install, how do I specify the "--server" option? Or it

[Freeipa-users] Re: FreeIPA master and replica behind an Elastic load balancer

2017-06-12 Thread Arpit Tolani via FreeIPA-users
Hello IPA can sign certificate requests with subjectAltName (SAN) extensions. Use the 'ipa-getcert' command to resubmit the LDAP SSL certificate request(s), adding the '-D' option to specify the DNSNAME value for each of the VIPs: First, on each IPA server, run 'ipa-getcert list' to find the

[Freeipa-users] Re: Query about the configuration on the High Availability of the FreeIPA

2017-06-12 Thread Arpit Tolani via FreeIPA-users
Hello > Can you help to shed more light on how to configure the SRV records for > auto discovery? > When ipa-server is set up with embedded DNS (using --setup-dns ) SRV records are automatically added in IPA. If it's an external DNS server, you need to add records something like this in your DNS ser

[Freeipa-users] Re: Ansible and ipa-client-install

2017-06-12 Thread Christian Heimes via FreeIPA-users
On 2017-06-12 10:50, Florence Blanc-Renaud via FreeIPA-users wrote: > Hi, > > the team is starting investigations regarding the deployment of IPA > using Ansible, and we would like to get community feedback. Ansible > already provides a few community-maintained Identity Modules [1] > allowing to m

[Freeipa-users] Re: Ansible and ipa-client-install

2017-06-12 Thread Martin Kosek via FreeIPA-users
On 06/12/2017 11:45 AM, wouter.hummelink--- via FreeIPA-users wrote: > Hi, > > For our puppet profile we use ipa-client-install unless the file > /etc/ipa/default.conf exists (which is created by ipa-client-install), this > should work for ansible as well. The creates option in both puppet exec

[Freeipa-users] Re: Query about the configuration on the High Availability of the FreeIPA

2017-06-12 Thread wenxing zheng via FreeIPA-users
Thanks to Rob. Can you help to shed more light on how to configure the SRV records for auto discovery? On Tue, Jun 6, 2017 at 3:47 AM, Rob Crittenden wrote: > Standa Laznicka via FreeIPA-users wrote: > > Hello, > > > > When you specify --help to a script, you usually get a brief description >

[Freeipa-users] Re: Ansible and ipa-client-install

2017-06-12 Thread Christian Heimes via FreeIPA-users
On 2017-06-12 11:45, wouter.hummelink--- via FreeIPA-users wrote: > Hi, > > For our puppet profile we use ipa-client-install unless the file > /etc/ipa/default.conf exists (which is created by ipa-client-install), this > should work for ansible as well. The creates option in both puppet exec and

[Freeipa-users] Re: Ansible and ipa-client-install

2017-06-12 Thread wouter.hummelink--- via FreeIPA-users
Hi, For our puppet profile we use ipa-client-install unless the file /etc/ipa/default.conf exists (which is created by ipa-client-install), this should work for ansible as well. The creates option in both puppet exec and ansible shell modules seem to serve the same purpose in that regard. ---

[Freeipa-users] FreeIPA master and replica behind an Elastic load balancer

2017-06-12 Thread ridha.zorgui--- via FreeIPA-users
I set up a FreeIPA master and replica behind an elastic load balancer in AWS cloud. FreeIPA clients will be contacting the replica and the master server through the load balancer, so the DNS name used when configuring the clients is the ELB CNAME. The problem is when retrieving data and during th

[Freeipa-users] Ansible and ipa-client-install

2017-06-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, the team is starting investigations regarding the deployment of IPA using Ansible, and we would like to get community feedback. Ansible already provides a few community-maintained Identity Modules [1] allowing you to manage users, groups, hosts, hbac rules, roles, sudo rules, but in a first p