[Freeipa-users] Make custom attribute fail in UI and SAVE Button
Dear all:

I followed the FreeIPA 3.0 guide about web UI plugins. On the command line I successfully made a custom attribute called Employee "Commencement Date". I can add it using a script / command. But in the web UI it displays the "Commencement Date" label only and does not display an edit field or allow me to edit. After that I changed it to multivalue; the field came out, but the save button is still grey and I cannot save. Which part did I get wrong? Please advise. Thx

    define(['freeipa/phases','freeipa/user'], function(phases, user_mod) {
        // helper function
        function get_item(array, attr, value) {
            for (var i=0,l=array.length; i

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] master - replica relationship
Hola,

I'm still trying to wrap my head around the master-replica concept. From what I read in the documentation (Chapter 4 of https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/ ) the replica should be able to take over as master should the master go offline.

Our replica was set up with CA & without DNS - the same as master, and it seems to be working on the whole. The problem I'm having is in the replication.

create user on master:

    ipa user-add master_test_user --first=MT --last=ML

create user on replica:

    ipa user-add replica_test_user --first=RT --last=RL

find user on master:

    [root@vmpr-linuxidm ~]# ipa user-find test_user
    --- 2 users matched ---
      User login: master_test_user
      First name: MT
      Last name: ML
      Home directory: /home/master_test_user
      Login shell: /bin/bash
      Principal name: master_test_u...@unix.domain.com
      Principal alias: master_test_u...@unix.domain.com
      Email address: master_test_u...@domain.com
      UID: 1718800021
      GID: 1718800021
      Account disabled: False

      User login: replica_test_user
      First name: RT
      Last name: RL
      Home directory: /home/replica_test_user
      Login shell: /bin/bash
      Principal name: replica_test_u...@unix.domain.com
      Principal alias: replica_test_u...@unix.domain.com
      Email address: replica_test_u...@domain.com
      UID: 1718850502
      GID: 1718850502
      Account disabled: False
    Number of entries returned 2

find user on replica:

    [root@vmdr-linuxidm ~]# ipa user-find test_user
    -- 1 user matched --
      User login: replica_test_user
      First name: RT
      Last name: RL
      Home directory: /home/replica_test_user
      Login shell: /bin/bash
      Principal name: replica_test_u...@unix.domain.com
      Principal alias: replica_test_u...@unix.domain.com
      Email address: replica_test_u...@domain.com
      UID: 1718850502
      GID: 1718850502
      Account disabled: False
    Number of entries returned 1

If I run ipa user-add on the replica, I see it upstream on master, but if I run ipa add-user on the master, that's not replicated down to the replica. Also, ipa user-del (even with --no-preserve) works on master, but doesn't delete the user on the replica.

What has gone wrong?

Cheers
L.

--
"The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics is the insistence that we cannot ignore the truth, nor should we panic about it. It is a shared consciousness that our institutions have failed and our ecosystem is collapsing, yet we are still here — and we are creative agents who can shape our destinies. Apocalyptic civics is the conviction that the only way out is through, and the only way through is together." *Greg Bloom* @greggish https://twitter.com/greggish/status/873177525903609857
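A quick consistency check for the situation described above, written as an added example (not part of the thread): it takes the `ipa user-find` output captured on the master and on the replica and reports logins that exist on only one side. The two captures below are constructed to mirror the thread's output; the hostnames and file names are assumptions.

```sh
#!/bin/sh
# Compare `ipa user-find` output from a master and a replica and report
# logins present on only one of them. In practice capture the two outputs
# with something like:
#   ssh vmpr-linuxidm 'ipa user-find test_user' > master.txt
#   ssh vmdr-linuxidm 'ipa user-find test_user' > replica.txt
# The captures below are constructed sample data, not real server output.

MASTER_OUT='--- 2 users matched ---
  User login: master_test_user
  First name: MT
  Last name: ML
  User login: replica_test_user
  First name: RT
  Last name: RL
Number of entries returned 2'

REPLICA_OUT='-- 1 user matched --
  User login: replica_test_user
  First name: RT
  Last name: RL
Number of entries returned 1'

# Extract the sorted, de-duplicated "User login:" values from one capture.
logins() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*User login:[[:space:]]*//p' | sort -u
}

# Print every login that is in the first capture but not in the second.
only_in_first() {
    for u in $(logins "$1"); do
        if ! logins "$2" | grep -qx "$u"; then
            printf '%s\n' "$u"
        fi
    done
}

# Report divergence in both directions. Returns 0 only when both servers
# hold the same set of logins; a non-empty "missing on replica" list is
# exactly the master -> replica failure the thread describes.
replication_check() {
    m2r=$(only_in_first "$1" "$2")
    r2m=$(only_in_first "$2" "$1")
    [ -n "$m2r" ] && printf 'missing on replica: %s\n' "$m2r"
    [ -n "$r2m" ] && printf 'missing on master: %s\n' "$r2m"
    [ -z "$m2r$r2m" ]
}

replication_check "$MASTER_OUT" "$REPLICA_OUT" || echo "servers disagree"
```

When the check reports divergence, `ipa-replica-manage -v list <master-fqdn>` shows the last update status of each replication agreement and is the place to look for the failing direction.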
[Freeipa-users] Re: Using user-mod to set a hashed password
On Wed, 08 Nov 2017, Aaron Hicks wrote:
> Thanks Alexander,
>
> This is what the source code said to me too. I'm going to have to fall back to directly interacting with LDAP to make this work, or set up PWM, though we'd prefer an official and supported password manager plugin for FreeIPA.

It will not work directly via LDAP either because the ipa-pwd-extop plugin will refuse changing passwords to a hashed form, even as cn=Directory Manager.

--
/ Alexander Bokovoy
[Freeipa-users] Re: Using user-mod to set a hashed password
Thanks Alexander,

This is what the source code said to me too. I'm going to have to fall back to directly interacting with LDAP to make this work, or set up PWM, though we'd prefer an official and supported password manager plugin for FreeIPA.

Regards,
Aaron

-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Tuesday, 7 November 2017 7:17 PM
To: FreeIPA users list
Cc: Aaron Hicks
Subject: Re: [Freeipa-users] Using user-mod to set a hashed password

On Tue, 07 Nov 2017, Aaron Hicks via FreeIPA-users wrote:
> Hello the list,
>
> The next terrible bad thing our customer service model says we'd like to do with FreeIPA is set user passwords from our customer management system. It's not AD and it's not LDAP. It does have a store of salted hashed sha512 passwords.
>
> I have set the FreeIPA directory in migration mode as per http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
>
> We are able to add new users (with add-user) and set their password with --setattr userpassword={crypt}$6$reallylongsalteddsha512hashsoveryverylong
>
> The previous bit is working. The next bit is not.
>
> We have a bunch of users in the directory who were created before we enabled this feature in user creation, and another bunch who have not yet generated a password hash. These users have no password set in FreeIPA. Our script is capable of figuring out if an account's hasPassword attribute is True or False.
>
> We'd like to set these users' passwords if they are not already set, but:
>
> ipa user-mod username --setattr userpassword={crypt}$6$reallylongsalteddsha512hashsoveryverylong
>
> ipa: ERROR: Constraint violation: Pre-Encoded passwords are not valid
>
> We get the same response when we kinit as admin or a user with the System: Change User password permission.
>
> Is there a specific configuration mode option or account attribute that allows this to work?

No, nothing would allow you to change pre-hashed passwords through the IPA framework.

What you could do is to set them a random non-hashed password as administrator, and thus it would force a change of the password on next login. That's all you could do. Of course, 'next login' can be simulated too, but you cannot do this with a hashed password.

--
/ Alexander Bokovoy
[Freeipa-users] Re: RHEL/CentOS 5 and IPA 4.5
On (07/11/17 10:34), Sigbjorn Lie via FreeIPA-users wrote:
> Hi,
>
> I would also prefer to stop using an unsupported distribution. Unfortunately not all application vendors have updated their software, which prevents the upgrade of these machines to a newer and supported distribution.
>

For such a setup I would recommend running sssd on el7 and the application in a container with el5 + bind mount /var/lib/sss/pipes/ from host to container. Such a setup should be a little bit more secure.

LS
[Freeipa-users] Re: Multiboot and FreeIPA
On Tue, 07 Nov 2017, Pascal Ernster via FreeIPA-users wrote:
> Hi,
>
> is it possible to use multiple operating systems (for example different versions of Fedora and CentOS) at the same time on one and the same computer, with the same IP address/hostname, with all of these OS installations being valid FreeIPA clients at the same time? Could this cause problems as every operating system gets its own Kerberos TGT, its own SSH host keys, LDAP entries, etc?
>
> In case it matters: I'm using the FreeIPA packages from the official distro repos, which means that different OS installations may have differing versions of the FreeIPA client and its dependency packages.
>
> The use case would be a (hopefully) seamless distro upgrade, with an easy fallback option for users if they experience problems with the new distro release.

If they all have the same hostname, you are better off enrolling once and sharing the keytab across all configurations. To do so, enroll the first time and then specify /etc/krb5.keytab from that installation with the ipa-client-install -k option. See the ipa-client-install man page for more details.

--
/ Alexander Bokovoy
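Before reusing the first installation's keytab with `ipa-client-install -k`, it is worth confirming that each OS installation's copy still carries the same host key. This added example (not from the thread) compares the `klist -kt` output of two keytab copies: if one installation was later enrolled without `-k`, its host key gets a new kvno and the other installation's keytab stops working. The two klist captures, hostname and realm below are constructed.

```sh
#!/bin/sh
# Compare the host principal's kvno in two keytab copies. On a real system
# capture each with:  klist -kt /etc/krb5.keytab   (from inside each OS, or
# from the other installation's mounted root filesystem)
# Both captures below are constructed sample data.

FQDN='client.example.test'   # assumed hostname shared by all installations
REALM='EXAMPLE.TEST'         # assumed Kerberos realm

# Keytab copied from the first enrolment, as the thread recommends.
KEYTAB_OS_A='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------
   2 11/07/2017 10:15:03 host/client.example.test@EXAMPLE.TEST
   2 11/07/2017 10:15:03 host/client.example.test@EXAMPLE.TEST'

# Keytab of an installation that re-enrolled without -k: new key, kvno 3.
KEYTAB_OS_B='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------
   3 11/08/2017 09:02:41 host/client.example.test@EXAMPLE.TEST
   3 11/08/2017 09:02:41 host/client.example.test@EXAMPLE.TEST'

# Print the distinct kvno(s) stored for host/<fqdn>@<realm>; empty if absent.
host_kvno() {   # $1 = klist -kt output, $2 = fqdn, $3 = realm
    printf '%s\n' "$1" | awk -v p="host/$2@$3" '$NF == p { print $1 }' | sort -u
}

# Succeed only when both keytabs hold the host principal with one identical kvno.
same_host_key() {   # $1, $2 = two klist -kt outputs
    a=$(host_kvno "$1" "$FQDN" "$REALM")
    b=$(host_kvno "$2" "$FQDN" "$REALM")
    [ -n "$a" ] && [ "$a" = "$b" ] && [ "$(printf '%s\n' "$a" | wc -l)" -eq 1 ]
}

if same_host_key "$KEYTAB_OS_A" "$KEYTAB_OS_B"; then
    echo "keytabs agree: host key can be shared"
else
    echo "host key differs (kvno $(host_kvno "$KEYTAB_OS_A" "$FQDN" "$REALM") vs $(host_kvno "$KEYTAB_OS_B" "$FQDN" "$REALM")): re-copy the keytab"
fi
```

The fix when they differ is the one from the reply above: copy the currently valid /etc/krb5.keytab to the other installation and enroll it with `ipa-client-install -k`, rather than letting it join on its own.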
[Freeipa-users] Multiboot and FreeIPA
Hi,

is it possible to use multiple operating systems (for example different versions of Fedora and CentOS) at the same time on one and the same computer, with the same IP address/hostname, with all of these OS installations being valid FreeIPA clients at the same time? Could this cause problems as every operating system gets its own Kerberos TGT, its own SSH host keys, LDAP entries, etc?

In case it matters: I'm using the FreeIPA packages from the official distro repos, which means that different OS installations may have differing versions of the FreeIPA client and its dependency packages.

The use case would be a (hopefully) seamless distro upgrade, with an easy fallback option for users if they experience problems with the new distro release.

Regards
Pascal
[Freeipa-users] Re: RHEL/CentOS 5 and IPA 4.5
On Mon, 06 Nov 2017, Sigbjorn Lie via FreeIPA-users wrote:
> Hi list,
>
> RHEL/CentOS 5.11 clients do not seem to work with IPA 4.5 unless I go from sssd-ipa to sssd-ldap. I would prefer to continue to use sssd-ipa to allow the existing HBAC rules to function.
>
> Is there a known workaround to get EL 5.11 clients to work with IPA 4.5 using sssd-ipa?
>
> Thanks.
>
> Regards,
> Siggi
>
>     [root@ipaclient sssd]# kinit -kt /etc/krb5.keytab
>     kinit(v5): Preauthentication failed while getting initial credentials

Uninstall pkinit-nss if you have it installed. Restart sssd.

--
/ Alexander Bokovoy
[Freeipa-users] Re: RHEL/CentOS 5 and IPA 4.5
Hi,

I would also prefer to stop using an unsupported distribution. Unfortunately not all application vendors have updated their software, which prevents the upgrade of these machines to a newer and supported distribution.

Regards,
Siggi

> On 7 Nov 2017, at 07:57, Lukas Slebodnik wrote:
>
> On (06/11/17 16:58), Sigbjorn Lie via FreeIPA-users wrote:
>> Hi list,
>>
>> RHEL/CentOS 5.11 clients do not seem to work with IPA 4.5 unless I go from sssd-ipa to sssd-ldap. I would prefer to continue to use sssd-ipa to allow the existing HBAC rules to function.
>>
>> Is there a known workaround to get EL 5.11 clients to work with IPA 4.5 using sssd-ipa?
>>
>
> I would not recommend using an unsupported distribution.
> https://lists.centos.org/pipermail/centos-announce/2017-April/022350.html
>
> You should consider moving from el5 to el6 or el7
>
> LS
[Freeipa-users] Re: RHEL/CentOS 5 and IPA 4.5
Hi,

The EL5 servers are already enrolled in an RHEL6/IPA3 domain, and have been for several years. The EL5 machines work just fine when connected to the RHEL6/IPA3 domain. The RHEL6/IPA3 domain will now be upgraded to RHEL7/IPA4, and while performing some testing before the upgrade, we noticed the mentioned issues with sssd-ipa in EL5.

Regards,
Siggi

> On 6 Nov 2017, at 17:22, Mark Haney via FreeIPA-users wrote:
>
> On 11/06/2017 10:58 AM, Sigbjorn Lie via FreeIPA-users wrote:
>> Hi list,
>>
>> RHEL/CentOS 5.11 clients do not seem to work with IPA 4.5 unless I go from sssd-ipa to sssd-ldap. I would prefer to continue to use sssd-ipa to allow the existing HBAC rules to function.
>>
>> Is there a known workaround to get EL 5.11 clients to work with IPA 4.5 using sssd-ipa?
>>
>> Thanks.
>>
>> Regards,
>> Siggi
>>
> Not really an answer, but we have 5 CentOS 5 boxes and not one of them did I migrate to IPA, it's just not worth the hassle.
>
> --
> Mark Haney
> Network Engineer at NeoNova
> 919-460-3330 option 1
> mark.ha...@neonova.net
> www.neonova.net