Hi Striker,
the output of error_log when trying to login is:
[Wed May 22 22:43:50.791861 2019] [wsgi:error] [pid 21731:tid 2937889584] [remote 192.168.1.22:43548] ipa: DEBUG: Starting new HTTP connection (1): ipa3.roth.net:80
[Wed May 22 22:43:50.807169 2019] [wsgi:error] [pid 21731:tid 2937889584]
Well, in that scenario site-to-site VPNs should not be too terrible (AWS
provides one, for instance).
I think that certainly having a default install which is "safe" to
expose to the Internet would be a very nice feature. However, I realize
that has its cost and maybe its drawbacks, so of
Hi,
Create the file /etc/ipa/server.conf if it is not made:
# touch /etc/ipa/server.conf
Then, edit it so that it has debugging:
[global]
debug=True
Then, restart Apache:
# systemctl restart httpd
After, reproduce the login failure. Once that is done, check the output
of
Hello all, I installed a freeipa server (ipa1) and two replicas (ipa2, ipa3). When I login at the Web-UI on ipa3 I get the message "Your session has expired. Please log in again." I checked the time on ipa3 and the client. It is the same time. Login on the other ipa servers is possible. Has anybody
On 5/22/19 11:44 AM, Ian Pilcher wrote:
I am trying to create a certificate for an older network printer.
Unfortunately, I cannot just load a certificate and private key of my
own creation. The printer only supports certificates created from a
CSR of its own creation, which does not include
I am trying to create a certificate for an older network printer.
Unfortunately, I cannot just load a certificate and private key of my
own creation. The printer only supports certificates created from a
CSR of its own creation, which does not include the SAN.
Is it possible to make IPA copy
See this image to have basic understanding of our infrastructure -
https://imgur.com/a/R5c8BWW
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code
This complicates the infrastructure even more and makes IPA clients depend on VPN.
P.S. Wireguard is not prod ready) See here
https://www.wireguard.com/#work-in-progress
I’d think that if you can remote-enrol hosts as IPA clients, it would be real
easy to also enrol them as VPN clients first. Heck, even Wireguard would be
good enough, even without a full audit.
You’d just add a single route to the route table for that VPN to the IPA server
and you’re good to
But Directory Server is just plain LDAP, without policies (hbac, sudo), isn't
it?
Policies are the reason why we moved from OpenLDAP.
On 5/22/19 3:55 PM, Kristian Petersen via FreeIPA-users wrote:
When I say it won't resolve, I am getting NXDOMAIN as the result of the
query like this:
[root@ipa3 /]# nslookup ipa1 ipa3
Server: ipa3
Address: xxx.xxx.xxx.xxx#53
** server can't find ipa1: NXDOMAIN
Running
I talked to Dmitri Pal at Red Hat Summit and he says they have it on the
road map but have IdM act as the primary data store for credentials, but
they need people (manpower) who can help them develop it.
On Tue, May 21, 2019 at 4:14 AM Dirk Streubel via FreeIPA-users <
Dmitri Pal, the director at Red Hat who manages Red Hat IdM, says that IdM
is great for internal stuff but you should use Directory Server for outside
stuff or if you need a customized schema. Both can be integrated with Red
Hat SSO.
On Tue, May 21, 2019 at 1:19 PM Charles Hedrick via
When I say it won't resolve, I am getting NXDOMAIN as the result of the
query like this:
[root@ipa3 /]# nslookup ipa1 ipa3
Server: ipa3
Address:xxx.xxx.xxx.xxx#53
** server can't find ipa1: NXDOMAIN
Running journalctl -u named-pkcs11 shows a ton of lines like the following:
May
Hi,
My IPA shows every user as "disabled" when in UI I go to the user's page.
Also the password policy fields are empty and if I am filling in something
new like phone number it's not showing up in the UI after I save it. But in
cli everything is correct and shown. Users list also shows everyone