[Freeipa-users] Re: Error on updating FreeIPA (custodia No such file or directory: '/var/lib/ipa/ra-agent.key')

2023-02-07 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, the issue really looks similar to - 1998016 RA key import failing during pki instance creation on RHEL9.0 replica from RHEL8.4 server - 2032806 - Error replacing a replica with CentOS

[Freeipa-users] Re: password-expiration

2023-02-07 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Feb 7, 2023 at 5:23 PM wrote: > Hi Florence, > alas, same issue > > ipa: error: no such option: --password-expiration > > > Ok, the functionality was added in 4.6.0 (see Release notes) so you need to use ipa user-mod LOGIN directly

[Freeipa-users] Re: How to lock a user after password expired for some period

2023-02-07 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, Feb 8, 2023 at 2:04 AM Sarawut Lee via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi, > > I'm using FreeIPA 4.9.8 on CentOS Stream 8. One feature I'm going to > consider is to lock a user once the password expires (except for some groups). > Why I need it, because some

[Freeipa-users] Re: Removal & clean up certificates from o=ipaca

2023-02-07 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Feb 7, 2023 at 1:28 AM Jernej Jakob via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi David. I had the same issue here and found your writeup to be very > helpful. > > I used more or less the same ldap actions to delete the certificates > and requests (~3.6k) from

[Freeipa-users] Re: Help-Installing Third-Party Certificates for HTTP or LDAP

2023-07-06 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Fri, Jul 7, 2023 at 7:00 AM Polavarapu Manideep Sai via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi Rob, > > As mentioned in my previous response, here is the error upon executing > ipa-cacert-manage install > Please let me know if any other details required on this

[Freeipa-users] Re: pki-tomcatd service stopped

2023-07-07 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, we need more details in order to help you. Do you have a single IPA server or multiple servers? Which one is the CA renewal master? flo On Fri, Jul 7, 2023 at 10:02 AM Polavarapu Manideep Sai via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi Team, > > > > As we checked

[Freeipa-users] Re: bad list of CAs on FreeIPA client?

2023-07-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Jul 18, 2023 at 7:33 AM Harald Dunkel via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi folks, > > getcert list-cas returns on some FreeIPA clients > > root@nasl006a:~# getcert list-cas > CA 'SelfSign': > is-default: no >

[Freeipa-users] Re: PKINIT questions

2023-07-06 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Sat, Jul 1, 2023 at 3:48 AM alexey safonov wrote: > Got it. Thanks. Would it be possible to use a self-signed > certificate for the KDC, while using a normal certificate signed by a public > CA for dirsrv/http? > > It is possible to have different certificates for dirsrv/httpd/kdc, and even different

[Freeipa-users] Re: migrating CA renewal server to RHEL 8 (using an external root CA)

2023-07-06 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Jul 6, 2023 at 9:55 AM Harald Dunkel via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi folks, > > >

[Freeipa-users] Re: Can't add CA to replica - invalid 'cn': must be

2023-05-26 Thread Florence Blanc-Renaud via FreeIPA-users
name='cn', error=_("must be \"%s\"") % api.env.host) > > and we can see that in fact ipa008.ad.companyx.fm != ipa011.ad.companyx.fm > > So, that's about as far as i have gotten so far. > > Do we think the keys swapped around for some rea

[Freeipa-users] Re: repl conflict which is not there - ?

2023-05-30 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Fri, May 26, 2023 at 10:26 PM lejeczek via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi guys. > > for what 'ipa-healthcheck' complains of: > > { > "source": "ipahealthcheck.ds.replication", > "check": "ReplicationCheck", > "result": "WARNING", >

[Freeipa-users] Re: Can't add CA to replica - invalid 'cn': must be

2023-05-25 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, May 24, 2023 at 3:29 PM Nicholas Cross wrote: > Hi Flo (and other helpful people on this list), > > After fixing the SID/PAC issue, I am back to looking as to why the > ipa-replica-conncheck fails when installing the CA to a (working) replica. > > I ran your suggested commands and

[Freeipa-users] Re: Problem with replica installation 4.10.1

2023-05-25 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, replica installation failures are often related to either a wrong DNS configuration or a firewall preventing the communication. Did you run ipa-replica-install with or without the option --skip-conncheck? Without the option you may have some hints if the issue is related to the firewall.

[Freeipa-users] Re: ACME service is disabled

2023-05-23 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, May 23, 2023 at 1:40 PM Georgy Safronov via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello! On one of our ipa masters (alma9.2, ipa 4.10.1, CA renewal master) > we have some problems with pki-tomcat, on neighbour master (alma9.2, ipa > 4.10.1, ca role) there

[Freeipa-users] Re: Can't add CA to replica - invalid 'cn': must be

2023-05-23 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, the replica-conncheck error means that a call to server_conncheck reached the wrong server. ipa-replica-conncheck performs multiple checks: - first from the replica to the existing master (here we seem to be good) - then from the existing master to the replica, by doing a call to the XMLRPC

[Freeipa-users] Re: Rocky 8: how to set security-policy to FUTURE without losing FreeIPA?

2023-08-01 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Aug 1, 2023 at 7:50 AM Harald Dunkel via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi folks, > > our security scanner complains about weak ciphers in Rocky 8 > (httpd and ssh). security policy is set to "DEFAULT". If I set > it to "FUTURE", then httpd is not

[Freeipa-users] Re: Exporting certificates with keys associated in FreeIPA

2023-07-26 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, if you used the WebUI to generate a cert, you had to type a few commands in a terminal, like: certutil -N -d certutil -R -d -a -g -s 'CN=employee,O= DEMO1.FREEIPA.ORG' This means that you generated a key in the NSS database. When you used the WebUI to issue the cert, the new cert was

[Freeipa-users] Re: Replace external CA and certificates to self-signed ones.

2023-08-07 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, Aug 7, 2023 at 4:17 AM luckydog xf via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > I installed a new IPA with self-signed CA and certificates. I didn't find > anything related to NSSDB under /etc/http/alias > > FreeIPA uses NSS for httpd up to version 4.6 (the server

[Freeipa-users] Re: how to set the RIDs during migration to Rocky 8?

2023-06-23 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Fri, Jun 23, 2023 at 2:12 PM Harald Dunkel via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi folks, > > I am trying to migrate FreeIPA from CentOS7 to Rocky 8. No AD trust > relationship involved by now. Problem: ipa-replica-install on the > first Rocky 8 host to join

[Freeipa-users] Re: Removing dead servers with tombstone entries

2023-06-23 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Jun 22, 2023 at 3:18 PM Joe Rhodes via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > > On Jun 21, 2023, at 18:07, Rob Crittenden wrote: > > Joe Rhodes via FreeIPA-users wrote: > > Hello all! > > I have a CentOS 7 based FreeIPA system that I’m migrating to Rocky 9.

[Freeipa-users] Re: certmonger certificate renewal stuck in SUBMITTING loop

2023-06-29 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, Jun 28, 2023 at 4:45 PM Rob Crittenden via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Jernej Jakob via FreeIPA-users wrote: > > I've been trying to debug this for the last couple of days. I can't > > find what's wrong. I found that another client whose cert also

[Freeipa-users] Re: PKINIT questions

2023-06-19 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Sun, Jun 18, 2023 at 3:47 AM alexey safonov via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > I'm just surprised then, how do other replicas have PKINIT? > In your first email you mentioned that the topology used to have a CA. If a replica was installed at that time then

[Freeipa-users] Re: pki-tomcat fails to start after upgrade

2023-06-27 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, Jun 26, 2023 at 4:36 PM Tania Hagan via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi FreeIPA, > > I am currently using FreeIPA version 4.9.10 with 6 ipa replicas. I went > to upgrade the server to 4.9.11 but the ipa-server-upgrade failed where it > attempted to

[Freeipa-users] Re: 'ipa-ca-install' conncheck failure on freeIPA

2023-06-27 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, another user recently had the same issue, see https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/VCARE7OOXWBEB5UXF75AQVFQXNOA43XM/#VFPHENT3PPWTY6W5L42FKQJFQ5GBWKOR We are not sure how the situation got solved, but he cleaned the security domain from

[Freeipa-users] Re: ipa-pkinit-manage failure

2023-06-27 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Jun 22, 2023 at 5:27 PM Алексей Иванов via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Greetings, > > I'm trying to configure my replica IPA servers to support PKINIT. > > [root@office-ipa-1 ~]# ipa-pkinit-manage enable > Configuring Kerberos KDC (krb5kdc) >

[Freeipa-users] Re: FreeIPA PKI Certs wont renew "Adjustment limit exceeded"

2023-06-20 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, can you provide more information on your deployment? Do you have a single IPA server that is providing the CA service or many servers? In the latter case, which one is the CA renewal master? Are there other expired certificates? # kinit admin # ipa config-show # getcert list flo On Mon,

[Freeipa-users] Re: Free-IPA to RHEL IPA: ipa-crlgen-manage not present, manual options

2023-05-10 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, May 10, 2023 at 12:03 AM John Burns via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Greetings! > > Can the actions within the two commands below be done manually > (outside the RPM)? > > ipa-crlgen-manage status > ipa-crlgen-manage disable > You can refer to

[Freeipa-users] Re: Yum-based upgrade causes group lookup failures.

2023-05-10 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, thanks for confirming, and glad you got it working! flo On Wed, May 10, 2023 at 4:46 PM Jeff Goddard wrote: > Flo, > > I must have made multiple edits before posting last about still > seeing issues. Having parsed the rundeck config file again, and setting the > appropriate values as

[Freeipa-users] Re: IPA filters not working

2023-05-15 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, May 10, 2023 at 1:37 PM Omar Pagan via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello, > I have set up a bastion host with an IPA client in order to control access > to the bastion host by groups. I have users in different groups, but I > just got word that

[Freeipa-users] Re: ipa migrate-ds - From EL7 to EL8/9

2023-05-15 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, May 10, 2023 at 1:43 PM Finn Fysj via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Hi, > > > > if you want to install a RHEL8 or RHEL9 server with the same domain name, > > the recommended procedure would be to install a RHEL8 replica from your > > RHEL7 server,

[Freeipa-users] Re: IDView problem

2023-05-15 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Fri, May 12, 2023 at 5:47 PM Ronald Wimmer wrote: > On 12.05.23 11:35, Florence Blanc-Renaud via FreeIPA-users wrote: > > Hi, > > > > can you provide more details? Did you use the "Default Trust View" > > idview or did you create another o

[Freeipa-users] Re: IPA filters not working

2023-05-16 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, May 15, 2023 at 10:34 PM Omar Pagan via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > [root @ ldap01] ~ > $ ipa hbactest --user gr031529 --host deepcore-bastion.uaap.maxar.com > --service ssh > The issue looks like a simple typo. Here the test is using *ssh*

[Freeipa-users] Re: IDView problem

2023-05-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, can you provide more details? Did you use the "Default Trust View" idview or did you create another one? Which attributes did you override for your AD user? flo On Thu, May 11, 2023 at 11:02 AM Ronald Wimmer via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > I tried to

[Freeipa-users] Re: SSL errors ... again

2023-05-09 Thread Florence Blanc-Renaud via FreeIPA-users
Hi Justin, The ra-agent.pem is the same certificate on all servers/replicas. When everything works properly, it gets renewed on the renewal master, then it is uploaded in LDAP and the other replicas can download it from LDAP. Do you have multiple servers? If yes and if the ra-agent.pem has been

[Freeipa-users] Re: Yum-based upgrade causes group lookup failures.

2023-05-09 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, if you are comfortable with 389-ds access log, you can check which search rundeck is performing and try to reproduce manually. I would start with the working one: in /var/log/dirsrv/slapd-MY-DOMAIN-DOM/access, look for a line showing the operations done with the working user

[Freeipa-users] Re: SSL errors ... again

2023-05-09 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, May 9, 2023 at 1:24 PM Justin Sanderson via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Hey Flo - thanks so much for your willingness to help. > > > My setup is just a single VM server. I will give it a try tonight once > everyone has gone home for the day. > >

[Freeipa-users] Re: ipa migrate-ds - From EL7 to EL8/9

2023-05-09 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, if you want to install a RHEL8 or RHEL9 server with the same domain name, the recommended procedure would be to install a RHEL8 replica from your RHEL7 server, then a RHEL9 replica from your RHEL8 server. You can check this documentation: - Migrating your IdM environment from RHEL 7

[Freeipa-users] Re: ipa-replica-install fails during initial replication

2024-02-15 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Feb 15, 2024 at 3:50 PM Markus Rexhepi-Lindberg via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > The replication step fails while installing a new ipa replica server. > > Some facts: > > * Both servers running version 4.9.12. > * Both servers running RHEL 8.9 > *

[Freeipa-users] Re: Error during enrolling

2024-02-20 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, The logs show you're using a non-admin user for enrollment and you are probably hitting issue https://pagure.io/freeipa/issue/9496 It was fixed on multiple branches but not shipped in any official release yet. The pagure ticket provides a workaround, or you can enroll using the admin user.

[Freeipa-users] Re: Error during enrolling

2024-02-21 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, what is the version of your server? I am asking because of the log: 2024-02-20T09:59:52Z DEBUG args=['/usr/sbin/ipa-join', '-s', 'ipa.dom.loc', '-b', 'dc=dom,dc=loc', '-h', 'centos9.dom.loc', '-k', '/etc/krb5.keytab'] 2024-02-20T09:59:53Z DEBUG Process finished, return code=0

[Freeipa-users] Re: Certificate Revoking error in FreeIPA domain

2023-12-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Dec 12, 2023 at 12:21 PM Albert Stoune via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello Florence! > > Thanks for the answer > > Yes, I have checked all the steps to reproduce the problem with > ipa-server-4.11.0-3.el9.x86_64. Everything is working well,

[Freeipa-users] Re: Certificate Revoking error in FreeIPA domain

2023-12-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, ipa-server-4.11.0-1.el9.x86_64 is not the latest version, and has a known issue with cert revocation: RHEL-14842 / https://pagure.io/freeipa/issue/9345 The fix is available in ipa-server-4.11.0-2.el9.x86_64. flo On Mon, Dec 11, 2023 at 2:43 PM

[Freeipa-users] Re: FreeIPA web session timeout

2024-01-10 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, if you use the format without a space, kinit_lifetime = 5minutes, then it should work. Probably there was some change in one of the libraries parsing the duration string and it no longer accepts the space between the value and the unit. flo On Wed, Jan 10, 2024 at 3:18 AM Ales Rozmarin

[Freeipa-users] Re: SSSD LDAP provider fails to fetch nested groups (groups member of groups)

2024-01-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Jan 18, 2024 at 12:03 PM Finn Fysj via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > I'm experiencing problems on my RHEL 9 instance when looking up members of a > group using getent group . I can only get users which have > direct access to a group, and not the "user

[Freeipa-users] Re: Implementation with AD trust/ssh key - questions

2023-12-01 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Fri, Dec 1, 2023 at 4:22 PM slek kus via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi, I have some questions regarding implementing FreeIPA. To start, I am new > to FreeIPA, read up on its features > and started using it in a test setup. The goal is to have sshkey >

[Freeipa-users] Re: Trust with POSIX-enabled AD

2023-12-07 Thread Florence Blanc-Renaud via FreeIPA-users
Hi Stefan, On Thu, Dec 7, 2023 at 8:00 AM Stefan Palm via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello everyone. > > It looks like I have a problem understanding the way AD trusts work. > Maybe someone here can enlighten me. > > In our AD we have "normal" users and groups

[Freeipa-users] Re: idrange problem

2024-02-01 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Feb 1, 2024 at 12:51 PM Steve Berg via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Still not working. I do not have any trust set up with any active > directory currently, we have an AD running on the network but that and my > ipa domain don't trust each other in

[Freeipa-users] Re: Upgrade to FreeIPA 4.9.12 on RHEL 8.9 caused web UI login and ipa command to stop working

2024-01-22 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Jan 23, 2024 at 1:05 AM Dungan, Scott A. via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Thanks to Paul for all the leg work on this issue. Based on that, I can > confirm that we have the same problem after updating to 4.9.12-11 from > 4.9.11-7. Running the oddjob

[Freeipa-users] Re: ipa-replica-install fails during initial replication

2024-02-22 Thread Florence Blanc-Renaud via FreeIPA-users
Hi Markus, On Mon, Feb 19, 2024 at 9:07 AM Markus Rexhepi-Lindberg via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi Florence, > > Thanks for looking into this I appreciate it very much! > > > ``` > master# ldapsearch -xLLL -o ldif-wrap=no -D "cn=directory manager" -W -s >

[Freeipa-users] Re: Error during enrolling

2024-02-22 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Feb 22, 2024 at 10:42 AM Dmitry Krasov via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > probably it's because of the higher encryption level in CentOS. How do I make it > lower? > Can you try with (on the client): update-crypto-policies --set DEFAULT:AD-SUPPORT-LEGACY reboot

[Freeipa-users] Re: ipa-replica-install fails during initial replication

2024-02-28 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Fri, Feb 23, 2024 at 2:49 PM Markus Rexhepi-Lindberg via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi, > > You are right, sorry for the confusion. I have performed a new > `ipa-replica-install` and you can find the logs for the master and replica > in these links: > >

[Freeipa-users] Re: FreeIPA - access restriction

2024-02-27 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, Feb 26, 2024 at 5:03 PM Zdravko Nikolaev via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello everyone, > > I've looked up old threads and tried to find some applicable solution but > I'm kind of stuck so any advice would be appreciated. > > I'm trying to deploy a

[Freeipa-users] Re: ipa-replica-install fails during initial replication

2024-02-23 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Fri, Feb 23, 2024 at 12:38 PM Markus Rexhepi-Lindberg via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi Florence, > > From what I can see it is set up correctly on both the master(s) and > replica. > I now understand the confusion: the logs provided in master ds389

[Freeipa-users] Re: pki-tomcatd not starting

2024-03-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, in your first email you pasted the output of getcert list, and it's reporting only 7 certificates. It's likely that your server is using certmonger for the pkinit cert, the 5 certs for PKI and the RA cert, meaning that the HTTP and LDAP server certificates are externally signed and not

[Freeipa-users] Re: Using ipa-ca-install on a replica

2024-03-19 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, Mar 18, 2024 at 3:38 PM Ian Kumlien wrote: > On Thu, Mar 14, 2024 at 7:36 PM Florence Blanc-Renaud > wrote: > > > > Hi, > > > > On Thu, Mar 14, 2024 at 8:55 AM Ian Kumlien > wrote: > >> > >> On Wed, Mar 13, 2024 at 1:58 PM Ian Kumlien > wrote: > > [--8<--] > > >> As a side note,

[Freeipa-users] Re: Using ipa-ca-install on a replica

2024-03-13 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, Mar 13, 2024 at 10:06 AM Ian Kumlien wrote: > On Tue, Mar 12, 2024 at 10:36 PM Florence Blanc-Renaud > wrote: > > > > Hi, > > > > On Tue, Mar 12, 2024 at 12:54 PM Ian Kumlien via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > >> > >> Hi, > >> > >> So I have spent

[Freeipa-users] Re: Using ipa-ca-install on a replica

2024-03-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Mar 12, 2024 at 12:54 PM Ian Kumlien via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi, > > So I have spent quite some time trying to get out of the swamp that is > centos stream 8 and back to something with an actual upgrade path, > fedora =) > > Everything works

[Freeipa-users] Re: ipa-setup-ca

2024-03-14 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Mar 14, 2024 at 1:43 AM Omar Pagan via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hey guys, > I finished installing two replicas of my master. Both installations of > the replicas completed successfully, but when I try to run the ipa-setup-ca > it is having some

[Freeipa-users] Re: ipa-setup-ca

2024-03-14 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Mar 14, 2024 at 1:10 PM Omar Pagan via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Found this in the logs: > > INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar > Technologies Inc,L=Herndon,ST=Virginia,C=US > WARNING: UNTRUSTED ISSUER encountered

[Freeipa-users] Re: Using ipa-ca-install on a replica

2024-03-14 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Mar 14, 2024 at 8:55 AM Ian Kumlien wrote: > On Wed, Mar 13, 2024 at 1:58 PM Ian Kumlien wrote: > > > > On Wed, Mar 13, 2024 at 11:39 AM Florence Blanc-Renaud > wrote: > > > > > > Hi, > > > > > > On Wed, Mar 13, 2024 at 10:06 AM Ian Kumlien > wrote: > > >> > > >> On Tue, Mar 12,

[Freeipa-users] Re: ipa-setup-ca

2024-03-22 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, you can download freeipa-healthcheck and run ipa-healthcheck command on the master/replica, it would help you identify any inconsistency in the configuration. Otherwise, we need more info to help you. It looks like the LDAP server certificate on the master *ldap01*.app.uaap.maxar.com has

[Freeipa-users] Re: Failed FreeIPA replica installation

2024-03-15 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Mar 14, 2024 at 9:50 PM D S via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > I added more log info below and also applied this solution to generate > SIDs https://access.redhat.com/solutions/7052703 > Still unable to login via web UI and every ipa command fails. >

[Freeipa-users] Re: pki-tomcatd not starting

2024-03-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Mar 12, 2024 at 1:49 PM Omar Pagan via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > [root @ ldap01] > $ openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt | grep Not > Not Before: Jan 12 15:30:18 2024 GMT > Not After : Jan 11 15:30:18

[Freeipa-users] Re: CA Subsystem certificate

2024-04-03 Thread Florence Blanc-Renaud via FreeIPA-users
On Wed, Apr 3, 2024 at 5:24 AM Travis West via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Hi, > > > > On Tue, Apr 2, 2024 at 8:50 PM Travis West via FreeIPA-users < > > freeipa-users(a)lists.fedorahosted.org wrote: > > > > As Rob wrote, it's not a problem that getcert list,

[Freeipa-users] Re: CA Subsystem certificate

2024-04-02 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Apr 2, 2024 at 8:50 PM Travis West via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Okay, I've generated new certs that don't have the extra space. Once > those were imported to the NSS DB I also updated the CS.cfg with the new > cert and certreq values for OCSP,

[Freeipa-users] Re: Cannot retrieve CRL from new EL9 IPA replica

2024-04-11 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Apr 11, 2024 at 12:34 AM Orion Poplawski via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > I've just added an EL9 IPA replica into our domain. It seems to generally > be > working fine, but trying to download the MasterCRL.bin fails: > > ==> /var/log/httpd/access_log

[Freeipa-users] Re: Cannot retrieve CRL from new EL9 IPA replica

2024-04-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Apr 11, 2024 at 6:02 PM Orion Poplawski wrote: > On 4/11/24 09:03, Florence Blanc-Renaud wrote: > > Hi, > > > > On Thu, Apr 11, 2024 at 12:34 AM Orion Poplawski via FreeIPA-users > > > > wrote: > > > > I've just added an EL9 IPA

[Freeipa-users] Re: IPA Replica can't authenticate users

2024-04-19 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, Apr 15, 2024 at 10:10 AM John Doe wrote: > > > Den mån 15 apr. 2024 kl 09:35 skrev Florence Blanc-Renaud >: > >> Hi, >> >> On Mon, Apr 15, 2024 at 9:03 AM John Doe via FreeIPA-users < >> freeipa-users@lists.fedorahosted.org> wrote: >> >>> I'm playing around with IPA trying to

[Freeipa-users] Re: pki-tomcat won't start + expired certificates

2024-04-19 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, Apr 15, 2024 at 6:22 PM Basile Pinsard via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Bonjour Florence, > Thanks for your help. > > I am using the docker image `freeipa/freeipa-server:fedora-34-4.9.6`, I > guess the dependencies are correct as this is all bundled

[Freeipa-users] Re: pki-tomcat won't start + expired certificates

2024-04-23 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Fri, Apr 19, 2024 at 6:20 PM Basile Pinsard via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi! > > Here is the output of ipa-cert-fix on the original instance: > > ``` > > The following certificates will be renewed: > > Dogtag sslserver certificate: > Subject:

[Freeipa-users] Re: LDAP conflicts after yum update on Almalinux 8.9

2024-04-24 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, in your first message, the output of $ dsconf -D "cn=Directory Manager" ldap://$(hostname) repl-conflict list-glue "dc=noc,dc=net" mentions: dn: cn=sg1-replica.noc.net,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net *nsds5replconflict: deletedEntryHasChildren* It means that the replication tried to

[Freeipa-users] Re: IPA Replica can't authenticate users

2024-04-15 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, Apr 15, 2024 at 9:03 AM John Doe via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > I'm playing around with IPA trying to figure out how to set it up to be > redundant. The problem is that the IPA Replica isn't able to authenticate > AD users if IPA Master is down. >

[Freeipa-users] Re: pki-tomcat won't start + expired certificates

2024-04-15 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Fri, Apr 12, 2024 at 10:52 PM Basile Pinsard via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi freeipa experts. > > I have been using freeipa for the past 5 years running in a docker > container, no replicas. > currently on VERSION: 4.9.6, API_VERSION: 2.245 > > I

[Freeipa-users] Re: Not possible to delete ID views from Default Trust View if user is no longer present in AD

2024-04-23 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, Apr 22, 2024 at 12:58 PM LHEUREUX Bernard via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello, > > > > I’m trying to delete some anchors on Default Trust View on a FreeIPA with > trust to an AD and, I always get the message “…@... user not found” > > Effectively

[Freeipa-users] Re: LDAP conflicts after yum update on Almalinux 8.9

2024-04-23 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Apr 23, 2024 at 9:53 AM Lee Csk via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > After performing the usual Yum updates on multiple IPA servers (not at the > same time, one server reportedly started hanging), we started observing > "LDAP Conflicts" in multiple IPA
