Hi Rob,
Turns out this was a DNS issue, thank you for responding.
We had our /etc/resolv.conf pointing to local host and adding another ipa
server as the top nameserver solved the issue. This begs the question by
default installing with the ansible playbook it adds the localhost as the
Further troubleshooting.
If I run:
kinit -k -t /etc/dirsrv/ds.keytab ldap/ipa-unhealthly.ipa.server before the
re-initialise it completes successfully and a klist shows Default principal:
ldap/unhealthly.ipa.server
After the LDAP error shows and the re-initialise is cancelled I see kinit:
Hi Freeipa users,
I have a replica that has been failing replication for a while, so I have tried
the following command to re-initialize (a back up of the server did not work):
ipa-replica-manage -vd re-initialize --from healthly.ipa.server
On the replica that I run this command I just see
Hi FreeIPA Users,
Does anyone know if it's possible to include inline images in the email template
for Expiring Password Notification? I've experimented with including base64
encoding but the message just shows a white box with a black outline. I think
this is a limitation of our email client,
Hi Rob,
Cheers, I looked in those logs as well, but nothing in particular is standing
out as an error.
After a week trying to find a solution, I think we'll build new servers and
migrate the data from working servers as a way to move forward. It seems a
safer option upgrading from el9 to
Hi,
I tried looking at the pki debug log again and the main warning that stood out
was that /var/lib/ipa/pki-ca/publish did not exist. I recreated the folder with
chown root:pkiuser, chmod 775, and restarted the service, and the error
disappeared in the log, but the service still does not start.
Hi Freeipa Users,
I have upgraded one of my ipa replicas from 4.9.11 to 4.10.2 however I am
struggling to get pki-tomcatd@pki-tomcat to start both via ipactl start and
systemctl start pki-tomcatd.
My java/tomcat versions are
Java:
Idm-pki-java 11.4.2-1.el9
Java-11-openjdk-headless
Hi Freeipa-users,
We are currently running Freeipa version 4.9.11 on Rocky 8.8.
We have noticed over the last few months that external name resolution e.g.
google.com fails to resolve on multiple Freeipa replicas even though the
service named-pkcs11 remains up and running and journalctl or
Hi Rob,
As a company we turn off anonymous bind for security reasons, but have a number
of sysaccounts that are used in scripts to bind as that bind user and complete
an ldapsearch (e.g. get list of users, get monitoring metrics). We also have
systems such as phabricator that require a
Hi Freeipa-users,
Is it possible to create a binddn account in cn=sysaccounts and attach certs to
the account so it can be used in scripts to bind using external bind with
certs?
I know how to create my sysaccount and I found
https://www.freeipa.org/page/V4/User_Certificates which provides
Hi flo,
Many thanks, that resolved my issue, I can safely upgrade my servers now.
Tania
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of
Hi FreeIPA,
I am currently using FreeIPA version 4.9.10 with 6 ipa replicas. I went to
upgrade the server to 4.9.11 but the ipa-server-upgrade failed where it
attempted to start pki-tomcat. In the /var/log/pki/pki-tomcat/ca/debug.log I
see:
Unable to connect to LDAP server: Unable to
Hi,
Many thanks for the response, I have set up the ipa-healthcheck but it didn't
have the LDAP query check (the reason being we noticed a few months ago that
ldap query failed whilst the services appeared to stay up, so keen to monitor
so we can notice these problems before our users do)
I
Hi FreeIPA-Users,
I have a prometheus server and I am trying to set up an alert to test if an ldap
search succeeds. Searching, there seem to be a few exporters (389ds exporter,
openldap exporter) but all rather old and I'm struggling to get any useful
metrics out of them.
Could anyone
I managed this by overriding systemd:
/etc/systemd/system/ipa-healthcheck.service
[Unit]
Description=Execute IPA Healthcheck
[Service]
Type=simple
ExecStart=/usr/bin/ipa-healthcheck --output-file /var/log/ipa-healthcheck.log
[Install]
WantedBy=multi-user.target
Hi,
Using the ipa-healthcheck it will export logs to
/var/log/ipa/healthcheck/healthcheck.log
However I'm trying to use the ipahealthcheck_exporter using a created user and
group (ipahealthcheck_exporter) which requires permission to read the file
/var/log/healthcheck/healthcheck.log.
Hi,
Sorry for the delay in getting back to you, I tried ipactl restart and that
resolved the issue.
Many thanks for helping me solve this issue.
Tania
Hi,
I've tried increasing the limit:
ldapsearch -H ldaps:// -b ou=people,o=ipaca uid=pkidbuser -x -D
"cn=Directory Manager" nssizelimit -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: uid=pkidbuser
# requesting: nssizelimit
#
# pkidbuser, people,
Many thanks, I have raised https://pagure.io/freeipa/issue/9039 with the extra
lines from the debug log.
Hi FreeIPA-users,
I am running the following:
os: CentOS Linux 8.4.2105
ipa version: 4.9.2
pki-server: 10.10.5-3.module_el8.4.0+816+beb6e9a3
When searching for certificates in the command line (ipa cert-find) I see:
ipa ERROR: Certificate operation cannot be completed: Unable to communicate
Hi,
Is there a way to get the date and time a user was deleted and preserved (ipa
user-del --preserve) and if possible by who?
Many Thanks,
Tania
Hello,
I have recently removed and added a new freeipa replica server and have noticed
that the chrony.conf still has the old server listed and the new ones are not
listed. How do I ensure that the freeipa-client/chrony is pointing to the
correct time servers. e.g. server iburst. I have