I'm going to piggy back on this thread, because it is very relevant to a question I have.
What's the difference between the two options (ipa-ad-trust vs. ipa-ad-trust-posix), other than the uid & gid mapping?
Why would I choose 1 over the other?
I have always scratched my head a little bit why my
>I assume /usr/local/lib/python3.x isn't in your PYTHONPATH. This is a
> dead-end though as many of the checks aren't applicable to 4.6.x.
Ah, that makes sense.
> I did a backport a few releases ago and built it against EPEL but it's still
> rough.
>
Are any of you aware of any way to get these health checks working on a RHEL 7
system?
https://github.com/freeipa/freeipa-healthcheck
IIRC, these checks weren't really introduced until a newer version of FreeIPA,
so they are only included on RHEL 8 and above, but I'm wondering if there's a
way
this email thread over to our (new) technical account manager, and
we'll continue to work together towards a resolution.
On 8/4/20, 10:42 AM, "Alexander Bokovoy" wrote:
On Tue, 04 Aug 2020, White, David via FreeIPA-users wrote:
>We have an IPA environment that has an e
We have an IPA environment that has an existing trust with Active Directory.
I'm trying to troubleshoot some things, and am trying to run a `ldapsearch`
against our IPA environment.
It keeps asking for an LDAP Bind password.
1. I know the Directory Admin password
2. I know the local 'admin'
not. Felt like the longest 3 weeks of
my life, with requirements changing on me every other day. LOL.
Thank you!
On 6/24/20, 8:13 AM, "Alexander Bokovoy" wrote:
On Wed, 24 Jun 2020, White, David via FreeIPA-users wrote:
>We have IdM / FreeIPA running on RHEL 7 boxes.
We have IdM / FreeIPA running on RHEL 7 boxes.
This is a 6-node cluster that has an existing 1-way trust back to Active
Directory.
IdM is still acting as the CA for its own clients, and when we set up the trust,
we used the following command:
ipa trust-add --type=ad example.com --admin
Is it possible to allow hosts in specific subnets to connect to a
FreeIPA-connected server over NFS anonymously?
e.g. I'm wondering if I could set up an HBAC rule by doing something like the
following:
ipa hbacsvc-add nfs-mount
ipa hbacrule-add allow_nfs_mount
Then attach that to the NFS server
hen takes 15-20+ seconds to prompt for the
password.
Then it takes a few more seconds before logging me in.
From: "White, David via FreeIPA-users"
Reply-To: FreeIPA users list
Date: Tuesday, March 24, 2020 at 11:09 AM
To: "freeipa-users@lists.fedorahosted.org"
Cc: "W
We have a large AD environment, which our IdM / FreeIPA servers authenticate
users out of.
The issue I'm trying to address is that it takes a very long time (upwards of
15-20+ seconds) to get a shell on any IdM client server.
Our IdM servers are RHEL 7 boxes, using RHEL repositories:
Installed
for Active Directory
users
White, David via FreeIPA-users wrote:
> We have a FreeIPA / IdM environment that talks to Active Directory, where the
> user accounts live.
>
> In the IdM GUI, I have navigated to: IPA Server -> Configuration
> And I confi
We have a FreeIPA / IdM environment that talks to Active Directory, where the
user accounts live.
In the IdM GUI, I have navigated to: IPA Server -> Configuration
And I configured the "Default Shell" to: /bin/bash
However, whenever new users SSH to a server using their AD credentials, they
are
ut I'm also still troubleshooting, and
not giving up.
As I continue to troubleshoot, I wanted to respond to this and make sure I'm
clear on what you're suggesting.
Thanks again,
David
From: Sumit Bose via FreeIPA-users
Reply-To: FreeIPA users list
Date: Monday, January 6, 2020 at 12:10 PM
To: "
Is there a way to proxy client LDAP requests to the upstream Active Directory
that FreeIPA is configured to trust?
I have AD, where users live.
I have FreeIPA / RedHat IdM.
And I have servers that are registered to FreeIPA.
But I also have applications (such as Mediawiki, or Red Hat Satellite
: FreeIPA users list
Cc: "White, David"
Subject: Re: [Freeipa-users] Re: Setup AD Trust without DNS resolution from AD
On Thu, 19 Dec 2019, White, David via FreeIPA-users wrote:
>> Are AD DCs using that DNS server to look up IPA zone records already?
>> Again, t
the AD
environment and did the following:
P:\>nslookup idm.example.com
Server: ad.example.com
Address: 10.1.1.2
*** ad.example.com can't find idm.example.com: Non-existent domain
On 12/19/19, 10:31 AM, "Alexander Bokovoy" wrote:
On Thu, 19 Dec 2019, White, David via FreeIPA-user
ut DNS resolution from AD
On Wed, 18 Dec 2019, White, David via FreeIPA-users wrote:
>I am trying to spin up a new 2-node cluster in my lab environment.
>
>I have FreeIPA installed, and can log in to the web UI.
>At this point, I’m trying to establish a trust with AD:
>
>ipa
I am trying to spin up a new 2-node cluster in my lab environment.
I have FreeIPA installed, and can log in to the web UI.
At this point, I’m trying to establish a trust with AD:
ipa trust-add --type=ad example.net --admin administrator
Based on the errors I was getting with that command’s
Reviewing the FreeIPA documentation for deployment recommendations, I read:
“generally, it is recommended to have at least 2-3 replicas in each datacenter”.
A couple of months ago, when we initially designed and deployed FreeIPA / IdM,
we decided to deploy 3 nodes into each of our two
vice account or something. It would have
been helpful, though, to give those permissions to an AD user in our
environment.
Thanks again,
-
David White
Engineer II, Fiber Systems Engineering
On 11/27/19, 9:05 AM, "Alexander Bokovoy" wrote:
On Wed, 27 Nov 2019, Wh
I'm reviewing the documentation at
https://www.freeipa.org/page/V4/Allow_AD_users_to_manage_FreeIPA, as I am
hoping to allow members of certain AD groups to log in to FreeIPA from the web
GUI.
Does this documentation only apply to the FreeIPA CLI, or does it also affect
access to manage through
21 matches