Hi,
ipa-client-install should take care of setting up sudo on the client to use
IPA, afaik.
Essential line in nsswitch.conf:
sudoers:files ldap
Please read
Here is the output of ldapsearch :-
dn: cn=Admins,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ctsadmin
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
cn: Admins
The rule still says that the group ctsadmin is allowed (which should
not happen after I remove the ctsadmin group
IPA client on CentOS 5.6 was not able to take care of it.)
On Mon, Feb 4, 2013 at 1:54 PM, Fred van Zwieten
fvzwie...@vxcompany.com wrote:
Hi,
ipa-client-install should take care of setting up sudo on the client to use
IPA, afaik.
Essential line in nsswitch.conf:
sudoers:files ldap
Looking into the sssd logs, I came to know that there was one more
rule allowing access:-
(Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [hbac_get_category] (5): Category is set to 'all'.
(Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [ipa_hbac_evaluate_rules] (3): Access granted
I deleted the following entry from the IPA WebUI All Except Shell
(Sudo Role) but ldapsearch still fetches it (Effectively sudo works
after the deletion of the rule) :-
dn: cn=All Except Shell,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ctsadmin
sudoHost: ALL
sudoCommand: ALL
Hi,
Running the installer of the latest stable on a fresh Fedora 18, I get
the following error during install:
[30/36]: Upload CA cert to the directory
ipa : CRITICAL Failed to load upload-cacert.ldif: Command
'/usr/bin/ldapmodify -v -f /tmp/tmpLFZEuz -H ldap://..:389
Restarting IPA removed the rule that was deleted manually through the GUI.
It looks like a bug: the IPA WebUI was not able to delete the sudo rule
cn: All Except Shell
On Mon, Feb 4, 2013 at 3:54 PM, Rajnesh Kumar Siwal
rajnesh.si...@gmail.com wrote:
I deleted the following entry from the IPA WebUI
On 02/04/2013 11:31 AM, Jorick Astrego wrote:
Hi,
Running the installer of the latest stable on a fresh Fedora 18, I get the
following error during install:
[30/36]: Upload CA cert to the directory
ipa : CRITICAL Failed to load upload-cacert.ldif: Command
'/usr/bin/ldapmodify
On Mon, Feb 4, 2013 at 9:33 AM, Rajnesh Kumar Siwal
rajnesh.si...@gmail.com wrote:
IPA client on CentOS 5.6 was not able to take care of it.)
that's why you should be using a config management tool like cfengine,
puppet, chef, ansible, ... (choose your poison).
Organizations usually have
Fred van Zwieten wrote:
Hi,
ipa-client-install should take care of setting up sudo on the client to
use IPA, afaik.
Not yet, https://fedorahosted.org/freeipa/ticket/3358
Essential line in nsswitch.conf:
sudoers:files ldap
Please read here
Rajnesh Kumar Siwal wrote:
Looking into the sssd logs, I came to know that there was one more
rule allowing access:-
(Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [hbac_get_category] (5): Category is set to 'all'.
(Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
Rajnesh Kumar Siwal wrote:
I deleted the following entry from the IPA WebUI All Except Shell
(Sudo Role) but ldapsearch still fetches it (Effectively sudo works
after the deletion of the rule) :-
dn: cn=All Except Shell,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ctsadmin
The details are as follows :-
[root@ipa1 ~]# cat /etc/redhat-release
CentOS release 6.3 (Final)
[root@ipa1 ~]# rpm -qa|grep -i ipa
ipa-server-2.2.0-17.el6_3.1.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-17.el6_3.1.x86_64
Not sure but this is what resolved it.
On Mon, Feb 4, 2013 at 7:51 PM, Rob Crittenden rcrit...@redhat.com wrote:
Rajnesh Kumar Siwal wrote:
Looking into the sssd logs, I came to know that there was one more
rule allowing access:-
(Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
Hi Rob,
This is the way I configured it:-
1. Added the details in /etc/ldap.conf :-
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=chargepoint,dc=dmz
bindpw
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://ipa1.chargepoint.dmz
Rajnesh Kumar Siwal wrote:
Hi Rob,
This is the way I configured it:-
1. Added the details in /etc/ldap.conf :-
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=chargepoint,dc=dmz
bindpw
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri
Thanks Christian.
I am still looking for some workaround till then.
On Mon, Feb 4, 2013 at 10:16 PM, Christian Hernandez
christi...@4over.com wrote:
Looks like a backup/restore procedure is in the roadmap
http://www.freeipa.org/page/Roadmap
Thank you,
Christian Hernandez
1225 Los Angeles
Rajnesh Kumar Siwal wrote:
The details are as follows :-
[root@ipa1 ~]# cat /etc/redhat-release
CentOS release 6.3 (Final)
[root@ipa1 ~]# rpm -qa|grep -i ipa
ipa-server-2.2.0-17.el6_3.1.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
Loris Santamaria wrote:
Hi
on a production IPA realm with 3 servers and about 2000 users we were
experiencing a very high load on the servers. Further investigation
showed that the high load was caused by a lot of writes done by the IPA
dirsrv instance. Activating the audit logging showed a
I use the following to dump my LDAP databases:
#!/bin/sh
# Export the ipaca backend of the PKI-IPA instance to a timestamped LDIF file.
# The bind DN contains a space, so it must be quoted or the shell splits it
# into two arguments; the bind password is read from the credentials file (-j).
/usr/lib64/dirsrv/slapd-PKI-IPA/db2ldif.pl -D "cn=directory manager" \
  -j /var/lib/dirsrv/scripts-YOUR-KERB-REALM/dmanager.credentials \
  -n ipaca \
  -a /var/lib/dirsrv/slapd-PKI-IPA/bak/ipaca.`/bin/date +%Y%m%d%H%M%S`.ldif
Thank you John for your helpful reply.
Near real time will be sufficient - within the 5 min range.
Will it be practical when managing a user's groups - these can happen when
a user moves within the organization or is terminated.
On Fri, Feb 1, 2013 at 8:59 PM, John Dennis jden...@redhat.com
On 02/04/2013 07:07 PM, It Meme wrote:
Thank you John for your helpful reply.
Near real time will be sufficient - within the 5 min range.
Will it be practical when managing a user's groups - these can happen
when a user moves within the organization or is terminated.
I'm not sure we've done
Thank you John - much appreciated.
Sent from my iPhone
On 2013-02-04, at 16:35, John Dennis jden...@redhat.com wrote:
On 02/04/2013 07:07 PM, It Meme wrote:
Thank you John for your helpful reply.
Near real time will be sufficient - within the 5 min range.
Will it be practical when
Hi.
Would there be any online examples for calling the IPA JSON APIs from a Java
application?
Thanks.
Sent from my iPhone
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users