I have tried to set up synchronization between a FreeIPA domain and an AD
domain. The certificates are in the right place.
[root@ipadc1 ~]# ipa-replica-manage connect --winsync --binddn "cn=sync
user,cn=Users,dc=datacenter,dc=addomain,dc=net" --bindpw secretpassword
--passsync secretpassword --cac
On 05/13/2015 08:18 PM, William Graboyes wrote:
Hi Dmitri,
That is quite a bucket of stuff... On the CA-less install, basically I don't want to have
my users change their passwords again (they are complaining about the every 90 day
password rotation policy), we do not have an internal CA, most
Hi Dmitri,
That is quite a bucket of stuff... On the CA-less install, basically I don't
want to have my users change their passwords again (they are complaining about
the every 90 day password rotation policy), we do not have an internal CA, most
of our "desk top support" folks don't even have
On 05/13/2015 07:40 PM, William Graboyes wrote:
Hi List,
I am trying to figure out a method of allowing users who do not have
shell access to change their own passwords. The GUI that comes with
FreeIPA is out of the question due to the untrusted
Hello everyone :)
We are seeing some strange behavior (created groups don't exist) and I
really hope someone can lend some advice...
We installed v 3.0 some time ago, and tried an upgrade to 3.3 which was
aborted before completion, however I believe the schema was updated.
Recently we attempted
Hi List,
I am trying to figure out a method of allowing users who do not have
shell access to change their own passwords. The GUI that comes with
FreeIPA is out of the question due to the untrusted CA (yes I know we
are a strange shop, there is not
On Wed, 2015-05-13 at 14:44 +, Bahmer, Eric Vaughn wrote:
> Institutionally we have a hardware token set up, you use a pin to
> unlock the device and it spits out a passcode.
> The passcode allows access through kerberos, radius, or ldap binds
> to linux servers, or with a custom apache modul
Thank you. I had originally gone with the RH documentation. I followed the
guide and was able to get my RHEL5 client working. AIX6 is closer to
working as well.
On 5/13/15, 9:31 AM, "Alexander Bokovoy" wrote:
>Have you actually read the definitive guide we have?
>https://urldefense.proofpoint.co
On 05/13/2015 10:44 AM, Bahmer, Eric Vaughn wrote:
Institutionally we have a hardware token set up, you use a pin to
unlock the device and it spits out a passcode.
The passcode allows access through kerberos, radius, or ldap binds to
linux servers, or with a custom apache module to websites.
I
On 05/13/2015 01:12 PM, Andrey Ptashnik wrote:
Thank you everyone for your help!
I found two ways to implement it in IPA server and tested it. So both
methods work in my current setup RHEL 7.1 and IPA server 4.1.0. First
method allows user to run default terminal as a target user (bash in
my
On 05/13/2015 10:34 AM, Janelle wrote:
On 5/13/15 9:13 AM, Rich Megginson wrote:
On 05/13/2015 10:04 AM, Janelle wrote:
On 5/13/15 8:49 AM, Rich Megginson wrote:
On 05/13/2015 09:40 AM, Janelle wrote:
Recently I started seeing these crop up across my servers:
slapi_ldap_bind - Error: could n
Thank you everyone for your help!
I found two ways to implement it in IPA server and tested it. So both methods
work in my current setup RHEL 7.1 and IPA server 4.1.0. First method allows
user to run default terminal as a target user (bash in my case). Second method
is using SU command, but run
On 5/13/15 9:13 AM, Rich Megginson wrote:
On 05/13/2015 10:04 AM, Janelle wrote:
On 5/13/15 8:49 AM, Rich Megginson wrote:
On 05/13/2015 09:40 AM, Janelle wrote:
Recently I started seeing these crop up across my servers:
slapi_ldap_bind - Error: could not bind id [cn=Replication Manager
mast
On 05/13/2015 10:04 AM, Janelle wrote:
On 5/13/15 8:49 AM, Rich Megginson wrote:
On 05/13/2015 09:40 AM, Janelle wrote:
Recently I started seeing these crop up across my servers:
slapi_ldap_bind - Error: could not bind id [cn=Replication Manager
masterAgreement1-ipa01.example.com-pki-tomcat,o
On 5/13/15 8:49 AM, Rich Megginson wrote:
On 05/13/2015 09:40 AM, Janelle wrote:
Recently I started seeing these crop up across my servers:
slapi_ldap_bind - Error: could not bind id [cn=Replication Manager
masterAgreement1-ipa01.example.com-pki-tomcat,ou=csusers,cn=config]
authentication mec
On 05/13/2015 09:40 AM, Janelle wrote:
Recently I started seeing these crop up across my servers:
slapi_ldap_bind - Error: could not bind id [cn=Replication Manager
masterAgreement1-ipa01.example.com-pki-tomcat,ou=csusers,cn=config]
authentication mechanism [SIMPLE]: error 32 (No such object)
Recently I started seeing these crop up across my servers:
slapi_ldap_bind - Error: could not bind id [cn=Replication Manager
masterAgreement1-ipa01.example.com-pki-tomcat,ou=csusers,cn=config]
authentication mechanism [SIMPLE]: error 32 (No such object) errno 0
(Success)
more and more and m
Hi Dimitri & Jakub,
Yes, for us it is a use case. Non-domain logins / NTLMSSP support in SSSD
is the final component we seem to need to allow Windows clients from a
non-trusted AD domain to access Samba shares using a username and
password combination, without having to use Kerberos.
IPA and SSSD is
Institutionally we have a hardware token set up, you use a pin to unlock the
device and it spits out a passcode.
The passcode allows access through kerberos, radius, or ldap binds to linux
servers, or with a custom apache module to websites.
I have an out-of-band private network set up that atta
On 05/13/2015 09:24 AM, Gould, Joshua wrote:
> I have default_domain_suffix = example.com in my [sssd] section of
> sssd.conf. On RHEL6/7 systems, I’m able to log in or issue any other
> command without the suffix. Is it safe to assume it works the same in
> RHEL5? I also tried with domain in all lo
On Wed, 13 May 2015, Gould, Joshua wrote:
I can log in to a RHEL6/7 server as an IPA user and SU to an AD user and it
works fine. I can also log in directly as an AD user as well.
For my RHEL5 system, I can log in as an IPA user but cannot su - or log in
as an AD user.
-sh-3.2$ su - ad_user
su: user
I have default_domain_suffix = example.com in my [sssd] section of
sssd.conf. On RHEL6/7 systems, I’m able to log in or issue any other
command without the suffix. Is it safe to assume it works the same in
RHEL5? I also tried with domain in all lower case and all upper case as
well.
On 5/13/15, 9:1
I can log in to a RHEL6/7 server as an IPA user and SU to an AD user and it
works fine. I can also log in directly as an AD user as well.
For my RHEL5 system, I can log in as an IPA user but cannot su - or log in
as an AD user.
-sh-3.2$ su - ad_user
su: user goul09 does not exist
As I mentioned bef
On 05/12/2015 10:48 PM, Gould, Joshua wrote:
> Hopefully I'm missing something simple.
>
> For an IPA user:
> $ ldapsearch -x "(&(uid=ipa_user)(objectclass=posixAccount))" -b
> dc=ipa,dc=example,dc=com
>
> This returns a match.
>
> For an AD user:
> $ ldapsearch -x "(&(uid=ad_user)(objectclass=p
Le 12/05/2015 20:11, Nalin Dahyabhai a écrit :
> On Tue, May 12, 2015 at 06:39:13PM +0200, Thibaut Pouzet wrote:
>> After doing what you recommended, the CSR have changed in the debug log :
>>
>> Certificate Request:
>> Data:
>> Version: 0 (0x0)
>> Subject: O=ipa_domain, CN=ipa_
OK. I understand.
Thank You for an answer.
2015-05-12 9:39 GMT+02:00 Jan Pazdziora :
> On Mon, May 11, 2015 at 08:52:08PM +0200, Vangass wrote:
> > OK. But the answer granted/declined comes from IPA. So why IPA doesn't
> > check its own HBAC rules at all?
> > Maybe the line 'account require
26 matches