Re: [Freeipa-users] OCSP and CRL in certs for java firefox plugin

2016-05-27 Thread Prasun Gera
The problem is that I'm not using ipa for dns. dns is handled externally, and I don't have admin access. I have 1 master and 1 replica, and all the clients are enrolled with --server=a,--server=b during installation, and I think it works perfectly fine. Is it possible to instruct ipa to use some

Re: [Freeipa-users] OCSP and CRL in certs for java firefox plugin

2016-05-27 Thread Rob Crittenden
Prasun Gera wrote: I've identified the problem. The uris seem to be incorrect. This looks like some substitution gone wrong. Instead of using the actual ipa server's address, it points to a generic placeholder type text (ipa-ca.domain.com). Relevant part of the

Re: [Freeipa-users] OCSP and CRL in certs for java firefox plugin

2016-05-27 Thread Prasun Gera
I've identified the problem. The uris seem to be incorrect. This looks like some substitution gone wrong. Instead of using the actual ipa server's address, it points to a generic placeholder type text (ipa-ca.domain.com). Relevant part of the certificate: Authority Information Access:

Re: [Freeipa-users] OCSP and CRL in certs for java firefox plugin

2016-05-27 Thread Prasun Gera
It looks like that issue was fixed and the OCSP and CRL uris in the certs are now http. So I'm not sure why java is complaining. On Fri, May 27, 2016 at 7:03 PM, Prasun Gera wrote: > I've set up a couple of dell idrac card's ssl certs signed by ipa CA. I've > also added

[Freeipa-users] OCSP and CRL in certs for java firefox plugin

2016-05-27 Thread Prasun Gera
I've set up a couple of Dell iDRAC cards' SSL certs signed by the IPA CA. I've also added the IPA CA to Java's trusted CAs. However, when you try to launch the iDRAC Java console, it will still show an error that the site is untrusted. Upon clicking on "more information", the message says that

[Freeipa-users] Recovering from an IPA master server failure

2016-05-27 Thread Michael Rainey (Contractor)
Greetings community, I've run into an interesting problem which may be old hat to all of you. I was working to bring down my first IPA server and did it improperly. It was a rookie mistake, but I'm willing to view it as an exercise in recovering from a massive master server failure. The

Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue

2016-05-27 Thread Rob Crittenden
Kay Zhou Y wrote: Hi, This is Kay. I am not sure if the email address is correct, and I would really appreciate it if there is any help for my issue. It's been baffling for a few days, and the expiry date is coming soon.. :( There is an IPA 2.2 environment, and three "Server-Cert" (two 389-ds and the Apache

Re: [Freeipa-users] How to reset admin password in 4.2.0

2016-05-27 Thread Rob Crittenden
Foo Bar wrote: Hello, How do I reset the admin password in FreeIPA 4.2.0 running on CentOS7? Some details: Some months ago I stood up FreeIPA as a POC in our lab. I was pulled into other projects, and in my infinite wisdom forgot to put the admin password in our password store. Now we've

[Freeipa-users] IPA 2.2 Certificate Renewal issue

2016-05-27 Thread Kay Zhou Y
Hi, This is Kay. I am not sure if the email address is correct, and I would really appreciate it if there is any help for my issue. It's been baffling for a few days, and the expiry date is coming soon.. :( There is an IPA 2.2 environment, and three "Server-Cert" (two 389-ds and the Apache certs) will be

[Freeipa-users] How to reset admin password in 4.2.0

2016-05-27 Thread Foo Bar
Hello, How do I reset the admin password in FreeIPA 4.2.0 running on CentOS7? Some details: Some months ago I stood up FreeIPA as a POC in our lab. I was pulled into other projects, and in my infinite wisdom forgot to put the admin password in our password store. Now we've got users trying to

[Freeipa-users] dynamic dns working for forward zone but not reverse zone

2016-05-27 Thread Brian J. Murrell
I have FreeIPA 4.2.0 on CentOS 7.2. I have dynamic DNS updates working for a forward zone but they are failing (NOTAUTH) for a reverse zone. Here is the configuration of the two zones: dn: idnsname=example.com.,cn=dns,dc=example,dc=com Zone name: example.com. Active zone: TRUE

Re: [Freeipa-users] Adding groupOfUniqueNames to all freeipa replicas for Zenoss LDAP authentication

2016-05-27 Thread Bob Hinton
Hi Martin, On 27/05/2016 14:01, Martin Kosek wrote: > On 05/25/2016 09:51 PM, Bob Hinton wrote: >> Hello, >> >> We are trying to get Zenoss login authentication to use freeipa over >> LDAP. Group mappings don't currently work and we think this is because >> Zenoss requires the groupOfUniqueNames

[Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1

2016-05-27 Thread Tomasz Torcz
Hi, In my home environment I'm using a two-server FreeIPA configuration on Fedora. Initially installed on Fedora 19 in November 2013, it has been upgraded every Fedora release. It generally works OK, but somewhat degrades during operation. Recently I've jumped to F24 in the hope my problems will be

Re: [Freeipa-users] What if my AD domain user password not available

2016-05-27 Thread Alexander Bokovoy
On Fri, 27 May 2016, Ben .T.George wrote: This is what I am getting [image: Inline image 1] [image: Inline image 3] [image: Inline image 4] And that wizard ends with nothing. Please anyone share more info regarding this. The wizard asks you to enter the name of the domain, forest, or realm for

Re: [Freeipa-users] Inconsistant results with HBAC and SSH?

2016-05-27 Thread Jakub Hrozek
On Fri, May 27, 2016 at 01:10:40AM +, Simpson Lachlan wrote: > > With the “allow all” HBAC rule enabled, we have no trouble logging in to any > > machine via ssh. When we disable the “allow all” rule and make specific per- > > machine rules (as per the idea of ‘host based’ in HBAC), we get >

Re: [Freeipa-users] What if my AD domain user password not available

2016-05-27 Thread Ben .T.George
Hi Alex. I am using Windows 2008 R2. When I am giving IPA's DNS name and click next, the trust wizard is not going through. But if I am selecting realm trust, at least the wizard completes. So which AD version is recommended? Regards, Ben On Fri, May 27, 2016 at 7:05 AM, Alexander Bokovoy