Re: [Freeipa-users] Samba integration documentation question

2017-01-31 Thread Alexander Bokovoy
On Tue, 31 Jan 2017, Jeff Goddard wrote: I'm taking the next step in getting our freeipa environment set back up. This is a centos 7.2 freeipa 4.4 environment. I'm using this guide as a reference for setting up samba:

Re: [Freeipa-users] Identification with openLDAP and authorization with FreeIPA

2017-01-31 Thread Alexander Bokovoy
On Tue, 31 Jan 2017, Rich Megginson wrote: On 01/31/2017 04:46 PM, Michaël Van de Borne wrote: That was the feared, but somehow expected, answer. Any entry point/documentation about how to start such a script? Do FreeIPA and OpenLDAP still support the syncrepl protocol? a standard syncrepl

Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

2017-01-31 Thread Steve Huston
Seems like this is to blame: https://fedorahosted.org/freeipa/ticket/4291 The checkin says, "Installation in pure IPv6 environment failed because pki-tomcat tried to use IPv4 loopback. Configuring tomcat to use IPv6 loopback instead of IPv4 fixes this issue." However it would seem that in a

Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

2017-01-31 Thread Steve Huston
What defines the contents of /var/lib/pki/pki-tomcat/conf/server.xml? Doesn't work so well on a host without IPv6 turned on... Jan 31 14:26:59 ipa server: PKIListener: org.apache.catalina.core.StandardServer[before_init] Jan 31 14:27:00 ipa server: SEVERE: Failed to initialize end

[Freeipa-users] Samba integration documentation question

2017-01-31 Thread Jeff Goddard
I'm taking the next step in getting our freeipa environment set back up. This is a centos 7.2 freeipa 4.4 environment. I'm using this guide as a reference for setting up samba: http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA/NTMLSSP. Our environment does not include

Re: [Freeipa-users] caching of lookups / performance problem

2017-01-31 Thread Sullivan, Daniel [CRI]
Hi, I figured out what was going on with this issue. Basically cache timeouts were causing a large number of uid numbers in an arbitrarily-timed directory listing to have expired cache records, which causes those records to be looked up again by the data provider (and thus blocking ‘ls -l’).

Re: [Freeipa-users] Identification with openLDAP and authorization with FreeIPA

2017-01-31 Thread Rich Megginson
On 01/31/2017 04:46 PM, Michaël Van de Borne wrote: That was the feared, but somehow expected, answer. Any entry point/documentation about how to start such a script? Do FreeIPA and OpenLDAP still support the syncrepl protocol? cheers, m. -- *Michaël Van de Borne* Free Bird Computing

Re: [Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, ) [Internal Error (System error)]

2017-01-31 Thread thierry bordaz
On 01/31/2017 03:37 PM, Harald Dunkel wrote: Hi Thierry, On 01/30/17 09:10, thierry bordaz wrote: I understand your concern and in fact it is difficult to anticipate a potential bad impact of this cleanup. However, I think it is safe to get rid of the following entry. Before doing so you

Re: [Freeipa-users] Identification with openLDAP and authorization with FreeIPA

2017-01-31 Thread Michaël Van de Borne
This would be the best option! But customer won't allow this :( Since the openLDAP is also used by other apps. So I need to sync them. Which means: - adding the new users (not so difficult) - removing old user (perhaps not too complicated) - replicating changes like a password update (for

Re: [Freeipa-users] Identification with openLDAP and authorization with FreeIPA

2017-01-31 Thread Alexander Bokovoy
On Tue, 31 Jan 2017, Michaël Van de Borne wrote: h, ok, thank you. But indeed, I would need HBAC and sudo rules in the future. So I believe the only exit here is to keep openLDAP and FreeIPA in sync. Any clue on how to do this efficiently? Well, we have 'ipa migrate-ds' functionality but

Re: [Freeipa-users] Identification with openLDAP and authorization with FreeIPA

2017-01-31 Thread Martin Basti
Is there a possibility to migrate OpenLDAP to IPA DS and use only one source of Identity data? Martin^2 On 31.01.2017 16:30, Michaël Van de Borne wrote: h, ok, thank you. But indeed, I would need HBAC and sudo rules in the future. So I believe the only exit here is to keep openLDAP and

Re: [Freeipa-users] Identification with openLDAP and authorization with FreeIPA

2017-01-31 Thread Michaël Van de Borne
h, ok, thank you. But indeed, I would need HBAC and sudo rules in the future. So I believe the only exit here is to keep openLDAP and FreeIPA in sync. Any clue on how to do this efficiently? Thank you, Cheers, m. On 31-01-17 at 16:23, Alexander Bokovoy wrote: On Tue, 31 Jan 2017,

Re: [Freeipa-users] Identification with openLDAP and authorization with FreeIPA

2017-01-31 Thread Alexander Bokovoy
On Tue, 31 Jan 2017, Michaël Van de Borne wrote: Hello list, Here's my situation: I'm installing Hadoop for a customer, and the Hadoop cluster is secured with Kerberos. I used FreeIPA as a KDC. The customer uses openLDAP as a directory server. For now, our solution is to copy the whole

[Freeipa-users] Identification with openLDAP and authorization with FreeIPA

2017-01-31 Thread Michaël Van de Borne
Hello list, Here's my situation: I'm installing Hadoop for a customer, and the Hadoop cluster is secured with Kerberos. I used FreeIPA as a KDC. The customer uses openLDAP as a directory server. For now, our solution is to copy the whole openLDAP user base to FreeIPA, and then use FreeIPA

Re: [Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, ) [Internal Error (System error)]

2017-01-31 Thread Harald Dunkel
Hi Thierry, On 01/30/17 09:10, thierry bordaz wrote: > > I understand your concern and in fact it is difficult to anticipate a > potential bad impact of this cleanup. However, I think it is safe to get rid > of the following entry. > Before doing so you may check it exists > >

Re: [Freeipa-users] Cannot create replica

2017-01-31 Thread Jeff Goddard
Yep, That was it for me. Changing /var/lib/pki/pki-tomcat/conf/server.xml to listen on 127.0.0.1 instead of ::1 did it. Many thanks Carlos, Jeff On Tue, Jan 31, 2017 at 7:05 AM, Carlos Silva wrote: > Been there myself. > > Take a look at this bug report as it also has the

Re: [Freeipa-users] Cannot create replica

2017-01-31 Thread Carlos Silva
Been there myself. Take a look at this bug report as it also has the solution to your problem: https://fedorahosted.org/freeipa/ticket/6613 On Tue, Jan 31, 2017 at 9:21 AM, Rob Crittenden wrote: > Jeff Goddard wrote: > >> My previous install of freeipa became corrupted so

Re: [Freeipa-users] Cannot create replica

2017-01-31 Thread Rob Crittenden
Jeff Goddard wrote: My previous install of freeipa became corrupted so I'm starting fresh. I've got a new Centos 7.2 server set up and installed ipa version s 4.4. Now I'm trying to set up a replica on another newly created and patched centos server. The ipa-client-install command completes