Hi Martin,
> I'm not sure how your DNS data are structured, but usually (properly)
> DS record is located in parent zone, so AXFR for
> subdomain.example.com should not return DS record, but AXFR
> for example.com should return DS record of
> subdomain.example.com.
Herein lies the problem. The
Hello,
I'm not sure how your DNS data are structured, but usually (properly) DS record
is located in parent zone, so AXFR for subdomain.example.com should not return
DS record, but AXFR for example.com should return DS record of
subdomain.example.com.
Martin
- Original Message -
On Thu, 09 Feb 2017, Munoz, Ian A wrote:
Hello,
I can't seem to set up or find decent documentation on either
cross-domain or pass through authentication. I have tried kerberos
cross realm, and saslauthd.
I have two different scenarios I would like to potentially accomplish.
1. FreeIPA
As we're enforcing encryption, here is via ldaps:
$ ldapsearch -H ldaps://`hostname` -D "cn=Directory Manager" -W -s sub -b ou=authorities,ou=ca,o=ipaca
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base
On Thu, Feb 09, 2017 at 06:27:12PM -0500, Guillermo Fuentes wrote:
> Hi Fraser,
>
> The cluster was migrated from FreeIPA 3 (CentOS 6) to FreeIPA 4
> (CentOS 7) a year ago.
>
> - Output of 'ldapsearch -s sub -b ou=authorities,ou=ca,o=ipaca':
> SASL/EXTERNAL authentication started
>
Hi Fraser,
The cluster was migrated from FreeIPA 3 (CentOS 6) to FreeIPA 4
(CentOS 7) a year ago.
- Output of 'ldapsearch -s sub -b ou=authorities,ou=ca,o=ipaca':
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no
Joseph Vandermaas wrote:
> All
> I have been experiencing some issues with a FreeIPA instance that I
> maintain. More specifically pki-tomcat has not started since around the time
> its certificate renewed. I submitted this bug report
> https://fedorahosted.org/freeipa/ticket/6521,
Hello,
I can't seem to set up or find decent documentation on either cross-domain or
pass through authentication. I have tried kerberos cross realm, and saslauthd.
I have two different scenarios I would like to potentially accomplish.
1. FreeIPA domain of a.example.tld pass through
All
I have been experiencing some issues with a FreeIPA instance that I
maintain. More specifically pki-tomcat has not started since around the time
its certificate renewed. I submitted this bug report
https://fedorahosted.org/freeipa/ticket/6521, however a solution has yet to be
On Thu, Feb 09, 2017 at 09:29:14AM -0500, Guillermo Fuentes wrote:
> Hi list,
>
> I'm trying to sign a service certificate but it's failing with "CA not found".
> The CA does exist but for some reason the ipa cert-request can't find it:
> $ ipa ca-show ipa
> Name: ipa
> Description: IPA CA
>
Alexander Bokovoy wrote:
>Unfortunately, we are still far away from making IPA-IPA trust a
>reality. We need to implement several features until we get to the point
>that practical IPA-IPA trust is possible.
Ok, thank you for clarifying - we'll consider how to work around - potentially
Hi list,
I'm trying to sign a service certificate but it's failing with "CA not found".
The CA does exist but for some reason the ipa cert-request can't find it:
$ ipa ca-show ipa
Name: ipa
Description: IPA CA
Authority ID: 0cb513ea-6084-4144-a61c-7a0a8368d25c
Subject DN: CN=Certificate
On Thu, 09 Feb 2017, Piper, Nick wrote:
Hi Alexander,
Alexander Bokovoy wrote:
On Thu, 09 Feb 2017, Piper, Nick wrote:
We're currently using FreeIPA 4.2.0, and we have two unrelated
instances of IdM server. We'd like the user list which IPA maintains
in one, to be a superset of the other;
Hi Alexander,
Alexander Bokovoy wrote:
>On Thu, 09 Feb 2017, Piper, Nick wrote:
>>We're currently using FreeIPA 4.2.0, and we have two unrelated
>>instances of IdM server. We'd like the user list which IPA maintains
>>in one, to be a superset of the other; so we're looking for one way
On Thu, 09 Feb 2017, Piper, Nick wrote:
Hi FreeIPA-users,
We're currently using FreeIPA 4.2.0, and we have two unrelated
instances of IdM server. We'd like the user list which IPA maintains
in one, to be a superset of the other; so we're looking for one way
replication (of
Hi FreeIPA-users,
We're currently using FreeIPA 4.2.0, and we have two unrelated
instances of IdM server. We'd like the user list which IPA maintains
in one, to be a superset of the other; so we're looking for one way
replication (of cn=users,cn=accounts,dc=realm, not necessarily of host
entries
Hi Tomas,
> when I add a DS record to LDAP (without any DNSSEC configuration),
> it is included in my AXFR transfer. I'm using bind-dyndb-ldap-10.1.
>
> I suppose you have DNSSEC configured. Could you be affected by the
> limitations mentioned in [1]?
Yes, dnssec is otherwise fully configured
On 02/08/2017 04:03 PM, Nathanaël Blanchet wrote:
On 08/02/2017 at 13:00, Pavel Březina wrote:
On 02/08/2017 11:59 AM, Nathanaël Blanchet wrote:
Hello,
on latest IPA, when adding a command to a rule or a sudo option for
example, the change is not active on the user session.
For example,
On 02/08/2017 11:59 PM, Ben Roberts wrote:
> Hi all,
>
> This is a question more about bind-dyndb-ldap rather than freeipa, but
> I understand it's written/maintained by the freeipa project and so
> this might be the most appropriate place to ask. I have setup
> bind-dyndb-ldap to read some zones
19 matches