Re: [Freeipa-users] another certmonger question

2016-10-04 Thread Natxo Asenjo
hi, On Mon, Oct 3, 2016 at 5:32 PM, Rob Crittenden wrote: > > usercertificate is a multi-valued LDAP attribute but IPA 3.0 only really > operates on the "first" value returned (I didn't look at more recent > versions). In this case it is the 267976717 cert. The other certs

Re: [Freeipa-users] another certmonger question

2016-09-30 Thread Natxo Asenjo
On Fri, Sep 30, 2016 at 10:45 AM, Rob Crittenden <rcrit...@redhat.com> wrote: > Natxo Asenjo wrote: > >> >> >> On Thu, Sep 29, 2016 at 1:16 PM, Rob Crittenden <rcrit...@redhat.com >> <mailto:rcrit...@redhat.com>> wrote: >> >> Natxo

Re: [Freeipa-users] another certmonger question

2016-09-29 Thread Natxo Asenjo
On Thu, Sep 29, 2016 at 1:16 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > Natxo Asenjo wrote: > >> >> >> On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden <rcrit...@redhat.com >> <mailto:rcrit...@redhat.com>> wrote: >> >

Re: [Freeipa-users] Replica created with expired certs

2016-09-29 Thread Natxo Asenjo
hi, On Thu, Sep 29, 2016 at 2:11 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > Natxo Asenjo wrote: > >> hi Jim, >> >> On Thu, Sep 29, 2016 at 7:37 AM, Jim Richard <jrich...@placeiq.com >> <mailto:jrich...@placeiq.com>> wrote: >> >>

Re: [Freeipa-users] another certmonger question

2016-09-29 Thread Natxo Asenjo
On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden wrote: > > It's hard to say, it may in fact not be a problem. > > It is really a matter of what service the certificate(s) are related to. > I'd look at the serial numbers and then correlate those to the issued > certificates.

Re: [Freeipa-users] Replica created with expired certs

2016-09-29 Thread Natxo Asenjo
hi Jim, On Thu, Sep 29, 2016 at 7:37 AM, Jim Richard wrote: > Thanks Rob, that worked. > > Still on the subject of certs, any idea how to solve this error: > > Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key > database is in an old, unsupported

[Freeipa-users] another certmonger question

2016-09-26 Thread Natxo Asenjo
hi, after our upgrade from centos 6.8 to 7.2, when I renew a certificate using ipa-getcert resubmit -i xx the certificate is properly renewed, but the info on ipa host-show still shows the old certificate info. Is this normal? $ sudo getcert list | grep expires expires: 2018-09-27

Re: [Freeipa-users] replicas removed, but incorrectly

2016-09-26 Thread Natxo Asenjo
Asenjo <natxo.ase...@gmail.com> wrote: > hi, > > > > On Mon, Sep 26, 2016 at 3:06 PM, Ludwig Krispenz <lkris...@redhat.com> > wrote: > >> >> On 09/26/2016 02:56 PM, Natxo Asenjo wrote: >> >> >> so the command has not been successful in th

Re: [Freeipa-users] replicas removed, but incorrectly

2016-09-26 Thread Natxo Asenjo
hi, On Mon, Sep 26, 2016 at 3:06 PM, Ludwig Krispenz <lkris...@redhat.com> wrote: > > On 09/26/2016 02:56 PM, Natxo Asenjo wrote: > > > so the command has not been successful in the kdc03. in the dirsrv errors > log I see: > > [26/Sep/2016:14:50:54 +0200] NSMMR

Re: [Freeipa-users] replicas removed, but incorrectly

2016-09-26 Thread Natxo Asenjo
On Mon, Sep 26, 2016 at 1:54 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote: > > > > On Mon, Sep 26, 2016 at 1:50 PM, Ludwig Krispenz <lkris...@redhat.com> > wrote: > >> >> On 09/26/2016 01:36 PM, Natxo Asenjo wrote: >> >> And in my examp

Re: [Freeipa-users] replicas removed, but incorrectly

2016-09-26 Thread Natxo Asenjo
On Mon, Sep 26, 2016 at 1:50 PM, Ludwig Krispenz <lkris...@redhat.com> wrote: > > On 09/26/2016 01:36 PM, Natxo Asenjo wrote: > > hi, > > I recently upgraded a centos 6.8 realm to centos 7.2 and it almost went > correctly. > > Now I see some errors in /var/log

[Freeipa-users] replicas removed, but incorrectly

2016-09-26 Thread Natxo Asenjo
hi, I recently upgraded a centos 6.8 realm to centos 7.2 and it almost went correctly. Now I see some errors in /var/log/dirsrv/slapd-INSTANCENAME/errors 26/Sep/2016:13:20:15 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://kdc03.unix.iriszorg.nl:389/o%3Dipaca) failed and

Re: [Freeipa-users] replica added, but clients still try renewing certificates with old master

2016-09-23 Thread Natxo Asenjo
On Fri, Sep 23, 2016 at 9:29 AM, Petr Vobornik <pvobo...@redhat.com> wrote: > On 09/21/2016 05:06 PM, Natxo Asenjo wrote: > > > So, what should be the correct value for dns discovery for both > directives using > > dns discovery? > > I don't think the

Re: [Freeipa-users] replica added, but clients still try renewing certificates with old master

2016-09-22 Thread Natxo Asenjo
On Wed, Sep 21, 2016 at 5:06 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote: > ok, done. > > In fact, changing both the domain and the xmlrpc_uri directives in the global > section was necessary. Now it worked :-) > I meant the server, not the domain options obviousl

Re: [Freeipa-users] replica added, but clients still try renewing certificates with old master

2016-09-21 Thread Natxo Asenjo
hi Petr, On Wed, Sep 21, 2016 at 4:38 PM, Petr Vobornik <pvobo...@redhat.com> wrote: > On 09/21/2016 10:50 AM, Natxo Asenjo wrote: > > > When I try to resubmit certificates from certmonger they still hit the > kdc01 web > > server, so the requests hang on an status:

[Freeipa-users] replica added, but clients still try renewing certificates with old master

2016-09-21 Thread Natxo Asenjo
hi, I followed the instructions here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html and now after some issues I have a replica with both pki and dns data running centos 7. So now I have 3

Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-20 Thread Natxo Asenjo
ok, so all certs are renewed (dogldap and http). On Tue, Sep 20, 2016 at 11:49 AM, Natxo Asenjo <natxo.ase...@gmail.com> wrote: > > > On Mon, Sep 19, 2016 at 5:27 PM, Rob Crittenden <rcrit...@redhat.com> > wrote: > >> Natxo Asenjo wrote: >> >>>

Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-20 Thread Natxo Asenjo
On Mon, Sep 19, 2016 at 5:27 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > Natxo Asenjo wrote: > >> hi, >> >> >> On Fri, Sep 16, 2016 at 4:22 PM, Rob Crittenden <rcrit...@redhat.com >> > Ok, how about we work around the problem. > Gladly ;-)

Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-16 Thread Natxo Asenjo
hi, On Fri, Sep 16, 2016 at 10:34 AM, Martin Basti <mba...@redhat.com> wrote: > > > On 16.09.2016 09:38, Natxo Asenjo wrote: > > hi, > > > On Thu, Sep 15, 2016 at 1:03 PM, Natxo Asenjo <natxo.asenjo@gmail.c > <natxo.ase...@gmail.com> >> >&g

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-16 Thread Natxo Asenjo
hi, On Thu, Sep 15, 2016 at 2:25 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote: > hi, > > attached error_log > Any clues? Thanks! -- -- Groeten, natxo -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeip

Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-16 Thread Natxo Asenjo
hi, On Thu, Sep 15, 2016 at 1:03 PM, Natxo Asenjo <natxo.asenjo@gmail.c <natxo.ase...@gmail.com> > > On Thu, Sep 15, 2016 at 12:49 PM, Martin Basti <mba...@redhat.com> wrote: > >> >> >> On 15.09.2016 12:44, Natxo Asenjo wrote: >> >> hi, >

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-15 Thread Natxo Asenjo
On Thu, Sep 15, 2016 at 1:03 PM, Ben Lipton <blip...@redhat.com> wrote: > > On 09/15/2016 03:04 AM, Natxo Asenjo wrote: > > Hi Ben, > > On Wed, Sep 14, 2016 at 2:45 PM, Ben Lipton <blip...@redhat.com> wrote: > > One other note - this could be a per

Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-15 Thread Natxo Asenjo
On Thu, Sep 15, 2016 at 12:49 PM, Martin Basti <mba...@redhat.com> wrote: > > > On 15.09.2016 12:44, Natxo Asenjo wrote: > > hi, > > On Thu, Sep 15, 2016 at 12:33 PM, Martin Basti <mba...@redhat.com> wrote: > >> >> Hello, >> >> usuall

Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-15 Thread Natxo Asenjo
hi, On Thu, Sep 15, 2016 at 12:33 PM, Martin Basti wrote: > > Hello, > > usually the most information can be found here > /var/log/pki/pki-tomcat/ca/debug > mmm, in this centos 6.8 system that does not exist: # ls -l /var/log/pki/pki-tomcat/ca/debug ls: cannot access

[Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-15 Thread Natxo Asenjo
hi, one of our master servers has a problem with its certificates: # getcert list Number of certificates and requests being tracked: 8. Request ID '20121107212513': status: CA_UNREACHABLE ca-error: Server failed request, will retry: 907 (RPC failed at server. cannot connect to

Re: [Freeipa-users] adding replica centos 7 to centos 6 fails [error] ObjectclassViolation: attribute "unhashed#user#password" not allowed

2016-09-15 Thread Natxo Asenjo
hi, the fact that the usercertificate attribute of uid=admin,ou=people,o=ipaca is expired, could this be the cause of these problems as well? How can I renew this certificate? -- Groeten, natxo

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-15 Thread Natxo Asenjo
Hi Ben, On Wed, Sep 14, 2016 at 2:45 PM, Ben Lipton wrote: One other note - this could be a permissions issue. NSS seems to produce > this confusing error message when it can't access the database, even if the > format of the database is actually fine. > > $ sudo chown

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-14 Thread Natxo Asenjo
hi, On Tue, Sep 13, 2016 at 9:36 PM, Endi Sukma Dewata wrote: > On 9/12/2016 9:35 PM, Endi Sukma Dewata wrote: > >> On 9/9/2016 2:46 PM, Georgios Kafataridis wrote: >> >>> I've tried that but still the same result. >>> >>> [root@ipa-server /]# ldapsearch -D "cn=directory

Re: [Freeipa-users] adding replica centos 7 to centos 6 fails [error] ObjectclassViolation: attribute "unhashed#user#password" not allowed

2016-09-13 Thread Natxo Asenjo
On Tue, Sep 13, 2016 at 2:10 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote: > hi, > > when trying to add a replica to the Idm environment of a host running > centos 7 (fully patched) to an existing centos 6.8 realm I get this error: > ok, some progress. I found this: htt

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-13 Thread Natxo Asenjo
hi, On Mon, Sep 12, 2016 at 9:48 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > Natxo Asenjo wrote: > >> hi, >> >> I can reproduce this every time. Restarting httpd fixes it for a while, >> but then it stops working: >> >> $ ipa cert-show 1

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-08 Thread Natxo Asenjo
Hi Giorgios, On Thu, Sep 8, 2016 at 4:37 PM, Giorgos Kafa wrote: > Hello, I am trying to migrate and upgrade my main freeipa installation, > so I decided to replicate it and phase it out of our intranet. > I manage to get over some obstacles as I had to recreate my

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-08 Thread Natxo Asenjo
On Thu, Sep 8, 2016 at 3:25 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > Natxo Asenjo wrote: > >> I do see these errors: >> [Wed Sep 07 15:56:13 2016] [error] ipa: INFO:: ping(): SUCCESS >> [Wed Sep 07 15:56:13 2016] [error] ipa: INFO: : host_find(u'tftp-

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-07 Thread Natxo Asenjo
: : host_find(u'tftp-1801', all=False, raw=False, version=u'2.49', no_members=False, pkey_only=False): CertificateFormatErro On Wed, Sep 7, 2016 at 4:01 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote: > > alas, not working again. > > On the one kdc > > $ ipa host-fin

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-07 Thread Natxo Asenjo
alas, not working again. On the one kdc $ ipa host-find tftp-1801 ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format. On the other: $ ipa host-find tftp-1801 -- 1 host matched -- Host name:

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-07 Thread Natxo Asenjo
On Wed, Sep 7, 2016 at 3:27 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > Natxo Asenjo wrote: > >> hi, >> >> using centos 6.8 (server and client), when trying to view some hosts we >> get this error: >> >> >> $ ipa host-find host-1920.

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-07 Thread Natxo Asenjo
On Wed, Sep 7, 2016 at 2:10 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote: > hi, > > using centos 6.8 (server and client), when trying to view some hosts we > get this error: > > > $ ipa host-find host-1920.sub.domain.tld > ipa: ERROR: Certificate format err

[Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-07 Thread Natxo Asenjo
hi, using centos 6.8 (server and client), when trying to view some hosts we get this error: $ ipa host-find host-1920.sub.domain.tld ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format. I saw a thread last year about

Re: [Freeipa-users] what is the best way to create a search account

2016-06-30 Thread Natxo Asenjo
hi Rob, On Thu, Jun 30, 2016 at 1:22 PM, Rob Verduijn wrote: > Hello, > > > What would be the most appropriate way to create a search account so that > a third party tool (wildfly) can use it to search the ipa domain for > credentials ? > I just create a normal account.

Re: [Freeipa-users] multiple ds instances (maybe off-topic)

2016-06-28 Thread Natxo Asenjo
hi Ludwig, On Tue, Jun 28, 2016 at 10:03 AM, Ludwig Krispenz <lkris...@redhat.com> wrote: > > On 06/28/2016 09:50 AM, Natxo Asenjo wrote: > > > I'd like to have internally all sort of ldap access, but externally only > certificate based, for example. > > If there i

Re: [Freeipa-users] multiple ds instances (maybe off-topic)

2016-06-28 Thread Natxo Asenjo
On Tue, Jun 28, 2016 at 9:07 AM, Alexander Bokovoy <aboko...@redhat.com> wrote: > On Tue, 28 Jun 2016, Natxo Asenjo wrote: > >> hi, >> >> according to the RHDS documentation ( >> >> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Ser

[Freeipa-users] multiple ds instances (maybe off-topic)

2016-06-28 Thread Natxo Asenjo
hi, according to the RHDS documentation ( https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/html-single/Using_the_Admin_Server/index.html) one can have multiple directory server instances on the same hosts Would it be interesting to offer this functionality in

Re: [Freeipa-users] Install best practice -

2016-05-30 Thread Natxo Asenjo
On Mon, May 30, 2016 at 7:14 AM, Ben .T.George wrote: > Hi > > thanks for the reply. > > "the easiest would be to create a zone and delegating that to the ipa > hosts. No other change necessary." > > can you explain little more. You mean need to create separate DNS zone ?

Re: [Freeipa-users] Install best practice -

2016-05-29 Thread Natxo Asenjo
On Sun, May 29, 2016 at 7:11 PM, Ben .T.George wrote: > Hi > > I would like to know how can i proceed with best practices > > My AD domain is : corp.examle.com.kw > My DNS (appliances ) : kw.test.com > > All my clients are pointed to kw.test.com including AD. > > How can i

Re: [Freeipa-users] Unexpiring user passwords

2016-05-01 Thread Natxo Asenjo
On Sun, May 1, 2016 at 4:53 AM, Joshua J. Kugler wrote: > We have a situation where the passwords in FreeIPA need to be synchronized > with another system in the company (a database of users, which is the > authoritative source for users and passwords). But, from what I

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Natxo Asenjo
hi Gady, On Wed, Apr 20, 2016 at 8:11 PM, Gady Notrica wrote: > Any specific command in particular to remove that keytab? > > Since these don't work > > [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab > Kerberos context initialization failed > [root@prddb1

Re: [Freeipa-users] howto ldapsearch for disabled/enabled users?

2016-04-15 Thread Natxo Asenjo
hi Harald, On Fri, Apr 15, 2016 at 1:31 PM, Harald Dunkel wrote: > Hi folks, > > I have no luck with the ipa cli, so I wonder if it is > possible to ldapsearch for disabled or enabled users? > A command line like > > ldapsearch -LLL -Y GSSAPI -b

Re: [Freeipa-users] IPA command to batch create users.

2016-03-24 Thread Natxo Asenjo
hi, On Thu, Mar 24, 2016 at 8:14 PM, Armstrong, Jeffrey < jeffrey.armstr...@gasoc.com> wrote: > Hello, > > > > I would like to find out if I can create a large number of users in IPA at > one time. If so, what is the command to do that. > > > you can use ipa user-add command in a bash loop, or

Re: [Freeipa-users] is it possible to add a value to the group 'mail' attrirbute?

2016-03-20 Thread Natxo Asenjo
hi, On Fri, Mar 18, 2016 at 6:14 AM, Alexander Bokovoy <aboko...@redhat.com> wrote: > On Thu, 17 Mar 2016, Natxo Asenjo wrote: > >> hi, >> >> see subject. For user accounts it's possible (even multivalued), >> >> Adding it using an ldap client give

Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-07 Thread Natxo Asenjo
On Mon, Mar 7, 2016 at 9:14 AM, Martin Kosek <mko...@redhat.com> wrote: > On 03/05/2016 06:00 AM, Rob Crittenden wrote: > > Natxo Asenjo wrote: > >> > >> By the way, revoking the certificate does not block applications using > >> it from ldap. > >

Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-04 Thread Natxo Asenjo
By the way, revoking the certificate does not block applications using it from ldap. I can still access the ldap server using this cert/key pair *after* revoking the certificate using ipa cert-revoke . In order to block it I need to remove the seeAlso value of the user account, or the certificate

Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-04 Thread Natxo Asenjo
On Fri, Mar 4, 2016 at 11:00 PM, Simo Sorce <s...@redhat.com> wrote: > On Fri, 2016-03-04 at 14:34 -0500, Rob Crittenden wrote: > > Natxo Asenjo wrote: > > > > when I go to http://www.freeipa.org/page/Special:OpenIDLogin to login > > > with the fedora acco

Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-04 Thread Natxo Asenjo
On Fri, Mar 4, 2016 at 4:58 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote: > > > On Fri, Mar 4, 2016 at 3:43 PM, Rob Crittenden <rcrit...@redhat.com> > wrote: > >> Ah right. Because all the subjects are the same base the same map will >> be used for b

Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-04 Thread Natxo Asenjo
On Fri, Mar 4, 2016 at 3:43 PM, Rob Crittenden wrote: > Ah right. Because all the subjects are the same base the same map will > be used for both DS and the CA. > > Any chance you could write up a HOWTO on this? Gladly, but I seem unable to login using my recently created

Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-04 Thread Natxo Asenjo
hi, On Thu, Mar 3, 2016 at 10:57 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > Natxo Asenjo wrote: > > > Using EXTERNAL, no cookie: > > $ ldapsearch -h kdc.sub.domain.tld -ZZ -Y EXTERNAL -LLL > > objectclass=person -s sub -b dc=sub,dc=domain,dc=tld cn

[Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-03 Thread Natxo Asenjo
hi, I am testing certificate authentication to ipa ldap ( centos 7.2 ). I have generated a user certificate following the instructions on https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/ After that I modified my $HOME/.ldaprc with these settings:

Re: [Freeipa-users] Traceback starting pki-cad - ca.subsystem.certreq missing?

2016-02-22 Thread Natxo Asenjo
On Sat, Feb 20, 2016 at 5:58 PM, Ian Pilcher wrote: > I am running IPA 3.0.0 on CentOS 6 (32-bit x86), and I am getting a > traceback every time pki-cad starts: > > Traceback (most recent call last): > File "/usr/sbin/pki-server", line 89, in > cli.execute(sys.argv)

Re: [Freeipa-users] how to force switch to another kdc

2016-01-05 Thread Natxo Asenjo
On Tue, Jan 5, 2016 at 7:31 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote: > includedir /var/lib/sss/pubconf/krb5.include.d/ > #File modified by ipa-client-install > > [libdefaults] > default_realm = IPA.DOMAIN.TLD > dns_lookup_realm = true > dns_lookup_

Re: [Freeipa-users] how to force switch to another kdc

2016-01-05 Thread Natxo Asenjo
On Tue, Jan 5, 2016 at 7:22 PM, Karl Forner wrote: > update: > > modifying the /etc/krb5.conf, and replacing the name of my freeipa master > by the replica fixes the problem. > So that proves that the kdc is not picked up by discovery. > > The problem is that my ubuntu box

Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?

2015-12-13 Thread Natxo Asenjo
On Fri, Dec 11, 2015 at 11:32 PM, Ranbir <m3fr...@thesandhufamily.ca> wrote: > On Fri, 2015-12-11 at 22:13 +0100, Natxo Asenjo wrote: > > what exactly do you want to achieve? 'Integrate' could mean a couple > > of things, so please specify. > > I would like

Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?

2015-12-11 Thread Natxo Asenjo
hi Ranbir, On Fri, Dec 11, 2015 at 9:29 PM, Ranbir wrote: > Hi All, > > I want to integrate my Postfix server with IPA. I've found a couple of > documents on how this can be done, but they don't accomplish the feat > the same way (they're also not discussing the

Re: [Freeipa-users] Squid authentication in FreeIPA

2015-11-20 Thread Natxo Asenjo
hi holo, On Fri, Nov 20, 2015 at 11:21 PM, holo wrote: > Thank you for your reply. > > I think i wasnt clear enough. Clients of proxy server are not kerberized. > I want to just authenticate them for proxy use in kerberos DB when they are > trying to use it (just by popup

Re: [Freeipa-users] LDAP creditentials for Squid

2015-11-20 Thread Natxo Asenjo
hi, On Fri, Nov 20, 2015 at 10:47 PM, holo wrote: > Hello > > How can i find FreeIPA ldap creditentials? I want to try to configure > Squid in similar way like it is described here for ejabberd: > > >

Re: [Freeipa-users] Upgrading from 3.0.0 CentOS6 to 4.2.3 CentOS7

2015-11-19 Thread Natxo Asenjo
On Thu, Nov 19, 2015 at 11:03 PM, Ash Alam wrote: > Hello All > > I am looking for some advice on upgrading. Currently our FreeIPA servers > are 3.0.0 on centos 6.6. We are looking to go to 4.2.3 Centos7. This > upgrade path is not possible per IPA documentation. Minimum

[Freeipa-users] crl url redirecting to https

2015-11-10 Thread Natxo Asenjo
hi, I just noticed some stuff was not functioning properly and it's because the crl url is being redirected to https (centos 6.7). $ curl http://kdc01.unix.domain.tld/ipa/crl/ 301 Moved Permanently Moved Permanently The document has moved https://kdc01.unix.domain.tld/ipa/crl/ ">here.

Re: [Freeipa-users] crl url redirecting to https

2015-11-10 Thread Natxo Asenjo
hi, On Tue, Nov 10, 2015 at 5:02 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > Natxo Asenjo wrote:> Any ideas on how to fix this? > > You should have a sections like these in /etc/httpd/conf.d/ipa.conf: > > > SetHandler None > > ... > # For CRL publi

Re: [Freeipa-users] crl url redirecting to https

2015-11-10 Thread Natxo Asenjo
but going back to ipa-rewrite.conf, these 2 seem contradictory: # Redirect to the fully-qualified hostname. Not redirecting to secure # port so configuration files can be retrieved without requiring SSL. RewriteCond %{HTTP_HOST} !^kdc01.unix.iriszorg.nl$ [NC] RewriteRule ^/ipa/(.*)

[Freeipa-users] mastercrl files

2015-11-10 Thread Natxo Asenjo
hi, do we need to keep all the MasterCRL-MMDD-HHMMSS.der files or can we purge them on a regular basis (say, keep 60 days dump the rest)? $ ls -l | wc -l 3621 this is in a server installed 3 years ago. -- Groeten, natxo

Re: [Freeipa-users] First tests against the REST/JSON API

2015-11-09 Thread Natxo Asenjo
hi, On Mon, Nov 9, 2015 at 6:58 PM, Oliver Dörr wrote: > Hi, > > I'm completly new to this list and the product behind it. I'm trying to > use perl to get a list from my IPA installation of all users that are on > the server. > unfortunately I cannot help you right now,

Re: [Freeipa-users] gssapi ssh works, pam user/password does not work

2015-11-05 Thread Natxo Asenjo
On Thu, Nov 5, 2015 at 10:03 AM, Natxo Asenjo <natxo.ase...@gmail.com> wrote: > hi, > > since yesterday I have a strange situation in one of our joined hosts. > > i can login using a kerberos ticket, but not using name/password. > > In /var/log/secure I see thi

[Freeipa-users] gssapi ssh works, pam user/password does not work

2015-11-05 Thread Natxo Asenjo
hi, since yesterday I have a strange situation in one of our joined hosts. i can login using a kerberos ticket, but not using name/password. In /var/log/secure I see this: sshd[29607]: pam_sss(sshd:auth): received for user username: 4 (System error) -- -- Groeten, natxo

Re: [Freeipa-users] gssapi ssh works, pam user/password does not work

2015-11-05 Thread Natxo Asenjo
hi, this is in a centos host running 6.7, by the way. -- Groeten, natxo

Re: [Freeipa-users] gssapi ssh works, pam user/password does not work

2015-11-05 Thread Natxo Asenjo
hi, Fixed, /tmp had the wrong permissions, was not owned by root:root. Thanks for the debugging tips! -- -- Groeten, natxo

Re: [Freeipa-users] gssapi ssh works, pam user/password does not work

2015-11-05 Thread Natxo Asenjo
hi Sumit, On Thu, Nov 5, 2015 at 10:14 AM, Sumit Bose wrote: > > how can I troubleshoot this issue? > > You should check the SSSD debug logs, see > https://fedorahosted.org/sssd/wiki/Troubleshooting for details about how > to enable debug logging and where to find the logs. >

Re: [Freeipa-users] substitute local system groups by ipa groups

2015-10-14 Thread Natxo Asenjo
hi, On Wed, Oct 14, 2015 at 8:35 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > Natxo Asenjo wrote: > > hi, > > > > can you do something like this? > > > > ipa group-add wheel --gid=10 > > > > to substitute the local group wheel? Of course

Re: [Freeipa-users] ocsp server not respondig after migrating from centos 6.7 to 7.1

2015-09-12 Thread Natxo Asenjo
On Sat, Sep 12, 2015 at 9:43 AM, Natxo Asenjo <natxo.ase...@gmail.com> wrote: > hi, > > In a test network I followed the procedure specified in > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_G

[Freeipa-users] ocsp server not respondig after migrating from centos 6.7 to 7.1

2015-09-12 Thread Natxo Asenjo
hi, In a test network I followed the procedure specified in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html to migrate from a centos 6.7 ipa server to a new centos 7 ipa server.

[Freeipa-users] ipa-client-install --request-cert fails

2015-09-12 Thread Natxo Asenjo
hi, on a centos 7.1 host when enrolling it with (among other) the switch --request-cert it does not create a host certificate for it. The host is properly joined but no certificate is present. In the ipaclient-install.log file I see this: 2015-09-12T09:34:02Z ERROR certmonger request for

Re: [Freeipa-users] ipa-client-install --request-cert fails

2015-09-12 Thread Natxo Asenjo
On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote: > hi, > > on a centos 7.1 host when enrolling it with (among other) the switch > --request-cert it does not create a host certificate for it. The host is > properly joined but no c

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-15 Thread Natxo Asenjo
On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden rcrit...@redhat.com wrote: sipazzo wrote: and my users are able to authenticate to the directory but the hbac rules are not being applied. Any user whether given access or not can login to the Solaris systems. The allow-all rule has been

Re: [Freeipa-users] OT: https://www.freeipa.org missing intermediate certificate

2015-07-31 Thread Natxo Asenjo
Hi, Maybe just one more redirect if people come directly to https://freeipa.org? $ curl -LIv https://freeipa.org * Rebuilt URL to: https://freeipa.org/ * Hostname was NOT found in DNS cache * Trying 209.132.183.105... * Connected to freeipa.org (209.132.183.105) port 443 (#0) * Initializing

[Freeipa-users] OT: https://www.freeipa.org missing intermediate certificate

2015-07-10 Thread Natxo Asenjo
hi, earlier today I was reading a post about the new freeipa version on my mobile device and got plenty of warnings about an invalid certificate. On a fedora laptop no warnings, but this is the problem: $ curl -LIv https://www.freeipa.org * Rebuilt URL to: https://www.freeipa.org/ * Hostname

Re: [Freeipa-users] FreeIPA and Rsyslog

2015-07-03 Thread Natxo Asenjo
On Fri, Jul 3, 2015 at 7:54 PM, Esdras La-Roque esdras.laro...@gmail.com wrote: Hi guys, is it possible utilize freeipa certificate, issued for a machine, integrated in Rsyslog for redirection remotely logs? not with rsyslog, but with logstash and the logstash forwarder. I tried with

Re: [Freeipa-users] hesitate to deploy freeipa

2015-06-26 Thread Natxo Asenjo
hi, On Wed, Jun 24, 2015 at 9:06 AM, Harald Dunkel harald.dun...@aixigo.de wrote: Hi folks, I have a general problem with freeipa: It is *highly* complex and depends upon too many systems working together correctly (IMHO). My concern is, if there is a problem, then the usual tools

Re: [Freeipa-users] host usercertificate attribute

2015-05-20 Thread Natxo Asenjo
hi rob, On Mon, May 18, 2015 at 3:46 PM, Rob Crittenden rcrit...@redhat.com wrote: Natxo Asenjo wrote: On Sat, May 16, 2015 at 10:24 PM, Natxo Asenjo natxo.ase...@gmail.com mailto:natxo.ase...@gmail.com wrote: hi, If I retrieve the usercertificate attribute for host objects I get

Re: [Freeipa-users] host usercertificate attribute

2015-05-20 Thread Natxo Asenjo
hi Rob, On Wed, May 20, 2015 at 2:08 PM, Rob Crittenden rcrit...@redhat.com wrote: Nat You could try adding -inform DER cool, that works ;-) Thanks. -- Groeten, natxo

Re: [Freeipa-users] host usercertificate attribute

2015-05-17 Thread Natxo Asenjo
On Sat, May 16, 2015 at 10:24 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: hi, If I retrieve the usercertificate attribute for host objects I get some gibberish. How can I decode the info I get from ldapsearch? maybe there is a way to feed that to openssl. What I ended up doing

[Freeipa-users] host usercertificate attribute

2015-05-16 Thread Natxo Asenjo
hi, If I retrieve the usercertificate attribute for host objects I get some gibberish. How can I decode the info I get from ldapsearch? The command I used was: ldapsearch -b cn=computers,cn=accounts,dc=sub,dc=domain,dc=tldl -t -Y gssapi -Z -h kdc01.sub.dmain.tld usercertificate which creates

Re: [Freeipa-users] Common Name for the ipa-cacert-manage command

2015-05-01 Thread Natxo Asenjo
hi, On Fri, May 1, 2015 at 12:52 AM, William Graboyes wgrabo...@cenic.org wrote: I guess it is time to get deep into API documentation. This is a hell of a lot of hoops to jump through just so that users who don't have shell access can easily change their passwords without having to see a

Re: [Freeipa-users] Setup of freeipa 4.1.3 failed

2015-04-08 Thread Natxo Asenjo
On Wed, Apr 8, 2015 at 7:57 AM, Markus Roth mar...@die5roths.de wrote: Yesterday I did the installation of freeipa on my banana Pi with modifying the source file ipalib/constants.py:('startup_timeout', 300). I changed it to 900 s. And the setup process was successful! The start of the

Re: [Freeipa-users] upgrade 3.0 - 4.1

2015-04-07 Thread Natxo Asenjo
hi, On Fri, Apr 3, 2015 at 4:41 PM, Dmitri Pal d...@redhat.com wrote: On 04/03/2015 09:46 AM, Brian Topping wrote: On Apr 3, 2015, at 6:48 AM, Tamas Papp tom...@martos.bme.hu tom...@martos.bme.hu wrote: hi All, I have CentOS 6.6 server and want to upgrade to 7.1. What is the upgrade

Re: [Freeipa-users] IPA Client using Source Code

2015-03-30 Thread Natxo Asenjo
On Mon, Mar 30, 2015 at 10:48 AM, Yogesh Sharma yks0...@gmail.com wrote: Hi List, We have been trying to install IPA-Client using source code. While installing we are seeing many errors, of which most are resolved, but we are stuck at the below while doing make. Is there any suggestion to get out of it?

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

2015-03-27 Thread Natxo Asenjo
On Fri, Mar 27, 2015 at 5:58 AM, Yogesh Sharma yks0...@gmail.com wrote: (Fri Mar 27 10:19:57 2015) [sssd[be[sd.int]]] [sss_krb5_cc_verify_ccache] (0x0020): 1078: [-1765328190][Credentials cache permissions incorrect] (Fri Mar 27 10:19:57 2015) [sssd[be[sd.int]]] [check_old_ccache] (0x0040):

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

2015-03-26 Thread Natxo Asenjo
On Thu, Mar 26, 2015 at 3:12 PM, Yogesh Sharma yks0...@gmail.com wrote: Thanks, but when I try to use the admin user (default user created by IPA), I am able to login. The issue is happening only with new users we are trying to create. (Thu Mar 26 19:30:52 2015) [[sssd[krb5_child[13625

Re: [Freeipa-users] Unknown Client?

2015-03-17 Thread Natxo Asenjo
On Tue, Mar 17, 2015 at 4:19 PM, Tevfik Ceydeliler tevfik.ceydeli...@astron.yasar.com.tr wrote: Hi, Although I have this configuration in client .conf: ## client 172.30.47.241 { secret = 877909 shortname = VodafonePinarsuAPNYeni1

Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login

2015-03-11 Thread Natxo Asenjo
On Wed, Mar 11, 2015 at 8:36 PM, Rob Crittenden rcrit...@redhat.com wrote: Ben .T.George wrote: HI thanks for the reply. even i tried the native auto_master file with a directory checking script. if i feed the user manually to the script, the directory is created, and while login request

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Natxo Asenjo
On Fri, Mar 6, 2015 at 7:06 PM, Rich Megginson rmegg...@redhat.com wrote: On 03/06/2015 11:02 AM, Gianluca Cecchi wrote: On Fri, Mar 6, 2015 at 6:21 PM, Rich Megginson rmegg...@redhat.com wrote: On 03/06/2015 09:39 AM, Herwono W Wijaya wrote: vCenter SSO works well with Univention

Re: [Freeipa-users] User certificates with FreeIPA and another question.

2015-02-06 Thread Natxo Asenjo
On Fri, Feb 6, 2015 at 3:30 PM, Martin Kosek mko...@redhat.com wrote: On 02/06/2015 12:53 AM, Christopher Young wrote: Obvious next question: Any plans to implement that functionality or advice on how one might get some level of functionality for this? Would it be possible to create

Re: [Freeipa-users] certmonger question

2014-11-12 Thread Natxo Asenjo
hi, On Tue, Nov 11, 2014 at 7:14 PM, Nalin Dahyabhai na...@redhat.com wrote: On Tue, Nov 11, 2014 at 11:13:12AM -0500, Nalin Dahyabhai wrote: Since you mention that this seems to be specific to 32-bit boxes, I think I need to switch to that one to try to sort out what's happening here, since

Re: [Freeipa-users] certmonger question

2014-11-11 Thread Natxo Asenjo
hi Nalin, On Tue, Nov 11, 2014 at 12:57 PM, Martin Kosek mko...@redhat.com wrote: So if the lurking double encoded certificate is in LDAP, and thus Apache DS shows it as invalid (it shows as OK in my RHEL-7.0 server), maybe the easiest way to fix it would be to: - Open your Apache DS - Back up

Re: [Freeipa-users] certmonger question

2014-11-11 Thread Natxo Asenjo
hi, On Tue, Nov 11, 2014 at 2:13 PM, Martin Kosek mko...@redhat.com wrote: I meant IPA server running on RHEL/CentOS 6.5 or older... This is the one that can regenerate CAcert entry without double encoding. ok. So I removed the cacert object and ran ipa-ldap-updater --upgrade --ldapi (it
