Re: [Freeipa-users] ipa replica install fails
On 6.2.2013 07:17, Rajnesh Kumar Siwal wrote: I am missing these two entries in ipa1 (The Master that was installed first):- HTTP/ipa2.xyz@xyz.dmz DNS/ipa2.xyz@xyz.dmz The above entries are present only in ipa2. It seems like replication problems to me. Did you already solved problems causing connection check failure? IPA will definitely not work if you do not solve these problems. Did you try to check what went wrong (with tcpdump)? Feel free to send the capture file to me privately. -- Petr^2 Spacek ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Java JSON Example - IPA API
It Meme wrote: Hi. Would be any online examples for calling the IPA JSON APIs from a java application? I gather from the lack of response that there aren't a lot of java users. Here is a sample of what a batch command would look like in json: {method:batch,params:[[ {method:user_show,params:[[admin],{all:true}]} ],{}],id:1} You can see it in action with: $ curl -H Content-Type:application/json -H Accept:application/json -H Referer: https://ipa.example.com/ipa/json; -H Accept-Language:en --negotiate -u : --cacert /etc/ipa/ca.crt -d @req.json https://ipa.example.com/ipa/json A simple user-show admin looks like: {method:user_show,params:[[admin],{all:true}]} How you do this in Java I have no idea. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Howto use IPA for internal websites
Hi, We have installed IPA in our internal network (let's call it example.com). We have all kinds of internal websites running for various administrative tasks. These websites are in all kind of subdomains of example.com. We would like to have them using a certificate signed by our CA. Some internal websites run on IPA-clients, some not. So, what is the exact workflow to make this happen? Also, our internal users must trust the IPA server as a Certificate Signing Authority. Users use both linux and windows clients and use various browsers on them. What is the procedure to have them trusting the IPA server as the CSA? Fred ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Testing out FreeIPA
Is their any centos5/centos6 packages available? -- *- Shawn Taaj* ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Testing out FreeIPA
IPA is in the default CentOS repos last I recall Thank you, Christian Hernandez 1225 Los Angeles Street Glendale, CA 91204 Phone: 877-782-2737 ext. 4566 Fax: 818-265-3152 christi...@4over.com mailto:christi...@4over.com www.4over.com http://www.4over.com On Wed, Feb 6, 2013 at 12:13 PM, Shawn taaj.sh...@gmail.com wrote: Is their any centos5/centos6 packages available? -- *- Shawn Taaj* ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Testing out FreeIPA
On 02/06/2013 09:47 PM, KodaK wrote: On Wed, Feb 6, 2013 at 2:13 PM, Shawn taaj.sh...@gmail.com wrote: Is their any centos5/centos6 packages available? Yup. yum search ipa should show you them. I don't run Centos here, so I don't know if the packages are called ipa or freeipa. They are called ipa-* Just do yum install ipa-server and you'll get all the required packages. ipa-admintools-2.2.0-17.el6_3.1.x86_64 ipa-client-2.2.0-17.el6_3.1.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-python-2.2.0-17.el6_3.1.x86_64 ipa-server-2.2.0-17.el6_3.1.x86_64 ipa-server-selinux-2.2.0-17.el6_3.1.x86_64 Regards, Siggi ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Testing out FreeIPA
Shawn wrote: Is their any centos5/centos6 packages available? Should be in the CentOS repositories. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Account Expiration
Can somebody gives me some help to set krbPrincipalExpiration from the freeipa ui ? Many thanks 2013/1/28 James James jre...@gmail.com Hi Martin, thanks a lot for your answer. The krbPrincipalExpiration should do the job. Regards. 2013/1/28 Martin Kosek mko...@redhat.com On 01/28/2013 12:14 PM, James James wrote: Hi, in 389-ds there is a nice plugin I love, it's account policy. You can set account expiration date and the account will be inactive at this day. http://directory.fedoraproject.org/wiki/Account_Policy_Design#Detailed_Design_of_Account_Expiration Is there a way to have this feature with freeipa ? Regards. James Hello James, FreeIPA user plugin does not support this feature, you would need to hack it in the plugin yourselves (patches welcome :-). Generally, you should be able to set account expiration to krbPrincipalExpiration attribute of the user account and it should just work. You can also check few tickets we have already few tickets filed for better handling of this attribute: https://fedorahosted.org/freeipa/ticket/3062 [RFE] Allow admins to change expiration attribute for the accounts https://fedorahosted.org/freeipa/ticket/3305 KrbPrincipalExpiration should be checked in pre-bind op https://fedorahosted.org/freeipa/ticket/3306 [RFE] Expose the krbPrincipalExpiration attribute for editing in the IPA CLI / WEBUI Anyway, if you want a support for this particular plugin, you can file an RFE to Trac/Bugzilla which we will further process. HTH, Martin ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Account Expiration
James James wrote: Can somebody gives me some help to set krbPrincipalExpiration from the freeipa ui ? You can't set this in the web UI. You can do it from the command line using ldapmodify with: $ ldapmodify -x -D 'cn=Directory Manager' -W Enter LDAP Password: dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com changetype: modify replace: krbPasswordExpiration krbPasswordExpiration: 20200508032114Z ^D rob Many thanks 2013/1/28 James James jre...@gmail.com mailto:jre...@gmail.com Hi Martin, thanks a lot for your answer. The krbPrincipalExpiration should do the job. Regards. 2013/1/28 Martin Kosek mko...@redhat.com mailto:mko...@redhat.com On 01/28/2013 12:14 PM, James James wrote: Hi, in 389-ds there is a nice plugin I love, it's account policy. You can set account expiration date and the account will be inactive at this day. http://directory.fedoraproject.org/wiki/Account_Policy_Design#Detailed_Design_of_Account_Expiration Is there a way to have this feature with freeipa ? Regards. James Hello James, FreeIPA user plugin does not support this feature, you would need to hack it in the plugin yourselves (patches welcome :-). Generally, you should be able to set account expiration to krbPrincipalExpiration attribute of the user account and it should just work. You can also check few tickets we have already few tickets filed for better handling of this attribute: https://fedorahosted.org/freeipa/ticket/3062 [RFE] Allow admins to change expiration attribute for the accounts https://fedorahosted.org/freeipa/ticket/3305 KrbPrincipalExpiration should be checked in pre-bind op https://fedorahosted.org/freeipa/ticket/3306 [RFE] Expose the krbPrincipalExpiration attribute for editing in the IPA CLI / WEBUI Anyway, if you want a support for this particular plugin, you can file an RFE to Trac/Bugzilla which we will further process. HTH, Martin ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Account Expiration
On 02/07/2013 08:31 AM, James James wrote: Thanks Rob. I have one more question. Is it possible to add a field in the ui, and get the field's value in a custom add user hook script ? James I know that Petr Vobornik is already working in better extensibility of the UI, but that would be available in future releases. Petr, do you have any advice for James for current release? 2013/2/7 Rob Crittenden rcrit...@redhat.com mailto:rcrit...@redhat.com James James wrote: Can somebody gives me some help to set krbPrincipalExpiration from the freeipa ui ? You can't set this in the web UI. Note: You will be able to set it in the CLI/UI when ticket https://fedorahosted.org/freeipa/ticket/3306 is fixed. You can do it from the command line using ldapmodify with: $ ldapmodify -x -D 'cn=Directory Manager' -W Enter LDAP Password: dn: uid=tuser1,cn=users,cn=__accounts,dc=example,dc=com changetype: modify replace: krbPasswordExpiration krbPasswordExpiration: 20200508032114Z ^D This would change password expiration attribute. So for account expiration, you would just need to replace krbPasswordExpiration modification above with krbPrincipalExpiration. Martin ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users