Re: [Freeipa-users] ipa replica install fails

2013-02-06 Thread Petr Spacek

On 6.2.2013 07:17, Rajnesh Kumar Siwal wrote:

I am missing these two entries in ipa1 (The Master that was installed first):-
HTTP/ipa2.xyz@xyz.dmz
DNS/ipa2.xyz@xyz.dmz

The above entries are present only in ipa2.


It seems like replication problems to me. Did you already solve the problems 
causing the connection check failure?

IPA will definitely not work if you do not solve these problems.

Did you try to check what went wrong (with tcpdump)? Feel free to send the 
capture file to me privately.


--
Petr^2 Spacek

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Java JSON Example -> IPA API

2013-02-06 Thread Rob Crittenden

It Meme wrote:

Hi.

Would there be any online examples for calling the IPA JSON APIs from a java 
application?


I gather from the lack of response that there aren't a lot of java users.

Here is a sample of what a batch command would look like in json:

{"method":"batch","params":[[
{"method":"user_show","params":[["admin"],{"all":true}]}
],{}],"id":1}

You can see it in action with:

$ curl -H "Content-Type:application/json" -H "Accept:application/json" \
    -H "Referer: https://ipa.example.com/ipa/json" -H "Accept-Language:en" \
    --negotiate -u : --cacert /etc/ipa/ca.crt -d @req.json \
    https://ipa.example.com/ipa/json


A simple user-show admin looks like:

{"method":"user_show","params":[["admin"],{"all":true}]}

How you do this in Java I have no idea.

rob



[Freeipa-users] Howto use IPA for internal websites

2013-02-06 Thread Fred van Zwieten
Hi,

We have installed IPA in our internal network (let's call it example.com).

We have all kinds of internal websites running for various administrative
tasks. These websites are in all kinds of subdomains of example.com. We
would like to have them using a certificate signed by our CA.

Some internal websites run on IPA-clients, some not.

So, what is the exact workflow to make this happen?

Also, our internal users must trust the IPA server as a Certificate Signing
Authority. Users use both linux and windows clients and use various
browsers on them. What is the procedure to have them trusting the IPA
server as the CSA?

Fred

[Freeipa-users] Testing out FreeIPA

2013-02-06 Thread Shawn
Are there any centos5/centos6 packages available?

-- 
*- Shawn Taaj*

Re: [Freeipa-users] Testing out FreeIPA

2013-02-06 Thread Christian Hernandez
IPA is in the default CentOS repos last I recall


Thank you,

Christian Hernandez

Re: [Freeipa-users] Testing out FreeIPA

2013-02-06 Thread KodaK
On Wed, Feb 6, 2013 at 2:13 PM, Shawn  wrote:
> Are there any centos5/centos6 packages available?

Yup.  yum search ipa should show you them.  I don't run Centos here,
so I don't know if the packages are called ipa or freeipa.

--Jason



Re: [Freeipa-users] Testing out FreeIPA

2013-02-06 Thread Sigbjorn Lie

On 02/06/2013 09:47 PM, KodaK wrote:

On Wed, Feb 6, 2013 at 2:13 PM, Shawn  wrote:

Are there any centos5/centos6 packages available?


Yup.  yum search ipa should show you them.  I don't run Centos here,
so I don't know if the packages are called ipa or freeipa.



They are called ipa-*

Just do "yum install ipa-server" and you'll get all the required packages.


ipa-admintools-2.2.0-17.el6_3.1.x86_64
ipa-client-2.2.0-17.el6_3.1.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-17.el6_3.1.x86_64
ipa-server-2.2.0-17.el6_3.1.x86_64
ipa-server-selinux-2.2.0-17.el6_3.1.x86_64



Regards,
Siggi



Re: [Freeipa-users] Testing out FreeIPA

2013-02-06 Thread Rob Crittenden

Shawn wrote:

Are there any centos5/centos6 packages available?


Should be in the CentOS repositories.

rob



Re: [Freeipa-users] Howto use IPA for internal websites

2013-02-06 Thread Rob Crittenden

Fred van Zwieten wrote:

Hi,

We have installed IPA in our internal network (let's call it example.com).

We have all kinds of internal websites running for various
administrative tasks. These websites are in all kinds of subdomains of
example.com. We would like to have them using a
certificate signed by our CA.

Some internal websites run on IPA-clients, some not.

So, what is the exact workflow to make this happen?


A host doesn't need to be enrolled to get a certificate. You can just 
use host-add (or the UI) to create the host and potentially whatever 
services you want certificates for (HTTP, ldap, whatever).


Then generate a CSR on the host you want the cert for using your 
favorite crypto tools and pass that to ipa cert-request. The output of 
that is a signed public cert.


You'll need the CA cert chain as well. It can be retrieved via the web 
from http://ipa.example.com/ipa/config/ca.crt. In 3.1 you can also get 
it over LDAP in cn=CAcert,cn=ipa,cn=etc,$SUFFIX in the cACertificate 
attribute.



Also, our internal users must trust the IPA server as a Certificate
Signing Authority. Users use both linux and windows clients and use
various browsers on them. What is the procedure to have them trusting
the IPA server as the CSA?


You can visit the URI for the CA cert directly and you should be 
prompted to import and trust it in most browsers.


rob
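
The workflow Rob describes, written out as a shell sketch. This is an added example, not part of the original message; web1.example.com, EXAMPLE.COM, the file names and the function names are assumptions, and request_cert expects an admin Kerberos ticket.

```shell
#!/bin/sh
# Added example, not from the thread. Host name, realm and file names are
# sample values; run request_cert where you hold an admin Kerberos ticket.

# make_csr HOST REALM DIR: on the web server, create a key and a CSR whose
# subject CN is the host name.
make_csr() {
    host=$1 realm=$2 dir=$3
    ( umask 077    # keep the private key readable by its owner only
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$dir/$host.key" -out "$dir/$host.csr" \
          -subj "/CN=$host/O=$realm" )
}

# csr_cn FILE: print the subject CN of a CSR.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# request_cert HOST DIR: create the host and service entries, submit the
# CSR, then fetch the CA certificate and check the issued cert against it.
request_cert() {
    host=$1 dir=$2
    [ "$(csr_cn "$dir/$host.csr")" = "$host" ] ||
        { echo "CSR subject CN is not $host" >&2; return 1; }
    # host-add/service-add report an error if the entry already exists.
    ipa host-add "$host" --force || true       # host need not be enrolled
    ipa service-add "HTTP/$host" --force || true
    ipa cert-request --principal="HTTP/$host" "$dir/$host.csr" || return 1
    ipa service-show "HTTP/$host" --out="$dir/$host.crt" || return 1
    # The CA certificate comes over plain HTTP here: compare the printed
    # fingerprint with /etc/ipa/ca.crt on the IPA server before trusting it.
    curl -sS -o "$dir/ca.crt" http://ipa.example.com/ipa/config/ca.crt || return 1
    openssl x509 -in "$dir/ca.crt" -noout -fingerprint -sha256
    openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt"
}

# Usage: sh issue-cert.sh web1.example.com EXAMPLE.COM /etc/pki/web1
if [ "$#" -eq 3 ]; then
    make_csr "$1" "$2" "$3" && request_cert "$1" "$3"
fi
```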



Re: [Freeipa-users] Account Expiration

2013-02-06 Thread James James
Can somebody give me some help to set krbPrincipalExpiration from the
freeipa ui ?

Many thanks


2013/1/28 James James 

> Hi Martin,
> thanks a lot for your answer. The krbPrincipalExpiration should do the job.
>
> Regards.
>
>
> 2013/1/28 Martin Kosek 
>
>> On 01/28/2013 12:14 PM, James James wrote:
>> > Hi, in 389-ds there is a nice plugin I love, it's account policy. You can set
>> > account expiration date and the account will be inactive at this day.
>> >
>> > http://directory.fedoraproject.org/wiki/Account_Policy_Design#Detailed_Design_of_Account_Expiration
>> >
>> > Is there a way to have this feature with freeipa ?
>> >
>> > Regards.
>> >
>> > James
>> >
>>
>> Hello James,
>>
>> FreeIPA user plugin does not support this feature, you would need to hack it in
>> the plugin yourselves (patches welcome :-).
>>
>> Generally, you should be able to set account expiration to
>> krbPrincipalExpiration attribute of the user account and it should just work.
>> You can also check the few tickets we have already filed for better
>> handling of this attribute:
>>
>> https://fedorahosted.org/freeipa/ticket/3062
>> [RFE] Allow admins to change expiration attribute for the accounts
>>
>> https://fedorahosted.org/freeipa/ticket/3305
>> KrbPrincipalExpiration should be checked in pre-bind op
>>
>> https://fedorahosted.org/freeipa/ticket/3306
>> [RFE] Expose the krbPrincipalExpiration attribute for editing in the IPA CLI /
>> WEBUI
>>
>> Anyway, if you want a support for this particular plugin, you can file an RFE
>> to Trac/Bugzilla which we will further process.
>>
>> HTH,
>> Martin
>>
>
>

Re: [Freeipa-users] Account Expiration

2013-02-06 Thread Rob Crittenden

James James wrote:

Can somebody give me some help to set krbPrincipalExpiration from the
freeipa ui ?


You can't set this in the web UI.

You can do it from the command line using ldapmodify with:

$ ldapmodify -x -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: krbPasswordExpiration
krbPasswordExpiration: 20200508032114Z

^D

rob




Re: [Freeipa-users] Account Expiration

2013-02-06 Thread James James
Thanks Rob. I have one more question. Is it possible to add a field in the
ui, and get the field's value in a custom add user hook script  ?

James


2013/2/7 Rob Crittenden 

> James James wrote:
>
>> Can somebody give me some help to set krbPrincipalExpiration from the
>> freeipa ui ?
>>
>
> You can't set this in the web UI.
>
> You can do it from the command line using ldapmodify with:
>
> $ ldapmodify -x -D 'cn=Directory Manager' -W
> Enter LDAP Password:
> dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> replace: krbPasswordExpiration
> krbPasswordExpiration: 20200508032114Z
>
> ^D
>
> rob

Re: [Freeipa-users] Account Expiration

2013-02-06 Thread Martin Kosek
On 02/07/2013 08:31 AM, James James wrote:
> Thanks Rob. I have one more question. Is it possible to add a field in the ui,
> and get the field's value in a custom add user hook script  ?
> 
> James

I know that Petr Vobornik is already working on better extensibility of the UI,
but that would be available in future releases. Petr, do you have any advice
for James for current release?

> 
> 2013/2/7 Rob Crittenden
> 
> James James wrote:
> 
> Can somebody give me some help to set krbPrincipalExpiration from the
> freeipa ui ?
> 
> 
> You can't set this in the web UI.

Note: You will be able to set it in the CLI/UI when ticket
https://fedorahosted.org/freeipa/ticket/3306
is fixed.

> 
> You can do it from the command line using ldapmodify with:
> 
> $ ldapmodify -x -D 'cn=Directory Manager' -W
> Enter LDAP Password:
> dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> replace: krbPasswordExpiration
> krbPasswordExpiration: 20200508032114Z
> 
> ^D

This would change password expiration attribute. So for account expiration, you
would just need to replace krbPasswordExpiration modification above with
krbPrincipalExpiration.

Martin
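
Martin's correction applied to the ldapmodify session quoted above, as an added example that is not part of the thread: it builds the LDIF with krbPrincipalExpiration and checks the inputs before anything reaches the directory. The function names are hypothetical; tuser1, the suffix and the timestamp are the sample values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. tuser1, the suffix and the date are the
# sample values used in the thread; the function names are hypothetical.

# is_generalized_time STRING: accept only YYYYMMDDhhmmssZ with sane ranges.
is_generalized_time() {
    case $1 in *[!0-9Z]*) return 1 ;; esac    # also rejects embedded newlines
    printf '%s\n' "$1" | grep -Eq \
        '^[0-9]{4}(0[1-9]|1[0-2])(0[1-9]|[12][0-9]|3[01])([01][0-9]|2[0-3])[0-5][0-9][0-5][0-9]Z$'
}

# expiry_ldif UID SUFFIX WHEN: print the LDIF that sets the account
# (principal) expiration. Inputs are checked so that a crafted value cannot
# add LDIF lines or change the DN.
expiry_ldif() {
    uid=$1 suffix=$2 when=$3
    case $uid in ''|*[!A-Za-z0-9_.-]*)
        echo "invalid uid" >&2; return 1 ;; esac
    case $suffix in ''|*[!A-Za-z0-9=,.-]*)
        echo "invalid suffix" >&2; return 1 ;; esac
    is_generalized_time "$when" ||
        { echo "invalid time, expected YYYYMMDDhhmmssZ" >&2; return 1; }
    cat <<EOF
dn: uid=$uid,cn=users,cn=accounts,$suffix
changetype: modify
replace: krbPrincipalExpiration
krbPrincipalExpiration: $when
EOF
}

# set_account_expiry UID SUFFIX WHEN: apply the change as Directory Manager
# (prompts for the password, as in the thread).
set_account_expiry() {
    tmp=$(mktemp) || return 1
    rc=0
    expiry_ldif "$@" > "$tmp" &&
        ldapmodify -x -D 'cn=Directory Manager' -W -f "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Dry run: show what would be sent for the thread's sample user.
expiry_ldif tuser1 dc=example,dc=com 20200508032114Z
```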
