[Freeipa-users] thousands DSRetroclPlugin mesages
Hallo after a reboot I get almost thousand of the following messages: DSRetroclPlugin - delete_changerecord: could not delete change record 128755 (rc: 32) The record number changes from 127600 up to 148400. What does this mean? I have searched the web but did not find any hint on this. I use Fedora 21 Server with current IPA packages (Version 4.1.4). Kindly Martin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Web UI: Migrated Admins missing action buttons
- Original Message - Hi Rob and Dimitri Migrating via Replica is the obvious way that I would have gone, had the FreeIPA /RedHat documentation not suggested the replicas must have the same version. I think the link that put me off from replicating was: http://www.freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication-Creating_the_Replica_Information_File.html Looking at the link more closely I now see this applies to version 1.2 ., but from the page itself that was not obvious. it would be great if the version to which the IPA documentation applies was more obvious I am sure I am not the only user who enters the documentation via a search engine. We really need to remove this version 1.x documentation, it is giving too much confusion. Use documentation at the Red Hat Customer Portal: - versions 3.3 and onwards: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/index.html - version 3.0: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html We have all proper links gathered at http://www.freeipa.org/page/Documentation, it has these links and even more, including HOWTOs for integration with other software. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA Web UI behind proxy
On Fri, Apr 24, 2015 at 11:45:23AM -0700, Benjamen Keroack wrote: Hi, Does anybody have any experience putting the IPA web UI behind a reverse proxy? In an attempt to allow our users to access the UI without browser warnings and without having to add the root CA certificate to their trusted store (there was some resistance to that idea), I set up an nginx server as a simple reverse proxy. Every request returns an Unable to verify your Kerberos credentials error page. The headers returned: $ http -h GET https://proxy/ipa HTTP/1.1 401 Unauthorized Accept-Ranges: bytes Connection: keep-alive Content-Length: 1474 Content-Type: text/html; charset=UTF-8 Date: Fri, 24 Apr 2015 18:43:06 GMT Last-Modified: Thu, 19 Mar 2015 18:38:36 GMT Server: nginx/1.4.6 (Ubuntu) WWW-Authenticate: Negotiate I saw this thread from 2013: https://www.redhat.com/archives/freeipa-users/2013-August/thread.html#00065 I'm sending the proper Host and Referer headers by the proxy as specified, and I modified the Apache rewriting rules to not redirect to the hostname of the backend IPA server. Any ideas how this can be done? Hi Benjamen, You could use a 3rd-party certificate (signed by trusted, public CA) for the Web UI; see the guide: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP If you decide to continue with the Web UI behind a reverse proxy, Simo recent blogged about Kerberos authentication issues with this sort of setup; you may find inspiration here: https://ssimo.org/blog/id_019.html Cheers, Fraser Thanks, -- Benjamen Keroack *Infrastructure/DevOps Engineer* benja...@dollarshaveclub.com -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project