Re: [Freeipa-users] AD trust with POSIX attributes

2016-07-26 Thread Justin Stephenson
As Alexander mentioned, the LDAP schema still exists to add POSIX attributes to users and groups in AD but IDMU simply provides a convenient Graphical interface to manage this. You should still be able to use powershell or other windows tools to modify POSIX attributes going forward, but in

Re: [Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-26 Thread Rob Crittenden
Prashant Bapat wrote: In our FreeIPA deployment the clients use pam_nss_ldapd with the "compat" schema. No ipa-client. I'm planning to apply the patched ipa_pwd_extop plugin to only 2 of the replicas (out of 8) where the external app authenticates against IPA's LDAP. These 2 replicas are more

Re: [Freeipa-users] "Could not locate issuing CA" when querying OCSP responder

2016-07-26 Thread Fraser Tweedale
On Tue, Jul 26, 2016 at 05:16:34AM -0500, Anthony Joseph Messina wrote: > On Tuesday, July 26, 2016 2:40:38 PM CDT Fraser Tweedale wrote: > > On Tue, Jul 26, 2016 at 01:45:19PM +1000, Fraser Tweedale wrote: > > > On Mon, Jul 25, 2016 at 05:23:31PM -0500, Anthony Joseph Messina wrote: > > > > After

Re: [Freeipa-users] AD Sync and groups

2016-07-26 Thread Alexander Bokovoy
On Tue, 26 Jul 2016, malo wrote: Hello, I am currently setting up an architecture involving FreeIPA to provide SSO for SSH to the servers. I have several servers (~1500) in a few datacenters all over the world (North America, South America, Europe, Asia). The idea here was to have 4

[Freeipa-users] AD Sync and groups

2016-07-26 Thread malo
Hello, I am currently setting up an architecture involving FreeIPA to provide SSO for SSH to the servers. I have several servers (~1500) in a few datacenters all over the world (North America, South America, Europe, Asia). The idea here was to have 4 masters/replicas per datacenter, with one

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-26 Thread Rob Crittenden
Linov Suresh wrote: Removed the duplicate certificates and tried to renew the certificates, we were able to renew the certificates and "*ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=63=true=true"*.; gone this time.

Re: [Freeipa-users] Replica install fails when using --setup-ca

2016-07-26 Thread Rob Crittenden
Linov Suresh wrote: I tried to create master replica using the option --setup-ca, it failed, because of "Your system may be partly configured." Please note we use different ipa package for master and replica. master: [root@caer ~]# rpm -q ipa-server ipa-server-3.0.0-26.el6_4.2.x86_64 replica:

Re: [Freeipa-users] "Could not locate issuing CA" when querying OCSP responder

2016-07-26 Thread Anthony Joseph Messina
On Tuesday, July 26, 2016 2:40:38 PM CDT Fraser Tweedale wrote: > On Tue, Jul 26, 2016 at 01:45:19PM +1000, Fraser Tweedale wrote: > > On Mon, Jul 25, 2016 at 05:23:31PM -0500, Anthony Joseph Messina wrote: > > > After upgrading to FreeIPA 4.3.1, I am getting "Error querying OCSP > > > responder"

[Freeipa-users] who did what on IPAv3 - auditing

2016-07-26 Thread Stefan Uygur
Hi all, Still around the auditing problem with IPA, it seems the part related to auditing is completely missing in IPA and that is not really good. For instance, to find out who did what, who added or modified the permissions or users or sudo rules, etc, all this needs auditing and it needs to

Re: [Freeipa-users] who did what on IPAv3 - auditing

2016-07-26 Thread Stefan Uygur
This is the case I am after just to be more precise: https://access.redhat.com/solutions/441893 It was requested 3yrs ago but no follow up so far. From: Stefan Uygur Sent: 26 July 2016 11:18 To: freeipa-users@redhat.com Subject: who did what on IPAv3 - auditing Hi all, Still around the auditing

Re: [Freeipa-users] who did what on IPAv3 - auditing

2016-07-26 Thread Prashant Bapat
What we have done is as follows. 1. For all the changes happening thru IPA APIs (either cmd line or WebUI) you can capture these in the httpd error logs. We trigger alert emails on important events such as new user addition etc. 2. For everything including the above, you can always enable the

Re: [Freeipa-users] who did what on IPAv3 - auditing

2016-07-26 Thread Ernedin Zajko
Hi Stefan, have you seen this: https://access.redhat.com/solutions/772563 regards, --- Ernedin ZAJKO eza...@root.ba > 340282366920938463463374607431768211456 On Tue, Jul 26, 2016 at 12:45 PM, Stefan Uygur wrote: > This is the case I am after just to be more

[Freeipa-users] ipa-adtrust-install failing at samba restart

2016-07-26 Thread Rolf Brusletto
I've been following the doc here: https://www.freeipa.org/page/Active_Directory_trust_setup To get AD Trust setup for auth of our windows users and vice versa. I'm getting to the point of running ipa-adtrust-install and getting the following: [root@awse-util1 ~]# ipa-adtrust-install

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-26 Thread Linov Suresh
Removed the duplicate certificates and tried to renew the certificates, we were able to renew the certificates and "*ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=63=true=true

[Freeipa-users] Replica install fails when using --setup-ca

2016-07-26 Thread Linov Suresh
I tried to create master replica using the option --setup-ca, it failed, because of "Your system may be partly configured." Please note we use different ipa package for master and replica. master: [root@caer ~]# rpm -q ipa-server ipa-server-3.0.0-26.el6_4.2.x86_64 replica: [root@neit-lab01 ~]#

Re: [Freeipa-users] Could not find cert: Signing-Cert : File not found

2016-07-26 Thread Linov Suresh
I was following the same documentation as IPA master for the replica for the certificate renewal. But was unsuccessful. Should we use "How do I manually renew Identity Management (IPA) certificates after they have expired? (Replica IPA Server)" - https://access.redhat.com/solutions/962373 ? On