Re: [Freeipa-users] IPA port 80

2016-08-31 Thread Simo Sorce
On Wed, 2016-08-31 at 14:22 -0700, Sean Hogan wrote: > > > Hi all, > > Been reading a lot about Port 80 for IPA and firewalls but have not found > a concrete answer. I know the redhat docs indicate port 80 is required > bidirectional however I need to investigate if it is truly needed. > >

Re: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1

2016-08-31 Thread Timo Aaltonen
On 31.08.2016 11:18, Petr Spacek wrote: > On 31.8.2016 00:23, Timo Aaltonen wrote: >> On 29.08.2016 10:34, Timo Aaltonen wrote: >>> On 21.04.2016 22:01, Timo Aaltonen wrote: ps. Debian unstable will have 4.3.1 once the package has gone through the NEW queue because the packaging got

[Freeipa-users] IPA port 80

2016-08-31 Thread Sean Hogan
Hi all, Been reading a lot about Port 80 for IPA and firewalls but have not found a concrete answer. I know the redhat docs indicate port 80 is required bidirectional however I need to investigate if it is truly needed. GUI only responds to 443 so not sure what else would be utilizing port

Re: [Freeipa-users] Command-line replication does not work in FreeIPA-Master

2016-08-31 Thread Andrey Rogovsky
Hi, Alexander! Thanks for the fast reply. I have a replication manager object: filter: (objectclass=organizationalPerson) requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base

Re: [Freeipa-users] IPA port 80

2016-08-31 Thread Sean Hogan
Thank you Simo, Is there a better source for the IPA ports required you can direct me to other than this https://access.redhat.com/solutions/357673 which shows the below: Resolution IdM Server <-> Clients

Re: [Freeipa-users] Command-line replication does not work in FreeIPA-Master

2016-08-31 Thread Alexander Bokovoy
On Thu, 01 Sep 2016, Andrey Rogovsky wrote: Hi! Thanks for your advice! I'm trying to start the replica and get these errors in the log: [01/Sep/2016:03:24:23 +] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno

[Freeipa-users] pfSense/FreeIPA LDAP Extended Query Fails

2016-08-31 Thread Mike Jacobacci
Hi, I have just got authentication against my FreeIPA system working by following this: https://ask.fedoraproject.org/en/que...uthentication/ The only change I had to make was to set

Re: [Freeipa-users] IPA port 80

2016-08-31 Thread Peter Fern
You need to serve CRLs and OCSP via HTTP to avoid clients failing to verify the cert of the host serving the CRL/OCSP when the cert on that host needs to be verified at itself. I'm not sure why you'd particularly care though - reading the Apache configs and you should see that other than a couple

Re: [Freeipa-users] IPA port 80

2016-08-31 Thread Peter Fern
On 01/09/16 08:35, Simo Sorce wrote: > Port 80 is not required, the only thing you'll find there is a redirect > to the HTTPS port. What about CRL/OCSP (and possibly others)? The Apache configs explicitly do not redirect to HTTPS except for the /ipa path for this reason. -- Manage your

Re: [Freeipa-users] IPA port 80

2016-08-31 Thread Sean Hogan
Thanks Peter, So the setup is that each VLAN has an IPA replica within the firewall boundary acting as its primary auth/policy server. If it goes down, then the clients can reach back through the firewall to our backup IPAs. So I am trying to pinpoint the actual ports required to be open on the
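As an added example, not taken from this thread or from the FreeIPA project, here is a small Python script for the question Sean is asking: it probes the TCP ports an IPA client needs to reach through the firewall, and it prints the plain-HTTP URLs to which FreeIPA-issued certificates point clients for CRL and OCSP, which is the reason Peter gives for not blanket-redirecting port 80 to HTTPS. The port table and the `ipa-ca.<domain>` CRL/OCSP paths are assumptions taken from the FreeIPA 4.x documentation rather than from the messages above; hostnames and the domain are placeholders. UDP ports (Kerberos 88/464, NTP 123) are listed for the rule set but not probed, because a UDP connect() succeeds without any packet exchange and proves nothing.

```python
import socket
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Assumed client -> server port matrix for FreeIPA 4.x (from the project
# documentation, not from this thread). "udp" entries are listed so the
# firewall rule set is complete, but they are not probed.
IPA_CLIENT_PORTS: List[Tuple[str, int, str]] = [
    ("HTTP: CRL/OCSP fetch, /ipa redirect to HTTPS", 80, "tcp"),
    ("HTTPS: JSON-RPC API and web UI", 443, "tcp"),
    ("LDAP", 389, "tcp"),
    ("LDAPS", 636, "tcp"),
    ("Kerberos KDC", 88, "tcp"),
    ("Kerberos KDC", 88, "udp"),
    ("Kerberos kpasswd", 464, "tcp"),
    ("Kerberos kpasswd", 464, "udp"),
]


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes, False otherwise.

    False means the firewall or the service refused/dropped the connection;
    this check does not distinguish between the two.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_server(host: str,
                 ports: List[Tuple[str, int, str]] = IPA_CLIENT_PORTS,
                 probe: Callable[[str, int], bool] = probe_tcp
                 ) -> Dict[Tuple[int, str], Optional[bool]]:
    """Probe every TCP port in the matrix; UDP ports are reported as None."""
    results: Dict[Tuple[int, str], Optional[bool]] = {}
    for _desc, port, proto in ports:
        results[(port, proto)] = probe(host, port) if proto == "tcp" else None
    return results


def missing_tcp_ports(results: Dict[Tuple[int, str], Optional[bool]]) -> List[int]:
    """TCP ports whose probe failed, i.e. the firewall rules to fix first."""
    return sorted(p for (p, proto), ok in results.items()
                  if proto == "tcp" and ok is False)


def revocation_urls(domain: str) -> List[str]:
    """HTTP URLs that FreeIPA 4.x CAs embed in issued certificates (assumption):
    the CRL distribution point and the OCSP responder. Both are plain HTTP on
    port 80 by design: a client must be able to fetch revocation data before
    it has a validated HTTPS connection to the same server.
    """
    return [
        f"http://ipa-ca.{domain}/ipa/crl/MasterCRL.bin",
        f"http://ipa-ca.{domain}/ca/ocsp",
    ]


def http_status_no_redirect(url: str, timeout: float = 5.0) -> int:
    """Fetch the URL without following redirects and return the HTTP status.

    For the CRL URL the expected answer is 200 over plain HTTP. A 301/302 to
    https:// means someone redirected all of port 80, which breaks revocation
    checking. Returns -1 when the host is unreachable. Needs network access.
    """
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface the 3xx as an HTTPError instead of following it
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code
    except urllib.error.URLError:
        return -1


if __name__ == "__main__":
    server = "ipa1.example.com"  # placeholder for the backup replica behind the firewall
    res = check_server(server)
    for desc, port, proto in IPA_CLIENT_PORTS:
        state = res[(port, proto)]
        label = "n/a" if state is None else ("open" if state else "BLOCKED")
        print(f"{port:>4}/{proto}  {label:8}  {desc}")
    print("blocked TCP ports:", missing_tcp_ports(res))
    for url in revocation_urls("example.com"):  # placeholder domain
        print(url, "->", http_status_no_redirect(url))
```

Run it from a client in the VLAN against the backup replica; any port listed as BLOCKED is a firewall rule still missing, and a 3xx from the CRL URL means port 80 is open but the Apache redirect has been widened beyond `/ipa`.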

Re: [Freeipa-users] pfSense/FreeIPA LDAP Extended Query Fails

2016-08-31 Thread Alexander Bokovoy
On Wed, 31 Aug 2016, Mike Jacobacci wrote: Hi, I have just got authentication against my FreeIPA system working by following this: https://ask.fedoraproject.org/en/que...uthentication/

Re: [Freeipa-users] Command-line replication does not work in FreeIPA-Master

2016-08-31 Thread Andrey Rogovsky
Hi! Thanks for your advice! I'm trying to start the replica and get these errors in the log: [01/Sep/2016:03:24:23 +] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success) [01/Sep/2016:03:24:23 +]

Re: [Freeipa-users] Migrate users with password from one IPA to another

2016-08-31 Thread Rene Trippen
On 25.08.2016 19:44, Rob Crittenden wrote: Rene Trippen wrote: Hi, I've got an IPA with a broken CA infrastructure (don't know what happened, but new clients cannot be registered). It is even not possible to set up a new replica. It may be fairly straightforward to get the CA back up. How

[Freeipa-users] Site functionality between clients and server

2016-08-31 Thread Michael
Our environment has multiple FreeIPA servers and associated SRV records. During client install, I can’t determine how each installation chooses the value to be placed in the ipa_server property of sssd.conf. Can Free IPA clients be configured to prefer an ldap server on its own subnet? On a

Re: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1

2016-08-31 Thread Petr Spacek
On 31.8.2016 00:23, Timo Aaltonen wrote: > On 29.08.2016 10:34, Timo Aaltonen wrote: >> On 21.04.2016 22:01, Timo Aaltonen wrote: >>> >>> ps. Debian unstable will have 4.3.1 once the package has gone through >>> the NEW queue because the packaging got split in certain ways >> >> No it did not,

Re: [Freeipa-users] Site functionality between clients and server

2016-08-31 Thread Jakub Hrozek
On Tue, Aug 30, 2016 at 03:29:46PM -0700, Michael wrote: > Our environment has multiple FreeIPA servers and associated SRV records. > During client install, I can’t determine how each installation chooses the > value to be placed in the ipa_server property of sssd.conf. > > Can Free IPA

Re: [Freeipa-users] Help with sudo permission for a command

2016-08-31 Thread Pavel Březina
On 08/30/2016 05:08 PM, Ryan Whalen wrote: Hi All, Im having an issue getting a command to run properly, and the issue seems to be with Freeipa sudo permissions. Specifically 'sudo su - app_user -c ""' prompts for a password when run. However if I 'sudo su - app_user' and then run the '' as

[Freeipa-users] Getting ACL Syntax Error(-5)

2016-08-31 Thread Deepak Dimri
Hi All, I am getting ACL Syntax Error(-5) when trying to add an ACI to my FreeIPA server. Any idea why I am getting this error? This is the error I am getting: ldap_modify: Invalid syntax (21) additional info: ACL Syntax

Re: [Freeipa-users] Getting ACL Syntax Error(-5)

2016-08-31 Thread Martin Basti
On 31.08.2016 11:49, Deepak Dimri wrote: Hi All, I am getting ACL Syntax Error(-5) when trying to add an ACI to my FreeIPA server. Any idea why I am getting this error? Maybe your ACI is incorrect? This is the error I am getting: ldap_modify: Invalid syntax (21) additional info:

Re: [Freeipa-users] Getting ACL Syntax Error(-5)

2016-08-31 Thread Deepak Dimri
Thanks Martin, That worked. Though this ACI did not help me achieve what I was looking for. Let me ask you this, if you can advise me on something: I want to create a permission which should allow an admin to 'add'/'delete' hosts from the "foo-hostgroup" list only if the "member attribute" value is

[Freeipa-users] Command-line replication does not work in FreeIPA-Master

2016-08-31 Thread Andrey Rogovsky
Hi! I am trying to configure a manual replica from FreeIPA DS to 389 DS. I have two VMs: ldap1.example.com and ldap2.example.com. I used this manual https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_Replication-Configuring-Replication-cmd.html to configure the replica. There was a replica agreement before

Re: [Freeipa-users] Help with sudo permission for a command

2016-08-31 Thread Ryan Whalen
Hey Pavel, Thanks for the reply! It's not exactly that I want to allow any command to be run as app_user. The command I actually want to run is very long and complicated and wouldn't mean much in this context, so I simplified my example. The problem is that *any command* I run will fail, whether

Re: [Freeipa-users] Command-line replication does not work in FreeIPA-Master

2016-08-31 Thread Andrey Rogovsky
Hi! Thank you for the fast reply. Yes, I want to use a standalone 389 DS as a replica from FreeIPA. This is my replica: filter: (objectclass=nsds5replica) requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base

Re: [Freeipa-users] Command-line replication does not work in FreeIPA-Master

2016-08-31 Thread Mark Reynolds
On 08/31/2016 09:50 AM, Andrey Rogovsky wrote: > Hi! > > I try configure manual replica from FreeIPA DS to 389 DS. > I have two VM: ldap1.example.com and > ldap2.example.com > I was used this > manual >

Re: [Freeipa-users] Command-line replication does not work in FreeIPA-Master

2016-08-31 Thread Mark Reynolds
Hi Andrey, It looks like you still did not create the replication manager entry. You must create that manager entry on the standalone server. Please read the link I sent you:
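As an added example, not code from this thread or from the 389 DS / FreeIPA projects, the following Python script does two things relevant to Mark's point: it parses the `slapi_ldap_bind` error lines Andrey posted and maps LDAP result 32 (No such object) to "the bind DN does not exist on the consumer", and it generates the LDIF for the consumer-side replication manager entry in the form the RHDS/389 administration guide linked in the thread describes (`cn=replication manager,cn=config` with `objectClass: inetorgperson`, matching the ldapsearch output later in the thread). The second, error-49 log line in the sample is constructed for illustration, the `ADVICE` mapping is my own, and the password and hostname are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample of the supplier's 389-ds errors log. The first line is
# the one quoted in the thread; the second is a constructed error-49 line
# showing the other common failure (entry exists, password mismatch).
SAMPLE_ERRORS_LOG = """\
[01/Sep/2016:03:24:23 +] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[01/Sep/2016:03:30:01 +] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 49 (Invalid credentials) errno 0 (Success)
"""

BIND_ERROR_RE = re.compile(
    r"slapi_ldap_bind - Error: could not bind id \[(?P<dn>[^\]]+)\] "
    r"authentication mechanism \[(?P<mech>[^\]]+)\]: "
    r"error (?P<code>\d+) \((?P<msg>[^)]+)\)"
)

# LDAP result codes a supplier reports when it cannot bind to its consumer
# (mapping is my own, based on the standard LDAP result-code meanings).
ADVICE: Dict[int, str] = {
    32: "bind DN does not exist on the consumer: create the replication "
        "manager entry there (ldapadd as Directory Manager on the consumer)",
    49: "bind DN exists on the consumer but its password differs from "
        "nsDS5ReplicaCredentials in the supplier's replication agreement",
}


def parse_bind_errors(log_text: str) -> List[Dict[str, object]]:
    """Extract dn, mechanism, result code, message and advice per bind failure."""
    found: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = BIND_ERROR_RE.search(line)
        if not m:
            continue
        code = int(m.group("code"))
        found.append({
            "dn": m.group("dn"),
            "mech": m.group("mech"),
            "code": code,
            "msg": m.group("msg"),
            "advice": ADVICE.get(code, "unmapped LDAP result code; check the consumer's access log"),
        })
    return found


def replication_manager_ldif(password: str, cn: str = "replication manager") -> str:
    """LDIF for the consumer-side bind entry, in the shape the 389 DS / RHDS
    administration guide linked in the thread uses. The same password must be
    put in nsDS5ReplicaCredentials on the supplier's agreement. The far-future
    passwordExpirationTime and nsIdleTimeout: 0 stop the consumer from expiring
    or idle-closing the supplier's long-lived replication bind."""
    return "\n".join([
        f"dn: cn={cn},cn=config",
        "objectClass: inetorgperson",
        "objectClass: person",
        "objectClass: top",
        f"cn: {cn}",
        "sn: RM",
        f"userPassword: {password}",
        "passwordExpirationTime: 20380119031407Z",
        "nsIdleTimeout: 0",
        "",
    ])


def ldapadd_argv(consumer_host: str, port: int = 389) -> List[str]:
    """ldapadd invocation that reads the LDIF above from stdin on the consumer
    (hostname is a placeholder; -W prompts for the Directory Manager password)."""
    return ["ldapadd", "-x", "-H", f"ldap://{consumer_host}:{port}",
            "-D", "cn=directory manager", "-W"]


if __name__ == "__main__":
    for err in parse_bind_errors(SAMPLE_ERRORS_LOG):
        print(f"{err['dn']} via {err['mech']}: error {err['code']} ({err['msg']})")
        print("  ->", err["advice"])
    print()
    print(" ".join(ldapadd_argv("ldap2.example.com")), "<<'EOF'")
    print(replication_manager_ldif("CHANGE-ME-strong-random-password"), end="")
    print("EOF")
```

Feed the generated LDIF to `ldapadd` on the standalone consumer (ldap2 in Andrey's setup), not on the FreeIPA master: error 32 comes from the server being bound to, so the entry has to exist on the side that receives the bind.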

Re: [Freeipa-users] Command-line replication does not work in FreeIPA-Master

2016-08-31 Thread Andrey Rogovsky
Hi, Mark! Thanks for explaining. Now I have created the replication manager (I hope): [root@ldap1 ~]# ldapsearch -h ldap1.example.com -p 389 -xLLL -D "cn=directory manager" -W -b cn=config "cn=replication manager" Enter LDAP Password: dn: cn=replication manager,cn=config objectClass: inetorgperson