Re: [Freeipa-users] 3rd Party http certs breaking Apache

2016-10-12 Thread Joshua Ruybal
Can confirm nss.conf has NSSNickname set to Signing-Cert.

I set the nickname of the Root CA issuing the 3rd party Certs to
"LetsEncrypt_X1"

On Wed, Oct 12, 2016 at 10:57 AM, Rob Crittenden wrote:

> Joshua Ruybal wrote:
>
>> Hi,
>>
>> I'm trying to add 3rd party certs for the webgui and ldap as documented
>> here: https://www.freeipa.org/page/Using_3rd_part_certificates_for
>> _HTTP/LDAP
>>
>> I'm able to add the CA cert.
>>
>> Then add the chained cert and key via ipa-server-certinstall tool.
>> However when I try to restart httpd, it fails and I get the following
>> error in the logs.
>>
>>
>> [Wed Oct 12 12:45:47.760525 2016] [suexec:notice] [pid 2598] AH01232:
>> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>> [Wed Oct 12 12:45:47.760648 2016] [ssl:warn] [pid 2598] AH01916: Init:
>> (ipa-test.example.com:443) You
>> configured HTTP(80) on the standard HTTPS(443) port!
>> [Wed Oct 12 12:45:47.760683 2016] [:warn] [pid 2598]
>> NSSSessionCacheTimeout is deprecated. Ignoring.
>> [Wed Oct 12 12:45:47.940329 2016] [:error] [pid 2598] SSL Library Error:
>> -8102 Certificate key usage inadequate for attempted operation.
>> [Wed Oct 12 12:45:47.940367 2016] [:error] [pid 2598] Unable to verify
>> certificate 'Signing-Cert'. Add "NSSEnforceValidCerts off" to nss.conf
>> so the server can start until the problem can be resolved.
>>
>>
>> I've looked into the key, but everything seems to work as expected.
>>
>> Has anyone seen this before?
>>
>> Environment:
>> IPA VERSION: 4.2.0, API_VERSION: 2.156
>> CentOS 7.2
>>
>
> You set NSSNickname to Signing-Cert? What is the nickname of the cert you
> imported?
>
> # certutil -L -d /etc/httpd/alias
>
> rob
>
>


-- 

*Joshua Ruybal | Systems Engineer*
o: (866) 870-2295 x823 c: (206) 724-4549
e: jruy...@owneriq.com

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

2016-10-12 Thread John Popowitch
I ran the following on each of my three servers:
kinit admin
ldapsearch -Y GSSAPI -b 'dc=aws,dc=cappex,dc=com' "nsds5ReplConflict=*" \* nsds5ReplConflict
There are 49, 57, 49 entries returned by that query on the respective server.
Here is the one related to 'System: Modify Certificate Profile' from the first server:

# CA Administrator + c93bf230-a32311e5-b492895f-f9294e47, privileges, pbac, aws
 .cappex.com
dn: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=priv
 ileges,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Add CA ACL+nsuniqueid=c93bf269-a32311e5-b492895f-f9294e47
 ,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Delete CA ACL+nsuniqueid=c93bf26d-a32311e5-b492895f-f9294
 e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Manage CA ACL Membership+nsuniqueid=c93bf271-a32311e5-b49
 2895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Modify CA ACL+nsuniqueid=c93bf275-a32311e5-b492895f-f9294
 e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Delete Certificate Profile+nsuniqueid=c93bf27c-a32311e5-b
 492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Import Certificate Profile+nsuniqueid=c93bf280-a32311e5-b
 492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b
 492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
objectClass: groupofnames
objectClass: top
objectClass: nestedgroup
cn: CA Administrator
description: CA Administrator
nsds5ReplConflict: namingConflict cn=CA Administrator,cn=privileges,cn=pbac,dc
 =aws,dc=cappex,dc=com


Here are the related entries from the second server:

# CA Administrator + c93bf230-a32311e5-b492895f-f9294e47, privileges, pbac, aws
 .cappex.com
dn: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=priv
 ileges,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Add CA ACL+nsuniqueid=c93bf269-a32311e5-b492895f-f9294e47
 ,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Delete CA ACL+nsuniqueid=c93bf26d-a32311e5-b492895f-f9294
 e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Manage CA ACL Membership+nsuniqueid=c93bf271-a32311e5-b49
 2895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Modify CA ACL+nsuniqueid=c93bf275-a32311e5-b492895f-f9294
 e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Delete Certificate Profile+nsuniqueid=c93bf27c-a32311e5-b
 492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Import Certificate Profile+nsuniqueid=c93bf280-a32311e5-b
 492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b
 492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
objectClass: groupofnames
objectClass: top
objectClass: nestedgroup
cn: CA Administrator
description: CA Administrator
nsds5ReplConflict: namingConflict cn=ca administrator,cn=privileges,cn=pbac,dc
 =aws,dc=cappex,dc=com

# System: Modify Certificate Profile + c93bf284-a32311e5-b492895f-f9294e47, per
 missions, pbac, aws.cappex.com
dn: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b492895
 f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
member: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=
 privileges,cn=pbac,dc=aws,dc=cappex,dc=com
ipaPermTargetFilter: (objectclass=ipacertprofile)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify Certificate Profile
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
ipaPermDefaultAttr: description
ipaPermDefaultAttr: ipacertprofilestoreissued
ipaPermDefaultAttr: cn
ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com
nsds5ReplConflict: namingConflict cn=system: modify certificate profile,cn=per
 missions,cn=pbac,dc=aws,dc=cappex,dc=com


And from the third server:

# CA Administrator + c93bf230-a32311e5-b492895f-f9294e47, privileges, pbac, aws
 .cappex.com
dn: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=priv
 ileges,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Add CA ACL+nsuniqueid=c93bf269-a32311e5-b492895f-f9294e47
 ,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Delete CA ACL+nsuniqueid=c93bf26d-a32311e5-b492895f-f9294
 e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Manage CA ACL Membership+nsuniqueid=c93bf271-a32311e5-b49
 2895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Modify CA ACL+nsuniqueid=c93bf275-a32311e5-b492895f-f9294
 e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Delete Certificate 
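
As an added example (not code from the thread or from FreeIPA), the following Python reads the LDIF that the suggested ldapsearch for `nsds5ReplConflict=*` returns and lists each conflict entry with the nsuniqueid that 389-ds appended to its RDN and the DN of the entry it collides with. The embedded sample LDIF is constructed from the shape of the entries above; the case-insensitive comparison in `conflicts_for` reflects the lower-cased DN that appears in the nsds5ReplConflict value.

```python
"""Added example (not from the thread, not FreeIPA code): list 389-ds
replication conflict entries found in ldapsearch LDIF output."""
import re
import sys
from typing import Dict, List

Entry = Dict[str, List[str]]

# 389-ds renames the losing entry of a naming conflict by appending
# "+nsuniqueid=<id>" to its RDN; this pulls the id back out of the DN.
NSUNIQUEID_RE = re.compile(r"\+nsuniqueid=([0-9a-fA-F-]+)(?=,|$)")

# Constructed sample modelled on the entries posted above (not a real dump).
SAMPLE_LDIF = """\
# CA Administrator + c93bf230-a32311e5-b492895f-f9294e47, privileges, pbac, aws
 .cappex.com
dn: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=priv
 ileges,cn=pbac,dc=aws,dc=cappex,dc=com
objectClass: groupofnames
objectClass: top
cn: CA Administrator
nsds5ReplConflict: namingConflict cn=ca administrator,cn=privileges,cn=pbac,dc
 =aws,dc=cappex,dc=com

dn: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b492895
 f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
objectClass: ipapermission
cn: System: Modify Certificate Profile
nsds5ReplConflict: namingConflict cn=system: modify certificate profile,cn=per
 missions,cn=pbac,dc=aws,dc=cappex,dc=com

dn: cn=System: Add CA ACL,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
objectClass: ipapermission
cn: System: Add CA ACL
"""


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (a line beginning with one space
    continues the previous one) and drop '#' comment lines."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return [ln for ln in lines if not ln.startswith("#")]


def parse_entries(text: str) -> List[Entry]:
    """Split unfolded LDIF into entries: attribute name (lower-cased) to
    list of values. Base64 ('::') values are not needed for this check."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfold_ldif(text) + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def find_conflicts(entries: List[Entry]) -> List[Dict[str, str]]:
    """For each entry carrying nsds5ReplConflict, record its DN, the
    nsuniqueid from its RDN, the conflict kind and the DN of the entry
    it collides with (the attribute value is '<kind> <dn>')."""
    report: List[Dict[str, str]] = []
    for entry in entries:
        marker = entry.get("nsds5replconflict")
        if not marker or "dn" not in entry:
            continue
        dn = entry["dn"][0]
        match = NSUNIQUEID_RE.search(dn)
        kind, _, original_dn = marker[0].partition(" ")
        report.append({
            "conflict_dn": dn,
            "nsuniqueid": match.group(1) if match else "",
            "kind": kind,
            "original_dn": original_dn,
        })
    return report


def conflicts_for(report: List[Dict[str, str]], cn: str) -> List[Dict[str, str]]:
    """Conflicts whose surviving entry has RDN cn=<cn>. The directory writes
    the DN in nsds5ReplConflict in normalised lower case (as seen in the
    thread), so the comparison is case-insensitive."""
    want = f"cn={cn}".lower()
    return [item for item in report
            if item["original_dn"].split(",", 1)[0].lower() == want]


if __name__ == "__main__":
    # Pass a saved ldapsearch LDIF as the first argument; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    found = find_conflicts(parse_entries(text))
    for item in found:
        print(f"{item['kind']}: {item['conflict_dn']}")
        print(f"    nsuniqueid {item['nsuniqueid']} collides with {item['original_dn']}")
    print(f"{len(found)} conflict entries")
```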

[Freeipa-users] Server unwilling to perform error

2016-10-12 Thread Rakesh Rajasekharan
Hi There,

I am running Freeipa version 4.2.0

I have been noticing that frequently I get this error "ipa: ERROR: Server
is unwilling to perform: Entry permanently locked." when I try to run any
ipa commands like ipa user-find or user-status.

Finally I see that my admin account has been locked and I need to unlock it
manually.

I don't see anything in the krb5kdc.log. Are there any other specific logs
that can give me pointers as to what could be going wrong, as I see this
almost daily?

Thanks,
Rakesh

Re: [Freeipa-users] bind-dyndb-ldap issues

2016-10-12 Thread Petr Spacek
Hello,

these are debug messages and are harmless. Apparently you have verbose/debug
messages enabled in named.conf:

arg "verbose_checks yes";

If you want to get rid of these messages, just remove the line.

What version of bind-dyndb-ldap are you using?

Sufficiently new versions should use SyncRepl to pull all data from LDAP to
memory (on start) so the read performance should be nearly identical as with
plain BIND.

Of course, writes/DNS updates will generate load on your LDAP server so the
server needs to handle the load.

Petr^2 Spacek

On 11.10.2016 20:41, Brendan Kearney wrote:
> i am using bind-dyndb-ldap on fedora 24 without FreeIPA, and continue to have
> my logs swamped with errors about "check failed" from settings.c and fwd.c.  i
> am completely up to date with every package, so the latest versions of
> everything are installed.
> 
> [settings.c : 420: setting_update_from_ldap_entry] check failed: ignore
> [settings.c : 436: setting_update_from_ldap_entry] check failed: ignore
> [fwd.c : 378: fwd_setting_isexplicit] check failed: not found
> 
> i have two boxes running a named instance each, in a "master/master" config. 
> each has the zone data configured per below.  the uri refers to the local ip
> of each server.
> 
> dynamic-db "bpk2.com" {
> library "ldap.so";
> arg "uri ldap://192.168.88.1/";
> arg "base cn=dns,ou=Daemons,dc=bpk2,dc=com";
> arg "auth_method simple";
> arg "bind_dn cn=dnsUser,dc=bpk2,dc=com";
> arg "password dnsPass";
> 
> arg "fake_mname server1.bpk2.com.";
> arg "dyn_update yes";
> arg "connections 2";
> arg "verbose_checks yes";
> };
> 
> zone "." IN {
> type hint;
> file "named.ca";
> };
> 
> include "/etc/named.rfc1912.zones";
> 
> my dns container is defined in openldap as such:
> 
> dn: cn=dns,ou=Daemons,dc=bpk2,dc=com
> cn: dns
> idnspersistentsearch: FALSE
> idnszonerefresh: 30
> objectclass: top
> objectclass: nsContainer
> objectclass: idnsConfigObject
> 
> where and how can i find the source of my issue?  these issues are causing
> performance issues on the rest of my network.  because of these errors, ldap
> throws errors about deferred operations for binding, too many executing, and
> pending operations.  additionally, recursion also seems to be impacted.  this
> is noticed most when streaming content.  buffering, stuttering and pixelation
> are seen in the video streams.  it could be the swamping of logs killing I/O
> or the actual recursion, but 100% the video issues are related.  the log
> events match up exactly with the buffering.
> 
> i had this issue with bind-dyndb-ldap and fedora 20 up until i recently
> upgraded.  i went from F20 to F24, and put things on nice new SSDs, instead of
> spinning disks.  the problem followed the upgrade.  are there configuration
> items i am missing?  are there tweaks i can do to improve something?  how do i
> get rid of these errors, so dns performance (or the log swamping) is not
> affecting the rest of my network?
> 
> thank you,
> 
> brendan



Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

2016-10-12 Thread Martin Basti



On 11.10.2016 22:01, John Popowitch wrote:

Ah, yes, thank you, Alexander.
I agree it would help if I followed the example better.
It would also help if I understood the example so a little description of what 
each command does would be very helpful.
Sorry, we don't have time to explain everything here. `man ldapsearch` 
is your friend




It looks like that ACI record does exist.
Now how would I remove these LDAP records?
I dug deeper into the code, and actually this error is not caused by ACIs, 
because it does not even get there. I think that this may be caused by a 
replication conflict on the permission entry, so that IPA doesn't see 
it but DS refuses to add it there.


Can you please check as Directory Manager if there are any replication 
conflicts using this command?
ldapsearch -D 'cn=directory manager' -W -b 'dc=aws,dc=cappex,dc=com' "nsds5ReplConflict=*" \* nsds5ReplConflict


Please check if there is replication conflict on entry 'System: Modify 
Certificate Profile'


More info about replication conflicts: 
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html



-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Tuesday, October 11, 2016 2:44 PM
To: John Popowitch
Cc: Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run 
ipa-server-upgrade, but has errors

On ti, 11 loka 2016, John Popowitch wrote:

It doesn't look like there are any entries.

# ldapsearch -x -b 'cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com' -s
base aci

'ldapsearch -x' is 'use simple authentication instead of SASL' -- given that 
you didn't specify any identity for simple authentication, you are running an 
anonymous search. Martin asked you to 'kinit' as administrator and then use 
SASL GSSAPI.

ACIs are only available for retrieval to administrators. It is not a surprise that 
anonymous access does not see them.

It would be good if you would have followed the example:

Here you have example

kinit admin

ldapsearch -Y GSSAPI -b 'cn=certprofiles,cn=ca,dc=,dc='
-s base aci

On 11.10.2016 17:48, John Popowitch wrote:
Thanks, Martin.
But I'm afraid you've gone beyond my level of LDAP knowledge.
How would I check for that ACI?
-John

From: Martin Basti [mailto:mba...@redhat.com]
Sent: Tuesday, October 11, 2016 10:38 AM
To: John Popowitch;
freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to
run ipa-server-upgrade, but has errors




On 11.10.2016 17:21, John Popowitch wrote:
I agree that is weird.
Several of the other managed permissions are updated successfully and they are 
very similar.
Yes, I can try to remove the permission manually.
Is there any risk in corrupting or breaking the system?
This is, I believe, one of three IPA servers in a multi-master replication.
And we run our production website (basically our company) off of these servers.
Assuming it's safe enough to do, could I delete that permission via the UI or 
does it need to be directly via LDAP?

Upgrade will re-create the permission.

You have to do it directly using LDAP as Directory Manager.

Also please check in: cn=certprofiles,cn=ca,$SUFFIX

if you have this ACI there

aci: (targetattr = "cn || description || ipacertprofilestoreissued")(targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Modify Certificate Profile";allow (write) groupdn = "ldap:///cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=dom-058-017,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)

This may also cause an issue, so if removing of permission itself did
not help (or permission does not exist) you may need to remove this ACI

Martin




From: Martin Basti [mailto:mba...@redhat.com]
Sent: Tuesday, October 11, 2016 9:47 AM
To: John Popowitch;
freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to
run ipa-server-upgrade, but has errors


That's weird because the code is checking if a permission exists before
it tries to add a new one

Can you try to remove 'System: Modify Certificate Profile' manually from LDAP 
and re-run ipa-server-upgrade?



On 11.10.2016 15:53, John Popowitch wrote:
2016-10-10T19:51:38Z DEBUG Updating managed permission: System: Modify Certificate Profile
2016-10-10T19:51:38Z DEBUG Destroyed connection context.ldap2_82077392
2016-10-10T19:51:38Z ERROR Upgrade failed with This entry already exists
2016-10-10T19:51:38Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 306, in __upgrade
    self.modified = (ld.update(self.files) or self.modified)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 905, in update
    self._run_updates(all_updates)

Re: [Freeipa-users] FreeIPA and Samba

2016-10-12 Thread Aleksey Stepanenko
My Samba server and IPA server are different machines too. I made LDAP 
replication IPA-SAMBA ( 
https://www.server-world.info/en/note?os=CentOS_7=ipa=6 ). 
Unfortunately, it makes a full replication (not only the LDAP server), but it 
works. My Windows machines are not joined to a domain.



12.10.2016 03:43, Alan Latteri wrote:
I am trying to get this to work, but our Samba server is not the same 
machine as our IPA server, and these instructions seem to assume that. 
Any ideas? All I need is the one Windows machine in our network to be 
able to access our Linux-based server, using the same user/pass as 
that of our IPA-authenticated Linux machines.



On Oct 10, 2016, at 1:35 PM, Степаненко Алексей wrote:


I read again the topic 
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA/NTMLSSP

It works exactly as I wanted

ipa-adtrust-install created the following configuration:

$ net conf list
[global]
workgroup = WORKGROUP
netbios name = SMB
realm = GW.SPB.RU
kerberos method = dedicated keytab
dedicated keytab file = FILE:/etc/samba/samba.keytab
create krb5 conf = no
security = user
domain master = yes
domain logons = yes
log level = 1
max log size = 10
log file = /var/log/samba/log.%m
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-GW-SPB-RU.socket

disable spoolss = yes
ldapsam:trusted = yes
ldap ssl = off
ldap suffix = dc=gw,dc=spb,dc=ru
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
rpc_server:epmapper = external
rpc_server:lsarpc = external
rpc_server:lsass = external
rpc_server:lsasd = external
rpc_server:samr = external
rpc_server:netlogon = external
rpc_server:tcpip = yes
rpc_daemon:epmd = fork
rpc_daemon:lsasd = fork

But I don't understand why it wasn't put to smb.conf directly.

The second problem is 'passdb backend'. I didn't find any 
documentation about this module. An attempt to replace the file socket 
with a network connection failed, and I had to set up LDAP replication. It 
was easy, but "ipa-replica-prepare" installed a whole IPA server 
(tomcat, java, ldap), not only the LDAP server. I need to continue to 
read the documentation. However, the problem was solved.


06.10.2016 23:51, Степаненко Алексей wrote:

Thank you for your reply.

I've got a Samba server for a company; accounts are created by hand. 
Clients are different Windows or Linux desktops.


I want to install FreeIPA and have one place for managing accounts 
(SMB, SSH access for other servers). Now I am preparing a clean Samba 
installation for testing. It would be great to use FreeIPA as the 
authorization server for Samba.


I was looking for information about Samba + FreeIPA, but I found 
only this document. Maybe I am missing obvious things.



06.10.2016 20:31, Loris Santamaria wrote:

The document you are linking to explains how to configure a samba file
server in a freeipa domain, which is one of many ways you can configure
and use a samba server.

What do you want to achieve with samba, and what is your current setup?



On Thu, 06-10-2016 at 19:23 +0300, Степаненко Алексей wrote:

Hello.

I've read the topic about FreeIPA and SAMBA
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

If I understand correctly, Samba's client must be present in
FreeIPA AD.
Unfortunately, it does not work for me. I can't join some work
desktops to AD. Is it possible to make Samba auth through LDAP IPA? Samba has
ldap support:

  ldap admin dn
  ldap group suffix
  ldap idmap suffix
  ldap machine suffix
  ldap passwd sync
  ldap suffix
  ldap user suffix

Does it work with IPA ?

Thanks.











--
Regards,
Степаненко Алексей,
Head of the Information Technology Group,
ООО "Глобал Веб Групп"
Website: http//gw.spb.ru
Tel.: +7 (812) 409-00-90




[Freeipa-users] Replica has no RUV

2016-10-12 Thread Fil Di Noto
What do you do if a replica has no RUV? It may have been deleted.

I've tried disconnecting/connecting it to the other replicas to see if
it would re-build it but it doesn't

Re-initializing it doesn't seem to fix it either.



Re: [Freeipa-users] Different Database Generation ID

2016-10-12 Thread Ludwig Krispenz

Hi,

you get the "different database generation" if one side is built from 
scratch or reimported from a plain ldif without replication state information. 
replication will only work if both sides have the same data origin.


About initializing back and forth, it depends on your topology if it can 
become a problem. If a replica is reinitialized its changelog is 
recreated (the old one will no longer match) and if you do it again in 
the other direction you remove the changelog there as well - and then 
can miss changes not yet replicated to other replicas and you can run 
into the "csn not found problems".


I looked up one of your previous posts about which version of 389-ds you 
are using, and it looks like you have one we know has some issues, as 
stated several times on this list :-(


About your observation that replication is stopping and working again 
after restarting, this can be a problem of the replication agreement 
going into fatal state instead of retrying. Restarting the server 
overcomes this, but you could achieve it by disabling the agreement.


Ludwig

On 10/11/2016 06:13 PM, Ian Harding wrote:

I have this error in the log of my FreeIPA server freeipa-sea.bpt.rocks:

[11/Oct/2016:09:04:39 -0700] NSMMReplicationPlugin -
agmt="cn=masterAgreement1-seattlenfs.bpt.rocks-pki-tomcat"
(seattlenfs:389): The remote replica has a different database generation
ID than the local database.  You may have to reinitialize the remote
replica, or the local replica.

So I did this:

ipa-replica-manage re-initialize --from freeipa-sea.bpt.rocks

on seattlenfs

But the error continues.

I think I know why.  freeipa-sea had a meltdown and I had to rebuild it,
and established it as a replica of seattlenfs.  Unfortunately, I think
seattlenfs was a replica of the original freeipa-sea.

It seems like a bad idea to reinitialize themselves from each other, and
in fact it's warned against here:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Troubleshooting_Replication_Related_Problems.html

"... Also, M2 should not initialize M1 back."

But in looking at my bash history I have indeed done that as well.

Is there any way out of this mess?  These two servers actually DO
replicate, most of the time.  They stop for no reason and restarting the
ipa services on freeipa-sea does get them started again.



--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric 
Shander



Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient

2016-10-12 Thread Florence Blanc-Renaud

On 10/11/2016 07:36 PM, Bennett, Chip wrote:

I just joined this list, so if this question has been asked before (and
I’ll bet it has), I apologize in advance.



A google search was unrevealing, so I’m asking here: we’re running
FreeIPA Version 3.0.0 on CentOS 6.6.   It looks like the password
complexity requirements are limited to setting the number of character
classes to require, i.e. setting it to “2” would require your new
password to be any two of the character classes.



What if you wanted new passwords to meet specific class requirements,
i.e. a mix of UL, LC, and numbers.  It looks like you would use a value
of “3” to accomplish this, but that would also allow UC, LC, and
special, or LC, numbers, and special, but you don’t want to allow the
those:  how would you specify that?


Hi,

as far as I know, it is only possible to specify the number of different 
character classes. The doc chapter "Creating Password Policies in the 
Web UI" [1] describes the following:

---
Character classes sets the number of different categories of character 
that must be used in the password. This does not set which classes must 
be used; it sets the number of different (unspecified) classes which 
must be used in a password. For example, a character class can be a 
number, special character, or capital; the complete list of categories 
is in Table 22.1, “Password Policy Settings”. This is part of setting 
the complexity requirements.

---

hope this clarifies,
Flo

[1] 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Setting_Different_Password_Policies_for_Different_User_Groups.html#creating-group-policy-ui






Also, what if you had a requirement for more than one of the character
classes, i.e. you want to require two UC characters or two special
characters?



Thanks in advance for the help,

Chip Bennett




This message is solely for the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure or distribution is prohibited.
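
To make the gap Florence describes concrete, here is an added example (not from the thread and not FreeIPA's code) that models a minimum-classes check next to the per-class policy Chip asked for; which characters belong to which class (upper, lower, digit, everything else) is an assumption made for the illustration.

```python
"""Added example: 'number of character classes' versus per-class requirements.

Not FreeIPA code. Class membership (upper, lower, digit, special) is an
assumption made for the illustration.
"""
from typing import Dict, List, Tuple


def classify(ch: str) -> str:
    """Assign one character to one class (assumed partition)."""
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    if ch.isdigit():
        return "digit"
    return "special"


def class_counts(password: str) -> Dict[str, int]:
    """How many characters of each class the password contains."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for ch in password:
        counts[classify(ch)] += 1
    return counts


def meets_min_classes(password: str, min_classes: int) -> bool:
    """The policy knob the thread discusses: at least `min_classes`
    distinct classes must be present. It does not say which ones."""
    present = sum(1 for n in class_counts(password).values() if n > 0)
    return present >= min_classes


def meets_per_class(password: str, required: Dict[str, int]) -> bool:
    """The rule Chip asked for: each named class must occur at least the
    given number of times, e.g. {"upper": 2, "special": 2}."""
    counts = class_counts(password)
    return all(counts[cls] >= n for cls, n in required.items())


def compare(password: str, min_classes: int,
            required: Dict[str, int]) -> Tuple[bool, bool]:
    """Verdict under both policies, to spot passwords the class-count rule
    accepts but the per-class rule rejects."""
    return (meets_min_classes(password, min_classes),
            meets_per_class(password, required))


def accepted_only_by_class_count(candidates: List[str], min_classes: int,
                                 required: Dict[str, int]) -> List[str]:
    """Passwords that pass the 'any N classes' check yet miss a class the
    stricter policy insists on: exactly the case Chip describes (lower
    case, digits and special, but no upper case)."""
    return [p for p in candidates
            if meets_min_classes(p, min_classes)
            and not meets_per_class(p, required)]


if __name__ == "__main__":
    # Constructed sample candidates (not real passwords).
    samples = ["Summer2016!", "summer2016!", "SUMMER2016!", "Su!!mmer"]
    want = {"upper": 1, "lower": 1, "digit": 1}
    for pw in samples:
        print(pw, compare(pw, 3, want))
    print("gap:", accepted_only_by_class_count(samples, 3, want))
```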






Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient

2016-10-12 Thread Bennett, Chip
Flo,

Thanks for getting back to me.  I had seen this in the documentation.   I was 
just hoping that I was missing something.   I guess I'm just surprised that a 
product designed to manage authentication wouldn't have a way to be more 
specific in the complexity requirements.

Thanks again!
Chip

-Original Message-
From: Florence Blanc-Renaud [mailto:f...@redhat.com] 
Sent: Wednesday, October 12, 2016 3:18 PM
To: Bennett, Chip ; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient

On 10/11/2016 07:36 PM, Bennett, Chip wrote:
> I just joined this list, so if this question has been asked before 
> (and I'll bet it has), I apologize in advance.
>
>
>
> A google search was unrevealing, so I'm asking here: we're running
> FreeIPA Version 3.0.0 on CentOS 6.6.   It looks like the password
> complexity requirements are limited to setting the number of character 
> classes to require, i.e. setting it to "2" would require your new 
> password to be any two of the character classes.
>
>
>
> What if you wanted new passwords to meet specific class requirements, 
> i.e. a mix of UL, LC, and numbers.  It looks like you would use a 
> value of "3" to accomplish this, but that would also allow UC, LC, and 
> special, or LC, numbers, and special, but you don't want to allow the
> those:  how would you specify that?
>
Hi,

as far as I know, it is only possible to specify the number of different 
character classes. The doc chapter "Creating Password Policies in the Web UI" 
[1] describes the following:
---
Character classes sets the number of different categories of character that 
must be used in the password. This does not set which classes must be used; it 
sets the number of different (unspecified) classes which must be used in a 
password. For example, a character class can be a number, special character, or 
capital; the complete list of categories is in Table 22.1, "Password Policy 
Settings". This is part of setting the complexity requirements.
---

hope this clarifies,
Flo

[1]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Setting_Different_Password_Policies_for_Different_User_Groups.html#creating-group-policy-ui


>
>
> Also, what if you had a requirement for more than one of the character
> classes, i.e. you want to require two UC characters or two special
> characters?
>
>
>
> Thanks in advance for the help,
>
> Chip Bennett
>
>
>
>
> This message is solely for the intended recipient(s) and may contain
> confidential and privileged information. Any unauthorized review, use,
> disclosure or distribution is prohibited.  
>
>


This message is solely for the intended recipient(s) and may contain 
confidential and privileged information.
Any unauthorized review, use, disclosure or distribution is prohibited.



Re: [Freeipa-users] bind-dyndb-ldap issues

2016-10-12 Thread Brendan Kearney

On 10/12/2016 02:35 AM, Petr Spacek wrote:

Hello,

these are debug messages and are harmless. Apparently you have verbose/debug
messages enabled in named.conf:

 arg "verbose_checks yes";

If you want to get rid of these messages, just remove the line.

What version of bind-dyndb-ldap are you using?

Sufficiently new versions should use SyncRepl to pull all data from LDAP to
memory (on start) so the read performance should be nearly identical as with
plain BIND.

Of course, writes/DNS updates will generate load on your LDAP server so the
server needs to handle the load.

Petr^2 Spacek

On 11.10.2016 20:41, Brendan Kearney wrote:

i am using bind-dyndb-ldap on fedora 24 without FreeIPA, and continue to have
my logs swamped with errors about "check failed" from settings.c and fwd.c.  i
am completely up to date with every package, so the latest versions of
everything are installed.

[settings.c : 420: setting_update_from_ldap_entry] check failed: ignore
[settings.c : 436: setting_update_from_ldap_entry] check failed: ignore
[fwd.c : 378: fwd_setting_isexplicit] check failed: not found

i have two boxes running a named instance each, in a "master/master" config.
each has the zone data configured per below.  the uri refers to the local ip
of each server.

 dynamic-db "bpk2.com" {
 library "ldap.so";
 arg "uri ldap://192.168.88.1/";
 arg "base cn=dns,ou=Daemons,dc=bpk2,dc=com";
 arg "auth_method simple";
 arg "bind_dn cn=dnsUser,dc=bpk2,dc=com";
 arg "password dnsPass";

 arg "fake_mname server1.bpk2.com.";
 arg "dyn_update yes";
 arg "connections 2";
 arg "verbose_checks yes";
 };

 zone "." IN {
 type hint;
 file "named.ca";
 };

 include "/etc/named.rfc1912.zones";

my dns container is defined in openldap as such:

dn: cn=dns,ou=Daemons,dc=bpk2,dc=com
cn: dns
idnspersistentsearch: FALSE
idnszonerefresh: 30
objectclass: top
objectclass: nsContainer
objectclass: idnsConfigObject

where and how can i find the source of my issue?  these issues are causing
performance issues on the rest of my network.  because of these errors, ldap
throws errors about deferred operations for binding, too many executing, and
pending operations.  additionally, recursion also seems to be impacted.  this
is noticed most when streaming content.  buffering, stuttering and pixelation
are seen in the video streams.  it could be the swamping of logs killing I/O
or the actual recursion, but 100% the video issues are related.  the log
events match up exactly with the buffering.

i had this issue with bind-dyndb-ldap and fedora 20 up until i recently
upgraded.  i went from F20 to F24, and put things on nice new SSDs, instead of
spinning disks.  the problem followed the upgrade.  are there configuration
items i am missing?  are there tweaks i can do to improve something?  how do i
get rid of these errors, so dns performance (or the log swamping) is not
affecting the rest of my network?

thank you,

brendan


i am running 10.1.1 on F24.

why or how would those error logs be related to LDAP seeing an influx of 
updates, that wind up causing LDAP operations to queue up and require 
pended transactions, etc? are there tweaks and tuning options i 
should have in my LDAP to manage this?


thanks,

brendan

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient

2016-10-12 Thread Simpson Lachlan
> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Bennett, Chip
> Sent: Thursday, 13 October 2016 7:21 AM
> To: Florence Blanc-Renaud; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Password Complexity Requirements Seems
> Insufficient
> 
> Flo,
> 
> Thanks for getting back to me.  I had seen this in the documentation.   I was 
> just
> hoping that I was missing something.   I guess I'm just surprised that a 
> product
> designed to manage authentication wouldn't have a way to be more specific in 
> the
> complexity requirements.


I don't know. Those types of complexity requirements are multifaceted, complex 
and somewhat arbitrary. Given that each then requires regex, I'm quite happy 
that the devs focus on getting other aspects of FreeIPA to work over password 
complexity. 

As xkcd noted a couple of years ago, password length is better for security 
than anything else. 

Complex arrangements of different character classes are neither human- nor UX-
friendly, nor where contemporary security theory is focused - try 2FA, 
public/private keys, etc. While I understand that large organisations have 
policy that often drags well behind contemporary theory, I don't think it's 
fair to expect software to also allow for that.

Cheers
L.






> 
> Thanks again!
> Chip
> 
> -Original Message-
> From: Florence Blanc-Renaud [mailto:f...@redhat.com]
> Sent: Wednesday, October 12, 2016 3:18 PM
> To: Bennett, Chip ; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Password Complexity Requirements Seems
> Insufficient
> 
> On 10/11/2016 07:36 PM, Bennett, Chip wrote:
> > I just joined this list, so if this question has been asked before
> > (and I'll bet it has), I apologize in advance.
> >
> >
> >
> > A google search was unrevealing, so I'm asking here: we're running
> > FreeIPA Version 3.0.0 on CentOS 6.6.   It looks like the password
> > complexity requirements are limited to setting the number of character
> > classes to require, i.e. setting it to "2" would require your new
> > password to be any two of the character classes.
> >
> >
> >
> > What if you wanted new passwords to meet specific class requirements,
> > i.e. a mix of UL, LC, and numbers.  It looks like you would use a
> > value of "3" to accomplish this, but that would also allow UC, LC, and
> > special, or LC, numbers, and special, but you don't want to allow the
> > those:  how would you specify that?
> >
> Hi,
> 
> as far as I know, it is only possible to specify the number of different 
> character
> classes. The doc chapter "Creating Password Policies in the Web UI" [1] 
> describes
> the following:
> ---
> Character classes sets the number of different categories of character that 
> must be
> used in the password. This does not set which classes must be used; it sets 
> the
> number of different (unspecified) classes which must be used in a password. 
> For
> example, a character class can be a number, special character, or capital; the
> complete list of categories is in Table 22.1, "Password Policy Settings". 
> This is part
> of setting the complexity requirements.
> ---
> 
> hope this clarifies,
> Flo
> 
> [1]
> https://access.redhat.com/documentation/en-
> US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_
> Policy_Guide/Setting_Different_Password_Policies_for_Different_User_Groups.ht
> ml#creating-group-policy-ui
> 
> 
> >
> >
> > Also, what if you had a requirement for more than one of the character
> > classes, i.e. you want to require two UC characters or two special
> > characters?
> >
> >
> >
> > Thanks in advance for the help,
> >
> > Chip Bennett
> >
> >
> >
> >
> > This message is solely for the intended recipient(s) and may contain
> > confidential and privileged information. Any unauthorized review, use,
> > disclosure or distribution is prohibited.
> >
> >
> 
> 
> This message is solely for the intended recipient(s) and may contain 
> confidential
> and privileged information.
> Any unauthorized review, use, disclosure or distribution is prohibited.
> 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
This email (including any attachments or links) may contain 
confidential and/or legally privileged information and is 
intended only to be read or used by the addressee.  If you 
are not the intended addressee, any use, distribution, 
disclosure or copying of this email is strictly 
prohibited.  
Confidentiality and legal privilege attached to this email 
(including any attachments) are not waived or lost by 
reason of its mistaken delivery to you.
If you have received this email in error, please delete it 
and notify us immediately by telephone or email.  Peter 
MacCallum Cancer Centre provides no guarantee that this 
transmission is free of virus or that it has 
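
The doc excerpt quoted above says the FreeIPA policy counts how many distinct character classes a password uses (`ipa pwpolicy-mod --minclasses=N`, stored as krbPwdMinDiffChars) but cannot name which classes, or how many characters of one class, are required. The following is an added example, not FreeIPA code and not from anyone in the thread: it models the counting rule beside the "specific classes" rule Chip asked about and lists passwords on which the two disagree. The four ASCII classes used here are an assumption for illustration; FreeIPA's own class set may differ, and the `SpecificPolicy` object and function names are this example's, not an IPA API.

```python
"""Added example: FreeIPA-style 'number of classes' rule versus a policy that
names the required classes. Not FreeIPA code; class set is an assumption."""
from __future__ import annotations

import string
from dataclasses import dataclass, field

# Assumed character classes (FreeIPA's real set may differ; see lead-in).
CLASSES: dict[str, set[str]] = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def classes_present(password: str) -> set[str]:
    """Names of the classes that occur at least once in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def passes_ipa_style(password: str, min_classes: int, min_length: int = 8) -> bool:
    """What the documented policy can express: a length floor and a count of
    distinct (unspecified) classes, like --minclasses=N."""
    return len(password) >= min_length and len(classes_present(password)) >= min_classes


@dataclass
class SpecificPolicy:
    """The policy Chip asked for: named classes, optionally with per-class minimums."""
    required: set[str] = field(default_factory=set)          # e.g. {"upper", "lower", "digit"}
    min_count: dict[str, int] = field(default_factory=dict)  # e.g. {"upper": 2}
    min_length: int = 8


def passes_specific(password: str, policy: SpecificPolicy) -> bool:
    if len(password) < policy.min_length:
        return False
    if not policy.required <= classes_present(password):
        return False
    # Per-class minimum counts, e.g. "at least two upper-case characters".
    return all(
        sum(c in CLASSES[name] for c in password) >= n
        for name, n in policy.min_count.items()
    )


def disagreements(candidates: list[str], min_classes: int, policy: SpecificPolicy) -> list[str]:
    """Passwords the counting rule accepts but the specific policy rejects:
    exactly the gap the thread is about (any 3 classes vs. these 3 classes)."""
    return [
        p for p in candidates
        if passes_ipa_style(p, min_classes) and not passes_specific(p, policy)
    ]


if __name__ == "__main__":
    # Constructed sample passwords; the first satisfies both rules.
    samples = ["Passw0rdX", "passw0rd!!", "PASSW0RD!", "short1A"]
    want = SpecificPolicy(required={"upper", "lower", "digit"})
    for p in samples:
        print(f"{p:12} classes={sorted(classes_present(p))} "
              f"minclasses=3:{passes_ipa_style(p, 3)} specific:{passes_specific(p, want)}")
    print("accepted by --minclasses=3 but not by the specific policy:",
          disagreements(samples, 3, want))
```

The `disagreements` list is the practical answer to the original question: with `--minclasses=3`, a password made of lower-case, digits and punctuation is accepted even though it has no upper-case character, and nothing in the IPA policy object can forbid that combination.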

Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient

2016-10-12 Thread Anon Lister
Unfortunately, policy and regulation often lag behind current theory by
several decades. For what it's worth, I'd second being able to set more
complicated policies as a useful feature.

On Oct 12, 2016 6:38 PM, "Simpson Lachlan" 
wrote:

> > -Original Message-
> > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> > boun...@redhat.com] On Behalf Of Bennett, Chip
> > Sent: Thursday, 13 October 2016 7:21 AM
> > To: Florence Blanc-Renaud; freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] Password Complexity Requirements Seems
> > Insufficient
> >
> > Flo,
> >
> > Thanks for getting back to me.  I had seen this in the documentation.
>  I was just
> > hoping that I was missing something.   I guess I'm just surprised that a
> product
> > designed to manage authentication wouldn't have a way to be more
> specific in the
> > complexity requirements.
>
>
> I don't know. Those type of complexity requirements are multifaceted,
> complex and somewhat arbitrary. Given that each then requires regex, I'm
> quite happy that the devs focus on getting other aspects of FreeIPA to work
> over password complexity.
>
> As xkcd noted a couple of years ago, password length is better for
> security than anything else.
>
> Complex arrangements of different character classes is neither human or UX
> friendly nor where contemporary security theory is focused - try 2FA,
> public/private keys, etc. While I understand that large organisations have
> policy that often drags well behind contemporary theory, I don't think it's
> fair to expect software to also allow for that.
>
> Cheers
> L.
>
>
>
>
>
>
> >
> > Thanks again!
> > Chip
> >
> > -Original Message-
> > From: Florence Blanc-Renaud [mailto:f...@redhat.com]
> > Sent: Wednesday, October 12, 2016 3:18 PM
> > To: Bennett, Chip ; freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] Password Complexity Requirements Seems
> > Insufficient
> >
> > On 10/11/2016 07:36 PM, Bennett, Chip wrote:
> > > I just joined this list, so if this question has been asked before
> > > (and I'll bet it has), I apologize in advance.
> > >
> > >
> > >
> > > A google search was unrevealing, so I'm asking here: we're running
> > > FreeIPA Version 3.0.0 on CentOS 6.6.   It looks like the password
> > > complexity requirements are limited to setting the number of character
> > > classes to require, i.e. setting it to "2" would require your new
> > > password to be any two of the character classes.
> > >
> > >
> > >
> > > What if you wanted new passwords to meet specific class requirements,
> > > i.e. a mix of UL, LC, and numbers.  It looks like you would use a
> > > value of "3" to accomplish this, but that would also allow UC, LC, and
> > > special, or LC, numbers, and special, but you don't want to allow the
> > > those:  how would you specify that?
> > >
> > Hi,
> >
> > as far as I know, it is only possible to specify the number of different
> character
> > classes. The doc chapter "Creating Password Policies in the Web UI" [1]
> describes
> > the following:
> > ---
> > Character classes sets the number of different categories of character
> that must be
> > used in the password. This does not set which classes must be used; it
> sets the
> > number of different (unspecified) classes which must be used in a
> password. For
> > example, a character class can be a number, special character, or
> capital; the
> > complete list of categories is in Table 22.1, "Password Policy
> Settings". This is part
> > of setting the complexity requirements.
> > ---
> >
> > hope this clarifies,
> > Flo
> >
> > [1]
> > https://access.redhat.com/documentation/en-
> > US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_
> Authentication_and_
> > Policy_Guide/Setting_Different_Password_Policies_
> for_Different_User_Groups.ht
> > ml#creating-group-policy-ui
> >
> >
> > >
> > >
> > > Also, what if you had a requirement for more than one of the character
> > > classes, i.e. you want to require two UC characters or two special
> > > characters?
> > >
> > >
> > >
> > > Thanks in advance for the help,
> > >
> > > Chip Bennett
> > >
> > >
> > >
> > >
> > > This message is solely for the intended recipient(s) and may contain
> > > confidential and privileged information. Any unauthorized review, use,
> > > disclosure or distribution is prohibited.
> > >
> > >
> >
> >
> > This message is solely for the intended recipient(s) and may contain
> confidential
> > and privileged information.
> > Any unauthorized review, use, disclosure or distribution is prohibited.
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
> This email (including any attachments or links) may contain
> confidential and/or legally privileged information and is
> intended only to be read or used by the addressee.  If you
> are not 

[Freeipa-users] network ports requirements for a replica

2016-10-12 Thread Karl Forner
Hello,

A very simple question, but I could not find the answer. I'd like to setup
a replica on another network than my master. Is it possible to setup the
replication using only https, or other ports must be available ?

Thanks,
Karl

Re: [Freeipa-users] network ports requirements for a replica

2016-10-12 Thread Alexander Bokovoy

On ke, 12 loka 2016, Karl Forner wrote:

Hello,

A very simple question, but I could not find the answer. I'd like to setup
a replica on another network than my master. Is it possible to setup the
replication using only https, or other ports must be available ?

This is all documented, did you read the guide?
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prepping-replica.html


The replica requires additional ports to be open
   In addition to the standard IdM server port requirements described
in Section 2.1.4, “Port Requirements”, make sure the following port
requirements are complied as well:

   During the replica setup process, keep the TCP port 22 open.
This port is required in order to use SSH to connect to the master
server.
   If one of the servers is running Red Hat Enterprise Linux 6 and
has a CA installed, keep also TCP port 7389 open during and after the
replica configuration. In a purely Red Hat Enterprise Linux 7
environment, port 7389 is not required. 



Section 2.1.4:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#prereq-ports

--
/ Alexander Bokovoy


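The quoted guide answers Karl's question in the negative: a replica talks to the master over the standard IdM ports, not only HTTPS, plus TCP 22 during setup and TCP 7389 in a mixed RHEL 6/7 topology. The following is an added example, not from the thread and not FreeIPA's own code, that probes the TCP ports from the prospective replica host before running the install. The port table is an assumption drawn from the RHEL 7 guide section the reply links to (2.1.4, "Port Requirements") together with the two replica-specific ports in the quoted text; check it against the guide for your release. Kerberos, DNS and NTP also use UDP, which a plain connect cannot probe, so only TCP is tested here.

```python
"""Added example: probe the TCP ports a FreeIPA replica must reach on the
master. Not FreeIPA code; port list assumed from the RHEL 7 IdM guide."""
import socket
from typing import Dict, List, Sequence, Tuple

# (port, service, when it is needed). Assumption: RHEL 7 IdM guide 2.1.4 plus
# the replica-specific ports quoted in the reply above.
REPLICA_TCP_PORTS: List[Tuple[int, str, str]] = [
    (80, "HTTP", "required"),
    (443, "HTTPS", "required"),
    (389, "LDAP (replication runs over this)", "required"),
    (636, "LDAPS", "required"),
    (88, "Kerberos", "required (also UDP)"),
    (464, "Kerberos kpasswd", "required (also UDP)"),
    (53, "DNS", "only if the master runs the IdM DNS (also UDP)"),
    (22, "SSH", "during replica setup only"),
    (7389, "Dogtag CA on a RHEL 6 master", "only in a mixed RHEL 6/7 environment"),
]


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, filtered (timeout), DNS failure
        return False


def check_master_ports(host: str,
                       ports: Sequence[Tuple[int, str, str]] = REPLICA_TCP_PORTS,
                       timeout: float = 3.0) -> Dict[int, bool]:
    """Probe every port in the table; returns {port: reachable}."""
    return {port: tcp_open(host, port, timeout) for port, _, _ in ports}


def format_report(host: str, results: Dict[int, bool],
                  ports: Sequence[Tuple[int, str, str]] = REPLICA_TCP_PORTS) -> List[str]:
    """One line per port; failures on 'required' ports are what block ipa-replica-install."""
    lines = []
    for port, service, when in ports:
        state = "open" if results.get(port) else "BLOCKED"
        lines.append(f"{host}:{port:<5} {state:<8} {service} [{when}]")
    return lines


def listen_local() -> Tuple[socket.socket, int]:
    """Throwaway listener on 127.0.0.1 so the probe can be self-checked offline."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    import sys
    master = sys.argv[1] if len(sys.argv) > 1 else "ipa-master.example.com"  # assumed hostname
    print("\n".join(format_report(master, check_master_ports(master))))
```

Run it on the future replica against the master's hostname. A "BLOCKED" line on a required port means the firewall between the two networks has to be opened before `ipa-replica-install`, and the same ports must be reachable in the reverse direction once replication is set up, since both servers initiate LDAP connections to each other.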
[Freeipa-users] 3rd Party http certs breaking Apache

2016-10-12 Thread Joshua Ruybal
Hi,

I'm trying to add 3rd party certs for the webgui and ldap as documented
here: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

I'm able to add the CA cert.

Then add the chained cert and key via ipa-server-certinstall tool. However
when I try to restart httpd, it fails and I get the following error in the
logs.


[Wed Oct 12 12:45:47.760525 2016] [suexec:notice] [pid 2598] AH01232:
suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Oct 12 12:45:47.760648 2016] [ssl:warn] [pid 2598] AH01916: Init: (
ipa-test.example.com:443) You configured HTTP(80) on the standard
HTTPS(443) port!
[Wed Oct 12 12:45:47.760683 2016] [:warn] [pid 2598] NSSSessionCacheTimeout
is deprecated. Ignoring.
[Wed Oct 12 12:45:47.940329 2016] [:error] [pid 2598] SSL Library Error:
-8102 Certificate key usage inadequate for attempted operation.
[Wed Oct 12 12:45:47.940367 2016] [:error] [pid 2598] Unable to verify
certificate 'Signing-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so
the server can start until the problem can be resolved.


I've looked into the key, but everything seems to work as expected.

Has anyone seen this before?

Environment:
IPA VERSION: 4.2.0, API_VERSION: 2.156
CentOS 7.2

Thanks,

--Josh

Re: [Freeipa-users] 3rd Party http certs breaking Apache

2016-10-12 Thread Rob Crittenden

Joshua Ruybal wrote:

Hi,

I'm trying to add 3rd party certs for the webgui and ldap as documented
here: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

I'm able to add the CA cert.

Then add the chained cert and key via ipa-server-certinstall tool.
However when I try to restart httpd, it fails and I get the following
error in the logs.


[Wed Oct 12 12:45:47.760525 2016] [suexec:notice] [pid 2598] AH01232:
suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Oct 12 12:45:47.760648 2016] [ssl:warn] [pid 2598] AH01916: Init:
(ipa-test.example.com:443 ) You
configured HTTP(80) on the standard HTTPS(443) port!
[Wed Oct 12 12:45:47.760683 2016] [:warn] [pid 2598]
NSSSessionCacheTimeout is deprecated. Ignoring.
[Wed Oct 12 12:45:47.940329 2016] [:error] [pid 2598] SSL Library Error:
-8102 Certificate key usage inadequate for attempted operation.
[Wed Oct 12 12:45:47.940367 2016] [:error] [pid 2598] Unable to verify
certificate 'Signing-Cert'. Add "NSSEnforceValidCerts off" to nss.conf
so the server can start until the problem can be resolved.


I've looked into the key, but everything seems to work as expected.

Has anyone seen this before?

Environment:
IPA VERSION: 4.2.0, API_VERSION: 2.156
CentOS 7.2


You set NSSNickname to Signing-Cert? What is the nickname of the cert 
you imported?


# certutil -L -d /etc/httpd/alias

rob


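Rob's question is whether the nickname in nss.conf matches anything in the database; the error text adds a second condition, because NSS code -8102 is SEC_ERROR_INADEQUATE_KEY_USAGE, raised when the certificate found under that nickname does not carry key usage NSS accepts for a TLS server. The following is an added example, not from the thread and not FreeIPA, mod_nss or NSS code, that reads the two certutil listings and reports both conditions. The listings are constructed to follow certutil's text format; the nicknames come from the thread, but the trust flags and usages shown are invented for illustration and are not the poster's data.

```python
"""Added example: interpret `certutil -L -d /etc/httpd/alias` and
`certutil -L -d /etc/httpd/alias -n <nick>` for a mod_nss server cert.
Not NSS/FreeIPA code; sample outputs are constructed."""
import re
from typing import Dict, List

# Constructed stand-in for:  certutil -L -d /etc/httpd/alias
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
LetsEncrypt_X1                                               CT,,
"""

# Constructed stand-ins for the extension section of:  certutil -L -d ... -n <nick>
SAMPLE_SERVER_USAGE = """\
        Signed Extensions:
            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Key Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate
                TLS Web Client Authentication Certificate
"""

SAMPLE_CA_USAGE = """\
        Signed Extensions:
            Name: Certificate Key Usage
            Critical: True
            Usages: Certificate Signing
                    CRL Signing
"""

# nickname, two-or-more spaces, then the 'SSL,S/MIME,JAR/XPI' trust triple
_ROW = re.compile(r"^(.*?\S)\s{2,}(\S*,\S*,\S*)\s*$")


def parse_listing(text: str) -> Dict[str, str]:
    """Map nickname -> trust flags from `certutil -L` output (header lines skipped)."""
    certs: Dict[str, str] = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            certs[m.group(1)] = m.group(2)
    return certs


def parse_usage(text: str) -> Dict[str, List[str]]:
    """Collect Key Usage and Extended Key Usage entries from `certutil -L -n` output."""
    ku: List[str] = []
    eku: List[str] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name: "):
            section = {"Certificate Key Usage": ku, "Extended Key Usage": eku}.get(line[6:])
            continue
        if not line:                      # blank line ends an extension block
            section = None
            continue
        if section is None or line.startswith("Critical:"):
            continue
        if line.startswith("Usages:"):
            line = line[7:].strip()
        section.append(line)
    return {"key_usage": ku, "eku": eku}


def check_server_cert(listing: str, nickname: str, usage: str) -> List[str]:
    """Reasons mod_nss would refuse `nickname` as NSSNickname; empty list = looks usable."""
    certs = parse_listing(listing)
    if nickname not in certs:
        return [f"no certificate with nickname {nickname!r} in the database (NSSNickname mismatch)"]
    problems = []
    ssl_flags = certs[nickname].split(",")[0]
    if "u" not in ssl_flags:              # 'u' is shown only when the private key is present
        problems.append(f"{nickname!r} has SSL trust {ssl_flags!r}: no private key, cannot serve TLS")
    ext = parse_usage(usage)
    if ext["key_usage"] and not {"Digital Signature", "Key Encipherment"} & set(ext["key_usage"]):
        problems.append(f"key usage {ext['key_usage']} permits neither signing nor key "
                        f"encipherment: NSS reports -8102 for a server cert like this")
    if ext["eku"] and "TLS Web Server Authentication Certificate" not in ext["eku"]:
        problems.append("extended key usage is present but lacks TLS Web Server Authentication")
    return problems


if __name__ == "__main__":
    for nick, usage in (("Signing-Cert", SAMPLE_SERVER_USAGE), ("LetsEncrypt_X1", SAMPLE_CA_USAGE)):
        print(nick, "->", check_server_cert(SAMPLE_LISTING, nick, usage) or ["ok"])
```

Paste the real output of the two certutil commands into the two sample strings (or read them from files) and check the nickname that nss.conf actually names. `NSSEnforceValidCerts off`, suggested by the log message itself, only skips this validation at startup; it does not make a certificate with the wrong key usage, or a CA certificate selected by mistake, acceptable to clients.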

[Freeipa-users] FreeIPA Server installation on unbuntu 14.0

2016-10-12 Thread Deepak Dimri
Hi All,


I am trying to install freeIPA server on ubuntu 14.0 but i am getting Error 
"Unable to locate package freeipa-server" below is what  i am trying:


apt-get install freeipa-server -y

Reading package lists... Done

Building dependency tree

Reading state information... Done

E: Unable to locate package freeipa-server


apt-get install freeipa-client -y works just fine..


i have tried enabling universe repository in /etc/apt/sources.list and ran 
apt-get update but no luck either still getting Unable to locate package 
freeipa-server.


How can i install ipa server on ubuntu?



Thanks,

Deepak

Re: [Freeipa-users] FreeIPA Server installation on unbuntu 14.0

2016-10-12 Thread Alexander Bokovoy

On ke, 12 loka 2016, Deepak Dimri wrote:

Hi All,


I am trying to install freeIPA server on ubuntu 14.0 but i am getting Error "Unable 
to locate package freeipa-server" below is what  i am trying:


apt-get install freeipa-server -y

Reading package lists... Done

Building dependency tree

Reading state information... Done

E: Unable to locate package freeipa-server


apt-get install freeipa-client -y works just fine..


i have tried enabling universe repository in /etc/apt/sources.list and ran 
apt-get update but no luck either still getting Unable to locate package 
freeipa-server.


How can i install ipa server on ubuntu?

Use newer Ubuntu.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient

2016-10-12 Thread Ernedin Zajko
Hi Anton,

maybe you can "talk" directly to ds:
http://directory.fedoraproject.org/docs/389ds/FAQ/password-syntax.html
regards,

--- Ernedin ZAJKO
 eza...@root.ba

> 340282366920938463463374607431768211456



On Thu, Oct 13, 2016 at 1:53 AM, Anon Lister  wrote:
> Unfortunately, policy and regulation often lag behind current theory by
> several decades. For what it's worth, I'd second being able to set more
> complicated policies as a useful feature.
>
>
> On Oct 12, 2016 6:38 PM, "Simpson Lachlan" 
> wrote:
>>
>> > -Original Message-
>> > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
>> > boun...@redhat.com] On Behalf Of Bennett, Chip
>> > Sent: Thursday, 13 October 2016 7:21 AM
>> > To: Florence Blanc-Renaud; freeipa-users@redhat.com
>> > Subject: Re: [Freeipa-users] Password Complexity Requirements Seems
>> > Insufficient
>> >
>> > Flo,
>> >
>> > Thanks for getting back to me.  I had seen this in the documentation.
>> > I was just
>> > hoping that I was missing something.   I guess I'm just surprised that a
>> > product
>> > designed to manage authentication wouldn't have a way to be more
>> > specific in the
>> > complexity requirements.
>>
>>
>> I don't know. Those type of complexity requirements are multifaceted,
>> complex and somewhat arbitrary. Given that each then requires regex, I'm
>> quite happy that the devs focus on getting other aspects of FreeIPA to work
>> over password complexity.
>>
>> As xkcd noted a couple of years ago, password length is better for
>> security than anything else.
>>
>> Complex arrangements of different character classes is neither human or UX
>> friendly nor where contemporary security theory is focused - try 2FA,
>> public/private keys, etc. While I understand that large organisations have
>> policy that often drags well behind contemporary theory, I don't think it's
>> fair to expect software to also allow for that.
>>
>> Cheers
>> L.
>>
>>
>>
>>
>>
>>
>> >
>> > Thanks again!
>> > Chip
>> >
>> > -Original Message-
>> > From: Florence Blanc-Renaud [mailto:f...@redhat.com]
>> > Sent: Wednesday, October 12, 2016 3:18 PM
>> > To: Bennett, Chip ; freeipa-users@redhat.com
>> > Subject: Re: [Freeipa-users] Password Complexity Requirements Seems
>> > Insufficient
>> >
>> > On 10/11/2016 07:36 PM, Bennett, Chip wrote:
>> > > I just joined this list, so if this question has been asked before
>> > > (and I'll bet it has), I apologize in advance.
>> > >
>> > >
>> > >
>> > > A google search was unrevealing, so I'm asking here: we're running
>> > > FreeIPA Version 3.0.0 on CentOS 6.6.   It looks like the password
>> > > complexity requirements are limited to setting the number of character
>> > > classes to require, i.e. setting it to "2" would require your new
>> > > password to be any two of the character classes.
>> > >
>> > >
>> > >
>> > > What if you wanted new passwords to meet specific class requirements,
>> > > i.e. a mix of UL, LC, and numbers.  It looks like you would use a
>> > > value of "3" to accomplish this, but that would also allow UC, LC, and
>> > > special, or LC, numbers, and special, but you don't want to allow the
>> > > those:  how would you specify that?
>> > >
>> > Hi,
>> >
>> > as far as I know, it is only possible to specify the number of different
>> > character
>> > classes. The doc chapter "Creating Password Policies in the Web UI" [1]
>> > describes
>> > the following:
>> > ---
>> > Character classes sets the number of different categories of character
>> > that must be
>> > used in the password. This does not set which classes must be used; it
>> > sets the
>> > number of different (unspecified) classes which must be used in a
>> > password. For
>> > example, a character class can be a number, special character, or
>> > capital; the
>> > complete list of categories is in Table 22.1, "Password Policy
>> > Settings". This is part
>> > of setting the complexity requirements.
>> > ---
>> >
>> > hope this clarifies,
>> > Flo
>> >
>> > [1]
>> > https://access.redhat.com/documentation/en-
>> >
>> > US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_
>> >
>> > Policy_Guide/Setting_Different_Password_Policies_for_Different_User_Groups.ht
>> > ml#creating-group-policy-ui
>> >
>> >
>> > >
>> > >
>> > > Also, what if you had a requirement for more than one of the character
>> > > classes, i.e. you want to require two UC characters or two special
>> > > characters?
>> > >
>> > >
>> > >
>> > > Thanks in advance for the help,
>> > >
>> > > Chip Bennett
>> > >
>> > >
>> > >
>> > >
>> > > This message is solely for the intended recipient(s) and may contain
>> > > confidential and privileged information. Any unauthorized review, use,
>> > > disclosure or distribution is prohibited.
>> > >
>> > >
>> >
>> >
>> > This message is solely for the intended recipient(s) and may contain
>> > confidential
>> > and privileged information.
>> > Any