Re: [Freeipa-users] question about generating certificates
Исаев Виталий Анатольевич is...@fintech.ru has given me advice that the problem may be in SELinux. So I have stopped tracking the previous request with

$ sudo ipa-getcert stop-tracking -i 20131106075356

and have generated a new request:

# ipa-getcert request -f /var/lib/certmonger/requests/server.crt -k /var/lib/certmonger/requests/server.key -K postgresql/postgresql.example.com -N CN=postgresql.example.com -D postgresql.example.com

That made the desired files appear at /var/lib/certmonger/requests/. That is okay! :) But! I want them in /var/lib/pgsql/9.3/data/, so what is the problem? Why not just copy them to that directory? The problem is that when I list cert requests, I see this:

Request ID '20131106113520':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/certmonger/requests/server.key'
        certificate: type=FILE,location='/var/lib/certmonger/requests/server.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=postgresql.example.com,O=EXAMPLE.COM
        expires: 2015-11-07 11:35:20 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

We can see that the file location in that list is defined at request time. Shall I make SELinux let certmonger access /var/lib/pgsql? Or is there any other solution?

And I think that there must be a note in the documentation about such situations with SELinux.

On Wed, 06/11/2013 at 14:16 +0600, Arthur Faizullin wrote:
> Hi, everyone!
>
> I feel very uncomfortable asking this question, since usually I find the documentation easy to understand and read. (Thanks for that!) But there is a point that I could not understand. That point is generating certificates using the IPA CA.
>
> I have read about this:
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/request-service-service.html
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/certmongerX.html
> https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/getting-started.txt
> but I did not get the point! :(
>
> So, I have built a test environment as shown in the attached document; if you need details, you may look at it. In short, I have 2 servers:
> 1. IPA server: ipaserver.example.com
> 2. PostgreSQL server: postgresql.example.com
>
> PostgreSQL was chosen as an example (neither bad nor good), and I try to generate a key/certificate:
>
> $ sudo ipa-getcert request -f /home/tuser/server.crt -k /home/tuser/server.key -K postgresql/postgresql.example.com -N CN=postgresql.example.com -D postgresql.example.com
>
> I get this answer:
>
> New signing request 20131106075356 added.
>
> But what to do with this answer? I can get the list of requests, but that does not make it any clearer:
>
> $ ipa-getcert list
> Error connecting to DBus. Please verify that the message bus (D-Bus) service is running.
> [tuser@postgresql ~]$ sudo ipa-getcert list
> Number of certificates and requests being tracked: 2.
> Request ID '20131101115647':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - postgresql.example.com',token='NSS Certificate DB'
>         certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - postgresql.example.com',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=postgresql.example.com,O=EXAMPLE.COM
>         expires: 2015-11-02 11:56:48 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20131106075356':
>         status: NEED_KEY_PAIR
>         stuck: no
>         key pair storage: type=FILE,location='/home/tuser/server.key'
>         certificate: type=FILE,location='/home/tuser/server.crt'
>         CA: IPA
>         issuer:
>         subject:
>         expires: unknown
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
>
> --
> Best regards,
> Arthur Fayzullin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
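The `ipa-getcert list` output in the thread is what an operator has to read to tell a healthy request (MONITORING, with a file or NSS location chosen at request time) from one that never got a key pair (NEED_KEY_PAIR). What follows is an added example, not code from the thread or from certmonger: a small Python parser for that listing plus a check that flags the requests a monitoring job should alert on. The sample text is constructed from the two entries in the post (trimmed to the fields used), and the alert rules and `warn_days` threshold are my own assumptions.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample input, trimmed from the two entries Arthur pasted from
# `sudo ipa-getcert list` (one NSS-database-backed host certificate, one
# file-backed request that never received a key pair). Not captured live.
SAMPLE_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20131101115647':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - postgresql.example.com',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - postgresql.example.com',token='NSS Certificate DB'
\texpires: 2015-11-02 11:56:48 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20131106075356':
\tstatus: NEED_KEY_PAIR
\tstuck: no
\tkey pair storage: type=FILE,location='/home/tuser/server.key'
\tcertificate: type=FILE,location='/home/tuser/server.crt'
\texpires: unknown
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")
STORAGE_RE = re.compile(r"type=(\w+),location='([^']*)'")


def parse_getcert_list(text):
    """Turn `getcert list` output into one dict per tracked request.

    Field names are kept as certmonger prints them ("status", "expires", ...);
    the two storage lines additionally get "<field> type" / "<field> location".
    """
    requests = []
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None:
            continue  # the "Number of certificates ..." header line
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        current[key] = value
        if key in ("key pair storage", "certificate"):
            s = STORAGE_RE.search(value)
            if s:
                current[key + " type"] = s.group(1)
                current[key + " location"] = s.group(2)
    return requests


def parse_expiry(value):
    """certmonger prints 'YYYY-MM-DD HH:MM:SS UTC', or 'unknown' before issuance."""
    if value in ("", "unknown"):
        return None
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def utc(year, month, day):
    """Aware UTC timestamp used as "now" by the checks."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def find_problems(requests, now, warn_days=30):
    """Return (request id, reason) pairs a monitoring job should alert on.

    Rules are assumptions for this example: not MONITORING, flagged stuck,
    no certificate issued, expiring within warn_days, or no longer tracked.
    """
    problems = []
    for r in requests:
        rid = r["id"]
        if r.get("status") != "MONITORING":
            problems.append((rid, "status is %s, not MONITORING" % r.get("status")))
        if r.get("stuck") == "yes":
            problems.append((rid, "certmonger reports the request as stuck"))
        expiry = parse_expiry(r.get("expires", ""))
        if expiry is None:
            problems.append((rid, "no certificate issued yet (expiry unknown)"))
        elif expiry - now < timedelta(days=warn_days):
            problems.append((rid, "certificate expires %s" % expiry.isoformat()))
        if r.get("track") != "yes":
            problems.append((rid, "request is not tracked"))
    return problems


if __name__ == "__main__":
    # Feed real output with:  sudo ipa-getcert list | python3 this_script.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LIST
    for rid, reason in find_problems(parse_getcert_list(text), datetime.now(timezone.utc)):
        print("%s: %s" % (rid, reason))
```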
Re: [Freeipa-users] Requesting contact with users running PassSync AD - FreeIPA
On 11/05/2013 02:05 PM, EP wrote:
> Thanks for your answers so far.
>
> A question about cross realm trusts though: this requires the AD servers to be available when doing a login via FreeIPA, right? Or is FreeIPA caching information from AD? We don't want Linux logins to be dependent on a Windows server being available, that won't end well :)

Yes, it is, because the authentication actually happens against the domain the user belongs to. If the user is in AD then AD will authenticate the user, and then the tickets will be exchanged between domains to allow the user to access services in other domains. If you want users to be in IPA then you would have to sync.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Revisiting ILO
On 11/05/2013 02:51 PM, KodaK wrote:
> If I use the whole connection string:
>
> uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com
>
> I can authenticate.

Does this count as SOLVED? If so, can you please reply with SOLVED in the subject?

> On Tue, Nov 5, 2013 at 1:40 PM, KodaK sako...@gmail.com wrote:
>> I'm attempting to get HP ILO authenticating against IPA again. I've configured the user context in ILO as:
>>
>> cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com
>>
>> When ILO tries to connect, it sends the string:
>>
>> CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com
>>
>> Which, of course, doesn't exist. IPA uses uid=username, but as far as I can tell I can't tell ILO to use a different username attribute. It doesn't even look like it's trying to use a username attribute. I've tried to force it to look for uid=jebalicki by using uid=jebalicki in the login field, but that fails too.
>>
>> The errors in the errors log look like this:
>>
>> [05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file ipa_lockout.c, line 645]: Failed to retrieve entry jebalicki: 32
>> [05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file ipa_lockout.c, line 421]: Failed to retrieve entry jebalicki: 32
>> [05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file ipa_lockout.c, line 645]: Failed to retrieve entry CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
>> [05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file ipa_lockout.c, line 421]: Failed to retrieve entry CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
>> [05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file ipa_lockout.c, line 645]: Failed to retrieve entry jebalicki: 32
>> [05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file ipa_lockout.c, line 421]: Failed to retrieve entry jebalicki: 32
>> [05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file ipa_lockout.c, line 645]: Failed to retrieve entry CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
>> [05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file ipa_lockout.c, line 421]: Failed to retrieve entry CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
>> [05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file ipa_lockout.c, line 645]: Failed to retrieve entry jebalicki: 32
>> [05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file ipa_lockout.c, line 421]: Failed to retrieve entry jebalicki: 32
>> [05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file ipa_lockout.c, line 645]: Failed to retrieve entry CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
>> [05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file ipa_lockout.c, line 421]: Failed to retrieve entry CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
>> [05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line 645]: Failed to retrieve entry uid=jebalicki: 32
>> [05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line 421]: Failed to retrieve entry uid=jebalicki: 32
>> [05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line 645]: Failed to retrieve entry CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
>> [05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line 421]: Failed to retrieve entry CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
>> [05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line 645]: Failed to retrieve entry uid=jebalicki: 32
>> [05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line 421]: Failed to retrieve entry uid=jebalicki: 32
>> [05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line 645]: Failed to retrieve entry CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
>> [05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line 421]: Failed to retrieve entry CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
>> [05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line 645]: Failed to retrieve entry uid=jebalicki: 32
>> [05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line 421]: Failed to retrieve entry uid=jebalicki: 32
>> [05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line 645]: Failed to retrieve entry CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
>> [05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line 421]: Failed to retrieve entry
[Freeipa-users] New login procedure for FreeIPA wiki - need advice!
Hello,

We are trying to make access to the FreeIPA wiki easier and allow contributions without additional overhead. In the past, to make any change to the wiki one had to have a special wiki account. The procedure of creating such an account was cumbersome.

We added support for OpenID. Among available providers we selected to support the Fedora accounting system, at least for now. OpenID configuration allows other providers like Google or Yahoo, but we were concerned that trusting them might allow spam bots to connect and pollute the wiki. Maybe we are over-cautious and we should open up to those providers? We are seeking advice from you on what is better.

Right now it does not allow logins with old accounts any more, only with OpenID. Unfortunately it is all or nothing. But we do not want people that had accounts and were able to contribute in the past but do not have a Fedora account to lose the ability to contribute.

Any ideas and suggestions welcome!

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] question about generating certificates
On Wed, 06 Nov 2013, Arthur Faizullin wrote:
> Исаев Виталий Анатольевич is...@fintech.ru has given me advice that the problem may be in SELinux. So I have stopped tracking the previous request with
>
> $ sudo ipa-getcert stop-tracking -i 20131106075356
>
> and have generated a new request:
>
> # ipa-getcert request -f /var/lib/certmonger/requests/server.crt -k /var/lib/certmonger/requests/server.key -K postgresql/postgresql.example.com -N CN=postgresql.example.com -D postgresql.example.com
>
> That made the desired files appear at /var/lib/certmonger/requests/. That is okay! :) But! I want them in /var/lib/pgsql/9.3/data/, so what is the problem? Why not just copy them to that directory? The problem is that when I list cert requests, I see this:
>
> Request ID '20131106113520':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=FILE,location='/var/lib/certmonger/requests/server.key'
>         certificate: type=FILE,location='/var/lib/certmonger/requests/server.crt'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=postgresql.example.com,O=EXAMPLE.COM
>         expires: 2015-11-07 11:35:20 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
>
> We can see that the file location in that list is defined at request time. Shall I make SELinux let certmonger access /var/lib/pgsql? Or is there any other solution?

certmonger does run under the certmonger_t SELinux type and system_r role. It can already write to file contexts named certmonger_*_t and cert_t. For storing certificates you would need to use the cert_t file context.

mkdir -p /var/lib/pgsql/9.3/data/certs
semanage fcontext -a -t cert_t '/var/lib/pgsql/9.3/data/certs(/.*)?'
restorecon -R -v /var/lib/pgsql/9.3/data/certs

I would advise you against placing the files directly in /var/lib/pgsql/9.3/data as opposed to the subdirectory. It is safer to specify the path to the certificate in the pgsql configuration.

> And I think that there must be a note in the documentation about such situations with SELinux.

Yes. You can also install the selinux-policy-devel package and read the certmonger_selinux(8) manpage.

Can you open a ticket against FreeIPA documentation?

--
/ Alexander Bokovoy
Re: [Freeipa-users] question about generating certificates
On 11/06/2013 07:01 AM, Arthur Faizullin wrote:
> Исаев Виталий Анатольевич is...@fintech.ru has given me advice that the problem may be in SELinux. So I have stopped tracking the previous request with
>
> $ sudo ipa-getcert stop-tracking -i 20131106075356
>
> and have generated a new request:
>
> # ipa-getcert request -f /var/lib/certmonger/requests/server.crt -k /var/lib/certmonger/requests/server.key -K postgresql/postgresql.example.com -N CN=postgresql.example.com -D postgresql.example.com
>
> That made the desired files appear at /var/lib/certmonger/requests/. That is okay! :) But! I want them in /var/lib/pgsql/9.3/data/, so what is the problem? Why not just copy them to that directory? The problem is that when I list cert requests, I see this:
>
> Request ID '20131106113520':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=FILE,location='/var/lib/certmonger/requests/server.key'
>         certificate: type=FILE,location='/var/lib/certmonger/requests/server.crt'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=postgresql.example.com,O=EXAMPLE.COM
>         expires: 2015-11-07 11:35:20 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
>
> We can see that the file location in that list is defined at request time. Shall I make SELinux let certmonger access /var/lib/pgsql? Or is there any other solution?

I think yes. And I recall this is not the first time this comes up. My memory might be failing me, but I vaguely remember that we discussed this. However, I could not find any bug or ticket on the matter, so I created this:
https://bugzilla.redhat.com/show_bug.cgi?id=1027265

> And I think that there must be a note in the documentation about such situations with SELinux.
>
> On Wed, 06/11/2013 at 14:16 +0600, Arthur Faizullin wrote:
>> Hi, everyone!
>>
>> I feel very uncomfortable asking this question, since usually I find the documentation easy to understand and read. (Thanks for that!) But there is a point that I could not understand. That point is generating certificates using the IPA CA.
>>
>> I have read about this:
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/request-service-service.html
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/certmongerX.html
>> https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/getting-started.txt
>> but I did not get the point! :(
>>
>> So, I have built a test environment as shown in the attached document; if you need details, you may look at it. In short, I have 2 servers:
>> 1. IPA server: ipaserver.example.com
>> 2. PostgreSQL server: postgresql.example.com
>>
>> PostgreSQL was chosen as an example (neither bad nor good), and I try to generate a key/certificate:
>>
>> $ sudo ipa-getcert request -f /home/tuser/server.crt -k /home/tuser/server.key -K postgresql/postgresql.example.com -N CN=postgresql.example.com -D postgresql.example.com
>>
>> I get this answer:
>>
>> New signing request 20131106075356 added.
>>
>> But what to do with this answer? I can get the list of requests, but that does not make it any clearer:
>>
>> $ ipa-getcert list
>> Error connecting to DBus. Please verify that the message bus (D-Bus) service is running.
>> [tuser@postgresql ~]$ sudo ipa-getcert list
>> Number of certificates and requests being tracked: 2.
>> Request ID '20131101115647':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - postgresql.example.com',token='NSS Certificate DB'
>>         certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - postgresql.example.com',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>         subject: CN=postgresql.example.com,O=EXAMPLE.COM
>>         expires: 2015-11-02 11:56:48 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20131106075356':
>>         status: NEED_KEY_PAIR
>>         stuck: no
>>         key pair storage: type=FILE,location='/home/tuser/server.key'
>>         certificate: type=FILE,location='/home/tuser/server.crt'
>>         CA: IPA
>>         issuer:
>>         subject:
>>         expires: unknown
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>>
>> --
>> Best regards,
>> Arthur Fayzullin

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Looking to carve out IT costs?
Re: [Freeipa-users] ui login error and questions about replication
On 11/05/2013 10:16 PM, Rob Crittenden wrote:
> If you have deployed the original IPA server with integrated CA, then your other replicas had better have at least one with CA configured to allow proper recovery in case the primary one is destroyed.
>
> Are there any caveats to not deploying CA on all replicas as a simple solution?
>
> You don't need a CA on every single replica, but you probably want at least two.

It is important to understand that the CA is crucial to IPA, so if for some reason you lose all the replicas that have a CA you are facing a redeployment. This is why we suggest having enough replicas with CA and also periodically snapshotting one of the replicas with CA, so that if everything is lost you can recover from the snapshot. We are working on a more comprehensive disaster recovery document, but it is worth mentioning it here.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] ui login error and questions about replication
On 11/06/2013 02:08 AM, Rich Megginson wrote:
> On 11/05/2013 04:23 PM, Tamas Papp wrote:
>> On 11/05/2013 09:25 PM, Rich Megginson wrote:
>>> On 11/05/2013 01:03 PM, Tamas Papp wrote:
>>>> On 11/05/2013 03:58 PM, Rich Megginson wrote:
>>>>> On 11/05/2013 07:53 AM, Tamas Papp wrote:
>>>>>> On 11/05/2013 03:17 PM, Rich Megginson wrote:
>>>>>>> https://fedorahosted.org/389/ticket/47516
>>>>>>>
>>>>>>> This has been fixed upstream and in some releases - to allow replication to proceed despite excessive clock skew - what is your 389-ds-base version and platform?
>>>>>>
>>>>>> What is the clock skewed? The date and time is the same on both machines.
>>>>>
>>>>> VMs are notorious for having the clocks get out of sync - even temporarily.
>>>>
>>>> What do you mean by this? I definitely see the same time on the machines.
>>>> Also I can see in the log that the replication is resumed. There are no messages about the broken replication after the resume message.
>>>>
>>>> freeipa-admintools-3.3.2-1.fc19.x86_64
>>>> freeipa-client-3.3.2-1.fc19.x86_64
>>>> freeipa-python-3.3.2-1.fc19.x86_64
>>>> freeipa-server-3.3.2-1.fc19.x86_64
>>>> libipa_hbac-1.11.1-4.fc19.x86_64
>>>> libipa_hbac-python-1.11.1-4.fc19.x86_64
>>>> sssd-ipa-1.11.1-4.fc19.x86_64
>>>> 389-ds-base-libs-1.3.1.12-1.fc19.x86_64
>>>> 389-ds-base-1.3.1.12-1.fc19.x86_64
>>>>
>>>> Linux ipa31.bph.cxn 3.11.6-201.fc19.x86_64 #1 SMP Sat Nov 2 14:09:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
>>>>
>>>> Fedora 19.
>>>>
>>>> How can I fix it?
>>>
>>> ldapmodify -x -D "cn=directory manager" -W <<EOF
>>> dn: cn=config
>>> changetype: modify
>>> replace: nsslapd-ignore-time-skew
>>> nsslapd-ignore-time-skew: on
>>> EOF
>>>
>>> Do this on all of your servers.
>>
>> I tried this, but no joy. Still not good :/
>
> Can you describe the exact steps you took, on all replicas?

I created ldif files:

# cat replication_ignore-time-skew.ldif
dn: cn=config
changetype: modify
replace: nsslapd-ignore-time-skew
nsslapd-ignore-time-skew: on

Then:

$ ldapmodify -x -D "cn=directory manager" -W -f replication_ignore-time-skew.ldif

But I don't see the changes:

# ldapsearch -x | grep -i ignore

> ldapsearch -x -D "cn=directory manager" -W -s base -b cn=config 'objectclass=*' nsslapd-ignore-time-skew

You're right, I tried it with the wrong base dn.

Thanks,
tamas
Re: [Freeipa-users] ui login error and questions about replication
On 11/06/2013 02:07 AM, Rich Megginson wrote:
> On 11/05/2013 04:34 PM, Tamas Papp wrote:
>> On 11/05/2013 03:58 PM, Rich Megginson wrote:
>>> On 11/05/2013 07:53 AM, Tamas Papp wrote:
>>>> On 11/05/2013 03:17 PM, Rich Megginson wrote:
>>>>> https://fedorahosted.org/389/ticket/47516
>>>>>
>>>>> This has been fixed upstream and in some releases - to allow replication to proceed despite excessive clock skew - what is your 389-ds-base version and platform?
>>>>
>>>> What is the clock skewed? The date and time is the same on both machines.
>>>
>>> VMs are notorious for having the clocks get out of sync - even temporarily.
>>
>> Eventually you were right; it looks like the problem is related to the virtualization, thanks for the tip.
>>
>> Although I wouldn't say it's because of messy VMs. It definitely must be a software bug or misconfiguration, otherwise a VM should always look the same as a bare metal machine.
>>
>> Actually in my specific case I don't see the reason why it is working with <clock offset='utc'/> and not with <clock offset='localtime'/> if the time in the VM is synchronized after bootup.
>
> You can file a ticket.

I'm not absolutely sure that this was the root cause of the problem.

tamas
Re: [Freeipa-users] rhel 5 client in a rhel 6 domain?
Armstrong, Kenneth Lawrence klarmstrong2@... writes:

hi.. has the problem been fixed???
Re: [Freeipa-users] ui login error and questions about replication
On 11/06/2013 04:16 AM, Rob Crittenden wrote:
>> 5. If I have a network like this:
>>
>> A1__B1
>> A2  B2
>>
>> A2 and B1,2 are replicated from A1.
>> If the connection gets lost between the A and B sites, are B1 and 2 (and A1,2) replicated fine?
>
> I assume from the above that B1 does not know about B2 (and vice versa)?

Well, that is actually one of the questions. B1 and B2 are on the same site and are failover nodes from the point of view of clients.

> You can manage the replication topology with ipa-replica-manage connect and disconnect. So if you want B1 and B2 connected you can do that.
>
> Once connectivity between sites A and B is restored, all unreplicated data will be replicated. There could be conflicts if there were changes on both sides during the split, but the majority of them are solved automatically by 389-ds.

The main question is that B1 and B2 are not replicated to each other automatically?

>> What about the case if
>>
>> A1 -- replication -- A2 --- replication --- B1 -- replication -- B2
>>
>> If B1 gets destroyed, how do B2 and A2 (and A1) get synchronized? Especially automatically...? Is there such a failover configuration?
>
> No, the masters only replicate to the ones you tell them to, so if B1 went away forever then B2 would never get any other updates unless you explicitly made a connection to A1 or A2.

Can the replication agreement be circular? A2-A1-B1-B2-A2?

Thanks,
tamas
Re: [Freeipa-users] External CA
On 11/06/2013 06:32 AM, William Leese wrote:
> Hi,
>
> Trying to install FreeIPA and have it a sub-CA of an existing one. Sadly I'm not getting anywhere.
>
> The version I have installed: ipa-server-3.0.0-26.el6_4.4.x86_64
>
> This is what I run:
>
> ipa-server-install -U -a testtest -p testtest --external_cert_file=/root/server.pem --external_ca_file=/root/cacert.pem -p testtest -P testtest -r MELTWATER.COM
>
> Which runs this as part of the process:
>
> /usr/bin/pkisilent ConfigureCA -cs_hostname vagrant-centos-6.meltwater.com -cs_port 9445 -client_certdb_dir /tmp/tmp-bOrwSu -client_certdb_pwd testtest -preop_pin 4hdia3IvPvf27Qo7kBbO -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password testtest -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=MELTWATER.COM -ldap_host vagrant-centos-6.meltwater.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password testtest -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd testtest -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MELTWATER.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MELTWATER.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MELTWATER.COM -ca_server_cert_subject_name CN=vagrant-centos-6.meltwater.com,O=MELTWATER.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=MELTWATER.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=MELTWATER.COM -external true -ext_ca_cert_file /root/server.pem -ext_ca_cert_chain_file /root/cacert.pem
>
> All this results in this in the log:
>
> <errorString>Failed to create pkcs12 file.</errorString>
> [snip]
> Error in BackupPanel(): updateStatus value is null
> ERROR: ConfigureCA: BackupPanel() failure
> ERROR: unable to create CA

Can you attach the full error from the log?

> Interestingly, adding the option -save_p12 false to the pkisilent command above results in:
>
> importCert string: importing with nickname: ipa-ca-agent
> Already logged into to DB
> ERROR:exception importing cert Security library failed to decode certificate package: (-8183) security library: improperly formatted DER-encoded message.
> ERROR: AdminCertImportPanel() during cert import
> ERROR: ConfigureCA: AdminCertImportPanel() failure
> ERROR: unable to create CA
>
> While the option change seemed innocent, I honestly don't know if it's crucial to the install or not. Anyhow, things don't really progress anyway.
>
> I followed the documentation by signing the /root/ipa.csr with a test, internal CA, but somehow I can't get the install to proceed.
>
> [root@vagrant-centos-6 CA]# cat /root/server.pem
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 2 (0x2)
>     Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=JP, ST=TK, L=TKK, O=MW, OU=ops, CN=vagrant.localdomain/emailAddress=t...@t.com
>         Validity
>             Not Before: Nov  6 05:12:09 2013 GMT
>             Not After : Nov  6 05:12:09 2014 GMT
>         Subject: O=MELTWATER.COM, CN=Certificate Authority
> [snip]
> -----BEGIN CERTIFICATE-----
> MIIDfDCCAmSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADB5MQswCQYDVQQGEwJKUDEL
> MAkGA1UECAwCVEsxDDAKBgNVBAcMA1RLSzELMAkGA1UECgwCTVcxDDAKBgNVBAsM
> A29wczEcMBoGA1UEAwwTdmFncmFudC5sb2NhbGRvbWFpbjEWMBQGCSqGSIb3DQEJ
> [snip]

Try removing everything before the -----BEGIN CERTIFICATE----- line from the PEM.

> [root@vagrant-centos-6 CA]# cat /root/cacert.pem
> -----BEGIN CERTIFICATE-----
> MIIDxTCCAq2gAwIBAgIJALIzKeNrwx2lMA0GCSqGSIb3DQEBBQUAMHkxCzAJBgNV
> BAYTAkpQMQswCQYDVQQIDAJUSzEMMAoGA1UEBwwDVEtLMQswCQYDVQQKDAJNVzEM
> MAoGA1UECwwDb3BzMRwwGgYD
> [snip]
>
> Any help would be welcome.

--
Petr³
Re: [Freeipa-users] question about generating certificates
Dmitri Pal wrote:
> On 11/06/2013 07:01 AM, Arthur Faizullin wrote:
>> Исаев Виталий Анатольевич is...@fintech.ru has given me advice that the problem may be in SELinux. So I have stopped tracking the previous request with
>>
>> $ sudo ipa-getcert stop-tracking -i 20131106075356
>>
>> and have generated a new request:
>>
>> # ipa-getcert request -f /var/lib/certmonger/requests/server.crt -k /var/lib/certmonger/requests/server.key -K postgresql/postgresql.example.com -N CN=postgresql.example.com -D postgresql.example.com
>>
>> That made the desired files appear at /var/lib/certmonger/requests/. That is okay! :) But! I want them in /var/lib/pgsql/9.3/data/, so what is the problem? Why not just copy them to that directory? The problem is that when I list cert requests, I see this:
>>
>> Request ID '20131106113520':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=FILE,location='/var/lib/certmonger/requests/server.key'
>>         certificate: type=FILE,location='/var/lib/certmonger/requests/server.crt'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>         subject: CN=postgresql.example.com,O=EXAMPLE.COM
>>         expires: 2015-11-07 11:35:20 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>>
>> We can see that the file location in that list is defined at request time. Shall I make SELinux let certmonger access /var/lib/pgsql? Or is there any other solution?
>
> I think yes. And I recall this is not the first time this comes up. My memory might be failing me, but I vaguely remember that we discussed this. However, I could not find any bug or ticket on the matter, so I created this:
> https://bugzilla.redhat.com/show_bug.cgi?id=1027265

Typically in Fedora and RHEL certs are expected to go into /etc/pki/tls/certs and keys into /etc/pki/tls/private. These directories have the correct SELinux contexts.

rob
Re: [Freeipa-users] ui login error and questions about replication
On 11/06/2013 06:41 AM, Tamas Papp wrote:
> On 11/06/2013 04:16 AM, Rob Crittenden wrote:
>>> 5. If I have a network like this:
>>>
>>> A1__B1
>>> A2  B2
>>>
>>> A2 and B1,2 are replicated from A1.
>>> If the connection gets lost between the A and B sites, are B1 and 2 (and A1,2) replicated fine?
>>
>> I assume from the above that B1 does not know about B2 (and vice versa)?
>
> Well, that is actually one of the questions. B1 and B2 are on the same site and are failover nodes from the point of view of clients.
>
>> You can manage the replication topology with ipa-replica-manage connect and disconnect. So if you want B1 and B2 connected you can do that.
>>
>> Once connectivity between sites A and B is restored, all unreplicated data will be replicated. There could be conflicts if there were changes on both sides during the split, but the majority of them are solved automatically by 389-ds.
>
> The main question is that B1 and B2 are not replicated to each other automatically?
>
>>> What about the case if
>>>
>>> A1 -- replication -- A2 --- replication --- B1 -- replication -- B2
>>>
>>> If B1 gets destroyed, how do B2 and A2 (and A1) get synchronized? Especially automatically...? Is there such a failover configuration?
>>
>> No, the masters only replicate to the ones you tell them to, so if B1 went away forever then B2 would never get any other updates unless you explicitly made a connection to A1 or A2.
>
> Can the replication agreement be circular? A2-A1-B1-B2-A2?

Yes.

> Thanks,
> tamas
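The chain-versus-ring question settled above can be checked mechanically before a replica is lost rather than after. The following is an added example, not part of the thread and not ipa-replica-manage's own code: it models replication agreements as undirected edges (IPA agreements replicate in both directions) and reports which surviving masters stop receiving updates when a given master or site link fails, and which masters are single points of failure. The topologies are constructed from the diagrams in the thread; reading the first diagram as A2, B1 and B2 each having an agreement only with A1 is my assumption.

```python
from collections import deque

# Constructed topologies taken from the thread's diagrams (assumption: in the
# first diagram A2, B1 and B2 each have a single agreement, with A1).
MASTERS = ["A1", "A2", "B1", "B2"]
STAR = [("A1", "A2"), ("A1", "B1"), ("A1", "B2")]
CHAIN = [("A1", "A2"), ("A2", "B1"), ("B1", "B2")]        # A1 -- A2 -- B1 -- B2
RING = [("A2", "A1"), ("A1", "B1"), ("B1", "B2"), ("B2", "A2")]  # A2-A1-B1-B2-A2


def _adjacency(agreements, failed_masters=(), failed_links=()):
    """Undirected adjacency of the agreements that are still usable."""
    down = set(failed_masters)
    cut = {frozenset(link) for link in failed_links}
    adj = {}
    for a, b in agreements:
        if a in down or b in down or frozenset((a, b)) in cut:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)  # IPA agreements replicate both ways
    return adj


def components(agreements, masters, failed_masters=(), failed_links=()):
    """Groups of surviving masters that still converge on the same data.

    One group means every survivor eventually sees every update; more than
    one means the topology is split and changes stop flowing between groups.
    """
    adj = _adjacency(agreements, failed_masters, failed_links)
    survivors = set(masters) - set(failed_masters)
    seen, groups = set(), []
    for start in sorted(survivors):
        if start in seen:
            continue
        group, queue = {start}, deque([start])
        while queue:  # breadth-first walk over the usable agreements
            node = queue.popleft()
            for nxt in adj.get(node, ()):
                if nxt not in group:
                    group.add(nxt)
                    queue.append(nxt)
        seen |= group
        groups.append(frozenset(group))
    return groups


def single_points_of_failure(agreements, masters):
    """Masters whose loss alone would split the survivors into several groups."""
    return sorted(m for m in masters
                  if len(components(agreements, masters, failed_masters=(m,))) > 1)


def stranded_after_loss(agreements, masters, lost):
    """Survivors cut off from the largest surviving group when `lost` is destroyed."""
    groups = components(agreements, masters, failed_masters=(lost,))
    largest = max(groups, key=len)
    return sorted(set(masters) - {lost} - largest)


if __name__ == "__main__":
    for name, topo in (("star", STAR), ("chain", CHAIN), ("ring", RING)):
        print("%s: single points of failure %s; B1 lost strands %s" % (
            name, single_points_of_failure(topo, MASTERS),
            stranded_after_loss(topo, MASTERS, "B1")))
```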
Re: [Freeipa-users] New login procedure for FreeIPA wiki - need advice!
Have you guys/gals considered using Sphinx (http://sphinx-doc.org/) instead (perhaps in conjunction with ReadTheDocs.org, https://readthedocs.org/)? The documentation source can then be hosted on GitHub. For live examples, check out:

- Salt Cloud's Documentation: https://salt-cloud.readthedocs.org/en/latest/; or
- Gate One Documentation: http://liftoff.github.io/GateOne/About/index.html

-Pablo

vDevices.com http://vdevices.com/ | Providing Hosted IT Solutions for Lawyers & Other Mobile Professionals

On Wed, Nov 6, 2013 at 6:38 AM, Dmitri Pal d...@redhat.com wrote:
> Hello,
>
> We are trying to make access to the FreeIPA wiki easier and allow contributions without additional overhead. In the past, to make any change to the wiki one had to have a special wiki account. The procedure of creating such an account was cumbersome. We added support for OpenID. Among the available providers we selected to support the Fedora account system, at least for now. The OpenID configuration allows other providers like Google or Yahoo, but we were concerned that trusting them might allow spam bots to connect and pollute the wiki. Maybe we are over-cautious and we should open up to those providers? We are seeking advice from you on what is better.
>
> Right now it does not allow logins with old accounts any more, only with OpenID. Unfortunately it is all or nothing. But we do not want people that had accounts and were able to contribute in the past, but do not have a Fedora account, to lose the ability to contribute.
>
> Any ideas and suggestions welcome!
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
Re: [Freeipa-users] New login procedure for FreeIPA wiki - need advice!
On Wed, 06 Nov 2013, Pablo Carranza wrote:
> Have you guys/gals considered using Sphinx (http://sphinx-doc.org/) instead (perhaps in conjunction with ReadTheDocs.org, https://readthedocs.org/)?

I'm not sure how it helps -- we need a wiki working on FreeIPA org; it is part of our development routine to work jointly on feature development and we use the wiki for that purpose -- see http://www.freeipa.org/page/V3_Designs

We also have no need to use alternative hosting, the current one is fine, so GitHub is not really a solution.

--
/ Alexander Bokovoy
[Freeipa-users] OpenLDAP migration issues
I'm attempting to migrate our OpenLDAP+Kerberos authentication scheme to FreeIPA. Running the following migration command:

  ipa migrate-ds --bind-dn=cn=admin,dc=foo,dc=com --base-dn=dc=foo,dc=com --user-container=ou=users --group-container=ou=group --user-objectclass=posixAccount --group-objectclass=posixGroup ldap://ldap.foo.com

results in this error in /var/log/httpd/error_log:

  ValueError: unable to convert the attribute krbPrincipalKey value

I've tried to exclude the attribute using --user-attribute-ignore=krbPrincipalKey, but am still receiving the same error message.

Our server is running Fedora 19 with the latest version of FreeIPA available. Anyone have any ideas on how I can resolve this?

-Ryan
Re: [Freeipa-users] New login procedure for FreeIPA wiki - need advice!
On 11/06/2013 03:33 PM, Alexander Bokovoy wrote:
> On Wed, 06 Nov 2013, Pablo Carranza wrote:
>> Have you guys/gals considered using Sphinx (http://sphinx-doc.org/) instead (perhaps in conjunction with ReadTheDocs.org, https://readthedocs.org/)?

Yes, we considered it. Sphinx and ReadTheDocs are great for a library, but we're not really making a library. The tools we have now work well for us.

That said, if we wanted to document ipapython or ipaldap and make them available for projects other than IPA, I think Sphinx would be the tool to use.

> I'm not sure how it helps -- we need a wiki working on FreeIPA org; it is part of our development routine to work jointly on feature development and we use the wiki for that purpose -- see http://www.freeipa.org/page/V3_Designs
>
> We also have no need to use alternative hosting, the current one is fine, so GitHub is not really a solution.

The developer docs, HOWTOs, release info, etc. are fine on the wiki. IPA's end-user documentation is in Docbook/Publican, hosted at https://git.fedorahosted.org/git/docs/freeipa-guide.git -- once we make it presentable we'll host the built docs on freeipa.org as well. (Of course it's a Git repo, anyone is free to make a mirror on GitHub. I'm sure you can find one :P)

--
Petr³
[Freeipa-users] trying to setup cert with an internal CA
Hi,

We have our own in-house CA. I ran

  ipa-server-install -a secret12 -r EXAMPLE.COM -P password -p secret12 -n ipaserver.example.com --external-ca

It generated ipa.csr as expected. I used openssl to sign it on our internal CA. I got the .crt file. I assume I need the private KEY that the IPA server generated when it did the install, and I assume I need the ipa-getcert command to find it? I can't seem to find it. I am doing this because I assume I have to combine the CA files into a chain file and convert them to .p12 format?

This is on:

  Linux rdsdev01.com 3.4.61-9.el6.centos.alt.x86_64 #1 SMP Wed Sep 11 15:34:17 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

  cat /etc/redhat-release
  CentOS release 6.4 (Final)

  rpm -qav|grep -i ipa
  ipa-python-3.0.0-26.el6_4.4.x86_64
  ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
  ipa-pki-ca-theme-9.0.3-7.el6.noarch
  libipa_hbac-1.9.2-82.10.el6_4.x86_64
  libipa_hbac-python-1.9.2-82.10.el6_4.x86_64
  ipa-client-3.0.0-26.el6_4.4.x86_64
  ipa-server-3.0.0-26.el6_4.4.x86_64
  ipa-pki-common-theme-9.0.3-7.el6.noarch
  ipa-admintools-3.0.0-26.el6_4.4.x86_64
Re: [Freeipa-users] rhel 5 client in a rhel 6 domain?
On 11/06/2013 12:15 AM, indira wrote:
> Armstrong, Kenneth Lawrence klarmstrong2@... writes:
>
> hi.. has the problem been fixed???

Was a ticket filed?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] OpenLDAP migration issues
Ryan M. Casey wrote:
> I'm attempting to migrate our OpenLDAP+Kerberos authentication scheme to FreeIPA. Running the following migration command:
>
>   ipa migrate-ds --bind-dn=cn=admin,dc=foo,dc=com --base-dn=dc=foo,dc=com --user-container=ou=users --group-container=ou=group --user-objectclass=posixAccount --group-objectclass=posixGroup ldap://ldap.foo.com
>
> results in this error in /var/log/httpd/error_log:
>
>   ValueError: unable to convert the attribute krbPrincipalKey value
>
> I've tried to exclude the attribute using --user-attribute-ignore=krbPrincipalKey, but am still receiving the same error message.
>
> Our server is running Fedora 19 with the latest version of FreeIPA available. Anyone have any ideas on how I can resolve this?

I think that IPA is having an issue with the data in your LDAP server, at least for one record. I think in this case the syntax of the entry doesn't match what we expect it to be.

The ignore is applied after reading in the remote entry, so if we can't understand it then it never gets far enough to ignore it. This is being looked at in development versions.

So I think the first step would be to find the offending entry.

rob
[Freeipa-users] reboot required after ipa-client-install?
After building a new VM and configuring the IPA 3.3.2 client, Gnome seems to only perform a local log-in until the system is rebooted. SSH works with IPA, but not Gnome. Is this correct? Is there anything less disruptive than a reboot that I can do?
Re: [Freeipa-users] question about generating certificates
On Wed, 06/11/2013 at 14:52 +0200, Alexander Bokovoy wrote:
> On Wed, 06 Nov 2013, Arthur Faizullin wrote:
>> Исаев Виталий Анатольевич is...@fintech.ru has given me the advice that the problem may be in SELinux. So I have stopped tracking the previous request with
>>
>>   $ sudo ipa-getcert stop-tracking -i 20131106075356
>>
>> and have generated a new request:
>>
>>   # ipa-getcert request -f /var/lib/certmonger/requests/server.crt -k /var/lib/certmonger/requests/server.key -K postgresql/postgresql.example.com -N CN=postgresql.example.com -D postgresql.example.com
>>
>> That made the desired files appear at /var/lib/certmonger/requests/. That is okay! :) But! I want them in /var/lib/pgsql/9.3/data/. So what is the problem? Why not just copy them to that directory? The problem is that when I list cert requests, I see this:
>>
>>   Request ID '20131106113520':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=FILE,location='/var/lib/certmonger/requests/server.key'
>>     certificate: type=FILE,location='/var/lib/certmonger/requests/server.crt'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>     subject: CN=postgresql.example.com,O=EXAMPLE.COM
>>     expires: 2015-11-07 11:35:20 UTC
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command:
>>     track: yes
>>     auto-renew: yes
>>
>> We can see that the file location in that list is defined at request time. Shall I make SELinux let certmonger access /var/lib/pgsql? Or is there any other solution?
>
> certmonger does run under the certmonger_t SELinux type and system_r role. It can already write to file contexts named certmonger_*_t and cert_t. For storing certificates you would need to use the cert_t file context.
>
>   mkdir -p /var/lib/pgsql/9.3/data/certs
>   semanage fcontext -a -t cert_t '/var/lib/pgsql/9.3/data/certs(/.*)?'
>   restorecon -R -v /var/lib/pgsql/9.3/data/certs
>
> I would advise you against placing the files directly in /var/lib/pgsql/9.3/data as opposed to the subdirectory. It is safer to specify the path to the certificate in the pgsql configuration.

I have tried it, but I still get this answer:

  # ipa-getcert request -f /var/lib/pgsql/9.3/data/certs/server.crt -k /var/lib/pgsql/9.3/data/certs/server.key -K postgresql/postgresql.example.com -N CN=postgresql.example.com -D postgresql.example.com
  The parent of location /var/lib/pgsql/9.3/data/certs/server.crt must be a valid directory.

What does "valid directory" mean?

>> And I think that there must be a note in the documentation about such situations with SELinux.
>
> Yes. You can also install the selinux-policy-devel package and read the certmonger_selinux(8) manpage. Can you open a ticket against FreeIPA documentation?

Is the bug opened by Dmitri Pal enough? https://bugzilla.redhat.com/show_bug.cgi?id=1027265
Re: [Freeipa-users] question about generating certificates
On Wed, 06/11/2013 at 08:44 -0500, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 11/06/2013 07:01 AM, Arthur Faizullin wrote:
>>> Исаев Виталий Анатольевич is...@fintech.ru has given me the advice that the problem may be in SELinux. So I have stopped tracking the previous request with
>>>
>>>   $ sudo ipa-getcert stop-tracking -i 20131106075356
>>>
>>> and have generated a new request:
>>>
>>>   # ipa-getcert request -f /var/lib/certmonger/requests/server.crt -k /var/lib/certmonger/requests/server.key -K postgresql/postgresql.example.com -N CN=postgresql.example.com -D postgresql.example.com
>>>
>>> That made the desired files appear at /var/lib/certmonger/requests/. That is okay! :) But! I want them in /var/lib/pgsql/9.3/data/. So what is the problem? Why not just copy them to that directory? The problem is that when I list cert requests, I see this:
>>>
>>>   Request ID '20131106113520':
>>>     status: MONITORING
>>>     stuck: no
>>>     key pair storage: type=FILE,location='/var/lib/certmonger/requests/server.key'
>>>     certificate: type=FILE,location='/var/lib/certmonger/requests/server.crt'
>>>     CA: IPA
>>>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>     subject: CN=postgresql.example.com,O=EXAMPLE.COM
>>>     expires: 2015-11-07 11:35:20 UTC
>>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>>     pre-save command:
>>>     post-save command:
>>>     track: yes
>>>     auto-renew: yes
>>>
>>> We can see that the file location in that list is defined at request time. Shall I make SELinux let certmonger access /var/lib/pgsql? Or is there any other solution?
>>
>> I think yes. And I recall this is not the first time this comes up. My memory might be failing me but I vaguely remember that we discussed this. However I could not find any bug or ticket on the matter so I created this: https://bugzilla.redhat.com/show_bug.cgi?id=1027265
>
> Typically in Fedora and RHEL certs are expected to go into /etc/pki/tls/certs and keys into /etc/pki/tls/private. These directories have the correct SELinux contexts.
>
> rob

As with the krb5 keytab, which is recommended to be kept in a specified directory (https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/services.html), I thought that SSL keys also should be kept in a specified directory.
Re: [Freeipa-users] question about generating certificates
I have done as you said!

  # ipa-getcert request -f /etc/pki/tls/certs/postgresql.crt -k /etc/pki/tls/private/postgresql.key -K postgresql/postgresql.example.com -N CN=postgresql.example.com -D postgresql.example.com
  # ipa-getcert list
  Request ID '20131107050729':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/etc/pki/tls/private/postgresql.key'
    certificate: type=FILE,location='/etc/pki/tls/certs/postgresql.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=postgresql.example.com,O=EXAMPLE.COM
    expires: 2015-11-08 05:07:29 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

At startup I get such errors:

  2013-11-07 12:06:58.997 YEKT FATAL: could not load server certificate file /etc/pki/tls/certs/postgresql.crt: Permission denied
  2013-11-07 12:10:23.550 YEKT FATAL: could not load server certificate file /etc/pki/tls/certs/postgresql.crt: Permission denied

But after I've changed the owner:

  # chown postgres /etc/pki/tls/certs/postgresql.crt
  # chown postgres /etc/pki/tls/private/postgresql.key
  # ll /etc/pki/tls/certs/postgresql.crt
  -rw---. 1 postgres root 1318 Ноя 7 11:07 /etc/pki/tls/certs/postgresql.crt
  # ll /etc/pki/tls/private/postgresql.key
  -rw---. 1 postgres root 1704 Ноя 7 11:07 /etc/pki/tls/private/postgresql.key

it seems to be starting well! But since I've changed the owner of the key file and the certificate file, will certmonger still be monitoring these files?

On Thu, 07/11/2013 at 10:53 +0600, Arthur Faizullin wrote:
> On Wed, 06/11/2013 at 08:44 -0500, Rob Crittenden wrote:
>> Dmitri Pal wrote:
>>> On 11/06/2013 07:01 AM, Arthur Faizullin wrote:
>>>> Исаев Виталий Анатольевич is...@fintech.ru has given me the advice that the problem may be in SELinux. So I have stopped tracking the previous request with
>>>>
>>>>   $ sudo ipa-getcert stop-tracking -i 20131106075356
>>>>
>>>> and have generated a new request:
>>>>
>>>>   # ipa-getcert request -f /var/lib/certmonger/requests/server.crt -k /var/lib/certmonger/requests/server.key -K postgresql/postgresql.example.com -N CN=postgresql.example.com -D postgresql.example.com
>>>>
>>>> That made the desired files appear at /var/lib/certmonger/requests/. That is okay! :) But! I want them in /var/lib/pgsql/9.3/data/. So what is the problem? Why not just copy them to that directory? The problem is that when I list cert requests, I see this:
>>>>
>>>>   Request ID '20131106113520':
>>>>     status: MONITORING
>>>>     stuck: no
>>>>     key pair storage: type=FILE,location='/var/lib/certmonger/requests/server.key'
>>>>     certificate: type=FILE,location='/var/lib/certmonger/requests/server.crt'
>>>>     CA: IPA
>>>>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>     subject: CN=postgresql.example.com,O=EXAMPLE.COM
>>>>     expires: 2015-11-07 11:35:20 UTC
>>>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>>>     pre-save command:
>>>>     post-save command:
>>>>     track: yes
>>>>     auto-renew: yes
>>>>
>>>> We can see that the file location in that list is defined at request time. Shall I make SELinux let certmonger access /var/lib/pgsql? Or is there any other solution?
>>>
>>> I think yes. And I recall this is not the first time this comes up. My memory might be failing me but I vaguely remember that we discussed this. However I could not find any bug or ticket on the matter so I created this: https://bugzilla.redhat.com/show_bug.cgi?id=1027265
>>
>> Typically in Fedora and RHEL certs are expected to go into /etc/pki/tls/certs and keys into /etc/pki/tls/private. These directories have the correct SELinux contexts.
>>
>> rob
>
> As with the krb5 keytab, which is recommended to be kept in a specified directory (https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/services.html), I thought that SSL keys also should be kept in a specified directory.
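As an added example (not code from the thread or from certmonger/FreeIPA), a POSIX sh preflight script covering both failures in this thread: the "must be a valid directory" rejection from the earlier message, and the "Permission denied" at PostgreSQL startup in this one. It assumes GNU stat, and that the certmonger-writable types are cert_t and certmonger_*_t as Alexander describes; the script, function names and sample paths are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks around "ipa-getcert request":
#  1. certmonger does not create the target directory; the parent of the
#     -f/-k path must already exist, and on an SELinux host should carry a
#     type certmonger may write (cert_t or certmonger_*_t per the thread).
#  2. after issuance the service account (postgres here) must own the files,
#     and the private key must not be readable by group or others.

# check_parent_dir PATH
# Returns 0 when dirname(PATH) exists and is a directory, else 1.
# Reports the directory's SELinux type when stat can obtain one.
check_parent_dir() {
    parent=$(dirname -- "$1")
    if [ ! -d "$parent" ]; then
        echo "ERROR: parent of $1 is not a valid directory: $parent" >&2
        return 1
    fi
    # GNU stat %C prints the SELinux context, or "?" when there is none.
    ctx=$(stat -c %C -- "$parent" 2>/dev/null) || ctx='?'
    case "$ctx" in
        *:cert_t:*|*:certmonger_*_t:*)
            echo "$parent: $ctx (certmonger may write here)" ;;
        '?'|'')
            echo "$parent: no SELinux context reported" ;;
        *)
            echo "WARNING: $parent is $ctx; certmonger will likely be denied" \
                 "- relabel with semanage fcontext and restorecon" >&2 ;;
    esac
    return 0
}

# check_service_access FILE USER [cert|key]
# Returns 0 when FILE is owned by USER with the owner read bit set.
# For "key", also returns 1 when group or others can read the file.
check_service_access() {
    file=$1; user=$2; kind=${3:-cert}
    if [ ! -f "$file" ]; then
        echo "ERROR: $file does not exist" >&2
        return 1
    fi
    owner=$(stat -c %U -- "$file")
    mode=$(stat -c %a -- "$file")
    mode=${mode#"${mode%???}"}        # keep the last three octal digits
    o=${mode%??}; g=${mode#?}; g=${g%?}; w=${mode#??}
    if [ "$owner" != "$user" ]; then
        echo "ERROR: $file is owned by $owner, not $user (chown needed)" >&2
        return 1
    fi
    case $o in
        4|5|6|7) ;;
        *) echo "ERROR: $file is not readable by its owner $owner" >&2
           return 1 ;;
    esac
    if [ "$kind" = key ]; then
        case "$g$w" in
            [0-3][0-3]) ;;            # no read bit for group or others
            *) echo "ERROR: key $file readable by group/others (mode $mode)" >&2
               return 1 ;;
        esac
    fi
    echo "$file: owner $owner, mode $mode, ok for $user"
    return 0
}

# Direct use: sh preflight.sh CERT_PATH KEY_PATH SERVICE_USER
if [ $# -eq 3 ]; then
    check_parent_dir "$1" && check_parent_dir "$2" &&
    check_service_access "$1" "$3" cert && check_service_access "$2" "$3" key
fi
```

Run the directory check before the request and the access check after certmonger has written the files (or from a post-save command), so a rejected request or a service that cannot read its key is caught before the first restart.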
Re: [Freeipa-users] reboot required after ipa-client-install?
I have not rebooted the whole machine. Everything worked fine. Maybe just try to restart gdm?

  # systemctl restart gdm.service

On Wed, 06/11/2013 at 22:13 -0600, Dean Hunter wrote:
> After building a new VM and configuring the IPA 3.3.2 client, Gnome seems to only perform a local log-in until the system is rebooted. SSH works with IPA, but not Gnome. Is this correct? Is there anything less disruptive than a reboot that I can do?
Re: [Freeipa-users] reboot required after ipa-client-install?
On Wed, 06 Nov 2013, Dean Hunter wrote:
> After building a new VM and configuring the IPA 3.3.2 client, Gnome seems to only perform a local log-in until the system is rebooted. SSH works with IPA, but not Gnome. Is this correct? Is there anything less disruptive than a reboot that I can do?

Restart gdm.service? I'm not sure how gdm handles PAM auth.

--
/ Alexander Bokovoy