Re: [Freeipa-users] Biasing which master clients talk to first

2014-05-01 Thread Rob Crittenden
Steven Jones wrote: Hi, We have a master at our DR site which is further away than our 2 local masters, is there a way (in DNS say) that we could encourage clients to use the closer IPA masters? eg host -t SRV _ldap._tcp.ods.vuw.ac.nz _ldap._tcp.ods.vuw.ac.nz has SRV record 0 100 389

[Freeipa-users] migrating from OpenLDAP to freeIPA

2014-05-01 Thread cbul...@gmail.com
Hi, I am trying to migrate my database from OpenLDAP to freeIPA (ipa-server-3.0.0-37.el6.x86_64) but I get an error when freeIPA starts to import the group (all the users were imported without problem). This is the command that I am using for import: ipa migrate-ds --with-compat

Re: [Freeipa-users] Automembership not working

2014-05-01 Thread JR Aquino
I don't believe that the attribute is an OU. Try performing a: ipa group-show engineering --all --raw I believe that your automember rule wants to be cn=^Engineering You cannot hope to secure that which you do not first understand ~~~ Jr Aquino

Re: [Freeipa-users] migrating from OpenLDAP to freeIPA

2014-05-01 Thread Rob Crittenden
cbul...@gmail.com wrote: Hi, I am trying to migrate my database from OpenLDAP to freeIPA (ipa-server-3.0.0-37.el6.x86_64) but I get an error when freeIPA starts to import the group (all the users were imported without problem). This is the command that I am using for import: ipa migrate-ds

[Freeipa-users] sudo and NIS domain name

2014-05-01 Thread Dean Hunter
I just noticed that I had been incorrectly setting the NIS domain name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to be successfully retrieving and using sudo rules from FreeIPA. Is sudo still using NIS-style netgroups? Is there still a requirement to set the NIS domain name?

Re: [Freeipa-users] About OTP

2014-05-01 Thread Dmitri Pal
On 04/30/2014 07:58 PM, Steven Jones wrote: Hi, We want to use 2FA tokens and can't because of a Kerberos issue. I assume if this hasn't been upgraded yet that you can't get the passthrough? What is the issue you are facing? For OTP to work you need latest Kerberos. It is not RHEL yet. RHEL7

Re: [Freeipa-users] Integrating with Smart Cards

2014-05-01 Thread Dmitri Pal
On 04/30/2014 06:45 PM, Leigh Moulder wrote: Hi all, I'm very new to FreeIPA, so I hope this isn't answered in documentation somewhere already. I'm working to get my infrastructure DIACAP approved, and part of this process includes unique user accounts with smart card integration. I was

Re: [Freeipa-users] sudo and NIS domain name

2014-05-01 Thread Dmitri Pal
On 05/01/2014 04:07 PM, Dean Hunter wrote: I just noticed that I had been incorrectly setting the NIS domain name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to be successfully retrieving and using sudo rules from FreeIPA. Is sudo still using NIS-style netgroups? Is there

Re: [Freeipa-users] migrating from OpenLDAP to freeIPA

2014-05-01 Thread cbul...@gmail.com
Hi Rob, Thanks so much for your help! Our openLDAP uses memberuid attribute because we migrated the original database from NIS server. Your tip worked great. Just let me correct a typo error: --group-objectclass=posixgroup Thanks again, cbu On 05/01/2014 11:58 AM, Rob Crittenden wrote:

Re: [Freeipa-users] sudo and NIS domain name

2014-05-01 Thread Dean Hunter
On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote: On 05/01/2014 04:07 PM, Dean Hunter wrote: I just noticed that I had been incorrectly setting the NIS domain name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to be successfully retrieving and using sudo rules from