Re: [Freeipa-users] Standard Logging
On 17.6.2014 19:24, Rob Crittenden wrote:

Innes, Duncan wrote:

Fair call Rob, I should have put standard in quotes. I think I meant to. I know applications doing their own logging is pretty widespread too. It's just that moving to a more unified tool that performed the logging, remote shipping, rotation, compression etc (where required) would be great.

Whilst I like journald a lot, it still misses native log shipping. I think it's being worked on though. As an IdM user, I figure I'll have to wait around quite a while to get any such features.

Yeah, sorry about that. Audit is one of those things where the word just comes up a lot which usually means trouble :-)

I'll have a poke around with using rsyslog for some IPA logs just now.

That would be great. Please share the things you learn. Feel free to create wiki page, e.g. http://www.freeipa.org/page/Howto/Logging_to_syslog

Your ordinary Fedora account will allow you to log-in and create the page.

Thank you for your time!

Petr^2 Spacek

regards

rob

Cheers

Duncan

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: 17 June 2014 17:07
To: Innes, Duncan; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Standard Logging

Innes, Duncan wrote:

Hi folks, Is there any movement towards getting FreeIPA to use more standard logging tools? Journald or rsyslog.

I wouldn't exactly call servers logging to their own files as non-standard. You can theoretically configure most services to use at least rsyslogd now. I say theoretically because we haven't tried in the context of IPA but I doubt you'd be plowing any new ground by configuring it.

Wondering because at the moment, the rotation of logs is non-standard compared to most of the rest of our estate. It would be a boost for us to know that rsyslog/journald are handling the logging (enabling us to get the log files sent over the network) and logrotate is rotating the logs and can compress logs if we want (which we do).

There is a long-term ticket to use journald, https://fedorahosted.org/freeipa/ticket/4296

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Links in mailing-list footer
Hello list,

I wonder if we could improve mailing list footer for freeipa-users. It can be configured in mailing list administration in section Non-digest options.

Currently the footer looks like:

    ___
    Freeipa-users mailing list
    Freeipa-users@redhat.com
    https://www.redhat.com/mailman/listinfo/freeipa-users

What about something more useful?

    --
    Freeipa-users@redhat.com mailing list
    https://www.redhat.com/mailman/listinfo/freeipa-users
    http://www.freeipa.org/page/Documentation | http://www.freeipa.org/page/Demo

The most important change is replacing "___" with "--". "--" is usually interpreted by e-mail clients as beginning of signature and automatically stripped from replies. It would prevent mailing list signatures from cumulating in replies like this:

    [blah blah]
    Good idea.
    ___
    Freeipa-users mailing list
    Freeipa-users@redhat.com
    https://www.redhat.com/mailman/listinfo/freeipa-users
    ___
    Freeipa-users mailing list
    Freeipa-users@redhat.com
    https://www.redhat.com/mailman/listinfo/freeipa-users

Other links in proposed signature were picked almost randomly :-)

--
Petr^2 Spacek
Re: [Freeipa-users] Links in mailing-list footer
On Wed, 2014-06-18 at 09:30 +0200, Petr Spacek wrote:

Hello list,

I wonder if we could improve mailing list footer for freeipa-users. It can be configured in mailing list administration in section Non-digest options.

Currently the footer looks like:

    ___
    Freeipa-users mailing list
    Freeipa-users@redhat.com
    https://www.redhat.com/mailman/listinfo/freeipa-users

What about something more useful?

    --
    Freeipa-users@redhat.com mailing list
    https://www.redhat.com/mailman/listinfo/freeipa-users
    http://www.freeipa.org/page/Documentation | http://www.freeipa.org/page/Demo

The most important change is replacing "___" with "--". "--" is usually interpreted by e-mail clients as beginning of signature and automatically stripped from replies. It would prevent mailing list signatures from cumulating in replies like this:

Good idea, I changed the footer and made it more sober, let me know if you like it when you see it.

Simo.

    [blah blah]
    Good idea.
    ___
    Freeipa-users mailing list
    Freeipa-users@redhat.com
    https://www.redhat.com/mailman/listinfo/freeipa-users
    ___
    Freeipa-users mailing list
    Freeipa-users@redhat.com
    https://www.redhat.com/mailman/listinfo/freeipa-users

Other links in proposed signature were picked almost randomly :-)

--
Simo Sorce * Red Hat, Inc * New York

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Problem finding new users via command line
Rob,

That is correct, I just put my ssh key in for that new user and was unable to ssh to one of the nodes registered with IPA. I also logged in as myself (which did work) and then ran getent password new.user and that yielded nothing, but getent password john.moyer yielded all of my information.

On 6/17/14, 11:26 AM, Rob Crittenden wrote:

John Moyer wrote:

Sorry forgot the second part of your question:

    rpm -qa | grep ipa
    libipa_hbac-1.9.2-129.el6_5.4.x86_64
    ipa-server-3.0.0-37.el6.x86_64
    ipa-pki-ca-theme-9.0.3-7.el6.noarch
    python-iniparse-0.3.1-2.1.el6.noarch
    libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
    ipa-python-3.0.0-37.el6.x86_64
    ipa-client-3.0.0-37.el6.x86_64
    ipa-admintools-3.0.0-37.el6.x86_64
    ipa-pki-common-theme-9.0.3-7.el6.noarch
    ipa-server-selinux-3.0.0-37.el6.x86_64

It's important that we're comparing apples to apples. Is this a search against the same IPA server or do you have multiple masters?

I assume that SSSD isn't seeing these new users either which is what led you to ldapsearch?

You might want to do the same search on a working and non-working box and compare the 389-ds access logs to see if there is anything noticeable.

rob

John

On 6/17/14, 8:30 AM, John Moyer wrote:

I'm using ldapsearch. The command I was using was like the one below (edited to protect creds/users).

    ldapsearch -x -h ipa.digitalreasoning.com -ZZ -b dc=digitalreasoning,dc=com -D uid=adminuser,cn=users,cn=accounts,dc=digitalreasoning,dc=com -w 'password' uid=first.last

    # extended LDIF
    #
    # LDAPv3
    # base dc=digitalreasoning,dc=com with scope subtree
    # filter: uid=first.last
    # requesting: ALL
    #

    # search result
    search: 3
    result: 0 Success

    # numResponses: 1

Any help is much appreciated!

Thanks,
John

On 6/16/14, 6:22 PM, Rob Crittenden wrote:

John Moyer wrote:

Hello All,

I'm having a problem querying new users. I can create the user from the webpage no problem, and I can see them afterwards via the webpage. I can then see those users via ipa user-find, as well as a LOCAL ldapsearch, even remotely from apache directory studio. However, if I go to another linux box and do an ldapsearch the new user (only the new user) is not seen in the search. Users created before today work great. Now I did change stuff, I did a yum upgrade last weekend and this was not a problem before I did this.

Any help or guidance to make a remote ldapsearch work on new users would be greatly appreciated!

What command-line are you using?

What rpm version is [free]ipa-python?

Do you have multiple masters or is this a single IPA server?

rob

Thanks,
John Moyer

Thanks,
John Moyer
Director, IT Operations
901 N. Stuart St. STE 904A
Arlington, VA 22203
703.678.2311 Office
240.460.0023 Cell
703.678.2312 Fax
[Freeipa-users] Add'tl use case for views
Inconsistently managed AD user entries.

Many accounts in my AD are posixAccounts, but I encountered one today (created in 2013) which had no posix information whatsoever. This crumpled my assumption that I could leverage posix information from the institutional source.

Under my current system, I had to create an external account for him. With views, I could've provided the missing attributes.

Dunno why just is.

Bryce