Re: [Freeipa-users] sssd receives another uid/gid after disabled HBAC rule
Hello Sumit,

I think maybe there is a different problem I just discovered by accident. As stated in the first email, I have an AD trust with FreeIPA that receives all POSIX attributes from AD, but I get different values: On the FreeIPA server that has the AD trust (ipa1.linux.intern) I get the correct GID (=1, this is the AD group linuxusers) that is set in AD, but on the client (linux1.linux.intern) I get another one (= 10005):

ipa1.linux.intern

[root@ipa1 httpd]# getent passwd user1@aaa
user1@aaa.intern:*:10005:1:user1:/home/aaa.intern/user1:/bin/bash

-bash-4.2$ id
uid=10005(user1@aaa.intern) gid=1(linuxusers@aaa.intern) groups=1(linuxusers@aaa.intern),193304(ad_users)

linux1.linux.intern

[root@linux1 sssd]# getent passwd user1@aaa
user1@aaa.intern:*:10005:10005::/home/user1@aaa.intern:/bin/bash

[user1@aaa.intern@linux1 ~]$ id
uid=10005(user1@aaa.intern) gid=10005(user1@aaa.intern) Gruppen=10005(user1@aaa.intern),193304(ad_users)

Logfile on ipa1.linux.intern sssd_nss.log

(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [user1@aaa.intern].
(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'user1@aaa.intern' matched expression for domain 'aaa.intern', user is user1
(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [user1] from [aaa.intern]
(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/aaa.intern/user1]
(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [user1@aaa.intern]
(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Added timed event ltdb_callback: 0x7fe19e562700
(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Added timed event ltdb_timeout: 0x7fe19e562830
(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Running timer event 0x7fe19e562700 ltdb_callback
(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x7fe19e562830 ltdb_timeout
(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x7fe19e562700 ltdb_callback
(Wed Sep 10 08:14:42 2014) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [user1@aaa.intern]
(Wed Sep 10 08:14:42 2014) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7fe19e563d40][21]

--

Logfile on linux1.linux.intern sssd_nss.log

(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'user1@aaa' matched expression for domain 'aaa.intern', user is user1
(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam] (0x0100): Requesting info for [user1] from [aaa.intern]
(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/aaa.intern/user1]
(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [user1@aaa.intern]
(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Added timed event ltdb_callback: 0x20e2c20
(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Added timed event ltdb_timeout: 0x20e2590
(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Running timer event 0x20e2c20 ltdb_callback
(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000):
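
Added example, not part of the original post: a small Python check that compares the `getent passwd` answer for one account across hosts against a reference host and reports which fields differ, because a uid or gid that differs between hosts changes file ownership and group-based access for the same account. The two sample lines are taken from the output quoted in the message above; the function and variable names are illustrative assumptions.

```python
"""Added example: compare `getent passwd` answers for one user across hosts."""
from typing import Dict, List, NamedTuple, Tuple


class PasswdEntry(NamedTuple):
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd_line(line: str) -> PasswdEntry:
    """Parse one passwd(5)-style line as printed by `getent passwd`.

    Whitespace around fields is stripped so that lines pasted from mail
    or a terminal (e.g. "10005: 1") still parse.
    """
    parts = [p.strip() for p in line.strip().split(":")]
    if len(parts) != 7:
        raise ValueError(
            f"expected 7 colon-separated fields, got {len(parts)}: {line!r}"
        )
    name, passwd, uid, gid, gecos, home, shell = parts
    return PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell)


def diff_hosts(answers: Dict[str, str],
               reference: str) -> Dict[str, Dict[str, Tuple]]:
    """Return {host: {field: (reference_value, host_value)}} for every
    host whose answer differs from the reference host's answer."""
    ref = parse_passwd_line(answers[reference])
    diffs: Dict[str, Dict[str, Tuple]] = {}
    for host, line in answers.items():
        if host == reference:
            continue
        entry = parse_passwd_line(line)
        changed = {
            field: (getattr(ref, field), getattr(entry, field))
            for field in PasswdEntry._fields
            if getattr(ref, field) != getattr(entry, field)
        }
        if changed:
            diffs[host] = changed
    return diffs


def hosts_with_id_mismatch(diffs: Dict[str, Dict[str, Tuple]]) -> List[str]:
    """Hosts where the numeric identity (uid or gid) differs. These are
    the differences that affect ownership and access decisions."""
    return sorted(h for h, changed in diffs.items()
                  if changed.keys() & {"uid", "gid"})


# Sample input: the two getent lines quoted in the message above.
SAMPLE_ANSWERS = {
    "ipa1.linux.intern":
        "user1@aaa.intern:*:10005:1:user1:/home/aaa.intern/user1:/bin/bash",
    "linux1.linux.intern":
        "user1@aaa.intern:*:10005:10005::/home/user1@aaa.intern:/bin/bash",
}

if __name__ == "__main__":
    result = diff_hosts(SAMPLE_ANSWERS, reference="ipa1.linux.intern")
    for host, changed in result.items():
        for field, (want, got) in changed.items():
            print(f"{host}: {field}: reference={want!r} host={got!r}")
    print("uid/gid mismatch on:", hosts_with_id_mismatch(result))
```
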
Re: [Freeipa-users] sssd receives another uid/gid after disabled HBAC rule
I added the correct logfiles now - sorry!

On linux1.linux.intern

1.) service sssd stop; rm -f /var/lib/sss/db/* ; service sssd start
2.) getent passwd user1@aaa

Logfile sssd_linux.intern.log

(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sbus_dispatch] (0x4000): dbus conn: 23510F0
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sbus_message_handler] (0x4000): Received SBUS method [getDomains]
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [be_get_subdomains] (0x0400): Got get subdomains [forced][aaa]
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=linux,dc=intern].
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName]
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID]
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_process_result] (0x2000): Trace: sh[0x234f5c0], connected[1], ops[0x233b9e0], ldap[0x233f620]
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_parse_entry] (0x4000): OriginalDN: [cn=aaa.intern,cn=ad,cn=trusts,dc=linux,dc=intern].
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName]
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID]
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_process_result] (0x2000): Trace: sh[0x234f5c0], connected[1], ops[0x233b9e0], ldap[0x233f620]
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=linux,dc=intern].
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID]
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID]
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSecondaryBaseRID]
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize]
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID]
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 9
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_process_result] (0x2000): Trace: sh[0x234f5c0], connected[1], ops[0x234e550], ldap[0x233f620]
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_process_result] (0x2000): Trace: sh[0x234f5c0], connected[1], ops[0x234e550], ldap[0x233f620]
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_parse_entry] (0x4000): OriginalDN: [cn=LINUX.INTERN_id_range,cn=ranges,cn=etc,dc=linux,dc=intern].
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID]
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID]
(Wed Sep 10 17:04:24 2014) [sssd[be[linux.intern]]] [sdap_parse_range]

[Freeipa-users] 4.0.2-1 not ready for primetime or testing?
Trying to do some testing with 4.0.2-1 on FC22/rawhide -- the install blows up:

Configuring directory server (dirsrv): Estimated time 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
ipa : CRITICAL Failed to restart the directory server. See the installation log for details.

and from the logs -- any ideas?

2014-09-10T15:58:42Z DEBUG stderr=
2014-09-10T15:58:42Z CRITICAL Failed to restart the directory server. See the installation log for details.
2014-09-10T15:58:42Z DEBUG File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 639, in run_script
    return_value = main_function()
  File /usr/sbin/ipa-server-install, line 1127, in main
    ds.enable_ssl()
  File /usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py, line 351, in enable_ssl
    self.start_creation(runtime=10)
  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 367, in start_creation
    method()
  File /usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py, line 515, in __restart_instance
    self.restart(self.serverid)
  File /usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py, line 509, in restart
    raise e
2014-09-10T15:58:42Z DEBUG The ipa-server-install command failed, exception: SystemExit: 1

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] 4.0.2-1 not ready for primetime or testing?
On 09/10/2014 10:02 AM, Kat wrote:
> Trying to do some testing with 4.0.2-1 on FC22/rawhide -- the install blows up:
>
> Configuring directory server (dirsrv): Estimated time 10 seconds
>   [1/3]: configuring ssl for ds instance
>   [2/3]: restarting directory server
> ipa : CRITICAL Failed to restart the directory server. See the installation log for details.
>
> and from the logs -- any ideas?

What's in /var/log/dirsrv/slapd-*/errors?

> 2014-09-10T15:58:42Z DEBUG stderr=
> 2014-09-10T15:58:42Z CRITICAL Failed to restart the directory server. See the installation log for details.
> 2014-09-10T15:58:42Z DEBUG File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 639, in run_script
>     return_value = main_function()
>   File /usr/sbin/ipa-server-install, line 1127, in main
>     ds.enable_ssl()
>   File /usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py, line 351, in enable_ssl
>     self.start_creation(runtime=10)
>   File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 367, in start_creation
>     method()
>   File /usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py, line 515, in __restart_instance
>     self.restart(self.serverid)
>   File /usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py, line 509, in restart
>     raise e
> 2014-09-10T15:58:42Z DEBUG The ipa-server-install command failed, exception: SystemExit: 1

Re: [Freeipa-users] Force ticket type to des3-cbc-sha1
Darran Lofthouse wrote:
> Hi there,
>
> Hi there any quick way to force the ticket type obtained by kinit to des3-cbc-sha1?

For all users everywhere, on a particular host, or for a particular application?

rob

Re: [Freeipa-users] Force ticket type to des3-cbc-sha1
This is just for testing, ideally for one user but will take anything ;-)

On 10/09/14 18:16, Rob Crittenden wrote:
> Darran Lofthouse wrote:
>> Hi there,
>>
>> Hi there any quick way to force the ticket type obtained by kinit to des3-cbc-sha1?
>
> For all users everywhere, on a particular host, or for a particular application?
>
> rob

Re: [Freeipa-users] Force ticket type to des3-cbc-sha1
Actually ignore me for a minute, I may be looking at this from the wrong side !!

On 10/09/14 18:24, Darran Lofthouse wrote:
> This is just for testing, ideally for one user but will take anything ;-)
>
> On 10/09/14 18:16, Rob Crittenden wrote:
>> Darran Lofthouse wrote:
>>> Hi there,
>>>
>>> Hi there any quick way to force the ticket type obtained by kinit to des3-cbc-sha1?
>>
>> For all users everywhere, on a particular host, or for a particular application?
>>
>> rob

Re: [Freeipa-users] Force ticket type to des3-cbc-sha1
Thanks, was looking at the wrong side - just needed to re-export the keytab for my service using des3-cbc-sha1 instead.

On 10/09/14 18:31, Darran Lofthouse wrote:
> Actually ignore me for a minute, I may be looking at this from the wrong side !!
>
> On 10/09/14 18:24, Darran Lofthouse wrote:
>> This is just for testing, ideally for one user but will take anything ;-)
>>
>> On 10/09/14 18:16, Rob Crittenden wrote:
>>> Darran Lofthouse wrote:
>>>> Hi there,
>>>>
>>>> Hi there any quick way to force the ticket type obtained by kinit to des3-cbc-sha1?
>>>
>>> For all users everywhere, on a particular host, or for a particular application?
>>>
>>> rob

[Freeipa-users] Integrating FreeIPA with ActiveDirectory (Windows 2008 R2)
Hi List

I've been following the AD integration guide for IPAv3 here:

http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup

However, when I reach the Add trust with AD domain step I get the following error:

---
[root@ipa ~]# ipa trust-add --type=ad mhatest.local --admin Administrator --password
Active directory domain administrator's password:
ipa: ERROR: CIFS server communication error: code -1073741801, message Memory allocation error (both may be None)
---

... And I'm at a loss for how to interpret this :-)

Details on my setup:

- Windows 2008 R2 AD DC
- CentOS Linux 6.5 IPA server (installed from yum repos)

I've attached the output of ipa trust-add with the debug flag set. There is also a summary of the packet conversation between the IPA server and the AD DC during the run of ipa trust-add:

---
[root@ipa ~]# tcpdump host 172.16.107.109 and host 172.16.107.108
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
00:05:28.624337 IP ipa.linux.mhatest.local.48394 kwthqtstad001.mhatest.local.domain: 0+ A? ipa.linux.mhatest.local. (41)
00:05:28.624857 IP kwthqtstad001.mhatest.local.domain ipa.linux.mhatest.local.48394: 0 NXDomain* 0/1/0 (121)
00:05:33.594937 ARP, Request who-has ipa.linux.mhatest.local (00:50:56:9c:18:d4 (oui Unknown)) tell kwthqtstad001.mhatest.local, length 46
00:05:33.594952 ARP, Reply ipa.linux.mhatest.local is-at 00:50:56:9c:18:d4 (oui Unknown), length 28
00:06:05.056522 IP ipa.linux.mhatest.local.54679 kwthqtstad001.mhatest.local.domain: 0+ SRV? _ldap._tcp.linux.mhatest.local. (48)
00:06:05.057022 IP kwthqtstad001.mhatest.local.domain ipa.linux.mhatest.local.54679: 0* 1/0/0 SRV ipa.linux.mhatest.local.:389 0 100 (91)
00:06:09.599671 ARP, Request who-has ipa.linux.mhatest.local (00:50:56:9c:18:d4 (oui Unknown)) tell kwthqtstad001.mhatest.local, length 46
00:06:09.599686 ARP, Reply ipa.linux.mhatest.local is-at 00:50:56:9c:18:d4 (oui Unknown), length 28
00:06:15.376853 IP ipa.linux.mhatest.local.44400 kwthqtstad001.mhatest.local.domain: 0+ SRV? _ldap._tcp.linux.mhatest.local. (48)
00:06:15.377319 IP kwthqtstad001.mhatest.local.domain ipa.linux.mhatest.local.44400: 0* 1/0/0 SRV ipa.linux.mhatest.local.:389 0 100 (91)
00:06:20.375747 ARP, Request who-has kwthqtstad001.mhatest.local tell ipa.linux.mhatest.local, length 28
00:06:20.376025 ARP, Reply kwthqtstad001.mhatest.local is-at 00:15:5d:0a:0d:8b (oui Unknown), length 46

Any help on how to fix this and establish the AD trust relationship would be much appreciated!

Many thanks in advance,
Traiano

The DNS configuration scenario I'm using is:
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#If_IPA_is_subdomain_of_AD

Re: [Freeipa-users] Integrating FreeIPA with ActiveDirectory (Windows 2008 R2)
On Thu, 11 Sep 2014, Traiano Welcome wrote:
> Hi List
>
> I've been following the AD integration guide for IPAv3 here:
>
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>
> However, when I reach the Add trust with AD domain step I get the following error:
>
> ---
> [root@ipa ~]# ipa trust-add --type=ad mhatest.local --admin Administrator --password
> Active directory domain administrator's password:
> ipa: ERROR: CIFS server communication error: code -1073741801, message Memory allocation error (both may be None)
> ---
>
> ... And I'm at a loss for how to interpret this :-)
>
> Details on my setup:

Please follow http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust to provide useful debugging information.

> - Windows 2008 R2 AD DC
> - CentOS Linux 6.5 IPA server (installed from yum repos)

Ideally you'd need to use RHEL 7 or CentOS 7 for trusts as IPA version 3.3 is more mature in this regard.

--
/ Alexander Bokovoy

[Freeipa-users] FreeIPA, SSSD, sudo and Local Users
Hi all:

I'm using FreeIPA 3.0 under CentOS 6.5 and I'm trying to solve a bit of a quirky problem. From what I've read thus far, sudo under SSSD can't provide sudo rules for local users that are not part of the directory. To get around this, I've been using the sudo-ldap.conf file to provide sudo with direct access to the directory. This, however, can't make use of service discovery, so if the first server in the ldap_uri list is taken down, sudo delays for the length of the timeout set.

My idea for getting around this has been to use sudo in SSSD for users that are in the directory and let sudo-ldap take care of local users with a line in nsswitch.conf like this:

sudoers: files sss ldap

My problem now seems to be that the ldap query is still run even if a successful hit is made to sssd. Changing the line in nsswitch.conf to:

sudoers: files sss [success=return] ldap

doesn't seem to actually work. Does anyone have pointers on how I can resolve this particular problem?

Thanks!

Trevor T. Kates

[Freeipa-users] Certs.
Hello list,

I have been fruitlessly searching for some information, especially related to Certs, namely how to replace the self signed certs with certs from a trusted CA?

As we are moving forward into productionizing of our free-ipa install, I am finding information on the net to be a bit lacking. There is also the possibility that I am not looking in the right places, or using the correct search terms.

Any help on this front would be greatly appreciated.

Thanks,
Bill

[Freeipa-users] Branding
Hi List,

I am looking into changing the branding on the free-ipa GUI interface. This is something that is being requested by my management, considering that we are asking users to trust an e-mail prodding them to change their password. I don't see an easy method in the GUI interface for changing the logo.

I was wondering if anyone else has had need for these changes, and what steps they may have taken to change the branding.

Thanks,
Bill

Re: [Freeipa-users] Certs.
Search the list for a post by me and certs... Basically there is an install flag that will do all the work for you once you have the cert in the right format.

On Sep 10, 2014 5:53 PM, William Graboyes wgrabo...@cenic.org wrote:
> Hello list,
>
> I have been fruitlessly searching for some information, especially related to Certs, namely how to replace the self signed certs with certs from a trusted CA?
>
> As we are moving forward into productionizing of our free-ipa install, I am finding information on the net to be a bit lacking. There is also the possibility that I am not looking in the right places, or using the correct search terms.
>
> Any help on this front would be greatly appreciated.
>
> Thanks,
> Bill

[Freeipa-users] json api docs
Hi All,

Is there an official API documentation available? Also, is there a simple way to log on and run commands through the API without a Kerberos ticket?

Thanks,
tamas

Re: [Freeipa-users] Certs.
Hi Chris,

Thank you for the suggestion. Looking at http://www.redhat.com/archives/freeipa-users/2014-August/msg00334.html

Installing a new, third party cert requires a reinstall of IPA? IPA Devs, that is a bit silly don't you think? A year or two in the cert expires, now you have to start from scratch?

I will wait for some form of response before I attempt at eating crow in front of management.

I forgot to mention, free-ipa version ipa-server-3.0.0-37.el6.x86_64.

On Wed Sep 10 15:55:56 2014, Chris Whittle wrote:
> Search the list for a post by me and certs... Basically there is an install flag that will do all the work for you once you have the cert in the right format.
>
> On Sep 10, 2014 5:53 PM, William Graboyes wgrabo...@cenic.org wrote:
>> Hello list,
>>
>> I have been fruitlessly searching for some information, especially related to Certs, namely how to replace the self signed certs with certs from a trusted CA?
>>
>> As we are moving forward into productionizing of our free-ipa install, I am finding information on the net to be a bit lacking. There is also the possibility that I am not looking in the right places, or using the correct search terms.
>>
>> Any help on this front would be greatly appreciated.
>>
>> Thanks,
>> Bill

Re: [Freeipa-users] Certs.
On 09/10/2014 06:50 PM, William Graboyes wrote:
> Hello list,
>
> I have been fruitlessly searching for some information, especially related to Certs, namely how to replace the self signed certs with certs from a trusted CA?

This is an install time decision so when you deploy a new production environment you will need to use the ipa-server-install with the related arguments to do the chaining.

> As we are moving forward into productionizing of our free-ipa install, I am finding information on the net to be a bit lacking. There is also the possibility that I am not looking in the right places, or using the correct search terms.
>
> Any help on this front would be greatly appreciated.

The ability to replace the cert from being a self signed to a chained is a feature that is coming in IPA 4.1

The design page is here: http://www.freeipa.org/page/V4/CA_certificate_renewal

What distro are you planning to use? It is considered for the next release of RHEL.

> Thanks,
> Bill

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

Re: [Freeipa-users] Certs.
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi Dmitri, Production Environment is going to be RH 6.5, We are still evaluating the usage of systemd. More like we are taking a wait and see approach to to systemd, while actively testing it. Thanks, Bill On Wed Sep 10 16:49:24 2014, Dmitri Pal wrote: On 09/10/2014 07:26 PM, William Graboyes wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi Chris, Thank you for the suggestion. Looking at http://www.redhat.com/archives/freeipa-users/2014-August/msg00334.html Installing a new, third party cert requires a reinstall of IPA? IPA Devs, that is a bit silly don't you think? A year or two in the cert expires, now you have to start from scratch? I will wait for some form of response before I attempt at eating crow in front of management. I forgot to mention, free-ipa version ipa-server-3.0.0-37.el6.x86_64. Since 3.0 internal certs are issued for 2 years and are renewed automatically. The root cert is valid for more than two years (AFAIR it is 20). On Wed Sep 10 15:55:56 2014, Chris Whittle wrote: Search the list for a post by me and certs... Basically there is a install flag that will do all the work for you once you have it the cert in the right format. On Sep 10, 2014 5:53 PM, William Graboyes wgrabo...@cenic.org wrote: * *BEGIN ENCRYPTED or SIGNED PART* * Hello list, I have been fruitlessly searching for some information, especially related to Certs, namely how to replace the self signed certs with certs from a trusted CA? As we are moving forward into productionizing of our free-ipa install, I am finding information on the net to be a bit lacking. There is also the possibility that I am not looking in the right places, or using the correct search terms. Any help on this front would be greatly appreciated. 
Thanks,
Bill
Re: [Freeipa-users] Certs.
On 09/10/2014 07:26 PM, William Graboyes wrote:

Hi Chris,

Thank you for the suggestion. Looking at http://www.redhat.com/archives/freeipa-users/2014-August/msg00334.html

Installing a new, third party cert requires a reinstall of IPA? IPA Devs, that is a bit silly don't you think? A year or two in the cert expires, now you have to start from scratch? I will wait for some form of response before I attempt at eating crow in front of management.

I forgot to mention, free-ipa version ipa-server-3.0.0-37.el6.x86_64.

Since 3.0 internal certs are issued for 2 years and are renewed automatically. The root cert is valid for more than two years (AFAIR it is 20).

On Wed Sep 10 15:55:56 2014, Chris Whittle wrote:

Search the list for a post by me and certs... Basically there is an install flag that will do all the work for you once you have the cert in the right format.

On Sep 10, 2014 5:53 PM, William Graboyes wgrabo...@cenic.org wrote:

Hello list,

I have been fruitlessly searching for some information, especially related to Certs, namely how to replace the self signed certs with certs from a trusted CA? As we are moving forward into productionizing of our free-ipa install, I am finding information on the net to be a bit lacking. There is also the possibility that I am not looking in the right places, or using the correct search terms. Any help on this front would be greatly appreciated.
Thanks,
Bill

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] json api docs
On 09/10/2014 07:10 PM, Tamas Papp wrote:

hi All,

Is there an official API documentation available?

Unfortunately not much. You can search archives and find some recommendations that helped people in the past. https://www.redhat.com/archives/freeipa-users/2013-January/msg00109.html

We also have a ticket https://fedorahosted.org/freeipa/ticket/3129

Also is there a simple way to logon and run commands through API without a kerberos ticket?

Once you authenticated with Kerberos and negotiated GSSAPI the server will issue a cookie that will be stored on the client and can be used to continue operations. But Kerberos is needed for the first connection. It is a requirement because it is a best practice.

Thanks,
tamas

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Certs.
Dmitri Pal wrote:

On 09/10/2014 07:57 PM, William Graboyes wrote:

Hi Dmitri,

Production Environment is going to be RH 6.5. We are still evaluating the usage of systemd. More like we are taking a wait and see approach to systemd, while actively testing it.

The command line options for chaining are there from day one. So you would need to chain your production environment when you deploy it. In future when you migrate to later versions (in a couple of years or so) you will be able to change the chaining using the new tools. Right now it is a very hard multi step manual procedure. This is why we developed the tool. But you should be all set for now. You would not need to change anything for several years.

I also think we need to understand what you mean by replace the certs. Do you just want to replace the web and ldap certs, and never need to use any IPA-issued certificates or are you looking to replace the entire CA?

rob
Re: [Freeipa-users] 4.0.2-1 not ready for primetime or testing?
Kat wrote:

Trying to do some testing with 4.0.2-1 on FC22/rawhide -- the install blows up:

Configuring directory server (dirsrv): Estimated time 10 seconds
[1/3]: configuring ssl for ds instance
[2/3]: restarting directory server
ipa : CRITICAL Failed to restart the directory server. See the installation log for details.

and from the logs -- any ideas?

I think you're seeing https://bugzilla.redhat.com/show_bug.cgi?id=1139954

It's being worked on.

rob