Hi,
I found a bug in the pki packages and CA replica installation.
Environment:
Rhel 6.6
IPA Server 3.0.0-42
Pki components:
pki-symkey-9.0.3-38.el6_6.x86_64
pki-common-9.0.3-38.el6_6.noarch
pki-setup-9.0.3-38.el6_6.noarch
pki-selinux-9.0.3-38.el6_6.noarch
pki-java-tools-9.0.3-38.el6_6.noarch
On Thu, Feb 05, 2015 at 03:12:17PM -0500, Christopher Young wrote:
Some of this might be rudimentary, so I apologize if this is answered
somewhere, though I've tried to search and have not had much luck...
Basically, I would like to be able to issue user certificates (Subject:
On 02/05/2015 04:44 AM, Alexander Bokovoy wrote:
On Thu, 05 Feb 2015, Dmitri Pal wrote:
On 02/04/2015 03:01 PM, Hugh wrote:
On 1/29/2015 4:26 PM, Dmitri Pal wrote:
How are the domains connected? Do you use trust or sync?
Trust. We wanted to have just one account and not need to install
On Thu, 05 Feb 2015, Dmitri Pal wrote:
On 02/05/2015 04:44 AM, Alexander Bokovoy wrote:
On Thu, 05 Feb 2015, Dmitri Pal wrote:
On 02/04/2015 03:01 PM, Hugh wrote:
On 1/29/2015 4:26 PM, Dmitri Pal wrote:
How are the domains connected? Do you use trust or sync?
Trust. We wanted to have just
On 02/05/2015 05:54 AM, Matt . wrote:
In the past we have done some testsetups with password expiring after
we added a user, at the moment I have difficulties with this on 4.1.2
What I need is the following:
- We add a user using json/kinit
- The user is added in the right way
- tThe user
HI,
I'm already doing so without any luck. If you remember something,
would be nice to know!
So it should be possible to do still ?
2015-02-05 14:26 GMT+01:00 Dmitri Pal d...@redhat.com:
On 02/05/2015 07:59 AM, Matt . wrote:
Hi,
OK, but as far as I understand we made some change, using a
On 02/05/2015 07:59 AM, Matt . wrote:
Hi,
OK, but as far as I understand we made some change, using a
commandline command which I cannot remember or find, which goes around
the password policy, or the attribute you talk about, when you add a
user.
Can I change that globally? As we did it
On 02/05/2015 08:32 AM, Matt . wrote:
HI,
I'm already doing so without any luck. If you remember something,
would be nice to know!
So it should be possible to do still ?
Do the
ipa user-show --raw, there will be a time stamp. It is
krbPasswordExpiration attribute. It will be set to the user
alireza baghery wrote:
hi
i integrated ipa (centos 6.5) with AD windows server 2008 and anything
do work
i install replica server as follow:
#(ipaserve ipa): replica- prepare ipareplica. example. com - -
ip- address 192. 168. 1. 2
scp /var/lib/ipa/replica- info-
Hi,
OK, but as far as I understand we made some change, using a
commandline command which I cannot remember or find, which goes around
the password policy, or the attribute you talk about, when you add a
user.
Can I change that globally? As we did it seems... but we were testing
so much back
Hi,
I'm looking for an easy way to validate that all replication agreements are
functioning correctly between all of my IPA masters and replicas. I am aware
that I can run 'ipa-replica-manage list -v' from each IPA master, but I was
looking for something more centralized that could give me a
Matt . wrote:
HI,
I'm already doing so without any luck. If you remember something,
would be nice to know!
So it should be possible to do still ?
If the DN of the entry adding the password is in passSyncManagersDNs in
the entry dn: cn=ipa_pwd_extop,cn=plugins,cn=config then the password
On 02/05/2015 01:21 PM, Dmitri Pal wrote:
On 02/05/2015 05:54 AM, Matt . wrote:
In the past we have done some testsetups with password expiring after
we added a user, at the moment I have difficulties with this on 4.1.2
What I need is the following:
- We add a user using json/kinit
- The
Hi,
Thank, this brought me further.
I don't see that attribute while kinit as admin.
When I use an ldap editor and login ad DM on my full cn domain I can
get into kerberos = My DN = cn=global policy. When when I set the
krbMaxPwdLife very high this doesn't matter, I need to higher up the
first
OK this works out good, I can login without changing my password directly.
But my expire is still on a day which should be set higer.
min is on 0 everywhere, max is 90 days.
How to accomplish that ?
2015-02-05 17:13 GMT+01:00 Matt . yamakasi@gmail.com:
Yes, when receiving your email I
Matt . wrote:
OK this works out good, I can login without changing my password directly.
But my expire is still on a day which should be set higer.
min is on 0 everywhere, max is 90 days.
How to accomplish that ?
I can't think of a way without modifying code.
Changing the password
Some of this might be rudimentary, so I apologize if this is answered
somewhere, though I've tried to search and have not had much luck...
Basically, I would like to be able to issue user certificates (Subject:
email=sblblabla@blabla.local) in order to use client SSL security on some
things.
A user contacted me today for a password reset. I made the reset on the
ipa-primary. The user opened a terminal session on an SSH Client to a server in
the realm and logged in. They received the required immediate password change
requirement and did so. They can log off and log back on that
Auerbach, Steven wrote:
A user contacted me today for a password reset. I made the reset on the
ipa-primary. The user opened a terminal session on an SSH Client to a
server in the realm and logged in. They received the required immediate
password change requirement and did so. They can log
On 02/04/2015 03:01 PM, Hugh wrote:
On 1/29/2015 4:26 PM, Dmitri Pal wrote:
How are the domains connected? Do you use trust or sync?
Trust. We wanted to have just one account and not need to install
additional software on the AD servers if possible.
1) Is it possible to log into a
On 02/05/2015 12:23 AM, alireza baghery wrote:
hi
i integrated ipa (centos 6.5) with AD windows server 2008 and anything
do work
i install replica server as follow:
#(ipaserve ipa): replica- prepare ipareplica. example. com - -
ip- address 192. 168. 1. 2
scp /var/lib/ipa/replica-
Baird, Josh wrote:
Hi,
I'm looking for an easy way to validate that all replication agreements are
functioning correctly between all of my IPA masters and replicas. I am aware
that I can run 'ipa-replica-manage list -v' from each IPA master, but I was
looking for something more
Christopher Young wrote:
Some of this might be rudimentary, so I apologize if this is answered
somewhere, though I've tried to search and have not had much luck...
Basically, I would like to be able to issue user certificates (Subject:
email=sblblabla@blabla.local) in order to use client
Roderick Johnstone wrote:
On 29/01/15 21:43, Roderick Johnstone wrote:
On 29/01/2015 17:32, Jakub Hrozek wrote:
On Wed, Jan 28, 2015 at 01:57:28PM +, Roderick Johnstone wrote:
On 28/01/15 10:57, Jakub Hrozek wrote:
On Tue, Jan 27, 2015 at 10:03:37PM +, Roderick Johnstone wrote:
Hi
I'm trying to set up a trust between IPA and Active Directory, and it keeps
failing. The problem is the same as this one
(https://www.redhat.com/archives/freeipa-users/2014-April/msg00039.html), but
the solution is not. In that case, it was solved by enabling IPv6 in the
kernel, and in this
Yes, when receiving your email I found that indeed. My ldapEditor
doesn't allow me to add that value, so this need to be done using the
commandline ?
2015-02-05 15:03 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
Matt . wrote:
HI,
I'm already doing so without any luck. If you remember
Hi,
is it possible to create a one way AD trust relationship with FreeIPA/IDM 3.3?
- From Windows I created an incoming one-way trust relationship, with a
trust-secret
- on Linux I use the trust-secret with ipa: ipa trust-add --type=ad
ipawindows.mtl.sfl --trust-secret
everything seems to be
The screen mockup in that ticket is based on a Perl script that I stuck
in cgi-bin to pull just those stats off each IPA server I have and
display them. Can share the code if you're interested.
D
-Original Message-
From: freeipa-users-boun...@redhat.com
Obvious next question: Any plans to implement that functionality or advice
on how one might get some level of functionality for this? Would it be
possible to create another command-line based openssl CA that could issue
these but using IPA as the root CA for those?
I'm just trying to provide a
On Thu, 05 Feb 2015, Dmitri Pal wrote:
On 02/04/2015 03:01 PM, Hugh wrote:
On 1/29/2015 4:26 PM, Dmitri Pal wrote:
How are the domains connected? Do you use trust or sync?
Trust. We wanted to have just one account and not need to install
additional software on the AD servers if possible.
1)
That would be great, thanks!
Josh
-Original Message-
From: Innes, Duncan [mailto:duncan.in...@virginmoney.com]
Sent: Thursday, February 05, 2015 11:34 AM
To: Rob Crittenden; Baird, Josh; freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Real-time replication status (RFE)?
The
Some of this might be rudimentary, so I apologize if this is answered
somewhere, though I've tried to search and have not had much luck...
Basically, I would like to be able to issue user certificates (Subject:
email=sblblabla@blabla.local) in order to use client SSL security on some
things.
On 29/01/15 21:43, Roderick Johnstone wrote:
On 29/01/2015 17:32, Jakub Hrozek wrote:
On Wed, Jan 28, 2015 at 01:57:28PM +, Roderick Johnstone wrote:
On 28/01/15 10:57, Jakub Hrozek wrote:
On Tue, Jan 27, 2015 at 10:03:37PM +, Roderick Johnstone wrote:
Hi
I'm migrating from a legacy
33 matches
Mail list logo