Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

2015-09-20 Thread Jakub Hrozek
On Sat, Sep 19, 2015 at 06:32:40AM -0700, Gustavo Mateus wrote:
> I've already included that in the IPA permissions.
> Anonymous access to ipaSshPubKey is marked as public already. Read and
> Search is allowed.

As your ldapsearch proved, it's still not working. If you search the
server logs, you might see what exact attributes were requested and
whether they were permitted.

(Requesting just the single attribute might make the server logs a bit
more readable)

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

2015-09-20 Thread Jakub Hrozek
On Sat, Sep 19, 2015 at 07:47:55PM +0300, Alexander Bokovoy wrote:
> On Sat, 19 Sep 2015, Jakub Hrozek wrote:
> >
> >>On 18 Sep 2015, at 19:17, Gustavo Mateus wrote:
> >>
> >>That only shows this:
> >>
> >># extended LDIF
> >>#
> >># LDAPv3
> >># base 

Re: [Freeipa-users] V6 and v4

2015-09-20 Thread Janelle

On 9/13/15 11:46 PM, Alexander Bokovoy wrote:
> On Sun, 13 Sep 2015, Janelle wrote:
> > Hello,
> >
> > I read something recently that if IPv6 is disabled on a server this
> > hurts performance in some way? Is there more info on this or did I
> > misread it?
>
> Do not disable IPv6 stack on your machines. By disabling IPv6 you are
> not doing good. On the contrary, many contemporary software projects are
> using IPv6-enabled network calls by default because both IPv6 and IPv4
> share the same name space on the machine so you only need to listen on an
> IPv6 port to accept both IPv4 and IPv6. This is a recommended approach
> for networking applications' developers for years already.
>
> Note that this means only that support for IPv6 stack is enabled in the
> kernel. You are not required to go with IPv6 networking addresses, this
> is not really needed if you don't want to. But allowing applications to
> be IPv6 aware is required.
>
> FreeIPA has several components which are programmed in such a way that
> they expect IPv6 stack to be enabled for reasons outlined above. If you
> disable IPv6 stack, FreeIPA will partially malfunction and will not
> really be in a supported state, especially when we are talking about
> trusts to Active Directory (and, in future, IPA to IPA trust).

Now it makes me wonder if my problems with replicas and RUVs were caused 
by v6 being disabled.


Time for some investigation.
~J
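
An added example, not part of any message in this thread and not FreeIPA code: a small Python probe of the behaviour the quoted reply describes, where a service listens only on an IPv6 socket and still accepts an IPv4 client. The function names `unmap` and `probe_dual_stack` are this example's own; it reports a status instead of raising when the kernel has no IPv6 stack.

```python
import ipaddress
import socket


def unmap(addr: str) -> str:
    """Return the IPv4 form of an IPv4-mapped IPv6 address, else addr unchanged."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # only IPv6Address has this
    return str(mapped) if mapped else addr


def probe_dual_stack() -> dict:
    """Listen on [::] only, then connect to that listener over IPv4 loopback."""
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError as exc:
        # Address family not supported: the kernel has no IPv6 stack, so a
        # service written to listen on an IPv6 socket cannot start at all.
        return {"status": "no-ipv6-stack", "error": str(exc)}
    with srv:
        try:
            # 0 = accept IPv4 clients on this IPv6 socket as well (dual-stack).
            srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
            srv.settimeout(2)
            srv.bind(("::", 0))  # port 0: let the kernel pick a free port
            srv.listen(1)
            port = srv.getsockname()[1]
            # The client uses a plain IPv4 address; no IPv6 address is configured.
            with socket.create_connection(("127.0.0.1", port), timeout=2):
                conn, peer = srv.accept()
                conn.close()
        except OSError as exc:
            return {"status": "dual-stack-failed", "error": str(exc)}
    # The server sees the IPv4 client as an IPv4-mapped IPv6 address.
    return {"status": "dual-stack-ok", "peer": peer[0],
            "client_ipv4": unmap(peer[0])}


if __name__ == "__main__":
    print(probe_dual_stack())
```

On a host with the IPv6 stack enabled the peer is reported as `::ffff:127.0.0.1`, which is why access-control and log-parsing code behind such a listener should normalise mapped addresses before comparing them with IPv4 rules.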
