Re: [Freeipa-users] "Could not locate issuing CA" when querying OCSP responder

2016-07-25 Thread Fraser Tweedale
On Tue, Jul 26, 2016 at 01:45:19PM +1000, Fraser Tweedale wrote: > On Mon, Jul 25, 2016 at 05:23:31PM -0500, Anthony Joseph Messina wrote: > > After upgrading to FreeIPA 4.3.1, I am getting "Error querying OCSP > > responder" > > with the following command. I can confirm certificate with serial

Re: [Freeipa-users] "Could not locate issuing CA" when querying OCSP responder

2016-07-25 Thread Fraser Tweedale
On Mon, Jul 25, 2016 at 05:23:31PM -0500, Anthony Joseph Messina wrote: > After upgrading to FreeIPA 4.3.1, I am getting "Error querying OCSP > responder" > with the following command. I can confirm certificate with serial 0x14 is > present in the system and is not expired/revoked, etc. I'm a

Re: [Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-25 Thread Prashant Bapat
In our FreeIPA deployment the clients use pam_nss_ldapd with the "compat" schema. No ipa-client. I'm planning to apply the patched ipa_pwd_extop plugin to only 2 of the replicas (out of 8) where the external app authenticates against IPA's LDAP. These 2 replicas are more used like readonly. The

[Freeipa-users] "Could not locate issuing CA" when querying OCSP responder

2016-07-25 Thread Anthony Joseph Messina
After upgrading to FreeIPA 4.3.1, I am getting "Error querying OCSP responder" with the following command. I can confirm certificate with serial 0x14 is present in the system and is not expired/revoked, etc. I'm a bit nervous about the "OCSPServlet: Could not locate issuing CA" in the Dogtag

Re: [Freeipa-users] Could not find cert: Signing-Cert : File not found

2016-07-25 Thread Linov Suresh
We were not sure that Signing-Cert required for LDAP/Apache certificates renewal. Thank you very much for your update Rob. We are going to renew the certificates without Signing-Cert. On Mon, Jul 25, 2016 at 6:08 PM, Rob Crittenden wrote: > Linov Suresh wrote: > >> We are

Re: [Freeipa-users] Could not find cert: Signing-Cert : File not found

2016-07-25 Thread Rob Crittenden
Linov Suresh wrote: We are using CentOS 6.4/FreeIPA 3.0.0 LDAP/Apache certificates were expired and when we tried to renew, we found Signing-Cert is missing. # certutil -L -d /etc/httpd/alias -n Signing-Cert certutil: Could not find cert: Signing-Cert : File not found How do we recreate

[Freeipa-users] Could not find cert: Signing-Cert : File not found

2016-07-25 Thread Linov Suresh
We are using CentOS 6.4/FreeIPA 3.0.0 LDAP/Apache certificates were expired and when we tried to renew, we found Signing-Cert is missing. # certutil -L -d /etc/httpd/alias -n Signing-Cert certutil: Could not find cert: Signing-Cert : File not found How do we recreate Signing-Cert certificate?

Re: [Freeipa-users] Cannot renew expired certificates in IPA 4.2

2016-07-25 Thread Rob Crittenden
lm gnid wrote: Hello, as in the link bellow, your help will be appreciated! https://bugzilla.redhat.com/show_bug.cgi?id=1343796 The bug lacks almost all context so I have no idea what you have already done. In any case, the -vvv may be part of the problem, it does not mean verbose. rob

Re: [Freeipa-users] Unable to add CA on an already configured replica

2016-07-25 Thread Rob Crittenden
pgb205 wrote: Current topology: ipa-srv1<->ipa-srv2 ipa-srv1 already has CA installed but *NOT* ipa-srv2. The reason I would like to add CA on ipa-srv2 is because I want the setup to ultimately become ipa-srv2<->ipa-srv2<->ipa-srv3 however I am unable to create gpg replication file on

Re: [Freeipa-users] slow login with freeipa 4.2.0

2016-07-25 Thread Robert Story
On Mon, 25 Jul 2016 21:23:19 +0530 Rakesh wrote: RR> Hi, RR> RR> I am facing slow login issue with IPA 4.2.0 version. The login takes around RR> 18-19s Any chance that it's running on a VM? If so, check your entropy: cat /proc/sys/kernel/random/entropy_avail If it's low (like < 1k), install

Re: [Freeipa-users] slow login with freeipa 4.2.0

2016-07-25 Thread Jakub Hrozek
On Mon, Jul 25, 2016 at 09:23:19PM +0530, Rakesh Rajasekharan wrote: > Hi, > > I am facing slow login issue with IPA 4.2.0 version. The login takes around > 18-19s > > date;ssh testuser@10.16.32.4 > Mon Jul 25 11:14:54 UTC 2016 > testuser@10.65.32.4's password: > Last login: Mon Jul 25 11:10:35

Re: [Freeipa-users] listing users, groups and the host they access with sudo rules

2016-07-25 Thread Jakub Hrozek
On Mon, Jul 25, 2016 at 02:13:49PM +, Stefan Uygur wrote: > Hi everyone, > I am using ipa-server-3.0.0-47.el6_7.2.x86_64 on my redhat 6 and I was > wondering if there is a way in IPA to list the users, with their group and > the hosts they can access along with sudo permissions. > > This is

Re: [Freeipa-users] Bypass pre-hashed passwords verification

2016-07-25 Thread Rob Crittenden
Sébastien Julliot wrote: Looks like I spoke too fast. Using ldappasswd, no problems with ldap queries. But kinit rejects my password .. That is expected. You changed to a pre-hashed password (potentially) so how can IPA generate Kerberos credentials? I think ldappasswd working is a bug.

Re: [Freeipa-users] Insufficient 'write' privilege to the 'userCertificate'

2016-07-25 Thread Rob Crittenden
mohammad sereshki wrote: hi I get below error from "getcert list",would you please help me to solve it? ca-error: Server denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry

Re: [Freeipa-users] vaults and service accounts

2016-07-25 Thread Martin Basti
On 25.07.2016 16:22, Anthony Clark wrote: I wondered about that, but the docs specifically say public key, and the command line option to "ipa vault-add" is "--public-key" From "ipa vault-add --help" --public-key=BYTES Vault public key --public-key-file=STR File containing the

Re: [Freeipa-users] vaults and service accounts

2016-07-25 Thread Anthony Clark
I wondered about that, but the docs specifically say public key, and the command line option to "ipa vault-add" is "--public-key" From "ipa vault-add --help" --public-key=BYTES Vault public key --public-key-file=STR File containing the vault public key So I hope you can understand my

[Freeipa-users] listing users, groups and the host they access with sudo rules

2016-07-25 Thread Stefan Uygur
Hi everyone, I am using ipa-server-3.0.0-47.el6_7.2.x86_64 on my redhat 6 and I was wondering if there is a way in IPA to list the users, with their group and the hosts they can access along with sudo permissions. This is for auditing purposes and IPA doesn't seem to have a functionality that

Re: [Freeipa-users] Replicating users/groups from AD

2016-07-25 Thread Petr Spacek
On 25.7.2016 15:30, Simo Sorce wrote: > On Mon, 2016-07-25 at 08:24 -0500, Alston, David wrote: >> Greetings! >> >> Yes, I had been hoping there would be a way to incorporate domain >> trusts between Active Directory and FreeIPA while the clients relying >> on these for identity management

Re: [Freeipa-users] Replicating users/groups from AD

2016-07-25 Thread Simo Sorce
On Mon, 2016-07-25 at 08:24 -0500, Alston, David wrote: > Greetings! > > Yes, I had been hoping there would be a way to incorporate domain > trusts between Active Directory and FreeIPA while the clients relying > on these for identity management shared the same DNS domain (eg. >

Re: [Freeipa-users] Freeipa and FQDN requirement

2016-07-25 Thread Alexander Bokovoy
On Mon, 25 Jul 2016, Ilan Green wrote: Thanks, The issue per customer is having loads of legacy applications programmed to use short host names - it will be cumbersome to fix it What Petr asked about is to not host IPA server on the same machine as those legacy apps. Have IPA servers separate

Re: [Freeipa-users] Replicating users/groups from AD

2016-07-25 Thread Alston, David
Greetings! Yes, I had been hoping there would be a way to incorporate domain trusts between Active Directory and FreeIPA while the clients relying on these for identity management shared the same DNS domain (eg. linux.company.com and windows.company.com). It sounds like that isn't going

Re: [Freeipa-users] Freeipa and FQDN requirement

2016-07-25 Thread Ilan Green
Thanks, The issue per customer is having loads of legacy applications programmed to use short host names - it will be cumbersome to fix it Ilan Green Senior Technical Account Manager - EMEA Red Hat Mobile (+972) 52 3403218 email: igr...@redhat.com - Original Message - > From:

Re: [Freeipa-users] Bypass pre-hashed passwords verification

2016-07-25 Thread Sébastien Julliot
Hello Rob, The indicated method was unsuccessful, but I found another way to do it :) Here is a summary of my unsuccessful tests: ➜ ~ ipa user-add testuser --first=test --last=user --setattr userpassword='{MD5}8UBIfmQu5CpHAAniVJWPrQ==' --- Utilisateur « testuser »

Re: [Freeipa-users] vaults and service accounts

2016-07-25 Thread Martin Basti
On 24.07.2016 16:33, Anthony Clark wrote: Hello All, I have a crazy notion of storing a host's SSH private keys in a ipa vault, so that a rebuilt host can use the same keys. I'm on CentOS 7.2 and I'm using the RPMs available in the standard centos base repository, so I'm constrained to

Re: [Freeipa-users] Unable to add CA on an already configured replica

2016-07-25 Thread Martin Basti
On 22.07.2016 20:17, pgb205 wrote: Current topology: ipa-srv1<->ipa-srv2 ipa-srv1 already has CA installed but *NOT* ipa-srv2. The reason I would like to add CA on ipa-srv2 is because I want the setup to ultimately become ipa-srv2<->ipa-srv2<->ipa-srv3 however I am unable to create gpg

[Freeipa-users] ca-error 2100

2016-07-25 Thread mohammad sereshki
Hi, do you know how I can solve it? getcert list|grep -i err ca-error: Server denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry

Re: [Freeipa-users] change GID not work

2016-07-25 Thread Junhe Jian
Thank you very much @ all. I see I must change the GID for docker. _ Best regards Junhe Jian -----Original Message----- From: Lukas Slebodnik [mailto:lsleb...@redhat.com] Sent: Friday, 22 July 2016 21:25 To: Rob Crittenden Cc: Junhe Jian;

Re: [Freeipa-users] Question DNS: DNS views & FreeIPA

2016-07-25 Thread Petr Spacek
On 22.7.2016 18:50, Günther J. Niederwimmer wrote: > Hello List, > > what is the best way to include a local DNS Server? Could you be more specific? What exactly are you trying to achieve? > Can I configure on an IPA DNS Server (extern) views for an internal DNS > without > problems ? > > Is