Re: [Freeipa-users] Adjusting nsslapd-cachememsize

2017-03-20 Thread Rich Megginson
On 03/20/2017 03:14 PM, Lachlan Musicman wrote: Directly editing the dse.ldif didn't work. ipactl start hangs on pki-tomcatd. I think I've broken it. I seem to recall ldap not liking being edited by hand. You have to make sure dirsrv is not running before you edit dse.ldif. Not sure if

Re: [Freeipa-users] Adjusting nsslapd-cachememsize

2017-03-20 Thread Lachlan Musicman
Directly editing the dse.ldif didn't work. ipactl start hangs on pki-tomcatd. I think I've broken it. I seem to recall ldap not liking being edited by hand. cheers L. -- The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper On 17 March 2017 at 19:45,

Re: [Freeipa-users] compat and nested groups for Unix system

2017-03-20 Thread Alexander Bokovoy
On ma, 20 maalis 2017, Iulian Roman wrote: On Mon, Mar 20, 2017 at 4:24 PM, Alexander Bokovoy wrote: On ma, 20 maalis 2017, Iulian Roman wrote: On Mon, Mar 20, 2017 at 4:00 PM, Alexander Bokovoy wrote: On ma, 20 maalis 2017, Iulian Roman wrote:

[Freeipa-users] ldap connector from IIQ to ipa

2017-03-20 Thread Iulian Roman
Hello, We do plan to integrate IPA with IdentityIQ (sailpoint) for user provisioning. Because IPA does abstract all the ldap commands via a new set of commands and APIs, I am not sure if the standard ldap connector is the right option and if it is supported (taking into consideration that a

Re: [Freeipa-users] compat and nested groups for Unix system

2017-03-20 Thread Iulian Roman
On Mon, Mar 20, 2017 at 4:24 PM, Alexander Bokovoy wrote: > On ma, 20 maalis 2017, Iulian Roman wrote: > >> On Mon, Mar 20, 2017 at 4:00 PM, Alexander Bokovoy >> wrote: >> >> On ma, 20 maalis 2017, Iulian Roman wrote: >>> >>> Hello, I noticed

Re: [Freeipa-users] Use SQLite format NSS database?

2017-03-20 Thread Rob Crittenden
Martin Basti wrote: > > > On 20.03.2017 16:12, Ian Pilcher wrote: >> On 03/20/2017 04:00 AM, David Kupka wrote: >>> Generally I would not recommend touching this on a production system. >>> Why do you want to change the database format? >> >> My FreeIPA server also acts as a reverse proxy/TLS

Re: [Freeipa-users] Use SQLite format NSS database?

2017-03-20 Thread Martin Basti
On 20.03.2017 16:12, Ian Pilcher wrote: > On 03/20/2017 04:00 AM, David Kupka wrote: >> Generally I would not recommend touching this on a production system. >> Why do you want to change the database format? > > My FreeIPA server also acts as a reverse proxy/TLS endpoint for my > home sprinkler

Re: [Freeipa-users] compat and nested groups for Unix system

2017-03-20 Thread Alexander Bokovoy
On ma, 20 maalis 2017, Lukas Slebodnik wrote: On (20/03/17 17:00), Alexander Bokovoy wrote: On ma, 20 maalis 2017, Iulian Roman wrote: Hello, I noticed that the nested group feature does not work with the unix ldap clients (AIX) if the default groupbasedn (cn=groups,cn=accounts,dc=...) is used. If

Re: [Freeipa-users] compat and nested groups for Unix system

2017-03-20 Thread Iulian Roman
On Mon, Mar 20, 2017 at 4:00 PM, Alexander Bokovoy wrote: > On ma, 20 maalis 2017, Iulian Roman wrote: > >> Hello, >> >> I noticed that the nested group feature does not work with the unix ldap clients >> (AIX) if the default groupbasedn (cn=groups,cn=accounts,dc=...) is used. >>

Re: [Freeipa-users] compat and nested groups for Unix system

2017-03-20 Thread Alexander Bokovoy
On ma, 20 maalis 2017, Iulian Roman wrote: On Mon, Mar 20, 2017 at 4:00 PM, Alexander Bokovoy wrote: On ma, 20 maalis 2017, Iulian Roman wrote: Hello, I noticed that the nested group feature does not work with the unix ldap clients (AIX) if the default groupbasedn

Re: [Freeipa-users] Certificate Access issue

2017-03-20 Thread Lukas Slebodnik
On (20/03/17 16:39), Alexander Bokovoy wrote: >On ma, 20 maalis 2017, Artem Golubev wrote: >> Good day! >> >> We use freeipa server 4.3.1, we usually grant access via ssh keys to linux >> clients. >> We currently face the following issue with access on certificate: when we >> add a certificate to

Re: [Freeipa-users] Use SQLite format NSS database?

2017-03-20 Thread Ian Pilcher
On 03/20/2017 04:00 AM, David Kupka wrote: Generally I would not recommend touching this on a production system. Why do you want to change the database format? My FreeIPA server also acts as a reverse proxy/TLS endpoint for my home sprinkler system (https://opensprinkler.com/), allowing me to

Re: [Freeipa-users] Certificate Access issue

2017-03-20 Thread Sumit Bose
On Mon, Mar 20, 2017 at 02:55:37PM +0300, Artem Golubev wrote: > Good day! > > We use freeipa server 4.3.1, we usually grant access via ssh keys to linux > clients. > We currently face the following issue with access on certificate: when we > add a certificate to a user's account, the user is not able to

Re: [Freeipa-users] compat and nested groups for Unix system

2017-03-20 Thread Lukas Slebodnik
On (20/03/17 17:00), Alexander Bokovoy wrote: >On ma, 20 maalis 2017, Iulian Roman wrote: >> Hello, >> >> I noticed that the nested group feature does not work with the unix ldap clients >> (AIX) if the default groupbasedn (cn=groups,cn=accounts,dc=...) is used. If >> I use the cn=compat and change the

Re: [Freeipa-users] compat and nested groups for Unix system

2017-03-20 Thread Alexander Bokovoy
On ma, 20 maalis 2017, Iulian Roman wrote: Hello, I noticed that the nested group feature does not work with the unix ldap clients (AIX) if the default groupbasedn (cn=groups,cn=accounts,dc=...) is used. If I use the cn=compat and change the mapping the nested groups are listed properly. Compat tree

[Freeipa-users] compat and nested groups for Unix system

2017-03-20 Thread Iulian Roman
Hello, I noticed that the nested group feature does not work with the unix ldap clients (AIX) if the default groupbasedn (cn=groups,cn=accounts,dc=...) is used. If I use the cn=compat and change the mapping the nested groups are listed properly. My question is if it is allowed to mix the compat and

Re: [Freeipa-users] Certificate Access issue

2017-03-20 Thread Alexander Bokovoy
On ma, 20 maalis 2017, Artem Golubev wrote: Good day! We use freeipa server 4.3.1, we usually grant access via ssh keys to linux clients. We currently face the following issue with access on certificate: when we add a certificate to a user's account, the user is not able to log in via ssh. How can we

[Freeipa-users] upgrade ipa-server fails changing dogtag key

2017-03-20 Thread Andrew E. Bruno
When yum updating our ipa-server running CentOS 7.3.1611 from ipa-server-4.4.0-14.el7.centos.1.1.x86_64 to ipa-server-4.4.0-14.el7.centos.6.x86_64 we got this error: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. Unexpected error - see

[Freeipa-users] Certificate Access issue

2017-03-20 Thread Artem Golubev
Good day! We use freeipa server 4.3.1, we usually grant access via ssh keys to linux clients. We currently face the following issue with access on certificate: when we add a certificate to a user's account, the user is not able to log in via ssh. How can we solve this problem? We would like to have a

Re: [Freeipa-users] Errors in IPA logs

2017-03-20 Thread Lachlan Musicman
On 20 March 2017 at 19:38, Martin Basti wrote: > On 19.03.2017 22:58, Lachlan Musicman wrote: > > Hi, > > I've reported a bug against SSSD and Lukas has pointed to a number of > FreeIPA errors in our logs. > I can't find any information on how I might fix these errors or

Re: [Freeipa-users] Use SQLite format NSS database?

2017-03-20 Thread David Kupka
On Sat, Mar 18, 2017 at 11:58:35AM -0500, Ian Pilcher wrote: > Can IPA 4.4 (on CentOS 7) use a SQLite format NSS database in > /etc/httpd/alias? > > I would presumably have to prepend "sql:" to the NSSCertificateDatabase > setting in nss.conf. > > Anything else? > > -- >

Re: [Freeipa-users] Errors in IPA logs

2017-03-20 Thread Martin Basti
On 19.03.2017 22:58, Lachlan Musicman wrote: > Hi, > > I've reported a bug against SSSD and Lukas has pointed to a number of > FreeIPA errors in our logs. > I can't find any information on how I might fix these errors or > what I might do to mitigate them. Any pointers appreciated: > > First

Re: [Freeipa-users] shadow netgroups with wrong domains - sudo problem [SOLVED]

2017-03-20 Thread Bob Hinton
On 20/03/2017 08:29, Jakub Hrozek wrote: > On Fri, Mar 17, 2017 at 01:52:17PM +, Bob Hinton wrote: >> On 17/03/2017 12:48, Lukas Slebodnik wrote: >>> On (17/03/17 10:40), Bob Hinton wrote: On 17/03/2017 08:41, Jakub Hrozek wrote: > On Fri, Mar 17, 2017 at 06:50:34AM +, Bob Hinton

Re: [Freeipa-users] Options for existing CA/DNS infrastructure

2017-03-20 Thread David Kupka
On Sun, Mar 12, 2017 at 10:47:02PM -0400, Rob Foehl wrote: > I'm looking at deploying FreeIPA in a few environments with substantial DNS > and/or CA infrastructure, and have some choices to make... > > How much trouble will I have if FreeIPA is delegated a zone like > ipa.example.com with all

Re: [Freeipa-users] shadow netgroups with wrong domains - sudo problem

2017-03-20 Thread Jakub Hrozek
On Fri, Mar 17, 2017 at 01:52:17PM +, Bob Hinton wrote: > On 17/03/2017 12:48, Lukas Slebodnik wrote: > > On (17/03/17 10:40), Bob Hinton wrote: > >> On 17/03/2017 08:41, Jakub Hrozek wrote: > >>> On Fri, Mar 17, 2017 at 06:50:34AM +, Bob Hinton wrote: > Morning, > > We have