in the
process) in IPA 2.1/2.2?
Kind regards,
James Hogarth
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
But in short the only thing to do is change the CRL generator per those
instructions. It is otherwise already a full CA. If none or all of them are
generating a CRL it isn't the end of the world either way, you could just
end up with slightly different CRLs on different masters which can be
Hi all,
As mentioned on IRC today I've finished my write up of using Apache
with SNI and kerberos authentication with an IPA backend
I'd be interested in any feedback:
http://freeipa.org/page/Apache_SNI_With_Kerberos
Kind regards,
James
Well, at the moment we only set up a two way trust
but the windows admins would certainly be able to delete the outgoing
trust right after it is created, it should cause trouble for win users
that want to access ipa hosts.
We may take an RFE about creating only a one way trust, but it won't
I'll try and replicate the blog findings in the course of the next couple of
days if it works I'll add it to the wiki ...
Set up a test this morning using CentOS 6:
nss-3.13.1-7.el6_2.x86_64
mod_nss-1.0.8-14.el6_2.x86_64
The behaviour was... odd
SNI itself must have been working as
Only one nss database may be opened at a time. mod_nss should probably error
out if multiple are defined to prevent confusion.
I'd think a nickname should be unique to a given VirtualServer. If not then
it's a bug.
That makes sense - and yeah it should probably error out rather than
just
but I'm getting hammered by my management for instant answers... they
asked last night and expect an answer this morning... and I'm expected to
catch up and deploy several important solutions/projects all hinging on IPA
ASAP...
2.2 isn't in RHEL6.3 though?
Are you using Fedora, CentOS
Hi all,
As mentioned on IRC today I've finished my write up of using libvirt
(kvm virtualization)
with VNC consoles and kerberos authentication with an IPA backend
I'd be interested in any feedback:
http://freeipa.org/page/Libvirt_with_VNC_Consoles
Kind regards,
James
Is there any information on what the roadmap might be now that 2.2 is out
the door?
The current roadmap still references the 2.1 release around a year ago.
Check out the info here: https://fedorahosted.org/freeipa/roadmap
So far as I'm aware the bulk of the 3.0 work is for cross realm
Yes I'd missed this,
echo "nisdomainname ods.vuw.ac.nz" >> /etc/rc.d/rc.local
Is it not possible to automate this (sudo setup) more in the
ipa-client-install ? control whether you want it via a sudo_enable=yes or no
somewhere?
I've added it to my kickstart for now so my sudo setup is
Hey all,
Just a quick heads up for the mailing list archive in case someone
bumps into this after drilling through it a bit in IRC on Friday...
If you are making use of --enable-dns-updates in ipa-client-install
and for whatever reason your client may change its address more often
than once
Hi all,
I was adding and removing the same hosts at a fairly high rate from
IPA and I've managed to get myself into an odd situation...
On trying to delete or unprovision one of the hosts I'm getting IPA
error 401: Certificate operation cannot be completed: EXCEPTION
(Certificate serial number
I suspect I've hit a replication conflict...
Just to close this off ... it was a replication issue - the
certificates hadn't yet replicated... deleting from the server
originally enrolled against it was fine.
James
Hi,
When trying to view a particular service (or the related host) I'm getting
the following error in the UI:
IPA Error 4301
Certificate operation cannot be completed: EXCEPTION (Certificate serial
number 0xffe000c not found)
Now I've seen similar issue in the past when replication has played
Hi, caching capabilities were not optimal in the tech preview, but it was
fully functional (or at least should be, I don't think anyone really tried
it in production), unless sssd is configured with multiple domains.
I looked at the 6.3 technical notes for sudo, sssd and ipa but couldn't
I believe that at one point we included a configuration very similar to
the snippet above in man sssd-sudo. It should be there in 6.4, not 100%
sure now.
Just checked the man page and indeed that minimal snippet is there ...
I really need to spend more time going through new man pages etc at
Upgrade to bind-dyndb-ldap-2.3-2.el6_4.1 should fix the problem.
Thanks Petr ... looks like that's not in the CentOS repositories ... I'll
give those guys a heads up ...
A quick look and it appears that the SRPM isn't in the public FTP server
... opened bug
Meanwhile I recommend you to build version 2.6:
https://fedorahosted.org/released/bind-dyndb-ldap/bind-dyndb-ldap-2.6.tar.bz2
It includes some fixes not-yet accepted for RHEL.
Interesting... I might build and test but generally I prefer to keep to
packages accepted to rhel...
As an FYI
Hi guys,
I'm just picking up the nice to have ticket of configure the default TTL as
part of my general TTL refactor work seeing as the exposing and
modification of TTL in the UI is unlikely to be complete before 3.3 freeze
(mostly working but a few bugs remaining) :
Did anyone find a solution for this? I am having the same experience.
Wow that was a mess...
To use hostgroups for sudo ensure nisdomainname is set on the hosts to the
IPA domain.
Please contact me on IRC (pspacek in #freeipa @ FreeNode) or via e-mail.
We need to coordinate, because bind-dyndb-ldap is undergoing heavy
refactoring right now.
Also, remember that modification in bind-dyndb-ldap will require
modification on FreeIPA side (CLI/WebUI/API).
Sure - I'm
Hi,
We're looking to add monitoring to our IPA replicas and want to provide a
user with the minimum possible permissions to do so.
Allowing the user to have the Replication Administrators role works but for
monitoring the ability to add/modify/remove is overkill by a long shot.
There's no
On 1 August 2013 09:36, Martin Kosek mko...@redhat.com wrote:
The patch for this would do basically this:
- remove the following aci:
(targetattr != aci)(version 3.0; aci replica admins read access; allow
(read,
search, compare) groupdn = ldap:///cn=Modify Replication
On 1 August 2013 15:55, Rob Crittenden rcrit...@redhat.com wrote:
James Hogarth wrote:
On 1 August 2013 09:36, Martin Kosek mko...@redhat.com
mailto:mko...@redhat.com wrote:
The patch for this would do basically this:
- remove the following aci:
(targetattr != aci)(version