Re: [Freeipa-users] Announcing FreeIPA 4.4.2

2016-10-17 Thread Martin Kosek
On 10/14/2016 03:29 PM, Coy Hile wrote: > > > Will there be builds in a COPR for rhel/centos 7? I would recommend waiting on RHEL-7.3, which should be released soon enough. RHEL-7.3 contains an IdM/FreeIPA version that is very close to upstream version 4.4.2. Martin

Re: [Freeipa-users] Announcing FreeIPA 4.4.2

2016-10-14 Thread Martin Kosek
On 10/13/2016 09:17 PM, Petr Vobornik wrote: > The FreeIPA team would like to announce FreeIPA 4.4.2 release! > > It can be downloaded from http://www.freeipa.org/page/Downloads. Builds > for Fedora 24 will be available in the official COPR repository >

Re: [Freeipa-users] Cleaning Up an Unholy Mess

2016-08-26 Thread Martin Kosek
On 08/25/2016 08:04 PM, Ian Harding wrote: > > > On 08/25/2016 10:41 AM, Rob Crittenden wrote: >> Ian Harding wrote: >>> >>> >>> On 08/24/2016 06:33 PM, Rob Crittenden wrote: Ian Harding wrote: > I tried to simply uninstall and reinstall freeipa-dal and this > happened. > >

Re: [Freeipa-users] Admin password no more working

2016-08-19 Thread Martin Kosek
On 08/18/2016 04:16 PM, Deepak Dimri wrote: > Hi All, > > While trying to automate IPA client registration programmatically, I seem > to have > made my admin password out of sync between KDC and > /etc/krb5.keytab. This looks confusing, admin password and /etc/krb5.keytab do not look related. The

Re: [Freeipa-users] FreeIPA / CentOS 7.2 / Issues on Startup

2016-08-18 Thread Martin Kosek
On 08/18/2016 12:48 AM, Devin Acosta wrote: > > My first primary FreeIPA Master server has gone belly up. When I try to start > the server it shows this message in the "error" log. However the other issue > I > have is when I try to start the server using "ipactl start" it times out > after

Re: [Freeipa-users] KDC returned error string: NOT_ALLOWED_TO_DELEGATE

2016-08-16 Thread Martin Kosek
On 08/16/2016 09:25 AM, Petr Spacek wrote: > On 15.8.2016 20:18, Linov Suresh wrote: >> We have IPA replica set up in RHEL 6.4 and is FreeIPA 3.0.0 >> >> >> We can only add the clients from IPA Server 01, not from IPA Server 02. >> When I tried to add the client from IPA Server 02, getting the

Re: [Freeipa-users] FreeIPA LDAP Directory Extension

2016-08-09 Thread Martin Kosek
Please check the FreeIPA training presentation. There are more details for this. TLDR, you will need to create one Python plugin to get this into API/CLI and one Web UI plugin if you also want to extend Web UI. The presentation above has some examples. On 08/09/2016 02:20 PM, Deepak Dimri wrote:

Re: [Freeipa-users] FreeIPA LDAP Directory Extension

2016-08-09 Thread Martin Kosek
Hi Deepak, This console is not available for regular or shipped with FreeIPA (AFAIK), it is only included in the Red Hat Directory Server product. With FreeIPA, you will need to extend the schema with CLI tools (ldapmodify) as indicated in the presentation that Martin Basti shared. Martin On

Re: [Freeipa-users] IPA and FIPS 140-2

2016-08-09 Thread Martin Kosek
IPA. > > > *Michael Sean Conley* > Hardware/Infrastructure > Intelligence, Information and Services > *Raytheon Company* > 972-643-9887 (office) > > michael.sean.con...@raytheon.com > > Inactive hide details for Martin Kosek ---08/05/2016 06:33:27 AM---Are you now > ask

Re: [Freeipa-users] IPA and FIPS 140-2

2016-08-05 Thread Martin Kosek
Are you now asking about when upstream version is FIPS compliant or some downstream distribution? If you are asking about RHEL, as indicated by https://bugzilla.redhat.com/show_bug.cgi?id=1125174 the bug is still in a NEW state. Given the state of RHEL-7.3 life cycle, it is too late to add it

Re: [Freeipa-users] Can we disable HTTP TRACE / TRACK Method in IPA

2016-07-15 Thread Martin Kosek
On 07/15/2016 08:17 AM, Zeal Vora wrote: > Hi > > In our Internal VA, Vulnerability Assessment tools generate the HTTP TRACE / > TRACK method in IPA as a medium based vulnerability. > > Is there a need to allow those two methods in IPA ? > > If not, what is the optimal way to disable those

Re: [Freeipa-users] Replication Agreement issues noticed with repl-monitor.pl

2016-07-15 Thread Martin Kosek
rote: > > On 07/14/2016 12:57 PM, Martin Kosek wrote: > > On 07/13/2016 04:24 AM, Devin Acosta wrote: > >> > >> I was trying to create another Replica but then noticed it was > constantly having > >> issues trying to finish the join

Re: [Freeipa-users] Replication Agreement issues noticed with repl-monitor.pl

2016-07-14 Thread Martin Kosek
On 07/13/2016 04:24 AM, Devin Acosta wrote: > > I was trying to create another Replica but then noticed it was constantly > having > issues trying to finish the joining of the replication. I then ran the > command: > repl-monitor.pl. It appears I have several >

Re: [Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-08 Thread Martin Kosek
On 07/07/2016 05:19 PM, Prashant Bapat wrote: > Anyone ?! > > On 6 July 2016 at 22:36, Prashant Bapat > wrote: > > Hi, > > We are using FreeIPA's LDAP as the base for user authentication in a > different application. So far I have

Re: [Freeipa-users] Replication time and relation to cache size

2016-07-07 Thread Martin Kosek
On 06/21/2016 05:19 PM, Ash Alam wrote: > anyone have any thoughts on this? > > Thank You > > On Fri, Jun 10, 2016 at 2:59 PM, Ash Alam > wrote: > > Hello > > I have been going through the lists but I have not found the answer

Re: [Freeipa-users] How to automatically group new users under Stage Users when users are synced from AD

2016-07-07 Thread Martin Kosek
On 06/26/2016 06:57 PM, Supratik Goswami wrote: > Hi > > I am using ipa-server-4.2.0 in my environment, it is having winsync > agreement > with the AD server. > I want to move all new users to "Stage Users" state automatically when they > are > synced from the AD, can anyone please guide me

Re: [Freeipa-users] Password sync settings not working

2016-07-07 Thread Martin Kosek
Good! Thanks for confirmation (I suspected PEBKAC, thus my questions). Martin On 07/02/2016 10:01 PM, Joshua J. Kugler wrote: > Thanks. In a case of extreme PEBKAC, I had copied the example and failed to > update the DN. It works now. > > j > > > On Monday, June 13,

Re: [Freeipa-users] Read-only access to enforce OTP

2016-06-16 Thread Martin Kosek
On 06/16/2016 11:00 AM, Prashant Bapat wrote: > Hi, > > I'm writing a small script which will scan all the users and check if each > one > has set up an OTP. It will send out an email to the user if OTP is missing. > > I added a new entry / >

Re: [Freeipa-users] Best practices on securing freeipa

2016-06-15 Thread Martin Kosek
On 06/14/2016 07:51 PM, Danila Ladner wrote: > Greetings Folks. > I could not find any information on best practices of securing free ipa > servers > and its replicas. > Since the hosts become an important part of IT IM infrastructure, wanted to > see > if anyone can point me to the right

Re: [Freeipa-users] Password sync settings not working

2016-06-13 Thread Martin Kosek
On 06/10/2016 01:59 AM, Joshua J. Kugler wrote: > Howdy! > > We are trying to set up password sync. I have read this: > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#password-sync > > I have added that attribute: >

Re: [Freeipa-users] FreeIPA 4.4

2016-06-09 Thread Martin Kosek
On 06/08/2016 12:18 PM, Winfried de Heiden wrote: > Hi all, > > Any news/progress about FreeIPA 4.4? > > On http://www.freeipa.org/page/Roadmap: *FreeIPA 4.4*: feature release. > Release > planned for end of May 2016. > > Any updated release date...? The new estimate is rather June, there

Re: [Freeipa-users] Replica without CA: implications?

2016-06-08 Thread Martin Kosek
On 06/08/2016 11:05 AM, Cal Sawyer wrote: > > On 08/06/16 09:23, Martin Kosek wrote: >> On 06/07/2016 04:10 PM, Cal Sawyer wrote: >> ... >>> I found that installing a replica with firewalld enabled would consistently >>> fail >>> during initial rep

Re: [Freeipa-users] sessions failing when using different hostname

2016-06-08 Thread Martin Kosek
On 06/08/2016 09:42 AM, Jan Pazdziora wrote: > On Wed, Jun 08, 2016 at 09:29:09AM +0200, Martin Kosek wrote: >> On 06/01/2016 07:48 PM, Anthony Clark wrote: >>> >>> I'm somewhat at a loss to debug this further. I was wondering if the >>> session >>>

Re: [Freeipa-users] How to get FreeIPA feature requests ack'd?

2016-06-08 Thread Martin Kosek
On 06/07/2016 05:22 PM, Cal Sawyer wrote: > Hello > > The RH Bugzilla is pretty much unnavigable by anyone who doesn't know the > magic > words, so i'm asking here. Apologies in advance if misdirected. Hi Cal, I updated FreeIPA Trac front page, to help you (and others) more with filing bugs

Re: [Freeipa-users] Replica without CA: implications?

2016-06-08 Thread Martin Kosek
On 06/07/2016 04:10 PM, Cal Sawyer wrote: ... > I found that installing a replica with firewalld enabled would consistently > fail > during initial replication. Disabling firewalld always allowed replication > and > later stages to complete > >[24/38]: setting up initial replication

Re: [Freeipa-users] sessions failing when using different hostname

2016-06-08 Thread Martin Kosek
On 06/01/2016 07:48 PM, Anthony Clark wrote: > Hello All, > > I've been asked to allow access to our FreeIPA web UI from a more user > friendly > url than I'm currently using. So I've set up a CNAME password.example.com > for ns01.example.com

Re: [Freeipa-users] OCSP and CRL in certs for java firefox plugin

2016-05-31 Thread Martin Kosek
On 05/30/2016 10:53 PM, Prasun Gera wrote: > > To summarize, your options seem to be: > * Create ipa-ca DNS record in your primary domain > * Update the main default certificate profile (present in FreeIPA 4.2+) > * Migrate whole FreeIPA deployment to other DNS primary you would

Re: [Freeipa-users] Centos 7.2 ipa-backup failure

2016-05-31 Thread Martin Kosek
On 05/30/2016 06:57 PM, Ken Bass wrote: > On 05/30/2016 10:32 AM, Martin Kosek wrote: >> On 05/29/2016 05:33 PM, Ken Bass wrote: >>> Today I tried my very first ipa-backup attempt. The command reported 'The >>> ipa-backup command was successful' >>> >>>

Re: [Freeipa-users] Unable to access to web ui

2016-05-30 Thread Martin Kosek
On 05/30/2016 04:36 PM, Martin Basti wrote: > > > On 30.05.2016 14:20, seli irithyl wrote: >> Hi, >> >> Since last update, I'm unable to log in to web ui with FF (e.g. blank page) >> Any idea where to look for ? >> >> Best regards, >> >> Seli >> >> >> >> >> > Hello, > > can you provide

Re: [Freeipa-users] Install best practice -

2016-05-30 Thread Martin Kosek
On 05/29/2016 07:11 PM, Ben .T.George wrote: > Hi > > I would like to know how I can proceed with best practices > > My AD domain is : corp.examle.com.kw > My DNS (appliances ) : kw.test.com > > All my clients are pointed to kw.test.com

Re: [Freeipa-users] Centos 7.2 ipa-backup failure

2016-05-30 Thread Martin Kosek
On 05/29/2016 05:33 PM, Ken Bass wrote: > Today I tried my very first ipa-backup attempt. The command reported 'The > ipa-backup command was successful' > > YET I saw: > > /usr/sbin/db2ldif: line 157: 22567 Segmentation fault /usr/sbin/ns-slapd > db2ldif -D /etc/dirsrv/slapd-DOMAIN-NET -n

Re: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias

2016-05-30 Thread Martin Kosek
On 05/29/2016 09:18 AM, Günther J. Niederwimmer wrote: > Hello > I found some Help for the IPA Certificate but I found no way to import the IPA > CA ? > I would like to create a webserver with an owncloud virtualhost and other.. > > But it is not possible for me to create the /etc/httpd/alias correctly ?

Re: [Freeipa-users] OCSP and CRL in certs for java firefox plugin

2016-05-30 Thread Martin Kosek
On 05/28/2016 05:30 AM, Prasun Gera wrote: > The problem is that I'm not using ipa for dns. dns is handled externally, and > I > don't have admin access. I have 1 master and 1 replica, and all the clients > are > enrolled with --server=a,--server=b during installation, and I think it works >

Re: [Freeipa-users] Adding groupOfUniqueNames to all freeipa replicas for Zenoss LDAP authentication

2016-05-30 Thread Martin Kosek
On 05/27/2016 03:17 PM, Bob Hinton wrote: > Hi Martin, > > On 27/05/2016 14:01, Martin Kosek wrote: >> On 05/25/2016 09:51 PM, Bob Hinton wrote: >>> Hello, >>> >>> We are trying to get Zenoss login authentication to use freeipa over >>> LDA

Re: [Freeipa-users] Error when adding new users via UI:

2016-05-24 Thread Martin Kosek
On 05/24/2016 04:07 PM, Rob Crittenden wrote: > Traiano Welcome wrote: >> Hi >> >> I have IPA server 4.2 running on centos 7 >> (ipa-server-4.2.0-15.el7.centos.3.x86_64). >> >> This morning, after many months of stable operation, I tried to add a >> user and got this error via the web interface:

Re: [Freeipa-users] FreeIPA 4.3 with PWM 1.7 ?

2016-05-24 Thread Martin Kosek
On 05/23/2016 07:56 PM, Zak Wolfinger wrote: > Does anyone have this combo working? I’m running into problems with > pki-tomcat and tomcat for pwm conflicting and need some pointers. > > Thanks! You may need to do it on FreeIPA replica without a CA then or isolate these somehow (containers?)

Re: [Freeipa-users] What id my AD domain user password not available

2016-05-24 Thread Martin Kosek
On 05/23/2016 03:20 PM, Ben .T.George wrote: > Hi > > Thanks for your reply. > > I saw this before but the thing is I can't follow up this one as I am > not > completely getting those steps > > ipa trust-add --type=ad "ad_domain" --trust-secret > > Is asking for key and what i need to

Re: [Freeipa-users] authconfig vs ipa-client-install

2016-05-19 Thread Martin Kosek
On 05/19/2016 04:12 PM, lejeczek wrote: > hi everybody > > I'd like to ask how does what ipa installation does to a box relate to > authconfig? > > I am specifically thinking of the fact that authconfig does not indicate that > IPAv2 is used, on a box which is IPA member/client. > > Is it

Re: [Freeipa-users] Changing spec.page_length?

2016-05-19 Thread Martin Kosek
On 05/17/2016 01:54 AM, Jeffery Harrell wrote: > Is there a “soft” way to change the number of rows in tables like the hosts > and > DNS records search facets? I think I’d happily trade a little interactivity > when > going from one facet to another for the ability to see four or five times as

Re: [Freeipa-users] FreeIPA DNS Module (named.conf)

2016-05-16 Thread Martin Kosek
On 05/16/2016 02:03 PM, Günther J. Niederwimmer wrote: > Hello, > > I have a question about the named.conf, is it possible to change the > named.conf, to make ACL or views, or is named.conf overwritten from the freeipa > module ? > Hello, FreeIPA indeed replaces default named.conf during

Re: [Freeipa-users] otp question to limit brute force vector for web applications

2016-05-16 Thread Martin Kosek
On 05/13/2016 05:24 PM, Thomas Heil wrote: > Hi, > > On 13.05.2016 16:12, Petr Spacek wrote: >> On 13.5.2016 15:25, Thomas Heil wrote: >>> Hi, >>> >>> I would like to reduce the vector of brute force attacks in my web >>> application written in php. Users can login via password and otp which >>>

Re: [Freeipa-users] AD Primary Groups are ignored in FreeIPA?

2016-05-16 Thread Martin Kosek
On 05/16/2016 05:28 AM, Lachlan Musicman wrote: > Hola, > > We have an interesting scenario that is hard to find any information on. > > Due to permission restrictions, a NAS that is mounted and visible by both AD > and > 'nix clients, every user belongs to a particular primary group. > >

Re: [Freeipa-users] DNSSEC NSEC3 Parameter

2016-05-16 Thread Martin Kosek
On 05/14/2016 07:49 PM, Günther J. Niederwimmer wrote: > Hello, > > Thanks for answer, > > On Friday, 13 May 2016, 09:40:05 CEST, Martin Kosek wrote: >> On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote: >>> Hello, >>> I have the Problem

Re: [Freeipa-users] DNSSEC NSEC3 Parameter

2016-05-13 Thread Martin Kosek
On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote: > Hello, > I have the Problem to find the correct way for NSEC3PARAM ? > > With your Help I have found this > > ipa dnszone-mod example.com. --nsec3param-rec " > " > > But it does not work correctly ? > > Now the question, is this the

Re: [Freeipa-users] Exposing LDAP attributes with hyphens in their names?

2016-05-11 Thread Martin Kosek
On 05/06/2016 07:12 PM, Jeffery Harrell wrote: > Hi. I’m very new to IPA; I only picked it up a couple weeks ago. So this may > be > a remedial question. > > I’d like to expose, both via the CLI and the GUI, certain LDAP attributes > which > have hyphens in their names — e.g.,

Re: [Freeipa-users] Automatic consistency checking

2016-05-11 Thread Martin Kosek
On 05/05/2016 04:35 PM, Martin Basti wrote: > > > On 05.05.2016 15:54, Andrew Holway wrote: > > Hello, > > We've been using Freeipa on Centos for a while and found one day that the > replication stuff was broken and that the LDAP database on our pair of IPA > servers was

Re: [Freeipa-users] Looking for documentation for Python API

2016-05-11 Thread Martin Kosek
On 05/07/2016 09:07 AM, Joshua J. Kugler wrote: > On Friday, May 06, 2016 09:04:59 Martin Basti wrote: >> since IPA4.2 web UI contains API browser (IPA Server/API Browser) >> >> So for example for caacl-add: >> api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional >> description")

Re: [Freeipa-users] Get Creation Time / Last Login Time for Users

2016-05-11 Thread Martin Kosek
On 05/05/2016 03:23 AM, Jeff Hallyburton wrote: > Hello, > > We're looking for a way to get last login time and creation time for > users configured in FreeIPA. This information doesn't seem to be in > the WebUI and ipa user-status only provides limited information (last > failed/successful

Re: [Freeipa-users] sudorule

2016-05-04 Thread Martin Kosek
On 05/04/2016 03:41 PM, Armstrong, Jeffrey wrote: > Hi > > I'm trying to add a sudo command to a sudo rule. It's executing the > command but it's not adding the sudo command. > > ipa sudorule-add-allow-command --sudocmds "/bin/su " bkrc_rule > >Rule name: bkrc_rule > >

Re: [Freeipa-users] Who uses FreeIPA?

2016-05-04 Thread Martin Kosek
On 05/04/2016 09:23 AM, Jakub Hrozek wrote: > On Tue, May 03, 2016 at 11:31:02PM +0200, Lukas Slebodnik wrote: >> On (03/05/16 15:09), Alexandre de Verteuil wrote: >>> Hello all, >>> >>> I've deployed FreeIPA in my home lab and I'm happy to have single >>> sign-on for all my Archlinux virtual

Re: [Freeipa-users] Inplace upgrade

2016-05-04 Thread Martin Kosek
On 05/04/2016 01:31 PM, barry...@gmail.com wrote: > U meant it fail start if update minor version only? > > On 4 May 2016 at 7:25 PM, "Lukas Slebodnik" > wrote: > > On (04/05/16 13:17), barry...@gmail.com wrote: >

Re: [Freeipa-users] freeipa password policy (history) getting reset with password reset

2016-05-04 Thread Martin Kosek
On 05/03/2016 08:20 AM, Rakesh Rajasekharan wrote: > Hi, > > I am running a freeipa server 4.2.x. > > I have the following password global password policy set to force a history > of 3 > > ipa pwpolicy-mod global_policy --history=3 --maxlife=90 --minlength=8 > --maxfail=3 --failinterval=300 >

Re: [Freeipa-users] ipa trust-fetch-domains failing.

2016-05-02 Thread Martin Kosek
Thanks for confirmation. Can you share with the list what was the root cause of your problem? Maybe it helps someone else. Thanks, Martin On 04/30/2016 08:23 AM, Ben .T.George wrote: > HI All > > this issue has solved > > On Sat, Apr 30, 2016 at 9:16 AM, Ben .T.George

Re: [Freeipa-users] Free IPA Client in Docker

2016-04-29 Thread Martin Kosek
On 04/28/2016 08:14 PM, Hosakote Nagesh, Pawan wrote: > Hi, > I am planning to deploy FreeIPA Client in a docker where my Apps are > running. However I hit a road block as there seems to be problem with the > docker’s hostname settings > In DNS records. CCing Jan on this one. Did you try

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-28 Thread Martin Kosek
On 04/28/2016 01:23 AM, Sean Hogan wrote: > Hi Martin, > > No joy on placing - in front of the RC4s > > > I modified my nss.conf to now read > # SSL 3 ciphers. SSL 2 is disabled by default. > NSSCipherSuite >

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Martin Kosek
On 04/27/2016 07:27 AM, Sean Hogan wrote: > Hello, > > We currently have 7 ipa servers in multi master running: > > ipa-server-3.0.0-47.el6_7.1.x86_64 > 389-ds-base-1.2.11.15-68.el6_7.x86_64 > > Tenable is showing the use of weak ciphers along with freak vulnerabilities. > I > have followed >

Re: [Freeipa-users] IPA & Yubikey

2016-04-27 Thread Martin Kosek
On 04/22/2016 10:40 PM, Jeremy Utley wrote: > Hello all! > > I'm quite close to reaching the ideal point with our new FreeIPA setup, but > one > thing that is standing in the way is 2FA. I know FreeIPA has support for > Google > Auth, FreeOTP, and Yubikey. We'd like to go with Yubikeys over

Re: [Freeipa-users] Let's Encrypt SSL pkcs 12 problem notes anyone. CENTOS 7 FreeIPA install

2016-04-21 Thread Martin Kosek
On 04/21/2016 11:22 AM, Branko Quenode wrote: > Hi , > > I am trying to install freeipa with centos and Let's Encrypt SSL. > > I create lets-encrypt with webroot option. > > Then i did > > cat privkey.pem fullchain.pem > /root/key.pem > > openssl pkcs12 -export -in /root/key.pem -out

Re: [Freeipa-users] FreeIPA and PWM

2016-04-21 Thread Martin Kosek
On 04/20/2016 05:23 PM, Tiemen Ruiten wrote: > Hello, > > I'm trying to set up a self-service page for a new IPA domain and I'm trying > to > use PWM for that. > > When I try to bind to FreeIPA from within PWM, with the configured "LDAP > Proxy > User", I get the following error: > > error

Re: [Freeipa-users] howto ldapsearch for disabled/enabled users?

2016-04-18 Thread Martin Kosek
On 04/15/2016 04:06 PM, Harald Dunkel wrote: > Hi David, > > On 04/15/16 15:11, David Kupka wrote: >> >> Hello Harri, >> >> the attribute you're looking for is 'nsaccountlock'. This command should >> give you uids of all disabled users: >> >> $ ldapsearch -LLL -Y GSSAPI -b

Re: [Freeipa-users] How to set passwords which never expire ?

2016-04-18 Thread Martin Kosek
On 04/12/2016 02:10 PM, dbisc...@hrz.uni-kassel.de wrote: > Hi, > > On Tue, 12 Apr 2016, bahan w wrote: > >> I am using FreeIPA 3.0 and I would like, for specific accounts, to set >> passwords unexpirables. >> >> I tried to set a pwpolicy for this with the option maxage set to 0, but it >> did

Re: [Freeipa-users] Adding FreeIPA to an existing infrastructure

2016-04-18 Thread Martin Kosek
On 04/12/2016 12:14 PM, Remco Kranenburg wrote: > Thanks for all the pointers. I'm tentatively moving forward with a CA-less and > DNS-less IPA server, with Letsencrypt certificates. I think this is also the > setup that is used by the demo at . Is > there

Re: [Freeipa-users] using sudo in ipa

2016-04-04 Thread Martin Kosek
On 04/01/2016 07:14 PM, Armstrong, Jeffrey wrote: > Hi > > I would like to know how to configure sudo in the IdM environment. I need to > know how to configure sudo access without asking for a password. > > */Jeffrey Armstrong/*/–Senior ECS Engineer/ > > ECMS – Application Support Team > >

Re: [Freeipa-users] Tracking Login Times

2016-03-23 Thread Martin Kosek
On 03/21/2016 06:56 PM, Rob Crittenden wrote: > Bob wrote: >> If each IPA server tracks time of last auth independently, then one ipa >> server might disable an inactive account. But that account might be >> active on another servers. In a fail over case where the server that >> that account

Re: [Freeipa-users] Certificate profiles and CA ACLs for service principals

2016-03-22 Thread Martin Kosek
On 03/22/2016 05:55 AM, Fraser Tweedale wrote: > On Fri, Mar 18, 2016 at 08:12:44PM +1100, earsdown wrote: ... > To my fellow FreeIPA developers: are service groups a sensible RFE? > Is there a reason why they have not been implemented? It *is* sensible RFE and it was actually already filed!

Re: [Freeipa-users] Directory Search Question

2016-03-21 Thread Martin Kosek
On 03/18/2016 09:21 PM, Randy Morgan wrote: > We have a FreeIPA Version 4.2 production installation that seems to have a > limitation we cannot figure out how to overcome. Users cannot search, from > the > gui, for a specific user. The only users who can perform a search for a > specific user

Re: [Freeipa-users] YubiKey for HOTP auth

2016-03-19 Thread Martin Kosek
On 03/12/2016 04:47 PM, Brad Bendy wrote: > Hi, > > YubiKey supports HOTP it appears, but I'm having a heck of a time > getting the token to add to FreeIPA. The YubiKey tool gives me the OATH > Token which is 6 bytes and the secret key in 20 bytes hex. I've entered > the secret key and OATH token into

Re: [Freeipa-users] devconf.cz talks about FreeIPA

2016-03-11 Thread Martin Kosek
On 02/07/2016 07:56 PM, Alexander Bokovoy wrote: ... > FreeIPA workshop by Torsted Scherf and German Parente > Part1: https://youtu.be/cxRK1MExMsc?t=4m57s > Part2: https://www.youtube.com/watch?v=RBzL1_3nKH4 Just for the record, the workshop was acknowledged as one of the best sessions on

Re: [Freeipa-users] Lock screen when Smart Card is removed.

2016-03-11 Thread Martin Kosek
On 03/10/2016 08:36 PM, Michael Rainey (Contractor) wrote: > Greetings, > > I have been adding systems to my new domain and utilizing the smart card login > feature. To date the smart card login feature is working very well. However, > my group has been trying to implement locking the screen

Re: [Freeipa-users] ipa-getcert and SELinux

2016-03-09 Thread Martin Kosek
On 03/07/2016 10:03 PM, Thomas Raehalme wrote: > Hi! > > I have set up certificates for Puppet as described here: > http://www.freeipa.org/page/Using_IPA's_CA_for_Puppet > > Unfortunately SELinux is giving me a hard time when invoking "ipa-getcert > request" to generate the private/public key for

Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-07 Thread Martin Kosek
On 03/05/2016 06:00 AM, Rob Crittenden wrote: > Natxo Asenjo wrote: >> >> By the way, revoking the certificate does not block applications using >> it from ldap. >> >> I can still access the ldap server using this cert/key pair *after* >> revoking the certificate using ipa cert-revoke . In order

Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-06 Thread Martin Kosek
On 03/05/2016 12:08 AM, Natxo Asenjo wrote: > On Fri, Mar 4, 2016 at 11:00 PM, Simo Sorce wrote: > >> On Fri, 2016-03-04 at 14:34 -0500, Rob Crittenden wrote: >>> Natxo Asenjo wrote: >> when I go to http://www.freeipa.org/page/Special:OpenIDLogin to login with the

Re: [Freeipa-users] version compatibility between server and client

2016-03-01 Thread Martin Kosek
> Are there any documentations on setting IPA on an Amazon Linux, if not, the > only option would to try compiling this. CCing Alexander in case he has any resources. But as I said above, current situation of FreeIPA on Amazon Linux is not great. > > Thanks, > Rakesh > > On

Re: [Freeipa-users] version compatibility between server and client

2016-02-29 Thread Martin Kosek
On 02/26/2016 05:23 PM, Rakesh Rajasekharan wrote: > Hi!, > > I had successfully set up ipa in our qa environment, but since we are > running centos 6, I just got 3.0.25 version of IPA. > > I wanted to try out the latest 4.x version, for server by using a centos 7 > OS. But have few questions

Re: [Freeipa-users] Not able to get kerberos ticket from keytab

2016-02-26 Thread Martin Kosek
On 02/26/2016 10:31 AM, Teik Hooi Beh wrote: > And yes, I also need to include -s ipaserver in the get-ipakeytab command, > otherwise it kept giving wrong usage error Just for the record, this should no longer be needed from FreeIPA 4.3.0: https://fedorahosted.org/freeipa/ticket/2203 > On

Re: [Freeipa-users] server installation but client part fails

2016-02-24 Thread Martin Kosek
On 02/23/2016 05:38 PM, lejeczek wrote: > On 23/02/16 15:04, Rob Crittenden wrote: >> lejeczek wrote: >>> hi everybody >>> >>> I'm trying server installation but it fails, I think very last leg, and >>> I was hoping you could suggest places which I should start looking at. >>> >>>[7/7]:

Re: [Freeipa-users] Traceback starting pki-cad - ca.subsystem.certreq missing?

2016-02-22 Thread Martin Kosek
On 02/20/2016 05:58 PM, Ian Pilcher wrote: > I am running IPA 3.0.0 on CentOS 6 (32-bit x86), and I am getting a > traceback every time pki-cad starts: > > Traceback (most recent call last): > File "/usr/sbin/pki-server", line 89, in > cli.execute(sys.argv) > File "/usr/sbin/pki-server",

Re: [Freeipa-users] freeipa permission denied for user

2016-02-18 Thread Martin Kosek
On 02/18/2016 02:11 PM, Rakesh Rajasekharan wrote: > I set up freeipa on our environment and it works perfectly for most of the > hosts.. but on few I am getting a permission denied. > > [root@ipa-client-1c :~] ssh tempuser@localhost > tempuser@localhost's password: > Permission denied, please

Re: [Freeipa-users] sudo runs despite being denied by HBAC rules

2016-02-13 Thread Martin Kosek
On 02/09/2016 05:06 PM, Ian Collier wrote: Can anyone help me to understand these logs... is there maybe a bug here? The basic situation is that there is no HBAC rule that would allow sudo. When people try it, sss accepts their password but then denies them access to the sudo command. But

Re: [Freeipa-users] OS migration from Fedora to CentOS?

2016-02-10 Thread Martin Kosek
On 02/05/2016 11:35 AM, Petr Vobornik wrote: > On 02/04/2016 06:14 PM, Christophe TREFOIS wrote: >> Hi all, >> >> We are currently running a 3-replica (all are setup with the --setup-ca flag) >> cluster on Fedora 21, with FreeIPA 4.1.4. >> >> We would like to slowly upgrade to the new version and

Re: [Freeipa-users] Using external certificate in IPA 4.1

2016-02-04 Thread Martin Kosek
On 02/03/2016 06:02 PM, Ossi Ahosalmi wrote: > I'm trying to use our organization's wildcard certificate in IPA. Certificate > is > signed by a trusted CA. > > Running: > ipa-server-certinstall -w -d > > with next combinations: > > - separate .key, .crt and ca chain, all in PEM format > - .crt

Re: [Freeipa-users] Obtaining certificate private keys for Apache/etc.

2016-02-03 Thread Martin Kosek
On 02/03/2016 12:42 AM, Christopher Young wrote: > I've been doing some reading and perhaps I'm confusing myself, but I > couldn't find any definitive guide on how to go about doing what I > think it a pretty simple thing. > > My ipa-client installs appear to generate a new TLS/SSL/PKI cert for >

Re: [Freeipa-users] Joining a host

2016-02-03 Thread Martin Kosek
On 02/02/2016 11:35 PM, Simpson Lachlan wrote: > Hola, > > Presuming a regular machine, I've started the join as per instructions: > > yum install ipa-client > > [root@vmts-linux1 ~]# ipa-client-install > Error checking LDAP: Operations error: 04DC: LdapErr: DSID-0C0906E8, > comment: In

Re: [Freeipa-users] "Installing the client"

2016-02-03 Thread Martin Kosek
On 02/02/2016 11:35 PM, Alexander Bokovoy wrote: > On Tue, 02 Feb 2016, Simpson Lachlan wrote: >> In the docs, there is a section called "Installing the client". >> >>

Re: [Freeipa-users] ca install fails upgrading to 4.2.0

2016-02-02 Thread Martin Kosek
On 02/02/2016 02:18 AM, Robert van Veelen wrote: > Hi, > I'm trying to create an ipa replica from > ipa-server-3.0.0-47/pki-ca-9.0.3-45 to ipa-server-4.2.0-15/pki-ca-10.2.5-6 > and cannot get the install to complete. The CS is configured as a sub to an > external CA. I keep getting the same error

Re: [Freeipa-users] Fw: [Centos7.2 Freeipa 4.2] browser : your session has expired

2016-02-02 Thread Martin Kosek
On 02/02/2016 09:49 AM, Christopher Lamb wrote: > > > Sorry, Notes is playing up, and sent the last before I could type any text! > > The POST /ipa/session/login_password is successful. > > but the POST /ipa/session/json and GET /ipa/session/login_kerberos both > give 401 unauthorized > >

Re: [Freeipa-users] FreeIPA smart card how to

2016-02-02 Thread Martin Kosek
On 02/02/2016 04:49 PM, Michael Rainey (Contractor) wrote: > Greetings FreeIPA Community, > > I have been testing and working with the smart card login feature of the IPA > server, and have had some successes with this project. However, my latest > server/client setup isn't working as expected.

Re: [Freeipa-users] Fw: [Centos7.2 Freeipa 4.2] browser : your session has expired

2016-02-02 Thread Martin Kosek
t; no clock skew >Search for any related errors in /var/log/httpd/error_log --> no errors >today Ok, thanks for ruling out the basic issues, I will let Petr and Alexander dive in the others. When we discover the culprit, it would be nice to add it to this list too. > From: Mart

Re: [Freeipa-users] ca install fails upgrading to 4.2.0

2016-02-02 Thread Martin Kosek
ed thread. > On Tue, 2 Feb 2016 at 08:46 Martin Kosek <mko...@redhat.com> wrote: > >> On 02/02/2016 02:18 AM, Robert van Veelen wrote: >>> Hi, >>> I'm trying to create an ipa replica from >>> ipa-server-3.0.0-47/pki-ca-9.0.3-45 to >> ipa-se

Re: [Freeipa-users] Client-Install failures

2016-01-28 Thread Martin Kosek
On 01/26/2016 10:20 PM, David Zabner wrote: Hi All, I am working on automated deployment of ipa clients through a program called salt and have been seeing an issue. Specifically, calls to ipa.server.internal/ipa/json occasionally return a 500 error. This tends to occur while using

Re: [Freeipa-users] Migration from openLDAP to FreeIPA with qmail.schema

2016-01-26 Thread Martin Kosek
On 01/26/2016 10:16 AM, wodel youchi wrote: > Hi, > > I am a newbie in freeipa. I am trying to use it with our mail server. Cool! What is your version of the FreeIPA server? It will be important for further investigation. > Our mail server uses openldap with one external schema : qmail.schema,

Re: [Freeipa-users] Upgrading from 3.0.0 CentOS6 to 4.2.3 CentOS7

2016-01-26 Thread Martin Kosek
to automate this using >> chef/puppet etc? >> >> On Tue, Jan 26, 2016 at 10:56 AM, Martin Kosek <mko...@redhat.com> wrote: >> >>> Did you follow the instructions in the error message? There is also a >>> longer >>> descript

Re: [Freeipa-users] FREAK Vulnerability

2016-01-26 Thread Martin Kosek
[mailto:chei...@redhat.com] > Sent: 22 January 2016 10:03 > To: Terry John; Martin Kosek; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] FREAK Vulnerability > > On 2016-01-21 17:54, Terry John wrote: >> Thanks for the info. I have tried nearly all the NSSCipherSu

Re: [Freeipa-users] ipa-admintools version incompatibility

2016-01-26 Thread Martin Kosek
ould use, besides using nsupdate? > I hadn't thought about using the nsupdate tool, I'll give that a shot. > Thanks. > > Tony > > -Original Message- > From: Martin Kosek [mailto:mko...@redhat.com] > Sent: Tuesday, January 26, 2016 11:10 AM > To: Izzo, Anthony (U.

Re: [Freeipa-users] Migration from openLDAP to FreeIPA with qmail.schema

2016-01-26 Thread Martin Kosek
'jeane@example.com'], >> u'givenName': ['DOE']}) >> >> Regards. >> >> 2016-01-26 11:22 GMT+01:00 wodel youchi <wodel.you...@gmail.com>: >> >>> Thanks I will try and report back. >>> >>> I am using Centos 7.2x6

Re: [Freeipa-users] Upgrading from 3.0.0 CentOS6 to 4.2.3 CentOS7

2016-01-26 Thread Martin Kosek
positive, use > --skip-schema-check. > > ipa.ipapython.install.cli.install_tool(Replica): ERRORIPA schema > missing on master CA directory server > > > > Thank You > > > > > On Fri, Nov 20, 2015 at 11:13 AM, Martin Kosek <mko...@redhat.com>

Re: [Freeipa-users] ipa-admintools version incompatibility

2016-01-26 Thread Martin Kosek
On 01/26/2016 04:22 PM, Izzo, Anthony wrote: > I have a FreeIPA 4.2 server (on RHEL7) and a FreeIPA 3.0 client (on RHEL6). > I am aware of the incompatibility between versions for ipa-admintools (in my > case I'm trying to use ipa dnsrecord-del). I was just wondering if there is > a

Re: [Freeipa-users] Replica Error with freeIPA Centos 7.2

2016-01-25 Thread Martin Kosek
On 01/25/2016 01:34 PM, thierry bordaz wrote: > On 01/23/2016 11:08 PM, Günther J. Niederwimmer wrote: >> Hello, >> >> I have installed freeIPA from a CentOS 7.2 with a replica Server, but I have >> on all two masters an error. >> >> NSMMReplicationPlugin - replication keep alive entry

Re: [Freeipa-users] FREAK Vulnerability

2016-01-22 Thread Martin Kosek
On 01/21/2016 05:54 PM, Terry John wrote: I've been trying to tidy the security on my FreeIPA and this is causing me some problems. I'm using OpenVAS vulnerability scanner and it is coming up with this issue EXPORT_RSA cipher suites supported by the remote server: TLSv1.0:

Re: [Freeipa-users] FREAK Vulnerability

2016-01-21 Thread Martin Kosek
On 01/21/2016 03:31 PM, Terry John wrote: > I've been trying to tidy the security on my FreeIPA and this is causing me > some problems. I'm using OpenVAS vulnerability scanner and it is coming up > with this issue > > EXPORT_RSA cipher suites supported by the remote server: > TLSv1.0:
