Re: [Freeipa-users] User, keytab, password and ldap

2015-09-24 Thread Martin Kosek
On 09/23/2015 04:32 PM, bahan w wrote: > Hello ! > > I'm using IPA 3.0.0 and I have a problem with one of the user I created. > user3 > > I created this user with the command ipa user-add without specifying any > password. > Then I performed an ipa-getkeytab command with the -P option to have a >

Re: [Freeipa-users] When changing passwords gui displays Login screen is showing

2015-09-24 Thread Martin Kosek
On 09/23/2015 05:27 PM, Andrew Holway wrote: > Hi, > > When a user changes their password the ipa gui briefly redirects to a login > page. The user often has an impulse to click on the login button which, on > occasion, can seem to cause a mess with the password change. > > Anyone else aware of t

Re: [Freeipa-users] V6 and v4

2015-09-24 Thread Martin Kosek
On 09/23/2015 10:05 PM, Janelle wrote: > On 9/13/15 11:46 PM, Alexander Bokovoy wrote: >> On Sun, 13 Sep 2015, Janelle wrote: >>> Hello, >>> >>> I read something recently that if ip v6 is disable on a server this >>> hurts performance in some way? Is there more info on this or did I >>> misread it?

Re: [Freeipa-users] How to turn off RC4 in 389ds???

2015-09-24 Thread Martin Kosek
Accepted TLSv1 128 bits DES-CBC3-SHA >> Accepted TLSv1 128 bits RC4-SHA >> Accepted TLSv1 128 bits RC4-MD5 >> Accepted TLS11 256 bits AES256-SHA >> Accepted TLS11 128 bits AES128-SHA >> Accepted TLS11 128 bits DES-CBC3-SHA >
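The cipher list quoted above is sslscan-style output against the 389-ds LDAPS port. As an added example (not code from the thread or from FreeIPA), the script below parses lines of that shape and flags suites that should be turned off (RC4, single or triple DES, MD5 MACs, NULL/export suites), so the scan can be re-run as an acceptance check after the server's cipher configuration is changed. The sample input is constructed from the lines quoted in the thread; the weak-suite markers are my own list, not anything the thread states.

```python
"""Flag weak cipher suites in sslscan-style output (added example)."""
import re

# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_SCAN = """\
>> Accepted TLSv1 128 bits DES-CBC3-SHA
>> Accepted TLSv1 128 bits RC4-SHA
>> Accepted TLSv1 128 bits RC4-MD5
>> Accepted TLS11 256 bits AES256-SHA
>> Accepted TLS11 128 bits AES128-SHA
>> Accepted TLS11 128 bits DES-CBC3-SHA
"""

# "Accepted <proto> <bits> bits <suite>" (sslscan also prints "Preferred").
LINE_RE = re.compile(r"^(Accepted|Preferred)\s+(\S+)\s+(\d+)\s+bits\s+(\S+)")

# Substrings of OpenSSL suite names that mark a suite as weak, with the reason.
# Order matters: the first matching marker wins.
WEAK_MARKERS = (
    ("NULL", "no encryption"),
    ("EXP", "export-grade key size"),
    ("RC4", "RC4 stream cipher (biased keystream)"),
    ("DES-CBC3", "3DES (64-bit block, birthday-bound attacks)"),
    ("DES-CBC-", "single DES (56-bit key)"),
    ("MD5", "MD5-based MAC"),
)


def parse_scan(text):
    """Return (protocol, bits, suite) for every Accepted/Preferred line.

    Leading '>' quote markers, as found in mail replies, are stripped.
    """
    suites = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        m = LINE_RE.match(line)
        if m:
            suites.append((m.group(2), int(m.group(3)), m.group(4)))
    return suites


def weak_suites(text):
    """Return {suite: reason} for every accepted suite that should be disabled."""
    findings = {}
    for _proto, bits, suite in parse_scan(text):
        for marker, reason in WEAK_MARKERS:
            if marker in suite:
                findings[suite] = reason
                break
        else:
            if bits < 128:
                findings[suite] = "key size below 128 bits"
    return findings


if __name__ == "__main__":
    for suite, reason in sorted(weak_suites(SAMPLE_SCAN).items()):
        print(f"DISABLE {suite}: {reason}")
```

On 389-ds the enabled suite list is the nsSSL3Ciphers attribute of cn=encryption,cn=config; after changing it and restarting the directory server, feed a fresh scan of port 636 to weak_suites() and expect an empty result.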

Re: [Freeipa-users] User, keytab, password and ldap

2015-09-24 Thread Martin Kosek
y to have both a > keytab and a password, so it would make sense that this command should > update also the ldap for the user by adding this field userPassword no ? > > Best regards. > > Bahan > > On Thu, Sep 24, 2015 at 9:40 AM, Martin Kosek wrote: > >> O

Re: [Freeipa-users] What todo when a company/domain name should be changed ?

2015-09-30 Thread Martin Kosek
On 09/27/2015 01:34 PM, Matt . wrote: > Hi All, > > I'm investigating what the possibillities are when you have a existing > domain/realm and the company name is changed, so the domain should be > also. I came on this idea because of I wanted to know how flexible the > integration is here. > > As

Re: [Freeipa-users] FreeIPA with third-party wildcard certificate

2015-09-30 Thread Martin Kosek
FreeIPA allows running with CA-less mode, where there is no CA and FreeIPA simply uses the offered CA/LDAP certificates: http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure Some information is also here: http://www.freeipa.org/images/b/b3/FreeIPA33-blending-in-a-certificate-infrastruc

Re: [Freeipa-users] HBAC

2015-09-30 Thread Martin Kosek
On 09/30/2015 07:50 AM, Alexander Bokovoy wrote: > On Tue, 29 Sep 2015, TomK wrote: >> Hey Guy's, >> >> (Sending this again as I didn't have this email included in the freeipa-users >> mailing list so not sure if the other message will get posted.) >> >> Before I post a ticket to RH Support for an

Re: [Freeipa-users] FreeIPA install

2015-10-02 Thread Martin Kosek
On 10/02/2015 04:15 AM, Andrew Meyer wrote: I just created a new FreeIPA setup at my home and i'm getting the following: [Thu Oct 01 14:02:10.082255 2015] [core:notice] [pid 18792] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND' [Thu Oct 01 14:02:14.742680 2015] [:error] [pid 18795] ipa:

Re: [Freeipa-users] Best practices on securing freeipa

2016-06-15 Thread Martin Kosek
On 06/14/2016 07:51 PM, Danila Ladner wrote: > Greetings Folks. > I could not find any information on best practices of securing free ipa > servers > and its replicas. > Since the hosts become an important part of IT IM infrastructure, wanted to > see > if anyone can point me to the right sourc

Re: [Freeipa-users] Unable to install replica using replica file

2016-06-15 Thread Martin Kosek
On 06/15/2016 06:40 AM, Abhijeet Kasurde wrote: > Hi All, > > I am creating master replica setup using following commands and getting error > on replica server > > 2016-06-15T03:53:31Z DEBUG The ipa-replica-install command failed, exception: > NetworkError: cannot connect to 'ldaps://dhcp201-141.

Re: [Freeipa-users] Read-only access to enforce OTP

2016-06-16 Thread Martin Kosek
On 06/16/2016 11:00 AM, Prashant Bapat wrote: > Hi, > > I'm writing a small script which will scan all the users and check if each > one > has setup an OTP. It will send out an email to the user if OTP is missing. > > I added a new entry / > uid=otp-check-ro,cn=sysaccounts,cn=etc,dc=example,dc

Re: [Freeipa-users] Password sync settings not working

2016-07-06 Thread Martin Kosek
Good! Thanks for confirmation (I suspected PEBKAC, thus my questions). Martin On 07/02/2016 10:01 PM, Joshua J. Kugler wrote: > Thanks. In a case of extreme PEBKAC, I had copied the example and failed to > update the DN. It works now. > > j > > > On Monday, June 13,

Re: [Freeipa-users] How to automatically group new users under Stage Users when users are synced from AD

2016-07-07 Thread Martin Kosek
On 06/26/2016 06:57 PM, Supratik Goswami wrote: > Hi > > I am using ipa-server-4.2.0 in my environment, it is having winsync > agreement > with the AD server. > I want to move all new users to "Stage Users" state automatically when they > are > synced from the AD, can anyone please guide me o

Re: [Freeipa-users] Replication time and relation to cache size

2016-07-07 Thread Martin Kosek
On 06/21/2016 05:19 PM, Ash Alam wrote: > anyone have any thoughts on this? > > Thank You > > On Fri, Jun 10, 2016 at 2:59 PM, Ash Alam > wrote: > > Hello > > I have been going through the lists but i have not found the answer i am > looking for. I a

Re: [Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-08 Thread Martin Kosek
On 07/07/2016 05:19 PM, Prashant Bapat wrote: > Anyone ?! > > On 6 July 2016 at 22:36, Prashant Bapat > wrote: > > Hi, > > We are using FreeIPA's LDAP as the base for user authentication in a > different application. So far I have created a sysaccount whi

Re: [Freeipa-users] Replication Agreement issues noticed with repl-monitor.pl

2016-07-14 Thread Martin Kosek
On 07/13/2016 04:24 AM, Devin Acosta wrote: > > I was trying to create another Replica but then noticed it was constantly > having > issues trying to finish the joining of the replication. I then ran the > command: > repl-monitor.pl , It appears i have several > replic

Re: [Freeipa-users] Replication Agreement issues noticed with repl-monitor.pl

2016-07-14 Thread Martin Kosek
On 07/14/2016 05:35 PM, Devin Acosta wrote: > ipa01-jap was a host that is no more, is there a simple way to clear these > replication agreements to clean it up? > > On Thu, Jul 14, 2016 at 7:14 AM, Petr Vobornik <mailto:pvobo...@redhat.com>> wrote: > > On 07

Re: [Freeipa-users] Can we disable HTTP TRACE / TRACK Method in IPA

2016-07-15 Thread Martin Kosek
On 07/15/2016 08:17 AM, Zeal Vora wrote: > Hi > > In our Internal VA, Vulnerability Assessment tools generates the HTTP TRACE / > TRACK method in IPA as a medium based vulnerability. > > Is there a need to allow those two methods in IPA ? > > If not, what is the optimal way to disable those met
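The reply itself is cut off above. As an added example (not from the thread and not FreeIPA's shipped configuration), this is the standard Apache httpd directive that disables the TRACE method; TRACK is an IIS-only method that Apache httpd does not implement at all, so no separate setting exists for it. TraceEnable is a core directive and applies server-wide, so the IPA web UI and the XML-RPC/JSON endpoints running under the same httpd are covered. The file path is an assumption for a RHEL/Fedora layout.

```apache
# /etc/httpd/conf/httpd.conf (assumed location; any server-level config file works)
# Reject TRACE with 405 Method Not Allowed instead of echoing the request,
# which is what vulnerability scanners flag as cross-site tracing exposure.
TraceEnable off
```

After `systemctl restart httpd`, verify with `curl -k -i -X TRACE https://ipa.example.test/` (hostname assumed) and expect a 405 status; a scanner run should then no longer report the finding.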

Re: [Freeipa-users] IPA and FIPS 140-2

2016-08-05 Thread Martin Kosek
Are you now asking about when upstream version is FIPS compliant or some downstream distribution? If you are asking about RHEL, as indicated by https://bugzilla.redhat.com/show_bug.cgi?id=1125174 the bug is still in a NEW state. Given the state of RHEL-7.3 life cycle, it is too late to add it there

Re: [Freeipa-users] IPA and FIPS 140-2

2016-08-08 Thread Martin Kosek
IPA. > > > *Michael Sean Conley* > Hardware/Infrastructure > Intelligence, Information and Services > *Raytheon Company* > 972-643-9887 (office) > > michael.sean.con...@raytheon.com > > Martin Kosek ---08/05/2016 06:33:27 AM---Are you now > ask

Re: [Freeipa-users] FreeIPA LDAP Directory Extension

2016-08-09 Thread Martin Kosek
Hi Deepak, This console is not available for regular or shipped with FreeIPA (AFAIK), it is only included in the Red Hat Directory Server product. With FreeIPA, you will need to extend the schema with CLI tools (ldapmodify) as indicated in the presentation that Martin Basti shared. Martin On 08/

Re: [Freeipa-users] FreeIPA LDAP Directory Extension

2016-08-09 Thread Martin Kosek
Please check the FreeIPA training presentation. There are more details for this. TLDR, you will need to create one Python plugin to get this into API/CLI and one Web UI plugin if you also want to extend Web UI. The presentation above has some examples. On 08/09/2016 02:20 PM, Deepak Dimri wrote: >

Re: [Freeipa-users] KDC returned error string: NOT_ALLOWED_TO_DELEGATE

2016-08-16 Thread Martin Kosek
On 08/16/2016 09:25 AM, Petr Spacek wrote: > On 15.8.2016 20:18, Linov Suresh wrote: >> We have IPA replica set up in RHEL 6.4 and is FreeIPA 3.0.0 >> >> >> We can only add the clients from IPA Server 01, not from IPA Server 02. >> When I tried to add the client from IPA Server 02, getting the erro

Re: [Freeipa-users] FreeIPA / CentOS 7.2 / Issues on Startup

2016-08-18 Thread Martin Kosek
On 08/18/2016 12:48 AM, Devin Acosta wrote: > > My first primary FreeIPA Master server has gone belly up. When I try to start > the server it shows this message in the "error' log. However the other issue > i > have is when I try to start the server using "ipactl start" it times out > after >

Re: [Freeipa-users] Admin password no more working

2016-08-19 Thread Martin Kosek
On 08/18/2016 04:16 PM, Deepak Dimri wrote: > Hi All, > > While trying to automate IPA client registration programatically, i seems > have > made my admin password out of sync between KDC and > /etc/krb5.keytab. This looks confusing, admin password and /etc/krb5.keytab do not look related. The

Re: [Freeipa-users] Cleaning Up an Unholy Mess

2016-08-25 Thread Martin Kosek
On 08/25/2016 08:04 PM, Ian Harding wrote: > > > On 08/25/2016 10:41 AM, Rob Crittenden wrote: >> Ian Harding wrote: >>> >>> >>> On 08/24/2016 06:33 PM, Rob Crittenden wrote: Ian Harding wrote: > I tried to simply uninstall and reinstall freeipa-dal and this > happened. > > I

Re: [Freeipa-users] Announcing FreeIPA 4.4.2

2016-10-14 Thread Martin Kosek
On 10/13/2016 09:17 PM, Petr Vobornik wrote: > The FreeIPA team would like to announce FreeIPA 4.4.2 release! > > It can be downloaded from http://www.freeipa.org/page/Downloads. Builds > for Fedora 24 will be available in the official COPR repository >

Re: [Freeipa-users] Announcing FreeIPA 4.4.2

2016-10-17 Thread Martin Kosek
On 10/14/2016 03:29 PM, Coy Hile wrote: > > > Will there be builds in a COPR for rhel/cents 7? I would recommend waiting on RHEL-7.3, which should be released soon enough. RHEL-7.3 contains an IdM/FreeIPA version that is very close to upstream version 4.4.2. Martin

Re: [Freeipa-users] freeIPA client sudo / sssd setup

2014-04-08 Thread Martin Kosek
On 04/08/2014 10:42 PM, Lukas Slebodnik wrote: > On (08/04/14 13:34), Nathan Broadbent wrote: >>> >>> man sssd-sudo says: >>> CONFIGURING SSSD TO FETCH SUDO RULES >>> All configuration that is needed on SSSD side is >>> to extend the list of services with "sudo" in [sssd] section of >>> sssd.co

Re: [Freeipa-users] DDNS with DHCPD and IPA

2014-04-10 Thread Martin Kosek
On 04/10/2014 06:50 AM, Arthur Fayzullin wrote: > If this > http://www.freeipa.org/page/Howto/ISC_DHCPd_and_Dynamic_DNS_update is it, > then it is quite not easy to understand what is it about. > here, in mail-list it was much more understandable. The HOWTOs provided in http://www.freeipa.org/page

Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials

2014-04-10 Thread Martin Kosek
On 04/10/2014 08:31 AM, rashard.ke...@sita.aero wrote: > Hello all > > > When I try to execute and commands from the an ipa-replica I get > > [rkelly@replicahostname ~]$ ipa user-find > ipa: ERROR: did not receive Kerberos credentials > [rkelly@replicahostname ~]$ kinit > Password for rke...@ip

[Freeipa-users] FreeIPA Training Series - FreeIPA 3.3 and SSSD 1.11

2014-04-14 Thread Martin Kosek
s to FreeIPA.org site, see http://www.freeipa.org/page/Documentation#FreeIPA_Training_Series I would like to welcome you to look at the presentations, I hope they will help you learn about the stuff we have been working on since the last Training Series round released almost a year ago. -- Martin K

Re: [Freeipa-users] Locked out admin

2014-04-14 Thread Martin Kosek
On 04/14/2014 11:49 PM, Mario Gonzalez wrote: > Den 14. april 2014 23:25, skrev Rob Crittenden: >> Steven Jones wrote: >>> Login a directory manager? >> >> Right, something like: >> >> $ ldappasswd -x -D 'cn=directory manager' -W -S >> uid=admin,cn=users,cn=accounts,dc=example,dc=com >> >> And don'

Re: [Freeipa-users] Running a FreeIPA replica in a limited-resource environment

2014-04-16 Thread Martin Kosek
On 04/16/2014 08:56 PM, Simo Sorce wrote: > On Wed, 2014-04-16 at 13:40 -0500, Christopher Swingler wrote: >> Hello, FreeIPA list. >> >> We're looking to start using FreeIPA to replace our standard 389 LDAP >> server on our public web server. >> >> That public web server also houses a public wiki,

Re: [Freeipa-users] FreeIPA + Foreman 1.5

2014-04-25 Thread Martin Kosek
On 04/24/2014 10:46 PM, Dmitri Pal wrote: > On 04/23/2014 07:23 PM, Stephen Benjamin wrote: ... >>> I am not sure it is doing the right thing. In the blog you specify >>> bindpw for SUDO, this means you are configuring SUDO without SSSD >>> integration. If you use IPA it is a command switch on the

Re: [Freeipa-users] Free IPA and Google Apps

2014-04-25 Thread Martin Kosek
On 04/25/2014 01:59 AM, Chris Whittle wrote: > I am wanting to use Free IPA as the authentication source for Google Apps. I > can't seem to find any documentation on how to accomplish this. Anyone have > any > experience they would be willing to share? Or install is on CentOS 6.5 fyi. I did

Re: [Freeipa-users] Hardening freeipa on the internet

2014-04-25 Thread Martin Kosek
On 04/25/2014 09:50 AM, Andrew Holway wrote: > Hello, > > I am having a think about running freeipa on the open seas for more > distributed organisations and would like to understand where the > weaknesses might be. I would almost certainly only make the ui > unavailable however I am unsure about

Re: [Freeipa-users] FreeIPA + Foreman 1.5

2014-04-25 Thread Martin Kosek
On 04/25/2014 10:16 AM, Stephen Benjamin wrote: > - Original Message - >> From: "Jan Cholasta" >> To: "Martin Kosek" , d...@redhat.com, "Stephen Benjamin" >> >> Cc: freeipa-users@redhat.com >> Sent: Friday, April 25, 2014 9

Re: [Freeipa-users] FreeIPA + Foreman 1.5

2014-04-25 Thread Martin Kosek
On 04/25/2014 01:23 PM, Stephen Benjamin wrote: ... >> authconfig --nisdomain example.com --update >> nisdomainname example.com >> >> On Fedora or RHEL > 7.0, you would also need to enable systemd service to >> make >> the NIS domain name setup persistent: >> >> # service rhel-domainname.service st

Re: [Freeipa-users] Best practices for core servers

2014-04-30 Thread Martin Kosek
On 04/28/2014 01:03 PM, Bret Wortman wrote: > We are planning to reconfigure our core Freeipa servers, basically building a > replacement infrastructure and migrating to it. What we're planning right now > is > a core of three Freeipa servers each of which has a CA, with as much > distribution

Re: [Freeipa-users] Hardening freeipa on the internet

2014-04-30 Thread Martin Kosek
On 04/28/2014 05:16 PM, Simo Sorce wrote: > On Mon, 2014-04-28 at 16:11 +0100, Andrew Holway wrote: >>> I realized that you probably want to disable anonymous access to LDAP. It >>> will prevent random strangers to enumerate all users in your database... >> >> This sounds like a bug no? anonymous a

Re: [Freeipa-users] Have existing wildcard SSL from RapidSSL how to implement?

2014-05-19 Thread Martin Kosek
On 05/17/2014 04:22 AM, Chris Whittle wrote: > I have an existing key and crt that has be successfully installed on other > subdomain servers... Where is the best place to start? To start what? :-) Without knowing what you want to achieve, I would like to point you to our training presentation des

Re: [Freeipa-users] Theming FreeIPA

2014-05-19 Thread Martin Kosek
On 05/17/2014 04:27 PM, Christopher Swingler wrote: > Short and to the point, but I have the same question. :) > > > On May 16, 2014, at 9:08 PM, Chris Whittle wrote: > >> Is there a doc anywhere? CC-ing Petr Vobornik to help with that. You can already achieve some theming with overriding the

Re: [Freeipa-users] Stock with a Master in read-only mode

2014-05-20 Thread Martin Kosek
On 05/21/2014 08:36 AM, Davis Goodman wrote: > Hi, > > Lately I’ve been having issues of replication between my server and my 2 > replicas. > > I decided I was going to delete my 2 replicas and start over keeping my > master intact. > > I wasn`t successfull in getting all 3 servers to replicat

Re: [Freeipa-users] Stock with a Master in read-only mode

2014-05-21 Thread Martin Kosek
On 05/21/2014 09:12 AM, Davis Goodman wrote: > > > > > On May 21, 2014, at 2:45 , Martin Kosek wrote: > >> On 05/21/2014 08:36 AM, Davis Goodman wrote: >>> Hi, >>> >>> Lately I’ve been having issues of replication between my server and m

Re: [Freeipa-users] Stock with a Master in read-only mode

2014-05-21 Thread Martin Kosek
On 05/21/2014 01:31 PM, Davis Goodman wrote: > > > > > <http://www.digital-district.ca/> > > On May 21, 2014, at 6:54 , Martin Kosek <mailto:mko...@redhat.com>> wrote: > >> On 05/21/2014 09:12 AM, Davis Goodman wrote: >>> &

Re: [Freeipa-users] Export user and host list to a csv or text file

2014-05-23 Thread Martin Kosek
On 05/23/2014 06:42 AM, Sanju A wrote: > Dear All, > > Is there any command to export the user and host list to a csv or text format There is no such command out of the shelf, I would personally just write a short Python script to export the hosts (or anything else) in a format I need. Example f
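The example referred to above is cut off. As an added example (mine, not the script from the thread), the following turns FreeIPA Python API results into CSV. It assumes the result shape of the FreeIPA API: `api.Command.host_find(sizelimit=0)` returns a dict whose `'result'` key is a list of entries, and multi-valued LDAP attributes come back as lists while flags such as `has_keytab` are plain booleans. The sample entries are constructed in that shape so the script runs with no server; the live fetch is shown in a docstring to swap in on an enrolled host.

```python
"""Export FreeIPA entries (hosts, users, ...) to CSV (added example)."""
import csv
import io

# Constructed sample standing in for api.Command.host_find(sizelimit=0)['result'].
SAMPLE_HOSTS = [
    {"fqdn": ["web1.example.test"], "description": ["front end"],
     "memberof_hostgroup": ["webservers", "all-linux"], "has_keytab": True},
    {"fqdn": ["db1.example.test"], "memberof_hostgroup": ["databases"],
     "has_keytab": False},
]


def cell(values, sep=";"):
    """Render one attribute as a CSV cell.

    Multi-valued attributes are joined with sep, scalars are stringified,
    and attributes missing from an entry become an empty cell.
    """
    if values is None:
        return ""
    if not isinstance(values, (list, tuple)):
        values = [values]
    return sep.join(str(v) for v in values)


def entries_to_csv(entries, fields, sep=";"):
    """Return CSV text: a header row, then one row per entry in field order."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(fields)
    for entry in entries:
        writer.writerow([cell(entry.get(f), sep) for f in fields])
    return buf.getvalue()


def fetch_hosts():
    """Return host entries; offline here, live on an enrolled machine.

    On a host with ipalib installed and a valid Kerberos ticket, replace the
    return below with (rpcclient is called xmlclient on older releases):
        from ipalib import api
        api.bootstrap(context="cli")
        api.finalize()
        api.Backend.rpcclient.connect()
        return api.Command.host_find(sizelimit=0)["result"]
    """
    return SAMPLE_HOSTS


if __name__ == "__main__":
    print(entries_to_csv(fetch_hosts(),
                         ["fqdn", "description", "memberof_hostgroup", "has_keytab"]),
          end="")
```

Use `ipa show-mappings host-find` (or `user-find`) to learn the attribute names to put in the field list; `user_find` results use the same shape, so the same function exports users.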

Re: [Freeipa-users] Wildcard DNS record supported ?

2014-05-23 Thread Martin Kosek
On 05/23/2014 12:15 PM, Matt . wrote: > Hi All, > > Is a wildcard DNS record supported at the moment ? > > If so, how to accomplish this ? > > Thanks! > > Matt It is not supported at the moment, but it will be supported from FreeIPA 4.0 (currently planned to be released at the end of June) Up

Re: [Freeipa-users] Wildcard DNS record supported ?

2014-05-23 Thread Martin Kosek
On 05/23/2014 03:44 PM, Petr Spacek wrote: > On 23.5.2014 13:59, Matt . wrote: >> Hi Martin, >> >> I have seen it indeed and discusses on #freeipa >> >> Is it not possible to install bind-dyndb-ldap 4.0 manually on CentOS 6.5 ? > > In theory yes, but nobody tested that. > > Please note that new b

Re: [Freeipa-users] Export user and host list to a csv or text file

2014-05-23 Thread Martin Kosek
mes: >> `ipa show-mappings $command`, e.g., `ipa show-mappings user-add` >> >> More can be read from code or by observing Web UI communication in browser >> developer tools - network tab. >> >> >> Then the python syntax is ~ >> args = ['arg1

Re: [Freeipa-users] Stock with a Master in read-only mode

2014-05-26 Thread Martin Kosek
On 05/25/2014 09:44 PM, Davis Goodman wrote: > On Wed, May 21, 2014 at 12:06 PM, Martin Kosek wrote: > >> On 05/21/2014 01:31 PM, Davis Goodman wrote: >>> >>> >>> >>> >>> <http://www.digital-district.ca/> >>> >>

Re: [Freeipa-users] Wildcard DNS record supported ?

2014-05-26 Thread Martin Kosek
On 05/25/2014 08:29 PM, Rob Crittenden wrote: > Matt . wrote: >> Indeed! > > Look for the regex in ipalib/plugins/dns.py . I'd suspect you'll need to > modify the hostname validator, validate_hostname, in ipalib/util.py. > > Be wary of edge cases. > > For instructions on testing, see http://www.

Re: [Freeipa-users] Stock with a Master in read-only mode

2014-05-27 Thread Martin Kosek
On 05/26/2014 09:00 PM, Davis Goodman wrote: > On Mon, May 26, 2014 at 1:17 PM, Davis Goodman < > davis.good...@digital-district.ca> wrote: > >> >> >> >> On Mon, May 26, 2014 at 4:22 AM, Martin Kosek wrote: >> >>> On 05/25/2014 09:44 PM, Davi

Re: [Freeipa-users] Stock with a Master in read-only mode - SOLVED

2014-05-27 Thread Martin Kosek
On 05/27/2014 01:12 PM, Martin Kosek wrote: > On 05/26/2014 09:00 PM, Davis Goodman wrote: >> On Mon, May 26, 2014 at 1:17 PM, Davis Goodman < >> davis.good...@digital-district.ca> wrote: >> >>> >>> >>> >>> On Mon, May 26, 2014 a

Re: [Freeipa-users] Setting up FreeIPA with replicas without DNS

2014-05-28 Thread Martin Kosek
No worries. Note that at the end of ipa-server-install, you get a list of DNS records (SRV, A) required to be added (in a BIND zone format). Additional required updates caused by new/removed FreeIPA replicas are on your own though. Martin On 05/28/2014 10:44 AM, rob.har...@stfc.ac.uk wrote: > Wel
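As an added example (not the installer's code), the helper below renders the same kind of BIND zone fragment for any set of IPA servers, which is the piece you have to maintain yourself when replicas are added or removed and DNS lives outside IPA. The record set is the standard FreeIPA service discovery set (LDAP, Kerberos, kpasswd, plus NTP when the server provides it); compare it against what your own ipa-server-install printed, since that output is authoritative for your version. Hostnames, addresses, TTL and SRV priority/weight below are assumptions.

```python
"""Render the DNS records FreeIPA clients look up, in BIND zone format (added example)."""

# (service, protocol, port) of the SRV records FreeIPA clients use for discovery.
# _ntp._udp is only meaningful if the IPA server also runs an NTP service.
SRV_SERVICES = [
    ("_ldap", "_tcp", 389),
    ("_kerberos", "_tcp", 88),
    ("_kerberos", "_udp", 88),
    ("_kerberos-master", "_tcp", 88),
    ("_kerberos-master", "_udp", 88),
    ("_kpasswd", "_tcp", 464),
    ("_kpasswd", "_udp", 464),
    ("_ntp", "_udp", 123),
]


def server_records(hostname, ip, domain, priority=0, weight=100, ttl=86400):
    """Return the A and SRV lines for one IPA server.

    hostname: the server's FQDN; domain: the DNS domain clients search for
    _service._proto records. Names are emitted fully qualified (trailing dot).
    """
    fqdn = hostname.rstrip(".") + "."
    lines = [f"; records for {hostname}", f"{fqdn}\t{ttl}\tIN\tA\t{ip}"]
    for svc, proto, port in SRV_SERVICES:
        name = f"{svc}.{proto}.{domain}."
        lines.append(f"{name}\t{ttl}\tIN\tSRV\t{priority} {weight} {port} {fqdn}")
    return "\n".join(lines) + "\n"


def zone_fragment(servers, domain, realm, ttl=86400):
    """Render records for all replicas plus the realm TXT record, emitted once.

    servers: list of (hostname, ip). The _kerberos TXT record tells clients
    which realm the domain maps to, so it belongs to the domain, not a server.
    """
    out = f'_kerberos.{domain}.\t{ttl}\tIN\tTXT\t"{realm}"\n'
    for hostname, ip in servers:
        out += server_records(hostname, ip, domain, ttl=ttl)
    return out


if __name__ == "__main__":
    # Constructed sample: two replicas in an assumed domain/realm.
    print(zone_fragment([("ipa1.example.test", "192.0.2.10"),
                         ("ipa2.example.test", "192.0.2.11")],
                        "example.test", "EXAMPLE.TEST"), end="")
```

Paste the output into the external zone (and bump its serial); with equal priority and weight, clients spread discovery across the replicas, which is usually what you want.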

[Freeipa-users] FreeIPA public demo available

2014-06-05 Thread Martin Kosek
read all the details in the page referred above. Feedback welcome! -- Martin Kosek Supervisor, Software Engineering - Identity Management Team Red Hat Inc.

Re: [Freeipa-users] FreeIPA public demo available

2014-06-06 Thread Martin Kosek
Duncan > >> -Original Message- >> From: freeipa-users-boun...@redhat.com >> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Kosek >> Sent: 05 June 2014 09:51 >> To: freeipa-users@redhat.com; freeipa-inter...@redhat.com; >> sssd

Re: [Freeipa-users] Error comes out at command prompt after add Godaddy cert

2014-06-17 Thread Martin Kosek
On 06/17/2014 03:39 AM, barry...@gmail.com wrote: > Now cannot use ipa command line like ipa passwd, any missing ? need > reimport back the ipa cert? > > > ipa: ERROR: did not receive Kerberos credentials > > > certutil -d /etc/dirsrv/slapd-ABC-COM -L > > Go Daddy Secure Certification Authorit

Re: [Freeipa-users] Error comes out at command prompt after add Godaddy cert - SOLVED

2014-06-17 Thread Martin Kosek
On 06/17/2014 09:35 AM, Martin Kosek wrote: > On 06/17/2014 03:39 AM, barry...@gmail.com wrote: >> Now cannot use ipa command line like ipa passwd, any missing ? need >> reimport back the ipa cert? >> >> >> ipa: ERROR: did not receive Kerberos credentials >>

Re: [Freeipa-users] FreeIPA 4.0 Demo

2014-07-17 Thread Martin Kosek
On 07/11/2014 10:13 PM, Dmitri Pal wrote: > On 07/10/2014 04:41 AM, Innes, Duncan wrote: >> I may be jumping the gun slightly, but I'm wondering when the demo site will >> be upgraded to FreeIPA 4.0? >> Cheers >> D >> >> This message has been checked for viruses and spam by the Virgin Money email >

Re: [Freeipa-users] attribute "dnaremotebindmethod" not allowed

2014-07-18 Thread Martin Kosek
On 07/17/2014 04:56 PM, Anthony Messina wrote: > After upgrading to Fedora 20's stable 389-ds-base-1.3.2.19-1.fc20.x86_64, > I noticed the following errors during the restart cycle. I have a simple > 2 host MMR setup. Should I be concerned about these? If so, I'd be open > to recommendations. T

Re: [Freeipa-users] PatternFly questions

2014-07-18 Thread Martin Kosek
On 07/18/2014 03:12 PM, Dmitri Pal wrote: > On 07/18/2014 08:17 AM, Innes, Duncan wrote: >> Hi Petr, >> >> On 18/07/2014 11:24, Petr Vobornik wrote: >>> Hello Duncan, >>> >>> thank you for the input. If you or somebody else have any Web UI >> ideas/RFEs, feel free to write them down. I would like

Re: [Freeipa-users] Add user principal with admin privilege

2014-07-18 Thread Martin Kosek
On 07/18/2014 03:16 PM, Eldo Joseph wrote: > Hi, > > Is it possible to add a user principal with admin privileges. > > like kadmin: addprinc -randkey user1/ad...@domain.com > > when ever tried I got this > "Kerberos database constraints violated" > > > Thanks, > Eldo We do not allow adding

Re: [Freeipa-users] 4.0.0 password migration trouble

2014-07-21 Thread Martin Kosek
On 07/19/2014 01:08 AM, Nordgren, Bryce L -FS wrote: > >> So if I understand the 389-ds ticket correctly, I can add pre-hashed >> passwords >> via ldapmodify to the 389 server using directory manager as the bind dn? I >> just can't use the ipa command line tool/script. > > The short answer is "n

Re: [Freeipa-users] ldap modify

2014-07-21 Thread Martin Kosek
On 07/21/2014 01:04 PM, Atanas Bachvaroff wrote: > Hello, > > I've been experiencing strange problems trying to manually modify the > userPassword attributes in the FreeIPA's 389 directory (FreeIPA 3.3.4 on > Fedora 20). I'm using the following script: > > CUT > [nasko@ipa ~]$ cat chang

Re: [Freeipa-users] ldap modify

2014-07-21 Thread Martin Kosek
On 07/21/2014 01:30 PM, Atanas Bachvaroff wrote: > > Martin Kosek wrote: >> On 07/21/2014 01:04 PM, Atanas Bachvaroff wrote: >>> Hello, >>> >>> I've been experiencing strange problems trying to manually modify the >>> userPassword attrib

Re: [Freeipa-users] Disable AES256 Encryption

2014-07-21 Thread Martin Kosek
On 07/21/2014 03:38 PM, Eldo Joseph wrote: > Is it possible to disable AES256 Encryption from IPA, while making Kerberos > principals... > > -Eldo- I think you would need to hand update krbDefaultEncSaltTypes in cn=YOUR-REALM,cn=kerberos,SUFFIX (via ldapmodify) to make this work. Can you sha

Re: [Freeipa-users] Disable AES256 Encryption

2014-07-21 Thread Martin Kosek
Ok, though in that case the application has 3 other encryption types to kinit with (in default configuration) Martin On 07/21/2014 04:28 PM, Eldo Joseph wrote: > Martin, > > Application compatible issue, AES256 is not been supported. > > Thanks, > Eldo > > On 21/07/20

Re: [Freeipa-users] IPA Replication Status

2014-07-23 Thread Martin Kosek
On 07/23/2014 01:36 PM, Choudhury, Suhail wrote: > Hi, > > I'm finding that on all IPA servers in 1 cluster the replication status shows > as either "busy" or "started", but no "succeeded" status is being reported: > > [root@recsds2 ~]# ipa-replica-manage list -v $HOSTNAME > recsds1.bskyb.com: r

Re: [Freeipa-users] IPA Replication Status

2014-07-23 Thread Martin Kosek
On 07/23/2014 01:58 PM, Choudhury, Suhail wrote: > I have the following errors on different boxes: > > [root@recsds1 sch32]# tail -f /var/log/dirsrv/slapd-RECS-BSKYB-COM/errors > [23/Jul/2014:12:28:54 +0100] NSMMReplicationPlugin - CleanAllRUV Task: > Replicas have not been cleaned yet, retrying

Re: [Freeipa-users] 4.0.0 password migration trouble

2014-07-23 Thread Martin Kosek
On 07/21/2014 07:28 PM, Nordgren, Bryce L -FS wrote: > > >> I will work with DS team to backport the switch option to Fedora 20 389-ds- >> base and to release FreeIPA 4.0.1 with appropriate patch to fix this problem >> ASAP, ideally this week. > > > Thanks much, Martin! Note that fixed 389-ds-

Re: [Freeipa-users] Missing /var/lib/ipa/ca_serialno

2014-07-23 Thread Martin Kosek
Ah, so this is all a matter of old docs. --selfsign installations are deprecated, we now use "CA-less" instead. I updated http://www.freeipa.org/page/Howto/Promoting_a_self-signed_FreeIPA_CA and added a warning with links to appropriate resources. HTH, Martin On 07/23/2014 05:54 PM, John Moyer wr

Re: [Freeipa-users] attribute "dnaremotebindmethod" not allowed

2014-07-23 Thread Martin Kosek
On 07/23/2014 06:38 PM, Anthony Messina wrote: > On Monday, July 21, 2014 01:09:43 PM Ludwig Krispenz wrote: >> Looks like the schema file was changed, but not added to the list of >> files to be replaced at upgrade, I will open a 389 ticket and have it in >> the next release. >> >> Could you tr

Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5

2014-07-25 Thread Martin Kosek
On 07/24/2014 07:04 PM, Nordgren, Bryce L -FS wrote: > One of our larger users was in a similar situation a few years ago and > ended up running Fedora until RHEL caught up and then migrating the servers. > > I'm running it on F20 because it seemed like the dependencies would make > running it on

[Freeipa-users] Announcing FreeIPA 4.0.1

2014-07-25 Thread Martin Kosek
urn 'none' attr level right as unicode string === Tomáš Babej (3) === * trusts: Validate missing trust secret properly * ipatests: tasks: Fix dns configuration for trusts * trusts: Make cn=adtrust agents sysaccount nestedgroup -- Martin Kosek Supervisor, Software Engineering - Identit

Re: [Freeipa-users] add solaris attribiutes to IPA

2014-07-28 Thread Martin Kosek
On 07/27/2014 10:36 PM, mohammad sereshki wrote: > hi > Would you please let me know how can I add > /etc/user_attr,prof_attr,projet,auth_attr to IPA ? > I want to configure RBAC solaris on IPA . > Thanks Would upstream documentation on how to extend FreeIPA server&CLI&WebUI help? http://www.free

Re: [Freeipa-users] add solaris attribiutes to IPA

2014-07-28 Thread Martin Kosek
h LDAP > command line. > > > > ____ > From: Martin Kosek > To: mohammad sereshki ; > "freeipa-users@redhat.com" > Sent: Monday, July 28, 2014 6:06 PM > Subject: Re: [Freeipa-users] add solaris attribiutes to IPA > >

Re: [Freeipa-users] freeipa-client installation(debug) on Ubuntu 10.04 & 12.04

2014-07-29 Thread Martin Kosek
On 07/28/2014 07:29 PM, jaseywang wrote: > Hi > I tried to install freeipa-client on Ubuntu 10.04 & 12.04, but none of them > worked :-( > At the moment, only 12.04 ships the apt repo so that I can use apt to > install the freeipa-client(2.1.4-0ubuntu1). Although I can install the > package succe

Re: [Freeipa-users] FreeIPA + Ipsilon

2014-07-29 Thread Martin Kosek
On 07/29/2014 03:47 PM, Luca Tartarini wrote: > Hi everyone, > > I am new in FreeIPA, I am trying to configure FreeIPA with Ipsilon. The > configuration is the following: Service Provider (host with Scientific > Linux 6) with ipsilon-client and Identity Provider (another host with > Scientific Lin

Re: [Freeipa-users] Troubleshooting a webui login error

2014-07-31 Thread Martin Kosek
On 07/30/2014 07:16 PM, Robert Walker wrote: > Hi, > > I've got 2 IPA servers running in a relationship. One is ok as far as > logging into the webui and the other will only let me kinit admin on the > console of the server. When I try to login into the webui Your session has > expired. Please re-

Re: [Freeipa-users] Replica Cert failed to renew ...

2014-07-31 Thread Martin Kosek
On 07/31/2014 07:49 AM, Matt Bryant wrote: > All, > > Got an issue with an IPA replica in that the certs in /etc/httpd/alias & > /etc/dirsrv/slapd-IPA-REALM have expired. I assume that this replica does not have a CA and we are only dealing with service HTTPD and DIRSRV service certificates. > H

Re: [Freeipa-users] FreeIPA + Ipsilon

2014-07-31 Thread Martin Kosek
e package on > Scientific Linux, is there a workaround? > > Thanks. > > Luca Tartarini > > > 2014-07-30 15:00 GMT+02:00 Simo Sorce : > >> On Tue, 2014-07-29 at 15:58 +0200, Martin Kosek wrote: >>> On 07/29/2014 03:47 PM, Luca Tartarini wrote: >>&

Re: [Freeipa-users] Replica Cert failed to renew ...

2014-07-31 Thread Martin Kosek
just dealing with an expired cert ... so will try the other > steps suggested .. > > rgds > > Matt Bryant > > On 31/07/14 17:33, Martin Kosek wrote: >> On 07/31/2014 07:49 AM, Matt Bryant wrote: >>> All, >>> >>> Got an issue with an IPA rep

Re: [Freeipa-users] memberof plugin?

2014-08-01 Thread Martin Kosek
On 08/01/2014 12:40 AM, Kat wrote: > Hi, > > I must be missing something obvious in getting memberof plugin to work.. Any > ideas? > > Thanks in advance... > ~K > > -- > > ./fixup-memberof.pl -D 'cn=Directory Manager' -b 'dc=red,dc=lemon,dc=com' -w > - -v > lda

Re: [Freeipa-users] Possible to extract password of ldap

2014-08-01 Thread Martin Kosek
On 08/01/2014 08:23 AM, barry...@gmail.com wrote: > Hi : > > Is it possible to read clear text of password of ipa users by admin ? No. Admin can't even read the hash # ldapsearch -Y GSSAPI -b uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com uid userPassword SASL/GSSAPI authent

Re: [Freeipa-users] IPA Replica does not start Bind but runs Manually

2014-08-04 Thread Martin Kosek
On 08/04/2014 09:40 AM, Matt . wrote: > Hi, > > Yes I did in the past. The DNS tabs are there and named is installed. You probably installed DNS service on another FreeIPA server. However, there is a configuration space telling which server has which services configured. It seems that it does not

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-08-04 Thread Martin Kosek
On 08/04/2014 04:45 AM, Erinn Looney-Triggs wrote: > > > > >> Whether related or not I am getting the following in my RHEL 6.5 >> IPA instance /var/log/dirsrv/slapd-PKI-CA/debug log: > >> [26/Jul/2014:20:23:23 +] slapi_ldap_bind - Error: could not >> send startTLS re quest: error -1 (Can't

Re: [Freeipa-users] Centos7, selinux, certmonger, and openldap

2014-08-04 Thread Martin Kosek
On 08/04/2014 01:36 AM, Nordgren, Bryce L -FS wrote: > Spoke too soon. I needed the following "extra" selinux policy module to make > all the AVCs go away. > > BTW: the instructions on http://www.freeipa.org/page/PKI really only work if > you leave the password blank when you create a new databa

Re: [Freeipa-users] Centos7, selinux, certmonger, and openldap

2014-08-04 Thread Martin Kosek
On 08/04/2014 07:06 PM, Nordgren, Bryce L -FS wrote: > >> Hmm, sorry for incomplete instructions then. I updated the instructions to >> cope with that situation better (details in >> https://fedorahosted.org/freeipa/ticket/4466#comment:2). Please feel free >> to report more findings or even better

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-08-05 Thread Martin Kosek
On 08/05/2014 12:03 AM, Erinn Looney-Triggs wrote: > On 08/04/2014 01:51 PM, Ade Lee wrote: >> OK - I suspect you may be running into an issue with serial number >> generation. Each time we install a clone, we end up allocating a new >> range of serial numbers for the clone. > >> The idea is to

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-08-05 Thread Martin Kosek
On 08/04/2014 10:41 PM, Erinn Looney-Triggs wrote: > On 08/04/2014 08:46 AM, Rob Crittenden wrote: >> Erinn Looney-Triggs wrote: >>> On 08/04/2014 04:01 AM, Martin Kosek wrote: >>>> On 08/04/2014 04:45 AM, Erinn Looney-Triggs wrote: >>>>> >>

Re: [Freeipa-users] Building previous release rpms are failing

2014-08-05 Thread Martin Kosek
On 08/05/2014 12:05 PM, Curtis L. Knight wrote: > Hey, > > I have been trying to build rpms from different releases without much > success. I can build 4.0+ rpms but I have not tested them. Going backward > like with release-3-3-5, it fails on lint/pylint routine. I comment out the > lint call in

Re: [Freeipa-users] Building previous release rpms are failing

2014-08-05 Thread Martin Kosek
On 08/05/2014 12:32 PM, Martin Kosek wrote: > On 08/05/2014 12:05 PM, Curtis L. Knight wrote: ... >> #./make-lint $(LINT_OPTIONS) >> >> run 'make rpms' again to get beyond lint errors shown below >> >> >> cd install; if [ ! -e Makefile ]; then

Re: [Freeipa-users] Replica Cert failed to renew ...

2014-08-06 Thread Martin Kosek
.. > > rgds > > Matt > > On 31/07/2014 6:21 pm, Martin Kosek wrote: >> (Adding back the users list as this may be interesting for everyone) >> >> Ok, the steps suggested below should help. If the DS does not want to start >> at >> all because of the exp

Re: [Freeipa-users] Building previous release rpms are failing

2014-08-07 Thread Martin Kosek
On 08/07/2014 01:39 PM, Curtis L. Knight wrote: > On Tue, Aug 5, 2014 at 11:26 PM, Rob Crittenden wrote: > >> Curtis L. Knight wrote: >>> On Tue, Aug 5, 2014 at 7:21 AM, Martin Kosek >> <mailto:mko...@redhat.com>> wrote: >>> >>> On 08/05

Re: [Freeipa-users] WebUI krbprincipal expiration calendar widget

2014-08-11 Thread Martin Kosek
On 08/10/2014 01:58 PM, James James wrote: > Hello, > > > Is there a way to patch my ipa .3.0.0 with this patch: > https://www.mail-archive.com/freeipa-devel@redhat.com/msg20528.html ? > > The DateTime data type will be very useful ! > > Regards It would be quite difficult, if not only because

Re: [Freeipa-users] MinSSF suggestions?

2014-08-11 Thread Martin Kosek
On 08/11/2014 04:24 PM, Jakub Hrozek wrote: > On Mon, Aug 11, 2014 at 05:18:03PM +0300, Alexander Bokovoy wrote: >> On Sat, 09 Aug 2014, Erinn Looney-Triggs wrote: >>> -BEGIN PGP SIGNED MESSAGE- >>> Hash: SHA256 >>> >>> It would seem to be prudent to set the minssf setting for 389 to 56, >>

Re: [Freeipa-users] Trying To Connect FreeIPA with OKTA/OneLogin/Bitium

2014-08-12 Thread Martin Kosek
Thank you! I linked this page to http://www.freeipa.org/page/HowTos#Authentication and also improved formatting of the page. I am not sure about the "role" section though, we do not use "role" objectclass, so Okta's search probably returns no results anyway. It may be better to keep that blank IMO.

Re: [Freeipa-users] Replicating o=ipaca

2014-08-12 Thread Martin Kosek
On 08/13/2014 02:15 AM, Rob Crittenden wrote: > Erinn Looney-Triggs wrote: >> On 08/12/2014 11:49 AM, Rob Crittenden wrote: >>> Erinn Looney-Triggs wrote: The documentation seems to be a little fuzzy on setting up two CAs, some parts indicate this is a bad idea because the CRLs can c
