On Wed, Jan 15, 2014 at 6:49 AM, Simo Sorce s...@redhat.com wrote:
On Tue, 2014-01-14 at 11:34 -0500, Dmitri Pal wrote:
On 01/14/2014 06:17 AM, Natxo Asenjo wrote:
Is there anything else I can do or do I just have to live with the
error on syslog?
I wonder if putting this user
On Wed, Jan 15, 2014 at 10:59 AM, Jakub Hrozek jhro...@redhat.com wrote:
On Wed, Jan 15, 2014 at 10:09:20AM +0100, Natxo Asenjo wrote:
On what platform are you ? With sudo-sssd integration you shouldn't use
directly ldap anymore.
centos 6.5 on these hosts. So if I use sssd instead of ldap
On Thu, Mar 27, 2014 at 7:37 AM, צביקה הרמתי haramaty.zv...@gmail.com wrote:
Hi.
I have a working network with IdM (FreeIPA).
I'd like to integrate it with Samba, according to
http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
What's the recommended way to backup current IPA
On Thu, Mar 27, 2014 at 7:58 PM, Todd Maugh tma...@boingo.com wrote:
My Master IPA server has been lost,
My replica is still up and functioning.
what is the best way to proceed?
Do I rebuild my master and add it as a replica?
how do I get my master back in line with my IPA env?
On Mon, Jun 9, 2014 at 12:16 PM, Matt . yamakasi@gmail.com wrote:
Hi All,
Is it possible in some way to automount a WebDav share to a Ubuntu
Client when a user logs in on the commandline?
I'm only able to use WebDav on these machines.
autofs should work with webdav, and googling
On Mon, Jun 9, 2014 at 12:41 PM, Matt . yamakasi@gmail.com wrote:
Hi,
I'm only concerned about how to pass the password in this one... it
seems to be hardcoded and I would like to have it used by
ldap/freeipa.
ideally the webdav server would accept gssapi/kerberos, then you would not
On Mon, Sep 1, 2014 at 2:48 PM, Tevfik Ceydeliler
tevfik.ceydeli...@astron.yasar.com.tr wrote:
Actually all I wanna do is give permission to a user to use some command.
for example apt-get or something else.
I Think I can do it with IPA
right?
sure, I do it all the time. But Lukas was
On Mon, Sep 8, 2014 at 11:44 AM, Gerardo Padierna asl.gera...@gmail.com
wrote:
Hello folks,
hi,
I'm setting up an IPA-server instance aimed to be used primarily for
Linux/Unix clients ssh authentication (with kerberos).
I've managed to successfully set up debian clients (via sssd and also
hi,
This might save some time to someone, so let me post it to the list.
TLDR, when using php to connect to an AD ldaps host using ADCS from IPA
joined hosts modify /etc/openldap/ldap.conf or $HOME/.ldaprc and change the
TLS_CACERT environment variable to
TLS_CACERT
hi,
Centos 6.5.
I want to create a certificate request for our mysql servers. I came up
with this command line:
$ sudo /usr/bin/ipa-getcert request -r -f /etc/pki/tls/certs/`hostname
--fqdn`-mysql.crt -k /etc/pki/tls/private/`hostname --fqdn`-mysql.key -D
`dnsdomainname` -U id-kp-serverAuth -K
On Mon, Sep 15, 2014 at 5:03 PM, Rob Crittenden rcrit...@redhat.com wrote:
Natxo Asenjo wrote:
hi,
Centos 6.5.
I want to create a certificate request for our mysql servers. I came up
with this command line:
$ sudo /usr/bin/ipa-getcert request -r -f /etc/pki/tls/certs/`hostname
--fqdn
hi,
On Thu, Sep 18, 2014 at 4:43 PM, Rob Crittenden rcrit...@redhat.com wrote:
Yes, you don't need to obtain a machine certificate. In fact we have
stopped doing this upstream.
Do you mean ipa will not have a CA in the future? Or will it be optional?
Or am I misunderstanding this :-) ? I
hi,
On Thu, Sep 18, 2014 at 9:05 PM, Rob Crittenden rcrit...@redhat.com wrote:
Natxo Asenjo wrote:
hi,
On Thu, Sep 18, 2014 at 4:43 PM, Rob Crittenden rcrit...@redhat.com wrote:
Yes, you don't need to obtain a machine certificate. In fact we have
On Thu, Sep 18, 2014 at 10:51 PM, Rob Crittenden rcrit...@redhat.com
wrote:
Natxo Asenjo wrote:
ok. I was thinking on starting a pilot with dot1.x and hosts
certificates are usually used for this, so it would be nice to have a
cli switch during enrollment.
Ok, do you have a preference
hi,
today our monitoring system started warning us that the web ui certificate
for our first kdc will expire in 30 days.
I have checked manually with this command:
$ sudo getcert list |grep auto-renew
auto-renew: yes
auto-renew: yes
auto-renew: yes
auto-renew: yes
auto-renew:
On Thu, Oct 9, 2014 at 8:42 AM, Natxo Asenjo natxo.ase...@gmail.com wrote:
hi,
today our monitoring system started warning us that the web ui certificate
for our first kdc will expire in 30 days.
I have checked manually with this command:
$ sudo getcert list |grep auto-renew
auto
hi,
if during the enrollment of a host a host certificate is created, then
this will be a nssdb type certificate.
However, lots of applications use file certificates and we can very
easily create one of those (even using configuration management
tools):
/usr/bin/ipa-getcert request -r -f
On Thu, Oct 9, 2014 at 2:33 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
hi,
if during the enrollment of a host a host certificate is created, then
this will be a nssdb type certificate.
However, lots of applications use file certificates and we can very
easily create one of those (even
hi,
yet another certificate authority question.
We have a centos 6.5 ipa environment with two domain controllers
(kdc01, kdc02). The first one is the first replica and maintains the
crl (or so it should).
Recently our monitoring warned us that the web host certificate for
kdc01 was about to
On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
But if I go to the crl url (http://kdc01.domain.tld/ipa.crl ) all the
files I see are very old (the MasterCRL.bin file is dated 28 june
2013), and on the kdc02 it is newer (July 2 2013).
on 28 June 2013 I patched
On Mon, Oct 13, 2014 at 7:53 PM, Rob Crittenden rcrit...@redhat.com wrote:
Natxo Asenjo wrote:
On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
But if I go to the crl url (http://kdc01.domain.tld/ipa.crl ) all the
files I see are very old (the MasterCRL.bin file
On Mon, Oct 13, 2014 at 8:17 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
On Mon, Oct 13, 2014 at 7:53 PM, Rob Crittenden rcrit...@redhat.com wrote:
Natxo Asenjo wrote:
On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo natxo.ase...@gmail.com
wrote:
But if I go to the crl url (http://kdc01
On Mon, Oct 13, 2014 at 9:39 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
But if I get it from the crl generator using /ipa/crl/MasterCRL.bin I
still get the old crl dated june 28th last year.
Should I modify ipa-pki-proxy.conf as well on the CRL generator host
to point to the /ca/ee/ca
hi,
I have been really busy, apologies for the delay in answering.
On Wed, Oct 22, 2014 at 5:39 PM, Rob Crittenden rcrit...@redhat.com wrote:
Natxo Asenjo wrote:
On Mon, Oct 13, 2014 at 9:39 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
But if I get it from the crl generator using /ipa/crl
hi,
On Wed, Nov 5, 2014 at 9:39 AM, Martin Kosek mko...@redhat.com wrote:
On 11/04/2014 01:39 PM, Natxo Asenjo wrote:
hi,
On Mon, Nov 3, 2014 at 5:21 PM, Rob Crittenden rcrit...@redhat.com wrote:
Natxo Asenjo wrote:
How often does the crl list get generated? i still do not see recent data
On Wed, Nov 5, 2014 at 7:37 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
6489.CRLIssuingPoint-MasterCRL - [03/Nov/2014:09:00:00 CET] [20] [3]
FileBasedPublisher: java.io.FileNotFoundException:
/var/lib/ipa/pki-ca/publish/MasterCRL-20141103-09.temp (Permission
denied)
And I think I found
hi,
By the way, is it safe to rename this file:
$ ls -lh /var/lib/pki-ca/logs/debug
-rw-r-. 1 pkiuser pkiuser 841M Nov 5 19:54 /var/lib/pki-ca/logs/debug
It's quite big :-). Can I just rename it while the dirsrv is running
and will a new one be created or do I have to stop the pki-cad
On Wed, Nov 5, 2014 at 7:45 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
And I think I found it:
https://fedorahosted.org/freeipa/ticket/3727
permissions of that folder:
$ ls -ld publish/
drwxr-xr-x. 2 root root 73728 Jun 13 2013 publish/
I just changed them to pkiuser:pkiuser, let's
hi Martin,
On Fri, Nov 7, 2014 at 10:46 AM, Martin Kosek mko...@redhat.com wrote:
Good! I am glad you fixed the problem. I added this case to
http://www.freeipa.org/page/Troubleshooting#CRL_gets_very_old
nice. Hopefully it will help someone.
I am wondering what caused the issue. In the
hi,
is this the right list to post certmonger questions?
Here I see only a developer's list without too much activity:
https://fedorahosted.org/certmonger/
My question is simple. After upgrading a vm running centos 6.5 to 6.6
I am seeing this error on reboot in messages:
Nov 10 15:51:31
Hi Nalin,
On Mon, Nov 10, 2014 at 5:19 PM, Nalin Dahyabhai na...@redhat.com wrote:
On Mon, Nov 10, 2014 at 04:17:49PM +0100, Natxo Asenjo wrote:
How can I debug this?
First thing would be to run the daemon with additional logging - I
usually use '-d3' to watch what's going on while
hi Nali,
On Tue, Nov 11, 2014 at 12:57 PM, Martin Kosek mko...@redhat.com wrote:
So if the lurking double encoded certificate is in LDAP, and thus Apache DS
shows is invalid (it shows as OK in my RHEL-7.0 server), maybe the easiest way
to fix it would be to:
- Open your Apache DS
- Back up
hi,
On Tue, Nov 11, 2014 at 2:13 PM, Martin Kosek mko...@redhat.com wrote:
I meant IPA server running on RHEL/CentOS 6.5 or older... This is the one that
can regenerate CAcert entry without double encoding.
ok.
So I removed the cacert object and ran
ipa-ldap-updater --upgrade --ldapi
(it
hi,
This seems to happen only in 32bits vm's. At least in my limited
testing, 2 out of 2 32bits hosts running 6.5 after upgrading have this
problem. An amd64 host is ok.
$ rpm -qa | grep certmonger
certmonger-0.75.13-1.el6.x86_64
$ rpm -qa | grep certmonger
certmonger-0.75.13-1.el6.i686
--
hi,
On Tue, Nov 11, 2014 at 7:14 PM, Nalin Dahyabhai na...@redhat.com wrote:
On Tue, Nov 11, 2014 at 11:13:12AM -0500, Nalin Dahyabhai wrote:
Since you mention that this seems to be specific to 32-bit boxes, I
think I need to switch to that one to try to sort out what's happening
here, since
On Fri, Feb 6, 2015 at 3:30 PM, Martin Kosek mko...@redhat.com wrote:
On 02/06/2015 12:53 AM, Christopher Young wrote:
Obvious next question: Any plans to implement that functionality or
advice
on how one might get some level of functionality for this? Would it be
possible to create
On Tue, Mar 17, 2015 at 4:19 PM, Tevfik Ceydeliler
tevfik.ceydeli...@astron.yasar.com.tr wrote:
Hi,
Although I have this configuration in client .conf:
##
client 172.30.47.241 {
secret = 877909
shortname = VodafonePinarsuAPNYeni1
On Wed, Mar 11, 2015 at 8:36 PM, Rob Crittenden rcrit...@redhat.com wrote:
Ben .T.George wrote:
HI
thanks for the reply.
even i tried native auto_master file with directory checking script. if
i feed the user manually to the script, the directory is creating and
while login request
On Fri, Mar 6, 2015 at 7:06 PM, Rich Megginson rmegg...@redhat.com wrote:
On 03/06/2015 11:02 AM, Gianluca Cecchi wrote:
On Fri, Mar 6, 2015 at 6:21 PM, Rich Megginson rmegg...@redhat.com
wrote:
On 03/06/2015 09:39 AM, Herwono W Wijaya wrote:
vCenter SSO works well with Univention
On Mon, Mar 30, 2015 at 10:48 AM, Yogesh Sharma yks0...@gmail.com wrote:
Hi List,
We are trying to install IPA-Client using source code. While installing
we are seeing many error out of which most are resolved but stuck at below
while doing make.
Is there any suggestion to get out of it.
On Fri, Mar 27, 2015 at 5:58 AM, Yogesh Sharma yks0...@gmail.com wrote:
(Fri Mar 27 10:19:57 2015) [sssd[be[sd.int]]] [sss_krb5_cc_verify_ccache]
(0x0020): 1078: [-1765328190][Credentials cache permissions incorrect]
(Fri Mar 27 10:19:57 2015) [sssd[be[sd.int]]] [check_old_ccache]
(0x0040):
On Thu, Mar 26, 2015 at 3:12 PM, Yogesh Sharma yks0...@gmail.com wrote:
Thanks, but when I try to use admin user (default user created by IPA),
I am able to login. The issue is happening only with new users we are
trying to create.
(Thu Mar 26 19:30:52 2015) [[sssd[krb5_child[13625
hi,
On Fri, May 1, 2015 at 12:52 AM, William Graboyes wgrabo...@cenic.org
wrote:
I guess it is time to get deep into API documentation. This is a hell of
a lot of hoops to jump through just so that users who don't have shell
access can easily change their passwords without having to see a
hi,
If I retrieve the usercertificate attribute for host objects I get some
gibberish.
How can I decode the info I get from ldapsearch? The command I used was:
ldapsearch -b cn=computers,cn=accounts,dc=sub,dc=domain,dc=tldl -t -Y
gssapi -Z -h kdc01.sub.dmain.tld usercertificate
which creates
hi,
On Fri, Apr 3, 2015 at 4:41 PM, Dmitri Pal d...@redhat.com wrote:
On 04/03/2015 09:46 AM, Brian Topping wrote:
On Apr 3, 2015, at 6:48 AM, Tamas Papp tom...@martos.bme.hu wrote:
hi All,
I have CentOS 6.6 server and want to upgrade to 7.1.
What is the upgrade
On Wed, Apr 8, 2015 at 7:57 AM, Markus Roth mar...@die5roths.de wrote:
Yesterday I did the installation of freeipa on my banana Pi with
modifying the source file ipalib/constants.py:('startup_timeout', 300).
I changed it to 900 s. And the setup process was successful! The start of
the
hi rob,
On Mon, May 18, 2015 at 3:46 PM, Rob Crittenden rcrit...@redhat.com wrote:
Natxo Asenjo wrote:
On Sat, May 16, 2015 at 10:24 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
hi,
If I retrieve the usercertificate attribute for host objects I get
hi Rob,
On Wed, May 20, 2015 at 2:08 PM, Rob Crittenden rcrit...@redhat.com wrote:
Nat
You could try adding -inform DER
cool, that works ;-)
Thanks.
--
Groeten,
natxo
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go
On Sat, May 16, 2015 at 10:24 PM, Natxo Asenjo natxo.ase...@gmail.com
wrote:
hi,
If I retrieve the usercertificate attribute for host objects I get some
gibberish.
How can I decode the info I get from ldapsearch?
maybe there is a way to feed that to openssl. What I ended up doing
hi,
On Wed, Jun 24, 2015 at 9:06 AM, Harald Dunkel harald.dun...@aixigo.de
wrote:
Hi folks,
I have a general problem with freeipa: It is *highly* complex
and depends upon too many systems working together correctly
(IMHO).
My concern is, if there is a problem, then the usual tools
On Fri, Jul 3, 2015 at 7:54 PM, Esdras La-Roque esdras.laro...@gmail.com
wrote:
Hi guys,
is it possible to utilize a freeipa certificate, issued for a machine,
integrated in Rsyslog for redirection remotely logs?
not with rsyslog, but with logstash and the logstash forwarder.
I tried with
Hi,
Maybe just one more redirect if people come directly to https://freeipa.org?
$ curl -LIv https://freeipa.org
* Rebuilt URL to: https://freeipa.org/
* Hostname was NOT found in DNS cache
* Trying 209.132.183.105...
* Connected to freeipa.org (209.132.183.105) port 443 (#0)
* Initializing
On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden rcrit...@redhat.com wrote:
sipazzo wrote:
and my users are able to authenticate to the directory but the hbac
rules are not being applied. Any user whether given access or not can
login to the Solaris systems. The allow-all rule has been
hi,
I just noticed some stuff was not functioning properly and it's because the
crl url is being redirected to https (centos 6.7).
$ curl http://kdc01.unix.domain.tld/ipa/crl/
301 Moved Permanently
Moved Permanently
The document has moved <a href="https://kdc01.unix.domain.tld/ipa/crl/">here</a>.
hi,
On Tue, Nov 10, 2015 at 5:02 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Natxo Asenjo wrote:
> > Any ideas on how to fix this?
>
> You should have sections like these in /etc/httpd/conf.d/ipa.conf:
>
>
> SetHandler None
>
> ...
> # For CRL publi
but going back to ipa-rewrite.conf, these 2 seem contradictory:
# Redirect to the fully-qualified hostname. Not redirecting to secure
# port so configuration files can be retrieved without requiring SSL.
RewriteCond %{HTTP_HOST} !^kdc01.unix.iriszorg.nl$ [NC]
RewriteRule ^/ipa/(.*)
hi,
do we need to keep all the MasterCRL-MMDD-HHMMSS.der files or can we
purge them on a regular basis (say, keep 60 days dump the rest)?
$ ls -l | wc -l
3621
this is in a server installed 3 years ago.
--
Groeten,
natxo
hi,
On Mon, Nov 9, 2015 at 6:58 PM, Oliver Dörr wrote:
> Hi,
>
> I'm completely new to this list and the product behind it. I'm trying to
> use perl to get a list from my IPA installation of all users that are on
> the server.
>
unfortunately I cannot help you right now,
On Thu, Nov 5, 2015 at 10:03 AM, Natxo Asenjo <natxo.ase...@gmail.com>
wrote:
> hi,
>
> since yesterday I have a strange situation in one of our joined hosts.
>
> i can login using a kerberos ticket, but not using name/password.
>
> In /var/log/secure I see thi
hi,
since yesterday I have a strange situation in one of our joined hosts.
i can login using a kerberos ticket, but not using name/password.
In /var/log/secure I see this:
sshd[29607]: pam_sss(sshd:auth): received for user username: 4 (System
error)
--
--
Groeten,
natxo
hi,
this is in a centos host running 6.7, by the way.
--
Groeten,
natxo
hi,
Fixed, /tmp had the wrong permissions, was not owned by root:root.
Thanks for the debugging tips!
--
--
Groeten,
natxo
hi Sumit,
On Thu, Nov 5, 2015 at 10:14 AM, Sumit Bose wrote:
> > how can I troubleshoot this issue?
>
> You should check the SSSD debug logs, see
> https://fedorahosted.org/sssd/wiki/Troubleshooting for details about how
> to enable debug logging and where to find the logs.
>
hi,
On Wed, Oct 14, 2015 at 8:35 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Natxo Asenjo wrote:
> > hi,
> >
> > can you do something like this?
> >
> > ipa group-add wheel --gid=10
> >
> > to substitute the local group wheel? Of course
hi,
earlier today I was reading a post about the new freeipa version on my
mobile device and got plenty of warnings about an invalid certificate. On a
fedora laptop no warnings, but this is the problem:
$ curl -LIv https://www.freeipa.org
* Rebuilt URL to: https://www.freeipa.org/
* Hostname
On Sat, Sep 12, 2015 at 9:43 AM, Natxo Asenjo <natxo.ase...@gmail.com>
wrote:
> hi,
>
> In a test network I followed the procedure specified in
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_G
hi,
In a test network I followed the procedure specified in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
to migrate from a centos 6.7 ipa server to a new centos 7 ipa server.
hi,
on a centos 7.1 host when enrolling it with (among other) the switch
--request-cert it does not create a host certificate for it. The host is
properly joined but no certificate is present.
In the ipaclient-install.log file I see this:
2015-09-12T09:34:02Z ERROR certmonger request for
On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo <natxo.ase...@gmail.com>
wrote:
> hi,
>
> on a centos 7.1 host when enrolling it with (among other) the switch
> --request-cert it does not create a host certificate for it. The host is
> properly joined but not c
hi Ranbir,
On Fri, Dec 11, 2015 at 9:29 PM, Ranbir wrote:
> Hi All,
>
> I want to integrate my Postfix server with IPA. I've found a couple of
> documents on how this can be done, but they don't accomplish the feat
> the same way (they're also not discussing the
On Fri, Dec 11, 2015 at 11:32 PM, Ranbir <m3fr...@thesandhufamily.ca> wrote:
> On Fri, 2015-12-11 at 22:13 +0100, Natxo Asenjo wrote:
> > what exactly do you want to achieve? 'Integrate' could mean a couple
> > of things, so please specify.
>
> I would like
On Tue, Jan 5, 2016 at 7:31 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote:
> includedir /var/lib/sss/pubconf/krb5.include.d/
> #File modified by ipa-client-install
>
> [libdefaults]
> default_realm = IPA.DOMAIN.TLD
> dns_lookup_realm = true
> dns_lookup_
On Tue, Jan 5, 2016 at 7:22 PM, Karl Forner wrote:
> update:
>
> modifying the /etc/krb5.conf, and replacing the name of my freeipa master
> by the replica fixes the problem.
> So that proves that the kdc is not picked up by discovery.
>
> The problem is that my ubuntu box
On Thu, Nov 19, 2015 at 11:03 PM, Ash Alam wrote:
> Hello All
>
> I am looking for some advice on upgrading. Currently our FreeIPA servers
> are 3.0.0 on centos 6.6. We are looking to go to 4.2.3 Centos7. This
> upgrade path is not possible per IPA documentation. Minimum
hi holo,
On Fri, Nov 20, 2015 at 11:21 PM, holo wrote:
> Thank you for your reply.
>
> I think I wasn't clear enough. Clients of proxy server are not kerberized.
> I want to just authenticate them for proxy use in kerberos DB when they are
> trying to use it (just by popup
hi,
On Fri, Nov 20, 2015 at 10:47 PM, holo wrote:
> Hello
>
> How can I find FreeIPA ldap credentials? I want to try to configure
> Squid in similar way like it is described here for ejabberd:
>
>
>
On Mon, May 30, 2016 at 7:14 AM, Ben .T.George
wrote:
> Hi
>
> thanks for the reply.
>
> "the easiest would be to create a zone and delegating that to the ipa
> hosts. No other change necessary."
>
> can you explain little more. You mean need to create separate DNS zone ?
On Sun, May 29, 2016 at 7:11 PM, Ben .T.George
wrote:
> Hi
>
> I would like to know how can i proceed with best practices
>
> My AD domain is : corp.examle.com.kw
> My DNS (appliances ) : kw.test.com
>
> All my clients are pointed to kw.test.com including AD.
>
> How can i
hi,
according to the RHDS documentation (
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/html-single/Using_the_Admin_Server/index.html)
one can have multiple directory server instances on the same hosts
Would it be interesting to offer this functionality in
On Tue, Jun 28, 2016 at 9:07 AM, Alexander Bokovoy <aboko...@redhat.com>
wrote:
> On Tue, 28 Jun 2016, Natxo Asenjo wrote:
>
>> hi,
>>
>> according to the RHDS documentation (
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Ser
hi Ludwig,
On Tue, Jun 28, 2016 at 10:03 AM, Ludwig Krispenz <lkris...@redhat.com>
wrote:
>
> On 06/28/2016 09:50 AM, Natxo Asenjo wrote:
>
>
> I'd like to have internally all sort of ldap access, but externally only
> certificate based, for example.
>
> If there i
On Sat, Feb 20, 2016 at 5:58 PM, Ian Pilcher wrote:
> I am running IPA 3.0.0 on CentOS 6 (32-bit x86), and I am getting a
> traceback every time pki-cad starts:
>
> Traceback (most recent call last):
> File "/usr/sbin/pki-server", line 89, in
> cli.execute(sys.argv)
hi,
On Fri, Mar 18, 2016 at 6:14 AM, Alexander Bokovoy <aboko...@redhat.com>
wrote:
> On Thu, 17 Mar 2016, Natxo Asenjo wrote:
>
>> hi,
>>
>> see subject. For user accounts it's possible (even multivalued),
>>
>> Adding it using an ldap client give
hi,
On Thu, Mar 24, 2016 at 8:14 PM, Armstrong, Jeffrey <
jeffrey.armstr...@gasoc.com> wrote:
> Hello,
>
>
>
> I would like to find out if I can create a large number of users in IPA at
> one time. If so, what is the command to do that.
>
>
>
you can use ipa user-add command in a bash loop, or
hi,
On Thu, Mar 3, 2016 at 10:57 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Natxo Asenjo wrote:
>
> > Using EXTERNAL, no cookie:
> > $ ldapsearch -h kdc.sub.domain.tld -ZZ -Y EXTERNAL -LLL
> > objectclass=person -s sub -b dc=sub,dc=domain,dc=tld cn
&g
On Fri, Mar 4, 2016 at 3:43 PM, Rob Crittenden wrote:
> Ah right. Because all the subjects are the same base the same map will
> be used for both DS and the CA.
>
> Any chance you could write up a HOWTO on this?
Gladly, but I seem unable to login using my recently created
On Fri, Mar 4, 2016 at 4:58 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote:
>
>
> On Fri, Mar 4, 2016 at 3:43 PM, Rob Crittenden <rcrit...@redhat.com>
> wrote:
>
>> Ah right. Because all the subjects are the same base the same map will
>> be used for b
hi,
I am testing certificate authentication to ipa ldap ( centos 7.2 ).
I have generated a user certificate following the instructions on
https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/
After that I modified my $HOME/.ldaprc with these settings:
On Mon, Mar 7, 2016 at 9:14 AM, Martin Kosek <mko...@redhat.com> wrote:
> On 03/05/2016 06:00 AM, Rob Crittenden wrote:
> > Natxo Asenjo wrote:
> >>
> >> By the way, revoking the certificate does not block applications using
> >> it from ldap.
> >
On Fri, Mar 4, 2016 at 11:00 PM, Simo Sorce <s...@redhat.com> wrote:
> On Fri, 2016-03-04 at 14:34 -0500, Rob Crittenden wrote:
> > Natxo Asenjo wrote:
>
> > > when I go to http://www.freeipa.org/page/Special:OpenIDLogin to login
> > > with the fedora acco
By the way, revoking the certificate does not block applications using it
from ldap.
I can still access the ldap server using this cert/key pair *after*
revoking the certificate using ipa cert-revoke . In order to
block it I need to remove the seeAlso value of the user account, or the
certificate
On Sun, May 1, 2016 at 4:53 AM, Joshua J. Kugler wrote:
> We have a situation where the passwords in FreeIPA need to be synchronized
> with another system in the company (a database of users, which is the
> authoritative source for users and passwords). But, from what I
hi Gady,
On Wed, Apr 20, 2016 at 8:11 PM, Gady Notrica wrote:
> Any specific command in particular to remove that keytab?
>
> Since these don't work
>
> [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
> Kerberos context initialization failed
> [root@prddb1
hi Harald,
On Fri, Apr 15, 2016 at 1:31 PM, Harald Dunkel
wrote:
> Hi folks,
>
> I have no luck with the ipa cli, so I wonder if it is
> possible to ldapsearch for disabled or enabled users?
> A command line like
>
> ldapsearch -LLL -Y GSSAPI -b
hi Rob,
On Thu, Jun 30, 2016 at 1:22 PM, Rob Verduijn
wrote:
> Hello,
>
>
> What would be the most appropriate way to create a search account so that
> a third party tool (wildfly) can use it to search the ipa domain for
> credentials ?
>
I just create a normal account.
hi,
using centos 6.8 (server and client), when trying to view some hosts we get
this error:
$ ipa host-find host-1920.sub.domain.tld
ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
certificate/key database is in an old, unsupported format.
I saw a thread last year about
On Wed, Sep 7, 2016 at 2:10 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote:
> hi,
>
> using centos 6.8 (server and client), when trying to view some hosts we
> get this error:
>
>
> $ ipa host-find host-1920.sub.domain.tld
> ipa: ERROR: Certificate format err
On Wed, Sep 7, 2016 at 3:27 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Natxo Asenjo wrote:
>
>> hi,
>>
>> using centos 6.8 (server and client), when trying to view some hosts we
>> get this error:
>>
>>
>> $ ipa host-find host-1920.
: : host_find(u'tftp-1801',
all=False, raw=False, version=u'2.49', no_members=False, pkey_only=False):
CertificateFormatErro
On Wed, Sep 7, 2016 at 4:01 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote:
>
> alas, not working again.
>
> On the one kdc
>
> $ ipa host-fin
alas, not working again.
On the one kdc
$ ipa host-find tftp-1801
ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
certificate/key database is in an old, unsupported format.
On the other:
$ ipa host-find tftp-1801
--
1 host matched
--
Host name: