Andrew Holway wrote:
> Some time ago I saw an article on how to set up a user that can only
> enrol clients into freeipa.
>
> Does anyone have information on how to do this because we're currently
> using the admin user and this is a bit scary.
Create a role for enrolling hosts and add the
Prasun Gera wrote:
> Yes, that's what I was planning to do. i.e. Convert cipher names from
> SSL to NSS. I wasn't sure about the other settings though. Is there an
> equivalent NSSHonorCipherOrder ? Is that implicit ? Similarly, are there
> equivalent configs for HSTS on the mozilla page? Does NSS
Daryl Fonseca-Holt wrote:
> Hi All,
>
> I am testing migration from NIS with a custom MySQL backend to IPA. In
> our testing ipa user-add starts out at around 12 seconds per user but
> slows down as more users are added. By 5000+ users it is taking 90+
> seconds. We have 120,000+ users. I'm looking
Prasun Gera wrote:
> Thanks for the ticket information. I would still be interested in
> configuring mod_nss properly (irrespective of whether the certs are ipa
> generated or 3rd party). These are the worrying notes from ssllabs test:
>
> The server supports only older protocols, but not the
Cal Sawyer wrote:
> Hi
>
> Very new to IPA and setting up a proof of concept system that I hope
> will replace my existing OpenLDAP 2.3 (no SASL) setup. I'm trying to
> import People, Group ou's into IPA using "ipa migrate-ds". The IPA and
> existing LDAP directories have different BaseDNs (eg
Gilbert Wilson wrote:
> Apologies ahead of time as this is my first post to the list and interaction
> with the FreeIPA project. If I should be taking this question to a different
> forum please point me in the right direction!
>
> The error condition I'm encountering is mentioned a few times
Martin Kosek wrote:
> On 11/04/2015 10:27 AM, Prashant Bapat wrote:
>> Ack. But in a live replicated setup won't upgrading from F21->F22 and
>> F22->F23 take a long time. I mean couple of hours ?
>
> It will take some outage time, yes. But if you have appropriate number of
> replicas and are
d rules.
rob
>
> thanks again
>
> Cal Sawyer | Systems Engineer | BlueBolt Ltd
> 15-16 Margaret Street | London W1W 8RW
> +44 (0)20 7637 5575 | www.blue-bolt.com
>
> On 04/11/15 13:56, Rob Crittenden wrote:
>> Cal Sawyer wrote:
>>> Hi
>>>
>>&
Sean Conley - US wrote:
> Sorry for the redundancy but I thought it would be better to start a new
> thread since I am really asking a different question at this point.
>
> We are trying to stand up an IPA instance using real certs (wildcard)
> for our domain, so that external users get a valid
Rob Verduijn wrote:
> 2015-10-30 20:14 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>> Rob Verduijn wrote:
>>> Hello all,
>>>
>>> It has been a while since I asked this before.
>>>
>>> Multitenancy was put in the free
Martin Basti wrote:
>
>
> On 30.10.2015 11:54, Yogesh Sharma wrote:
>> Additionally, On Replica UI, I am getting below Error Message:
>>
>>
>> IPA Error 4301: CertificateOperationError
>>
>> Certificate operation cannot be completed: Unable to communicate with
>> CMS (Not Found)
>>
>
being descriptive helps.
rob
>
>
>
> On Wed, Oct 28, 2015 at 5:20 PM, Rob Crittenden <rcrit...@redhat.com
> <mailto:rcrit...@redhat.com>> wrote:
>
> mitra dehghan wrote:
> > hello,
> > I want to implement an IPA server and Sync it wit
James Masson wrote:
>
>
> On 26/10/15 16:11, Martin Kosek wrote:
>> On 10/26/2015 04:05 PM, James Masson wrote:
>>>
>>>
>>> On 19/10/15 21:06, Rob Crittenden wrote:
>>>> James Masson wrote:
>>>>>
>>>>> Hi l
Yogesh Sharma wrote:
> Team,
>
> Noticed that user created on IPA Master are not replicating on Replica.
>
> Also, we create a new Zone in Master, However we do not see the same in
> replica server.
You need to figure out why ipa-inf-prd-ng2-01.klikpay.int can't contact
port 389 on
on't see this as root vs other users, you are using a different
principal.
This makes me wonder if the password policy is strange.
You might also want to kinit as freddie and go through the password
reset again, then search LDAP for freddie's password expiration:
$ ldapsearch -Y GSSAPI -s base -b
ui
Rob Verduijn wrote:
> Hello all,
>
> It has been a while since I asked this before.
>
> Multitenancy was put in the freezer back then in favor of this nice project :
> https://fedorahosted.org/ipsilon/wiki/Releases/v1.0.0 e 1.0.2
> Darn...I failed to pay attention a little and suddenly 1.1.1
Gronde, Christopher (Contractor) wrote:
> We have had huge issues with our ipa servers which has left some of our
> applications offline. We want to stand up a temporary OpenLDAP server
> to transfer the users to until we can get IPA back online. Is there a
> way to export the ipa LDAP DB so
mitra dehghan wrote:
> hello,
> I want to implement an IPA server and Sync it with my 2012 ms ad. While
> things go well using an internal CA in each server, I came across kind
> of problem when I want integrate solution with my PKI which is already
> serving the AD server.
> I can install IPA
Tue, Oct 27, 2015, 21:45 Rob Crittenden <rcrit...@redhat.com
> <mailto:rcrit...@redhat.com>> wrote:
>
> urgrue wrote:
> > Hi,
> > On a new install, I'm being forced a password reset on every
> login. Not
> > sure why but this doesn't lo
Winfried de Heiden wrote:
> Hi all,
>
> In order for an external application to communicate with IPA and/or
> modify on (free)Ipa, we want to use the JSON API.
>
> Where can I find documentation how to use this API?
>
> Thankz!
>
> Winny
>
>
IPA doesn't use REST.
You can get an idea about
urgrue wrote:
> Hi,
> On a new install, I'm being forced a password reset on every login. Not
> sure why but this doesn't look right:
>
> # date
> Tue Oct 27 21:02:57 CET 2015
>
> # ipa user-status blah1
>
> Last successful authentication: 2015-10-27T19:34:53Z
> Last failed authentication:
Prasun Gera wrote:
> I've done that now in addition to the few fixes that I made manually
> earlier. These were the messages:
> SELinux is preventing /usr/sbin/ns-slapd from write access on the file
> ldap_988
> SELinux is preventing /usr/sbin/httpd from read access on the lnk_file
>
James Masson wrote:
>
> Hi list,
>
> I successfully have IPA working with CA certs signed by an upstream Dogtag.
>
> Now I'm trying to use a CA cert signed by a different type of CA - Vault.
>
> Setup fails, using the same 2 step IPA setup process as used with
> upstream Dogtag. I've also
Natxo Asenjo wrote:
> hi,
>
> can you do something like this?
>
> ipa group-add wheel --gid=10
>
> to substitute the local group wheel? Of course nsswitch.conf indicates
> local groups get found first ( group: files sss) but, would it work and
> is it supported?
What is it you expect or desire
Natxo Asenjo wrote:
> hi,
>
> On Wed, Oct 14, 2015 at 8:35 PM, Rob Crittenden <rcrit...@redhat.com
> <mailto:rcrit...@redhat.com>> wrote:
>
> Natxo Asenjo wrote:
> > hi,
> >
> > can you do something like th
Ben Francis wrote:
> Is it supported?
No but you should be able to use IPA as an identity backend for an
OAuth2 (or other Federation) provider.
rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for
Andrey Ptashnik wrote:
> Also I don't see IPA server 4.2.1 in RHEL repository, is it already
> available?
4.2 (plus patches) is planned for RHEL 7.2. A beta is available today.
>
> [root@sever]# yum list ipa-server
> ipa-server.x86_64 4.1.0-18.el7_1.4 @rhui-REGION-rhel-server-releases
>
Gronde, Christopher (Contractor) wrote:
> Now I am getting CA_UNREACHABLE
>
> # ipa-getcert resubmit -i 20151007150853 -p /etc/httpd/alias/pwdfile.txt -K
> HTTP/comipa02..gov -C /usr/lib64/ipa/certmonger/restart_httpd
> Resubmitting "20151007150853" to "IPA".
>
> # ipa-getcert list
> Number of
t
resubmit -i .
Assuming that worked next try to renew ipaCert. If that gets renewed
then do the 3 remaining certs: Apache and the two 389-ds instances.
If that works run ipactl stop, bring time forward, ipactl start.
rob
>
> -Original Message-
> From: Rob Crittenden [mailto:rcrit...
r(s) actually have
renewed certificates themselves.
rob
>
> -Original Message-
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Thursday, October 08, 2015 11:37 AM
> To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov>;
> Alexander Bokovoy
Janelle wrote:
> Hello,
>
> I hope this is a simple question. I have 1000's of these on my servers
> and it severely bogs them down. Any ideas on how to get rid of unindexed
> searches?
>
> [04/Oct/2015:13:27:54 -0700] conn=1344502 op=11158 RESULT err=0 tag=101
> nentries=0 etime=0 notes=U
>
Nicola Canepa wrote:
> Hello, I'm trying to replicate a subtree of the data from FreeIPA to a
> "foreign" LDAP server, by using LSC (http://lsc-project.org).
> The replication seems to work correctly, but I was unable to create an
> user (maybe even not visible from the web GUI) which could read
>
Łukasz Jaworski wrote:
> Hi,
>
> I have problem with setup new replicas.
> I tried setup two replicas, both failed with the same error.
>
> environment:
> Fedora 21
>
> packages:
> freeipa-server-4.1.3-2.fc21.x86_64
> 389-ds-base-1.3.3.8-1.fc21.x86_64
> 389-ds-base-libs-1.3.3.8-1.fc21.x86_64
>
Andrew E. Bruno wrote:
> On Tue, Oct 06, 2015 at 09:35:08AM -0400, Rob Crittenden wrote:
>> Andrew E. Bruno wrote:
>>> The replica is not showing up when running ipa-replica-manage list.
>>>
>>> # ipa-replica-manage list
>>> srv-m14-32.cbl
Andrew E. Bruno wrote:
> On Mon, Oct 05, 2015 at 02:48:48PM -0400, Rob Crittenden wrote:
>> Andrew E. Bruno wrote:
>>> On Mon, Oct 05, 2015 at 12:40:42PM +0200, Martin Kosek wrote:
>>>> On 10/02/2015 06:00 PM, Andrew E. Bruno wrote:
>>>>> On Fri, Oct
Sean Hogan wrote:
> Hello,
>
> I have been rolling out an IPA deployment for IBM Watson for the past 3
> months. Initially I did not want to take on application ids (linux OS
> Ids owning apps). I now have to so I have created the accounts in IPA
> however new files created by user wdadeploy are
Andrew E. Bruno wrote:
> On Mon, Oct 05, 2015 at 12:40:42PM +0200, Martin Kosek wrote:
>> On 10/02/2015 06:00 PM, Andrew E. Bruno wrote:
>>> On Fri, Oct 02, 2015 at 09:56:47AM -0400, Andrew E. Bruno wrote:
What's the best way to re-initialize a replica?
Suppose one of your replicas
Janelle wrote:
> On 10/5/15 10:16 AM, Simo Sorce wrote:
>> On 05/10/15 11:11, Janelle wrote:
>>> So here is a fun question -- how is this possible?
>>>
>>> from ipa-replica-manage list-ruv
>>>
>>> ipa002.example.com 389 6
>>> ipa003.example.com 389 30 <- Huh???
>>> ipa003.example.com
ise AFAIK the name shouldn't matter.
rob
>
> On Mon, Oct 5, 2015 at 8:19 AM, Rob Crittenden <rcrit...@redhat.com
> <mailto:rcrit...@redhat.com>> wrote:
>
> Janelle wrote:
> > On 10/5/15 7:39 AM, Rob Crittenden wrote:
> >> Torsten Harenberg wrote:
>
Torsten Harenberg wrote:
> Hi Janelle,
>
> On 04.10.2015 at 19:25, Janelle wrote:
>> Just wondering if anyone knows why this happens from time to time on
>> servers:
>>
>> $ kinit admin
>> kinit: Clients credentials have been revoked while getting initial
>> credentials
>>
>> there are no failed
Janelle wrote:
> On 10/5/15 7:39 AM, Rob Crittenden wrote:
>> Torsten Harenberg wrote:
>>> Hi Janelle,
>>>
>>> On 04.10.2015 at 19:25, Janelle wrote:
>>>> Just wondering if anyone knows why this happens from time to time on
>>>> serv
Dominik Korittki wrote:
> Hello folks,
>
> I am running two FreeIPA Servers with around 100 users and around 15.000
> hosts, which are used by users to login via ssh. The FreeIPA servers
> (which are Centos 7.0) ran good for a while, but as more and more hosts
> got migrated to serve as FreeIPA
Brian Mathis wrote:
> No. FreeIPA requires a *CA* certificate, which is a cert that has the
> ability to sign other certs. Unless you're in a large company with an
> expensive agreement in place with GoDaddy, that is not a permission they
> grant to regular certs. A wildcard cert is only
Simo Sorce wrote:
> On 27/09/15 09:21, Janelle wrote:
>> Hello,
>>
>> I continue to see these a lot, but only on some servers. It causes a lot
>> of confusions with my users. There must be a way to troubleshoot this
>> and find the issue. Also, there is nothing wrong with the password
>> policies.
Janelle wrote:
> On 9/28/15 6:10 AM, Rob Crittenden wrote:
>> Janelle wrote:
>>> Hello,
>>>
>>> I continue to see these a lot, but only on some servers. It causes a lot
>>> of confusions with my users. There must be a way to troubleshoot this
>>
Martin tefany wrote:
> Hello all,
>
> I'd like to verify with you if certmonger.service should be enabled by
> default after IPA client installation or not. If I remember correctly,
> it used to start by on CentOS6, IPA client ~3.0.0, after ipa-client
> installation and reboots.
>
> The thing is,
Janelle wrote:
> Hello,
>
> I continue to see these a lot, but only on some servers. It causes a lot
> of confusions with my users. There must be a way to troubleshoot this
> and find the issue. Also, there is nothing wrong with the password
> policies. They are all set to default, and this
David Kupka wrote:
> On 22/09/15 17:02, James Masson wrote:
>>
>> Hi,
>>
>> we're building IPAs in an automated fashion, for environments that get
>> created and destroyed a lot. At the moment, the CA certs used inside
>> these IPAs are self-signed, as part of the normal "ipa-server-install"
>>
Janelle wrote:
> On 9/23/15 10:36 AM, Martin Basti wrote:
>>
>>
>> On 09/23/2015 07:15 PM, Janelle wrote:
>>> I have a user I created for testing, but now shows as both "there"
>>> but not there..
>>>
>>> *ipa user-show jtest*
>>>
>>> ipa: ERROR: jtest: user not found
>>>
>>> *ipa
Andrey Ptashnik wrote:
> Any ideas on that?
/var/log/ipaclient-install.log probably has more details on the DNS
update failure.
rob
>
> Regards,
>
> Andrey Ptashnik | Network Architect
> CCC Information Services Inc.
> 222 Merchandise Mart Plaza, Suite 900 Chicago, IL 60654
> Office:
wnloads all the available commands and options as metadata and
uses that to help drive some of the interactions.
rob
>
> Thanks!
> - Original Message -
> From: "Rob Crittenden" <rcrit...@redhat.com>
>
> Do you have this configured in the user plugin? Perha
John Duino wrote:
> Greetings!
>
> I am wanting to add a multivalued attribute (mailAlternateAddress, from
> objectClass:MailRecipient) to the User UI. We are running IPA
> 4.1.0-18.el7.centos.4.x86_64, on CentOS7. Adding it to the CLI was fairly
> straightforward.
> I have a plugin at
Thomas Suiter wrote:
> Is there an equivalent host/computer default objectclasses that there is
> for ipa config-mod groupobjectclasses/--userobjectclasses ? We are
> wanting to add some additional attributes to all of the servers, I'm
> able to add the object class to individual servers but not
Steven Jones wrote:
RHEL6.7 and IPA 3.0
"self-signed" not understanding such terminology terribly well, I am not sure
at all.
What command will tell me what I have?
Do you have a dogtag CA instance? ipactl status
rob
regards
Steven
____
Christoph Kaminski wrote:
Youenn PIOLET wrote on 07.09.2015 14:13:35:
> From: Youenn PIOLET
> To: Christoph Kaminski
> Cc: Ludwig Krispenz , freeipa-users@redhat.com
> Date: 07.09.2015
Martin Kosek wrote:
On 09/04/2015 12:00 AM, Rob Crittenden wrote:
Steven Jones wrote:
I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I
try and remove the last one the master? it says,
"[root@vuwunicoipam001 thing]# ipa-replica-manage del vuwunicoi
Steven Jones wrote:
It seems I built IPA with self signed certs so I need to upgrade? is this
possible? and if so how on existing servers?
I think it depends heavily on what version of IPA you are running and
what you mean by self-signed.
rob
--
Manage your subscription for the
Janelle wrote:
You will find, if you check in the ns-slapd "errors" log that this
server may no longer be handling replication correctly.
Look in /var/log/dirsrv/slapd-INSTANCE/errors
This probably doesn't have anything to do with replication. Lockout is
per-master because failed (and
Marc Wiatrowski wrote:
On Wed, Sep 2, 2015 at 3:46 PM, Rob Crittenden <rcrit...@redhat.com
<mailto:rcrit...@redhat.com>> wrote:
Marc Wiatrowski wrote:
Hello,
In trying to script some changes for automount locations. I've
noticed
'ipa autom
Marc Wiatrowski wrote:
That looks to have done the trick! (no restart needed) thank you
Great. I opened https://fedorahosted.org/freeipa/ticket/5285 to track this.
rob
On Thu, Sep 3, 2015 at 1:43 PM, Rob Crittenden <rcrit...@redhat.com
<mailto:rcrit...@redhat.com>> wrot
Steven Jones wrote:
I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I try
and remove the last one the master? it says,
"[root@vuwunicoipam001 thing]# ipa-replica-manage del vuwunicoipam002.
Directory Manager password:
Deleting a master is irreversible.
To
Marc Wiatrowski wrote:
Hello,
In trying to script some changes for automount locations. I've noticed
'ipa automountlocation-tofiles' doesn't seem to return everything. As
an example:
$ ipa automountlocation-tofiles office | grep abg
returns nothing for abg. Yes, I have run this without the
Janelle wrote:
Hello,
I am very confused. I have a couple of data centers and as expected, I
have setup CA replicas in each DC. However, this is what makes me
nervous/afraid of my configs. In one data center, which sitting on a
master and issuing:
(as seen from ipa006.example.com)
the correct path? - I would have assumed
these certs would have renewed themselves since I'm +3.0.
I see the Configure renewal section but it's an odd situation where we have
to renew and reconfigure…
--Mike
On 8/28/15, 7:45 PM, Rob Crittenden rcrit...@redhat.com wrote:
Mike LoSapio wrote
Mateusz Małek wrote:
Hi everyone,
We're trying to adjust FreeIPA to our environment... quite a bit. Here
are some bullet points:
1. User home directory location is dependent on user primary group and
its value should be autogenerated on user creation.
2. User administrator should be able to
McNiel, Craig wrote:
We have a rather strange need to have '--' in some standard host names
and when I use the CentOS7 ipa-client 4.1 I get the following error message.
[root@pan-smk-pdev lib]# ipa-join -h
craigs--ipa--client--test.pearsondev.com
http://craigs--ipa--client--test.pearsondev.com
Ian Pilcher wrote:
On 08/24/2015 01:47 AM, Martin Kosek wrote:
FreeIPA can play well with other stuff running on the same Apache as
long as
you do not break its Apache configuration - like mod_nss running on
port 443,
CA proxy or the RPC connection URIs used by ipa tool or other tools.
So the
bahan w wrote:
Hello.
I send you this mail because I'm looking for a way to modify the logging
dir of the different components embedded with FreeIPA.
I already check here :
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/server-config.html
But I cannot see how to modify the
Detlev Habicht wrote:
Hi all,
I am very new using and testing IPA and I have some questions,
which are not really IPA topics. But perhaps someone can help
me and send me a link, where i can read and learn such things:
I see in the LDAP tree a suffix like this:
Martin Kosek wrote:
On 08/20/2015 11:57 AM, Detlev Habicht wrote:
Hi all,
I am new using IPA and learning IPA I am also learning some
other things new for me.
Migrating our system to IPA i found some problems with private groups.
We don’t used it up to now.
Trying to disable this feature
Janelle wrote:
ipa-server-install --uninstall --unattended
I don't think it is the prompt that's hanging. I'd either wait to see
whether it clears things up itself or try to figure out what service is
hanging. Some of the timeouts are 5 minutes IIRC so it may take a while
in the worst case
Janelle wrote:
Hi,
Is there a way to force freeipa web server to accept http requests and
not redirect to https? Reason is simple - offloading SSL to a load
balancer on the front end. (this is for web only, not the LDAP or Kerberos)
Thank you
~J
You could try disabling the rewrite rules to
Yogesh Sharma wrote:
Team,
We are having issue in configuring Auto Membership for Usergroup i.e.
when ever we add/update a user to IPA , it should get added to a group
on the basis of his/her Job Title.
Below is the rule:
[root@ipa-inf-prd-ng2-02 ~]# ipa automember-find dbausers
Grouping
sipazzo wrote:
Hi I am using freeipa 3.0.0-47 in a mixed environment with rhel5-7
clients, Solaris 10 clients and a handful of Solaris 11 clients. I
followed this guide in setting up the solaris clients: 3.8. Configuring
a Solaris System as a FreeIPA Client
Dewangga Bachrul Alam wrote:
I've tried both of them (web ui CLI), still no luck.
Screenshot attached, the password expired not follow the global_policy.
I've create another new user, it was same with user `subhan`. The
password expired not follow global_policy.
Janelle wrote:
Hello again,
Just to keep your Tuesday fun, is this possible:
16 servers.
ipa-replica-manage list shows all 16
1 of the servers broke a couple of weeks ago and was removed with
clean-ruv but STILL shows up in the replica list, but not a single
master has a replica
John Johnson wrote:
Kerberos version is 1.12.2 on RHEL7.1. I guess I'm wondering if the
issue is hardware-related, somehow specific to laptops; or if it's
related to the way laptops are assumed to be used, i.e. portable, etc.
It would be helpful if you described what isn't working.
rob
On
Brian Topping wrote:
Hi I was just looking at http://www.freeipa.org/page/User_certificate_use_cases
and was trying to do some self-service to see when it might get scheduled.
Unless I am mistaken, it doesn't even seem to exist in the backlog. Is that
intentional?
The reason I started to
Matt . wrote:
I now get: [Thu Jul 09 02:50:18.815219 2015] [:error] [pid 16615]
Certificate not found: 'Server-Cert'
So, it's no good at all :)
I think you need to take a step back and tell us what you've done to get
into this situation.
The error messages are fairly clear. The first one
Martin Chamambo wrote:
I have the following configuration below and I'm able to login via SSH
into a 32 bit server. With the same username I'm able to login on other
servers
Please see https://fedorahosted.org/sssd/wiki/Troubleshooting for the
information necessary to assist.
rob
--
Manage
Joseph, Matthew (EXP) wrote:
Hello,
We are currently in the process of replacing our IdM 3.x server with 4.x.
There are going to be some major directory changes during the upgrade so
I need to keep both the old and new IdM servers up and running separately.
Part of our configuration is using
new cert then your
simplest solution is:
# ipactl stop
# favorite editor /etc/dirsrv/slapd-REALM/dse.ldif
Find nsSSLPersonalitySSL and replace the value with the right one.
# ipactl start
rob
On 6 July 2015 at 11:52 PM, Rob Crittenden rcrit...@redhat.com
mailto:rcrit...@redhat.com wrote:
barry
barry...@gmail.com wrote:
server 1
ipa-replica-manage list
Segmentation fault (core dumped)
server 2
ipa-replica-manage list
Can't contact LDAP server
but it seem still syn as i add new ac then server 2 have
i delete server2 's name server 1 still delete.
I'd start with the seg fault.
Matt . wrote:
Hi All,
I'm cleaning up and playing around with some old dev setups and
reviewing these tests.
This is a replica setup but the replica is no CA. Now I'm testing out
how to manage cluster when I remove the ipa1 (CA) and create a new
replica with CA from the ipa2.
IPA2 should
uses nicknames to reference a given certificate. This nickname needs
to exist in its database. I'm guessing that you changed the database,
and therefore the nickname in the database, without also updating the
server configuration with this new nickname.
rob
2015-07-06 21:39 GMT+08:00 Rob
Haiden, Scott B. wrote:
Hello,
I have a KDC set up on a Linux virtual host, known as ldap.abc, which has a
FreeIPA server running on it. I am trying to get a TGT from it, from my
Windows 7 Enterprise machine. I am able to easily interact with it from
other
Linux hosts, but I am not having
Stephen Ingram wrote:
I setup IPA using the internal CA. I'd like to continue using this CA,
however, I'd also like to allow authorized external browser users (who
haven't imported our CA) to access the WebUI without receiving a
warning. Is it possible to add a 3rd party certificate and CA such
Andrew E. Bruno wrote:
On Mon, Jun 22, 2015 at 10:02:59AM -0400, Rob Crittenden wrote:
Andrew E. Bruno wrote:
On Fri, Jun 19, 2015 at 03:18:50PM -0400, Rob Crittenden wrote:
Rich Megginson wrote:
On 06/19/2015 12:22 PM, Andrew E. Bruno wrote:
Questions:
0. Is it likely that after running
Nathan Peters wrote:
-Original Message- From: Rob Crittenden
Sent: Saturday, June 20, 2015 1:17 PM
To: Nathan Peters
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission
System: Read HBAC Rules with bindtype all to a privilege
Nathan
Prashant Bapat wrote:
Hi Rob,
Thanks for the reply.
The ipa-server-certinstall did require that I have the cert and the CA
cert in PEM file and the key in another PEM file. And the command went
thru successfully.
But afterwards the HTTP service stopped working. Only way I could get it
to start
Janelle wrote:
On 6/17/15 2:00 PM, Rob Crittenden wrote:
Janelle wrote:
On 6/17/15 6:21 AM, Rob Crittenden wrote:
Janelle wrote:
On 6/17/15 6:14 AM, Rob Crittenden wrote:
Janelle wrote:
Hi,
Had a server - named ipa001.example.com -- it was a replica. It
died. It
was re-installed. However
Matt . wrote:
Hi Guys,
I found some good information about migrating from 3.3 to 4.x using replicas.
It's not 100% clear what I can do on a CentOS 6.6 install with 3.0 as
CentOS doesn't provide 3.3.
Andrew E. Bruno wrote:
On Fri, Jun 19, 2015 at 03:18:50PM -0400, Rob Crittenden wrote:
Rich Megginson wrote:
On 06/19/2015 12:22 PM, Andrew E. Bruno wrote:
Questions:
0. Is it likely that after running out of file descriptors the dirsrv
slapd database on rep2 was corrupted?
That would
Nathan Peters wrote:
-Original Message- From: Rob Crittenden
Sent: Friday, June 19, 2015 3:38 PM
To: nat...@nathanpeters.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission
System: Read HBAC Rules with bindtype all to a privilege
replay issues possible. You
should re-encrypt, so terminate SSL at the load balancer and then open a
new SSL session to IPA.
rob
On 18 June 2015 at 19:03, Rob Crittenden rcrit...@redhat.com
mailto:rcrit...@redhat.com wrote:
Prashant Bapat wrote:
Hi All,
There is a way
Janelle wrote:
Maybe this is an obvious question - but I am missing the simple answer.
If you create a master and want to create 3 replicas -- creating the
first replica works just fine, but I want the 2nd replica chained off
the first, and NOT the master. But unless you install a CA on that
nat...@nathanpeters.com wrote:
nat...@nathanpeters.com wrote:
FreeIPA server 4.1.3 on CentOS 7
I am trying to create a set of privileges or roles that will allow me to
create a user who has read-only access to as much of the FreeIPA web UI
as
possible. Basically my manager wants the type of
nat...@nathanpeters.com wrote:
FreeIPA server 4.1.3 on CentOS 7
I am trying to create a set of privileges or roles that will allow me to
create a user who has read-only access to as much of the FreeIPA web UI as
possible. Basically my manager wants the type of view into FreeIPA that
they have
Rich Megginson wrote:
On 06/19/2015 12:22 PM, Andrew E. Bruno wrote:
Hello,
First time trouble shooting an ipa server failure and looking for some
guidance on how best to proceed.
First some background on our setup:
Servers are running freeipa v4.1.0 on CentOS 7.1.1503:
-
Prashant Bapat wrote:
Hi All,
There is a way to change the certificate for the web UI.
I went with a standard install with a self signed CA etc. Now I want to
install a cert from a commercial CA. I don't mind using the IPA CA certs
for the 389 DS, just want to change the cert for the UI.
Any