Re: [Freeipa-users] Client enrolment user

2015-11-05 Thread Rob Crittenden
Andrew Holway wrote: > Some time ago I saw an article on how to set up a user that can only > enrol clients into freeipa. > > Does anyone have information on how to do this because we're currently > using the admin user and this is a bit scary. Create a role for enrolling hosts and add the

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-05 Thread Rob Crittenden
Prasun Gera wrote: > Yes, that's what I was planning to do. i.e. Convert cipher names from > SSL to NSS. I wasn't sure about the other settings though. Is there an > equivalent NSSHonorCipherOrder ? Is that implicit ? Similarly, are there > equivalent configs for HSTS on the mozilla page? Does NSS

Re: [Freeipa-users] ipa user-add slows down as more users are added

2015-11-04 Thread Rob Crittenden
Daryl Fonseca-Holt wrote: > Hi All, > > I am testing migration from NIS with a custom MySQL backend to IPA. In > our testing ipa user-add starts out at around 12 seconds per user but > slows down as more users are add. By 5000+ users it is taking 90+ > seconds. We have 120,000+ users. I'm looking

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-04 Thread Rob Crittenden
Prasun Gera wrote: > Thanks for the ticket information. I would still be interested in > configuring mod_nss properly (irrespective of whether the certs are ipa > generated or 3rd party). These are the worrying notes from ssllabs test: > > The server supports only older protocols, but not the

Re: [Freeipa-users] Unable to import OpenLDAP users/groups with migrate-ds

2015-11-04 Thread Rob Crittenden
Cal Sawyer wrote: > Hi > > Very new to IPA and setting up a proof of concept system that i hope > will replace my existing OpenLDAP 2.3 (no SASL) setup. I'm trying to > import People, Group ou's into IPA using "ipa migrate-ds". The IPA and > existing LDAP directories have different BaseDNs (eg

Re: [Freeipa-users] Python IndexError: list index out of range with ipa-server-install --external-cert-file

2015-11-04 Thread Rob Crittenden
Gilbert Wilson wrote: > Apologies ahead of time as this is my first post to the list and interaction > with the FreeIPA project. If I should be taking this question to a different > forum please point me in the right direction! > > The error condition I’m encountering is mentioned a few times

Re: [Freeipa-users] Upgrade from 4.1.4

2015-11-04 Thread Rob Crittenden
Martin Kosek wrote: > On 11/04/2015 10:27 AM, Prashant Bapat wrote: >> Ack. But in a live replicated setup wont upgrading from F21->F22 and >> F22->F23 take a long time. I mean couple of hours ? > > It will take some outage time, yes. But if you have appropriate number of > replicas and are

Re: [Freeipa-users] Unable to import OpenLDAP users/groups with migrate-ds

2015-11-04 Thread Rob Crittenden
d rules. rob > > thanks again > > Cal Sawyer | Systems Engineer | BlueBolt Ltd > 15-16 Margaret Street | London W1W 8RW > +44 (0)20 7637 5575 | www.blue-bolt.com > > On 04/11/15 13:56, Rob Crittenden wrote: >> Cal Sawyer wrote: >>> Hi >>>

Re: [Freeipa-users] using wildcard cert from external CA

2015-11-03 Thread Rob Crittenden
Sean Conley - US wrote: > Sorry for the redundancy but I thought it would be better to start a new > thread since I am really asking a different question at this point. > > We are trying to stand up an IPA instance using real certs (wildcard) > for our domain, so that external users get a valid

Re: [Freeipa-users] could anybody give an update on the multitenancy status for freeipa ?

2015-10-30 Thread Rob Crittenden
Rob Verduijn wrote: > 2015-10-30 20:14 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>: >> Rob Verduijn wrote: >>> Hello all, >>> >>> It has been a while since I asked this before. >>> >>> Multitenancy was put in the free

Re: [Freeipa-users] IPA Replication not working for User and DNS

2015-10-30 Thread Rob Crittenden
Martin Basti wrote: > > > On 30.10.2015 11:54, Yogesh Sharma wrote: >> Additionally, On Replica UI, I am getting below Error Message: >> >> >> IPA Error 4301: CertificateOperationError >> >> Certificate operation cannot be completed: Unable to communicate with >> CMS (Not Found) >> >

Re: [Freeipa-users] Sync IPA and AD while using external CA

2015-10-30 Thread Rob Crittenden
being descriptive helps. rob > > > > On Wed, Oct 28, 2015 at 5:20 PM, Rob Crittenden <rcrit...@redhat.com > <mailto:rcrit...@redhat.com>> wrote: > > mitra dehghan wrote: > > hello, > > I want to implement and IPA server and Sync it wit

Re: [Freeipa-users] IPA with external CA signed certs

2015-10-30 Thread Rob Crittenden
James Masson wrote: > > > On 26/10/15 16:11, Martin Kosek wrote: >> On 10/26/2015 04:05 PM, James Masson wrote: >>> >>> >>> On 19/10/15 21:06, Rob Crittenden wrote: >>>> James Masson wrote: >>>>> >>>>> Hi l

Re: [Freeipa-users] IPA Replication not working for User and DNS

2015-10-30 Thread Rob Crittenden
Yogesh Sharma wrote: > Team, > > Noticed that user created on IPA Master are not replicating on Replica. > > Also, we create a new Zone in Master, However we do not see the same in > replica server. You need to figure out why ipa-inf-prd-ng2-01.klikpay.int can't contact port 389 on

Re: [Freeipa-users] Wrong time / constantly expired passwords

2015-10-30 Thread Rob Crittenden
on't see this as root vs other users, you are using a different principal. This makes me wonder if the password policy is strange. You might also want to kinit as freddie and go through the password reset again, then search LDAP for freddie's password expiration: $ ldapsearch -Y GSSAPI -s base -b ui

Re: [Freeipa-users] could anybody give an update on the multitenancy status for freeipa ?

2015-10-30 Thread Rob Crittenden
Rob Verduijn wrote: > Hello all, > > It has been a while since I asked this before. > > Multitenancy was put in the freezer back then in favor of this nice project : > https://fedorahosted.org/ipsilon/wiki/Releases/v1.0.0 e 1.0.2 > Darn...I failed to pay attention a little and suddenly 1.1.1

Re: [Freeipa-users] Exporting ipa LDAP DB

2015-10-30 Thread Rob Crittenden
Gronde, Christopher (Contractor) wrote: > We have had huge issues with our ipa servers which has left some of our > applications offline. We want to stand up a temporary OpenLDAP server > to transfer the users to until we can get IPA back online. Is there a > way to export the ipa LDAP DB so

Re: [Freeipa-users] Sync IPA and AD while using external CA

2015-10-28 Thread Rob Crittenden
mitra dehghan wrote: > hello, > I want to implement and IPA server and Sync it with my 2012 ms ad. While > things go well using an internal CA in each server, I came across kind > of problem when I want integrate solution with my PKI which is already > serving the AD server. > I can install IPA

Re: [Freeipa-users] Wrong time / constantly expired passwords

2015-10-28 Thread Rob Crittenden
Tue, Oct 27, 2015, 21:45 Rob Crittenden <rcrit...@redhat.com > <mailto:rcrit...@redhat.com>> wrote: > > urgrue wrote: > > Hi, > > On a new install, I'm being forced a password reset on every > login. Not > > sure why but this doesn't lo

Re: [Freeipa-users] rest api

2015-10-28 Thread Rob Crittenden
Winfried de Heiden wrote: > Hi all, > > In order for an external application to communicate with IPA and/or > modify on (free)Ipa, we want to use the JSON API. > > Where can I find documentation how to use this API? > > Thankz! > > Winny > > IPA doesn't use REST. You can get an idea about

Re: [Freeipa-users] Wrong time / constantly expired passwords

2015-10-27 Thread Rob Crittenden
urgrue wrote: > Hi, > On a new install, I'm being forced a password reset on every login. Not > sure why but this doesn't look right: > > # date > Tue Oct 27 21:02:57 CET 2015 > > # ipa user-status blah1 > > Last successful authentication: 2015-10-27T19:34:53Z > Last failed authentication:

Re: [Freeipa-users] enabling selinux on ipa server

2015-10-24 Thread Rob Crittenden
Prasun Gera wrote: > I've done that now in addition to the few fixes that I made manually > earlier. These were the messages: > SELinux is preventing /usr/sbin/ns-slapd from write access on the file > ldap_988 > SELinux is preventing /usr/sbin/httpd from read access on the lnk_file >

Re: [Freeipa-users] IPA with external CA signed certs

2015-10-19 Thread Rob Crittenden
James Masson wrote: > > Hi list, > > I successfully have IPA working with CA certs signed by an upstream Dogtag. > > Now I'm trying to use a CA cert signed by a different type of CA - Vault. > > Setup fails, using the same 2 step IPA setup process as used with > upstream Dogtag. I've also

Re: [Freeipa-users] substitute local system groups by ipa groups

2015-10-14 Thread Rob Crittenden
Natxo Asenjo wrote: > hi, > > can you do something like this? > > ipa group-add wheel --gid=10 > > to substitute the local group wheel? Of course nsswitch.conf indicates > local groups get found first ( group: files sss) but, would it work and > is it supported? What is it you expect or desire

Re: [Freeipa-users] substitute local system groups by ipa groups

2015-10-14 Thread Rob Crittenden
Natxo Asenjo wrote: > hi, > > On Wed, Oct 14, 2015 at 8:35 PM, Rob Crittenden <rcrit...@redhat.com > <mailto:rcrit...@redhat.com>> wrote: > > Natxo Asenjo wrote: > > hi, > > > > can you do something like th

Re: [Freeipa-users] OAuth2

2015-10-13 Thread Rob Crittenden
Ben Francis wrote: > Is it supported? No but you should be able to use IPA as an identity backend for an OAuth2 (or other Federation) provider. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for

Re: [Freeipa-users] Correct upgrade steps for IPA server 4.1.0

2015-10-12 Thread Rob Crittenden
Andrey Ptashnik wrote: > Also I don’t see IPA server 4.2.1 in RHEL repository, is it already > available? 4.2 (plus patches) is planned for RHEL 7.2. A beta is available today. > > [root@sever]# yum list ipa-server > ipa-server.x86_64 4.1.0-18.el7_1.4 @rhui-REGION-rhel-server-releases >

Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

2015-10-08 Thread Rob Crittenden
Gronde, Christopher (Contractor) wrote: > Now I am getting CA_UNREACHABLE > > # ipa-getcert resubmit -i 20151007150853 -p /etc/httpd/alias/pwdfile.txt -K > HTTP/comipa02..gov -C /usr/lib64/ipa/certmonger/restart_httpd > Resubmitting "20151007150853" to "IPA". > > # ipa-getcert list > Number of

Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

2015-10-08 Thread Rob Crittenden
t resubmit -i . Assuming that worked next try to renew ipaCert. If that gets renewed then do the 3 remaining certs: Apache and the two 389-ds instances. If that works run ipactl stop, bring time forward, ipactl start. rob > > -Original Message- > From: Rob Crittenden [mailto:rcrit...

Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

2015-10-08 Thread Rob Crittenden
r(s) actually have renewed certificates themselves. rob > > -Original Message- > From: Rob Crittenden [mailto:rcrit...@redhat.com] > Sent: Thursday, October 08, 2015 11:37 AM > To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov>; > Alexander Bokovoy

Re: [Freeipa-users] unindexed searches?

2015-10-07 Thread Rob Crittenden
Janelle wrote: > Hello, > > I hope this is a simply question. I have 1000's of these on my servers > and it severely bogs them down. Any ideas on how to get rid of unindexed > searches? > > [04/Oct/2015:13:27:54 -0700] conn=1344502 op=11158 RESULT err=0 tag=101 > nentries=0 etime=0 notes=U >

Re: [Freeipa-users] ACI for full replica

2015-10-07 Thread Rob Crittenden
Nicola Canepa wrote: > Hello, I'm trying to replicate a subtree of the data from FreeIPA to a > "foreign" LDAP server, by using LSC (http://lsc-project.org). > The replication seems to work correctly, but I was unable to create an > user (maybe even not visible from the web GUI) which could read >

Re: [Freeipa-users] Cant setup replica (freeipa 4.1.3), problem with pki

2015-10-07 Thread Rob Crittenden
Łukasz Jaworski wrote: > Hi, > > I have problem with setup new replicas. > I tried setup two replicas, both failed with the same error. > > environment: > Fedora 21 > > packages: > freeipa-server-4.1.3-2.fc21.x86_64 > 389-ds-base-1.3.3.8-1.fc21.x86_64 > 389-ds-base-libs-1.3.3.8-1.fc21.x86_64 >

Re: [Freeipa-users] re-initialize replica

2015-10-06 Thread Rob Crittenden
Andrew E. Bruno wrote: > On Tue, Oct 06, 2015 at 09:35:08AM -0400, Rob Crittenden wrote: >> Andrew E. Bruno wrote: >>> The replica is not showing up when running ipa-replica-manage list. >>> >>> # ipa-replica-manage list >>> srv-m14-32.cbl

Re: [Freeipa-users] re-initialize replica

2015-10-06 Thread Rob Crittenden
Andrew E. Bruno wrote: > On Mon, Oct 05, 2015 at 02:48:48PM -0400, Rob Crittenden wrote: >> Andrew E. Bruno wrote: >>> On Mon, Oct 05, 2015 at 12:40:42PM +0200, Martin Kosek wrote: >>>> On 10/02/2015 06:00 PM, Andrew E. Bruno wrote: >>>>> On Fri, Oct

Re: [Freeipa-users] Groups

2015-10-06 Thread Rob Crittenden
Sean Hogan wrote: > Hello, > > I have been rolling out an IPA deployment for IBM Watson for the past 3 > months. Initially I did not want to take on application ids (linux OS > Ids owning apps). I now have to so I have created the accounts in IPA > however new files created by user wdadeploy are

Re: [Freeipa-users] re-initialize replica

2015-10-05 Thread Rob Crittenden
Andrew E. Bruno wrote: > On Mon, Oct 05, 2015 at 12:40:42PM +0200, Martin Kosek wrote: >> On 10/02/2015 06:00 PM, Andrew E. Bruno wrote: >>> On Fri, Oct 02, 2015 at 09:56:47AM -0400, Andrew E. Bruno wrote: What's the best way to re-initialize a replica? Suppose one of your replicas

Re: [Freeipa-users] More replication fun

2015-10-05 Thread Rob Crittenden
Janelle wrote: > On 10/5/15 10:16 AM, Simo Sorce wrote: >> On 05/10/15 11:11, Janelle wrote: >>> So here is a fun question -- how is this possible? >>> >>> from ipa-replica-manage list-ruv >>> >>> ipa002.example.com 389 6 >>> ipa003.example.com 389 30 <- Huh??? >>> ipa003.example.com

Re: [Freeipa-users] admin loses access?

2015-10-05 Thread Rob Crittenden
ise AFAIK the name shouldn't matter. rob > > On Mon, Oct 5, 2015 at 8:19 AM, Rob Crittenden <rcrit...@redhat.com > <mailto:rcrit...@redhat.com>> wrote: > > Janelle wrote: > > On 10/5/15 7:39 AM, Rob Crittenden wrote: > >> Torsten Harenberg wrote: >

Re: [Freeipa-users] admin loses access?

2015-10-05 Thread Rob Crittenden
Torsten Harenberg wrote: > Hi Janelle, > > Am 04.10.2015 um 19:25 schrieb Janelle: >> Just wondering if anyone knows why this happens from time to time on >> servers: >> >> $ kinit admin >> kinit: Clients credentials have been revoked while getting initial >> credentials >> >> there are no failed

Re: [Freeipa-users] admin loses access?

2015-10-05 Thread Rob Crittenden
Janelle wrote: > On 10/5/15 7:39 AM, Rob Crittenden wrote: >> Torsten Harenberg wrote: >>> Hi Janelle, >>> >>> Am 04.10.2015 um 19:25 schrieb Janelle: >>>> Just wondering if anyone knows why this happens from time to time on >>>> serv

Re: [Freeipa-users] FreeIPA 3.3 performance issues with many hosts

2015-10-01 Thread Rob Crittenden
Dominik Korittki wrote: > Hello folks, > > I am running two FreeIPA Servers with around 100 users and around 15.000 > hosts, which are used by users to login via ssh. The FreeIPA servers > (which are Centos 7.0) ran good for a while, but as more and more hosts > got migrated to serve as FreeIPA

Re: [Freeipa-users] FreeIPA with third-party wildcard certificate

2015-09-29 Thread Rob Crittenden
Brian Mathis wrote: > No. FreeIPA requires a *CA* certificate, which is a cert that has the > ability to sign other certs. Unless you're in a large company with an > expensive agreement in place with GoDaddy, that is not a permission they > grant to regular certs. A wildcard cert is only

Re: [Freeipa-users] password resets - errors

2015-09-28 Thread Rob Crittenden
Simo Sorce wrote: > On 27/09/15 09:21, Janelle wrote: >> Hello, >> >> I continue to see these a lot, but only on some servers. It causes a lot >> of confusions with my users. There must be a way to troubleshoot this >> and find the issue. Also, there is nothing wrong with the password >> policies.

Re: [Freeipa-users] password resets - errors

2015-09-28 Thread Rob Crittenden
Janelle wrote: > On 9/28/15 6:10 AM, Rob Crittenden wrote: >> Janelle wrote: >>> Hello, >>> >>> I continue to see these a lot, but only on some servers. It causes a lot >>> of confusions with my users. There must be a way to troubleshoot this >>

Re: [Freeipa-users] CentOS7: certmonger not enabled by default?

2015-09-28 Thread Rob Crittenden
Martin Štefany wrote: > Hello all, > > I'd to verify with you if certmonger.service should be enabled by > default after IPA client installation or not. If I remember correctly, > it used to start by on CentOS6, IPA client ~3.0.0, after ipa-client > installation and reboots. > > The thing is,

Re: [Freeipa-users] password resets - errors

2015-09-28 Thread Rob Crittenden
Janelle wrote: > Hello, > > I continue to see these a lot, but only on some servers. It causes a lot > of confusions with my users. There must be a way to troubleshoot this > and find the issue. Also, there is nothing wrong with the password > policies. They are all set to default, and this

Re: [Freeipa-users] Automatic IPA CA cert generation

2015-09-23 Thread Rob Crittenden
David Kupka wrote: > On 22/09/15 17:02, James Masson wrote: >> >> Hi, >> >> we're building IPAs in an automated fashion, for environments that get >> created and destroyed a lot. At the moment, the CA certs used inside >> these IPAs are self-signed, as part of the normal "ipa-server-install" >>

Re: [Freeipa-users] Ghost user?

2015-09-23 Thread Rob Crittenden
Janelle wrote: > On 9/23/15 10:36 AM, Martin Basti wrote: >> >> >> On 09/23/2015 07:15 PM, Janelle wrote: >>> I have a user I created for testing, but now shows as both "there" >>> but not there.. >>> >>> *ipa user-show jtest* >>> >>> ipa: ERROR: jtest: user not found >>> >>> *ipa

Re: [Freeipa-users] Red Hat 5 and 6 with IPA Client v. 4

2015-09-17 Thread Rob Crittenden
Andrey Ptashnik wrote: > Any ideas on that? /var/log/ipaclient-install.log probably has more details on the DNS update failure. rob > > Regards, > > Andrey Ptashnik | Network Architect > CCC Information Services Inc. > 222 Merchandise Mart Plaza, Suite 900 Chicago, IL 60654 > Office:

Re: [Freeipa-users] How to add multivalued attribute to UI

2015-09-16 Thread Rob Crittenden
wnloads all the available commands and options as metadata and uses that to help drive some of the interactions. rob > > Thanks! > - Original Message - > From: "Rob Crittenden" <rcrit...@redhat.com> > > Do you have this configured in the user plugin? Perha

Re: [Freeipa-users] How to add multivalued attribute to UI

2015-09-16 Thread Rob Crittenden
John Duino wrote: > Greetings! > > I am wanting to add a multivalued attribute (mailAlternateAddress, from > objectClass:MailRecipient) to the User UI. We are running IPA > 4.1.0-18.el7.centos.4.x86_64, on CentOS7. Adding it to the CLI was fairly > straightforward. > I have a plugin at

Re: [Freeipa-users] Add objectclasses to computer schema

2015-09-10 Thread Rob Crittenden
Thomas Suiter wrote: > Is there an equivalent host/computer default objectclasses that there is > for ipa config-mod –groupobjectclasses/--userobjectclasses ? We are > wanting to add some additional attributes to all of the servers, I’m > able to add the object class to individual servers but not

Re: [Freeipa-users] Ugrading IPA to dogtag? CA?

2015-09-08 Thread Rob Crittenden
Steven Jones wrote: RHEL6.7 and IPA 3.0 "self-signed" not understanding such terminology terribly well, I am not sure at all. What command will tell me what I have? Do you have a dogtag CA instance? ipactl status rob regards Steven

Re: [Freeipa-users] Antwort: Re: Antwort: Re: Faulty LDAP record

2015-09-08 Thread Rob Crittenden
Christoph Kaminski wrote: Youenn PIOLET schrieb am 07.09.2015 14:13:35: > Von: Youenn PIOLET > An: Christoph Kaminski > Kopie: Ludwig Krispenz , freeipa-users@redhat.com > Datum: 07.09.2015

Re: [Freeipa-users] Replacing the "master"

2015-09-04 Thread Rob Crittenden
Martin Kosek wrote: On 09/04/2015 12:00 AM, Rob Crittenden wrote: Steven Jones wrote: I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I try and remove the last one the master? it says, "[root@vuwunicoipam001 thing]# ipa-replica-manage del vuwunicoi

Re: [Freeipa-users] Ugrading IPA to dogtag? CA?

2015-09-04 Thread Rob Crittenden
Steven Jones wrote: It seems I built IPA with self signed certs so I need to upgrade? is this possible? and if so how on existing servers? I think it depends heavily on what version of IPA you are running and what you mean by self-signed. rob

Re: [Freeipa-users] kinit admin not working anymore (LOCKED_OUT: Clients credentials have been revoked)

2015-09-03 Thread Rob Crittenden
Janelle wrote: You will find, if you check in the ns-slapd "errors" log that this server may no longer be handling replication correctly. Look in /var/log/dirsrv/slapd-INSTANCE/errors This probably doesn't have anything to do with replication. Lockout is per-master because failed (and

Re: [Freeipa-users] ipa automountlocation-tofiles

2015-09-03 Thread Rob Crittenden
Marc Wiatrowski wrote: On Wed, Sep 2, 2015 at 3:46 PM, Rob Crittenden <rcrit...@redhat.com <mailto:rcrit...@redhat.com>> wrote: Marc Wiatrowski wrote: Hello, In trying to script some changes for automount locations. I've noticed 'ipa autom

Re: [Freeipa-users] ipa automountlocation-tofiles

2015-09-03 Thread Rob Crittenden
Marc Wiatrowski wrote: That looks to have done the trick! (no restart needed) thank you Great. I opened https://fedorahosted.org/freeipa/ticket/5285 to track this. rob On Thu, Sep 3, 2015 at 1:43 PM, Rob Crittenden <rcrit...@redhat.com <mailto:rcrit...@redhat.com>> wrot

Re: [Freeipa-users] Replacing the "master"

2015-09-03 Thread Rob Crittenden
Steven Jones wrote: I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I try and remove the last one the master? it says, "[root@vuwunicoipam001 thing]# ipa-replica-manage del vuwunicoipam002. Directory Manager password: Deleting a master is irreversible. To

Re: [Freeipa-users] ipa automountlocation-tofiles

2015-09-02 Thread Rob Crittenden
Marc Wiatrowski wrote: Hello, In trying to script some changes for automount locations. I've noticed 'ipa automountlocation-tofiles' doesn't seem to return everything. As an example: $ ipa automountlocation-tofiles office | grep abg returns nothing for abg. Yes, I have run this without the

Re: [Freeipa-users] CA replicas different views???

2015-09-01 Thread Rob Crittenden
Janelle wrote: Hello, I am very confused. I have a couple of data centers and as expected, I have setup CA replicas in each DC. However, this is what makes me nervous/afraid of my configs. In one data center, which sitting on a master and issuing: (as seen from ipa006.example.com)

Re: [Freeipa-users] certificate renewal stuck

2015-08-29 Thread Rob Crittenden
the correct path? - I would have assumed these certs would have renewed themselves since I'm +3.0. I see the Configure renewal section but its an odd situation where we have to renew and reconfigure... --Mike On 8/28/15, 7:45 PM, Rob Crittenden rcrit...@redhat.com wrote: Mike LoSapio wrote

Re: [Freeipa-users] Troubles with extending FreeIPA Web UI to fit my environment

2015-08-27 Thread Rob Crittenden
Mateusz Małek wrote: Hi everyone, We're trying to adjust FreeIPA to our environment... quite a bit. Here are some bullet points: 1. User home directory location is dependent on user primary group and its value should be autogenerated on user creation. 2. User administrator should be able to

Re: [Freeipa-users] Trying to enroll clients on CentOS7 with '--' in the host name failing

2015-08-25 Thread Rob Crittenden
McNiel, Craig wrote: We have a rather strange need to have '--' in some standard host names and when I use the CentOS7 ipa-client 4.1 I get the following error message. [root@pan-smk-pdev lib]# ipa-join -h craigs--ipa--client--test.pearsondev.com

Re: [Freeipa-users] Adding virtual servers to IPA httpd

2015-08-24 Thread Rob Crittenden
Ian Pilcher wrote: On 08/24/2015 01:47 AM, Martin Kosek wrote: FreeIPA can play well with other stuff running on the same Apache as long as you do not break it's Apache configuration - like mod_nss running on port 443, CA proxy or the RPC connection URIs used by ipa tool or other tools. So the

Re: [Freeipa-users] How to modify the logging dir

2015-08-20 Thread Rob Crittenden
bahan w wrote: Hello. I send you this mail because I'm looking for a way to modify the logging dir of the different components embedded with FreeIPA. I already check here : http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/server-config.html But I cannot see how to modify the

Re: [Freeipa-users] Questions to compat LDAP suffix

2015-08-20 Thread Rob Crittenden
Detlev Habicht wrote: Hi all, i am very new using and testing IPA and i have some questions, which are not really IPA topics. But perhaps someone can help me and send me a link, where i can read and learn such things: I see in the LDAP tree a suffix like this:

Re: [Freeipa-users] private groups

2015-08-20 Thread Rob Crittenden
Martin Kosek wrote: On 08/20/2015 11:57 AM, Detlev Habicht wrote: Hi all, i am new using IPA and learning IPA i am also learning some other things new for me. Migrating our system to IPA i found some problems with private groups. We don’t used it up to now. Trying to disable this feature

Re: [Freeipa-users] Cannot uninstall ipa-server

2015-08-19 Thread Rob Crittenden
Janelle wrote: ipa-server-install --uninstall --unattended I don't think it is the prompt that's hanging. I'd either wait to see whether it clears things up itself or try to figure out what service is hanging. Some of the timeouts are 5 minutes IIRC so it may take a while in the worse case

Re: [Freeipa-users] freeipa on http?

2015-08-18 Thread Rob Crittenden
Janelle wrote: Hi, Is there a way to force freeipa web server to accept http requests and not redirect to https? Reason is simple - offloading SSL to a load balancer on the front end. (this is for web only, not the LDAP or Kerberos) Thank you ~J You could try disabling the rewrite rules to

Re: [Freeipa-users] IPA User Group Auto membership

2015-08-15 Thread Rob Crittenden
Yogesh Sharma wrote: Team,, We are having issue in configuring Auto Membership for Usergroup i.e. when ever we add/update a user to IPA , it should get added to a group on the basis of his/her Job Title. Below is the rule: [root@ipa-inf-prd-ng2-02 ~]# ipa automember-find dbausers Grouping

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-15 Thread Rob Crittenden
sipazzo wrote: Hi I am using freeipa 3.0.0-47 in a mixed environment with rhel5-7 clients, Solaris 10 clients and a handful of Solaris 11 clients. I followed this guide in setting up the solaris clients: 3.8. Configuring a Solaris System as a FreeIPA Client

Re: [Freeipa-users] Having problem with pwd_expiration

2015-08-13 Thread Rob Crittenden
Dewangga Bachrul Alam wrote: I've tried both of them (web ui CLI), still no luck. Screenshoot attached, the password expired not follow the global_policy. I've create another new user, it was same with user `subhan`. The password expired not follow global_policy.

Re: [Freeipa-users] Keeping a Tuesday fun - replication? without replication?

2015-08-04 Thread Rob Crittenden
Janelle wrote: Hello again, Just to keep your Tuesday fun, is this possible: 16 servers. ipa-replica-manage list shows all 16 1 of the servers broke a couple of weeks ago and was removed with clean-ruv but STILL shows up in the replica list, but not a single master has a replica

Re: [Freeipa-users] OTP and Laptops

2015-07-27 Thread Rob Crittenden
John Johnson wrote: Kerberos version is 1.12.2 on RHEL7.1. I guess I'm wondering if the issue is hardware-related, somehow specific to laptops; or if it's related to the way laptops are assumed to be used, i.e. portable, etc. It would be helpful if you described what isn't working. rob On

Re: [Freeipa-users] Client Certificates not in backlog

2015-07-20 Thread Rob Crittenden
Brian Topping wrote: Hi I was just looking at http://www.freeipa.org/page/User_certificate_use_cases and was trying to do some self-service to see when it might get scheduled. Unless I am mistaken, it doesn't even seem to exist in the backlog. Is that intentional? The reason I started to

Re: [Freeipa-users] Apache not starting because of cert password issue ?

2015-07-09 Thread Rob Crittenden
Matt . wrote: I now get: [Thu Jul 09 02:50:18.815219 2015] [:error] [pid 16615] Certificate not found: 'Server-Cert' So, it's no good at all :) I think you need to take a step back and tell us what you've done to get into this situation. The error messages are fairly clear. The first one

Re: [Freeipa-users] CANT LOGIN INTO centos 6.6 2.6.32-504.23.4.el6.i686

2015-07-09 Thread Rob Crittenden
Martin Chamambo wrote: I have the following configuration below and im able to login via SSH into a 32 bit server. With the same username im able to login on other servers Please see https://fedorahosted.org/sssd/wiki/Troubleshooting for the information necessary to assist. rob

Re: [Freeipa-users] Multiple CA certificates (for PassSync)

2015-07-09 Thread Rob Crittenden
Joseph, Matthew (EXP) wrote: Hello, We are currently in the process of replacing our IdM 3.x server with 4.x. There are going to be some major directory changes during the upgrade so I need to keep both the old and new IdM servers up and running separately. Part of our configuration is using

Re: [Freeipa-users] error after change cert

2015-07-07 Thread Rob Crittenden
new cert then your simplest solution is: # ipactl stop # favorite editor /etc/dirsrv/slapd-REALM/dse.ldif Find nsSSLPersonalitySSL and replace the value with the right one. # ipactl start rob On 6 July 2015 at 11:52 PM, Rob Crittenden <rcrit...@redhat.com> wrote: barry

Re: [Freeipa-users] what error log i should check

2015-07-06 Thread Rob Crittenden
barry...@gmail.com wrote: server 1 ipa-replica-manage list Segmentation fault (core dumped) server 2 ipa-replica-manage list Can't contact LDAP server but it seem still syn as i add new ac then server 2 have i delete server2 's anme server 1 still delte. I'd start with the seg fault.

Re: [Freeipa-users] IPA replica without CA, how to become CA

2015-07-06 Thread Rob Crittenden
Matt . wrote: Hi All, I'm cleaning up and playing around with some old dev setups and reviewing these tests. This is a replica setup but the replica is no CA. Now I'm testing out how to manage cluster when I remove the ipa1 (CA) and create a new replica with CA from the ipa2. IPA2 should

Re: [Freeipa-users] error after change cert

2015-07-06 Thread Rob Crittenden
uses nicknames to reference a given certificate. This nickname needs to exist in it's database. I'm guessing that you changed the database, and therefore the nickname in the database, without also updating the server configuration with this new nickname. rob 2015-07-06 21:39 GMT+08:00 Rob

Re: [Freeipa-users] Trouble getting a windows computer to get a TGT from a linux FreeIPA server

2015-07-06 Thread Rob Crittenden
Haiden, Scott B. wrote: Hello, I have a KDC set up on a Linux virtual host, known as ldap.abc, which has a FreeIPA server running on it. I am trying to get a TGT from it, from my Windows 7 Enterprise machine. I am able to easily interact with it from other Linux hosts, but I am not having

Re: [Freeipa-users] 3rd party certificate for WebUI only

2015-07-01 Thread Rob Crittenden
Stephen Ingram wrote: I setup IPA using the internal CA. I'd like to continue using this CA, however, I'd also like to allow authorized external browser users (who haven't imported our CA) to access the WebUI without receiving a warning. Is it possible to add a 3rd party certificate and CA such

Re: [Freeipa-users] ipa replica failure

2015-06-22 Thread Rob Crittenden
Andrew E. Bruno wrote: On Mon, Jun 22, 2015 at 10:02:59AM -0400, Rob Crittenden wrote: Andrew E. Bruno wrote: On Fri, Jun 19, 2015 at 03:18:50PM -0400, Rob Crittenden wrote: Rich Megginson wrote: On 06/19/2015 12:22 PM, Andrew E. Bruno wrote: Questions: 0. Is it likely that after running

Re: [Freeipa-users] invalid 'permission': cannot add permission System: Read HBAC Rules with bindtype all to a privilege

2015-06-22 Thread Rob Crittenden
Nathan Peters wrote: -Original Message- From: Rob Crittenden Sent: Saturday, June 20, 2015 1:17 PM To: Nathan Peters Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission System: Read HBAC Rules with bindtype all to a privilege Nathan

Re: [Freeipa-users] Changing the SSL certificate for the WebUI

2015-06-22 Thread Rob Crittenden
Prashant Bapat wrote: Hi Rob, Thanks for the reply. The ipa-server-certinstall did require that I have the cert and the CA cert in PEM file and the key in another PEM file. And the command went through successfully. But afterwards the HTTP service stopped working. Only way I could get it to start

Re: [Freeipa-users] Crazy Cert problem?

2015-06-22 Thread Rob Crittenden
Janelle wrote: On 6/17/15 2:00 PM, Rob Crittenden wrote: Janelle wrote: On 6/17/15 6:21 AM, Rob Crittenden wrote: Janelle wrote: On 6/17/15 6:14 AM, Rob Crittenden wrote: Janelle wrote: Hi, Had a server - named ipa001.example.com -- it was a replica. It died. It was re-installed. However

Re: [Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)

2015-06-22 Thread Rob Crittenden
Matt . wrote: Hi Guys, I found some good information about migrating from 3.3 to 4.x using replicas. It's not 100% clear what I can do on a CentOS 6.6 install with 3.0 as CentOS doesn't provide 3.3.

Re: [Freeipa-users] ipa replica failure

2015-06-22 Thread Rob Crittenden
Andrew E. Bruno wrote: On Fri, Jun 19, 2015 at 03:18:50PM -0400, Rob Crittenden wrote: Rich Megginson wrote: On 06/19/2015 12:22 PM, Andrew E. Bruno wrote: Questions: 0. Is it likely that after running out of file descriptors the dirsrv slapd database on rep2 was corrupted? That would

Re: [Freeipa-users] invalid 'permission': cannot add permission System: Read HBAC Rules with bindtype all to a privilege

2015-06-20 Thread Rob Crittenden
Nathan Peters wrote: -Original Message- From: Rob Crittenden Sent: Friday, June 19, 2015 3:38 PM To: nat...@nathanpeters.com Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission System: Read HBAC Rules with bindtype all to a privilege

Re: [Freeipa-users] Changing the SSL certificate for the WebUI

2015-06-20 Thread Rob Crittenden
replay issues possible. You should re-encrypt, so terminate SSL at the load balancer and then open a new SSL session to IPA. rob On 18 June 2015 at 19:03, Rob Crittenden <rcrit...@redhat.com> wrote: Prashant Bapat wrote: Hi All, There is a way

Re: [Freeipa-users] Installing replica w/o CA?

2015-06-19 Thread Rob Crittenden
Janelle wrote: Maybe this is an obvious question - but I am missing the simple answer. If you create a master and want to create 3 replicas -- creating the first replica works just fine, but I want the 2nd replica chained off the first, and NOT the master. But unless you install a CA on that

Re: [Freeipa-users] invalid 'permission': cannot add permission System: Read HBAC Rules with bindtype all to a privilege

2015-06-19 Thread Rob Crittenden
nat...@nathanpeters.com wrote: nat...@nathanpeters.com wrote: FreeIPA server 4.1.3 on CentOS 7 I am trying to create a set of privileges or roles that will allow me to create a user who has read-only access to as much of the FreeIPA web UI as possible. Basically my manager wants the type of

Re: [Freeipa-users] invalid 'permission': cannot add permission System: Read HBAC Rules with bindtype all to a privilege

2015-06-19 Thread Rob Crittenden
nat...@nathanpeters.com wrote: FreeIPA server 4.1.3 on CentOS 7 I am trying to create a set of privileges or roles that will allow me to create a user who has read-only access to as much of the FreeIPA web UI as possible. Basically my manager wants the type of view into FreeIPA that they have

Re: [Freeipa-users] ipa replica failure

2015-06-19 Thread Rob Crittenden
Rich Megginson wrote: On 06/19/2015 12:22 PM, Andrew E. Bruno wrote: Hello, First time trouble shooting an ipa server failure and looking for some guidance on how best to proceed. First some background on our setup: Servers are running freeipa v4.1.0 on CentOS 7.1.1503: -

Re: [Freeipa-users] Changing the SSL certificate for the WebUI

2015-06-18 Thread Rob Crittenden
Prashant Bapat wrote: Hi All, There is a way to change the certificate for the web UI. I went with a standard install with a self-signed CA etc. Now I want to install a cert from a commercial CA. I don't mind using the IPA CA certs for the 389 DS, just want to change the cert for the UI. Any
