Re: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance

2017-05-18 Thread Callum Guy
OK Martin, thanks for the explanation - I suspected it might not work quite
correctly. On that basis I have decided to hold off and wait for a more
optimistic situation.

I really appreciate the advice, looks like my time will be better spent
configuring the clients to use the replica!

On Thu, May 18, 2017 at 1:49 PM Martin Bašti <mba...@redhat.com> wrote:

> It will create clone of the original CA, it will work as backup not a
> separate CA.
>
> I'm afraid it will result into the same behavior because it uses almost
> the same code, but as I said before this issue is on dogtag side and not
> always reproducible.
>
> On 18.05.2017 14:44, Callum Guy wrote:
>
> Thanks for that Martin.
>
> The man page for ipa-ca-install suggests I could pass in my replica file
> to create a "CA-less" configuration. Is this what I want or is a CA-full
> appropriate? All I want to achieve is the additional resilience provided by
> a replica which can both authorise and sign certificates in the event of a
> loss of the master server. I certainly don't want an entirely separate CA
> to be installed - my anticipation is that my replica will be able to become
> an intermediate authority - is that the intended arrangement for a replica?
>
> Finally, do you hold out much hope that ipa-ca-install will work any
> better than the --setup-ca flag I was attempting to get working for the replica
> install? If it's the same code I would probably just end up with a half
> configured CA and have to rebuild my replica - something I would like to
> avoid repeating after the last couple of days!
>
> On Thu, May 18, 2017 at 1:28 PM Martin Bašti <mba...@redhat.com> wrote:
>
>> ipa-ca-install will install on top of FreeIPA CA-less replica, nothing
>> else, you really don't want to do it manually.
>>
>> On 18.05.2017 14:12, Callum Guy wrote:
>>
>> Thanks Martin, really appreciate the additional information.
>>
>> Are you aware of a separate guide for installing DogTag/PKI on top of
>> FreeIPA - basically I am happy to install separately if it doesn't
>> compromise the FreeIPA server configuration, I'm not clear on whether this
>> is possible without a major time investment.
>>
>> On Thu, May 18, 2017 at 12:46 PM Martin Bašti <mba...@redhat.com> wrote:
>>
>>>
>>> Please note that commits in #6766 will not fix this issue, the issue is
>>> on dogtag side, please see https://pagure.io/dogtagpki/issue/2646
>>> Sorry for troubles
>>>
>>>
>>> On 18.05.2017 12:19, Callum Guy wrote:
>>>
>>> Haha, looks like I'm going CA-less for a while on the replica. I don't
>>> see any immediate requirement for one so time to get on with my life!
>>>
>>> I'll post back if anything changes but I'm probably stuck waiting for
>>> the upgrade too..
>>>
>>> On Thu, May 18, 2017 at 11:01 AM Lachlan Musicman <data...@gmail.com>
>>> wrote:
>>>
>>>> Sorry cobber. We only found 6766 today - we've been tackling it on and
>>>> off for a couple of weeks :)
>>>>
>>>> --
>>>> "Mission Statement: To provide hope and inspiration for collective
>>>> action, to build collective power, to achieve collective transformation,
>>>> rooted in grief and rage but pointed towards vision and dreams."
>>>>
>>>>  - Patrice Cullors, *Black Lives Matter founder*
>>>>
>>>> On 18 May 2017 at 19:53, Callum Guy <callum@x-on.co.uk> wrote:
>>>>
>>>>> Ah, thanks for that Lachlan - it's always reassuring to hear that it's
>>>>> not just me!
>>>>>
>>>>> As mentioned above I have it running without the CA so that's a good
>>>>> start. I am sure we will upgrade as well once 4.5 becomes stable and GA for
>>>>> CentOS. I'm not expecting that to happen quickly so will have to work with
>>>>> what we have for now.
>>>>>
>>>>> Do you happen to know if there is any way to build the CA component
>>>>> separately?
>>>>>
>>>>> On Thu, May 18, 2017 at 10:38 AM Lachlan Musicman <data...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> https://pagure.io/freeipa/issue/6766
>>>>>>
>>>>>> 4.5.1 - I stand corrected. Can add more tomorrow.
>>>>>>

Re: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance

2017-05-18 Thread Callum Guy
Thanks for that Martin.

The man page for ipa-ca-install suggests I could pass in my replica file to
create a "CA-less" configuration. Is this what I want or is a CA-full
appropriate? All I want to achieve is the additional resilience provided by
a replica which can both authorise and sign certificates in the event of a
loss of the master server. I certainly don't want an entirely separate CA
to be installed - my anticipation is that my replica will be able to become
an intermediate authority - is that the intended arrangement for a replica?

Finally, do you hold out much hope that ipa-ca-install will work any better
than the --setup-ca flag I was attempting to get working for the replica
install? If it's the same code I would probably just end up with a half
configured CA and have to rebuild my replica - something I would like to
avoid repeating after the last couple of days!

On Thu, May 18, 2017 at 1:28 PM Martin Bašti <mba...@redhat.com> wrote:

> ipa-ca-install will install on top of FreeIPA CA-less replica, nothing
> else, you really don't want to do it manually.
>
> On 18.05.2017 14:12, Callum Guy wrote:
>
> Thanks Martin, really appreciate the additional information.
>
> Are you aware of a separate guide for installing DogTag/PKI on top of
> FreeIPA - basically I am happy to install separately if it doesn't
> compromise the FreeIPA server configuration, I'm not clear on whether this
> is possible without a major time investment.
>
> On Thu, May 18, 2017 at 12:46 PM Martin Bašti <mba...@redhat.com> wrote:
>
>>
>> Please note that commits in #6766 will not fix this issue, the issue is
>> on dogtag side, please see https://pagure.io/dogtagpki/issue/2646
>> Sorry for troubles
>>
>>
>> On 18.05.2017 12:19, Callum Guy wrote:
>>
>> Haha, looks like I'm going CA-less for a while on the replica. I don't
>> see any immediate requirement for one so time to get on with my life!
>>
>> I'll post back if anything changes but I'm probably stuck waiting for the
>> upgrade too..
>>
>> On Thu, May 18, 2017 at 11:01 AM Lachlan Musicman <data...@gmail.com>
>> wrote:
>>
>>> Sorry cobber. We only found 6766 today - we've been tackling it on and
>>> off for a couple of weeks :)
>>>
>>>
>>> On 18 May 2017 at 19:53, Callum Guy <callum@x-on.co.uk> wrote:
>>>
>>>> Ah, thanks for that Lachlan - it's always reassuring to hear that it's
>>>> not just me!
>>>>
>>>> As mentioned above I have it running without the CA so that's a good
>>>> start. I am sure we will upgrade as well once 4.5 becomes stable and GA for
>>>> CentOS. I'm not expecting that to happen quickly so will have to work with
>>>> what we have for now.
>>>>
>>>> Do you happen to know if there is any way to build the CA component
>>>> separately?
>>>>
>>>> On Thu, May 18, 2017 at 10:38 AM Lachlan Musicman <data...@gmail.com>
>>>> wrote:
>>>>
>>>>> https://pagure.io/freeipa/issue/6766
>>>>>
>>>>> 4.5.1 - I stand corrected. Can add more tomorrow.
>>>>>
>>>>>
>>>>> On 18 May 2017 at 19:34, Lachlan Musicman <data...@gmail.com> wrote:
>>>>>
>>>>>> We are seeing this. I'm not at work, but I think it's bug report
>>>>>> 6766.
>>>>>>
>>>>>> Patch has already been committed (not by us), we're waiting for IPA
>>>>>> 4.5.
>>>>>>
>>>>>> cheers
>>>>>> L.
>>>>>>

Re: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance

2017-05-18 Thread Callum Guy
Thanks Martin, really appreciate the additional information.

Are you aware of a separate guide for installing DogTag/PKI on top of
FreeIPA - basically I am happy to install separately if it doesn't
compromise the FreeIPA server configuration, I'm not clear on whether this
is possible without a major time investment.

On Thu, May 18, 2017 at 12:46 PM Martin Bašti <mba...@redhat.com> wrote:

>
> Please note that commits in #6766 will not fix this issue, the issue is on
> dogtag side, please see https://pagure.io/dogtagpki/issue/2646
> Sorry for troubles
>
>
> On 18.05.2017 12:19, Callum Guy wrote:
>
> Haha, looks like I'm going CA-less for a while on the replica. I don't see
> any immediate requirement for one so time to get on with my life!
>
> I'll post back if anything changes but I'm probably stuck waiting for the
> upgrade too..
>
> On Thu, May 18, 2017 at 11:01 AM Lachlan Musicman <data...@gmail.com>
> wrote:
>
>> Sorry cobber. We only found 6766 today - we've been tackling it on and
>> off for a couple of weeks :)
>>
>>
>> On 18 May 2017 at 19:53, Callum Guy <callum@x-on.co.uk> wrote:
>>
>>> Ah, thanks for that Lachlan - it's always reassuring to hear that it's not
>>> just me!
>>>
>>> As mentioned above I have it running without the CA so that's a good
>>> start. I am sure we will upgrade as well once 4.5 becomes stable and GA for
>>> CentOS. I'm not expecting that to happen quickly so will have to work with
>>> what we have for now.
>>>
>>> Do you happen to know if there is any way to build the CA component
>>> separately?
>>>
>>> On Thu, May 18, 2017 at 10:38 AM Lachlan Musicman <data...@gmail.com>
>>> wrote:
>>>
>>>> https://pagure.io/freeipa/issue/6766
>>>>
>>>> 4.5.1 - I stand corrected. Can add more tomorrow.
>>>>
>>>>
>>>> On 18 May 2017 at 19:34, Lachlan Musicman <data...@gmail.com> wrote:
>>>>
>>>>> We are seeing this. I'm not at work, but I think it's bug report 6766.
>>>>>
>>>>> Patch has already been committed (not by us), we're waiting for IPA
>>>>> 4.5.
>>>>>
>>>>> cheers
>>>>> L.
>>>>>
>>>>>
>>>>> On 18 May 2017 at 18:57, Callum Guy <callum@x-on.co.uk> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> I am currently stuck trying to set up the first replica of our master
>>>>>> IPA server. I have tried a number of different approaches including
>>>>>> escalating from a client and nothing is working for me. I perform a full
>>>>>> OS reset each time I get stuck.
>>>>>>
>>>>>> I'm running CentOS 7.2 with the FreeIPA 4.4.0 (rpm -q reports this
>>>>>> version however having performed ipa-server-upgrade - does this mean I'm
>>>>>> on 4.4.4?).
>>>>>>
>>>>>> The command is shown below - note that I am skipping the conn check
>>>>>> as my platform's security settings do not allow the SSH session to be
>>>>>> established back on the master, all ports should be available to the
>>>>>> application however.
>>>>>>
>>>>>> [root@ipa2 ~]# ipa-replica-install --ip-address=172.24.0.101
>>>>>> --setup-ca --setup-dns --skip-conncheck --no-forwarders SITE.net.gpg
>>

Re: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance

2017-05-18 Thread Callum Guy
Haha, looks like I'm going CA-less for a while on the replica. I don't see
any immediate requirement for one so time to get on with my life!

I'll post back if anything changes but I'm probably stuck waiting for the
upgrade too..

On Thu, May 18, 2017 at 11:01 AM Lachlan Musicman <data...@gmail.com> wrote:

> Sorry cobber. We only found 6766 today - we've been tackling it on and off
> for a couple of weeks :)
>
>
> On 18 May 2017 at 19:53, Callum Guy <callum@x-on.co.uk> wrote:
>
>> Ah, thanks for that Lachlan - it's always reassuring to hear that it's not
>> just me!
>>
>> As mentioned above I have it running without the CA so that's a good
>> start. I am sure we will upgrade as well once 4.5 becomes stable and GA for
>> CentOS. I'm not expecting that to happen quickly so will have to work with
>> what we have for now.
>>
>> Do you happen to know if there is any way to build the CA component
>> separately?
>>
>> On Thu, May 18, 2017 at 10:38 AM Lachlan Musicman <data...@gmail.com>
>> wrote:
>>
>>> https://pagure.io/freeipa/issue/6766
>>>
>>> 4.5.1 - I stand corrected. Can add more tomorrow.
>>>
>>>
>>> On 18 May 2017 at 19:34, Lachlan Musicman <data...@gmail.com> wrote:
>>>
>>>> We are seeing this. I'm not at work, but I think it's bug report 6766.
>>>>
>>>> Patch has already been committed (not by us), we're waiting for IPA 4.5.
>>>>
>>>> cheers
>>>> L.
>>>>
>>>>
>>>> On 18 May 2017 at 18:57, Callum Guy <callum@x-on.co.uk> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> I am currently stuck trying to set up the first replica of our master
>>>>> IPA server. I have tried a number of different approaches including
>>>>> escalating from a client and nothing is working for me. I perform a full
>>>>> OS reset each time I get stuck.
>>>>>
>>>>> I'm running CentOS 7.2 with the FreeIPA 4.4.0 (rpm -q reports this
>>>>> version however having performed ipa-server-upgrade - does this mean I'm
>>>>> on 4.4.4?).
>>>>>
>>>>> The command is shown below - note that I am skipping the conn check as
>>>>> my platform's security settings do not allow the SSH session to be
>>>>> established back on the master, all ports should be available to the
>>>>> application however.
>>>>>
>>>>> [root@ipa2 ~]# ipa-replica-install --ip-address=172.24.0.101
>>>>> --setup-ca --setup-dns --skip-conncheck --no-forwarders SITE.net.gpg
>>>>>
>>>>> Directory Manager (existing master) password:
>>>>>
>>>>> ipa : ERROR    Could not resolve hostname ipa2.SITE.net using DNS. Clients
>>>>> may not function properly. Please check your DNS setup. (Note that this
>>>>> check queries IPA DNS directly and ignores /etc/hosts.)
>>>>> Continue? [no]: yes
>>>>> Configuring NTP daemon (ntpd)
>>>>>   [1/4]: stopping ntpd
>>>>>   [2/4]: writing configuration
>>>>>   [3/4]: configuring ntpd to start on boot
>>>>>   [4/4]: starting ntpd
>>>>> Done configuring NTP daemon (ntpd).
>>>>> Configuring directory server (dirsrv). Estimated time: 1 minute
>>>>>   [1/42]: creating directory server user
>>>>>   [2/42]: creating directory server instance
>>>>>   [3/42]: updating configuration in dse.ldif
>>>>>   [4/42]: restarting directory server
>>>>>   [5/42]: adding defa

Re: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance

2017-05-18 Thread Callum Guy
Ah, thanks for that Lachlan - it's always reassuring to hear that it's not
just me!

As mentioned above I have it running without the CA so that's a good start.
I am sure we will upgrade as well once 4.5 becomes stable and GA for
CentOS. I'm not expecting that to happen quickly so will have to work with
what we have for now.

Do you happen to know if there is any way to build the CA component
separately?

On Thu, May 18, 2017 at 10:38 AM Lachlan Musicman <data...@gmail.com> wrote:

> https://pagure.io/freeipa/issue/6766
>
> 4.5.1 - I stand corrected. Can add more tomorrow.
>
>
> On 18 May 2017 at 19:34, Lachlan Musicman <data...@gmail.com> wrote:
>
>> We are seeing this. I'm not at work, but I think it's bug report 6766.
>>
>> Patch has already been committed (not by us), we're waiting for IPA 4.5.
>>
>> cheers
>> L.
>>
>>
>> On 18 May 2017 at 18:57, Callum Guy <callum@x-on.co.uk> wrote:
>>
>>> Hi All,
>>>
>>> I am currently stuck trying to set up the first replica of our master IPA
>>> server. I have tried a number of different approaches including escalating
>>> from a client and nothing is working for me. I perform a full OS reset each
>>> time I get stuck.
>>>
>>> I'm running CentOS 7.2 with the FreeIPA 4.4.0 (rpm -q reports this
>>> version however having performed ipa-server-upgrade - does this mean I'm on
>>> 4.4.4?).
>>>
>>> The command is shown below - note that I am skipping the conn check as
>>> my platform's security settings do not allow the SSH session to be
>>> established back on the master, all ports should be available to the
>>> application however.
>>>
>>> [root@ipa2 ~]# ipa-replica-install --ip-address=172.24.0.101 --setup-ca
>>> --setup-dns --skip-conncheck --no-forwarders SITE.net.gpg
>>>
>>> Directory Manager (existing master) password:
>>>
>>> ipa : ERROR    Could not resolve hostname ipa2.SITE.net using DNS. Clients
>>> may not function properly. Please check your DNS setup. (Note that this
>>> check queries IPA DNS directly and ignores /etc/hosts.)
>>> Continue? [no]: yes
>>> Configuring NTP daemon (ntpd)
>>>   [1/4]: stopping ntpd
>>>   [2/4]: writing configuration
>>>   [3/4]: configuring ntpd to start on boot
>>>   [4/4]: starting ntpd
>>> Done configuring NTP daemon (ntpd).
>>> Configuring directory server (dirsrv). Estimated time: 1 minute
>>>   [1/42]: creating directory server user
>>>   [2/42]: creating directory server instance
>>>   [3/42]: updating configuration in dse.ldif
>>>   [4/42]: restarting directory server
>>>   [5/42]: adding default schema
>>>   [6/42]: enabling memberof plugin
>>>   [7/42]: enabling winsync plugin
>>>   [8/42]: configuring replication version plugin
>>>   [9/42]: enabling IPA enrollment plugin
>>>   [10/42]: enabling ldapi
>>>   [11/42]: configuring uniqueness plugin
>>>   [12/42]: configuring uuid plugin
>>>   [13/42]: configuring modrdn plugin
>>>   [14/42]: configuring DNS plugin
>>>   [15/42]: enabling entryUSN plugin
>>>   [16/42]: configuring lockout plugin
>>>   [17/42]: configuring topology plugin
>>>   [18/42]: creating indices
>>>   [19/42]: enabling referential integrity plugin
>>>   [20/42]: configuring ssl for ds instance
>>>   [21/42]: configuring certmap.conf
>>>   [22/42]: configure autobind for root
>>>   [23/42]: configure new location for managed entries
>>>   [24/42]: configure dirsrv ccache
>>>   [25/42]: enabling SASL mapping fallback
>>>   [26/42]: restarting directory server
>>>   [27/42]: setting up initial replication
>>> Starting replication, please wait until this has completed.
>>> Update in progress, 4 seconds elapsed
>>> Update succeeded
>>>
>>>   [28/42]: adding sasl mappings to the directory
>>>   [29/42]: updating schema
>>>   [30/42]: setting Auto Member configuration
>>>   [31/42]: enabli

Re: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance

2017-05-18 Thread Callum Guy
Hi All,

Just following on from this, I have performed an installation without
--setup-ca and it has completed successfully.

I now need to understand what impact this might have, is it the case that I
can still install/configure the CA component? Is there any documentation on
this action?

Also in the event of a failure of my master server (I only have these two)
will all my certificates be invalidated and lost or will the replica still
be able to handle these certificates until a time where a new master has
been created?

Thanks,

Callum


On Thu, May 18, 2017 at 9:57 AM Callum Guy <callum@x-on.co.uk> wrote:

> Hi All,
>
> I am currently stuck trying to set up the first replica of our master IPA
> server. I have tried a number of different approaches including escalating
> from a client and nothing is working for me. I perform a full OS reset each
> time I get stuck.
>
> I'm running CentOS 7.2 with the FreeIPA 4.4.0 (rpm -q reports this version
> however having performed ipa-server-upgrade - does this mean I'm on 4.4.4?).
>
> The command is shown below - note that I am skipping the conn check as my
> platform's security settings do not allow the SSH session to be established
> back on the master, all ports should be available to the application
> however.
>
> [root@ipa2 ~]# ipa-replica-install --ip-address=172.24.0.101 --setup-ca
> --setup-dns --skip-conncheck --no-forwarders SITE.net.gpg
>
> Directory Manager (existing master) password:
>
> ipa : ERROR    Could not resolve hostname ipa2.SITE.net using DNS. Clients may
> not function properly. Please check your DNS setup. (Note that this check
> queries IPA DNS directly and ignores /etc/hosts.)
> Continue? [no]: yes
> Configuring NTP daemon (ntpd)
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv). Estimated time: 1 minute
>   [1/42]: creating directory server user
>   [2/42]: creating directory server instance
>   [3/42]: updating configuration in dse.ldif
>   [4/42]: restarting directory server
>   [5/42]: adding default schema
>   [6/42]: enabling memberof plugin
>   [7/42]: enabling winsync plugin
>   [8/42]: configuring replication version plugin
>   [9/42]: enabling IPA enrollment plugin
>   [10/42]: enabling ldapi
>   [11/42]: configuring uniqueness plugin
>   [12/42]: configuring uuid plugin
>   [13/42]: configuring modrdn plugin
>   [14/42]: configuring DNS plugin
>   [15/42]: enabling entryUSN plugin
>   [16/42]: configuring lockout plugin
>   [17/42]: configuring topology plugin
>   [18/42]: creating indices
>   [19/42]: enabling referential integrity plugin
>   [20/42]: configuring ssl for ds instance
>   [21/42]: configuring certmap.conf
>   [22/42]: configure autobind for root
>   [23/42]: configure new location for managed entries
>   [24/42]: configure dirsrv ccache
>   [25/42]: enabling SASL mapping fallback
>   [26/42]: restarting directory server
>   [27/42]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 4 seconds elapsed
> Update succeeded
>
>   [28/42]: adding sasl mappings to the directory
>   [29/42]: updating schema
>   [30/42]: setting Auto Member configuration
>   [31/42]: enabling S4U2Proxy delegation
>   [32/42]: importing CA certificates from LDAP
>   [33/42]: initializing group membership
>   [34/42]: adding master entry
>   [35/42]: initializing domain level
>   [36/42]: configuring Posix uid/gid generation
>   [37/42]: adding replication acis
>   [38/42]: enabling compatibility plugin
>   [39/42]: activating sidgen plugin
>   [40/42]: activating extdom plugin
>   [41/42]: tuning directory server
>   [42/42]: configuring directory to start on boot
> Done configuring directory server (dirsrv).
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
> seconds
>   [1/27]: creating certificate server user
>   [2/27]: configuring certificate server instance
>   [3/27]: stopping certificate server instance to update CS.cfg
>   [4/27]: backing up CS.cfg
>   [5/27]: disabling nonces
>   [6/27]: set up CRL publishing
>   [7/27]: enable PKIX certificate path discovery and validation
>   [8/27]: starting certificate server instance
>
> And here it stays and refuses to move on. The ipareplica-install.log log
> reports:
> 2017-05-18T08:40:07Z DEBUG wait_for_open_ports: localhost [8080, 8443]
> timeout 300
> 2017-05-18T08:40:09Z DEBUG Waiting until the CA is running
> 2017-05-18T08:40:09Z DEBUG request POST
> http://ipa2.SITE.net:8080/ca/admin/ca/getStatus
> 2017-05-18T08:40:09Z DEBUG request body ''
>
> I have tried and that port is indeed inaccessible but I can't es

[Freeipa-users] ipa-replica-install hangs: starting certificate server instance

2017-05-18 Thread Callum Guy
Hi All,

I am currently stuck trying to set up the first replica of our master IPA
server. I have tried a number of different approaches including escalating
from a client and nothing is working for me. I perform a full OS reset each
time I get stuck.

I'm running CentOS 7.2 with the FreeIPA 4.4.0 (rpm -q reports this version
however having performed ipa-server-upgrade - does this mean I'm on 4.4.4?).

The command is shown below - note that I am skipping the conn check as my
platform's security settings do not allow the SSH session to be established
back on the master, all ports should be available to the application
however.

[root@ipa2 ~]# ipa-replica-install --ip-address=172.24.0.101 --setup-ca
--setup-dns --skip-conncheck --no-forwarders SITE.net.gpg

Directory Manager (existing master) password:

ipa : ERROR    Could not resolve hostname ipa2.SITE.net using DNS. Clients may
not function properly. Please check your DNS setup. (Note that this check
queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]: yes
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/42]: creating directory server user
  [2/42]: creating directory server instance
  [3/42]: updating configuration in dse.ldif
  [4/42]: restarting directory server
  [5/42]: adding default schema
  [6/42]: enabling memberof plugin
  [7/42]: enabling winsync plugin
  [8/42]: configuring replication version plugin
  [9/42]: enabling IPA enrollment plugin
  [10/42]: enabling ldapi
  [11/42]: configuring uniqueness plugin
  [12/42]: configuring uuid plugin
  [13/42]: configuring modrdn plugin
  [14/42]: configuring DNS plugin
  [15/42]: enabling entryUSN plugin
  [16/42]: configuring lockout plugin
  [17/42]: configuring topology plugin
  [18/42]: creating indices
  [19/42]: enabling referential integrity plugin
  [20/42]: configuring ssl for ds instance
  [21/42]: configuring certmap.conf
  [22/42]: configure autobind for root
  [23/42]: configure new location for managed entries
  [24/42]: configure dirsrv ccache
  [25/42]: enabling SASL mapping fallback
  [26/42]: restarting directory server
  [27/42]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded

  [28/42]: adding sasl mappings to the directory
  [29/42]: updating schema
  [30/42]: setting Auto Member configuration
  [31/42]: enabling S4U2Proxy delegation
  [32/42]: importing CA certificates from LDAP
  [33/42]: initializing group membership
  [34/42]: adding master entry
  [35/42]: initializing domain level
  [36/42]: configuring Posix uid/gid generation
  [37/42]: adding replication acis
  [38/42]: enabling compatibility plugin
  [39/42]: activating sidgen plugin
  [40/42]: activating extdom plugin
  [41/42]: tuning directory server
  [42/42]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
seconds
  [1/27]: creating certificate server user
  [2/27]: configuring certificate server instance
  [3/27]: stopping certificate server instance to update CS.cfg
  [4/27]: backing up CS.cfg
  [5/27]: disabling nonces
  [6/27]: set up CRL publishing
  [7/27]: enable PKIX certificate path discovery and validation
  [8/27]: starting certificate server instance

And here it stays and refuses to move on. The ipareplica-install.log log
reports:
2017-05-18T08:40:07Z DEBUG wait_for_open_ports: localhost [8080, 8443]
timeout 300
2017-05-18T08:40:09Z DEBUG Waiting until the CA is running
2017-05-18T08:40:09Z DEBUG request POST
http://ipa2.SITE.net:8080/ca/admin/ca/getStatus
2017-05-18T08:40:09Z DEBUG request body ''

I have tried and that port is indeed inaccessible but I can't establish a
way to progress this issue from any of the other log files. Also I have
seen in the 4.4.4 release notes that IPv6 being disabled on the master can
cause issues, re-enabling (at least in /etc/hosts) did not seem to help.

If anyone is able to offer ideas that would be very much appreciated. I am
tempted to remove the --setup-ca option to see if this helps.

Thanks,

Callum

-- 



0333 332   |  www.x-on.co.uk
X-on is a trading name of Storacall Technology Ltd a limited company 
registered in England and Wales.
Registered Office : Avaland House, 110 London Road, Apsley, Hemel 
Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
The information in this e-mail is confidential and for use by the 
addressee(s) only. If you are not the intended recipient, please notify 
X-on immediately on +44(0)333 332  and delete the
message from your computer. If you are not a named addressee you must not 
use, disclose, disseminate, distribute, copy, 
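As an added example (not code from the thread, nor FreeIPA's own installer code), here is a small probe that repeats what the posted ipareplica-install.log shows the installer doing at step [8/27]: waiting for TCP ports 8080 and 8443 to open, then POSTing an empty body to /ca/admin/ca/getStatus and reading the <Status> element of the XML reply. The host, ports and URL path are taken from the log; the sample XML reply embedded for the self-check is constructed, modelled on the XMLResponse document Dogtag returns, and is not a capture from the poster's system. Run it on the stuck replica with its own FQDN as the argument: if the ports never open, the problem sits in pki-tomcatd or a local firewall rather than in the CA configuration, and `systemctl status pki-tomcatd@pki-tomcat` plus /var/log/pki/pki-tomcat/ca/debug are the next places to look.

```python
"""Probe the checks ipa-replica-install makes while 'starting certificate
server instance': are 8080/8443 open, and what does getStatus say?
Added example; assumptions are marked in comments."""
import socket
import sys
import time
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

GETSTATUS_PATH = "/ca/admin/ca/getStatus"   # path from the posted log

# Constructed sample of a healthy reply. The element layout is assumed from
# Dogtag's XMLResponse document; the version string is invented.
SAMPLE_RUNNING = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    "<XMLResponse><State>1</State><Type>CA</Type>"
    "<Status>running</Status><Version>10.3</Version></XMLResponse>"
)


def port_open(host, port, timeout=1.0):
    """True if a TCP connect to host:port succeeds within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def wait_for_open_ports(host, ports, timeout=300, interval=1.0):
    """Like the installer's wait_for_open_ports: poll until every port in
    `ports` accepts a connection or `timeout` seconds pass.
    Returns the ports still closed; an empty list means success."""
    deadline = time.monotonic() + timeout
    pending = list(ports)
    while pending and time.monotonic() < deadline:
        pending = [p for p in pending if not port_open(host, p)]
        if pending:
            time.sleep(interval)
    return pending


def parse_ca_status(body):
    """Extract the <Status> text from a getStatus reply (str or bytes).
    Raises ValueError for anything that is not the expected document, e.g.
    a Tomcat error page served before the CA webapp is deployed."""
    if isinstance(body, str):
        body = body.encode("utf-8")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError("getStatus reply is not XML: %s" % exc)
    if root.tag != "XMLResponse":
        raise ValueError("unexpected root element %r" % root.tag)
    status = root.findtext("Status")
    if status is None:
        raise ValueError("no <Status> element in getStatus reply")
    return status.strip()


def ca_status(host, port=8080, timeout=5.0):
    """POST an empty body to getStatus, as the log shows the installer doing,
    and return the status string. Failures come back as 'error: ...' so a
    caller can keep polling instead of aborting."""
    url = "http://%s:%d%s" % (host, port, GETSTATUS_PATH)
    req = urllib.request.Request(url, data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_ca_status(resp.read())
    except urllib.error.HTTPError as exc:
        return "error: HTTP %d" % exc.code
    except (urllib.error.URLError, OSError, ValueError) as exc:
        return "error: %s" % exc


def local_listener(host="127.0.0.1"):
    """Bind a throw-away listening socket on an ephemeral port, so the port
    probe can be exercised on a box without a CA. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    closed = wait_for_open_ports(host, [8080, 8443], timeout=10)
    if closed:
        print("pki-tomcatd is not listening on %s ports %s; check the service "
              "and the local firewall before the CA itself" % (host, closed))
        sys.exit(1)
    print("getStatus on %s: %s" % (host, ca_status(host)))
```

The installer's wait is 300 seconds; the probe uses 10 so it answers quickly. Anything other than "running" from getStatus, or an "error:" string, means the hang is in Tomcat or the CA webapp start-up, which is what the log shows, and the Dogtag-side ticket linked later in the thread is the relevant one.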

Re: [Freeipa-users] TLS 1.2 for PKI+SLAPD

2017-04-27 Thread Callum Guy
Managed to get PKI/Tomcat patched for TLS 1.2.

/etc/pki/pki-tomcat/server.xml
...
    sslVersionRangeStream="tls1_2:tls1_2"
    sslVersionRangeDatagram="tls1_2:tls1_2"
...

Thanks, resolved.

On Thu, Apr 27, 2017 at 10:01 PM Callum Guy <callum@x-on.co.uk> wrote:

> For others' reference this is regarding CentOS 7.2 with FreeIPA 4.4.0
>
> The directory server changes suggested on the link are for an older version.
> Minimum TLS support can be altered as follows:
>
> /etc/dirsrv/slapd-DOMAIN.COM/dse.ldif
>
> dn: cn=encryption,cn=config
> allowWeakCipher: off
> cn: encryption
> createTimestamp: 20161130110528Z
> creatorsName: cn=server,cn=plugins,cn=config
> modifiersName: cn=Directory Manager
> modifyTimestamp: 20161213085006Z
> nsSSLClientAuth: allowed
> nsSSLSessionTimeout: 0
> nsSSL3Ciphers: default
> objectClass: top
> objectClass: nsEncryptionConfig
> sslVersionMin: TLS1.2
>
> I'm still working on port 8443 (DogTag/PKI/Tomcat) - configuration in
> /usr/share/pki/server/conf/server.xml seems to roughly match the linked
> article however it's all tokenized as shown below:
>
> sslOptions="[TOMCAT_SSL_OPTIONS]"
> ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
> ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
> tlsCiphers="[TOMCAT_TLS_CIPHERS]"
> sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]"
> sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]"
> sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]"
>
> I'll feed back if I work it out.
>
> Thanks,
>
> On Thu, Apr 27, 2017 at 8:22 PM Callum Guy <callum@x-on.co.uk> wrote:
>
>> Thanks so much for the link Rob - I'm on 4.4.0. I'll get back in touch if
>> I run into any issues - I find it difficult to locate these help pages so
>> really do appreciate the advice
>>
>> On Thu, Apr 27, 2017 at 8:16 PM Rob Crittenden <rcrit...@redhat.com>
>> wrote:
>>
>>> Callum Guy wrote:
>>> > Hi All,
>>> >
>>> > I'm currently looking at hardening my FreeIPA server as part of a PCI
>>> > assessment.
>>> >
>>> > I am hoping to be able to fix PKI (ports 8443) and SLAPD (LDAPS) to use
>>> > only TLS1.2 - both currently support TLS1.0 and unfortunately that is
>>> > non-compliant for my environment.
>>> >
>>> > Also I'm very much hoping not to break my installation!
>>> >
>>> > Does anyone have experience in this area?
>>>
>>> It depends very much on what version you are running but see
>>> https://access.redhat.com/articles/2801181 for inspiration.
>>>
>>> rob
>>>
>>>


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
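
A configuration audit for the two settings this thread ends up changing (sslVersionMin in the 389-ds dse.ldif and sslVersionRangeStream/sslVersionRangeDatagram on the pki-tomcat 8443 connector), added here as an example and not code from the thread or from FreeIPA: it parses both files offline and reports anything that still permits a protocol below TLS 1.2. The dse.ldif and server.xml excerpts are constructed samples.

```python
"""Audit the two FreeIPA TLS settings discussed in this thread.

Added example, not from the thread: checks a 389-ds dse.ldif
cn=encryption entry for sslVersionMin / allowWeakCipher and a
pki-tomcat server.xml for sslVersionRangeStream / sslVersionRangeDatagram.
Pure string parsing; it never contacts a live server.
"""
import re
import xml.etree.ElementTree as ET

# Protocol names as 389-ds writes them in sslVersionMin, weakest first.
DS_VERSION_ORDER = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]
# The same order in the NSS spelling pki-tomcat uses in sslVersionRange*.
NSS_VERSION_ORDER = ["ssl3", "tls1_0", "tls1_1", "tls1_2", "tls1_3"]


def parse_ldif_entry(ldif_text, dn):
    """Return {attr: [values]} for the entry with the given dn, or None.
    LDIF folds long values onto a continuation line starting with a space."""
    unfolded = re.sub(r"\n ", "", ldif_text)
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), []).append(value.strip())
        if attrs.get("dn", [""])[0].lower() == dn.lower():
            return attrs
    return None


def audit_dirsrv(ldif_text, minimum="TLS1.2"):
    """Findings for cn=encryption,cn=config; an empty list means compliant."""
    entry = parse_ldif_entry(ldif_text, "cn=encryption,cn=config")
    if entry is None:
        return ["cn=encryption,cn=config entry not found"]
    findings = []
    got = entry.get("sslVersionMin", [None])[0]
    if got not in DS_VERSION_ORDER:
        findings.append("sslVersionMin missing or unrecognised: %r" % got)
    elif DS_VERSION_ORDER.index(got) < DS_VERSION_ORDER.index(minimum):
        findings.append("sslVersionMin is %s, below %s" % (got, minimum))
    if entry.get("allowWeakCipher", ["on"])[0].lower() != "off":
        findings.append("allowWeakCipher is not off")
    return findings


def audit_tomcat(server_xml, minimum="tls1_2"):
    """Findings for every SSLEnabled <Connector>; the range attribute has
    the form "min:max", so only the part before the colon is compared."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check
        port = conn.get("port", "?")
        for attr in ("sslVersionRangeStream", "sslVersionRangeDatagram"):
            value = conn.get(attr)
            if value is None:
                findings.append("port %s: %s not set" % (port, attr))
                continue
            low = value.split(":")[0]
            if low not in NSS_VERSION_ORDER:
                findings.append("port %s: %s has unrecognised minimum %r"
                                % (port, attr, low))
            elif NSS_VERSION_ORDER.index(low) < NSS_VERSION_ORDER.index(minimum):
                findings.append("port %s: %s allows %s" % (port, attr, low))
    return findings


# Constructed sample: the encryption entry as it looks after the fix.
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
allowWeakCipher: off
nsSSLClientAuth: allowed
nsSSL3Ciphers: default
sslVersionMin: TLS1.2
"""

# Constructed sample: an 8443 connector whose stream range still starts at TLS 1.0.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" secure="true"
               sslVersionRangeStream="tls1_0:tls1_2"
               sslVersionRangeDatagram="tls1_2:tls1_2"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    print("dirsrv :", audit_dirsrv(SAMPLE_DSE_LDIF) or "OK")
    print("tomcat :", audit_tomcat(SAMPLE_SERVER_XML) or "OK")
```

Against a real host, read /etc/dirsrv/slapd-DOMAIN.COM/dse.ldif and /etc/pki/pki-tomcat/server.xml into the two functions; the sample server.xml is flagged because its stream range starts at tls1_0.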

Re: [Freeipa-users] TLS 1.2 for PKI+SLAPD

2017-04-27 Thread Callum Guy
For others' reference, this is regarding CentOS 7.2 with FreeIPA 4.4.0

The directory server changes suggested in the link are for an older version.
Minimum TLS support can be altered as follows:

/etc/dirsrv/slapd-DOMAIN.COM/dse.ldif

dn: cn=encryption,cn=config
allowWeakCipher: off
cn: encryption
createTimestamp: 20161130110528Z
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=Directory Manager
modifyTimestamp: 20161213085006Z
nsSSLClientAuth: allowed
nsSSLSessionTimeout: 0
nsSSL3Ciphers: default
objectClass: top
objectClass: nsEncryptionConfig
sslVersionMin: TLS1.2

I'm still working on port 8443 (DogTag/PKI/Tomcat) - configuration in
/usr/share/pki/server/conf/server.xml seems to roughly match the linked
article, however it's all tokenized as shown below:

sslOptions="[TOMCAT_SSL_OPTIONS]"
ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
tlsCiphers="[TOMCAT_TLS_CIPHERS]"
sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]"
sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]"
sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]"

I'll feed back if I work it out.

Thanks,

On Thu, Apr 27, 2017 at 8:22 PM Callum Guy <callum@x-on.co.uk> wrote:

> Thanks so much for the link Rob - I'm on 4.4.0. I'll get back in touch if
> I run into any issues - I find it difficult to locate these help pages so
> really do appreciate the advice
>
> On Thu, Apr 27, 2017 at 8:16 PM Rob Crittenden <rcrit...@redhat.com>
> wrote:
>
>> Callum Guy wrote:
>> > Hi All,
>> >
>> > I'm currently looking at hardening my FreeIPA server as part of a PCI
>> > assessment.
>> >
>> > I am hoping to be able to fix PKI (ports 8443) and SLAPD (LDAPS) to use
>> > only TLS1.2 - both currently support TLS1.0 and unfortunately that is
>> > non-compliant for my environment.
>> >
>> > Also I'm very much hoping not to break my installation!
>> >
>> > Does anyone have experience in this area?
>>
>> It depends very much on what version you are running but see
>> https://access.redhat.com/articles/2801181 for inspiration.
>>
>> rob
>>
>>



Re: [Freeipa-users] TLS 1.2 for PKI+SLAPD

2017-04-27 Thread Callum Guy
Thanks so much for the link Rob - I'm on 4.4.0. I'll get back in touch if I
run into any issues - I find it difficult to locate these help pages so
really do appreciate the advice

On Thu, Apr 27, 2017 at 8:16 PM Rob Crittenden <rcrit...@redhat.com> wrote:

> Callum Guy wrote:
> > Hi All,
> >
> > I'm currently looking at hardening my FreeIPA server as part of a PCI
> > assessment.
> >
> > I am hoping to be able to fix PKI (ports 8443) and SLAPD (LDAPS) to use
> > only TLS1.2 - both currently support TLS1.0 and unfortunately that is
> > non-compliant for my environment.
> >
> > Also I'm very much hoping not to break my installation!
> >
> > Does anyone have experience in this area?
>
> It depends very much on what version you are running but see
> https://access.redhat.com/articles/2801181 for inspiration.
>
> rob
>
>



[Freeipa-users] TLS 1.2 for PKI+SLAPD

2017-04-27 Thread Callum Guy
Hi All,

I'm currently looking at hardening my FreeIPA server as part of a PCI
assessment.

I am hoping to be able to fix PKI (ports 8443) and SLAPD (LDAPS) to use
only TLS1.2 - both currently support TLS1.0 and unfortunately that is
non-compliant for my environment.

Also I'm very much hoping not to break my installation!

Does anyone have experience in this area?

Best Regards,

Callum



[Freeipa-users] IPA Services

2016-12-21 Thread Callum Guy
Hi All,

I am looking to find out all the services which FreeIPA has installed and
which must be up and running as part of normal operations. I am clear on
the various systems which have been installed on the master server (we run
no replicas) however I'm not sure what resource I should refer to in order
to improve my understanding.

To get started on this I have retrieved a list of running services using
"systemctl -t service".

Our installation is working pretty well and although we have been
experiencing the odd stability issue we had believed that this is due to
wider platform changes rather than any issues with the installation. In the
service list I am seeing lots of duplicate and failed services and it is
not clear how to interpret the output and whether this is to be expected?

The attached screenshot should explain my question.

Can anyone offer any guidance for the severity of this issue? The most
pressing question is how/why we have multiple 389 instances for various
casings of our domain. The other issue is the large number of OTP service
daemons - is that an issue?!

Thanks in advance,

Callum



Re: [Freeipa-users] Directory Manager Password Change | off topic

2016-12-05 Thread Callum Guy
Ah yes, I hadn't even noticed as Google cleans that up automatically but I
can confirm (explicit) contact from Kimmi and co.




On Mon, Dec 5, 2016 at 5:24 PM Joseph Flynn <jjflyn...@gmail.com> wrote:

Ah, now SophiaB wants in on the action too.  Looks like my lucky day.

Seriously though, I think the community needs to anonymize participants out
of necessity.

On Mon, Dec 5, 2016 at 12:02 PM, Joseph Flynn <jjflyn...@gmail.com> wrote:

Me too.  Within minutes of my first posting, I have good old Kimmi offering
me all kinds of favors.  All of our emails are exposed to the group which
I'd like to trust but we obviously can't.  All it takes is for a spammer to
join the group and they will eventually collect a group of active emails
with a very targeted demographic.

On Mon, Dec 5, 2016 at 11:45 AM, Stefan Uygur <suy...@firstderivatives.com>
wrote:

Guys,

Since I replied to the list I keep receiving spam emails, what is happening?



*From:* Stefan Uygur
*Sent:* 05 December 2016 16:40
*To:* 'Callum Guy'; Florence Blanc-Renaud; freeipa-users@redhat.com
*Subject:* RE: [Freeipa-users] Directory Manager Password Change



Glad you solved your issue.



I’ve been there myself so don’t worry about it at all.



*From:* Callum Guy [mailto:callum@x-on.co.uk <callum@x-on.co.uk>]
*Sent:* 05 December 2016 16:37
*To:* Stefan Uygur; Florence Blanc-Renaud; freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] Directory Manager Password Change



Hi Stefan,



Thanks for your input, I am able to clarify that I wasn't simply copying
and pasting in - the dollar sign was included in my password rather than
the example. But yes, no denying that my command line skills are to blame.



Further to this problem I am happy to report that the issue is now solved.
My main issue was the dollar sign meaning that I had updated the DM
password incorrectly for FreeIPA. Secondly I appear to have caused an issue
with SSSD and it was a restart of this service which finally resolved the
issue for me. I doubt there is much to be learnt from my issue - definitely
user error.



Thanks so much for your responses, very much appreciated. Apologies for
taking up your time.



Callum







On Mon, Dec 5, 2016 at 2:48 PM Stefan Uygur <suy...@firstderivatives.com>
wrote:

Hi,

I think you are copying and pasting the exact same commands from the
article, which is of course a wrong approach. Never copy/paste from web to
execute on your server. That $ sign indicates you can give any name you’d
like.



Follow this article here:

https://access.redhat.com/solutions/308623



Stefan





*From:* freeipa-users-boun...@redhat.com [mailto:
freeipa-users-boun...@redhat.com] *On Behalf Of *Callum Guy
*Sent:* 05 December 2016 13:38
*To:* Florence Blanc-Renaud; freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] Directory Manager Password Change



Hi Flo,



I have indeed executed every step in order, including the one you have
indicated.



The password I had used included a dollar sign and this meant that echo -n
$DM_PASSWORD > /root/dm_password didn't work as I had expected meaning
everything after the dollar was interpreted as a variable and was missing
in the file. I have corrected this and performed the full process again,
starting with the 389 reset however it is still not working correctly.



I remain in the same state as before where the admin password has not been
changed - this confuses me as my understanding is that admin only exists as
the FreeIPA web admin user whose password I can change separately. Am I
misunderstanding, is there another admin user within FreeIPA which is
directly linked to the directory manager?



Having run out of ideas I have just executed ipa-server-upgrade however
this hasn't helped. My situation remains as follows:



Works: ldapsearch -x -D "cn=directory manager" -w NEW_DM_PW -s base -b "" "objectclass=*"

Fails: ldapsearch -h localhost -ZZ -p 389 -x -D "uid=admin,ou=people,o=ipaca" -w NEW_DM_PW -b "" -s base



Are you able to offer any other ideas?



Other information:

I can confirm that cacert.p12 has been updated by the actions performed.

File /etc/pki/pki-tomcat/password.conf now contains a new line
internaldb=NEW_DM_PW (as per instruction 1 on FreeIPA link)



Best Regards,



Callum





On Mon, Dec 5, 2016 at 1:08 PM Florence Blanc-Renaud <f...@redhat.com> wrote:

On 12/05/2016 01:05 PM, Callum Guy wrote:
> Hi All,
>
> I have been testing FreeIPA and now plan to migrate to production use -
> thanks for creating such a great application!
>
> During the test phase we have been using simple passwords for the admin
> and directory manager users however we need these changed before moving
> into production. I believe we can change the admin password using the
> web interface however as I understand it amending the directory manager
> password is not so straightfo

Re: [Freeipa-users] Directory Manager Password Change

2016-12-05 Thread Callum Guy
Thanks Stefan, what I didn't mention is that half way through our network
engineer decided to implement a change that silently broke Kerberos
authentication leaving me chasing my tail on the wrong problem. Anyway,
time to move on - have a great day.



On Mon, Dec 5, 2016 at 4:39 PM Stefan Uygur <suy...@firstderivatives.com>
wrote:

> Glad you solved your issue.
>
>
>
> I’ve been there myself so don’t worry about it at all.
>
>
>
> *From:* Callum Guy [mailto:callum@x-on.co.uk]
> *Sent:* 05 December 2016 16:37
> *To:* Stefan Uygur; Florence Blanc-Renaud; freeipa-users@redhat.com
>
>
> *Subject:* Re: [Freeipa-users] Directory Manager Password Change
>
>
>
> Hi Stefan,
>
>
>
> Thanks for your input, I am able to clarify that I wasn't simply copying
> and pasting in - the dollar sign was included in my password rather than
> the example. But yes, no denying that my command line skills are to blame.
>
>
>
> Further to this problem I am happy to report that the issue is now solved.
> My main issue was the dollar sign meaning that I had updated the DM
> password incorrectly for FreeIPA. Secondly I appear to have caused an issue
> with SSSD and it was a restart of this service which finally resolved the
> issue for me. I doubt there is much to be learnt from my issue - definitely
> user error.
>
>
>
> Thanks so much for your responses, very much appreciated. Apologies for
> taking up your time.
>
>
>
> Callum
>
>
>
>
>
>
>
> On Mon, Dec 5, 2016 at 2:48 PM Stefan Uygur <suy...@firstderivatives.com>
> wrote:
>
> Hi,
>
> I think you are copying and pasting the exact same commands from the
> article, which is of course a wrong approach. Never copy/paste from web to
> execute on your server. That $ sign indicates you can give any name you’d
> like.
>
>
>
> Follow this article here:
>
> https://access.redhat.com/solutions/308623
>
>
>
> Stefan
>
>
>
>
>
> *From:* freeipa-users-boun...@redhat.com [mailto:
> freeipa-users-boun...@redhat.com] *On Behalf Of *Callum Guy
> *Sent:* 05 December 2016 13:38
> *To:* Florence Blanc-Renaud; freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] Directory Manager Password Change
>
>
>
> Hi Flo,
>
>
>
> I have indeed executed every step in order, including the one you have
> indicated.
>
>
>
> The password I had used included a dollar sign and this meant that echo
> -n $DM_PASSWORD > /root/dm_password didn't work as I had expected meaning
> everything after the dollar was interpreted as a variable and was missing
> in the file. I have corrected this and performed the full process again,
> starting with the 389 reset however it is still not working correctly.
>
>
>
> I remain in the same state as before where the admin password has not been
> changed - this confuses me as my understanding is that admin only exists as
> the FreeIPA web admin user whose password I can change separately. Am I
> misunderstanding, is there another admin user within FreeIPA which is
> directly linked to the directory manager?
>
>
>
> Having run out of ideas I have just executed ipa-server-upgrade however
> this hasn't helped. My situation remains as follows:
>
>
>
> Works: ldapsearch -x -D "cn=directory manager" -w NEW_DM_PW -s base -b "" "objectclass=*"
>
> Fails: ldapsearch -h localhost -ZZ -p 389 -x -D "uid=admin,ou=people,o=ipaca" -w NEW_DM_PW -b "" -s base
>
>
>
> Are you able to offer any other ideas?
>
>
>
> Other information:
>
> I can confirm that cacert.p12 has been updated by the actions performed.
>
> File /etc/pki/pki-tomcat/password.conf now contains a new line
> internaldb=NEW_DM_PW (as per instruction 1 on FreeIPA link)
>
>
>
> Best Regards,
>
>
>
> Callum
>
>
>
>
>
> On Mon, Dec 5, 2016 at 1:08 PM Florence Blanc-Renaud <f...@redhat.com>
> wrote:
>
> On 12/05/2016 01:05 PM, Callum Guy wrote:
> > Hi All,
> >
> > I have been testing FreeIPA and now plan to migrate to production use -
> > thanks for creating such a great application!
> >
> > During the test phase we have been using simple passwords for the admin
> > and directory manager users however we need these changed before moving
> > into production. I believe we can change the admin password using the
> > web interface however as I understand it amending the directory manager
> > password is not so straightforward.
> >
> > I have found this
> > link
> https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
> h

Re: [Freeipa-users] Directory Manager Password Change

2016-12-05 Thread Callum Guy
Hi Stefan,

Thanks for your input, I am able to clarify that I wasn't simply copying
and pasting in - the dollar sign was included in my password rather than
the example. But yes, no denying that my command line skills are to blame.

Further to this problem I am happy to report that the issue is now solved.
My main issue was the dollar sign meaning that I had updated the DM
password incorrectly for FreeIPA. Secondly I appear to have caused an issue
with SSSD and it was a restart of this service which finally resolved the
issue for me. I doubt there is much to be learnt from my issue - definitely
user error.

Thanks so much for your responses, very much appreciated. Apologies for
taking up your time.

Callum



On Mon, Dec 5, 2016 at 2:48 PM Stefan Uygur <suy...@firstderivatives.com>
wrote:

> Hi,
>
> I think you are copying and pasting the exact same commands from the
> article, which is of course a wrong approach. Never copy/paste from web to
> execute on your server. That $ sign indicates you can give any name you’d
> like.
>
>
>
> Follow this article here:
>
> https://access.redhat.com/solutions/308623
>
>
>
> Stefan
>
>
>
>
>
> *From:* freeipa-users-boun...@redhat.com [mailto:
> freeipa-users-boun...@redhat.com] *On Behalf Of *Callum Guy
> *Sent:* 05 December 2016 13:38
> *To:* Florence Blanc-Renaud; freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] Directory Manager Password Change
>
>
>
> Hi Flo,
>
>
>
> I have indeed executed every step in order, including the one you have
> indicated.
>
>
>
> The password I had used included a dollar sign and this meant that echo
> -n $DM_PASSWORD > /root/dm_password didn't work as I had expected meaning
> everything after the dollar was interpreted as a variable and was missing
> in the file. I have corrected this and performed the full process again,
> starting with the 389 reset however it is still not working correctly.
>
>
>
> I remain in the same state as before where the admin password has not been
> changed - this confuses me as my understanding is that admin only exists as
> the FreeIPA web admin user whose password I can change separately. Am I
> misunderstanding, is there another admin user within FreeIPA which is
> directly linked to the directory manager?
>
>
>
> Having run out of ideas I have just executed ipa-server-upgrade however
> this hasn't helped. My situation remains as follows:
>
>
>
> Works: ldapsearch -x -D "cn=directory manager" -w NEW_DM_PW -s base -b "" "objectclass=*"
>
> Fails: ldapsearch -h localhost -ZZ -p 389 -x -D "uid=admin,ou=people,o=ipaca" -w NEW_DM_PW -b "" -s base
>
>
>
> Are you able to offer any other ideas?
>
>
>
> Other information:
>
> I can confirm that cacert.p12 has been updated by the actions performed.
>
> File /etc/pki/pki-tomcat/password.conf now contains a new line
> internaldb=NEW_DM_PW (as per instruction 1 on FreeIPA link)
>
>
>
> Best Regards,
>
>
>
> Callum
>
>
>
>
>
> On Mon, Dec 5, 2016 at 1:08 PM Florence Blanc-Renaud <f...@redhat.com>
> wrote:
>
> On 12/05/2016 01:05 PM, Callum Guy wrote:
> > Hi All,
> >
> > I have been testing FreeIPA and now plan to migrate to production use -
> > thanks for creating such a great application!
> >
> > During the test phase we have been using simple passwords for the admin
> > and directory manager users however we need these changed before moving
> > into production. I believe we can change the admin password using the
> > web interface however as I understand it amending the directory manager
> > password is not so straightforward.
> >
> > I have found this
> > link
> https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
> however
> > I am unsure if this is the correct procedure for our installation -
> > certainly I am having no luck so far.
> >
> > We have the following setup:
> >
> > FreeIPA 4.2.0 - single master server (no replicas), multiple clients
> > CentOS 7.2
> >
> > I have tried the following steps in order:
> >
> >
> http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html
> > followed by
> > https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
> >
> > After completing that I am no longer able to authenticate user logins.
> > The below covers my current situation:
> >
> > This works:
> > ldapsearch -x -D "cn=directory manager" -w NEWPASSWORD -s base -b ""
> > "objectclass=*"
> >
> >
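
The quoting pitfall described in the post above, reproduced as an added example that is not part of the thread: the unquoted form loses everything after the `$` because the shell reads `$Two2016` as a parameter expansion, the single-quoted form keeps it, and the password file is then written without any shell in the path and read back for comparison. The sample password is constructed.

```python
"""Reproduce and check the "$ in the Directory Manager password" mistake.

Added example, not from the thread. Requires /bin/sh for the two echo
demonstrations; the file-writing part uses no shell at all.
"""
import os
import shlex
import stat
import subprocess
import tempfile

# Constructed sample: "$Two2016" is a syntactically valid shell variable name,
# so an unquoted shell sees "Hunter" followed by an (unset) variable.
SAMPLE_PASSWORD = "Hunter$Two2016"


def shell_echo(argument):
    """Run `echo -n <argument>` through /bin/sh and return what it printed."""
    proc = subprocess.run(["/bin/sh", "-c", "echo -n " + argument],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def echo_unquoted(password):
    """How the thread's command behaved: the shell expands the $-suffix away."""
    return shell_echo(password)


def echo_quoted(password):
    """Same command with the value single-quoted: no expansion takes place."""
    return shell_echo(shlex.quote(password))


def write_password_file(path, password):
    """Create `path` with mode 0600 and write the password as given.
    Returns the number of characters written so it can be compared with
    len(password) before 389-ds or pki-tomcat is pointed at the file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        return fh.write(password)


def roundtrip(password):
    """Write the password to a temporary file and read it back, returning
    (content, permission bits) so both can be verified."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "dm_password")
        write_password_file(path, password)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path) as fh:
            return fh.read(), mode


if __name__ == "__main__":
    print("unquoted :", repr(echo_unquoted(SAMPLE_PASSWORD)))  # 'Hunter'
    print("quoted   :", repr(echo_quoted(SAMPLE_PASSWORD)))    # full value
    print("file     :", roundtrip(SAMPLE_PASSWORD))
```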

[Freeipa-users] Directory Manager Password Change

2016-12-05 Thread Callum Guy
Hi All,

I have been testing FreeIPA and now plan to migrate to production use -
thanks for creating such a great application!

During the test phase we have been using simple passwords for the admin and
directory manager users however we need these changed before moving into
production. I believe we can change the admin password using the web
interface however as I understand it amending the directory manager
password is not so straightforward.

I have found this link
https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password however
I am unsure if this is the correct procedure for our installation -
certainly I am having no luck so far.

We have the following setup:

FreeIPA 4.2.0 - single master server (no replicas), multiple clients
CentOS 7.2

I have tried the following steps in order:

http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html
followed by
https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

After completing that I am no longer able to authenticate user logins. The
below covers my current situation:

This works:
ldapsearch -x -D "cn=directory manager" -w NEWPASSWORD -s base -b ""
"objectclass=*"

This does not work:
ldapsearch -x -D "cn=directory manager" -w OLDPASSWORD -s base -b ""
"objectclass=*"

This works:
ldapsearch -h localhost -ZZ -p 389 -x -D "uid=admin,ou=people,o=ipaca" -W
-b "" -s base
OLDPASSWORD

This does not work:
ldapsearch -h localhost -ZZ -p 389 -x -D "uid=admin,ou=people,o=ipaca" -W
-b "" -s base
NEWPASSWORD

So I'm in a mixed-up state! Is anyone able to offer advice on resolving this
issue?

Thank you,

Callum



Re: [Freeipa-users] OTP Algorithm

2016-11-30 Thread Callum Guy
Hi David,

I can confirm that using FreeOTP resolves the problem for me.

What a frustration, I am surprised that Google wouldn't add support beyond
SHA1 - perhaps a notice on the OTP documentation page would help others in
this situation.

Thank you so much for your assistance and links to explain the situation. I
hope to pay back the favour in due course.

Best Regards,

Callum


On Wed, Nov 30, 2016 at 1:11 PM David Kupka <dku...@redhat.com> wrote:

> On 30/11/16 10:13, David Kupka wrote:
> > On 29/11/16 12:57, Callum Guy wrote:
> >> Hi Alexander,
> >>
> >> I can confirm that I am using version 4.2.0.
> >>
> >> The bug link provided mentions that it caused GA to fail to scan the
> >> codes.
> >> In my situation it is FreeIPA (or related service) which appears to
> >> fail to
> >> validate codes generated, meaning that only OTP codes generated using
> >> sha1
> >> are validated and accepted.
> >>
> >> Just for clarity I can confirm that I have only tested OTP codes
> >> generated
> >> and configured via the FreeIPA web interface. I will check the command
> >> line
> >> generation and let you know if this makes a difference.
> >>
> >> Best Regards,
> >>
> >> Callum
> >
> > Hello Callum,
> > I've tried it with FreeIPA 4.3.2 (stock Fedora 24) and FreeOTP. I've
> > generated 3 OTPs (with sha256, sha384 and sha512) for tuser in the WebUI
> > and was then able to login into WebUI without problems.
> >
> >
> > $ ipa otptoken-find --owner tuser --all
> > 
> > 3 OTP tokens matched
> > 
> >   dn:
> >
> ipatokenuniqueid=3c899764-7abf-459d-bf2b-7ba4af978a8b,cn=otp,dc=dom-058-216,dc=example,dc=com
> >
> >   Unique ID: 3c899764-7abf-459d-bf2b-7ba4af978a8b
> >   Type: TOTP
> >   Owner: tuser
> >   Key: U5XDN0BYc9KbvG1iYuVPuVHB448=
> >   Algorithm: sha256
> >   Digits: 6
> >   Clock offset: 0
> >   Clock interval: 30
> >   ipatokentotpwatermark: 49349880
> >   objectclass: top, ipatokentotp, ipatoken
> >
> >   dn:
> >
> ipatokenuniqueid=40ad189b-7b7c-44b9-8450-b3eb78057ef6,cn=otp,dc=dom-058-216,dc=example,dc=com
> >
> >   Unique ID: 40ad189b-7b7c-44b9-8450-b3eb78057ef6
> >   Type: TOTP
> >   Owner: tuser
> >   Key: C79y2W+I0z429eRzsRP7qdpROaI=
> >   Algorithm: sha512
> >   Digits: 6
> >   Clock offset: 0
> >   Clock interval: 30
> >   ipatokentotpwatermark: 49349882
> >   objectclass: top, ipatokentotp, ipatoken
> >
> >   dn:
> >
> ipatokenuniqueid=baf6d329-61ad-46f1-beca-6ddb55ba9bb4,cn=otp,dc=dom-058-216,dc=example,dc=com
> >
> >   Unique ID: baf6d329-61ad-46f1-beca-6ddb55ba9bb4
> >   Type: TOTP
> >   Owner: tuser
> >   Key: 2hxrsJjQ6e+3qzVPZremtsB/NCg=
> >   Algorithm: sha384
> >   Digits: 6
> >   Clock offset: 0
> >   Clock interval: 30
> >   ipatokentotpwatermark: 49349881
> >   objectclass: top, ipatokentotp, ipatoken
>
> I've tried with Google Authenticator too and was unable to login.
>
> Alexander found issue [1] asking for SHA256 support. From comment on the
> issue it appears that SHA1 is the only supported hash.
>
> I compared codes generated by oathtool [2] and found out that Google
> Authenticator just ignores the information about used hash function and
> uses SHA1 without any error or warning.
>
> So I can only recommend switching to FreeOTP or returning to SHA-1 hash
> function.
>
> [1] https://github.com/google/google-authenticator-libpam/issues/11
> [2] http://www.nongnu.org/oath-toolkit/oathtool.1.html
>
> >
> >
> >>
> >>
> >> On Tue, Nov 29, 2016 at 11:51 AM Alexander Bokovoy <aboko...@redhat.com> wrote:
> >>
> >>> On ti, 29 marras 2016, Callum Guy wrote:
> >>>> Hi Petr,
> >>>>
> >>>> Thanks for coming back to me on this.
> >>>>
> >>>> I have only tried using Google Authenticator. The generated QR code
> >>>> successfully scans and codes are then generated on the GA device as
> >>> normal.
> >>>> The problem is that the codes simply do not work.
> >>>>
> >>>> My current thinking is that the service which interprets the codes
> >>>> server-side is not configured to use the same algorithm meaning that
> >>>> it is
> >>>> trying to validate sha256/sha512 (both tested and not functional for
> >>>> me)
> >>

Re: [Freeipa-users] OTP Algorithm

2016-11-29 Thread Callum Guy
Hi Alexander,

I can confirm that I am using version 4.2.0.

The bug link provided mentions that it caused GA to fail to scan the codes.
In my situation it is FreeIPA (or related service) which appears to fail to
validate codes generated, meaning that only OTP codes generated using sha1
are validated and accepted.

Just for clarity I can confirm that I have only tested OTP codes generated
and configured via the FreeIPA web interface. I will check the command line
generation and let you know if this makes a difference.

Best Regards,

Callum


On Tue, Nov 29, 2016 at 11:51 AM Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On ti, 29 marras 2016, Callum Guy wrote:
> >Hi Petr,
> >
> >Thanks for coming back to me on this.
> >
> >I have only tried using Google Authenticator. The generated QR code
> >successfully scans and codes are then generated on the GA device as
> normal.
> >The problem is that the codes simply do not work.
> >
> >My current thinking is that the service which interprets the codes
> >server-side is not configured to use the same algorithm meaning that it is
> >trying to validate sha256/sha512 (both tested and not functional for me)
> >etc codes against codes perhaps generated with sha1 (the only algorithm
> >that appears to work).
> >
> >I apologise in advance for my naive interpretation of the situation, this
> >really isn't an area where I have experience. I'd love to understand what's
> >going on; however, I can't find what I need in the OTP documentation.
> Which IPA version are we talking about? There was a case when the URI
> generated by 'ipa otptoken-add' was using a wrong case in the algorithm
> value and this was breaking Google Authenticator.
>
> https://fedorahosted.org/freeipa/ticket/5047
>
> This bug was fixed since 4.1.5 release.
>
> >
> >Best Regards,
> >
> >Callum
> >
> >
> >On Tue, Nov 29, 2016 at 11:10 AM Petr Vobornik <pvobo...@redhat.com>
> wrote:
> >
> >> On 11/28/2016 01:03 PM, Callum Guy wrote:
> >> > Hi All,
> >> >
> >> > I wanted to ask a quick question - perhaps a more experienced user
> will
> >> be able
> >> > to help or point me to the correct documentation.
> >> >
> >> > Basically we have implemented password+OTP type authentication which
> >> works great.
> >> >
> >> > When adding a OTP code using the admin login you can choose an
> >> algorithm. For us
> >> > the generated codes only work properly if the weakest sha1 algorithm is
> >> > chosen.
> >> > To be clear the code generation works fine but the codes are not valid
> >> when
> >> > logging in. Is there a related setting we must change?
> >> >
> >> > Thanks,
> >> >
> >> > Callum
> >> >
> >>
> >> What type of OTP token do you use? Does it work with a different one?
> >> E.g. FreeOTP vs Google Authenticator ...
> >>
> >>
> >> --
> >> Petr Vobornik
> >>
> >
> >--
> >
> >
> >
> >*0333 332   |  www.x-on.co.uk <http://www.x-on.co.uk>  |   **
> ><https://twitter.com/xonuk>
> ><http://www.linkedin.com/company/x-on/products>
> ><https://www.facebook.com/XonTel> *
> >X-on is a trading name of Storacall Technology Ltd a limited company
> >registered in England and Wales.
> >Registered Office : Avaland House, 110 London Road, Apsley, Hemel
> >Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
> >The information in this e-mail is confidential and for use by the
> >addressee(s) only. If you are not the intended recipient, please notify
> >X-on immediately on +44(0)333 332  <+44%20333%20332%20> and
> delete the
> >message from your computer. If you are not a named addressee you must not
> >use, disclose, disseminate, distribute, copy, print or reply to this
> email. Views
> >or opinions expressed by an individual
> >within this email may not necessarily reflect the views of X-on or its
> >associated companies. Although X-on routinely screens for viruses,
> >addressees should scan this email and any attachments
> >for viruses. X-on makes no representation or warranty as to the absence of
> >viruses in this email or any attachments.
> >
>
> >--
> >Manage your subscription for the Freeipa-users mailing list:
> >https://www.redhat.com/mailman/listinfo/freeipa-users
> >Go to http://freeipa.org for more info on the project
>
>
> --
> / Alexander Bokovoy
>
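
The two findings in this thread, that Google Authenticator computes SHA-1 codes whatever the `algorithm` parameter in the provisioning URI says while the server validates with the token's configured hash, and the earlier case bug in the algorithm value of the URI produced by 'ipa otptoken-add' (ticket 5047), can both be checked offline. The Python below is an added example written for this page; it is not FreeIPA, FreeOTP or Google Authenticator code. It implements RFC 4226 HOTP / RFC 6238 TOTP with a selectable HMAC hash, parses otpauth:// URIs with a case-insensitive algorithm value, converts the base64 `Key:` printed by `ipa otptoken-find` into the base32 form a provisioning URI carries (an assumption about the CLI output, labelled in the code), decodes a TOTP watermark, and simulates a login with a client that ignores the declared hash. The seeds are the public RFC 6238 test vectors; `build_uri` produces an assumed URI layout, not FreeIPA's exact output.

```python
"""Added example (not FreeIPA/FreeOTP/Google Authenticator code): HOTP/TOTP
with a selectable hash, an otpauth:// parser, and a login simulation."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

SUPPORTED_HASHES = ("sha1", "sha256", "sha384", "sha512")  # the four offered in the WebUI

# RFC 6238 Appendix B reference seeds (public test vectors, not real secrets).
RFC6238_SEEDS = {
    "sha1": b"12345678901234567890",
    "sha256": b"12345678901234567890123456789012",
    "sha512": b"1234567890123456789012345678901234567890123456789012345678901234",
}


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: dynamic truncation of HMAC-<algorithm>(key, 8-byte counter)."""
    if algorithm not in SUPPORTED_HASHES:
        raise ValueError(f"unsupported hash {algorithm!r}")
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at_time, period=30, digits=6, algorithm="sha1", clock_offset=0):
    """RFC 6238: HOTP over the time-step counter. clock_offset is assumed to be
    seconds added to the clock, like the "Clock offset" field shown above."""
    return hotp(key, (int(at_time) + clock_offset) // period, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Parse otpauth://totp/... or otpauth://hotp/... The algorithm value is
    normalised case-insensitively ('SHA256' and 'sha256' both work) and
    missing base32 padding on the secret is tolerated."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc.lower() not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp URI")
    query = parse_qs(parts.query)
    secret_b32 = query["secret"][0].strip().upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)
    algorithm = query.get("algorithm", ["SHA1"])[0].lower()
    if algorithm not in SUPPORTED_HASHES:
        raise ValueError(f"unsupported hash {algorithm!r} in URI")
    return {
        "type": parts.netloc.lower(),
        "label": unquote(parts.path.lstrip("/")),
        "secret": base64.b32decode(secret_b32),
        "algorithm": algorithm,
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
        "counter": int(query.get("counter", ["0"])[0]),
    }


def build_uri(label, secret, algorithm, digits=6, period=30):
    """Constructed provisioning URI (assumed layout; FreeIPA's exact label and
    issuer formatting are not shown on this page)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{label}?secret={b32}&algorithm={algorithm.upper()}"
            f"&digits={digits}&period={period}")


def ipa_key_to_uri_secret(key_b64: str) -> str:
    """Assumption: the CLI prints the token key base64-encoded, and the
    provisioning URI carries the same bytes base32-encoded."""
    return base64.b32encode(base64.b64decode(key_b64)).decode()


def watermark_to_time(watermark: int, period: int = 30) -> int:
    """A TOTP watermark is the highest time-step counter already accepted;
    multiplied by the period it is the epoch second of that step."""
    return watermark * period


def simulate_login(token: dict, at_time: int, client_ignores_algorithm: bool = False) -> dict:
    """One validation round. The server uses the token's configured hash; a
    client that ignores the 'algorithm' parameter uses SHA-1 instead. Real
    servers also accept a window of neighbouring steps; one step is enough
    to show the mismatch."""
    client_alg = "sha1" if client_ignores_algorithm else token["algorithm"]
    args = (token["secret"], at_time, token["period"], token["digits"])
    client_code = totp(*args, algorithm=client_alg)
    server_code = totp(*args, algorithm=token["algorithm"])
    return {"client_code": client_code, "server_code": server_code,
            "accepted": hmac.compare_digest(client_code, server_code)}


if __name__ == "__main__":
    for alg, seed in RFC6238_SEEDS.items():
        tok = parse_otpauth(build_uri("EXAMPLE.COM:tuser", seed, alg, digits=8))
        honouring = simulate_login(tok, 59)["accepted"]
        sha1_only = simulate_login(tok, 59, client_ignores_algorithm=True)
        print(f"{alg:6}: server {sha1_only['server_code']}  sha1-only client "
              f"{sha1_only['client_code']}  ok={honouring}/{sha1_only['accepted']}")
    print("watermark 49349880 ->", watermark_to_time(49349880))
    print("URI secret of first token:", ipa_key_to_uri_secret("U5XDN0BYc9KbvG1iYuVPuVHB448="))
```

Running it reproduces the RFC 6238 vectors (for the SHA-256 seed at T=1 the server-side code is 46119246) and shows that a client which always hashes with SHA-1 computes a code from the wrong HMAC, so the login fails except for a one-in-10^8 coincidence, while a SHA-1 token is accepted by both kinds of client. The same comparison can be made against oathtool [2] with its --totp=<hash> option. The watermark of the first token above decodes to 1480496400, i.e. 2016-11-30 09:00:00 UTC, which is a quick check that the server clock and the token's time step line up.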

Re: [Freeipa-users] OTP Algorithm

2016-11-29 Thread Callum Guy
Hi Petr,

Thanks for coming back to me on this.

I have only tried using Google Authenticator. The generated QR code
successfully scans and codes are then generated on the GA device as normal.
The problem is that the codes simply do not work.

My current thinking is that the service which interprets the codes
server-side is not configured to use the same algorithm meaning that it is
trying to validate sha256/sha512 (both tested and not functional for me)
etc codes against codes perhaps generated with sha1 (the only algorithm
that appears to work).

I apologise in advance for my naive interpretation of the situation; this
really isn't an area where I have experience. I'd love to understand what's
going on; however, I can't find what I need in the OTP documentation.

Best Regards,

Callum


On Tue, Nov 29, 2016 at 11:10 AM Petr Vobornik <pvobo...@redhat.com> wrote:

> On 11/28/2016 01:03 PM, Callum Guy wrote:
> > Hi All,
> >
> > I wanted to ask a quick question - perhaps a more experienced user will
> be able
> > to help or point me to the correct documentation.
> >
> > Basically we have implemented password+OTP type authentication which
> works great.
> >
> > When adding a OTP code using the admin login you can choose an
> algorithm. For us
> > the generated codes only work properly if the weakest sha1 algorithm is
> > chosen.
> > To be clear the code generation works fine but the codes are not valid
> when
> > logging in. Is there a related setting we must change?
> >
> > Thanks,
> >
> > Callum
> >
>
> What type of OTP token do you use? Does it work with a different one?
> E.g. FreeOTP vs Google Authenticator ...
>
>
> --
> Petr Vobornik
>


[Freeipa-users] OTP Algorithm

2016-11-28 Thread Callum Guy
Hi All,

I wanted to ask a quick question - perhaps a more experienced user will be
able to help or point me to the correct documentation.

Basically we have implemented password+OTP type authentication which works
great.

When adding a OTP code using the admin login you can choose an algorithm.
For us the generated codes only work properly if the weakest sha1 algorithm
is chosen. To be clear, the code generation works fine but the codes are not
valid when logging in. Is there a related setting we must change?

Thanks,

Callum
