Re: [Freeipa-users] Windows Clients can´t access linux services using kerberos
Still trying to understand why Windows clients do not pass the authentication on a kerberized proxy in a scheme where there is a forest trust. I assumed that in a forest trust cross-authentication between realms was established automatically; am I wrong about this? I am using FreeIPA 4.4.3 and I can access any Linux host enrolled in IPA with my Windows credentials, and the SSO works just fine from any Linux host. Any idea what I am missing? Thanks in advance

2017-03-15 3:18 GMT-04:00 Carlos Raúl Laguna <carlosla1...@gmail.com>:

> Hello everyone, I need some help with this. I have set up an IPA 4.4.3
> server and I have established a forest trust relationship with Active
> Directory, and everything looks good. After following this guide,
> http://www.freeipa.org/index.php?title=Squid_Integration_with_FreeIPA_using_Single_Sign_On&redirect=no
> it has worked without problems on Linux clients, but not on my Windows
> clients. Have I overlooked something? How should the Windows clients'
> ticket be registered by the proxy? Thanks for your help, any insight
> will help me.

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] Windows Clients can´t access linux services using kerberos
Hello everyone, I need some help with this. I have set up an IPA 4.4.3 server and I have established a forest trust relationship with Active Directory, and everything looks good. After following this guide, http://www.freeipa.org/index.php?title=Squid_Integration_with_FreeIPA_using_Single_Sign_On&redirect=no it has worked without problems on Linux clients, but not on my Windows clients. Have I overlooked something? How should the Windows clients' ticket be registered by the proxy? Thanks for your help, any insight will help me.
[Freeipa-users] Unable to add attributes to default user schema
Hello everyone, I am trying to add a new attribute "mailQuota" to the default user schema. So far I have added the objectclass mailrecipient, which contains this specific attribute, to the default user objectclasses, but so far I am only able to add the attribute manually with user-mod --addattr=mailQuota=102400, and when I invoke config-mod --addattr=mailQuota=102400 I get

ipa: ERROR: attribute "mailQuota" not allowed.

Is there any way to get around this? Also, is https://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf still relevant for FreeIPA 4.3.2? Thanks in advance
Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain
Thanks for the clarification. Regards

2016-10-20 14:23 GMT-04:00 Alexander Bokovoy <aboko...@redhat.com>:

> On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:
>
>> Hi Alexander,
>> I do believe it is a DNS problem; the commands failing are
>>
>> host -t srv _ldap._tcp.ad_domain
>> or
>> dig SRV _ldap._tcp.ad_domain
>> after checking the logs I see this error
>> "no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53"
>>
>> so I disabled the DNSSEC validation on IPA and it works as expected. I will
>> set up DNSSEC on the Windows side and enable DNS validation once more on
>> IPA to see if I can get the same outcome.
>>
> When you use DNSSEC validation, your DNS infrastructure should all be
> using DNSSEC. This does not depend on whether you are deploying trust to
> AD or not.
>
> In fact, when installing FreeIPA server, you have option to disable
> DNSSEC validation (ipa-server-install --no-dnssec-validation). The same
> option exists in ipa-dns-install.
>
> --
> / Alexander Bokovoy
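Added example (not part of the original messages): a small Python filter for the named error quoted in this thread, grouping "no valid DS" failures by trusted domain and by the server that answered, so it is clear which zones lack a DNSSEC chain of trust before validation is switched off. The log lines, the domain `ad.example.test` and all function names are constructed for illustration; the message format follows the quote above plus the older `error (no valid DS)` spelling.

```python
import re
from collections import Counter

# named reports a broken DNSSEC chain of trust in one of two spellings:
#   no valid DS resolving 'name/TYPE/CLASS': server#port
#   error (no valid DS) resolving 'name/TYPE/CLASS': server#port
# The optional whitespace before the first "/" tolerates the form quoted in the thread.
NO_VALID_DS = re.compile(
    r"(?:error \()?no valid DS\)? resolving "
    r"'(?P<qname>[^/'\s]+)\s*/(?P<qtype>[A-Za-z0-9-]+)/(?P<qclass>[A-Za-z]+)': "
    r"(?P<server>[0-9A-Fa-f:.]+)#(?P<port>\d+)"
)

# Constructed sample log lines (hypothetical hosts and timestamps).
SAMPLE_LOG = """\
20-Oct-2016 10:01:12.101 lame-servers: info: no valid DS resolving '_ldap._tcp.ad.example.test/SRV/IN': 10.20.4.22#53
20-Oct-2016 10:01:12.350 lame-servers: info: no valid DS resolving '_kerberos._tcp.ad.example.test/SRV/IN': 10.20.4.22#53
20-Oct-2016 10:01:13.007 lame-servers: info: error (no valid DS) resolving 'dc1.ad.example.test/A/IN': 10.20.4.22#53
20-Oct-2016 10:01:14.220 lame-servers: info: no valid DS resolving '_ldap._tcp.dc._msdcs.ad.example.test /SRV/IN': 10.20.4.22#53
20-Oct-2016 10:01:14.900 lame-servers: info: no valid DS resolving 'www.unsigned.example.test/A/IN': 192.0.2.53#53
20-Oct-2016 10:01:15.000 general: info: zone ipa.example.test/IN: loaded serial 1476972000
"""


def parse_line(line):
    """Return qname, qtype and answering server for a 'no valid DS' line, else None."""
    m = NO_VALID_DS.search(line)
    if m is None:
        return None
    return {
        "qname": m["qname"].rstrip(".").lower(),
        "qtype": m["qtype"].upper(),
        "server": m["server"],
    }


def owning_domain(qname, domains):
    """Longest listed domain that qname equals or is a subdomain of (label-aligned)."""
    matches = [d for d in domains if qname == d or qname.endswith("." + d)]
    return max(matches, key=len) if matches else None


def summarize(lines, trusted_domains):
    """Group validation failures by trusted domain; others land in '(unlisted)'."""
    domains = [d.rstrip(".").lower() for d in trusted_domains]
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a DNSSEC chain-of-trust failure
        key = owning_domain(rec["qname"], domains) or "(unlisted)"
        entry = report.setdefault(
            key, {"count": 0, "servers": set(), "qtypes": Counter()}
        )
        entry["count"] += 1
        entry["servers"].add(rec["server"])
        entry["qtypes"][rec["qtype"]] += 1
    return report


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines(), ["ad.example.test"])
    for domain, entry in sorted(result.items()):
        types = ", ".join(f"{t}x{n}" for t, n in sorted(entry["qtypes"].items()))
        servers = ", ".join(sorted(entry["servers"]))
        print(f"{domain}: {entry['count']} failures ({types}) via {servers}")
```

A domain that shows up here is one the validating resolver cannot build a chain of trust for, which is the situation the reply above describes: either the whole DNS path is signed, or validation is disabled on the IPA side.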
Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain
Hi Alexander,

I do believe it is a DNS problem; the commands failing are

host -t srv _ldap._tcp.ad_domain
or
dig SRV _ldap._tcp.ad_domain

after checking the logs I see this error

"no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53"

so I disabled the DNSSEC validation on IPA and it works as expected. I will set up DNSSEC on the Windows side and enable DNS validation once more on IPA to see if I can get the same outcome. Thanks for your answer

2016-10-20 10:10 GMT-04:00 Alexander Bokovoy <aboko...@redhat.com>:

> On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:
>
>> Hello everyone,
>>
>> Both servers are fresh installs, 2008r2 and Fedora 24 Server with FreeIPA 4.3.2, as
>> the documentation explains in
>> http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA
>>
>> however the server is unable to resolve any record from my child domain. I
>> found this bug https://fedorahosted.org/freeipa/ticket/6062, but I am not sure if
>> this version of IPA is affected by it.
>>
>> Is the procedure in the documentation still valid?
>>
> Given that you have literally provided no logs that would help to help
> you, let's start from it.
>
> Show what's your problem is through the logs. What exact commands are
> failing? If you suspect DNS issues, show your named-pkcs11's logs.
>
> --
> / Alexander Bokovoy
[Freeipa-users] IPA-AD Trust unable to resolve child domain
Hello everyone,

Both servers are fresh installs, 2008r2 and Fedora 24 Server with FreeIPA 4.3.2, as the documentation explains in http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA however the server is unable to resolve any record from my child domain. I found this bug https://fedorahosted.org/freeipa/ticket/6062, but I am not sure if this version of IPA is affected by it.

Is the procedure in the documentation still valid? Thanks in advance.
Re: [Freeipa-users] Fwd: NetworkError : invalid continuation byte with utf8 codec
Happy new year to all, just to point out that this also affects Fedora 23 with FreeIPA 4.2.0 and 4.3.0 from corps. Locales are set to es_ES.UTF-8. Regards

2016-01-05 23:32 GMT-05:00 Fraser Tweedale:

> On Mon, Jan 04, 2016 at 03:13:43PM +0100, Domineaux Philippe wrote:
> > Hello,
> >
> > Happy new year.
> >
> > So the content of my /etc/locale.conf :
> >
> > LANG="fr_FR.UTF-8"
> >
> Happy new year to you too, and thanks for the info.
>
> I reproduced the issue and there is now a patch awaiting review.
> Ticket: https://fedorahosted.org/freeipa/ticket/5578
>
> Cheers,
> Fraser
>
> > -- Forwarded message --
> > From: Fraser Tweedale
> > Date: 2015-12-23 5:11 GMT+01:00
> > Subject: Re: [Freeipa-users] NetworkError : invalid continuation byte with utf8 codec
> > To: Gmail
> > Cc: freeipa-users@redhat.com
> >
> >
> > On Tue, Dec 22, 2015 at 08:39:09AM +0100, Gmail wrote:
> > > Here are the files you ask for:
> > >
> > Thank you. I see Tomcat is running in an fr_FR locale. Could you
> > also provide contents of `/etc/locale.conf'?
> >
> > Cheers,
> > Fraser
> >
> > >
> > > On 22 December 2015 at 02:30:06, Fraser Tweedale (ftwee...@redhat.com) wrote:
> > >
> > > On Mon, Dec 21, 2015 at 05:29:01PM +0100, Gmail wrote:
> > > > Hi all,
> > > >
> > > > When trying to install on a fresh new Centos 7 I’ve got this error :
> > > >
> > > > 2015-12-21T16:04:44Z DEBUG The ipa-server-install command failed, exception: NetworkError: cannot connect to 'https://freeipa.ipa.local:8443/ca/rest/profiles/raw': 'utf8' codec can't decode byte 0xea in position 13: invalid continuation byte
> > > > 2015-12-21T16:04:44Z ERROR cannot connect to 'https://freeipa.ipa.local:8443/ca/rest/profiles/raw': 'utf8' codec can't decode byte 0xea in position 13: invalid continuation byte
> > > >
> > > > My freeipa-server version is : 4.2.0
> > > > I’m running a Centos 3.10.0-327.3.1.el7.x86_64
> > > >
> > > > Any idea of what goes wrong?
> > > >
> > > Thanks for reporting. I have not seen this error before. Could you
> > > please include the following log files and I will take a closer
> > > look:
> > >
> > > /var/log/ipaserver-install.log
> > > /var/log/pki/pki-tomcat/ca/debug
> > >
> > > Cheers,
> > > Fraser
[Freeipa-users] Unable to install ipa-server-trust-ad
Hello everyone, I am using Fedora 22 Server with copr repos enabled for FreeIPA 4.2. According to the documentation I execute

sudo dnf install -y *ipa-server *ipa-server-trust-ad bind bind-dyndb-ldap

however the following error occurs:

Error: package freeipa-server-trust-ad-4.1.4-2.fc22.x86_64 requires samba-python, but none of the providers can be installed

I clean the metadata and try again but no change. Any help will be great
Re: [Freeipa-users] Single mail deployment i an FreeIPA-WindowsAD scenario.
Thanks for the clarifications. One more question: does FreeIPA support partial or fractional replication? Regards

2015-05-28 0:25 GMT-04:00 Alexander Bokovoy aboko...@redhat.com:

On Wed, 27 May 2015, Carlos Raúl Laguna wrote:

Hello Martin, Alexander. It seems that the time shift is large between us. If I understand correctly, compat tree will allow me to see all users, regardless of their location, Windows or FreeIPA; however, the kolab-specific attribute must come from FreeIPA and Windows AD, where the user entries lie. This means creating custom object classes and attributes for the AD schema, then updating the compat plugin to see the custom attribute. The second part, where kolab needs to update some value in any of these attributes, for example mailQuota, would be rejected and therefore it must be done from Windows AD or FreeIPA, is this correct? Thanks both of you for your time and input in this matter. Regards

Just to make you absolutely clear: using compat tree will not help you at all. Nothing else in FreeIPA could help you in getting Kolab to work with both IPA and AD users at the same time. It would be nice if kolab could grow a capability to connect to multiple LDAP servers at the same time, with non-overlapping user and group trees. I don't think it is there now and I don't see other possibilities here.

2015-05-27 4:46 GMT-04:00 Alexander Bokovoy aboko...@redhat.com:

On Wed, 27 May 2015, Martin Kosek wrote:
On 05/27/2015 10:08 AM, Alexander Bokovoy wrote:
On Wed, 27 May 2015, Martin Kosek wrote:
On 05/26/2015 07:36 PM, Carlos Raúl Laguna wrote:

Hello Martin, the email deployment is a groupware, in this scenario Kolab. Kolab uses 389 ad as main backend and it requires some kolab ldap specific attributes to work properly. This is not a problem, in fact it is quite easy to use FreeIPA as kolab backend; so far so good, but the romance only gets this far. Since we also use Windows AD with forest-trust, not all users are present in the FreeIPA directory, and that is where my problem lies. Since not all users are in the same box it becomes difficult to implement one mail system for all users. Regards

As I said, we have compat tree that allows LDAP BIND authentication and LDAP identity (not enumeration) for both IPA users and AD users when realm is in place. You can even update the configuration of the compat tree and add the kolab specific fields to be generated there too. There was very similar request on freeipa-users. It was for vSphere, but dealing with very similar use case and the final solution: http://www.freeipa.org/page/HowTo/vsphere5_integration Would that approach work for you?

I don't think it will work. compat tree is run-time read-only view of the data coming from somewhere else. You need to have Kolab-specific data available somewhere to be able to inject it in the compat tree. Where would that data be stored for Kolab for AD-specific entries?

It would work as long as the attributes are in the real user entries in form of custom attributes and compat plugin can be updated to add those to compat view.

What real user entries you are talking about for AD users? Additionally, Kolab wants to modify these custom attributes and compat tree simply does not support modification, they all are refused.

If Kolab requires modifications, then this approach would not work with current FreeIPA implementation, yes.

No, we are not going into enabling modifications over compat tree, this is simply impossible to achieve, sorry.

-- / Alexander Bokovoy
Re: [Freeipa-users] Single mail deployment i an FreeIPA-WindowsAD scenario.
Hello Martin, Alexander. It seems that the time shift is large between us. If I understand correctly, compat tree will allow me to see all users, regardless of their location, Windows or FreeIPA; however, the kolab-specific attribute must come from FreeIPA and Windows AD, where the user entries lie. This means creating custom object classes and attributes for the AD schema, then updating the compat plugin to see the custom attribute. The second part, where kolab needs to update some value in any of these attributes, for example mailQuota, would be rejected and therefore it must be done from Windows AD or FreeIPA, is this correct? Thanks both of you for your time and input in this matter. Regards

2015-05-27 4:46 GMT-04:00 Alexander Bokovoy aboko...@redhat.com:

On Wed, 27 May 2015, Martin Kosek wrote:
On 05/27/2015 10:08 AM, Alexander Bokovoy wrote:
On Wed, 27 May 2015, Martin Kosek wrote:
On 05/26/2015 07:36 PM, Carlos Raúl Laguna wrote:

Hello Martin, the email deployment is a groupware, in this scenario Kolab. Kolab uses 389 ad as main backend and it requires some kolab ldap specific attributes to work properly. This is not a problem, in fact it is quite easy to use FreeIPA as kolab backend; so far so good, but the romance only gets this far. Since we also use Windows AD with forest-trust, not all users are present in the FreeIPA directory, and that is where my problem lies. Since not all users are in the same box it becomes difficult to implement one mail system for all users. Regards

As I said, we have compat tree that allows LDAP BIND authentication and LDAP identity (not enumeration) for both IPA users and AD users when realm is in place. You can even update the configuration of the compat tree and add the kolab specific fields to be generated there too. There was very similar request on freeipa-users. It was for vSphere, but dealing with very similar use case and the final solution: http://www.freeipa.org/page/HowTo/vsphere5_integration Would that approach work for you?

I don't think it will work. compat tree is run-time read-only view of the data coming from somewhere else. You need to have Kolab-specific data available somewhere to be able to inject it in the compat tree. Where would that data be stored for Kolab for AD-specific entries?

It would work as long as the attributes are in the real user entries in form of custom attributes and compat plugin can be updated to add those to compat view.

What real user entries you are talking about for AD users? Additionally, Kolab wants to modify these custom attributes and compat tree simply does not support modification, they all are refused.

If Kolab requires modifications, then this approach would not work with current FreeIPA implementation, yes.

No, we are not going into enabling modifications over compat tree, this is simply impossible to achieve, sorry.

-- / Alexander Bokovoy
Re: [Freeipa-users] Single mail deployment i an FreeIPA-WindowsAD scenario.
Hello Martin, the email deployment is a groupware, in this scenario Kolab. Kolab uses 389 ad as main backend and it requires some kolab ldap specific attributes to work properly. This is not a problem, in fact it is quite easy to use FreeIPA as kolab backend; so far so good, but the romance only gets this far. Since we also use Windows AD with forest-trust, not all users are present in the FreeIPA directory, and that is where my problem lies. Since not all users are in the same box it becomes difficult to implement one mail system for all users. Regards
[Freeipa-users] Single mail deployment i an FreeIPA-WindowsAD scenario.
How can I use a single backend for an email deployment in such a scenario? Since I am using forest trust, users are not present in one place. Regards
Re: [Freeipa-users] Single mail deployment i an FreeIPA-WindowsAD scenario.
Any ideas how to overcome this? Winsync may be a better approach for us instead of cross-trust. Regards

2015-05-25 13:06 GMT-04:00 Carlos Raúl Laguna carlosla1...@gmail.com:

How can I use a single backend for an email deployment in such a scenario? Since I am using forest trust, users are not present in one place. Regards
Re: [Freeipa-users] [[Test-Announce] Fedora 22 Final status is Go, release on May 26, 2015]
Hi Alexander. Great news, does this also mean that users created in FreeIPA are self created/synchronized in the Windows AD? Regards

2015-05-22 15:00 GMT-04:00 Alexander Bokovoy aboko...@redhat.com:

Hi,

As per attached message, Fedora 22 final release will come to life next week. If you are planning to use FreeIPA in Fedora 22 or upgrade your FreeIPA deployment to Fedora 22, make sure updates-testing repository is enabled. Several last moment bug fixes related to FreeIPA were not rolled into the final Fedora 22 image and they are waiting in updates-testing for the gates to be open after release.

One particular area is support for cross-forest trusts with Active Directory --- Samba in Fedora 22 got upgraded to 4.2.1 version which caused some changes in underlying libraries FreeIPA uses for supporting the cross-forest trust. The fixes are awaiting you after install in the updates-testing.

Happy Fedora 22 use!

-- / Alexander Bokovoy

-- Forwarded message --
From: Jaroslav Reznik jrez...@redhat.com
To: devel-annou...@lists.fedoraproject.org, test-announce test-annou...@lists.fedoraproject.org, Fedora Logistics List logist...@lists.fedoraproject.org
Cc:
Date: Fri, 22 May 2015 14:46:39 -0400 (EDT)
Subject: [Test-Announce] Fedora 22 Final status is Go, release on May 26, 2015

At the Fedora 22 Final Go/No-Go Meeting #2 that just occurred, it was agreed to Go with the Fedora 22 Final by Fedora QA, Release Engineering and Development.

Fedora 22 Final will be publicly available on Tuesday, May 26, 2015.

Meeting details can be seen here:
Minutes: http://bit.ly/1Bh2pH1
Log: http://bit.ly/1HzMI5g

Thank you everyone for a great job, sleepless nights validating TCs, RCs, fixing bugs, composing stuff and everything else needed for smooth releases. Amazing last three years wrangling releases for me!

Jaroslav

___
test-announce mailing list test-annou...@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/test-announce
-- devel mailing list de...@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: [Freeipa-users] [[Test-Announce] Fedora 22 Final status is Go, release on May 26, 2015]
Just for clarification: if I create a user in Windows 2008R2 it propagates to FreeIPA 4.1 because FreeIPA trusts the AD domain. In this scenario, where AD equally trusts the FreeIPA domain (Fedora 22), should a user created in FreeIPA not propagate as well to AD? Regards

2015-05-22 16:39 GMT-04:00 Alexander Bokovoy aboko...@redhat.com:

On Fri, 22 May 2015, Carlos Raúl Laguna wrote:

Hi Alexander. Great news, does this also mean that users created in FreeIPA are self created/synchronized in the Windows AD? Regards

With cross-forest trust we don't synchronize anything to AD. Think about it as if FreeIPA was a separate AD forest, two AD forests don't synchronize anything to each other, they _refer_ to each other's domain controllers for operations that require authentication or other changes.

-- / Alexander Bokovoy
Re: [Freeipa-users] Migration from FreeIPA-Windows to FreeIPA-samba4
2014-10-09 18:12 GMT-04:00 Dmitri Pal d...@redhat.com:

On 10/09/2014 04:38 PM, Carlos Raúl Laguna wrote:

Hello to everyone, for some time now I have been pretty much stalking the Samba project site, looking forward to forest trust, and it seems that they introduced new functions to support trust domains https://download.samba.org/pub/samba/rc/WHATSNEW-4.2.0rc1.txt I guess in the future it will be possible.

Yes in future.

Anyway, I am about to do a FreeIPA-Windows deployment and I was wondering if it will be possible in the future to migrate from Windows to Samba?

Yes. This is the intent. At least to be able to replace AD with Samba DC in some cases. I am not sure how smooth the migration part will be.

And also, which version of FreeIPA is most ready for deployment?

Now? In which distro? In RHEL please use what is in 7.0. If you use Fedora then at least 4.0. You might want to wait couple weeks and use 4.1 when it gets released.

Thanks for your time and effort. Regard

-- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.

Thanks for your reply, it will be any way to use 4.1 in RHEL 7L. Regards
[Freeipa-users] Migration from FreeIPA-Windows to FreeIPA-samba4
Hello to everyone, for some time now I have been pretty much stalking the Samba project site, looking forward to forest trust, and it seems that they introduced new functions to support trust domains https://download.samba.org/pub/samba/rc/WHATSNEW-4.2.0rc1.txt I guess in the future it will be possible. Anyway, I am about to do a FreeIPA-Windows deployment and I was wondering if it will be possible in the future to migrate from Windows to Samba? And also, which version of FreeIPA is most ready for deployment? Thanks for your time and effort. Regard
Re: [Freeipa-users] FreeIPA customized for Kolab
Will do, need to make a proper guide first. Thanks to all. Regards

2014-07-04 3:26 GMT-04:00 Petr Spacek pspa...@redhat.com:

On 4.7.2014 00:49, Carlos Raúl Laguna wrote:

In cn=config an extensibleObject with a domainRelatedObject and aci (required by Kolab)

Not sure what this means - does this mean you added objectclass: extensibleObject to dn: cn=config?

Thanks for the fast reply, and yes, it is required so Kolab can check which is the primary domain. Thanks for your answer. Regards

2014-07-03 18:12 GMT-04:00 Rich Megginson rmegg...@redhat.com:

On 07/03/2014 04:09 PM, Carlos Raúl Laguna wrote:

Hello everyone, for some time I was trying to make Kolab Groupware work with FreeIPA and after some research it is now working.

It would be great if you can write down what you did to a new wikipage, preferably linked from http://www.freeipa.org/page/HowTos#3rd_party_Applications_Integration Your normal Fedora account will allow you to edit Freeipa.org wiki. Thank you for your time! Petr^2 Spacek

Great!

However, the modifications made in FreeIPA make me wonder if they somehow limit the functions of the software. Changes made: creation of OU=Groups (don't want to mix FreeIPA groups with Kolab's), OU=Shared Folders (required by Kolab), OU=Resources (required by Kolab). In cn=config an extensibleObject with a domainRelatedObject and aci (required by Kolab)

Not sure what this means - does this mean you added objectclass: extensibleObject to dn: cn=config?

The users are created from the FreeIPA interface as name.surname, which results in a mailbox for that user in the Kolab server. My actual question is if this may break replication, or the Windows - FreeIPA forest relationship. Thanks in advance for your time. Regards

This should not break replication, nor windows trust/sync, afaik. Not sure what effect this will have on other parts of FreeIPA though.

-- Petr^2 Spacek
[Freeipa-users] FreeIPA customized for Kolab
Hello everyone, for some time I was trying to make Kolab Groupware work with FreeIPA and after some research it is now working. However, the modifications made in FreeIPA make me wonder if they somehow limit the functions of the software. Changes made: creation of OU=Groups (don't want to mix FreeIPA groups with Kolab's), OU=Shared Folders (required by Kolab), OU=Resources (required by Kolab). In cn=config an extensibleObject with a domainRelatedObject and aci (required by Kolab). The users are created from the FreeIPA interface as name.surname, which results in a mailbox for that user in the Kolab server. My actual question is if this may break replication, or the Windows - FreeIPA forest relationship. Thanks in advance for your time. Regards
Re: [Freeipa-users] FreeIPA customized for Kolab
In cn=config an extensibleObject with a domainRelatedObject and aci (required by Kolab)

Not sure what this means - does this mean you added objectclass: extensibleObject to dn: cn=config?

Thanks for the fast reply, and yes, it is required so Kolab can check which is the primary domain. Thanks for your answer. Regards

2014-07-03 18:12 GMT-04:00 Rich Megginson rmegg...@redhat.com:

On 07/03/2014 04:09 PM, Carlos Raúl Laguna wrote:

Hello everyone, for some time I was trying to make Kolab Groupware work with FreeIPA and after some research it is now working.

Great!

However, the modifications made in FreeIPA make me wonder if they somehow limit the functions of the software. Changes made: creation of OU=Groups (don't want to mix FreeIPA groups with Kolab's), OU=Shared Folders (required by Kolab), OU=Resources (required by Kolab). In cn=config an extensibleObject with a domainRelatedObject and aci (required by Kolab)

Not sure what this means - does this mean you added objectclass: extensibleObject to dn: cn=config?

The users are created from the FreeIPA interface as name.surname, which results in a mailbox for that user in the Kolab server. My actual question is if this may break replication, or the Windows - FreeIPA forest relationship. Thanks in advance for your time. Regards

This should not break replication, nor windows trust/sync, afaik. Not sure what effect this will have on other parts of FreeIPA though.