[Freeipa-users] IPA Trusts

2015-03-16 Thread Erinn Looney-Triggs
Reading through the RHEL 7.1 documents on setting up a trust between IPA and AD I came across a note that IPA had to be managing DNS in order for this to work. Why is this? Is there any way around this? At this point the DNS IPA would manage is DNSSEC signed and as such can't be managed by IPA,

Re: [Freeipa-users] IPA Trusts

2015-03-16 Thread Erinn Looney-Triggs
On Monday, March 16, 2015 09:13:56 PM Alexander Bokovoy wrote: On Mon, 16 Mar 2015, Erinn Looney-Triggs wrote: Reading through the RHEL 7.1 documents on setting up a trust between IPA and AD I came across a note that IPA had to be managing DNS in order for this to work. Why

Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1

2015-03-12 Thread Erinn Looney-Triggs
On 03/12/2015 01:46 PM, Martin Kosek wrote: On 03/12/2015 07:24 PM, Erinn Looney-Triggs wrote: On 03/12/2015 02:10 AM, Jan Cholasta wrote: Dne 12.3.2015 v 08:25 Martin Kosek napsal(a): On 03/11/2015 09:05 PM, Dmitri Pal wrote: On 03/11/2015 03:15 PM, Erinn Looney-Triggs wrote: ... Third

Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1

2015-03-12 Thread Erinn Looney-Triggs
On 03/12/2015 02:10 AM, Jan Cholasta wrote: Dne 12.3.2015 v 08:25 Martin Kosek napsal(a): On 03/11/2015 09:05 PM, Dmitri Pal wrote: On 03/11/2015 03:15 PM, Erinn Looney-Triggs wrote: ... Third, there appears to be a behavior change from in ipalib. I cleaned up a little inventory script

[Freeipa-users] IPA 4.1.0 in RHEL 7.1

2015-03-11 Thread Erinn Looney-Triggs
First off congratulations on getting this out. Love the new UI, all pretty and integrates well with the access.redhat.com UI. Second, did DNSSEC not make the chop? It looks like for FreeIPA DNSSEC was included in the 4.1.0 release, but near as I can tell it is not part of IPA 4.1.0 in RHEL

[Freeipa-users] Possible for system to be member of both IPA domain and AD domain?

2015-03-03 Thread Erinn Looney-Triggs
Before I go charging down this path too far, I wanted to figure out whether it is possible for a RHEL 7 system to be a member of both an IPA domain and a separate AD domain? At this point trusts are not established between IPA and the AD, this will happen around the 7.1 release, however, I

[Freeipa-users] SASL GSSAPI behavior change in RHEL 7

2015-01-14 Thread Erinn Looney-Triggs
This is not exactly the right place to post this message, but I reckon it is close enough. A year or so ago, I wrote up a guide for configuring a Postfix client to use Kerb/GSSAPI to authenticate against a Postfix server acting as a relay. The guide is here:

Re: [Freeipa-users] MinSSF suggestions?

2014-08-14 Thread Erinn Looney-Triggs
On Wednesday, August 13, 2014 08:57:19 PM Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 08/12/2014 09:21 AM, Alexander Bokovoy wrote: On Tue, 12 Aug 2014, Erinn Looney-Triggs wrote: On 08/11/2014 09:08 AM, Martin Kosek wrote

Re: [Freeipa-users] MinSSF suggestions?

2014-08-12 Thread Erinn Looney-Triggs
On 08/11/2014 09:08 AM, Martin Kosek wrote: On 08/11/2014 04:24 PM, Jakub Hrozek wrote: On Mon, Aug 11, 2014 at 05:18:03PM +0300, Alexander Bokovoy wrote: On Sat, 09 Aug 2014, Erinn Looney-Triggs wrote:

Re: [Freeipa-users] MinSSF suggestions?

2014-08-12 Thread Erinn Looney-Triggs
On 08/12/2014 09:21 AM, Alexander Bokovoy wrote: On Tue, 12 Aug 2014, Erinn Looney-Triggs wrote: On 08/11/2014 09:08 AM, Martin Kosek wrote: On 08/11/2014 04:24 PM, Jakub Hrozek wrote: On Mon

[Freeipa-users] Replicating o=ipaca

2014-08-12 Thread Erinn Looney-Triggs
The documentation seems to be a little fuzzy on setting up two CAs, some parts indicate this is a bad idea because the CRLs can clobber each other, other parts, such as the migration guide from RHEL 6.5 to 7 seem to indicate that it is ok, albeit

Re: [Freeipa-users] MinSSF suggestions?

2014-08-12 Thread Erinn Looney-Triggs
On 08/12/2014 09:21 AM, Alexander Bokovoy wrote: On Tue, 12 Aug 2014, Erinn Looney-Triggs wrote: On 08/11/2014 09:08 AM, Martin Kosek wrote: On 08/11/2014 04:24 PM, Jakub Hrozek wrote: On Mon

Re: [Freeipa-users] MinSSF suggestions?

2014-08-12 Thread Erinn Looney-Triggs
On 08/12/2014 12:33 PM, Alexander Bokovoy wrote: On Tue, 12 Aug 2014, Erinn Looney-Triggs wrote: I guess the part I don't get here, is that this setting does not disable anonymous access to rootdse it just requires, as far as I understand

Re: [Freeipa-users] Replicating o=ipaca

2014-08-12 Thread Erinn Looney-Triggs
On 08/12/2014 11:49 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: The documentation seems to be a little fuzzy on setting up two CAs, some parts indicate this is a bad idea because the CRLs can clobber each other, other parts

[Freeipa-users] MinSSF suggestions?

2014-08-09 Thread Erinn Looney-Triggs
It would seem to be prudent to set the minssf setting for 389 to 56, however I am wondering why this isn't done by default, and if there is any reason why I shouldn't do it? Thanks, -Erinn

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-08-05 Thread Erinn Looney-Triggs
Here you go: dbs.beginReplicaNumber=1 dbs.beginRequestNumber=1 dbs.beginSerialNumber=1 dbs.enableSerialManagement=true dbs.endReplicaNumber=50 dbs.endRequestNumber=990 dbs.endSerialNumber=ff6 dbs.ldap=internaldb

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-08-05 Thread Erinn Looney-Triggs
On 08/04/2014 01:51 PM, Ade Lee wrote: OK - I suspect you may be running into an issue with serial number generation. Each time we install a clone, we end up allocating a new range of serial numbers for the clone. The idea is to keep

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-08-05 Thread Erinn Looney-Triggs
Ok I am throwing up the white flag on this one and starting anew. Clearly there are several things broken down there in the murky depths, and well I just don't trust my install all that much at this point. Thanks for all the help I really

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-08-04 Thread Erinn Looney-Triggs
On 08/04/2014 08:46 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 08/04/2014 04:01 AM, Martin Kosek wrote: On 08/04/2014 04:45 AM, Erinn Looney-Triggs wrote: Whether related or not I am getting the following in my RHEL 6.5 IPA

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-08-04 Thread Erinn Looney-Triggs
to clean that up. Ade On Mon, 2014-08-04 at 12:10 -0700, Erinn Looney-Triggs wrote: On 08/04/2014 11:48 AM, Ade Lee wrote: OK - so its not really even getting started on the install. My guess is there is some cruft from previous installs/uninstalls that was not cleaned up

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-08-03 Thread Erinn Looney-Triggs
On 07/30/2014 02:31 PM, Ade Lee wrote: On Tue, 2014-07-29 at 17:49 -0700, Erinn Looney-Triggs wrote: Ok, well I tried deleting it using certutil it deletes both, I tried using keytool to see if it would work any better, no dice there. I'll

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-08-03 Thread Erinn Looney-Triggs
Whether related or not I am getting the following in my RHEL 6.5 IPA instance /var/log/dirsrv/slapd-PKI-CA/debug log: [26/Jul/2014:20:23:23 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-31 Thread Erinn Looney-Triggs
On 07/30/2014 02:31 PM, Ade Lee wrote: On Tue, 2014-07-29 at 17:49 -0700, Erinn Looney-Triggs wrote: Ok, well I tried deleting it using certutil it deletes both, I tried using keytool to see if it would work any better, no dice there. I'll

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-29 Thread Erinn Looney-Triggs
Ok, well I tried deleting it using certutil it deletes both, I tried using keytool to see if it would work any better, no dice there. I'll try the rename, but at this point I am not holding my breath on that, it seems all operations are a bit

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-28 Thread Erinn Looney-Triggs
On 07/28/2014 08:04 AM, Ade Lee wrote: On Mon, 2014-07-28 at 07:41 -0700, Erinn Looney-Triggs wrote: On 07/28/2014 07:17 AM, Rob Crittenden wrote: Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 07/27/2014 12:02 AM, Erinn Looney-Triggs

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-28 Thread Erinn Looney-Triggs
On 07/28/2014 11:07 AM, Ade Lee wrote: On Mon, 2014-07-28 at 08:26 -0700, Erinn Looney-Triggs wrote: On 07/28/2014 08:04 AM, Ade Lee wrote: On Mon, 2014-07-28 at 07:41 -0700, Erinn Looney-Triggs wrote: On 07/28/2014 07:17 AM, Rob Crittenden

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-28 Thread Erinn Looney-Triggs
On 07/28/2014 11:07 AM, Ade Lee wrote: On Mon, 2014-07-28 at 08:26 -0700, Erinn Looney-Triggs wrote: On 07/28/2014 08:04 AM, Ade Lee wrote: On Mon, 2014-07-28 at 07:41 -0700, Erinn Looney-Triggs wrote: On 07/28/2014 07:17 AM, Rob Crittenden

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-28 Thread Erinn Looney-Triggs
On 07/28/2014 11:07 AM, Ade Lee wrote: No exceptions thrown in the journal. When investigating the cacert.p12 file that is bundled up for the replicas I see two caSigningCerts. One is the older one, before I renewed and one is the new,

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-28 Thread Erinn Looney-Triggs
On 07/28/2014 12:20 PM, Ade Lee wrote: On Mon, 2014-07-28 at 12:14 -0700, Erinn Looney-Triggs wrote: On 07/28/2014 11:07 AM, Ade Lee wrote: No exceptions thrown in the journal. When investigating the cacert.p12 file that is bundled up

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-28 Thread Erinn Looney-Triggs
On 07/28/2014 12:56 PM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 07/28/2014 12:20 PM, Ade Lee wrote: On Mon, 2014-07-28 at 12:14 -0700, Erinn Looney-Triggs wrote: On 07/28/2014 11:07 AM, Ade Lee wrote: No exceptions thrown

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-28 Thread Erinn Looney-Triggs
On 07/28/2014 12:20 PM, Ade Lee wrote: On Mon, 2014-07-28 at 12:14 -0700, Erinn Looney-Triggs wrote: On 07/28/2014 11:07 AM, Ade Lee wrote: No exceptions thrown in the journal. When investigating the cacert.p12 file that is bundled up

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-28 Thread Erinn Looney-Triggs
On 07/28/2014 12:56 PM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 07/28/2014 12:20 PM, Ade Lee wrote: On Mon, 2014-07-28 at 12:14 -0700, Erinn Looney-Triggs wrote: On 07/28/2014 11:07 AM, Ade Lee wrote: No exceptions thrown

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-27 Thread Erinn Looney-Triggs
On 07/26/2014 07:12 PM, Erinn Looney-Triggs wrote: On 07/26/2014 05:25 PM, Erinn Looney-Triggs wrote: Well it hasn't been all that pretty trying to move from RHEL 6.5 to RHEL 7. I have two servers providing my ipa instances ipa and ipa2. Given

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-27 Thread Erinn Looney-Triggs
On 07/27/2014 12:02 AM, Erinn Looney-Triggs wrote: On 07/26/2014 07:12 PM, Erinn Looney-Triggs wrote: On 07/26/2014 05:25 PM, Erinn Looney-Triggs wrote: Well it hasn't been all that pretty trying to move from RHEL 6.5 to RHEL 7. I have two

[Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-26 Thread Erinn Looney-Triggs
Well it hasn't been all that pretty trying to move from RHEL 6.5 to RHEL 7. I have two servers providing my ipa instances ipa and ipa2. Given that I don't have a great deal of spare capacity the plan was to remove ipa2 from the replication

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-26 Thread Erinn Looney-Triggs
On 07/26/2014 05:25 PM, Erinn Looney-Triggs wrote: Well it hasn't been all that pretty trying to move from RHEL 6.5 to RHEL 7. I have two servers providing my ipa instances ipa and ipa2. Given that I don't have a great deal of spare capacity

[Freeipa-users] IPA commands failing

2014-07-07 Thread Erinn Looney-Triggs
On a RHEL 6.5 environment the IPA command line tools are failing me with the following: ipa ping ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://ipa.foo.com/ipa/xml,

[Freeipa-users] OTP in RHEL 7

2014-03-21 Thread Erinn Looney-Triggs
Hopefully I am not overlooking something. However, it appears that with RHEL 7 IPA includes the OTP auth piece. However, I can't seem to find any documentation on how to use it. I can deconstruct from the Fedora test day, but before I head down that

Re: [Freeipa-users] OTP in RHEL 7

2014-03-21 Thread Erinn Looney-Triggs
On 03/21/2014 02:54 PM, Alexander Bokovoy wrote: On Fri, 21 Mar 2014, Erinn Looney-Triggs wrote: Hopefully I am not overlooking something. However, it appears that with RHEL 7 IPA includes the OTP

Re: [Freeipa-users] JSON interface (Was: IPA DNS command line tools and ~)

2014-03-07 Thread Erinn Looney-Triggs
On 03/07/2014 08:57 AM, Petr Viktorin wrote: On 03/07/2014 04:34 PM, Rich Megginson wrote: [...] The ipa command line tools use RPC, but they use XML. If you run ipa -vv dnsrecord-add ... you can see the XML sent and received. There is a bit of

Re: [Freeipa-users] CA expiration and renewal

2013-12-05 Thread Erinn Looney-Triggs
On 12/05/2013 01:35 AM, Martin Kosek wrote: On 12/04/2013 06:58 PM, Erinn Looney-Triggs wrote: On 12/04/2013 07:15 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 11/27/2013 11:11 AM, Rob

Re: [Freeipa-users] CA expiration and renewal

2013-12-05 Thread Erinn Looney-Triggs
On 12/05/2013 12:18 PM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 12/05/2013 01:35 AM, Martin Kosek wrote: On 12/04/2013 06:58 PM, Erinn Looney-Triggs wrote: On 12/04/2013 07:15 AM, Rob

Re: [Freeipa-users] CA expiration and renewal

2013-12-04 Thread Erinn Looney-Triggs
On 12/04/2013 07:15 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 11/27/2013 11:11 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote:

Re: [Freeipa-users] Dogtag not working?

2013-12-03 Thread Erinn Looney-Triggs
On 12/03/2013 05:45 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: Rob, Thanks so much for the help. It was the first certificate but other than that you were spot on, we can't all be perfect ;). That fixed the issue and I am now able

Re: [Freeipa-users] CA expiration and renewal

2013-12-03 Thread Erinn Looney-Triggs
On 11/27/2013 11:11 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 11/25/2013 11:09 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: Folks just wanted to touch base again before

Re: [Freeipa-users] Dogtag not working?

2013-12-03 Thread Erinn Looney-Triggs
On 12/3/2013 9:45 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 12/02/2013 10:18 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 12/02/2013 08:03 AM, Rob Crittenden wrote: Erinn

Re: [Freeipa-users] Dogtag not working?

2013-12-02 Thread Erinn Looney-Triggs
On 12/02/2013 07:40 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 11/28/2013 03:50 PM, Erinn Looney-Triggs wrote: In the process of prepping a replication host for changing over the CA I

Re: [Freeipa-users] Dogtag not working?

2013-12-02 Thread Erinn Looney-Triggs
On 12/02/2013 08:03 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 12/02/2013 07:40 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote:

Re: [Freeipa-users] Dogtag not working?

2013-12-02 Thread Erinn Looney-Triggs
On 12/02/2013 10:18 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 12/02/2013 08:03 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote:

Re: [Freeipa-users] Dogtag not working?

2013-11-29 Thread Erinn Looney-Triggs
On 11/28/2013 03:50 PM, Erinn Looney-Triggs wrote: In the process of prepping a replication host for changing over the CA I had to use certmonger to generate another certificate on my secondary IPA server. Unfortunately it seems to fail every

[Freeipa-users] Dogtag not working?

2013-11-28 Thread Erinn Looney-Triggs
In the process of prepping a replication host for changing over the CA I had to use certmonger to generate another certificate on my secondary IPA server. Unfortunately it seems to fail every single time. Here is what I am running and here is what I

Re: [Freeipa-users] CA expiration and renewal

2013-11-27 Thread Erinn Looney-Triggs
On 11/25/2013 11:09 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: Folks just wanted to touch base again before the American holiday season starts. My CA, which is subordinate to AD CS will be expiring on December 9th, I submitted a bug

[Freeipa-users] CA expiration and renewal

2013-11-13 Thread Erinn Looney-Triggs
Folks just wanted to touch base again before the American holiday season starts. My CA, which is subordinate to AD CS will be expiring on December 9th, I submitted a bug, y'all drew up docs etc for a plan (thanks). Now I just wanted to see how it was going and if need be what manual steps I will

[Freeipa-users] Renewing CA certificate

2013-10-14 Thread Erinn Looney-Triggs
Folks, I wanted to touch base with y'all about how/if work is progressing on the ability to replace the CA certificate. My certificate is a subordinate of an AD CS instance and will be expiring in December, after two years. Some how, some way, without rebuilding I would like to be able to replace

Re: [Freeipa-users] Renewing CA certificate

2013-10-14 Thread Erinn Looney-Triggs
On 10/14/2013 10:26 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: Folks, I wanted to touch base with y'all about how/if work is progressing on the ability to replace the CA certificate. My certificate is a subordinate of an AD CS instance and will be expiring in December, after two

Re: [Freeipa-users] DNS views: request for comments

2013-10-01 Thread Erinn Looney-Triggs
On 10/01/2013 09:11 AM, Petr Spacek wrote: Hello list, we would like to get more details about DNS views and how you use them in real life. Also, any idea how user a interface should work is more than welcome! (If you don't know views, read it as differentiate answer to a DNS query on client's

Re: [Freeipa-users] TLSA records in FreeIPA

2013-09-26 Thread Erinn Looney-Triggs
On 09/24/2013 12:06 PM, Petr Spacek wrote: On 24.9.2013 19:23, Erinn Looney-Triggs wrote: I wanted to bring up the idea of integrating TLSA records into FreeIPA so that a host that is issued a certificate for say the web server (via dogtag) would also publish that information in DNS using

[Freeipa-users] TLSA records in FreeIPA

2013-09-24 Thread Erinn Looney-Triggs
I wanted to bring up the idea of integrating TLSA records into FreeIPA so that a host that is issued a certificate for say the web server (via dogtag) would also publish that information in DNS using a TLSA record. This is very much like how SSHFP records are handled now in FreeIPA. Has this been

Re: [Freeipa-users] Instructions for using Postfix SMTP Client Relay with FreeIPA

2013-07-12 Thread Erinn Looney-Triggs
On 07/12/2013 11:36 AM, Simo Sorce wrote: On Fri, 2013-07-12 at 10:04 -0500, Anthony Messina wrote: On Wednesday, July 10, 2013 05:00:53 PM Dmitri Pal wrote: On 07/10/2013 12:12 PM, Simo Sorce wrote: On Wed, 2013-07-10 at 11:45 -0400, Erinn Looney-Triggs wrote: Folks, I swear I am not trying

Re: [Freeipa-users] IPA CA install in ca-bundle.crt

2013-07-12 Thread Erinn Looney-Triggs
On 07/12/2013 01:25 PM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 07/12/2013 01:19 PM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: Is there a reason that ipa-client-install does not add the CA of the IPA server to the ca-bundle.crt file in /etc/pki/certs/? Seems like

Re: [Freeipa-users] Is GSSAPI secure without TLS?

2013-07-12 Thread Erinn Looney-Triggs
On 07/12/2013 05:03 PM, Dmitri Pal wrote: On 07/12/2013 11:33 AM, Erinn Looney-Triggs wrote: GSSAPI inside of a TLS channel apparently isn't secure unless the channel is secure and verified. The irony being that GSSAPI auth outside of a TLS connection is just fine for postfix

[Freeipa-users] Instructions for using Postfix SMTP Client Relay with FreeIPA

2013-07-10 Thread Erinn Looney-Triggs
Folks, I swear I am not trying to drive up traffic to my very small blog, but I wrote up some instruction for how to configure the postfix mail client to use Kerberos to relay through a Postfix gateway. Instructions are here for folks that are interested:

[Freeipa-users] Replacing CA Certificate

2013-06-14 Thread Erinn Looney-Triggs
So my CA certificate in IPA is a subordinate certificate of an AD CS instance. These certificates by default are only valid for two years, and mine will be up come this December. So, I am looking for a way to replace this certificate in IPA. Any thoughts? -Erinn

Re: [Freeipa-users] FreeIPA dual stacked

2013-04-15 Thread Erinn Looney-Triggs
On 04/15/2013 09:45 AM, Adam Bishop wrote: Hi, I've just had a go at deploying FreeIPA v3.1.3 and have hit a minor road bump. The server hostname resolves to more than one address: :::::4 xxx.xxx.xxx.180 Please provide the IP address to be used for this host

Re: [Freeipa-users] Upgrading to 6.4 - additional information

2013-02-26 Thread Erinn Looney-Triggs
On 02/26/2013 10:29 AM, Dmitri Pal wrote: On 02/21/2013 12:31 PM, Dmitri Pal wrote: On 02/21/2013 11:44 AM, Erinn Looney-Triggs wrote: On 02/21/2013 09:40 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 02/21/2013 09:34 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 02/21

Re: [Freeipa-users] Upgrading to 6.4 - additional information

2013-02-26 Thread Erinn Looney-Triggs
On 02/26/2013 12:08 PM, Martin Kosek wrote: On 02/26/2013 06:05 PM, Erinn Looney-Triggs wrote: On 02/26/2013 10:29 AM, Dmitri Pal wrote: On 02/21/2013 12:31 PM, Dmitri Pal wrote: On 02/21/2013 11:44 AM, Erinn Looney-Triggs wrote: On 02/21/2013 09:40 AM, Rob Crittenden wrote: Erinn Looney

[Freeipa-users] Upgrading to 6.4

2013-02-21 Thread Erinn Looney-Triggs
For the foolhardy amongst us, as in me, I upgraded to RHEL 6.4 today. So far the Web UI portion of IPA is broken. I receive the following error via the UI: IPA Error 903 an internal error has occurred. Other things appear to be working fine, though my testing hasn't been all that thorough at

Re: [Freeipa-users] Upgrading to 6.4

2013-02-21 Thread Erinn Looney-Triggs
On 02/21/2013 09:07 AM, Rob Crittenden wrote: add:attributeTypes: (2.16.840.1.113730.3.8.11.1 NAME 'ipaExternalMember' DESC 'External Group Member Identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' ) add:objectClasses:

Re: [Freeipa-users] Upgrading to 6.4

2013-02-21 Thread Erinn Looney-Triggs
On 02/21/2013 09:40 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 02/21/2013 09:34 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 02/21/2013 09:07 AM, Rob Crittenden wrote: add:attributeTypes: (2.16.840.1.113730.3.8.11.1 NAME 'ipaExternalMember' DESC 'External Group

Re: [Freeipa-users] Upgrading to 6.4

2013-02-21 Thread Erinn Looney-Triggs
On 02/21/2013 09:34 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 02/21/2013 09:07 AM, Rob Crittenden wrote: add:attributeTypes: (2.16.840.1.113730.3.8.11.1 NAME 'ipaExternalMember' DESC 'External Group Member Identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch

Re: [Freeipa-users] Postponing IPA 3 upgrade

2013-02-11 Thread Erinn Looney-Triggs
On 02/11/2013 10:00 AM, rashard.ke...@sita.aero wrote: I was wondering if I need to be concerned about IPA 2 being updated automatically to IPA 3? We have a working IPA 2 environment in place now and wanted to know if IPA needed to be added to an exclude list. We are afraid of breaking our

Re: [Freeipa-users] Aiisues to wathc out fro / anticipate when upgrading RHEL6.3 and IPA 2 to 6.4 and IPA 3

2013-01-09 Thread Erinn Looney-Triggs
On 01/09/13 00:02, Martin Kosek wrote: On 01/08/2013 11:20 PM, Erinn Looney-Triggs wrote: On 01/08/13 12:45, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 01/08/13 11:44, Rob Crittenden wrote: Simo Sorce wrote: On Tue, 2013-01-08 at 19:31 +, Steven Jones wrote: HI, I assume RHEL

Re: [Freeipa-users] Aiisues to wathc out fro / anticipate when upgrading RHEL6.3 and IPA 2 to 6.4 and IPA 3

2013-01-08 Thread Erinn Looney-Triggs
On 01/08/13 11:44, Rob Crittenden wrote: Simo Sorce wrote: On Tue, 2013-01-08 at 19:31 +, Steven Jones wrote: HI, I assume RHEL 6.4 is GA shortly just how straigh forward is the upgrade from one IPA version to another please? regards Should just require an rpm upgrade and a restart

Re: [Freeipa-users] Aiisues to wathc out fro / anticipate when upgrading RHEL6.3 and IPA 2 to 6.4 and IPA 3

2013-01-08 Thread Erinn Looney-Triggs
On 01/08/13 11:55, Jakub Hrozek wrote: On Tue, Jan 08, 2013 at 11:49:11AM -0900, Erinn Looney-Triggs wrote: On 01/08/13 11:44, Rob Crittenden wrote: Simo Sorce wrote: On Tue, 2013-01-08 at 19:31 +, Steven Jones wrote: HI, I assume RHEL 6.4 is GA shortly just how straigh forward

Re: [Freeipa-users] Aiisues to wathc out fro / anticipate when upgrading RHEL6.3 and IPA 2 to 6.4 and IPA 3

2013-01-08 Thread Erinn Looney-Triggs
On 01/08/13 12:45, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 01/08/13 11:44, Rob Crittenden wrote: Simo Sorce wrote: On Tue, 2013-01-08 at 19:31 +, Steven Jones wrote: HI, I assume RHEL 6.4 is GA shortly just how straigh forward is the upgrade from one IPA version to another

Re: [Freeipa-users] authentication with latest putty fails

2013-01-04 Thread Erinn Looney-Triggs
On 01/04/13 06:56, Han Boetes wrote: Your information about the quest putty version seems to be outdated. ;-) Quest Softare no longer maintains recent releases of PuTTY. To obtain the latest stable release of PuTTY please goto PuTTY Download Page * The functionality that was provided by

Re: [Freeipa-users] Disadantages of using external DNS

2012-12-12 Thread Erinn Looney-Triggs
On 12/12/12 09:09, rashard.ke...@sita.aero wrote: What are the disadvantages of using an external DNS source? My three options are install DNS services on the IPA server, use the local Active Directory DNS, or connect to a linux based DNS appliance. Is it common not to use DNS at all if so

[Freeipa-users] Updating the CA certificate

2012-11-05 Thread Erinn Looney-Triggs
I hope I haven't missed it in searching around, but how does one update the CA certificate in IPA? Though it is a year out from expiring I would rather know sooner than later when it comes to this. -Erinn

Re: [Freeipa-users] Updating the CA certificate

2012-11-05 Thread Erinn Looney-Triggs
On 11/05/12 10:25, Rob Crittenden wrote: Erinn Looney-Triggs wrote: I hope I haven't missed it in searching around, but how does one update the CA certificate in IPA? Though it is a year out from expiring I would rather know sooner than later when it comes to this. Kudos for planning

Re: [Freeipa-users] Updating the CA certificate

2012-11-05 Thread Erinn Looney-Triggs
On 11/05/12 10:42, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 11/05/12 10:25, Rob Crittenden wrote: Erinn Looney-Triggs wrote: I hope I haven't missed it in searching around, but how does one update the CA certificate in IPA? Though it is a year out from expiring I would rather

Re: [Freeipa-users] Process open FD table is full.

2012-11-02 Thread Erinn Looney-Triggs
by the way, though the problem appeared in 6.2 for me. Regards Johan -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Erinn Looney-Triggs Sent: den 1 november 2012 23:15 To: FreeIPAUsers Subject: [Freeipa-users] Process

Re: [Freeipa-users] Process open FD table is full.

2012-11-02 Thread Erinn Looney-Triggs
On 11/02/12 07:28, Rich Megginson wrote: On 11/02/2012 09:06 AM, Simo Sorce wrote: On Fri, 2012-11-02 at 08:38 +, Johan Sunnerstig wrote: Looks a lot like a problem I have as well. Check out the /proc/xxx/fd directory of the dirsrv process for your IPA realm, in my case it's full of dead

[Freeipa-users] Process open FD table is full.

2012-11-01 Thread Erinn Looney-Triggs
Have any folks run into this: PR_Accept() failed, Netscape Portable Runtime error -5971 (Process open FD table is full.) From the dirsrv logs. It appears that this may have been what killed IPA in total on one server for me last night. I can't turn up anything via Google. After a restart of all

Re: [Freeipa-users] SELinux user mapping

2012-08-29 Thread Erinn Looney-Triggs
On 08/28/2012 11:23 PM, Jakub Hrozek wrote: On Tue, Aug 28, 2012 at 01:54:12PM -0800, Erinn Looney-Triggs wrote: I am hoping I haven't missed something here, but it appears that the SELinux user mapping portion is not working for me. This is tested on a RHEL 6.3 client and server. The rule I

[Freeipa-users] SELinux user mapping

2012-08-28 Thread Erinn Looney-Triggs
I am hoping I haven't missed something here, but it appears that the SELinux user mapping portion is not working for me. This is tested on a RHEL 6.3 client and server. The rule I have: Rule name: Developers staff_U SELinux User: staff_u:s0-s0:c0.c1023 Description: Confines developers on

Re: [Freeipa-users] Lost dse.ldif

2012-08-16 Thread Erinn Looney-Triggs
On 08/16/2012 11:18 AM, Sigbjorn Lie wrote: On 08/16/2012 09:08 PM, Rich Megginson wrote: On 08/16/2012 11:46 AM, Erinn Looney-Triggs wrote: On 08/15/2012 05:13 PM, Rich Megginson wrote: On 08/15/2012 03:58 PM, Erinn Looney-Triggs wrote: After a restart of the system I received the following

[Freeipa-users] Lost dse.ldif

2012-08-15 Thread Erinn Looney-Triggs
After a restart of the system I received the following errors: Starting dirsrv: FOO-COM...[15/Aug/2012:21:48:26 +] startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-FOO-COM/dse.ldif. It is mandatory.

Re: [Freeipa-users] cannot find name for user ID

2012-08-09 Thread Erinn Looney-Triggs
On 08/08/2012 01:11 PM, Jakub Hrozek wrote: On Wed, Aug 08, 2012 at 10:45:47AM -0800, Erinn Looney-Triggs wrote: An interesting problem has popped up and I am not sure where the issue lies. Users logging in are presented with cannot find name for user ID etc. etc. for all groups

[Freeipa-users] cannot find name for user ID

2012-08-08 Thread Erinn Looney-Triggs
An interesting problem has popped up and I am not sure where the issue lies. Users logging in are presented with cannot find name for user ID etc. etc. for all groups they are a member of. id returns nothing but the numbers, and a getent passwd username returns nothing, when running as the user.

Re: [Freeipa-users] cannot find name for user ID

2012-08-08 Thread Erinn Looney-Triggs
On 08/08/2012 01:11 PM, Jakub Hrozek wrote: On Wed, Aug 08, 2012 at 10:45:47AM -0800, Erinn Looney-Triggs wrote: An interesting problem has popped up and I am not sure where the issue lies. Users logging in are presented with cannot find name for user ID etc. etc. for all groups

Re: [Freeipa-users] stopping su -

2012-07-16 Thread Erinn Looney-Triggs
On 07/16/2012 01:32 PM, Steven Jones wrote: I have created a sshd rule only for the HBAC, but I find a std user can su - to root, is this correct behavior? How do I? or can I? stop this unless explicitly allowed? regards Steven Jones Technical Specialist - Linux RHCE Victoria

Re: [Freeipa-users] stopping su -

2012-07-16 Thread Erinn Looney-Triggs
University, Wellington, NZ 0064 4 463 6272 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Erinn Looney-Triggs [erinn.looneytri...@gmail.com] Sent: Tuesday, 17 July 2012 9:38 a.m. To: freeipa-users@redhat.com

Re: [Freeipa-users] IPA dogtag as CA for puppet ?

2012-05-21 Thread Erinn Looney-Triggs
On 05/21/2012 01:00 PM, Jan-Frode Myklebust wrote: If joining a machine to IPA automatically gives it an SSL keyset, it seems silly to also join the puppetca for config management. Has anybody looked into using IPA-dogtag as CA for puppet and func? -jf

[Freeipa-users] Searching for subjectKeyIdentifier in SSL certs

2012-02-22 Thread Erinn Looney-Triggs
It looks like, as far as I can tell, the IPA pki setup does not by default include subjectKeyIdentifier in the SSL certificates issued. I am using ipa-getcert -f foo -k bar, to generate and submit the request. I am a little hazy about how all of this fits together at this point, so please forgive

Re: [Freeipa-users] Jabber services for IPA

2012-02-09 Thread Erinn Looney-Triggs
On 02/09/2012 06:48 AM, Dale Macartney wrote: Morning all I have a working setup of ejabberd authenticated to pam on an IPA client which works great.. However, unlike my other projects to provide details of integration with IPA, I am struggling with the SSO aspect of it, simply because

Re: [Freeipa-users] IPA Sudo - RHEL5

2012-02-01 Thread Erinn Looney-Triggs
On 02/01/2012 03:43 AM, Westerlund Johnny wrote: You pointed me in the correct direction. I only needed to set up ldap.conf in a correct way and it worked perfectly. The documentation for setting up sudo on rhel6 describes how to set up the nslcd.conf; I just made ldap.conf a symlink of that

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-30 Thread Erinn Looney-Triggs
On 01/30/2012 10:20 AM, Dale Macartney wrote: Hi Erinn I originally asked the question as I was thinking my auth attempts were failing when using ipa, however this was not the case. On closer inspection, I found that the authentication was successful yet dovecot was failing to read a

Re: [Freeipa-users] WebUI With Windows, Firefox, and MIT Kerberos

2012-01-28 Thread Erinn Looney-Triggs
On 1/27/2012 4:53 PM, JR Aquino wrote: On Jan 27, 2012, at 5:31 PM, Jr Aquino wrote: Has anyone successfully gotten firefox in windows with firefox and mit kerberos? I've followed several how-tos, but I can't get firefox to take/pass my tgt. The Key to success:

Re: [Freeipa-users] Sudo options

2012-01-18 Thread Erinn Looney-Triggs
On 01/18/2012 11:50 AM, JR Aquino wrote: On Jan 18, 2012, at 11:47 AM, Erinn Looney-Triggs wrote: I can't really figure out what the proper syntax is for the sudo rules in IPA. I have a number of options that I would like included by default, I have put them in place, from ipa sudorule-show
