I don't believe that the attribute is an OU.
try performing a:
ipa group-show engineering --all --raw
I believe that your automember rule wants to be cn=^Engineering
You cannot hope to secure that which you do not first understand
~~~
Jr Aquino
If you don't find an answer for doing it -minus- a ticket, here is what I would
suggest.
Create a service user whose only role permissions give them the ability to
delete users.
Then perform a getkeytab for the user:
ipa-getkeytab -s ipa.example.com -p user name to export@EXAMPLE.COM -k
Some further reading material about operating in a security model where you
accept that things are already compromised:
* CISecurity did a good job on the Kerberos benchmark that was written:
http://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=mitkerberos110.100
* Two Factor
If you are seeing clock skew errors in /var/log/dirsrv/slapd-EXAMPLE-COM/errors that look like this, then you will need to verify the time/date of the server to make sure NTP isn't freaked out. If the system date is correct, it is possible that the change number generator has
subjected to Password Policy expirations etc.
You cannot hope to secure that which you do not first understand
~
Jr Aquino | Sr. Information Security Specialist
GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
GCIH | GIAC Certified Incident Handler
GWAPT
On Aug 20, 2013, at 6:46 AM, Rich Megginson
rmegg...@redhat.com wrote:
On 08/20/2013 05:55 AM, Bret Wortman wrote:
Okay, now I'm thinking I need to dump all my replicas and start them fresh. My
/var/log/slapd-FOO-COM/errors is filled with messages like this:
On Jun 25, 2013, at 2:52 AM, Martin Kosek mko...@redhat.com
wrote:
On 06/24/2013 03:36 PM, Rob Crittenden wrote:
Dean Hunter wrote:
On Mon, 2013-06-24 at 09:07 +0300, Alexander Bokovoy wrote:
On Sun, 23 Jun 2013, Dean Hunter wrote:
Section 14.4. Applying the Configured sudo Policies to
.
Rich asked me to bring this issue up to the attention of the mailing list so
that we could continue to track the root cause of the issue(s) and hopefully
come to a conclusion about how to fix them.
Keeping your head in the cloud
~
Jr Aquino | Sr
On Jun 5, 2013, at 5:26 PM, Rich Megginson wrote:
On 06/05/2013 05:49 PM, JR Aquino wrote:
I have been having replication issues since the update to RHEL6.4 and
389-ds-base-1.2.11.15-12.
It is entirely possible that we have more than just 1 problem.
Frequently we seeing errors in our
should indicate where any matches occurred.
Keeping your head in the cloud
~
JR Aquino
Senior Information Security Specialist, Technical Operations
T: +1 805 690 3478 | F: +1 805 879 3730 | M: +1 805 717 0365
GIAC Certified Exploit Researcher and Advanced
are matching on is: enrolledby ?
Keeping your head in the cloud
~
Jr Aquino | Sr. Information Security Specialist
GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
GCIH | GIAC Certified Incident Handler
GWAPT | GIAC WebApp Penetration Tester
Citrix Online
something or if we have any bugs in there, we need to get
them identified and fixed.
Thanks,
_
John Moyer
On Apr 30, 2013, at 1:21 PM, JR Aquino jr.aqu...@citrix.com wrote:
On Apr 30, 2013, at 9:30 AM, John Moyer
john.mo
, at 1:48 PM, JR Aquino jr.aqu...@citrix.com wrote:
On Apr 30, 2013, at 10:43 AM, John Moyer john.mo...@digitalreasoning.com
wrote:
One thing to add is that this build user only has the following access:
Host Administrators
Host enrollment
Would he need more access to do the membership
previous inclusive regex, and replace it with
uid=build,cn=users,cn=accounts,dc=example,dc=com
See if that does the trick
Thanks,
_
John Moyer
On Apr 30, 2013, at 1:57 PM, JR Aquino jr.aqu...@citrix.com wrote:
On Apr 30, 2013, at 10
,
_
John Moyer
On Apr 30, 2013, at 2:07 PM, JR Aquino jr.aqu...@citrix.com wrote:
On Apr 30, 2013, at 11:02 AM, John Moyer john.mo...@digitalreasoning.com
wrote:
It comes back with a ton of stuff the row you are probably interested in is
this one
!
Not a problem John, thanks for your patience!
Glad to be of help!
I'm very happy to see that some of the stuff that I use daily saves other folks
time and headaches too!
-JR
Thanks,
_
John Moyer
On Apr 30, 2013, at 2:17 PM, JR Aquino
I've got about 30mins before I get into my next meeting.
Are you able to hop into IRC in Freenode to work in realtime on #freeipa?
Keeping your head in the cloud
~
Jr Aquino | Sr. Information Security Specialist
GXPN | GIAC Exploit Researcher and Advanced
Try editing /etc/openldap/ldap.conf:
TLS_CACERT /etc/ipa/ca.crt
TLS_REQCERT allow
See if that helps
Keeping your head in the cloud
~
Jr Aquino | Sr. Information Security Specialist
GIAC Exploit Researcher and Advanced Penetration Tester |
GIAC Certified
token prompt...
mod_nss is clearly the piece that is causing the prompting but I'm not sure
what is breaking here or how I can work around it.
Can someone help?
Keeping your head in the cloud
~
Jr Aquino | Sr. Information Security Specialist
GIAC Exploit
~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA
93117
T: +1 805.690.3478
C: +1 805.717.0365
jr.aqu
On the host in question Run the command: domainname
That wants to match whatever your domain is. If it doesn't it will fail even if
you have all the server rules configured correctly. This is a sudo +
netgroups/hostgroups 'feature'
~
Jr Aquino | Sr
don't need this, you can remove it from pam
If you want to work around this, set your password from the IPA webui or via
the cli: ipa passwd username
Hope this info helps!
Keeping your head in the cloud
~
JR Aquino
Senior Information Security Specialist
, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred
- Original Message -
From: JR Aquino jr.aqu...@citrix.com
To: Tim Hildred thild...@redhat.com
Cc: freeipa
On Aug 5, 2012, at 1:54 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
Hi,
I have setup a sudo command but no matter what I do I cannot get a host-group
to work, but I can specify a specific host without issue. I assume this is
a problem with the sssd daemon on the RHEL6.3 client? So
On Jul 11, 2012, at 3:23 PM, Dmitri Pal wrote:
On 07/11/2012 06:15 PM, JR Aquino wrote:
Note that this is also a future feature planned for 3.x
https://fedorahosted.org/freeipa/ticket/2276
Slightly different issue. This ticket is about allowing you to change
your password when it is expired
On Jul 10, 2012, at 12:28 PM, KodaK wrote:
Further information:
I do have:
ldap_netgroup_search_base = cn=ng,cn=compat,dc=validdomain,dc=com
Go ahead and remove this line. Previous legacy versions of sssd required it.
I believe it just gets in the way now.
You also want to run: $
On Jun 6, 2012, at 12:30 AM, Sigbjorn Lie sigbj...@nixtra.com wrote:
On Wed, June 6, 2012 00:54, JR Aquino wrote:
On Jun 5, 2012, at 3:42 PM, Sigbjorn Lie wrote:
On 06/06/2012 12:26 AM, JR Aquino wrote:
On Jun 5, 2012, at 3:12 PM, Sigbjorn Lie wrote:
On 06/05/2012 11:44 PM, JR
On Jun 5, 2012, at 11:18 AM, Paul Tader wrote:
A couple days ago my (apache) certificates expired. Users are able to kinit
but tools such as sudo fail because of the expired certificates. Lots of
reading/Google'ing later I found this script (steps) to renew these certs:
I'm just curious,
On Jun 5, 2012, at 1:54 PM, Sigbjorn Lie wrote:
On 06/05/2012 10:42 PM, Steven Jones wrote:
Hi
This bug has pretty much destroyed my IPA deployment... I had a
pretty bad memory leak, had to reboot every 36 hours... made worse by trying
later 6.3? rpms didn't fix the leak and it went
On Jun 5, 2012, at 3:12 PM, Sigbjorn Lie wrote:
On 06/05/2012 11:44 PM, JR Aquino wrote:
On Jun 5, 2012, at 1:54 PM, Sigbjorn Lie wrote:
On 06/05/2012 10:42 PM, Steven Jones wrote:
Hi
This bug has pretty much destroyed my IPA deployment... I had a
pretty bad memory leak had
On Jun 5, 2012, at 3:42 PM, Sigbjorn Lie wrote:
On 06/06/2012 12:26 AM, JR Aquino wrote:
On Jun 5, 2012, at 3:12 PM, Sigbjorn Lie wrote:
On 06/05/2012 11:44 PM, JR Aquino wrote:
On Jun 5, 2012, at 1:54 PM, Sigbjorn Lie wrote:
On 06/05/2012 10:42 PM, Steven Jones wrote:
Hi
This has
On May 16, 2012, at 12:23 PM, David Copperfield wrote:
Hi all,
I accidentally removed one of my IPA replica hosts on the IPA web UI by mistake;
on the host list I planned to remove ipaclient02.example.com, but accidentally
the mouse moved to ipareplica02.example.com and the latter got removed
Try: ipactl stop then ipactl start
Doesn't look like dirsrv is running on 389 and 636
~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA
93117
~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
jr.aqu...@citrix.com
http://www.citrixonline.com
On May 16, 2012, at 4:29 PM, David
method of recovery from catastrophic failure be the use
of frozen vm images.
Keeping your head in the cloud
~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue
for things
feature that don't exist yet?
Keeping your head in the cloud
~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
jr.aqu
On May 13, 2012, at 2:39 PM, Steven Jones
steven.jo...@vuw.ac.nz wrote:
Hi,
I have what I'm told are 6.3 rpms on ipa2 and no, it's not fixed; the memory leak
kills a server in 48 hours. I also find I have a problem with rebooting, IPA
doesn't survive a reboot, so I
On May 13, 2012, at 2:23 PM, Steven Jones
steven.jo...@vuw.ac.nz wrote:
Hi,
From a user perspective such as myself,
If it's mission critical and complex need today then you need to also look at
more mature solutions.
Mileage may vary.
I for one have found no
I have been considering looking into using this:
http://cnmonitor.sourceforge.net/
~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA
93117
Also See:
http://directory.fedoraproject.org/wiki/Howto:CN%3DMonitor_LDAP_Monitoring
;)
On May 3, 2012, at 9:26 AM, JR Aquino wrote:
I have been considering looking into using this:
http://cnmonitor.sourceforge.net/
~
Jr Aquino | Sr. Information
of ldap and provided by
the compat / nis plugins.
Hope this helps clear some stuff up about why one would want compat and nis
turned on in FreeIPA.
~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration
On Mar 16, 2012, at 1:06 PM, Stephen Ingram wrote:
On Fri, Mar 16, 2012 at 12:33 PM, JR Aquino jr.aqu...@citrix.com wrote:
On Mar 16, 2012, at 11:54 AM, Stephen Ingram wrote:
I've seen mention about the compat plug-in causing issues with
replication. In my 2.1.4 installation I notice
On Feb 22, 2012, at 1:24 PM, Marco Pizzoli wrote:
Hi guys,
I see that there's no way to rename a host once created. Same issue with host
groups.
Could you confirm that it is by design and so I never will be able to do that?
Thanks
Marco (wanting to rename everything :-( )
Hi Marco.
If you are really trying to go the route of using the password, the best way to
accomplish that is to procedurally ADD the host ahead of time with the -random
flag to generate a one-time-pass. Then insert that 1 time password dynamically
into the kickstart script.
If you want to approach the
On Jan 30, 2012, at 6:12 PM, Adam Young wrote:
On 01/28/2012 01:53 PM, Erinn Looney-Triggs wrote:
On 1/27/2012 4:53 PM, JR Aquino wrote:
On Jan 27, 2012, at 5:31 PM, Jr Aquino wrote:
Has anyone successfully gotten Firefox in Windows with Firefox and MIT Kerberos?
I've followed several how
Has anyone successfully gotten Firefox in Windows with Firefox and MIT Kerberos?
I've followed several how-to's, but I can't get Firefox to take/pass my TGT.
-Jr
___
Freeipa-users mailing list
Freeipa-users@redhat.com
On Jan 18, 2012, at 11:47 AM, Erinn Looney-Triggs wrote:
I can't really figure out what the proper syntax is for the sudo rules
in IPA. I have a number of options that I would like included by
default, I have put them in place, from ipa sudorule-show:
Sudo Option: env_keep = LESSSECURE,
On Jan 18, 2012, at 1:24 PM, Erinn Looney-Triggs wrote:
On 01/18/2012 11:50 AM, JR Aquino wrote:
On Jan 18, 2012, at 11:47 AM, Erinn Looney-Triggs wrote:
I can't really figure out what the proper syntax is for the sudo rules
in IPA. I have a number of options that I would like included
On Jan 5, 2012, at 3:14 PM, Stephen Gallagher sgall...@redhat.com wrote:
On Jan 5, 2012, at 5:48 PM, Erinn Looney-Triggs
erinn.looneytri...@gmail.com wrote:
On 01/05/2012 11:54 AM, Stephen Gallagher wrote:
On Thu, 2012-01-05 at 11:48 -0900, Erinn Looney-Triggs wrote:
Yes that look
On Jan 4, 2012, at 2:39 AM, Craig T free...@noboost.org wrote:
Hi,
Server: RHEL6.2
Spec: ipa-server-2.1.3-9
1) After reading the IPA documentation, it seems that HBAC is only available
to SSSD clients. This would suggest that I'm not going to be able to
configure it for Solaris hosts?
On Jan 3, 2012, at 8:37 AM, nasir nasir wrote:
--- On Tue, 1/3/12, Rich Megginson rmegg...@redhat.com wrote:
From: Rich Megginson rmegg...@redhat.com
Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
To: nasir nasir kollath...@yahoo.com
Cc: freeipa-users@redhat.com,
On Dec 30, 2011, at 5:45 PM, Erinn Looney-Triggs wrote:
I have been slowly rolling out FreeIPA to my systems, trying to track
differences/changes. One of the most noticeable has been a large slow
down in file access times.
Let me explain as best as I can. I use AIDE to track the file
I have a multimaster infrastructure with 3 core FreeIPA servers and 10
supporting (procedurally read-only) FreeIPA servers.
I notice that occasionally 1 of the systems starts producing errors filling up
/var/log/dirsrv/slapd-DOMAIN-COM/errors:
Replica has a different generation ID than the
On Dec 6, 2011, at 1:09 PM, Simo Sorce wrote:
Thanks Rob for all the great work!
I want to add just one warning that may escape users attention.
Due to the need to address the CSRF attack, our command line tools
(including ipa-client-install) will not work on newer servers until you
adventure down the path of enabling
Basic Auth on my FreeIPA Server.
Thanks!
~
Jr Aquino, GCIH, GWAPT | Sr. Information Security Specialist
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
jr.aqu...@citrixonline.com
On Jun 13, 2011, at 4:43 PM, Steven Jones wrote:
I have put 3 clients into a netgroup and added a user, however when I remove
the user from the netgroup the user can still login! Even if the user wasn't
ever in the netgroup they can login
So how do I stop that?
When will we see
but it doesn't tell you how to achieve anything end to end, and often it
gives you written instructions on visual tasks so if you are not in the right
bit of the GUI you go nowhere. So it needs far more screenshots and
wizards
regards
From: JR
Can you try both of those commands with sudo?
sudo service dirsrv status
?
~~
Jr Aquino
Info. Security Specialist
Citrix Online
jr.aqu...@citrixonline.com
805.690.3478
GCIH, CCNA
On May 18, 2011, at 1:38 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
[jonesst1
Is ns-ldap / kdc running on vuwunicoipamt01.unix.vuw.ac.nz?
service dirsrv status
service krb5kdc status
And are you running the command on vuwunicoipamt01.unix.vuw.ac.nz?
On May 17, 2011, at 8:23 PM, Steven Jones
steven.jo...@vuw.ac.nzmailto:steven.jo...@vuw.ac.nz wrote:
I'm getting,
SASL
On May 11, 2011, at 10:51 AM, Sigbjorn Lie wrote:
On Wed, May 11, 2011 14:42, Stephen Gallagher wrote:
On Tue, 2011-05-10 at 23:42 +0200, Sigbjorn Lie wrote:
Hi,
I would like to see the ipa client scripts and possibly the admin tools
in a nice Solaris package. This would make my job a
On May 11, 2011, at 12:25 PM, JR Aquino wrote:
These are all workarounds, I assume having the functionality available
through the native sssd
would be of an advantage. But this way you would the mentioned extra
functionality of SSSD without
having to do the work of supporting your
On Apr 29, 2011, at 11:45 PM, nasir nasir
kollath...@yahoo.com wrote:
Hi All,
First of all, many thanks indeed to the developers and community for making
some great strides in the open source IPA world!
I am planning for a Linux deployment with the following
On Apr 13, 2011, at 5:26 PM, Stephen Ingram wrote:
This question might be better posed on a general directory server
list, however, as ipa obviously contains very sensitive data, I'm
curious as to what ipa users think. Although ipa uses extensive acl's
to shield the most important directory
Is there any way to capture a description associated with the regex - group
mapping?
I was thinking that after time, it would be important to look back on rules and
know why they were put there.
Particularly in the case of regex, since it may not be completely obvious by
looking back at
.
All tools are best used by their intended design. If the only tool you
have is a Hammer, you may approach all of your problems as if they are
nails.
~~
Jr Aquino
Information Security Specialist
Citrix Online
GCIH, CCNA