Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-06-08 Thread James James
:56 GMT+02:00 thierry bordaz tbor...@redhat.com: Hi, Would you update your master to 389-ds-base-1.2.11.15-56.el6, before attempting the upgrade to 7 ? thanks thierry On 06/08/2015 12:30 PM, James James wrote: My master version is 389-ds-base-1.2.11.15-50.el6_6.x86_64 . Thanks

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-06-08 Thread James James
machine for the replica ? How can I limit the cpu/memory in the physical machine (with cgroups ??). Any hints will be appreciated .. Regards James 2015-05-18 14:04 GMT+02:00 thierry bordaz tbor...@redhat.com: On 05/15/2015 05:11 PM, James James wrote: ok Rob. Thanks for your help. I will wait

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-06-08 Thread James James
. The master is made smarter to adapt its replication flow to the speed of the consumer. The bug is fixed in 389-ds-base-1.3.3.1-10.el7 and 389-ds-base-1.2.11.15-56.el6. What is the current version of your master ? thanks thierry On 06/08/2015 09:49 AM, James James wrote: Hi Thierry, thanks

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-05-15 Thread James James
ok Rob. Thanks for your help. I will wait for the Scientific Linux 6.7 . Best. James 2015-05-15 16:58 GMT+02:00 Rich Megginson rmegg...@redhat.com: On 05/15/2015 08:46 AM, James James wrote: [root@ipa ~]# rpm -q 389-ds-base 389-ds-base-1.2.11.15-50.el6_6.x86_64 Ok. Looks like

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-05-15 Thread James James
Is it possible to change the nsds5ReplicaTimeout value to get rid of this timeout error ? 2015-04-17 4:52 GMT+02:00 Rich Megginson rmegg...@redhat.com: On 04/15/2015 10:44 PM, James James wrote: The ipareplica-install.log file in attachment ... Here are the pertinent bits: 2015-04-15T15

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-05-15 Thread James James
[root@ipa ~]# rpm -q 389-ds-base 389-ds-base-1.2.11.15-50.el6_6.x86_64 2015-05-15 16:32 GMT+02:00 Rich Megginson rmegg...@redhat.com: On 05/15/2015 08:22 AM, James James wrote: I think that : Starting replication, please wait until this has completed. Update in progress, 127 seconds

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-05-15 Thread James James
: On 05/15/2015 07:55 AM, James James wrote: Is it possible to change the nsds5ReplicaTimeout value to get rid of this timeout error ? What timeout error? 2015-04-17 4:52 GMT+02:00 Rich Megginson rmegg...@redhat.com: On 04/15/2015 10:44 PM, James James wrote: The ipareplica-install.log file

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-04-15 Thread James James
The ipareplica-install.log file in attachment ... 2015-04-16 2:22 GMT+02:00 Rob Crittenden rcrit...@redhat.com: Rich Megginson wrote: On 04/15/2015 02:58 PM, James James wrote: Nothing on the replica .. maybye a process on the master. How can I check that ? I have no idea

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-04-15 Thread James James
Nothing on the replica .. maybye a process on the master. How can I check that ? 2015-04-15 21:37 GMT+02:00 Rich Megginson rmegg...@redhat.com: On 04/15/2015 12:43 PM, James James wrote: Here the log 2015-04-15 18:58 GMT+02:00 Rich Megginson rmegg...@redhat.com: On 04/15/2015 09:46 AM

Re: [Freeipa-users] Replica with external ca + custom subject in certificate

2015-04-08 Thread James James
...@redhat.com: Dne 7.4.2015 v 15:31 Martin Kosek napsal(a): On 04/07/2015 02:08 PM, James James wrote: I will try to give a better explanation : I have a CentOS 6.6 with ipa 3.0 named ipa-master. ipa-master has been installed with an external CA about 3 years ago and I will have to renew

Re: [Freeipa-users] Replica with external ca + custom subject in certificate

2015-04-07 Thread James James
ok. Is there a way to migrate from an external CA to a CA-less or a self-signed CA ? 2015-04-07 12:51 GMT+02:00 Martin Kosek mko...@redhat.com: On 04/03/2015 11:39 AM, James James wrote: Hello, I want to initialize a new replica with an external CA. My Certificate Authority wants

Re: [Freeipa-users] Replica with external ca + custom subject in certificate

2015-04-07 Thread James James
to migrate my ipa-master CA system from an external CA to a CA-less or self-signed CA ? Thanks. 2015-04-07 13:48 GMT+02:00 Martin Kosek mko...@redhat.com: On 04/07/2015 01:44 PM, James James wrote: ok. Is there a way to migrate from an external CA to a CA-less or a self-signed CA ? Yes, you

[Freeipa-users] Replica with external ca + custom subject in certificate

2015-04-03 Thread James James
Hello, I want to initialize a new replica with an external CA. My Certificate Authority wants a CSR with the field emailAddress in the subject like : /C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=n...@none.com How can I do with the ipa-server-install command ? I have been trying for

[Freeipa-users] ipa and external ca

2015-04-03 Thread James James
Hi everybody, sorry to repost my original question but this time my problem is better described. I want to install a ipa sever on centos 6 with an external ca. My problem is to add emailAddress in the subject field when I type the command : [root@ipa-dev ~]# ipa-server-install --external_ca

[Freeipa-users] Web UI customization

2015-03-07 Thread James James
Hello, I am with a ipa 3.3 server on centos 7. I want to customize the web ui user add page (to include krbprincipalexpiration field with a jquery calendar... ). I have read http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf ,

Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread James James
My IPA version is 3.0.0 . Thanks 2014-09-09 1:22 GMT+02:00 Dmitri Pal d...@redhat.com: On 09/08/2014 06:52 PM, James James wrote: Hi everybody, I want a user to be able to do ipa-getkeytab to retrieve the keys from any host in the realm. How can I do this ? Where I can find an ACI

Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread James James
SOLVED. realm-proxy has to be indirect member of : memberofindirect: cn=manage host keytab,cn=privileges,cn=pbac,dc=example,dc=com Thanks for your help. 2014-09-09 16:59 GMT+02:00 Rob Crittenden rcrit...@redhat.com: James James wrote: My user : realm-proxy is in a group (Smart Proxy Host

[Freeipa-users] ACI for ipa-getkeytab

2014-09-08 Thread James James
Hi everybody, I want a user to be able to do ipa-getkeytab to retrieve the keys from any host in the realm. How can I do this ? Where I can find an ACI example ( https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html) which can helps me ? Thanks for your help. -- Manage your

Re: [Freeipa-users] WebUI krbprincipal expiration calendar widegt

2014-08-11 Thread James James
Thanks a lot for your answer. I will switch to RHEL 7 to use 3.3 .. Best regards. James 2014-08-11 17:05 GMT+02:00 Martin Kosek mko...@redhat.com: On 08/10/2014 01:58 PM, James James wrote: Hello, Is there a way to patch my ipa .3.0.0 with this patch: https://www.mail-archive.com

[Freeipa-users] WebUI krbprincipal expiration calendar widegt

2014-08-10 Thread James James
Hello, Is there a way to patch my ipa .3.0.0 with this patch: https://www.mail-archive.com/freeipa-devel@redhat.com/msg20528.html ? The DateTime data type will be very useful ! Regards -- Manage your subscription for the Freeipa-users mailing list:

Re: [Freeipa-users] Account Expiration

2013-03-23 Thread James James
Hi Petr Can you (or somebody else ) give me some hints to use a calendar widget in the UI ? Thanks. 2013/2/7 Petr Vobornik pvobo...@redhat.com On 02/07/2013 08:45 AM, Martin Kosek wrote: On 02/07/2013 08:31 AM, James James wrote: Thanks Rob. I have one more question. Is it possible to add

Re: [Freeipa-users] Account Expiration

2013-02-13 Thread James James
It's a good idea. I will try that. 2013/2/13 Petr Spacek pspa...@redhat.com On 12.2.2013 20:21, John Dennis wrote: On 02/12/2013 01:40 PM, Rob Crittenden wrote: Is it possible to ipa to send a email to user when his account is about to expire (the current date is near

Re: [Freeipa-users] Account Expiration

2013-02-13 Thread James James
What is the IIRC docs ? 2013/2/13 Rob Crittenden rcrit...@redhat.com Petr Spacek wrote: On 12.2.2013 20:21, John Dennis wrote: On 02/12/2013 01:40 PM, Rob Crittenden wrote: Is it possible to ipa to send a email to user when his account is about to expire (the current date is near

Re: [Freeipa-users] Account Expiration

2013-02-13 Thread James James
thanks for your code. :) 2013/2/13 Jan-Frode Myklebust janfr...@tanso.net On Wed, Feb 13, 2013 at 09:29:42AM +0100, Petr Spacek wrote: Yeah, I don't think we want to be in the business of installing and configuring an MTA. However, we should be able to detect if one is available and

Re: [Freeipa-users] Account Expiration

2013-02-12 Thread James James
) ? 2013/2/7 Martin Kosek mko...@redhat.com On 02/07/2013 08:31 AM, James James wrote: Thanks Rob. I have one more question. Is it possible to add a field in the ui, and get the field's value in a custom add user hook script ? James I know that Petr Vobornik is already working

Re: [Freeipa-users] Account Expiration

2013-02-12 Thread James James
Thanks guys for your answers. 2013/2/12 John Dennis jden...@redhat.com On 02/12/2013 01:40 PM, Rob Crittenden wrote: Is it possible to ipa to send a email to user when his account is about to expire (the current date is near krbprincipalexpiration date) ? Not currently. In 3.0+ we will

Re: [Freeipa-users] ipa-replica-prepare failed

2013-02-11 Thread James James
Thanks you Rob. My replica is workin now. :) 2013/2/10 Rob Crittenden rcrit...@redhat.com James James wrote: Maybe I am stupid or tired (or both ..) but I have tried many thing to include the ca cert, the ipa key and pem file in a single pkcs12 file but I am still stucked. Can you give

Re: [Freeipa-users] ipa-replica-prepare failed

2013-02-09 Thread James James
Maybe I am stupid or tired (or both ..) but I have tried many thing to include the ca cert, the ipa key and pem file in a single pkcs12 file but I am still stucked. Can you give me a more detailled help ? 2013/2/8 Rob Crittenden rcrit...@redhat.com James James wrote: OK .. but I have

Re: [Freeipa-users] ipa-replica-prepare failed

2013-02-08 Thread James James
I had to set the --dirsrv_pkcs12, --dirsrv_pin, --http_pkcs12, --http_pin and the ipa-replica-prepare command runs without failure. Thanks for your help. 2013/2/8 James James jre...@gmail.com My ipa version is ipa-server-2.2.0-17.el6_3.1.x86_64 and the distro is Scientific Linux 6.3. I have

Re: [Freeipa-users] ipa-replica-prepare failed

2013-02-08 Thread James James
rcrit...@redhat.com James James wrote: I had to set the --dirsrv_pkcs12, --dirsrv_pin, --http_pkcs12, --http_pin and the ipa-replica-prepare command runs without failure. Thanks for your help. Yes, this is what I was going to suggest. Using ipa-server-certinstall replace the IPA CA

Re: [Freeipa-users] ipa-replica-prepare failed

2013-02-08 Thread James James
OK .. but I have to put the pkc12 file in /etc/pki/nssdb ? 2013/2/8 Rob Crittenden rcrit...@redhat.com James James wrote: Now on the replica server I've got this error : Run connection check to master Connection check OK Configuring ntpd [1/4]: stopping ntpd [2/4]: writing

Re: [Freeipa-users] ipa-replica-prepare failed

2013-02-07 Thread James James
My ipa version is ipa-server-2.2.0-17.el6_3.1.x86_64 and the distro is Scientific Linux 6.3. I have used ipa-server-certinstall to replace the default IPA certs. 2013/2/8 Rob Crittenden rcrit...@redhat.com James James wrote: Hi, today I wanted to install a ipa replica. When I used

Re: [Freeipa-users] Account Expiration

2013-02-06 Thread James James
Can somebody gives me some help to set krbPrincipalExpiration from the freeipa ui ? Many thanks 2013/1/28 James James jre...@gmail.com Hi Martin, thanks a lot for your answer. The krbPrincipalExpiration should do the job. Regards. 2013/1/28 Martin Kosek mko...@redhat.com On 01/28/2013

[Freeipa-users] Account Expiration

2013-01-28 Thread James James
Hi, in 389-ds there is a nice plugin I love, it's account policy. You can set account expiration date and the account will be inactive at this day. http://directory.fedoraproject.org/wiki/Account_Policy_Design#Detailed_Design_of_Account_Expiration Is there a way to have this feature with

Re: [Freeipa-users] Account Expiration

2013-01-28 Thread James James
Hi Martin, thanks a lot for your answer. The krbPrincipalExpiration should do the job. Regards. 2013/1/28 Martin Kosek mko...@redhat.com On 01/28/2013 12:14 PM, James James wrote: Hi, in 389-ds there is a nice plugin I love, it's account policy. You can set account expiration date

Re: [Freeipa-users] Easy deployment

2012-09-27 Thread James James
Not yet but can you give me some clues ? 2012/9/27 Dmitri Pal d...@redhat.com On 09/25/2012 04:18 PM, Sigbjorn Lie wrote: On 09/25/2012 12:17 AM, James James wrote: Hi guys, we are planning to install 150 freeipa clients and I was wondering if there is a way to easily install (from

Re: [Freeipa-users] Apache, autofs and userdir

2012-09-26 Thread James James
Thanks I'll try that and will give you a feedback as soon as possible. 2012/9/26 Anthony Messina amess...@messinet.com On Wednesday, September 26, 2012 12:21:14 AM James James wrote: I have : - a freeipa server + autofs maps - a nfsv4 server - a web server from the webserver I

[Freeipa-users] Apache, autofs and userdir

2012-09-25 Thread James James
Hi, I don't know if this is the right place to ask this question but I will try. I have : - a freeipa server + autofs maps - a nfsv4 server - a web server from the webserver I can mount my nfs4 exported home dir. Everything works well. I want to acces to my public_html directory from the web

[Freeipa-users] Easy deployment

2012-09-24 Thread James James
Hi guys, we are planning to install 150 freeipa clients and I was wondering if there is a way to easily install (from kickstart) nfsv4 client. I can add host with # ipa host-add --password=secret But to get the keytab (host and service), I have to log into the machine, launch kinit and get the

Re: [Freeipa-users] Easy deployment

2012-09-24 Thread James James
-- *From:* freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of James James [jre...@gmail.com] *Sent:* Tuesday, 25 September 2012 10:17 a.m. *To:* freeipa-users@redhat.com *Subject:* [Freeipa-users] Easy deployment Hi guys, we

Re: [Freeipa-users] Ipa migration, from ui cannot change password

2012-09-20 Thread James James
Yes config mod is enabled 2012/9/20 Dmitri Pal d...@redhat.com On 09/20/2012 12:30 PM, James James wrote: Hi, I've done a migration from ldap to ipa. Everything works well but when I try to change my password in the ui (https://ipa.example.com/ipa/migration) I have this error message

Re: [Freeipa-users] Ipa migration, from ui cannot change password

2012-09-20 Thread James James
Oups .. migration mode is enable ... 2012/9/20 James James jre...@gmail.com Yes config mod is enabled 2012/9/20 Dmitri Pal d...@redhat.com On 09/20/2012 12:30 PM, James James wrote: Hi, I've done a migration from ldap to ipa. Everything works well but when I try to change my password

Re: [Freeipa-users] Ipa migration, from ui cannot change password

2012-09-20 Thread James James
...@redhat.com On 09/20/2012 12:50 PM, James James wrote: Oups .. migration mode is enable ... The ldap (access, error) and kerberos logs from the server would be helpful to troubleshoot. /var/log/dirsrv/... krb5kdc.log 2012/9/20 James James jre...@gmail.com Yes config mod is enabled

Re: [Freeipa-users] Ipa migration, from ui cannot change password

2012-09-20 Thread James James
result search: 2 result: 0 Success Can you explain me what happens ? Is there a solution ? 2012/9/20 Rob Crittenden rcrit...@redhat.com Dmitri Pal wrote: On 09/20/2012 12:50 PM, James James wrote: Oups .. migration mode is enable ... The ldap (access, error) and kerberos logs from

Re: [Freeipa-users] Ipa migration, from ui cannot change password

2012-09-20 Thread James James
It will be fine to have this info in the doc. 2012/9/20 Rob Crittenden rcrit...@redhat.com Dmitri Pal wrote: On 09/20/2012 01:42 PM, Rob Crittenden wrote: James James wrote: You 're right. The request return : Enter LDAP Password: # extended LDIF # # LDAPv3 # base cn=users,cn

Re: [Freeipa-users] Ipa migration, from ui cannot change password

2012-09-20 Thread James James
/ ipa.example@example.com Thanks 2012/9/21 James James jre...@gmail.com Now, I can read the userPassword field (after the migration process) but I still can't change my password from the ui. I just got : kerberos ticket is no longer valid. 2012/9/20 James James jre...@gmail.com

[Freeipa-users] ipa {user-find} ca cert file

2012-09-19 Thread James James
Hi, I have followed this http://freeipa.org/page/Certificate_Authority#Using_Certificates_From_a_Different_CAand everything works well. Now when, from the console, I execute $ ipa user-find I've got [root@ipa ipa]# ipa user-find ipa: ERROR: cert validation failed for

Re: [Freeipa-users] ipa {user-find} ca cert file

2012-09-19 Thread James James
OK Thanks a lot for the solution and for the advice. 2012/9/19 Rob Crittenden rcrit...@redhat.com James James wrote: Hi, I have followed this http://freeipa.org/page/**Certificate_Authority#Using_** Certificates_From_a_Different_**CAhttp://freeipa.org/page/Certificate_Authority

[Freeipa-users] MemberOf plugin and LDAP filter

2012-09-18 Thread James James
Hi everybody, can somebody help me with the memberof plugin ? Is there a way to add the memberof attribute like it was in 389-ds ? For my mailing list program, I want to have the email of the emails of all the person belongings to a group. Is there a filter to do that ? Thanks.

Re: [Freeipa-users] MemberOf plugin and LDAP filter

2012-09-18 Thread James James
my memberOf plugin ? 2012/9/18 Rob Crittenden rcrit...@redhat.com James James wrote: Hi everybody, can somebody help me with the memberof plugin ? Is there a way to add the memberof attribute like it was in 389-ds ? For my mailing list program, I want to have the email of the emails

Re: [Freeipa-users] Question about migration and scripts variables

2012-09-10 Thread James James
Back from hollidays... I have just trying --user-ignore-attribute=uidnumber,gidnumber, the server says that the posixAccount attribute requires uid and gid number. I will find another solution to solve my problem. James 2012/8/20 Rob Crittenden rcrit...@redhat.com James James wrote: Hi

[Freeipa-users] Subject for certificate request in ipa-server-install

2012-09-10 Thread James James
Hi Everybody, I want to change the defaut Certifcate Authority automatically added want you want to make a certificate request. There were a thread about something like ( https://www.redhat.com/archives/freeipa-users/2012-April/msg00021.html) that but I don't know if there is the quick and nice

[Freeipa-users] Question about migration and scripts variables

2012-08-17 Thread James James
Hi, my first question is about the migrate process. Is it possible to renumber the users during the migrate process (ipa migrate-ds) in a way that all imported users will have a new UID ? my second question is about ipalib. I wanted to make a hook on the user creation. The hook works fine. I

Re: [Freeipa-users] Add attributes to default user schema

2012-06-23 Thread James James
, James James jre...@gmail.com wrote: Hi everybody, Is it possible to have a procedure to add new attributes like mailAlternateAddress in the default user schema ? That particular attribute is included in the schema (objectclass=mailRecipient) so it is easy to add using the ipa user-mod

[Freeipa-users] Add attributes to default user schema

2012-06-21 Thread James James
Hi everybody, Is it possible to have a procedure to add new attributes like mailAlternateAddress in the default user schema ? Regards ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users