ave so far?
http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
http://abbra.fedorapeople.org/guide.html
CCing Jan for reference.
Martin
--
Jan Cholasta
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
und.
There were lots of examples of invoking commands, but I never saw anything
about authenticating to the server before running the commands.
Thanks again for the pointers, and if there is documentation I missed, feel
free to point me in that direction.
e-property/
As for "Issued to" and "Issued by", I guess these are derived from the
subject and issuer name fields of the certificate, which currently can't
be changed for our CA certificate.
We have a ticket to fix this for quite some time:
<https://fedorahosted.o
error is legit, you have to specify the full CA certificate chain
using --ca-cert-file.
CCing JanC, he is the man to help with this one.
Martin
, follow the guide I posted a month ago:
<https://www.redhat.com/archives/freeipa-users/2016-January/msg00023.html>.
Honza
rams, just not
in IPA.
CCing Jan, but I think you are hitting
https://fedorahosted.org/freeipa/ticket/5603
Actually I think it's #4786, but if that was fixed, you would hit #5603
as well.
Honza
and
<https://fedorahosted.org/freeipa/ticket/4785> and
<https://fedorahosted.org/freeipa/ticket/4786> for
ipa-server-certinstall fixes.
If there's anything missing, please file a new ticket.
s://fedorahosted.org/freeipa/ticket/5600>.
Are the above steps correct for installing 3rd party certificates in
FreeIPA 4.2? Should I change anything?
Looks OK to me.
We are planning to move these nodes into production very soon, any help
would be much appreciated!
Honza
hoose to install with CA-less
for now, you can switch to CA-ful later via ipa-ca-install:
http://www.freeipa.org/page/V4/CA-less_to_CA-full_conversion
Thank you, your help is much appreciated!
restart httpd.
Many thanks in advance.
BTW, I also added a comment describing this problem to the ticket at
https://fedorahosted.org/freeipa/ticket/5496.
Honza
On 4.1.2016 14:10, Peter Pakos wrote:
Hi Jan,
On 04/01/2016 12:44, Jan Cholasta wrote:
1. Install the CA certificate chain of the issuer of the 3rd party
certificate to IPA using "ipa-cacert-manage install"
2. Run "ipa-certupdate" to update CA certificate related IPA
alias/ or
/etc/dirsrv/slapd-EXAMPLE-COM/ NSS databases.
You can check that with
# certutil -L -d /var/lib/pki/pki-tomcat/alias/
# certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/
BTW, if you want to see the whole article or other articles from the
large KB, I would suggest getting a subscription :-)
On 30.7.2015 at 17:28 Orion Poplawski wrote:
On 07/28/2015 11:09 PM, Jan Cholasta wrote:
On 20.7.2015 at 19:52 Orion Poplawski wrote:
On 07/20/2015 12:57 AM, Jan Cholasta wrote:
On 15.7.2015 at 20:57 Orion Poplawski wrote:
On 07/14/2015 11:53 PM, Jan Cholasta wrote:
-replica-prepare' with a CA-less configuration?
If the chain is complete, there should be a self-signed CA certificate
at the top. For you that would be the Equifax/GeoTrust certificate. If
it's not self-signed, it means the chain is in fact not complete.
Thanks all,
Honza
On 20.7.2015 at 19:52 Orion Poplawski wrote:
On 07/20/2015 12:57 AM, Jan Cholasta wrote:
On 15.7.2015 at 20:57 Orion Poplawski wrote:
On 07/14/2015 11:53 PM, Jan Cholasta wrote:
# ipa-replica-prepare -v ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
--dirsrv_pin=XX
On 15.7.2015 at 20:57 Orion Poplawski wrote:
On 07/14/2015 11:53 PM, Jan Cholasta wrote:
Hi,
On 10.7.2015 at 22:33 Orion Poplawski wrote:
On 07/08/2015 11:31 AM, Orion Poplawski wrote:
But then when I go to make a replica:
# ipa-replica-prepare ipa1.nwra.com --dirsrv_pkcs12
of the following
commands:
# pk12util -l nwra.com.p12
# ipa-replica-prepare -v ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
--dirsrv_pin=XX --http_pkcs12=nwra.com.p12 --http_pin=XX
?
Honza
On 15.5.2015 at 09:31 Martin Kosek wrote:
On 05/15/2015 09:22 AM, Fraser Tweedale wrote:
On Fri, May 15, 2015 at 07:59:27AM +0200, Jan Cholasta wrote:
Hi,
On 5.5.2015 at 10:43 Martin Kosek wrote:
On 05/04/2015 01:19 PM, Harald Dunkel wrote:
Hi folks,
Instead of a self-signed
for the pathlen limitation and have nice error messages around
it when admin attempts to use Sub-CAs.
Final note, there is a related ticket:
https://fedorahosted.org/freeipa/ticket/3466
Martin
Honza
or anything like that?
Regards,
D
2015-04-17 15:27 GMT+02:00 Jan Cholasta jchol...@redhat.com:
Hi,
I don't have any new information. I'm trying to reproduce the
problem but had no luck so far.
Honza
On 17.4.2015 at 15:23 David Dejaeghere david.dejaegh...@gmail.com wrote:
Hi Honza,
That gave me the exact same output. Any ideas?
Regards,
D
2015-04-15 7:33 GMT+02:00 Jan Cholasta jchol...@redhat.com:
Hi,
On 14.4.2015 at 19:47 Rob Crittenden wrote
-bundle.trust.crt
# update-ca-trust
rob
Honza
to install the CA:
# ipa-ca-install <path to replica info file>
Any hints will be appreciated...
James
2015-04-08 7:27 GMT+02:00 Jan Cholasta jchol...@redhat.com:
On 7.4.2015 at 15:31 Martin Kosek wrote:
On 04/07/2015 02:08 PM, James James
the definitive answer. However, FreeIPA was
not
very flexible in configuring special subjects for its CA certificate
(i.e.
cn=Certificate Authority, ou=...) or hosts in case of CA-less setup.
server using:
$ ipa host-mod <ipa server fqdn> --ok-as-delegate=1
Honza
, without having to configure anything.
Thanks for your help.
--Prashant
by default. This can be fixed by calling
api.Backend.rpcclient.connect() instead.
.
Without them, I can't really tell what's wrong.
soon to reflect how renewal should be
handled on 4.0+ servers. The renewal master is now stored in LDAP so
switching it is a lot easier.
rob
On 15.1.2015 at 15:29 Bill Peck wrote:
On Thu, Jan 15, 2015 at 3:26 AM, Jan Cholasta jchol...@redhat.com wrote:
Hi,
On 14.1.2015 at 14:54 Brian Topping wrote:
Hi Martin, thanks for your response!
What I realize now
://seven.centos.org/2014/12/freeipa-4-1-2-and-centos? I'm
interested in integrating Shiro or some other RBAC against IPA at some
point in the next few months, but I'd wait if the Docker image is a
prelude to 4.x hitting vendor repos soon.
Cheers, Brian
Honza
Kind regards
Christoph Kaminski
From: Jan Cholasta jchol...@redhat.com
To: Christoph Kaminski christoph.kamin...@biotronik.com
Cc: freeipa-users@redhat.com
Date: 21.11.2014 11:09
Subject: Re: Reply: Re: Reply: Re: [Freeipa-users] Multiple Domains and SSH
attribute of the
host entry using ldapmodify.
Kind regards
Christoph Kaminski
From: Jan Cholasta jchol...@redhat.com
To: Jakub Hrozek jhro...@redhat.com, d...@redhat.com
Cc: freeipa-users@redhat.com
Date: 19.11.2014 07:53
Subject: Re: [Freeipa-users] Multiple Domains and SSH
Sent by: freeipa-users
Honza would have some tips for debugging...
See pages 13-16 of
http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf.
Honza
these are not inappropriate questions: I'd just like
to ensure this is done correctly. Thank you.
Don't worry, these are very appropriate questions ;-)
---
Dragan Prostran
On Fri, Oct 24, 2014 at 6:12 AM, Jan Cholasta jchol...@redhat.com wrote:
Hi,
On 24.10.2014 at 04:36 Dragan Prostran wrote:
Hello
Honza
you add some details?
You can find more info at
http://www.freeipa.org/page/V4/CA_certificate_renewal
3) am I insane for wanting to introduce FC21 into my environment?
4) has anyone done this, and what was your experience with doing so?
Honza
, or the full certificate chain is not present in the
PKCS#12 file error in ipa-server-certinstall.
Any ideas?
Honza
certificates from it and re-run
ipa-replica-prepare, you should be able to successfully install the
replica using ipa-replica-install.
Best regards
Nicklas Björk
Honza
provider. With FreeIPA 4.0, you do not need to do anything, you have SUDO
client configuration for free.
HTH,
Martin
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
. If you do that,
everything should work fine.
Regards
Barry
Honza
:
User
... and so on...
Any suggestions from anyone who has gotten an external-ca install to work?
Robert
--
Senior Software Engineer @ Parsons
Honza
OK, there is definitely something going on in the client then. Are there
multiple domains configured in sssd.conf?
On 15.1.2014 13:56, Bret Wortman wrote:
The fingerprint does match.
On 01/15/2014 03:33 AM, Jan Cholasta wrote:
On 14.1.2014 12:34, Bret Wortman wrote:
The key in /etc/ssh
and
.foo.com and I'm not sure how to reduce us properly to just foo.com.
Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman
On Jan 16, 2014, at 4:42 AM, Jan Cholasta jchol...@redhat.com wrote:
OK, there is definitely something going on in the client then. Are there
multiple domains
11:52 AM, Jan Cholasta wrote:
I think you can just comment out the whole [domain/] section in
sssd.conf and restart sssd. Does that solve the problem? If not, could
you please post your sssd.conf here?
On 16.1.2014 11:21, Bret Wortman wrote:
Yes, though there should be only one. We ended up
that, it will just update
/var/lib/sss/pubconf/known_hosts again.
On 01/14/2014 05:43 AM, Jan Cholasta wrote:
On 13.1.2014 22:18, Jakub Hrozek wrote:
On Mon, Jan 13, 2014 at 02:44:29PM -0500, Bret Wortman wrote:
They're definitely different. I deleted the one in the file, then
tried again
.
Honza
of the IPA CA, which it did in this case. I'm not even
entirely sure what it would mean to have the CA certificate itself be
a wildcard cert. Doesn't seem to be a valid use-case though.
Looks like this validation was added in v3.
rob
Honza
and then be able to assign selected set of user attributes (like
SSH public key, home directory, shell...) which could then be leveraged by SSSD?
Martin
I think that if you add proper schema to AD, you can have SSSD directly
use SSH public keys stored in AD.
Honza
/profileSelect?profileId=caServerCert,
paste the wildcard CSR in the form and submit it.
Then, navigate your web browser to
https://ipaserver:8443/ca/agent/ca/listRequests.html, find your request
and approve it. This should give you the signed certificate.
Honza
luck getting the private key out
from the certdb.
Thanks.
Hi,
you can use pk12util to export it to PKCS#12 file, which contains both
the certificate and the private key:
# pk12util -o file.p12 -n Server-Cert -d /etc/httpd/alias -k
/etc/httpd/alias/pwdfile.txt
Honza
.
Am I missing something?
No. The documentation is wrong for some reason. This is what you should
have in ssh_config:
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
Honza
sss_ssh_authorizedkeys
works on the machine with sshd, because that's the one that matters here.
Also, what version of OpenSSH do you have installed?
Honza
://fedorahosted.org/freeipa/ticket/3095:
IMHO DNS configuration on client side is job for DHCP or Puppet. Isn't it?
There is a couple of tickets that are related to this issue:
https://fedorahosted.org/freeipa/ticket/1609
https://fedorahosted.org/freeipa/ticket/2655
Honza
that, you need to modify this line in the [sssd] section:
services = nss, pam
to:
services = nss, pam, ssh
and add a new empty [ssh] section at the end of the file.
Honza
Victoria University, Wellington, NZ
0064 4 463 6272