[Freeipa-users] passwd: Authentication token manipulation error
Hi,

This morning I was asked to reset the user password of one of our IPA/LDAP user accounts. After I reset the password I tried to log on to a particular ssh machine. The system asked to change the password as expected. I entered the new password and then re-entered the new password; after this the system answered with:

passwd: Authentication token manipulation error

So in order to test this situation I created a new account and I had the same problem with the new account. I also tried to reset another user's password and I got the same problem. It seems that I'm not able to reset any user's password. Any ideas?

From the krb5kdc.log I get:

Nov 19 14:35:31 ldap.webdom.lifesci.ucla.edu krb5kdc[1610](info): AS_REQ (4 etypes {18 17 16 23}) 164.67.110.65: PREAUTH_FAILED: tacco...@myserver.com for kadmin/chang...@myserver.com, Decrypt integrity check failed

From the /var/lib/dirsrv/slapd-server.com/errors file I get:

ipapwd_setPasswordHistory - [file ipapwd_common.c, line 926]: failed to generate new password history!
[19/Nov/2012:14:35:40 -0800] managed-entries-plugin - mep_mod_post_op: Unable to find config for origin entry uid=taccount,cn=users,cn=accounts,dc=myserver,dc=com.

Any idea on what's going on?

Thank you
Marcello
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] Restrict user access
Hi,

I defined some users that are not members of the ipausers group; for some reason these users are able to log in to the server using the ipa client tools and the web interface https://myipaserver/ipa/ui

I don't want any users to look at other users' information. Is there a way to deny access to the ipa client tools and Web UI to these non-ipausers?

Thank you
Marcello

Re: [Freeipa-users] distribution mailing list
Hi Dmitri,

Thank you for the suggestions. I'll try your solution with the member attribute and see how it goes. Thank you for your prompt answer.

Marcello

On Sep 12, 2012, at 4:44 AM, Dmitri Pal wrote:

> On 09/12/2012 02:52 AM, Marcello Giannoni UCLA wrote:
> > Hi
> > I'm currently using the free-ipa server on red hat enterprise 6.2. Someone asked me to implement a distribution list on the system. I would like to set up free-ipa in a way that I can create expandable groups, so that when I connect through an email client and I type the group defined in the ipa-server the group will expand to all the emails of users subscribed to that particular group.
> > Do I have to change the dif.ldif schema in order to achieve this? I have heard that someone resolved this problem using the objectClass=groupOfNames but I couldn't find any explanation on how to implement this. I don't know if the problem lies in the type of group to use or the base search on the ldap client; I need some clue on how to do this.
> > I hope someone can spread some light on this
>
> I am not sure but suspect that you need a filter for the mail client to expand the list of users. The attribute that would help with that is member. It is a multi-value attribute of the group object that contains the list of all the users that are directly or indirectly (via nested groups) members of the specific group. If you need more than user DNs but user entries then you might want to go the other way around. Use the entered group to search for all the users whose memberOf attribute contains the given group.
>
> > Thank you in advance
> > Marcello
>
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
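
The memberOf search suggested in the reply above, as an added example that is not part of the thread: it builds the filter for a group name typed into a mail client, escaping the name first for the DN (RFC 4514) and then for the filter (RFC 4515) so the input cannot change the query. The cn=groups,cn=accounts and cn=users,cn=accounts containers, the objectClass=person match and the anonymous `-x` bind are assumptions; the suffix is the one in the directory log quoted earlier on this page.

```python
# Added example, not from the thread. Assumes FreeIPA's default tree
# (cn=groups,cn=accounts and cn=users,cn=accounts) under the suffix in the log.
SUFFIX = "dc=myserver,dc=com"
GROUPS_BASE = "cn=groups,cn=accounts," + SUFFIX
USERS_BASE = "cn=users,cn=accounts," + SUFFIX


def escape_dn_value(value: str) -> str:
    """Escape one RDN value per RFC 4514 so it cannot add RDNs to the DN."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append("\\00")
        elif ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so it cannot alter the filter."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def group_dn(group_name: str) -> str:
    """DN of the group entry for a user-supplied group name."""
    return "cn=" + escape_dn_value(group_name) + "," + GROUPS_BASE


def members_mail_filter(group_name: str) -> str:
    """Filter for user entries with a mail value whose memberOf holds the group DN."""
    dn = escape_filter_value(group_dn(group_name))
    return "(&(objectClass=person)(mail=*)(memberOf=" + dn + "))"


def ldapsearch_argv(group_name: str) -> list:
    """Argument vector (no shell involved) that returns only the mail attribute."""
    return ["ldapsearch", "-x", "-LLL", "-b", USERS_BASE,
            members_mail_filter(group_name), "mail"]


if __name__ == "__main__":
    for name in ("staff", "lab, west", "x)(uid=*"):  # constructed group names
        print(members_mail_filter(name))
```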