Hi,
I'm playing around with keycloak and wanted to use an SSL certificate
from IPA. I've looked around but didn't see any howto about using java
keytool with ipa-getcert. Has someone experience with it?
I was not successful adding key/cert created by certmonger into keytool,
and also not
Rob Crittenden writes:
> certmonger doesn't support storing certificates in a java keystore.
That's what I found out :-)
> The tricky bit might be in dealing with the CSR. certmonger needs the
> private key in order do the renewal.
>
> I guess one thing you could do is a
Prasun Gera via FreeIPA-users
writes:
> The only thing I would be interested in knowing is if there is a
> performance penalty to mounting NFS locally. Ideally, it should be smart
> enough to know that, but I'm not sure if it is.
On my NFS server /home is a
saidireddy ranabothu via FreeIPA-users
writes:
> I have enabled password+OTP authentication for a user and able to sync
> tokens and SSH.
>
> While ssh to server using FIPA credentials it's asking authentication in
> two steps as First Factor and Second
Jochen Hein via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
writes:
> Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
> writes:
>
>> So theoretically certmonger could for example, track PEM files in the
>> filesystem and upon re
Hello Dagan,
> The VPN is Cisco, we use openconnect to connect to it currently and it
> works without a problem.
I use ocserv on my VPN server and openconnect - normally with GSSAPI,
but I'll try with password/OTP.
> The Yubikeys in the existing configuration are in a static file, which
> does
Marius Bjørnstad via FreeIPA-users
writes:
> After I upgraded to FreeIPA 4.5 (on CentOS 7), I get an error "Login
> failed due to an unknown reason" on the web UI, no matter if I use the
> admin user or my personal user.
...
> [Thu Oct 05 11:36:38.505372
I've upgraded my FreeIPA servers to CentOS 7.5 (CR). After that I have
the following new messages during backup:
Aug 30 01:34:34 freeipa1 ns-slapd: [30/Aug/2017:01:34:34.225932118 +0200] - ERR
- dblayer_copy_directory - Backend instance "cldb" does not exist; Instance
path
Ludwig Krispenz via FreeIPA-users
writes:
> This is issue: https://pagure.io/389-ds-base/issue/49334
Thanks for the info. I like the documentation and analysis in the
tickets (not only this one) - well done!
Jochen
--
This space is intentionally left
Torsten Harenberg via FreeIPA-users
writes:
> Suddenly, our Linux Mint clients refrain from logging in users and
> throw a system error. I increased the log level and the relevant lines
> seem to be:
>
> (Sun Sep 10 03:19:09 2017)
Mark Haney via FreeIPA-users
writes:
> since these two servers are CentOS 6.9. I'm almost certain I've got
> everything setup correctly, but I'm still unable to login as an IPA
> user either with SSH or with su - . I get ' does
> not exist'. However, I
Aaron Hicks via FreeIPA-users
writes:
> As a workaround for another issue we have with using two-factor
> authentication, we're using pam_krb5 to change expired passwords, so in
> /etc/pam.d/password-auth-ac we have changed the password section to be:
>
...
Udo Rader via FreeIPA-users
writes:
> Our current setup looks like this:
...
> #4 DHCP is handled by multiple, distributed ISC DHCP servers,
> configured to pull their configuration from OpenLDAP (network
> definitions, routers, NTP servers, MAC addresses
Hi,
Duncan Colhoun via FreeIPA-users
writes:
> Can I get some feedback on the overall experience setting up and
> running Free-IPA. I am looking at implementing Free-IPA to
> enhance/replace an OpenLDAP environment.
I'm running a small FreeIPA (2 servers)
Rob Crittenden via FreeIPA-users
writes:
> I don't know where Keycloak upstream is.
Look at http://www.keycloak.org
Jochen
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To
Kristian Petersen via FreeIPA-users
writes:
> When I recently updated one of my IPA servers (it reports
> 4.5.0-21.el7_4.1.2 in yum), the result was that it could not start back up
> because pki-tomcatd kept failing. I was able to get it running for now by
Kristian Petersen via FreeIPA-users
writes:
> The dirsrv log just shows a bunch of the following:
> [13/Oct/2017:14:32:07.132312021 -0600] - ERR - slapi_ldap_bind - Error:
> could not bind id [cn=Replication Manager cloneAgreement1-ipa
>
Cody Rathgeber via FreeIPA-users
writes:
> I'm trying to deploy freeipa to an environment running a mix of ubuntu
> 16.04 and 14.04 servers.
> on 16.04 the servers join and can pull down users no problem, on 14.04 when
> joining it'll throw a
>
> "Unable to
Cody Rathgeber writes:
> Thanks, I'm sure it was a versioning issue as the server is 4.5, and i see
> the default ubuntu 14.04 packages i was using were 3.3. Using the repo
> Jochen mentioned I can install 4.0 on ubuntu 14.04 but I will get the below
> errors in the log
Giulio Casella via FreeIPA-users
writes:
> Done, ipactl status report everything running,
That's not correct, see below.
> but certificates don't renew.
> Looking at certmonger (in debug mode) I can see:
>
> "Server at
Giulio Casella via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
writes:
> On 09/01/2018 18:19, Jochen Hein via FreeIPA-users wrote:
>> Giulio Casella via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
>> writes:
>>
>>> Done, ipactl stat
Lukas Slebodnik via FreeIPA-users
writes:
> On (15/01/18 10:53), Rob Crittenden via FreeIPA-users wrote:
>>As I read it he has the reverse problem. He installed with NTP support
>>and now wants to remove it.
>>
>>You need to remove NTP as a managed IPA
Alex Corcoles via FreeIPA-users
writes:
> Is there any official literature about how to monitor FreeIPA?
I'm using https://github.com/peterpakos/checkipaconsistency to monitor
my replicas.
> Is there any plan to provide an official way to monitor FreeIPA?
John Ratliff via FreeIPA-users
writes:
> Okay, so the problem wasn't that it wasn't working; it's that I didn't
> understand the prompts. Debian only prompts for password, but wants
> password + OTP on the same field. CentOS prompts for First Factor /
>
Bret Wortman via FreeIPA-users
writes:
> Sequence of events in trying to stand up a new IPA server to replace
> (wholesale) our old ones.
>
...
> 3. # ipa-server-install --setup-dns --auto-reverse --no-forwarders
...
> And now I'm back where I was. IPA is
Winfried de Heiden via FreeIPA-users
writes:
> OTP using IPA 4.5 on CentOS seems to work well. However: I can force a user
> to use OTP and/or a host.
Authentication indicators won't work that way...
> Selecting a user, ALL authentication needs OTP.
Bret Wortman via FreeIPA-users
writes:
> I may be going about this in the hardest way possible, so let me stop
> and roll everything back to my root need:
>
> I have two IPA servers which manage our infrastructure. We used to
> have three, but a catastrophic
Ranbir via FreeIPA-users writes:
> When GSSAPI delegation doesn't work, I see this error:
>
> debug1: Unspecified GSS failure. Minor code may provide more information
> Server host/ip...@theinside.rnr not found in Kerberos database
You used "ssh ipa01", right? And the host has been enrolled
hedrick--- via FreeIPA-users
writes:
> We have a number of systems on the internet. They are constantly
> attacked through ssh. A lot of attacks try to guess passwords for a
> user called “admin.”
If you don't need the user admin on the outside facing boxes, you could
try that in
Bret Wortman via FreeIPA-users
writes:
> # kinit admin
> kint: Client's credentials have been revoked while getting initial
> credentials
>
> Then while looking at /var/log/httpd/error_log:
>
> [date] [:error] [pid] [remote 192.168.1.50:96] Database Error:
Randy Morgan via FreeIPA-users
writes:
[BIND as slave on IPA DNS masters]
> Has anyone set this up before and if so, do you have a sample config
> that I could look at to gain a better understanding of what is needed
> here?
I'm running a pair of IPA
William Muriithi via FreeIPA-users
writes:
> I am using autofs to mount home directories. The autofs maps are on IPA
> server. A while back, I adjusted the mount idle timeout from the default 5
> minutes to 2 hours.
>
> I now want to undo the change, essentially bring down the timeout to 5
>
Johan Vermeulen via FreeIPA-users
writes:
> Now it would come in handy if I could field some Debian clients for some
> purposes.
> But on the current stable release there is no freeipa client.
> I have installed some freeipa-clients from unstable, but it's not ideal.
>
> I'm wondering, is anyone
Rob Crittenden via FreeIPA-users
writes:
> Sina Owolabi via FreeIPA-users wrote:
>> Hi List
>>
>> I’ve been struggling with this for a while and I would really appreciate
>> some advice.
>> I have an openvpn server using freeIPA to authenticate users logging
>> into the office VPN.
>>
Sina Owolabi via FreeIPA-users
writes:
> Yes I use PAM with openvpn to authenticate user clients
> "plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login"
> I'm also running a HBAC controlled IPA environment but the rule for vpnusers
> is a --servicecat=all:
>
> Rule name:
Albert Szostkiewicz via FreeIPA-users
writes:
> So I do have a user on my laptop with same username as IPA user. I've
> noticed that after installing client, this existing user is still
> being authenticated by its original password and is with its original
> UID.
> What is the best procedure
Rob Crittenden via FreeIPA-users
writes:
[...]
> I don't think that first entry is a glob. I believe that * just means
> any. & is shorthand for the matching key so
>
> * -fstype=nfs4,soft,intr,rsize=8192,wsize=8192,tcp
> fileserver.chem.byu.edu:/export/home/students/&
>
> Just substitutes
Hello,
today freeipa-client migrated from sid to buster - thanks a lot for
this!
Jochen
Karim Bourenane via FreeIPA-users
writes:
> I want to deploy some IPA-client with 2 interfaces, each host interface
> managed by each IPA server.
I think the IPA servers should be replicas.
> Can you confirm that it's possible to enroll the ipa-client twice, once in
> each server?
I manage
Andrew Meyer via FreeIPA-users
writes:
> I am trying to research how to add other 2FA providers to FreeIPA.
> Has anyone added Duo or something else to FreeIPA/IPA in the most
> recent versions?
I'm running Privacyidea (https://www.privacyidea.org/) and FreeRADIUS
and have some users
Hello,
right now checkipaconsistency reports an error when not all IPA servers
have AD trust enabled. My first two IPA servers running CentOS 7 do
have KRA enabled, but installing KRA on a new CentOS 8 replica failed.
Would it be useful to check that in checkipaconsistency?
If yes, here's my
Daniel PC via FreeIPA-users
writes:
> Currently, I have 2FA implemented with password + FreeOTP as authentication
> methods.
>
> I wonder if possible to implement ssh pub+priv keys instead of a password as
> the first authentication factor.
>
> Has anyone implemented such thing?
That's
Andrew Meyer via FreeIPA-users
writes:
> [andrew.meyer@freeipa01 ~]$ sudo ipactl --ignore-service-failures start
...
> Starting smb Service
> Failed to start smb Service
> Forced start, ignoring smb Service, continuing normal operation
> Starting winbind Service
> Failed to start winbind Service