Re: [Freeipa-users] Account Expiration

2013-02-07 Thread Simo Sorce
On Thu, 2013-02-07 at 08:31 +0100, James James wrote: Thanks Rob. I have one more question. Is it possible to add a field in the ui, and get the field's value in a custom add user hook script? It wouldn't be useful as you would not have permission to change it anyways. If you want to

Re: [Freeipa-users] Account Expiration

2013-02-07 Thread Petr Vobornik
On 02/07/2013 08:45 AM, Martin Kosek wrote: On 02/07/2013 08:31 AM, James James wrote: Thanks Rob. I have one more question. Is it possible to add a field in the ui, and get the field's value in a custom add user hook script? James Theoretically it's possible but it requires quite good

[Freeipa-users] Service accounts and groups

2013-02-07 Thread Steven Jones
Hi, I have had little to do with permissions until now so bear with me if the Qs are obviously stupid, probably not really IPA but a linux blind spot I have anyway, So I have a service account with its group this runs a database. So oracle with uid 2000 and gid 2000. I have some other

Re: [Freeipa-users] Adding an ipa-client behind NAT

2013-02-07 Thread Simo Sorce
On Fri, 2013-02-08 at 00:57 +0530, Rajnesh Kumar Siwal wrote: Does IPA server 2.2 support the ipa clients authentication behind the NAT? Authentication works, password changes using kpasswd protocol do not. Simo. -- Simo Sorce * Red Hat, Inc * New York

[Freeipa-users] sync / trusts with multiple AD domains

2013-02-07 Thread Brian Cook
I know that syncing w/ AD has a limitation to one domain, or multiple but only if there are no overlapping accounts in the AD domains. Does the current AD trust implementation allow multiple domains, and does it have the same overlapping account issues? Thanks, Brian

Re: [Freeipa-users] Service accounts and groups

2013-02-07 Thread KodaK
On Thu, Feb 7, 2013 at 1:46 PM, Steven Jones steven.jo...@vuw.ac.nz wrote: Hi, I have had little to do with permissions until now so bear with me if the Qs are obviously stupid, probably not really IPA but a linux blind spot I have anyway, So I have a service account with its group

Re: [Freeipa-users] Service accounts and groups

2013-02-07 Thread Steven Jones
All users are IPA only regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of KodaK [sako...@gmail.com] Sent:

[Freeipa-users] SOLVED: Re: Adding an ipa-client behind NAT

2013-02-07 Thread Rajnesh Kumar Siwal
Thanks, Simo. On Fri, Feb 8, 2013 at 1:30 AM, Simo Sorce s...@redhat.com wrote: On Fri, 2013-02-08 at 00:57 +0530, Rajnesh Kumar Siwal wrote: Does IPA server 2.2 support the ipa clients authentication behind the NAT? Authentication works, password changes using kpasswd protocol do not.

[Freeipa-users] Does disabling IPA User disables his LDAP Account Also

2013-02-07 Thread Rajnesh Kumar Siwal
We are planning to use the IPA Server in the application that may not support Kerberos. So, we may have to interact with the LDAP Server (389-ds) directly for some applications. I would like to confirm whether disabling the IPA User (I believe it locks Kerberos Account) also disables his LDAP

Re: [Freeipa-users] Does disabling IPA User disables his LDAP Account Also

2013-02-07 Thread Rob Crittenden
Rajnesh Kumar Siwal wrote: We are planning to use the IPA Server in the application that may not support Kerberos. So, we may have to interact with the LDAP Server (389-ds) directly for some applications. I would like to confirm whether disabling the IPA User (I believe it locks Kerberos

[Freeipa-users] SOLVED: Re: Does disabling IPA User disables his LDAP Account Also

2013-02-07 Thread Rajnesh Kumar Siwal
Thanks for the Quick update. On Fri, Feb 8, 2013 at 9:31 AM, Rob Crittenden rcrit...@redhat.com wrote: Rajnesh Kumar Siwal wrote: We are planning to use the IPA Server in the application that may not support Kerberos. So, we may have to interact with the LDAP Server (389-ds) directly for

Re: [Freeipa-users] ipa-replica-prepare failed

2013-02-07 Thread James James
My ipa version is ipa-server-2.2.0-17.el6_3.1.x86_64 and the distro is Scientific Linux 6.3. I have used ipa-server-certinstall to replace the default IPA certs. 2013/2/8 Rob Crittenden rcrit...@redhat.com James James wrote: Hi, today I wanted to install an ipa replica. When I used the

Re: [Freeipa-users] User Migrated from LDAP not able to change the password

2013-02-07 Thread Martin Kosek
On 02/08/2013 07:43 AM, Rajnesh Kumar Siwal wrote: We migrated the users from openldap to IPA. We are getting the following error after the User has been migrated (after he changes the password through https://ipa1/ipa/migration/) and he tries to change passwd :- Account is not locked and

Re: [Freeipa-users] Service accounts and groups

2013-02-07 Thread Martin Kosek
On 02/07/2013 08:46 PM, Steven Jones wrote: Hi, I have had little to do with permissions until now so bear with me if the Qs are obviously stupid, probably not really IPA but a linux blind spot I have anyway, So I have a service account with its group this runs a database. So