Re: [Freeipa-users] Enrolling with multiple IPA servers

2014-10-07 Thread Petr Spacek
On 6.10.2014 20:43, Alexander Bokovoy wrote: On Mon, 06 Oct 2014, Nordgren, Bryce L -FS wrote: The hostname put by ipa-client-install corresponds to the server to which this client is enrolled. You enroll with a single server, after all. How would one enroll with multiple IPA servers? For ins

Re: [Freeipa-users] weak and null ciphers detected on ldap ports

2014-10-07 Thread Murty, Ajeet (US - Arlington)
Hi Martin and Nathan, Thank you for providing that info. Unfortunately, my IPA server is running on CentOS, and the latest IPA version available through YUM is - 'ipa-server.i686 3.0.0-37.el6'. The latest version of 389-DS through YUM is - '389-ds-base.i686 1.2.11.15-34.el6_5 '. Nessus scan had

Re: [Freeipa-users] weak and null ciphers detected on ldap ports

2014-10-07 Thread Alexander Bokovoy
On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote: Hi Martin and Nathan, Thank you for providing that info. Unfortunately, my IPA server is running on CentOS, and the latest IPA version available through YUM is - 'ipa-server.i686 3.0.0-37.el6'. The latest version of 389-DS through YUM is

[Freeipa-users] GNOME Project moved to FreeIPA for managing its account information

2014-10-07 Thread Alexander Bokovoy
Hi! As Andrea Veri describes in the blog[1], GNOME Project's infrastructure is now powered by FreeIPA. While GNOME was already using SSSD since very early days of SSSD project, move to FreeIPA on the server side took more time. [1] https://www.dragonsreach.it/2014/10/07/the-gnome-infrastructure

Re: [Freeipa-users] weak and null ciphers detected on ldap ports

2014-10-07 Thread Murty, Ajeet (US - Arlington)
I edited both ldif files to remove fortezza_null. Looks like this now - nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5, +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_s

Re: [Freeipa-users] weak and null ciphers detected on ldap ports

2014-10-07 Thread Murty, Ajeet (US - Arlington)
Sorry, messed up copy paste, here is the edited section - nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+ rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128 _sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha nu

Re: [Freeipa-users] weak and null ciphers detected on ldap ports

2014-10-07 Thread Alexander Bokovoy
On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote: I edited both ldif files to remove fortezza_null. Looks like this now - nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5, +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo rtezza_rc

Re: [Freeipa-users] weak and null ciphers detected on ldap ports

2014-10-07 Thread Ludwig Krispenz
On 10/07/2014 12:16 PM, Murty, Ajeet (US - Arlington) wrote: Sorry, messed up copy paste, here is the edited section - nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+ rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128 _sha,+tls_rsa_e

Re: [Freeipa-users] GNOME Project moved to FreeIPA for managing its account information

2014-10-07 Thread Martin Kosek
On 10/07/2014 11:58 AM, Alexander Bokovoy wrote: > Hi! > > As Andrea Veri describes in the blog[1], GNOME Project's infrastructure > is now powered by FreeIPA. While GNOME was already using SSSD since very > early days of SSSD project, move to FreeIPA on the server side took more > time. > > [1]

[Freeipa-users] FW: IdM failing to install after reconfiguring server.

2014-10-07 Thread Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
Dmitri, Thanks very much. That did it. I'm making a special note of this one and not storing it in the Outlook folders. RE: looking through the various log files didn't seem to help as they are somewhat confusing to the IM novice like myself. Al From: freeipa-users-boun...@redhat.com

Re: [Freeipa-users] GNOME Project moved to FreeIPA for managing its account information

2014-10-07 Thread James
On 7 October 2014 05:58, Alexander Bokovoy wrote: > Hi! > > As Andrea Veri describes in the blog[1], GNOME Project's infrastructure > is now powered by FreeIPA. While GNOME was already using SSSD since very > early days of SSSD project, move to FreeIPA on the server side took more > time. Yup :)

[Freeipa-users] FW: IdM failing to install after reconfiguring server.

2014-10-07 Thread Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
Let me correct my last entry. In looking at the log files, I did come across this error at the end of the ipaserver-install.log, but that was not one of the files or directories that had to be deleted as per the corrective list of actions: 2014-10-07T12:53:04Z DEBUG The ipa-server-install co

Re: [Freeipa-users] Enrolling with multiple IPA servers

2014-10-07 Thread James
On 6 October 2014 14:43, Alexander Bokovoy wrote: > If you have some masters that are accessible by these isolated nodes, > enroll isolated nodes against these masters. Nobody prevents you to > select your deployment strategy and manipulate configuration files > afterwards. Purpleidea's puppet mod

Re: [Freeipa-users] weak and null ciphers detected on ldap ports

2014-10-07 Thread Rich Megginson
On 10/07/2014 04:16 AM, Murty, Ajeet (US - Arlington) wrote: Sorry, messed up copy paste, here is the edited section - nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+ rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128 _sha,+tls_rsa_ex

Re: [Freeipa-users] weak and null ciphers detected on ldap ports

2014-10-07 Thread Rob Crittenden
Murty, Ajeet (US - Arlington) wrote: > Sorry, messed up copy paste, here is the edited section - > > nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+ > rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128 > _sha,+tls_rsa_export1024_with_rc4

Re: [Freeipa-users] weak and null ciphers detected on ldap ports

2014-10-07 Thread Murty, Ajeet (US - Arlington)
I was shutting down IPA before making any changes - 1. Shutdown IPA - [root]# /etc/init.d/ipa stop Stopping CA Service Stopping pki-ca: [ OK ] Stopping HTTP Service Stopping httpd:[ OK ] Stopping MEMCACHE

Re: [Freeipa-users] weak and null ciphers detected on ldap ports

2014-10-07 Thread Alexander Bokovoy
On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote: I was shutting down IPA before making any changes - 1. Shutdown IPA - [root]# /etc/init.d/ipa stop Stopping CA Service Stopping pki-ca: [ OK ] Stopping HTTP Service Stopping httpd:

Re: [Freeipa-users] weak and null ciphers detected on ldap ports

2014-10-07 Thread Murty, Ajeet (US - Arlington)
I shutdown IPA and modified both dse ldif files to look like this - nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5, +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_e

Re: [Freeipa-users] weak and null ciphers detected on ldap ports

2014-10-07 Thread Alexander Bokovoy
On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote: I shutdown IPA and modified both dse ldif files to look like this - nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5, +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,

Re: [Freeipa-users] weak and null ciphers detected on ldap ports

2014-10-07 Thread Murty, Ajeet (US - Arlington)
I removed the new lines, looks like this now - modifyTimestamp: 20140915221826Z nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5, +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with

Re: [Freeipa-users] domain trust linux to AD server not finding user profiles

2014-10-07 Thread Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
I've been following the steps outlined in section 7.3.5 of the manual entitled Integrating OpenShift Enterprise with Identity Management (IdM) in Red Hat Enterprise Linux OpenShift Enterprise 2.1 IdM in Red Hat Enterprise Linux 7 Windows Server 2012 - Active Directory Integration I now have our

Re: [Freeipa-users] GNOME Project moved to FreeIPA for managing its account information

2014-10-07 Thread Dmitri Pal
On 10/07/2014 09:27 AM, James wrote: On 7 October 2014 05:58, Alexander Bokovoy wrote: Hi! As Andrea Veri describes in the blog[1], GNOME Project's infrastructure is now powered by FreeIPA. While GNOME was already using SSSD since very early days of SSSD project, move to FreeIPA on the server

Re: [Freeipa-users] domain trust linux to AD server not finding user profiles

2014-10-07 Thread Dmitri Pal
On 10/07/2014 05:03 PM, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote: I've been following the steps outlined in section 7.3.5 of the manual entitled Integrating OpenShift Enterprise with Identity Management (IdM) in Red Hat Enterprise Linux OpenShift Enterprise 2.1 IdM in

[Freeipa-users] Error: invalid 'AD domain controller' when establishing trust

2014-10-07 Thread Genadi Postrilko
Hello. I am attempting to create trust between AD and IPA. I have deployed an AD environment as follows: I have created domain RED.COM. Then I added a new domain tree root - BLUE.COM. Now I would like to establish trust with IPA as a sub domain (LINUX.BLUE.COM) of BLUE.COM. I followed the guide and wh

Re: [Freeipa-users] GNOME Project moved to FreeIPA for managing its account information

2014-10-07 Thread James
On 7 October 2014 19:54, Dmitri Pal wrote: > On 10/07/2014 09:27 AM, James wrote: >> >> On 7 October 2014 05:58, Alexander Bokovoy wrote: >>> >>> Hi! >>> >>> As Andrea Veri describes in the blog[1], GNOME Project's infrastructure >>> is now powered by FreeIPA. While GNOME was already using SSSD s

Re: [Freeipa-users] GNOME Project moved to FreeIPA for managing its account information

2014-10-07 Thread Fraser Tweedale
On Tue, Oct 07, 2014 at 12:58:09PM +0300, Alexander Bokovoy wrote: > Hi! > > As Andrea Veri describes in the blog[1], GNOME Project's infrastructure > is now powered by FreeIPA. While GNOME was already using SSSD since very > early days of SSSD project, move to FreeIPA on the server side took more

Re: [Freeipa-users] GNOME Project moved to FreeIPA for managing its account information

2014-10-07 Thread Dmitri Pal
On 10/07/2014 09:55 PM, Fraser Tweedale wrote: On Tue, Oct 07, 2014 at 12:58:09PM +0300, Alexander Bokovoy wrote: Hi! As Andrea Veri describes in the blog[1], GNOME Project's infrastructure is now powered by FreeIPA. While GNOME was already using SSSD since very early days of SSSD project, move

Re: [Freeipa-users] GNOME Project moved to FreeIPA for managing its account information

2014-10-07 Thread James
On 7 October 2014 21:55, Fraser Tweedale wrote: > This is great. Can we use the GNOME project's experience as a story > or case study in promoting FreeIPA to other projects/communities? > IMO we need a couple of examples like this on the freeipa.org front > page. I would recommend waiting a lit

Re: [Freeipa-users] weak and null ciphers detected on ldap ports

2014-10-07 Thread Murty, Ajeet (US - Arlington)
Any ideas on what else I can try here? Also, can we expect the new IPA and DS to be available in the CentOS/YUM repository in the next few weeks/months? Thanks again for all your help. -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] O

Re: [Freeipa-users] weak and null ciphers detected on ldap ports

2014-10-07 Thread Rich Megginson
On 10/07/2014 10:15 PM, Murty, Ajeet (US - Arlington) wrote: Any ideas on what else I can try here? Please file a ticket. Also, can we expect the new IPA and DS to be available in the CentOS/YUM repository in the next few weeks/months? Thanks again for all your help. -Original Message

Re: [Freeipa-users] weak and null ciphers detected on ldap ports

2014-10-07 Thread Murty, Ajeet (US - Arlington)
Done. 'Bug 1150368 -Unable to disable Null Ciphers on 389-Directory-Server using nsSSL3Ciphers in Ldif ' https://bugzilla.redhat.com/show_bug.cgi?id=1150368 Thanks. -Original Message- From: Rich Megginson [mailto:rmegg...@redhat.com] Sent: Wednesday, October 08, 2014 12:37 AM To: Murty

Re: [Freeipa-users] weak and null ciphers detected on ldap ports

2014-10-07 Thread Alexander Bokovoy
On Wed, 08 Oct 2014, Murty, Ajeet (US - Arlington) wrote: Any ideas on what else I can try here? Also, can we expect the new IPA and DS to be available in the CentOS/YUM repository in the next few weeks/months? In general, FreeIPA team doesn't do backports to older versions due to tight coopera