Re: [Freeipa-users] replication again :-(

2015-05-19 Thread Ludwig Krispenz
On 05/19/2015 08:58 AM, thierry bordaz wrote: On 05/19/2015 07:47 AM, Martin Kosek wrote: On 05/19/2015 03:23 AM, Janelle wrote: Once again, replication/sync has been lost. I really wish the product was more stable, it is so much potential and yet. Servers running for 6 days no issues. No

Re: [Freeipa-users] replication again :-(

2015-05-19 Thread thierry bordaz
On 05/19/2015 07:47 AM, Martin Kosek wrote: On 05/19/2015 03:23 AM, Janelle wrote: Once again, replication/sync has been lost. I really wish the product was more stable, it is so much potential and yet. Servers running for 6 days no issues. No new accounts or changes (maybe a few users

Re: [Freeipa-users] replication again :-(

2015-05-19 Thread thierry bordaz
On 05/19/2015 03:42 AM, Janelle wrote: On 5/18/15 6:23 PM, Janelle wrote: Once again, replication/sync has been lost. I really wish the product was more stable, it is so much potential and yet. Servers running for 6 days no issues. No new accounts or changes (maybe a few users changing

Re: [Freeipa-users] Apache htaccess replacement

2015-05-19 Thread Jan Pazdziora
On Mon, May 18, 2015 at 12:38:47PM -0400, thewebbie wrote: I have been attempting to use my 4.1.4 FreeIPA server to authenticate folders on a web server as a replacement for the normal htaccess feature. I do require group authentication. I have tried just about online example and have only

Re: [Freeipa-users] Certificate renewal issues for dogtag GUI (9443/9444/9445 ports)

2015-05-19 Thread Thibaut Pouzet
On 13/05/2015 10:15, Thibaut Pouzet wrote: On 12/05/2015 20:11, Nalin Dahyabhai wrote: On Tue, May 12, 2015 at 06:39:13PM +0200, Thibaut Pouzet wrote: After doing what you recommended, the CSR has changed in the debug log: Certificate Request: Data: Version: 0 (0x0)

Re: [Freeipa-users] Reinstall ipa client, problem with old CA

2015-05-19 Thread Dewangga Bachrul Alam
Hello! On 05/19/2015 12:53 PM, Martin Kosek wrote: On 05/19/2015 04:04 AM, Dewangga Bachrul Alam wrote: Hello! I'm trying to reinstall ipa client, but have a problem with old/existing ca.crt in `/etc/ipa/ca.crt`. Should I remove it manually? Since the IPA server still on development and

Re: [Freeipa-users] Apache htaccess replacement

2015-05-19 Thread thewebbie
My requirement is to replace dozens of htaccess folders on one server. Each folder requiring a user group. So Host based will not work in this case. Matthew Feinberg On May 19, 2015 4:03 AM, Jan Pazdziora jpazdzi...@redhat.com wrote: On Mon, May 18, 2015 at 12:38:47PM -0400, thewebbie wrote:

Re: [Freeipa-users] replication again :-(

2015-05-19 Thread David Kupka
On 05/19/2015 09:04 AM, thierry bordaz wrote: On 05/19/2015 03:42 AM, Janelle wrote: On 5/18/15 6:23 PM, Janelle wrote: Once again, replication/sync has been lost. I really wish the product was more stable, it is so much potential and yet. Servers running for 6 days no issues. No new accounts

[Freeipa-users] certmonger + dogtag, bad parsing of returned certificate

2015-05-19 Thread marcin kowalski
Hi, all. I am trying to integrate certmonger with dogtag instance, and so far I've stumbled on one odd problem. Hopefully this is the right list. I've generated some random cert with getcert request, it has communicated with dogtag, and I approved it there. However, when certmonger retrieves

Re: [Freeipa-users] replication again :-(

2015-05-19 Thread Janelle
On 5/19/15 12:04 AM, thierry bordaz wrote: On 05/19/2015 03:42 AM, Janelle wrote: On 5/18/15 6:23 PM, Janelle wrote: Once again, replication/sync has been lost. I really wish the product was more stable, it is so much potential and yet. Servers running for 6 days no issues. No new accounts

Re: [Freeipa-users] Problem installing external SSL Certificate

2015-05-19 Thread Dewangga Bachrul Alam
This is the verbose log, tried to convert them to p12 format (don't know if it's right or not), still no luck. http://fpaste.org/223608/88775143/raw/ Ref: http://www.redhat.com/archives/freeipa-users/2014-August/msg00338.html Any additional hints? On 05/19/2015 08:30 PM, Dewangga Bachrul Alam

Re: [Freeipa-users] Reinstall ipa client, problem with old CA

2015-05-19 Thread Martin Kosek
On 05/19/2015 03:21 PM, Dewangga Bachrul Alam wrote: Thank you Martin, Yes, the IPA Server was built on CentOS 7.1. But, some client still using CentOS 6.x, but I have plan upgrade them to 7.x. Is it gave a problem if some client still on CentOS 6.x and the IPA Server built on CentOS 7.x

Re: [Freeipa-users] RedHat IDM Replica runs ony dirsrv, kinit and getent fail after reboot

2015-05-19 Thread Sina Owolabi
Thank you very much Martin I will get back to you very soon with what I've found out. On Mon, May 18, 2015 at 3:30 PM, Martin Kosek mko...@redhat.com wrote: On 05/18/2015 02:17 PM, Sina Owolabi wrote: Hi Martin And thanks for getting back, greatly appreciated. I tore down the replica and

Re: [Freeipa-users] Reinstall ipa client, problem with old CA

2015-05-19 Thread Martin Kosek
On 05/19/2015 10:53 AM, Dewangga Bachrul Alam wrote: Hello! On 05/19/2015 12:53 PM, Martin Kosek wrote: On 05/19/2015 04:04 AM, Dewangga Bachrul Alam wrote: Hello! I'm trying to reinstall ipa client, but have a problem with old/existing ca.crt in `/etc/ipa/ca.crt`. Should I remove it

[Freeipa-users] Problem installing external SSL Certificate

2015-05-19 Thread Dewangga Bachrul Alam
Hello! I was build FreeIPA 4.1.4 on CentOS 7.1, the deployment was done, but could I changes the HTTP and dirsv certificate? I have wildcard certificate (thawte SSL CA - G2). It is compatible for FreeIPA (http and dirsv)? I've tried to follow the instruction

Re: [Freeipa-users] certmonger + dogtag, bad parsing of returned certificate

2015-05-19 Thread Martin Kosek
On 05/19/2015 12:34 PM, marcin kowalski wrote: Hi, all. I am trying to integrate certmonger with dogtag instance, and so far I've stumbled on one odd problem. Hopefully this is the right list. I've generated some random cert with getcert request, it has communicated with dogtag, and I

Re: [Freeipa-users] Reinstall ipa client, problem with old CA

2015-05-19 Thread Dewangga Bachrul Alam
Well, thanks Martin for the info :) On 05/19/2015 08:23 PM, Martin Kosek wrote: On 05/19/2015 03:21 PM, Dewangga Bachrul Alam wrote: Thank you Martin, Yes, the IPA Server was built on CentOS 7.1. But, some client still using CentOS 6.x, but I have plan upgrade them to 7.x. Is it gave a

Re: [Freeipa-users] replication again :-(

2015-05-19 Thread Janelle
On 5/19/15 1:21 AM, David Kupka wrote: On 05/19/2015 09:04 AM, thierry bordaz wrote: On 05/19/2015 03:42 AM, Janelle wrote: On 5/18/15 6:23 PM, Janelle wrote: Once again, replication/sync has been lost. I really wish the product was more stable, it is so much potential and yet. Servers

Re: [Freeipa-users] Reinstall ipa client, problem with old CA

2015-05-19 Thread Dewangga Bachrul Alam
Thank you Martin, Yes, the IPA Server was built on CentOS 7.1. But, some client still using CentOS 6.x, but I have plan upgrade them to 7.x. Is it gave a problem if some client still on CentOS 6.x and the IPA Server built on CentOS 7.x ? On 05/19/2015 08:14 PM, Martin Kosek wrote: On

Re: [Freeipa-users] replication again :-(

2015-05-19 Thread Janelle
On 5/19/15 12:17 AM, Ludwig Krispenz wrote: On 05/19/2015 08:58 AM, thierry bordaz wrote: On 05/19/2015 07:47 AM, Martin Kosek wrote: On 05/19/2015 03:23 AM, Janelle wrote: Once again, replication/sync has been lost. I really wish the product was more stable, it is so much potential and

Re: [Freeipa-users] certmonger + dogtag, bad parsing of returned certificate

2015-05-19 Thread marcin kowalski
Thanks for the tip, I am using whatever is in current fedora, which is 0.76 or similar version. I'll give an updated version a shot. I had similar results with ubuntu's 0.75.x 2015-05-19 16:30 GMT+02:00 Nalin Dahyabhai na...@redhat.com: On Tue, May 19, 2015 at 12:34:47PM +0200, marcin kowalski

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-19 Thread Rob Crittenden
Sina Owolabi wrote: Hi Rob I've been to the URL but it's a little difficult applying these commands to RHEL6 systems. For instance there is no /etc/pki-tomcat directory in RHEL6, and I cannot find the ipa.crt I'm sure as a noob I am overlooking some very obvious stuff, but could you please guide

Re: [Freeipa-users] certmonger + dogtag, bad parsing of returned certificate

2015-05-19 Thread Nalin Dahyabhai
On Tue, May 19, 2015 at 12:34:47PM +0200, marcin kowalski wrote: Hi, all. I am trying to integrate certmonger with dogtag instance, and so far I've stumbled on one odd problem. Hopefully this is the right list. I've generated some random cert with getcert request, it has communicated with

Re: [Freeipa-users] getting rid of nsds5ReplConflict

2015-05-19 Thread Rich Megginson
On 05/19/2015 10:10 AM, Megan . wrote: I'm struggling with a replication conflict. I had three masters, dir1, dir2, dir3. There were some weird issues with dir2 where I was getting error 49 (Invalid credentials) without any real information. Where did you see this? command line output? Of

Re: [Freeipa-users] getting rid of nsds5ReplConflict

2015-05-19 Thread Megan .
Thank you for the reply. I think I just got frustrated. I uninstalled ipa on the dir2 replica then set it back up again as a replica. Everything seems to be replicating just fine without errors now. I know that this isn't the preferred or documented solution but I needed the server back online

Re: [Freeipa-users] getting rid of nsds5ReplConflict

2015-05-19 Thread Rich Megginson
On 05/19/2015 12:27 PM, Megan . wrote: Thank you for the reply. I think I just got frustrated. I uninstalled ipa on the dir2 replica then set it back up again as a replica. Everything seems to be replicating just fine without errors now. I know that this isn't the preferred or documented

Re: [Freeipa-users] confused by ldapsearch results

2015-05-19 Thread Rob Crittenden
Boyce, George Robert. (GSFC-762.0)[NICS] wrote: I don’t understand what is happening… If I use a compound OR filter to search for “cn” or “uid”, I only get back the match for uid. I expect to get both. If I add a search for a nonexistent attribute like “name”, I get nothing back. I expect to

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-19 Thread Sina Owolabi
Hi Rob Thanks! I noticed that the problematic records have their expiration in the future! And I also do not have pki-tomcatd, it's pki-cad. From getcert list, the troublesome IDs are: Request ID '20130524104828': status: CA_UNREACHABLE ca-error: Server at

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-19 Thread Sina Owolabi
Another key difference I noticed is that the problematic certs have CA:IPA in them, while the working certs have CA: dogtag-ipa-retrieve-agent-submit. getcert list Number of certificates and requests being tracked: 8. Request ID '20130524104636': status: CA_UNREACHABLE

Re: [Freeipa-users] getting rid of nsds5ReplConflict

2015-05-19 Thread Rob Crittenden
Megan . wrote: Thank you for the reply. I think I just got frustrated. I uninstalled ipa on the dir2 replica then set it back up again as a replica. Everything seems to be replicating just fine without errors now. I know that this isn't the preferred or documented solution but I needed the

Re: [Freeipa-users] confused by ldapsearch results

2015-05-19 Thread Rich Megginson
On 05/19/2015 01:53 PM, Boyce, George Robert. (GSFC-762.0)[NICS] wrote: I don’t understand what is happening… If I use a compound OR filter to search for “cn” or “uid”, I only get back the match for uid. I expect to get both. If I add a search for a nonexistent attribute like “name”, I get

[Freeipa-users] confused by ldapsearch results

2015-05-19 Thread Boyce, George Robert. (GSFC-762.0)[NICS]
I don't understand what is happening... If I use a compound OR filter to search for cn or uid, I only get back the match for uid. I expect to get both. If I add a search for a nonexistent attribute like name, I get nothing back. I expect to get back the entry matched by the other term. # l

Re: [Freeipa-users] External Self Help Suggestions.

2015-05-19 Thread Dmitri Pal
On 05/14/2015 07:09 PM, William Graboyes wrote: Hi Dmitri, No I am sticking to the 90 day, gotta start the change in the right direction somewhere :). So I am trying out LBT Self service password, and I am wondering if there is documentation anywhere on how to create a service style account

Re: [Freeipa-users] Replacing HTTP certs with public CA signed wildcard cert

2015-05-19 Thread Dmitri Pal
On 05/14/2015 10:15 AM, David Little wrote: Hi there, I was reading this document regarding using 3rd party certificates in FreeIPA: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP Which includes the information The certificate in mysite.crt must be signed by the CA

[Freeipa-users] getting rid of nsds5ReplConflict

2015-05-19 Thread Megan .
I'm struggling with a replication conflict. I had three masters, dir1, dir2, dir3. There were some weird issues with dir2 where I was getting error 49 (Invalid credentials) without any real information. When I did ipa-replica-manage list-ruv I saw dir2 twice. I couldn't get it straight so I