Re: [Freeipa-users] invalid 'permission': cannot add permission System: Read HBAC Rules with bindtype all to a privilege

2015-06-19 Thread nathan
nat...@nathanpeters.com wrote: FreeIPA server 4.1.3 on CentOS 7 I am trying to create a set of privileges or roles that will allow me to create a user who has read-only access to as much of the FreeIPA web UI as possible. Basically my manager wants the type of view into FreeIPA that they

Re: [Freeipa-users] Installing replica w/o CA?

2015-06-19 Thread Rob Crittenden
Janelle wrote: Maybe this is an obvious question - but I am missing the simple answer. If you create a master and want to create 3 replicas -- creating the first replica works just fine, but I want the 2nd replica chained off the first, and NOT the master. But unless you install a CA on that

Re: [Freeipa-users] invalid 'permission': cannot add permission System: Read HBAC Rules with bindtype all to a privilege

2015-06-19 Thread Rob Crittenden
nat...@nathanpeters.com wrote: nat...@nathanpeters.com wrote: FreeIPA server 4.1.3 on CentOS 7 I am trying to create a set of privileges or roles that will allow me to create a user who has read-only access to as much of the FreeIPA web UI as possible. Basically my manager wants the type of

Re: [Freeipa-users] invalid 'permission': cannot add permission System: Read HBAC Rules with bindtype all to a privilege

2015-06-19 Thread Nathan Peters
-Original Message- From: Rob Crittenden Sent: Friday, June 19, 2015 3:38 PM To: nat...@nathanpeters.com Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission System: Read HBAC Rules with bindtype all to a privilege

Re: [Freeipa-users] ipa replica failure

2015-06-19 Thread Andrew E. Bruno
On Fri, Jun 19, 2015 at 03:18:50PM -0400, Rob Crittenden wrote: Rich Megginson wrote: On 06/19/2015 12:22 PM, Andrew E. Bruno wrote: Questions: 0. Is it likely that after running out of file descriptors the dirsrv slapd database on rep2 was corrupted? That would appear to be the case

Re: [Freeipa-users] question on Active Directory and FreeIPA

2015-06-19 Thread David Fitzgerald
-Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek Sent: Friday, June 19, 2015 3:15 PM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] question on Active Directory and FreeIPA On Fri, Jun 19, 2015 at

[Freeipa-users] Installing replica w/o CA?

2015-06-19 Thread Janelle
Maybe this is an obvious question - but I am missing the simple answer. If you create a master and want to create 3 replicas -- creating the first replica works just fine, but I want the 2nd replica chained off the first, and NOT the master. But unless you install a CA on that first replica,

Re: [Freeipa-users] Installing replica w/o CA?

2015-06-19 Thread Simo Sorce
On Fri, 2015-06-19 at 14:20 -0700, Janelle wrote: Maybe this is an obvious question - but I am missing the simple answer. If you create a master and want to create 3 replicas -- creating the first replica works just fine, but I want the 2nd replica chained off the first, and NOT the master.

Re: [Freeipa-users] ipa replica failure

2015-06-19 Thread Andrew E. Bruno
On Fri, Jun 19, 2015 at 09:08:15PM -0700, Janelle wrote: On 6/19/15 11:22 AM, Andrew E. Bruno wrote: Hello, First time troubleshooting an ipa server failure and looking for some guidance on how best to proceed. First some background on our setup: Servers are running freeipa v4.1.0 on

Re: [Freeipa-users] ipa replica failure

2015-06-19 Thread Janelle
On 6/19/15 11:22 AM, Andrew E. Bruno wrote: Hello, First time troubleshooting an ipa server failure and looking for some guidance on how best to proceed. First some background on our setup: Servers are running freeipa v4.1.0 on CentOS 7.1.1503: - ipa-server-4.1.0-18.el7.centos.3.x86_64 -

Re: [Freeipa-users] WG: Re: Haunted servers?

2015-06-19 Thread Ludwig Krispenz
Hi Christoph, bad news. So to summarize, you have a procedure to clean up your env, but once you restart the master the ghosts are back. I really want to find out where they are coming from, so if you have to restart your server, could you please lookup these data, after the server is

[Freeipa-users] Antwort: Re: Antwort: Re: Antwort: Re: WG: Re: Haunted servers?

2015-06-19 Thread Christoph Kaminski
Ludwig Krispenz lkris...@redhat.com wrote on 19.06.2015 13:23:43: the first search is for the replication agreements and they keep info about the consumer ruv, used in replication session. you cannot modify these, but they are maintained in the dse.ldif, you could edit the dse.ldif

Re: [Freeipa-users] ipa schema-compat, DIT view and replication

2015-06-19 Thread Alexander Bokovoy
- Original Message - Hello, we migrated to centos7.1 and ipa server 4.1.0. DIT view using schema compat plugin is working on one instance - celebrations. We are using a 4 way cluster of ipa servers. The schema-compat-container does not get replicated. Is there a way - apart

[Freeipa-users] ipa schema-compat, DIT view and replication

2015-06-19 Thread Sandor Juhasz
Hello, we migrated to centos7.1 and ipa server 4.1.0. DIT view using schema compat plugin is working on one instance - celebrations. We are using a 4 way cluster of ipa servers. The schema-compat-container does not get replicated. Is there a way - apart making the change on the replica - to

[Freeipa-users] Antwort: Re: WG: Re: Haunted servers?

2015-06-19 Thread Christoph Kaminski
freeipa-users-boun...@redhat.com wrote on 19.06.2015 11:34:21: From: Ludwig Krispenz lkris...@redhat.com To: freeipa-users@redhat.com Date: 19.06.2015 11:35 Subject: Re: [Freeipa-users] WG: Re: Haunted servers? Sent by: freeipa-users-boun...@redhat.com Hi Christoph, bad news.

[Freeipa-users] Antwort: Re: Antwort: Re: WG: Re: Haunted servers?

2015-06-19 Thread Christoph Kaminski
in the second search I don't see nsds50ruv attributes for dead entries, so the database ruv seems to be ok. these are dead: nscpentrywsi: nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa-2.mgmt.biotronik-h omemonitoring.int@HSO,cn=services,cn=accounts,dc=hso nscpentrywsi: nsDS5ReplicaBindDN:

Re: [Freeipa-users] ipa schema-compat, DIT view and replication

2015-06-19 Thread Simo Sorce
On Fri, 2015-06-19 at 08:40 -0400, Alexander Bokovoy wrote: - Original Message - Hello, we migrated to centos7.1 and ipa server 4.1.0. DIT view using schema compat plugin is working on one instance - celebrations. We are using a 4 way cluster of ipa servers. The

Re: [Freeipa-users] Antwort: Re: Antwort: Re: WG: Re: Haunted servers?

2015-06-19 Thread Ludwig Krispenz
Hi, On 06/19/2015 12:32 PM, Christoph Kaminski wrote: in the second search I don't see nsds50ruv attributes for dead entries, so the database ruv seems to be ok. these are dead: nscpentrywsi: nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa-2.mgmt.biotronik-h

Re: [Freeipa-users] Antwort: Re: Antwort: Re: Antwort: Re: WG: Re: Haunted servers?

2015-06-19 Thread Ludwig Krispenz
from an earlier post it looks like they are from the o=ipaca backend, did you clean the ruvs there? to know which are the correct current rids for this backend you could do on each active server a search for ... -b cn=config ((objectclass=nsds5replica)(nsDS5ReplicaRoot=o=ipaca))

[Freeipa-users] Antwort: clean-run doesn't work

2015-06-19 Thread Christoph Kaminski
freeipa-users-boun...@redhat.com wrote on 19.06.2015 11:02:48: From: Tamas Papp tom...@martos.bme.hu To: freeipa-users@redhat.com Date: 19.06.2015 11:04 Subject: [Freeipa-users] clean-run doesn't work Sent by: freeipa-users-boun...@redhat.com hi All, $ ipa-replica-manage

Re: [Freeipa-users] Antwort: Re: WG: Re: Haunted servers?

2015-06-19 Thread Ludwig Krispenz
On 06/19/2015 11:48 AM, Christoph Kaminski wrote: freeipa-users-boun...@redhat.com wrote on 19.06.2015 11:34:21: From: Ludwig Krispenz lkris...@redhat.com To: freeipa-users@redhat.com Date: 19.06.2015 11:35 Subject: Re: [Freeipa-users] WG: Re: Haunted servers? Sent by:

[Freeipa-users] clean-run doesn't work

2015-06-19 Thread Tamas Papp
hi All, $ ipa-replica-manage list-ruv unable to decode: {replica 6} 55832e8e00030006 55832e8e00030006 ipa31.bph.cxn:389: 8 ipa12.bpo.cxn:389: 5 ipa32.bph.cxn:389: 7 ipa11.bpo.cxn:389: 3 ipa.cxn.com:389: 4 $ ipa-replica-manage clean-ruv 6 unable to decode: {replica 6}

[Freeipa-users] ipa replica failure

2015-06-19 Thread Andrew E. Bruno
Hello, First time troubleshooting an ipa server failure and looking for some guidance on how best to proceed. First some background on our setup: Servers are running freeipa v4.1.0 on CentOS 7.1.1503: - ipa-server-4.1.0-18.el7.centos.3.x86_64 - 389-ds-base-1.3.3.1-16.el7_1.x86_64 3

[Freeipa-users] question on Active Directory and FreeIPA

2015-06-19 Thread David Fitzgerald
Hello, Forgive me if this is a very basic question, but I have read the documentation and am still confused as to what to do. Right now I am using FreeIPA 3.3.3 on a Centos 7 server, and using it to manage about 200 users and 90 Scientific Linux workstations, and everything works great.

Re: [Freeipa-users] question on Active Directory and FreeIPA

2015-06-19 Thread Simo Sorce
On Fri, 2015-06-19 at 21:15 +0200, Jakub Hrozek wrote: On Fri, Jun 19, 2015 at 06:23:46PM +, David Fitzgerald wrote: Hello, Forgive me if this is a very basic question, but I have read the documentation and am still confused as to what to do. Right now I am using FreeIPA 3.3.3 on

Re: [Freeipa-users] invalid 'permission': cannot add permission System: Read HBAC Rules with bindtype all to a privilege

2015-06-19 Thread Rob Crittenden
nat...@nathanpeters.com wrote: FreeIPA server 4.1.3 on CentOS 7 I am trying to create a set of privileges or roles that will allow me to create a user who has read-only access to as much of the FreeIPA web UI as possible. Basically my manager wants the type of view into FreeIPA that they have

Re: [Freeipa-users] ipa replica failure

2015-06-19 Thread Rich Megginson
On 06/19/2015 12:22 PM, Andrew E. Bruno wrote: Hello, First time troubleshooting an ipa server failure and looking for some guidance on how best to proceed. First some background on our setup: Servers are running freeipa v4.1.0 on CentOS 7.1.1503: - ipa-server-4.1.0-18.el7.centos.3.x86_64 -

Re: [Freeipa-users] question on Active Directory and FreeIPA

2015-06-19 Thread Jakub Hrozek
On Fri, Jun 19, 2015 at 06:23:46PM +, David Fitzgerald wrote: Hello, Forgive me if this is a very basic question, but I have read the documentation and am still confused as to what to do. Right now I am using FreeIPA 3.3.3 on a Centos 7 server, and using it to manage about 200 users

Re: [Freeipa-users] ipa replica failure

2015-06-19 Thread Rob Crittenden
Rich Megginson wrote: On 06/19/2015 12:22 PM, Andrew E. Bruno wrote: Hello, First time troubleshooting an ipa server failure and looking for some guidance on how best to proceed. First some background on our setup: Servers are running freeipa v4.1.0 on CentOS 7.1.1503: -

[Freeipa-users] invalid 'permission': cannot add permission System: Read HBAC Rules with bindtype all to a privilege

2015-06-19 Thread nathan
FreeIPA server 4.1.3 on CentOS 7 I am trying to create a set of privileges or roles that will allow me to create a user who has read-only access to as much of the FreeIPA web UI as possible. Basically my manager wants the type of view into FreeIPA that they have in AD using the 'AD Users and