Re: [Freeipa-users] FreeIPA, Windows and Kerberos

2015-10-26 Thread Petr Spacek
On 23.10.2015 22:31, Alexander Bokovoy wrote:
> On Fri, 23 Oct 2015, Randolph Morgan wrote:
>> We are running a mixed environment network. However, all of our
>> authentication is performed via LDAP, we do not have an AD on our network,
>> nor do we have any Windows servers, all of our servers

Re: [Freeipa-users] FreeNAS Authenticating Against FreeIPA

2015-10-26 Thread Chris Tobey
Hi Youenn, That is very possible. I was looking at the logs for dirsrv and did notice this though:
[26/Oct/2015:15:56:51 -0400] - slapd shutting down - signaling operation threads
[26/Oct/2015:15:56:51 -0400] - slapd shutting down - closing down internal subsystems and plugins

Re: [Freeipa-users] OTP vs password?

2015-10-26 Thread Jakub Hrozek
On Mon, Oct 26, 2015 at 10:24:06AM -0700, Janelle wrote:
> Hello all...
>
> Seeing something very strange. With OTP enabled for all users - here is the
> configuration:
>
> Some hosts fully "enrolled" with IPA, and some are simply configured with
> authconfig to use LDAP backend for

Re: [Freeipa-users] IPA with external CA signed certs

2015-10-26 Thread James Masson
On 19/10/15 21:06, Rob Crittenden wrote: James Masson wrote: Hi list, I successfully have IPA working with CA certs signed by an upstream Dogtag. Now I'm trying to use a CA cert signed by a different type of CA - Vault. Setup fails, using the same 2 step IPA setup process as used with

Re: [Freeipa-users] SUDO does not always works on first try

2015-10-26 Thread Zoske, Fabian
Hi folks, Unfortunately the fix doesn't work as expected. On the first hosts I tried, there was no sign of the problem anymore, but when a colleague tried the hosts the problem occurs again. And we discovered another side effect: new enrolled IPA clients are not able to communicate with the

Re: [Freeipa-users] SUDO does not always works on first try

2015-10-26 Thread Jakub Hrozek
On Mon, Oct 26, 2015 at 12:34:21PM +, Zoske, Fabian wrote:
> Hi folks,
>
> Unfortunately the fix doesn't work as expected. On the first hosts I tried,
> there was no sign of the problem anymore, but when a colleague tried the hosts
> the problem occurs again.
> And we discovered another side

Re: [Freeipa-users] IPA with external CA signed certs

2015-10-26 Thread Martin Kosek
On 10/26/2015 04:05 PM, James Masson wrote:
>
>
> On 19/10/15 21:06, Rob Crittenden wrote:
>> James Masson wrote:
>>>
>>> Hi list,
>>>
>>> I successfully have IPA working with CA certs signed by an upstream Dogtag.
>>>
>>> Now I'm trying to use a CA cert signed by a different type of CA - Vault.

[Freeipa-users] OTP vs password?

2015-10-26 Thread Janelle
Hello all... Seeing something very strange. With OTP enabled for all users - here is the configuration: Some hosts fully "enrolled" with IPA, and some are simply configured with authconfig to use LDAP backend for authentication. RANDOMLY < Keyword here -- all systems use SSSD

[Freeipa-users] How grant access to userPassword for System Accounts

2015-10-26 Thread John Duino
I am trying to hook our VoIP solution (sipxecs-based openUC) to our FreeIPA. But it appears that it wants to read-in the userPassword rather than just auth against the ldap. I know Directory Manager is the only account that has the ability to read userPassword, but is there a way to grant that

Re: [Freeipa-users] How grant access to userPassword for System Accounts

2015-10-26 Thread German Parente
Hi John you could add a particular ACI to allow any groupdn or userdn to read/search userPassword under the required tree. Something like: aci: (targetattr = "userPassword") (target = "ldap:///cn=users,cn=accounts,dc=,dc=") (version 3.0;acl "Allow password read";allow