Re: [Freeipa-users] freeipa unsecured ports & MITM

2016-03-29 Thread Alexander Bokovoy
On Tue, 29 Mar 2016, Simo Sorce wrote: On Tue, 2016-03-29 at 08:51 -0600, Master P. wrote: Hello, I am using FreeIPA on the cloud and am worried about MITM attacks. I'm assuming all network traffic can be easily read and possibly manipulated by an attacker. When following

Re: [Freeipa-users] freeipa unsecured ports & MITM

2016-03-29 Thread Master P.
Thanks for the quick responses, you have both answered everything I was looking for! On Tue, Mar 29, 2016 at 9:48 AM, Alexander Bokovoy wrote: > On Tue, 29 Mar 2016, Simo Sorce wrote: > >> On Tue, 2016-03-29 at 08:51 -0600, Master P. wrote: >> >>> Hello, >>> >>> I am using

Re: [Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape

2016-03-29 Thread Timothy Geier
> On Mar 29, 2016, at 2:00 AM, Thorsten Scherf wrote: > > On [Mon, 28.03.2016 18:18], Timothy Geier wrote: >> >>> On Mar 28, 2016, at 12:53 PM, Thorsten Scherf wrote: >>> >>> On [Sat, 26.03.2016 03:26], Timothy Geier wrote: To follow up on this

[Freeipa-users] Request for Feedback - Managing FreeIPA accounts with OpenUnison

2016-03-29 Thread Marc Boorshtein
FreeIPAers, We've built an open source integration "provisioning target" that works with the JSON web service to provision users and roles inside of FreeIPA/RH IdM. We also have a prototype of SSO into the IPAWeb console using constrained delegation (both thanks to the help received on this

Re: [Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape

2016-03-29 Thread Thorsten Scherf
On [Mon, 28.03.2016 18:18], Timothy Geier wrote: On Mar 28, 2016, at 12:53 PM, Thorsten Scherf wrote: On [Sat, 26.03.2016 03:26], Timothy Geier wrote: To follow up on this issue, we haven’t been able to get any further since last month due to the missing caServerCert

[Freeipa-users] IPA users central Home Directories

2016-03-29 Thread Shahzad Malik
Hi, I have recently configured an IPA master and replica server. I am trying to configure IPA users' central home directories, which means that when a user authenticates through IPA on any client, they will have the same home directory. To achieve this goal, I have configured an NFS server, joined and configured

Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-29 Thread Alexander Bokovoy
On Tue, 29 Mar 2016, lejeczek wrote: last - this must most FAQ people wonder - can IPA's 389 backend be used in the same/similar fashion samba uses ldap? skipping all the kerberos bits? (samba & IPA on the same one box) For Samba and IPA on the same box, this is configured properly with

Re: [Freeipa-users] 7.x replica install from 6.x master fails

2016-03-29 Thread Petr Vobornik
On 03/24/2016 04:29 PM, Ott, Dennis wrote: I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x. After working through and solving a few issues, my current efforts fail when setting up the replica CA. If I set up a new, pristine master on OS 6.7, I am able to create an OS 7.x

Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-29 Thread lejeczek
On 15/03/16 14:36, Alexander Bokovoy wrote: On Tue, 15 Mar 2016, lejeczek wrote: On 15/03/16 13:42, Rob Crittenden wrote: lejeczek wrote: On 14/03/16 17:06, Rob Crittenden wrote: lejeczek wrote: with... ipa: ERROR: group LDAP search did not return any result (search base:

[Freeipa-users] Unable to join FreeIPA client to server

2016-03-29 Thread Adam Bishop
Client is running ipa-client-3.0.0-47.el6.centos.1.x86_64 on CentOS 6. Servers are running ipa-server-4.2.0-15.0.1.el7.centos.6.x86_64 on CentOS 7. When I try to join the CentOS 6 client to the CentOS 7 servers, ipa-client-install is unable to access /ipa/xml, throwing the following error: ...

[Freeipa-users] freeipa unsecured ports & MITM

2016-03-29 Thread Master P.
Hello, I am using FreeIPA on the cloud and am worried about MITM attacks. I'm assuming all network traffic can be easily read and possibly manipulated by an attacker. When following https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/installing-ipa.html, some of the listed ports

Re: [Freeipa-users] Unable to join FreeIPA client to server

2016-03-29 Thread Adam Bishop
On 29 Mar 2016, at 14:29, Adam Bishop wrote: > I could use a bit of help resolving this - full client debug follows. Both > systems are running nss 3.19.1 which *should* support TLS1.2, so I'm unsure > where to start fixing this. Turns out to be a little easier to