Re: [Freeipa-users] Enforce use of OTP token for all users.

2016-05-16 Thread Prashant Bapat
Thanks for the reply. Yes it will. But my question is a bit different. I want to be able to ensure that each and every user is forced to set up at least 1 OTP. I have set "Default user authentication types" to "password + OTP". With this, users who have OTP have to use OTP. But if a user does not

Re: [Freeipa-users] Stuck at CA_UNREACHABLE and NEED_CSR_GEN_PIN

2016-05-16 Thread Adam Kaczka
Certmonger cannot communicate with CA; the result of getlist cert shows: RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found) After setting time back, from /var/log/pki-ca/debug I get: [30/Dec/2015:08:10:25][main]: CMS:Caught

[Freeipa-users] IPA as subdomain, part of AD ?

2016-05-16 Thread lejeczek
hi users/devel I'm trying to grasp the concepts - can IPA be plugged into an AD domain, be part of it as a subdomain? I'm guessing it'd be quite a common scenario, I see the wiki describes the opposite arrangement, but how to have IPA as ipa.activedir.local whereas activedir.local is top

Re: [Freeipa-users] FreeIPA DNS Module (named.conf)

2016-05-16 Thread Martin Kosek
On 05/16/2016 02:03 PM, Günther J. Niederwimmer wrote: > Hello, > > I have a question about the named.conf, is it possible to change the > named.conf, to make ACL or views, or is named.conf overwritten from freeipa- > module ? > Hello, FreeIPA indeed replaces default named.conf during

[Freeipa-users] Fedora 24 single sign-on improvements

2016-05-16 Thread Alexander Bokovoy
Hi, my article detailing on Fedora 24 improvements for single sign-on use is published by Fedora Magazine: https://fedoramagazine.org/single-sign-on-improvements-fedora-24/ -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list:

Re: [Freeipa-users] otp question to limit brute force vector for web applications

2016-05-16 Thread Martin Kosek
On 05/13/2016 05:24 PM, Thomas Heil wrote: > Hi, > > On 13.05.2016 16:12, Petr Spacek wrote: >> On 13.5.2016 15:25, Thomas Heil wrote: >>> Hi, >>> >>> I would like to reduce the vector of brute force attacks in my web >>> application written in php. Users can login via password and otp which >>>

Re: [Freeipa-users] FreeIPA DNS Module (named.conf)

2016-05-16 Thread Petr Spacek
On 16.5.2016 15:33, Martin Kosek wrote: > On 05/16/2016 02:03 PM, Günther J. Niederwimmer wrote: >> Hello, >> >> I have a question about the named.conf, is it possible to change the >> named.conf, to make ACL or views, or is named.conf overwritten from freeipa- >> module ? >> > > Hello, > >

Re: [Freeipa-users] AD Primary Groups are ignored in FreeIPA?

2016-05-16 Thread Martin Kosek
On 05/16/2016 05:28 AM, Lachlan Musicman wrote: > Hola, > > We have an interesting scenario that is hard to find any information on. > > Due to permission restrictions, a NAS that is mounted and visible by both AD > and > 'nix clients, every user belongs to a particular primary group. > >

Re: [Freeipa-users] AD Primary Groups are ignored in FreeIPA?

2016-05-16 Thread Jakub Hrozek
On Mon, May 16, 2016 at 03:27:39PM +0200, Martin Kosek wrote: > On 05/16/2016 05:28 AM, Lachlan Musicman wrote: > > Hola, > > > > We have an interesting scenario that is hard to find any information on. > > > > Due to permission restrictions, a NAS that is mounted and visible by both > > AD and

Re: [Freeipa-users] AD Primary Groups are ignored in FreeIPA?

2016-05-16 Thread Alexander Bokovoy
On Mon, 16 May 2016, Lachlan Musicman wrote: Hola, We have an interesting scenario that is hard to find any information on. Due to permission restrictions, a NAS that is mounted and visible by both AD and 'nix clients, every user belongs to a particular primary group. What scope these primary

[Freeipa-users] Mac OS 10.11.4 issue: Cannot change expired Kerberos passwords on GUI login

2016-05-16 Thread Stefan Zecevic
Hello all, I have been testing to see if freeIPA is a workable solution in our mixed CentOS and Macintosh environment. I've been doing all this testing on virtual machines. So far, on my own, everything I need seems to be working with the exception of resetting expired passwords on the Macintosh

[Freeipa-users] IPA and RSA

2016-05-16 Thread Sean Hogan
Hello all, New req coming down the pipe which is RSA 2 factor auth and IPA integration. Does anyone have a good source to start reading up on this? I have been reading the freeipa docs and setting up the otp and what not.. but wondering if anyone has specific RSA integration docs/info?

Re: [Freeipa-users] Mac OS 10.11.4 issue: Cannot change expired Kerberos passwords on GUI login

2016-05-16 Thread Simo Sorce
On Mon, 2016-05-16 at 09:03 -0700, Stefan Zecevic wrote: > Hello all, > > I have been testing to see if freeIPA is a workable solution in our mixed > CentOS and Macintosh environment. I've been doing all this testing on > virtual machines. So far, on my own, everything I need seems to be working

Re: [Freeipa-users] IPA as subdomain, part of AD ?

2016-05-16 Thread Simo Sorce
On Mon, 2016-05-16 at 17:00 +0100, lejeczek wrote: > hi users/devel > > I'm trying to grasp the concepts - can IPA be plugged into AD domain, > be part of it as a subdomain? No, the only trust type we handle is a Forest level trust, so FreeIPA needs to be its own forest in AD terms. > I'm

[Freeipa-users] FreeIPa and Mailserver (LDAP)

2016-05-16 Thread Günther J. Niederwimmer
Hello, In the FreeIPA UI it is possible to insert more than one email address, but I can't find a way to have the correct password / mail addresses together (Dovecot); the only way I found is user / password. My search filter is at the moment user_filter =

Re: [Freeipa-users] FreeIPa and Mailserver (LDAP)

2016-05-16 Thread Alexander Bokovoy
On Mon, 16 May 2016, Günther J. Niederwimmer wrote: Hello, In the FreeIPA UI it is possible to insert more than one email address, but I can't find a way to have the correct password / mail addresses together (Dovecot); the only way I found is user / password. My search filter is at

Re: [Freeipa-users] DNSSEC NSEC3 Parameter

2016-05-16 Thread Martin Basti
On 16.05.2016 13:44, Günther J. Niederwimmer wrote: Am Montag, 16. Mai 2016, 13:13:04 CEST schrieb Petr Spacek: On 16.5.2016 08:47, Martin Kosek wrote: On 05/14/2016 07:49 PM, Günther J. Niederwimmer wrote: Hello, Thanks for answer, Am Freitag, 13. Mai 2016, 09:40:05 CEST schrieb Martin

Re: [Freeipa-users] Mac OS 10.11.4 issue: Cannot change expired Kerberos passwords on GUI login

2016-05-16 Thread Stefan Zecevic
Sorry, the second link should be https://www.redhat.com/archives/freeipa-users/2016-February/msg00059.html Stefan Zecevic The little commuter in the big red scooter On Mon, May 16, 2016 at 10:56 AM, Simo Sorce wrote: > On Mon, 2016-05-16 at 09:03 -0700, Stefan Zecevic wrote:

Re: [Freeipa-users] How RBAC defined.

2016-05-16 Thread Alexander Bokovoy
On Sat, 14 May 2016, Ben .T.George wrote: Hi List, i have one working setup with HBAC and sudo rules. I would like to know more about RBAC. like what is RBAC and what can be achieved with RBAC. anyone please share some good topics about this as i am getting so many and the information's

Re: [Freeipa-users] a user delegated to control a OU and realmd join - how..

2016-05-16 Thread lejeczek
On 13/05/16 14:14, Sumit Bose wrote: On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote: .. if possible, would you know? hi everybody, I'm trying, and hoping it is possible to realm join an AD but is such a way so I tap my IPA into specific OU within that AD. I'm not exactly sure what

Re: [Freeipa-users] DNSSEC NSEC3 Parameter

2016-05-16 Thread Martin Kosek
On 05/14/2016 07:49 PM, Günther J. Niederwimmer wrote: > Hello, > > Thanks for answer, > > Am Freitag, 13. Mai 2016, 09:40:05 CEST schrieb Martin Kosek: >> On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote: >>> Hello, >>> I have the Problem to find the correct way for NSEC3PARAM ? >>> >>>

Re: [Freeipa-users] DNSSEC NSEC3 Parameter

2016-05-16 Thread Petr Spacek
On 16.5.2016 08:47, Martin Kosek wrote: > On 05/14/2016 07:49 PM, Günther J. Niederwimmer wrote: >> Hello, >> >> Thanks for answer, >> >> Am Freitag, 13. Mai 2016, 09:40:05 CEST schrieb Martin Kosek: >>> On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote: Hello, I have the Problem to

[Freeipa-users] Enforce use of OTP token for all users.

2016-05-16 Thread Prashant Bapat
Any suggestions on how to achieve this?

Re: [Freeipa-users] Enforce use of OTP token for all users.

2016-05-16 Thread Petr Vobornik
On 05/16/2016 12:20 PM, Prashant Bapat wrote: > Any suggestions on how to achieve this ? > `ipa config-mod --user-auth-type=otp` will force otp auth for users with an OTP token. -- Petr Vobornik

Re: [Freeipa-users] Stuck at CA_UNREACHABLE and NEED_CSR_GEN_PIN

2016-05-16 Thread Petr Vobornik
On 05/14/2016 12:01 AM, Adam Kaczka wrote: > Hi all, > > I have inherited a IPA system that has an expired cert and the old admins > have > left; I followed (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but > running into errors when I try to renew the CA certs even after time is >

Re: [Freeipa-users] DNSSEC NSEC3 Parameter

2016-05-16 Thread Günther J. Niederwimmer
Am Montag, 16. Mai 2016, 13:13:04 CEST schrieb Petr Spacek: > On 16.5.2016 08:47, Martin Kosek wrote: > > On 05/14/2016 07:49 PM, Günther J. Niederwimmer wrote: > >> Hello, > >> > >> Thanks for answer, > >> > >> Am Freitag, 13. Mai 2016, 09:40:05 CEST schrieb Martin Kosek: > >>> On 05/12/2016

[Freeipa-users] FreeIPA DNS Module (named.conf)

2016-05-16 Thread Günther J. Niederwimmer
Hello, I have a question about the named.conf, is it possible to change the named.conf, to make ACL or views, or is named.conf overwritten from freeipa- module ? -- mit freundlichen Grüßen / best regards, Günther J. Niederwimmer

Re: [Freeipa-users] How RBAC defined.

2016-05-16 Thread Ben .T.George
Hi So basically RBAC cannot apply against system user (ssh)? On Mon, May 16, 2016 at 11:29 AM, Alexander Bokovoy wrote: > On Sat, 14 May 2016, Ben .T.George wrote: > >> Hi List, >> >> i have one working setup with HBAC and sudo rules. >> >> I would like to know more

Re: [Freeipa-users] How RBAC defined.

2016-05-16 Thread Alexander Bokovoy
On Mon, 16 May 2016, Ben .T.George wrote: Hi So basically RBAC cannot apply against system user (ssh)? For enforcing anything at a client side we have HBAC. For enforcing permission checks in the LDAP database we have RBAC. -- / Alexander Bokovoy