Re: [Freeipa-users] 3rd Party http certs breaking Apache

2016-10-12 Thread Joshua Ruybal
Can confirm nss.conf has NSSNickname set to Signing-Cert. I set the nickname of the Root CA issuing the 3rd party Certs to "LetsEncrypt_X1" On Wed, Oct 12, 2016 at 10:57 AM, Rob Crittenden wrote: > Joshua Ruybal wrote: > >> Hi, >> >> I'm trying to add 3rd party certs for

Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

2016-10-12 Thread John Popowitch
I ran the following on each of my three servers: kinit admin ldapsearch -Y GSSAPI -b 'dc=aws,dc=cappex,dc=com' "nsds5ReplConflict=*" \* nsds5ReplConflict There are 49, 57, 49 entries returned by that query on the respective server. Here is the one related to 'System: Modify Certificate Profile'

[Freeipa-users] Server unwilling to perform error

2016-10-12 Thread Rakesh Rajasekharan
Hi There, I am running Freeipa version 4.2.0. I have been noticing that frequently I get this error "ipa: ERROR: Server is unwilling to perform: Entry permanently locked." when I try to run any ipa commands like ipa user-find or user-status. Finally I see that my admin account has been locked

Re: [Freeipa-users] bind-dyndb-ldap issues

2016-10-12 Thread Petr Spacek
Hello, these are debug messages and are harmless. Apparently you have verbose/debug messages enabled in named.conf: arg "verbose_checks yes"; If you want to get rid of these messages, just remove the line. What version of bind-dyndb-ldap are you using? Sufficiently new versions

Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

2016-10-12 Thread Martin Basti
On 11.10.2016 22:01, John Popowitch wrote: Ah, yes, thank you, Alexander. I agree it would help if I followed the example better. It would also help if I understood the example so a little description of what each command does would be very helpful. Sorry, we don't have time to explain

Re: [Freeipa-users] FreeIPA and Samba

2016-10-12 Thread Aleksey Stepanenko
My Samba server and IPA server are different machines too. I made LDAP replication IPA-SAMBA ( https://www.server-world.info/en/note?os=CentOS_7=ipa=6 ). Unfortunately, it makes full replication (not only ldap-server), but it works. My Windows machine are not joined to a domain. 12.10.2016

[Freeipa-users] Replica has no RUV

2016-10-12 Thread Fil Di Noto
What do you do if a replica has no RUV, it may have been deleted. I've tried disconnecting/connecting it to the other replicas to see if it would re-build it but it doesn't. Re-initializing it doesn't seem to fix it either. -- Manage your subscription for the Freeipa-users mailing list:

Re: [Freeipa-users] Different Database Generation ID

2016-10-12 Thread Ludwig Krispenz
Hi, you get the "different database generation" if one side is built from scratch or reimported from a plain ldif without repl state information. Replication will only work if both sides have the same data origin. About initializing back and forth it depends on your topology if it can

Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient

2016-10-12 Thread Florence Blanc-Renaud
On 10/11/2016 07:36 PM, Bennett, Chip wrote: I just joined this list, so if this question has been asked before (and I’ll bet it has), I apologize in advance. A google search was unrevealing, so I’m asking here: we’re running FreeIPA Version 3.0.0 on CentOS 6.6. It looks like the password

Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient

2016-10-12 Thread Bennett, Chip
Flo, Thanks for getting back to me. I had seen this in the documentation. I was just hoping that I was missing something. I guess I'm just surprised that a product designed to manage authentication wouldn't have a way to be more specific in the complexity requirements. Thanks again! Chip

Re: [Freeipa-users] bind-dyndb-ldap issues

2016-10-12 Thread Brendan Kearney
On 10/12/2016 02:35 AM, Petr Spacek wrote: Hello, these are debug messages and are harmless. Apparently you have verbose/debug messages enabled in named.conf: arg "verbose_checks yes"; If you want to get rid of these messages, just remove the line. What version of

Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient

2016-10-12 Thread Simpson Lachlan
> -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Bennett, Chip > Sent: Thursday, 13 October 2016 7:21 AM > To: Florence Blanc-Renaud; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] Password Complexity

Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient

2016-10-12 Thread Anon Lister
Unfortunately, policy and regulation often lag behind current theory by several decades. For what it's worth, I'd second being able to set more complicated policies as a useful feature. On Oct 12, 2016 6:38 PM, "Simpson Lachlan" wrote: > > -Original

[Freeipa-users] network ports requirements for a replica

2016-10-12 Thread Karl Forner
Hello, A very simple question, but I could not find the answer. I'd like to setup a replica on another network than my master. Is it possible to setup the replication using only https, or other ports must be available ? Thanks, Karl

Re: [Freeipa-users] network ports requirements for a replica

2016-10-12 Thread Alexander Bokovoy
On ke, 12 loka 2016, Karl Forner wrote: Hello, A very simple question, but I could not find the answer. I'd like to setup a replica on another network than my master. Is it possible to setup the replication using only https, or other ports must be available ? This is all documented, did you

[Freeipa-users] 3rd Party http certs breaking Apache

2016-10-12 Thread Joshua Ruybal
Hi, I'm trying to add 3rd party certs for the webgui and ldap as documented here: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP I'm able to add the CA cert. Then add the chained cert and key via ipa-server-certinstall tool. However when I try to restart httpd, it fails

Re: [Freeipa-users] 3rd Party http certs breaking Apache

2016-10-12 Thread Rob Crittenden
Joshua Ruybal wrote: Hi, I'm trying to add 3rd party certs for the webgui and ldap as documented here: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP I'm able to add the CA cert. Then add the chained cert and key via ipa-server-certinstall tool. However when I try to

[Freeipa-users] FreeIPA Server installation on unbuntu 14.0

2016-10-12 Thread Deepak Dimri
Hi All, I am trying to install freeIPA server on ubuntu 14.0 but I am getting Error "Unable to locate package freeipa-server" below is what I am trying: apt-get install freeipa-server -y Reading package lists... Done Building dependency tree Reading state information... Done E: Unable to

Re: [Freeipa-users] FreeIPA Server installation on unbuntu 14.0

2016-10-12 Thread Alexander Bokovoy
On ke, 12 loka 2016, Deepak Dimri wrote: Hi All, I am trying to install freeIPA server on ubuntu 14.0 but I am getting Error "Unable to locate package freeipa-server" below is what I am trying: apt-get install freeipa-server -y Reading package lists... Done Building dependency tree

Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient

2016-10-12 Thread Ernedin Zajko
Hi Anton, maybe you can "talk" directly to ds: http://directory.fedoraproject.org/docs/389ds/FAQ/password-syntax.html regards, --- Ernedin ZAJKO eza...@root.ba > 340282366920938463463374607431768211456 On Thu, Oct 13, 2016 at 1:53 AM, Anon Lister wrote: >