Re: [Freeipa-users] Renew / Replace third-party certificate for IPA Servers(primary and replica)

2016-10-20 Thread Florence Blanc-Renaud
On 10/20/2016 05:05 AM, beeth beeth wrote: First of all, thanks for the quick response Florence! I have a question about your suggested steps [1] and [2]: For [1], "ipa-cacert-manage install cert.pem". Which certificate is this? Is it the chain bundle cert (root cert + intermediate cert)? For [2],

[Freeipa-users] Getting Minimum SSF not met.

2016-10-20 Thread Deepak Dimri
Hi All, I wanted to enable secure LDAP connections on FreeIPA, but alas, after changing cn=config nsslapd-minssf from 0 to 128 I am getting the error below: ipactl restart Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: Server is unwilling to

Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-20 Thread Jakub Hrozek
On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote: > Hello, > > We have an IPA (4.2) server setup on RHEL 7.2 in a trust arrangement with > our University organisational AD. The AD forest contains *two* > domains: > > EXAMPLE.AU (staff users) > STUDENT.EXAMPLE.AU (student

[Freeipa-users] Setting "preserve" as default action when deleting in webUI

2016-10-20 Thread Sébastien Julliot
Hi everyone, In order to prevent administrators from making mistakes that could have silly consequences, I would like to set "preserve" as the default selected action in FreeIPA's web UI. What do you think would be the best way to achieve this? Thank you in advance, Sebastien Julliot. --

Re: [Freeipa-users] replica DS failure deadlock

2016-10-20 Thread Ludwig Krispenz
On 10/19/2016 06:28 PM, Andrew E. Bruno wrote: On Wed, Oct 19, 2016 at 05:41:37PM +0200, Ludwig Krispenz wrote: On 10/19/2016 05:02 PM, Ludwig Krispenz wrote: On 10/19/2016 03:48 PM, Andrew E. Bruno wrote: On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote: On 10/18/2016 08:52

[Freeipa-users] FreeIPA JSON API does not work behind Load Balancer because Services4User

2016-10-20 Thread Klíma David
Hi all, I need advice or help with a FreeIPA implementation behind an F5 BIG-IP load balancer. My goal is to have all FreeIPA services (including the JSON/XML API) behind the load balancer for FreeIPA clients. >> Because RHEL support tells me IPA behind a load balancer is not supported, I was >> coming out of

[Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Carlos Raúl Laguna
Hello everyone, Both servers are fresh installs, 2008r2 and Fedora 24 server with FreeIPA 4.3.2, as the documentation explains in http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA; however, the server is unable to resolve any record from my child domain. I found this bug

Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Alexander Bokovoy
On to, 20 loka 2016, Carlos Raúl Laguna wrote: Hello everyone, Both servers are fresh installs, 2008r2 and Fedora 24 server with FreeIPA 4.3.2, as the documentation explains in http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA; however, the server is unable to resolve any

Re: [Freeipa-users] Getting Minimum SSF not met.

2016-10-20 Thread Guillermo Fuentes
Hi Deepak, What you did was disable insecure connections to the directory service. As such, use LDAPS to connect and enable insecure connections again:
ldapmodify -D "cn=directory manager" -W -H ldaps://`hostname`
dn: cn=config
changetype: modify
replace: nsslapd-minssf
nsslapd-minssf: 0

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-20 Thread Florence Blanc-Renaud
On 10/19/2016 08:18 PM, Bertrand Rétif wrote: From: "Bertrand Rétif" To: freeipa-users@redhat.com Sent: Wednesday 19 October 2016 15:42:07 Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Carlos Raúl Laguna
Hi Alexander, I do believe it is a DNS problem; the commands failing are host -t srv _ldap._tcp.ad_domain or dig SRV _ldap._tcp.ad_domain. After checking the logs I see this error: "no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53", so I disabled the DNSSEC validation on IPA and it works

Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Alexander Bokovoy
On to, 20 loka 2016, Carlos Raúl Laguna wrote: Hi Alexander, I do believe it is a DNS problem; the commands failing are host -t srv _ldap._tcp.ad_domain or dig SRV _ldap._tcp.ad_domain. After checking the logs I see this error: "no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53", so I

Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Carlos Raúl Laguna
Thanks for the clarification. Regards 2016-10-20 14:23 GMT-04:00 Alexander Bokovoy : > On to, 20 loka 2016, Carlos Raúl Laguna wrote: > >> Hi Alexander, >> I do believe it is a DNS problem; the commands failing are >> >> host -t srv _ldap._tcp.ad_domain >> or >> dig SRV

Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-20 Thread Robert Sturrock
> On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote: > […] > > However, when I try logging in as a student domain user > > (student.example.au), > > I don't see any of the groups (there should be 8): > > > > $ ssh -l rnst student example au ipa-client-rh7.ipa.example.au > >

Re: [Freeipa-users] Promote CA-less replica

2016-10-20 Thread James Harrison
Hi, Thanks again. Lastly, we've switched away from Ubuntu's FreeIPA due to a bad Samba compilation choice stopping AD trusts from working (Samba isn't using MIT Kerberos). We're now using CentOS 7.2. While we know the CentOS version will operate correctly, we only get to use 4.2 of