Re: [Freeipa-users] ipa-replica-install failes on setup-ca

2017-04-26 Thread Bjarne Blichfeldt
Thank you very much for your response. Adding debugging to /etc/ipa/server.conf did not add any additional information, but I discovered that -d flag to ipa-replica-install gives a lot of information. After a lot of weird stuff, problems and so on, I decided to scratch the entire server

Re: [Freeipa-users] Fedora 25 - SSSD: Smart card login is broken

2017-04-26 Thread Sumit Bose
On Tue, Apr 25, 2017 at 12:38:11PM -0500, Michael Rainey (Contractor) wrote: > Hello, > > While using Fedora 25 we noticed smart card login is broken with the latest > update to SSSD. A month or so ago a patch was created to fix the same > issue. Here are some of the details: > > Before

Re: [Freeipa-users] I think I lost my CA...

2017-04-26 Thread Bret Wortman
Using the firefox debugger, I get these errors when trying to pop up the New Certificate dialog: Empty string passed to getElementById(). (5) jquery.js:4:1060 TypeError: u is undefined app.js:1:362059 Empty string passed to getElementById(). (5)

Re: [Freeipa-users] I think I lost my CA...

2017-04-26 Thread Bret Wortman
Good news. One of my servers _does_ have CA installed. So why does "Action -> New Certificate" not do anything on this or any other server? Bret On 04/25/2017 02:52 PM, Bret Wortman wrote: I recently had to upgrade all my Fedora IPA servers to C7. It went well, and we've been up and

Re: [Freeipa-users] CA Certificate didn't automatically transfer to replica(s)

2017-04-26 Thread Florence Blanc-Renaud
On 04/25/2017 10:56 AM, Dewangga Bachrul Alam wrote: Hello! Master IPA Server: - I install 1 (one) server as master (self-signed) and add/modify using external CA. - I am using ipa-cacert-manage install then ipa-certupdate on master Hi, I

[Freeipa-users] How to customized freeipa certificate form

2017-04-26 Thread rajkumar
Hello Freeipa Team, I am new to freeipa. I have installed freeipa to generate certificates for our products. I have generated certificates and it works fine, but I need to customize the freeipa certificate form to add more fields. Please suggest how I can achieve this. Reference: please find the

Re: [Freeipa-users] I think I lost my CA...

2017-04-26 Thread Bret Wortman
So I can see my certs using cert-find, but can't get details using cert-show or add new ones using cert-request. # ipa cert-find : -- Number of entries returned 385 -- # ipa cert-show 895 ipa: ERROR: Certificate

Re: [Freeipa-users] I think I lost my CA...

2017-04-26 Thread Bret Wortman
Digging still deeper: # ipa cert-request f.f --principal=HTTP/`hostname`@DAMASCUSGRP.COM ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (503) Looks like this is an HTTP error; so is it possible that my IPA thinks it has a CA but there's no CMS

Re: [Freeipa-users] I think I lost my CA...

2017-04-26 Thread Rob Crittenden
Bret Wortman wrote: > Digging still deeper: > > # ipa cert-request f.f --principal=HTTP/`hostname`@DAMASCUSGRP.COM > ipa: ERROR: Certificate operation cannot be completed: Unable to > communicate with CMS (503) > > Looks like this is an HTTP error; so is it possible that my IPA

Re: [Freeipa-users] I think I lost my CA...

2017-04-26 Thread Bret Wortman
On 04/26/2017 10:22 AM, Rob Crittenden wrote: Bret Wortman wrote: Digging still deeper: # ipa cert-request f.f --principal=HTTP/`hostname`@DAMASCUSGRP.COM ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (503) Looks like this is an HTTP

[Freeipa-users] IPA PKI Questions

2017-04-26 Thread Kendal Montgomery
Hi all, I’ve been struggling the last few days with rebuilding part of my FreeIPA infrastructure, which has led me to some questions about how some of the IPA infrastructure works. To give a bit of background, I have two IPA servers (my initially installed IPA server, and a replica) both of

[Freeipa-users] Signed cert/CA and updating certs?

2017-04-26 Thread Kat
Hi again, Well, Let's Encrypt is working nicely with the httpd cert - but I am wondering if there is a way to use Let's Encrypt or another signed cert to replace the CA to be able to sign all the certs with it, or is the only way to sign our certs with the built in CA? I guess, thinking

[Freeipa-users] Apache group authentication stopped working

2017-04-26 Thread Ian Pilcher
Apologies if this is a duplicate. Not sure if posting via Gmane works these days ... Did something change re Apache LDAP group authentication? The following configuration directive was working for me until recently. Require ldap-group cn=sprinklers,cn=groups,cn=accounts,dc=penurio,dc=us

[Freeipa-users] "Purge" scripts?

2017-04-26 Thread Robert L. Harris
So twice now I've tried installing freeipa on an Ubuntu 16.04 system. Both times I've gotten an error and followed the instructions to "fix it" and they didn't work so I removed files ( with purge ), cleaned up everything I could find related to freeipa, sssd and kerb but trying to run it again

[Freeipa-users] Apache group authentication stopped working

2017-04-26 Thread Ian Pilcher
Did something change re Apache LDAP group authentication? The following configuration directive was working for me until recently. Require ldap-group cn=sprinklers,cn=groups,cn=accounts,dc=penurio,dc=us Today, this is causing authentication failures, even though the users are still in the

Re: [Freeipa-users] New server install failing

2017-04-26 Thread Timo Aaltonen
On 25.04.2017 23:59, Robert L. Harris wrote: > >I'm trying to install freeipa-server on an ubuntu 16.04 box, fresh > install, but it keeps failing: > > Running ipa-server-upgrade... > IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run > command ipa-server-upgrade manually. >

[Freeipa-users] creating an LDAP bind user

2017-04-26 Thread Chris Herdt
I am setting up LDAP authentication with a remote service. On https://www.freeipa.org/page/HowTo/LDAP it says the following: "Do not use the Directory Manager account to authenticate remote services to the IPA LDAP server. Use a system account, created like this:" I followed the steps there to

Re: [Freeipa-users] Freeipa web UI: An error has occurred (IPA Error 4302: CertificateFormatError)

2017-04-26 Thread Andrew Krause
I had to let this sit for a few days, but now that I try again I can remove and re-add the host (using CLI). The web UI still presents an error though IPA Error 4302: CertificateFormatError Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old

Re: [Freeipa-users] I think I lost my CA...

2017-04-26 Thread Rob Crittenden
Bret Wortman wrote: > So I can see my certs using cert-find, but can't get details using > cert-show or add new ones using cert-request. > > # ipa cert-find > : > -- > Number of entries returned 385 > -- > # ipa

Re: [Freeipa-users] creating an LDAP bind user

2017-04-26 Thread Chris Herdt
Thanks Jason, that was exactly the issue! It's working now. On Wed, Apr 26, 2017 at 4:11 PM, Jason B. Nance wrote: > Hi Chris, > >> # remoteu, sysaccounts, etc, example.com >> dn: uid=remoteu,cn=sysaccounts,cn=etc,dc=example,dc=com >> objectClass: account >> objectClass:

Re: [Freeipa-users] creating an LDAP bind user

2017-04-26 Thread Jason B. Nance
Hi Chris, > # remoteu, sysaccounts, etc, example.com > dn: uid=remoteu,cn=sysaccounts,cn=etc,dc=example,dc=com > objectClass: account > objectClass: simplesecurityobject > objectClass: top > uid: remoteu > userPassword:: [hash value] > > This new user is unable to run LDAP searches though: >

[Freeipa-users] Help needed - CA Server role not adding

2017-04-26 Thread Chris Moody
Hello. First wanted to thank everyone working hard to bring this awesome bundle of applications to market. This is a great project and I really appreciate the efforts. I need a hand with a new 4.4.3 install that I'm still trying to flesh out fully to support all the services I need. I recently

Re: [Freeipa-users] How to customized freeipa certificate form

2017-04-26 Thread Fraser Tweedale
On Wed, Apr 26, 2017 at 07:02:08PM +0530, rajkumar wrote: > Hello Freeipa Team, > > I am new to freeipa. I have installed freeipa to generate certificates for > our products. I have generated certificates and it works fine, but I need to > customize the freeipa certificate form to add more fields.

Re: [Freeipa-users] Signed cert/CA and updating certs?

2017-04-26 Thread Fraser Tweedale
On Wed, Apr 26, 2017 at 09:51:34AM -0500, Kat wrote: > Hi again, > > Well, Let's Encrypt is working nicely with the httpd cert - but I am > wondering if there is a way to use Let's Encrypt or another signed cert to > replace the CA to be able to sign all the certs with it, or is the only way > to

Re: [Freeipa-users] IPA PKI Questions

2017-04-26 Thread Rob Crittenden
Kendal Montgomery wrote: > Hi all, > > > > I’ve been struggling the last few days with rebuilding part of my > FreeIPA infrastructure, which has led me to some questions about how > some of the IPA infrastructure works. To give a bit of background, I > have two IPA servers (my initially