Re: [Freeipa-users] Password history based on age, not count?

2017-05-04 Thread Alexander Bokovoy
On Wed, 03 May 2017, Patrick Hemmer wrote: Would it be reasonable to request a feature for FreeIPA to enforce password history reuse based on age, instead of a count? Meaning configure FreeIPA to enforce that a password cannot be reused within the last 1 year? Then we could remove the minimum

Re: [Freeipa-users] Can't make replica with CA due to LDAP 'replication manager' user not found error

2017-05-04 Thread Chris Dagdigian
Florence Blanc-Renaud wrote: the issue looks similar to ticket 6766 [1] Flo. [1] https://pagure.io/freeipa/issue/6766 Thanks Flo, I agree that this looks like the issue I'm hitting in v4.4 much appreciated! I'm gonna be watching this closely, it's nerve wracking knowing that I can't

Re: [Freeipa-users] Can't make replica with CA due to LDAP 'replication manager' user not found error

2017-05-04 Thread Florence Blanc-Renaud
On 05/03/2017 05:16 PM, Chris Dagdigian wrote: Any guidance for this one? Summary - this seems to be the fatal error that causes the CA setup on the replica to fail: May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: testLDAPConnection: The specified user cn=Replication Manager

Re: [Freeipa-users] Can't make replica with CA due to LDAP 'replication manager' user not found error

2017-05-04 Thread Chris Dagdigian
Standa Laznicka wrote: You can, but you probably won't be able to install a CA replica on them (you have to leave out the --setup-ca option). In the meantime, you can create replicas without CA replication and when the Dogtag/DS guys solve the problem, you can run ipa-ca-install on those to

Re: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

2017-05-04 Thread Rob Crittenden
Michael Plemmons wrote: > I realized that I was not very clear in my statement about testing with > ldapsearch. I had initially run it without logging in with a DN. I was > just running the local ldapsearch -x command. I then tested on > ipa12.mgmt and ipa11.mgmt logging in with a full DN for

Re: [Freeipa-users] ipa server-del

2017-05-04 Thread Petr Vobornik
On 05/04/2017 12:41 AM, Ian Harding wrote: Is there any way this can be made to work? This server does not exist in real life or seemingly in FreeIPA, but a ghost of it does. ianh@vm-ian-laptop:~$ ipa server-find freeipa-dal.bpt.rocks 1 IPA server matched

Re: [Freeipa-users] I think I lost my CA...

2017-05-04 Thread Petr Vobornik
On 04/28/2017 02:57 PM, Bret Wortman wrote: Flo, I did find that issue and made those corrections to our /etc/hosts file, but the problem persists. Thanks for the idea! after the change did you restart pki? Bret On 04/27/2017 03:42 AM, Florence Blanc-Renaud wrote: On 04/26/2017 04:33

Re: [Freeipa-users] ipa server-del

2017-05-04 Thread Rob Crittenden
Petr Vobornik wrote: > On 05/04/2017 12:41 AM, Ian Harding wrote: >> Is there any way this can be made to work? This server does not exist >> in real life or seemingly in FreeIPA, but a ghost of it does. >> >> ianh@vm-ian-laptop:~$ ipa server-find freeipa-dal.bpt.rocks >> >>

[Freeipa-users] Getting a certificate for an alias

2017-05-04 Thread Steve Huston
I'm trying to use certmonger to get an SSL certificate on a web host which has an alias. I added the alias as a principal alias to the host record in FreeIPA, and I added the service as well with the actual hostname and the alias. However every time certmonger contacts the CA, the request is

[Freeipa-users] DNS forwarding issue

2017-05-04 Thread William Muriithi
Hello, I have a problem with Samba setup that I haven't been able to overcome for months. I am trying to set up samba on RHEL 7 using SSSD instead of winbind. Currently, I have a one way trust between the production Active directory and production IPA. I have users on IPA and Active directory.

Re: [Freeipa-users] LDAP Conflicts

2017-05-04 Thread Mark Reynolds
On 05/04/2017 10:20 AM, James Harrison wrote: > Hello All, > According to ipa_check_consistency we have "LDAP Conflicts" > (https://github.com/peterpakos/ipa_check_consistency). > > How do I find and resolve them?

Re: [Freeipa-users] Can't make replica with CA due to LDAP 'replication manager' user not found error

2017-05-04 Thread Standa Laznicka
On 05/04/2017 02:01 PM, Chris Dagdigian wrote: Florence Blanc-Renaud wrote: the issue looks similar to ticket 6766 [1] Flo. [1] https://pagure.io/freeipa/issue/6766 Thanks Flo, I agree that this looks like the issue I'm hitting in v4.4 much appreciated! I'm gonna be watching this

[Freeipa-users] Kerberos clients, service tickets, and client to KDC interaction

2017-05-04 Thread Christopher Lamb
Hi All Is the following statement correct? "If a kerberos client (e.g. a FreeIPA client) holds a service ticket to a service principal in its credentials cache, it no longer needs to interact with the KDC to access the service (assuming the ticket is still valid). i.e. if a kerberos client is

[Freeipa-users] LDAP Conflicts

2017-05-04 Thread James Harrison
Hello All, According to ipa_check_consistency we have "LDAP Conflicts" (https://github.com/peterpakos/ipa_check_consistency). How do I find and resolve them? I've seen: Re: [Freeipa-devel] LDAP conflicts resolution API

Re: [Freeipa-users] Getting a certificate for an alias

2017-05-04 Thread Fraser Tweedale
On Thu, May 04, 2017 at 05:36:26PM -0400, Steve Huston wrote: > I'm trying to use certmonger to get an SSL certificate on a web host > which has an alias. I added the alias as a principal alias to the > host record in FreeIPA, and I added the service as well with the > actual hostname and the

Re: [Freeipa-users] Getting a certificate for an alias

2017-05-04 Thread Steve Huston
On Thu, May 4, 2017 at 9:15 PM, Fraser Tweedale wrote: > The fix for this was released in FreeIPA 4.5. See ticket > https://pagure.io/freeipa/issue/6295. > Excellent! Any chance of that getting backported into the 4.4.x series available on RHEL7? -- Steve Huston - W2SRH

Re: [Freeipa-users] Getting a certificate for an alias

2017-05-04 Thread Fraser Tweedale
On Thu, May 04, 2017 at 10:30:39PM -0400, Steve Huston wrote: > On Thu, May 4, 2017 at 9:15 PM, Fraser Tweedale wrote: > > The fix for this was released in FreeIPA 4.5. See ticket > > https://pagure.io/freeipa/issue/6295. > > > > Excellent! Any chance of that getting

Re: [Freeipa-users] LDAP Conflicts

2017-05-04 Thread Ludwig Krispenz
you can start here: https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-solving_common_replication_conflicts you first need to find out which conflict entries you have, which entries need to be preserved, and then can start to