son who set up this
version of FreeIPA went on vacation for 2 weeks, so I have minimal
background with FreeIPA from an admin/install perspective.
TIA,
Ian
--
Ian Stokes-Rees, PhD W: http://hkl.hms.harvard.edu
ijsto...@hkl.hms.harvard.edu
Some more info:
1. certmonger wasn't running, so I started it. Then I can execute
"ipa-getcert list" but it doesn't return anything.
2. /var/log/ipa/default.log (the only log file in that dir)
appears to show the *new* cert being imported
Some good news: turning off security has the Directory Server starting
up properly. If the directory server is only accessible within our
small intranet, can we safely run it without security enabled? If this
is theoretically possible it looks like the trick will be to change the
IPA config for
close right now (as in, the next 4-24 hours) of abandoning
FreeIPA, so some encouraging words on this front could make a difference
and keep us with you.
Ian
--
Ian Stokes-Rees, PhD W: http://portal.nebiogrid.org
ijsto...@hkl.hms.harvard.edu T: +1.617.432.5608 x75
(weeks/months) by non-developers is part of any beta-testing plan.
Regards,
Ian
--
Ian Stokes-Rees, PhD W: http://portal.nebiogrid.org
ijsto...@hkl.hms.harvard.edu T: +1.617.432.5608 x75
NEBioGrid, Harvard Medical School C: +1.617.331.5993
... as a sysadmin, whenever I read 'alpha|beta', all alarms go off
:-). I do follow the project, but I would never run any kind of
production on it just yet.
Our whole group thinks FreeIPA looks really exciting. We really do
*want* to use it. We want the project to succeed, and we'd be happy
While I can't comment on the final release schedule for FreeIPA v2, I
would like to point you at http://fedoraproject.org/wiki/Features/FreeIPAv2
What you should take away from this is that FreeIPA v2 is expected to be
feature-complete by
Is there some mechanism to store private keys (e.g. ssh, pgp, gpg,
X.509) in FreeIPA, tied to a user account, so only the user (via kerb
token or with password prompt) can fetch the token?
If FreeIPA doesn't make this possible, can anyone suggest a good
mechanism to have, effectively, a user
On 8/2/11 4:27 PM, Dmitri Pal wrote:
On 08/02/2011 02:15 PM, Ian Stokes-Rees wrote:
Is there some mechanism to store private keys (e.g. ssh, pgp, gpg,
X.509) in FreeIPA, tied to a user account, so only the user (via kerb
token or with password prompt) can fetch the token?
If FreeIPA
First,
security specialist would probably rebel about providing the
password or keys in clear. The best practice says do not reveal
the keys/passwords but rather encrypt them with some other
"transport" secret that would be known to the user or destination
On 8/3/11 4:47 AM, Ondrej Valousek wrote:
Maybe stupid question, but I have to ask:
Why would anyone want to store user RSA keys in LDAP? Once you
have IPA server with KDC installed, you can use Kerberos for
authentication as well.
And
On Wed Aug 3 10:37:45 2011, Stephen Gallagher wrote:
As a general rule, I would think that having your private key stored
somewhere that an admin other than yourself can reset the password and
have access to would be really dangerous. Most especially if this
private key was being used to
On 8/3/11 12:38 PM, Adam Young wrote:
I think what you are interested in is the Data Recovery Manager
(DRM...hey, we had the acronym first, but we also call it Key
Recovery) aspect of Certificate Server.
That is awesome. That is exactly what I want.
Do you have experience with this? If
On 8/3/11 1:02 PM, Stephen Gallagher wrote:
So I guess what I'm saying is not "Don't use centrally managed key
storage", but rather "If you use the key anywhere but in this
administrative domain, do not put it in centrally-managed storage that
anyone but you can ever gain access to it."
Yes, I
On Wed Aug 3 14:05:51 2011, Stephen Gallagher wrote:
No, the way that such a system would work is that the password would
never be passed to the central server. Only the encrypted data would be
sent and received. All decryption would happen locally. The most a
man-in-the-middle attack could
On 8/6/11 4:29 AM, Dmitri Pal wrote:
IPA 2.1 is getting close to its release so it is time to set some
expectations and explain our roadmap moving forward a little bit.
First, it is planned to have a couple of bug-fixing iterations on top of 2.1.
That translates into 2.1.1 and 2.1.2 milestones
it happening? If
so, shouldn't that be the default?
Thanks,
Ian
--
Ian Stokes-Rees, PhD W: http://portal.nebiogrid.org
ijsto...@hkl.hms.harvard.edu T: +1.617.432.5608 x75
NEBioGrid, Harvard Medical School C: +1.617.331.5993