server.
Any thoughts?
Does it fail even if you do not copy-n-paste the key but let shell
expand it as
ipa user-mod demo --sshpubkey "$( cat /tmp/demo.pub )"
?
--
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat
be updated automatically to reflect those changes. Bug perhaps?
The ticket
https://fedorahosted.org/freeipa/ticket/3569
tracks addition of the WebUI GECOS field. It's been added in upstream
FreeIPA and it should find its way to the next RHEL releases as well.
--
Jan Pazdziora | adelton
to be disabled or it would still allow all
accesses. That might break existing users.
Check
http://www.freeipa.org/page/Howto/HBAC_and_allow_all
about possible solution to that problem.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
that I must first
uninstall the ipa server.
What is the OS version and the exact message that you get?
Has anyone experienced this and how might I get around this problem?
Are you sure you don't have the IPA server installed on both the KVM
guest *and* on the host?
--
Jan Pazdziora
Principal
not move me forward
enrolling the system to another IPA server.
Does anyone have example steps that need to be done to have my system
enrolled to two IPA servers?
Thank you,
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
of its
Any Host (aka Host category: all) manually and then removed it?
--
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https
to change the hostname of the instance to be in the
domain managed by the FreeIPA server?
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
for no password change forced on user
upon their first login from multiple sides, I wonder if the current
behaviour stems from some technical reason or if it's just a security
approach which the FreeIPA admins should be able to override.
--
Jan Pazdziora
Principal Software Engineer, Identity
as the guidelines but you can also try to set things up completely
without the guides, just using mod_authnz_pam's documentation at
http://www.adelton.com/apache/mod_authnz_pam/
And comments and help with the karma would be appreciated.
--
Jan Pazdziora
Principal Software Engineer, Identity
? When I put IPA2's data
to /etc/openldap/ldap.conf.IPA2 and run
LDAPCONF=/etc/openldap/ldap.conf.IPA2 getent passwd user...@realm2.net
I still don't get anything. I assume that it's because it's actually
sssd which does the calls ... but how would I set LDAPCONF for sssd?
--
Jan Pazdziora
not announcing it yet as we try to find ways to make the image
smaller and thus more easily consumable.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
on different hosts (be it containers or true
hosts). That's why the initial effort goes into moving what we have
with ipa-server-install to container as one block.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
https://admin.fedoraproject.org/pkgdb/package/python-qrcode/
python-yubico is already in epel6 but *NOT IN* epel7
https://admin.fedoraproject.org/pkgdb/package/python-yubico/
https://fedoraproject.org/wiki/EPEL/epel7/Requests should help us get
the process started.
--
Jan Pazdziora
to the next page.
Thus, on each screen the number of rows of the default ideal view can
be different, if the content above and below the table is of
different height, or if the height of the rows is different among
pages/tables.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering
/page/Docker
Any comments or improvements are welcome,
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info
?
There are currently 115 users there. Maybe some sort of network slip
and you are connected to the wrong part of the network?
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
of IPA?
I strongly suspect you are hitting
https://bugzilla.redhat.com/show_bug.cgi?id=1117673
Is there a particular reason why you want to go with unreleased
Fedora?
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
?
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
nothing if LDAP is not accessible.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
was implemented:
https://bugzilla.redhat.com/show_bug.cgi?id=662930
Feel free to open RFE.
Done: https://fedorahosted.org/bind-dyndb-ldap/ticket/140
Thank you,
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
it be to Kerberize it?
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
-microsoft-dns/
shows how ISC DHCP's execute can be used to send the changes to
an external command, and that command can include the
kinit -kt + nsupdate -g combo.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
On Wed, Dec 31, 2014 at 10:34:37PM +0100, Jan Pazdziora wrote:
endpoints, or their users, should not be trusted to
make updates to DNS zones. TSIG signed updates from servers are still
preferred over authenticated updates from endpoints or users.
Server has identity just like service
.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
is not container
and ntpd not running on the server, I was not able to reproduce the
issue.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
and
proceeding.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
false assumptions.
I'll update the git repo README / image documentation once we know
what exactly the plan with SELinux and situation with Fedora 21
client blocking are. It is something I work on right now.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
, instead of using SSO, be it
Kerberos or SAML? Is that purely the application not supporting it
or are there some other reasons (you say we don't want single sign
on which sounds like a political or compliance issue, not technical
one).
--
Jan Pazdziora
Principal Software Engineer, Identity
On Fri, Feb 20, 2015 at 09:36:17AM +0100, Günther J. Niederwimmer wrote:
have any a functional Link for this Problem.
Can you elaborate what the problem actually is? Specifically, what
setup you try to achieve, how you do it, where it starts to fail.
--
Jan Pazdziora
Principal Software
, it does not set priority for the preferred IPA server which
can be useful if they are in different geos and by default you want
the traffic to go to the local server. In that case
ipa_server = test-freeipa-2.cloud.domain.de, _srv_
might actually be preferred.
--
Jan Pazdziora
Principal
)?
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
might be a work around for now.
That's actually not too much trouble with our configuration management
system.
Then
ipa_server = local-geo-replica.example.com, _srv_
in sssd.conf is probably the best approach.
--
Jan Pazdziora
Principal Software Engineer, Identity Management
: Could not load the library.
I see the same bug both on host and in container.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
for the prompt fix!
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
On Thu, Mar 26, 2015 at 10:49:22AM +0100, Andrew Holway wrote:
From an SELinux standpoint systemd is far superior to initd as it allows
far more graceful domain transitions.
Have you got a link which would demonstrate how systemd helps
with domain transitions?
--
Jan Pazdziora
Principal
was the machine enrolled --
ipa-client-install, realm join, or some other way?
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
/pubconf/krb5.include.d/localauth_plugin
exists and configures
module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
?
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
machine ...
So that test.osuwmc realm -- is that your IPA server's realm, or AD
realm?
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
with
simple sssd/ldap only auth.
You might want to check Foreman and its realm feature:
http://theforeman.org/manuals/1.7/index.html#4.3.9Realm
That way OTP authentication will be used.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
...@example.test:
#
Is this expected? It's with 4.1.0.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
If hbactest passes, then we need to see the logs, /var/log/secure and
SSSD logs. Also the sssd.conf, please.
Also, how did you configure that tac_plus PAM service should be used?
How do you try to access the machine / service?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management
resolution.
Is there anything we can add to the tool on our side to catch the
errors earlier and/or make the error messages less scary and more
descriptive?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
in theory force it to work by writing a wrapper PAM module
which would call both pam_sss's pam_sm_authenticate *and*
pam_sm_acct_mgmt for its pam_sm_authenticate call. But it would be
a hack, possibly with unexpected side effects.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management
On Wed, Apr 08, 2015 at 02:42:38PM +0200, Jan Pazdziora wrote:
The ability to run FreeIPA server in a container was recently
improved by adding support for storing the server configuration and
data in a volume, making it easier to backup the server, upgrade it to
newer versions, as well
mod_authnz_pam:
http://www.adelton.com/apache/mod_authnz_pam/
http://www.freeipa.org/page/Web_App_Authentication
The module is packaged in Fedoras, RHEL, and CentOS.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
Nice.
One detail -- Red Hat prefers its name to be spelled Red Hat.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
at
https://registry.hub.docker.com/u/adelton/freeipa-server/
README was amended to describe the new usage options.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
-tomcat/conf/ca/CS.cfg had
the wrong owner (root).
I saw this issue in containers as well, when upgrading from Fedora 21
to 22. Do we have a bugzilla / ticket filed? Do we need one?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
, by giving you time-constrained
service ticket?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
]:
ClientResponseFailure: Error status 401 Unauthorized returned
What am I doing wrong? This is with ipa-server-4.1.0-18.el7.x86_64
and pki-server-10.1.2-7.el7.noarch.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
will
not work -- the session cookie is marked as Secure so the browser will
not store it when it comes via http, plus the UI checks referer to
start with https://.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
On Thu, Aug 20, 2015 at 02:26:43PM +0200, Jan Pazdziora wrote:
On Tue, Aug 18, 2015 at 02:58:50PM -0700, Janelle wrote:
Tried that -- but it gives a blank screen. I will try playing with it some
more. At least I know we are thinking in the same ballpark
I was able to set this up just fine
the installation today but that should be fairly easy
to workaround by not having krb5-devel installed from updates when
you start the installation, and it does not seem related to the
samba-python issue you see.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering
membership.
Would it make sense to have a way of running the SSSD evaluation from
the WebUI and showing the results there? Clearly distinguished from
the LDAP data, yet exposed in the WebUI ...
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
On Tue, Jul 14, 2015 at 11:06:20AM +0300, Alexander Bokovoy wrote:
On Tue, 14 Jul 2015, Jan Pazdziora wrote:
Would it make sense to have a way of running the SSSD evaluation from
the WebUI and showing the results there? Clearly distinguished from
the LDAP data, yet exposed in the WebUI
On Fri, Jul 17, 2015 at 10:47:37AM +0200, Petr Spacek wrote:
This rename would remove the inconsistency which drives me crazy when I need
to script something universally for RHEL and Fedora.
Wouldn't rpm Provides solve this particular issue?
--
Jan Pazdziora
Senior Principal Software
ogy,
CNAMEs pointing to that IPA-managed domain can be used to present
flat structure to users:
server.example.com -> server.ipa.example.com
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/.
Are copr builds for RHEL 7 / CentOS 7 planned?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
packages.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
On Fri, Jul 10, 2015 at 02:40:58PM +0200, Jan Pazdziora wrote:
On Fri, Jul 10, 2015 at 10:26:11AM +0200, Petr Vobornik wrote:
The FreeIPA team is proud to announce FreeIPA v4.2.0 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. The builds
for Fedora 22 and Fedora
.
Am I missing something?
I believe you might be hitting bug
https://fedorahosted.org/freeipa/ticket/4981
The fix will go out with 4.2 release.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
) way to let users authenticate via Kerberos and create
users authenticated by PAM upon first login?
Create user where -- in the Web application or in FreeIPA?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
-- with SSSD configured on the machine -- doesn't
require group the-group-name
actually work?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
confirm things work now, I'm able to install and setup FreeIPA 4.2
server on Fedora 22 with the copr repo.
Thank you!
Any plans for the RHEL/CentOS 7 copr repo?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
-certificates.html
I guess I should have been more clear. I need to create certificates
for users, not services.
That's new feature in FreeIPA 4.2:
http://www.freeipa.org/page/V4/User_Certificates
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering
On Mon, Sep 14, 2015 at 09:59:40AM +0200, Jan Pazdziora wrote:
> On Sat, Sep 12, 2015 at 03:14:35PM +0200, Natxo Asenjo wrote:
> > On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo <natxo.ase...@gmail.com>
> > wrote:
> >
> > > on a centos 7.1 host when enroll
ntos 6.7 realm either, same error.
Also reproduced on RHEL 7.1 and RHEL 7.2 (to be). I've filed
https://bugzilla.redhat.com/show_bug.cgi?id=1262718
now.
Thank you for bringing this to our attention.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
kdc/DEFAULT.socket, for debugging purposes?
I haven't even been able to sync the token properly, which Duncan says
in
https://github.com/adelton/docker-freeipa/issues/34#issuecomment-123877080
was working for him.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Manageme
and communication with the ipa-otpd daemon?
Also, does the Sync OTP Token operation invoke the ipa-otpd daemon
path (so if Duncan managed to sync the token, it worked for him at
least once) in any way or does it bypass it?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Eng
(data volumes) are supported but
you certainly want to keep backup around in case you need to revert to
the old image. You can also create new replica. The master-systemd
branch is based on Fedora 23.
Thank you,
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering
On Thu, Dec 17, 2015 at 11:30:53AM +0100, Jan Pazdziora wrote:
>
> if you are running FreeIPA servers in containers, you might want to
> be aware of a change that is coming -- in branch master-systemd of
>
> https://github.com/adelton/docker-freeipa
>
> we run the
you try to run FreeIPA 4 on CentOS 6.4 or do you want to IPA-enroll
that CentOS 6 machine to FreeIPA server?
What services / areas are you concerned about from the compatibility
POV?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
n that I failed to see the cause of the issues when
we discussed it with Karl in
https://github.com/adelton/docker-freeipa/issues/40
and at the same time I don't see anything container-specific in what
he attempts to do -- therefore I've asked him to bring the issue
to this forum.
--
Jan Paz
rules. For example, see
http://www.freeipa.org/page/Howto/HBAC_and_allow_all
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
ssh remotely. I am now able to connect to the server.
> It seems that all works fine again once I restart sssd on the server.
Do you restart the sshd service, sssd service, or both?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
containers are like
virtual machines (and people treat them like those especially from
security point of view) when they are not.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
.google.com/forum/#!topic/foreman-users/GlGSM6EAyUs
In that thread you note that the issue was in fact a replication
problem.
Did you manage to resolve it?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
om/
Note that you will not be able to use SSO (Kerberos) authentication
for the accesses via the ipa.public.company.com proxy but I assume
that's not needed.
Hope this helps. I will likely do another writeup about this setup.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Manage
Anthony as mentioned in the
other thread but we will debug it from here.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
t:9443/
https://ns01.dev.example.net/
-- with the nonstandard port specified.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
On Wed, Jun 08, 2016 at 10:01:44AM +0200, Jan Pazdziora wrote:
> On Tue, Jun 07, 2016 at 11:01:12AM -0400, Anthony Clark wrote:
> > Apparently removing the GSSAPI AuthType breaks foreman-proxy, so I had to
> > do this:
> >
> >
> >
> >
he access denied, perhaps also
increase the LogLevel to debug in the FreeIPA's Apache configuration
and check the error_log and ssl_error_log.
I did not observe the access denied before or after logging in and I'd
like to get to the root of this.
Thank you,
--
Jan Pazdziora
Senior Principal Software Engine
value (2.51)
rather than ignoring the difference altogether?
I have verified that the option works on Fedora client against older
Fedora server (but I did not try ipa-server-3.0.0 there).
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
On Mon, Jan 11, 2016 at 07:05:16PM +0100, Martin Basti wrote:
> On 11.01.2016 16:57, Jan Pazdziora wrote:
> >
> >We try to call the ipa commands against old FreeIPA server version,
> >taking advantage of the
> >
> > -e skip_version_check=1
> >
likely do not want to give every user a way to run any command,
why not just use sudo, and
docker run -u $SUDO_UID container bash
in the script invoked with the sudo (untested)?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
On Thu, Feb 04, 2016 at 12:37:07PM -0500, Prasun Gera wrote:
> On Thu, Feb 4, 2016 at 10:56 AM, Jan Pazdziora <jpazdzi...@redhat.com>
> wrote:
>
> > > The goal is to run the
> > > docker container such that when the user calls docker run,
> >
> > Is a
, the resulting sssd.conf had the [domain/default] section
removed. So something in the process seems to care about that section
-- maybe not the installer, maybe authconfig or something else.
On the other hand, I was not able to reproduce the change to the
content of the domain/default section that lej
rent machines (or in different containers).
If you are interested in exploring those areas and helping us develop
them, we'll be happy to hear about your findings.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
appen)
> —
> Attached
>
> My main suspect is dbus service unable to start in this container where it
> launches on a plain machine.
Certainly.
What steps did you take to make dbus startable in the container? Do
you have the dbus package installed?
--
Jan Pazdziora
Senior Princi
http://www.freeipa.org/page/Docker and
https://github.com/adelton/docker-freeipa.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
least one replica -- just create the
FreeIPA server in the container as another replica in your environment.
That way you can test it gradually -- point clients to it, add it to
DNS. I would not recommend attempting to convert existing installation
in one swoop, by replacing it in place.
--
Jan Paz
ike to try FreeIPA 4.3.1 on CentOS 7 in container, use
branch centos-7-upstream of
https://github.com/adelton/docker-freeipa
to build locally, or pull image
adelton/freeipa-server:centos-7-upstream
from Docker hub registry.
--
Jan Pazdziora
Senior Principal Software Engineer, I
PAM service
that pam_sss.so / SSSD will handle.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
or do you need something else?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
root4u IPv4 xx 0t0 TCP *:https (LISTEN)
> ###
>
> Is there something I am missing in the IPA configuration for the WebUI
> please ?
Perhaps
https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
could give some hints.
It was tested on FreeIPA 4.* --
role in application-level
session where the cookie is held by the browser and evaluated by the
application directly.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
rong?
There are some more config tweaks likely needed.
Writeup
https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
should help you resolve the issue.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
actly is the issue.
> If anyone have some information or done similar integration, i'd appreciate
> if you can share it.
What Spacewalk version and what OS and version is this?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
e our Websystem on this Server
This server meaning yet another VM, or directly on the host?
> What is the best way to allow a external Webmaster to create or modify the
> websites with joomla, and have the secure from IPA.
Could you be more specific about the
have the secure from IPA