Re: [Freeipa-users] deploying FreeIPA

2009-12-14 Thread John Dennis
On 12/12/2009 12:50 AM, jose mora wrote: hello how is everyone doing? I do have a request, can you help me Deploying FreeIPA? I would appreciate any kind of help thank you for your time Jose Mora We would like to help you but first you need to tell us what you need help with. -- John Dennis

Re: [Freeipa-users] Web admin for FreeIPA Directory Server

2010-01-27 Thread John Dennis
in the administration interface we provide we should fix it. Please note that v2 of FreeIPA has been under heavy development and the web GUI has received a lot of attention for the next release and whatever you're missing might have already been taken care of. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] IPA roadmap

2010-04-20 Thread John Dennis
are currently working on version 2.0 of FreeIPA and we've been releasing test releases. IPA 2.0 is due to ship in RHEL 6.1. We are alive, well, and very much kicking :-) -- John Dennis jden...@redhat.com Looking to carve out IT costs? www.redhat.com/carveoutcosts

Re: [Freeipa-users] Reports and questions

2010-05-03 Thread John Dennis
NSS entry points. It properly (or so I hope) handles all the variants (which are numerous) including ia5string. We should converge on using NSS for everything, the update will get us a lot closer to that goal. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] Feature request: TACACS+ integration

2010-08-25 Thread John Dennis
haven't fully understood your request. So let me rephrase it and see if I have it correct. You want something on your network which speaks the TACACS+ protocol but whose identity management is backed by our IPA server. Is that correct? -- John Dennis jden...@redhat.com

Re: [Freeipa-users] Feature request: TACACS+ integration

2010-08-25 Thread John Dennis
to utilize IPA as its back end. We would be happy to answer any questions for the person(s) who wanted to undertake this and contribute their work. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] Feature request: TACACS+ integration

2010-08-25 Thread John Dennis
. -- John Dennis jden...@redhat.com Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] hostMask attribute syntax issue in 60sudo.ldif

2010-09-24 Thread John Dennis
to fix the use of IA5. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] ipa-server-install fails

2011-01-18 Thread John Dennis
updates-devel edit /etc/yum.repos.d/fedora-updates.repo and make sure the enabled value is 1, e.g. enabled=1 -- John Dennis jden...@redhat.com

Re: [Freeipa-users] replica install failure....

2011-03-29 Thread John Dennis
On 03/29/2011 03:54 PM, Steven Jones wrote: Can you double-check that /etc/hosts is set up correctly? The ipv6 wasn't right I guess. I have added the host's name into that line. Will retry. Hmm... last I knew the hosts file cannot be used for IPv6 addresses. -- John Dennis jden

Re: [Freeipa-users] Clarification about FreeIPA milestones

2011-08-06 Thread John Dennis
additions. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] ETA on the libcurl fix?

2011-08-08 Thread John Dennis
expecting it shortly. I would recommend you install the new curl version from F15 updates and I'll apprise you of the status of xmlrpc-c in the morning. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] ETA on the libcurl fix?

2011-08-09 Thread John Dennis
On 08/09/2011 12:06 AM, John Dennis wrote: I believe the fix was incorporated into this RPM, curl-7.21.3-9.fc15 and was pushed into the stable update at 2011-08-09 01:29:07 xmlrpc-c is dependent on libcurl and is utilized by IPA. I do not believe there is a new version of xmlrpc-c built against

Re: [Freeipa-users] freeRADIUS?

2011-10-05 Thread John Dennis
On 10/05/2011 09:44 AM, Dmitri Pal wrote: On 10/04/2011 11:14 AM, John Dennis wrote: On 10/04/2011 10:50 AM, Jimmy wrote: I've been searching and see a few references to freeRADIUS used with FreeIPA, but I don't see any substantial information on the subject. Is there a procedure to use

Re: [Freeipa-users] Delete host: Unable to communicate with CMS (Not Found)

2011-11-17 Thread John Dennis
are dangling. If so adjust the link to point to its new location. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] Delete host: Unable to communicate with CMS (Not Found)

2011-11-17 Thread John Dennis
://bugzilla.redhat.com/show_bug.cgi?id=728598 It's filed against Red Hat Certificate System in RHEL, not dogtag in Fedora. Adam do you want to clone it into Fedora? -- John Dennis jden...@redhat.com

Re: [Freeipa-users] Delete host: Unable to communicate with CMS (Not Found)

2011-11-17 Thread John Dennis
On 11/17/2011 01:40 PM, Alexander Bokovoy wrote: On Thu, 17 Nov 2011, John Dennis wrote: My guess is this is due to the fact these jars changed their location. The symlinks to the jars are established by pkicreate. We have a bug open to enhance pkicreate (or add a new tool) which will adjust

Re: [Freeipa-users] Fwd: manual client join

2011-12-19 Thread John Dennis
(Request for Enhancement) on https://fedorahosted.org/freeipa/ -- John Dennis jden...@redhat.com

Re: [Freeipa-users] PEM and DER certificate formats

2012-01-06 Thread John Dennis
to DER. There should be an existing utility to do it. If not it's as simple as taking the text between the PEM delimiters and base-64 decoding it. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] PEM and DER certificate formats

2012-01-06 Thread John Dennis
that and ran it through a base64 decoder you'd have DER format. You can't get DER directly right now. We could probably add an option to write a file in DER format if you wanted to open an RFE on our trac instance. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?

2012-02-10 Thread John Dennis
the repo while it's being populated so on occasion you may see some odd failures if you happen to hit it while it's updating. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?

2012-02-10 Thread John Dennis
yum is somehow confused. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?

2012-02-10 Thread John Dennis
at the moment. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] Strange klist output

2012-02-25 Thread John Dennis
an explanation. John -- John Dennis jden...@redhat.com

Re: [Freeipa-users] Strange klist output

2012-02-25 Thread John Dennis
these enctypes? Is it to satisfy forwarding/proxy when you don't know a priori which enctype the foreign endpoint will require? -- John Dennis jden...@redhat.com

Re: [Freeipa-users] Strange klist output

2012-02-25 Thread John Dennis
) enctype. This is so that a client can use the strongest enctype it has crypto support for. Sure, that makes sense. But this is new behavior, what changed? -- John Dennis jden...@redhat.com

Re: [Freeipa-users] devel repo

2012-02-27 Thread John Dennis
to the ipa-and-samba-team-automation list, you can subscribe if you wish. Archives of the automation list can be found here: http://post-office.corp.redhat.com/archives/ipa-and-samba-team-automation -- John Dennis jden...@redhat.com

Re: [Freeipa-users] Constantly failing ipa-client-install

2012-03-24 Thread John Dennis
/ -- John Dennis jden...@redhat.com

Re: [Freeipa-users] firefox on windows how to get a kerberos ticket?

2012-04-03 Thread John Dennis
What are you trying to accomplish? In IPA 2.2 you can log onto the web UI without a kerberos ticket by using password based auth, thus the web UI no longer requires a kerberos ticket. This applies only to the web UI, not other IPA components (at the moment). John -- John Dennis jden

Re: [Freeipa-users] firefox on windows how to get a kerberos ticket?

2012-04-03 Thread John Dennis
On 04/03/2012 05:58 PM, Steven Jones wrote: So how do I login without a kerberos ticket? See attached screenshot snippets From: John Dennis [jden...@redhat.com] Sent: Wednesday, 4 April 2012 9:52 a.m. To: Steven Jones Cc: Petr Spacek; freeipa-users

Re: [Freeipa-users] 2 things,

2012-04-03 Thread John Dennis
. Click on the logout and you will be logged out and then you can log back in as someone else. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] 2 things,

2012-04-03 Thread John Dennis
On 04/03/2012 09:17 PM, Steven Jones wrote: My gui doesn't have the logout button. :( It will :-) It's a new feature, currently in beta. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] IPv6

2012-04-27 Thread John Dennis
if getaddrinfo is not available) -- John Dennis jden...@redhat.com

Re: [Freeipa-users] IPv6

2012-04-30 Thread John Dennis
On 04/30/2012 03:54 AM, Petr Spacek wrote: On 04/27/2012 02:43 PM, John Dennis wrote: On 04/27/2012 04:45 AM, Petr Spacek wrote: On 04/26/2012 11:42 PM, Simo Sorce wrote: On Thu, 2012-04-26 at 21:18 +, Steven Jones wrote: Hi, FYI, I shutdown IPv6 as we don't do IPv6 and found that IPA

Re: [Freeipa-users] FreeIPA and others

2012-05-11 Thread John Dennis
but make it vastly more powerful by layering a lot of sophisticated functionality on top it which is fully integrated and easy to use. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] FreeIPA and others

2012-05-11 Thread John Dennis
needs to be setup separately with lot of pain. Absolutely, the pain threshold of setting those components up and getting them to play together is high. One of the primary design goals of FreeIPA is to eliminate those pain points so you can focus on administrating your user base. -- John Dennis

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-17 Thread John Dennis
for managing session timeouts. It wouldn't be too hard to expand this to time how long it takes a command to execute because it's evaluated for every command. Combined with timestamping in the UI code we could get a reasonable idea of where some bottlenecks lie (or don't). -- John Dennis jden

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-18 Thread John Dennis
200 Success application/json jquery.js:7365 Script 46.93KB 46.38KB 1.52s 1.51s (1.40s waiting) Steve -- John Dennis jden...@redhat.com

Re: [Freeipa-users] unable to logout of IPA

2012-07-27 Thread John Dennis
process will be applied the next time you visit the web UI. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] whats the recommended way to change OU structures in IPA?

2012-08-06 Thread John Dennis
, hosts, etc. to groups. Then use group membership to control how a particular group of users behaves. It's easy to automate group membership via automember. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] IPA over the Internet - Security Implications

2012-08-17 Thread John Dennis
protocols. IPA also makes sure strong encryption is utilized for those tunnels. Strong authentication is also required at the endpoints of those tunnels. It really wouldn't make much sense to design an authentication and security manager that itself wasn't secure :-) -- John Dennis jden

Re: [Freeipa-users] KISS: DHCP from IPA

2012-08-29 Thread John Dennis
Thanks for the contribution Chris! Just as an aside if you know Python you can call the IPA commands directly and use Python to extract and reformat the data, it might be a lot simpler than doing the bash/awk dance. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] ipa host-del

2012-09-04 Thread John Dennis
is it the correct host? If not then the server will assume it's co-located on the same machine. Is your CA on the same machine as your IPA server? One other thing to check, is the CA running? Do an ipactl status to verify or an ipactl restart. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] ipa host-del

2012-09-04 Thread John Dennis
/httpd/error_log which may have more detailed messages indicating where things might be going wrong. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] ipa host-del

2012-09-04 Thread John Dennis
. Do you see any errors in the log files found under /var/log/pki-ca? -- John Dennis jden...@redhat.com

Re: [Freeipa-users] ipa host-del

2012-09-05 Thread John Dennis
? If not can you locate jss4.jar? Is it now under /var/lib64/java? If so adjust the symbolic link under /var/lib/pki-ca/common/lib to point to it. Do things work now after restarting? John -- John Dennis jden...@redhat.com

Re: [Freeipa-users] ipa host-del

2012-09-05 Thread John Dennis
a bug at this point, but perhaps we need to pay attention and see if anyone else gets bitten by this. John *From:* John Dennis jden...@redhat.com *To:* a...@redhat.com *Cc:* george he george_...@yahoo.com

Re: [Freeipa-users] Failed installation

2012-10-17 Thread John Dennis
the versions of the relevant packages, that would have been helpful. In any event I would make sure all your packages are up to date. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] adding group fails with Type or value exists

2012-11-15 Thread John Dennis
)? -- John Dennis jden...@redhat.com

Re: [Freeipa-users] FreeIpa 3.0.1 installation on Fedora 18

2012-12-06 Thread John Dennis
sure F18 is fully updated via yum 2) reboot 3) reboot Yes, that's right, reboot twice! (Apparently that's needed to get systemd updates installed and working) -- John Dennis jden...@redhat.com

Re: [Freeipa-users] testing AD trust on Fedora 18

2012-12-18 Thread John Dennis
2012 18:32:05' Sorry, someone else will have to help you with the below: ipa: ERROR: Cannot perform join operation without Samba 4 support installed. Make sure you have installed server-trust-ad sub-package of IPA but I have the server-trust-ad installed:-- John

Re: [Freeipa-users] testing AD trust on Fedora 18

2012-12-18 Thread John Dennis
On 12/18/2012 03:30 PM, Sumit Bose wrote: On Tue, Dec 18, 2012 at 03:16:47PM -0500, John Dennis wrote: On 12/18/2012 01:26 PM, Andre Rodrigues wrote: Hi all, I'm testing AD trust following this how to: http://www.freeipa.org/page/IPAv3_testing_AD_trust but when I set ipa dnszone-add I get

Re: [Freeipa-users] testing AD trust on Fedora 18

2012-12-19 Thread John Dennis
On 12/19/2012 05:50 AM, Sumit Bose wrote: On Wed, Dec 19, 2012 at 09:13:21AM +0100, Petr Spacek wrote: On 12/18/2012 09:56 PM, John Dennis wrote: ipa: ERROR: unable to parse cookie header 'ipa_session=f963e8e4006fdcd79e1a2a5a989b4d01; Domain=IPA.DOMAIN; Path=/ipa; Expires=Thu, 18 Dec 2012 13

Re: [Freeipa-users] testing AD trust on Fedora 18

2012-12-19 Thread John Dennis
On 12/19/2012 01:10 PM, Andre Rodrigues wrote: Thank you all for the answers.. I noticed that I had installed freeipa with incorrect parameters, so I reinstalled freeipa and I think now default.conf is correct. answering some questions: On 12/18/2012, John Dennis wrote: Please provide

Re: [Freeipa-users] CSV support in IPA administration tools - to be, or not to be?

2013-01-10 Thread John Dennis
-rec=6 --txt-rec=7 --txt-rec=8 --txt-rec=9 -- John Dennis jden...@redhat.com

Re: [Freeipa-users] how do i apply patch?

2013-01-11 Thread John Dennis
a patched RPM. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] CSV support in IPA administration tools - to be, or not to be?

2013-01-11 Thread John Dennis
On 01/11/2013 03:10 PM, Dmitri Pal wrote: On 01/10/2013 11:00 AM, John Dennis wrote: On 01/10/2013 08:15 AM, Petr Spacek wrote: Hello, is there any user of CSV support built-in to IPA administration tools (ipa command)? Do you consider it sane or even useful? Please reply. I've always

Re: [Freeipa-users] CSV support in IPA administration tools - to be, or not to be?

2013-01-11 Thread John Dennis
On 01/11/2013 03:52 PM, Dmitri Pal wrote: On 01/11/2013 03:27 PM, John Dennis wrote: On 01/11/2013 03:10 PM, Dmitri Pal wrote: On 01/10/2013 11:00 AM, John Dennis wrote: On 01/10/2013 08:15 AM, Petr Spacek wrote: Hello, is there any user of CSV support built-in to IPA administration tools

Re: [Freeipa-users] how do i apply patch?

2013-01-12 Thread John Dennis
On 01/12/2013 06:52 AM, Umarzuki Mochlis wrote: 2013/1/12 John Dennis jden...@redhat.com: 1) Download the source rpm matching the version you have installed, add the patch, rebuild the rpm locally, install the locally built rpm. how do i 'add the patch' to source rpm? any documentation that i

Re: [Freeipa-users] freeipa radius cisco

2013-01-16 Thread John Dennis
. This is configured in /etc/raddb/modules/krb5, by default it's krb5 { keytab = /path/to/keytab service_principal = name_of_principle } How did you configure these? -- John Dennis jden...@redhat.com

Re: [Freeipa-users] freeipa radius cisco

2013-01-18 Thread John Dennis
only in a very constrained scenario, it is not a general solution. The FreeRADIUS list is filled with folks' attempts to force an Auth-Type in the users file only to discover their woes. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] freeipa radius cisco

2013-01-18 Thread John Dennis
On 01/18/2013 10:13 AM, John Dennis wrote: On 01/18/2013 09:31 AM, Han Boetes wrote: In the users file DEFAULT Auth-Type = Kerberos Service-Type = NAS-Prompt-User, cisco-avpair = shell:priv-lvl=15 Be careful! It's almost never a good idea to set the Auth-Type in the user config

Re: [Freeipa-users] IPA Create User

2013-02-01 Thread John Dennis
and it completes within a few seconds is that real time? John -- John Dennis jden...@redhat.com

Re: [Freeipa-users] IPA Create User

2013-02-04 Thread John Dennis
, etc. Things like adding a user, or adding a user to a group are not compute intensive and should execute quickly. For your intended use I don't see any issues with the elapsed time for command execution. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] Upgrade to 3.1.2: web UI no longer works

2013-02-05 Thread John Dennis
it. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] Upgrade to 3.1.2: web UI no longer works

2013-02-05 Thread John Dennis
to read. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] Upgrade to 3.1.2: web UI no longer works

2013-02-05 Thread John Dennis
On 02/05/2013 01:40 PM, Thomas Sailer wrote: On 02/05/2013 06:32 PM, John Dennis wrote: % ipactl status # ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING httpd Service: RUNNING pki-cad Service: RUNNING ipa: INFO: The ipactl

Re: [Freeipa-users] Python Client

2013-02-09 Thread John Dennis
everything you've said so far you imply it does provide such hooks. Perhaps if you could be more specific we could be more helpful. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] Account Expiration

2013-02-12 Thread John Dennis
this). Then our config would have a LMTP domain socket pathname, if that pathname exists and we can connect to it we use, if not we fall back to not generating any mail. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] Non-human users

2013-02-15 Thread John Dennis
are automatically created when you install the package. Thus there is little point in trying to manage them. If you find yourself with a need to manage them step back and ask yourself why. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] Non-human users

2013-02-15 Thread John Dennis
The example cited was the apache user, a system daemon. For system users bound to system daemons I stand by what I said. If you want to talk about other system users not bound to a daemon then state that rather than confusing the issue. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] Non-human users

2013-02-15 Thread John Dennis
On 02/15/2013 01:35 PM, Rob Crittenden wrote: John Dennis wrote: The example cited was the apache user, a system daemon. For system users bound to system daemons I stand by what I said. If you want to talk about other system users not bound to a daemon then state that rather than confusing

Re: [Freeipa-users] Non-human users

2013-02-15 Thread John Dennis
On 02/15/2013 01:39 PM, Orion Poplawski wrote: On 02/15/2013 11:38 AM, John Dennis wrote: On 02/15/2013 01:35 PM, Rob Crittenden wrote: John Dennis wrote: The example cited was the apache user, a system daemon. For system users bound to system daemons I stand by what I said. If you want

Re: [Freeipa-users] Non-human users

2013-02-15 Thread John Dennis
users groups managed via some other mechanism (puppet?). I'm not sure this issue has come up before, it does present some interesting issues. John -- John Dennis jden...@redhat.com

Re: [Freeipa-users] Non-human users

2013-02-15 Thread John Dennis
. But the part of the requirement is not to have non-humans show up in every client (e.g. mail clients) that support LDAP directory lookups. That means they have to modify the filter on every client. That's a tall order :-( -- John Dennis jden...@redhat.com

Re: [Freeipa-users] Non-human users

2013-02-15 Thread John Dennis
On 02/15/2013 03:57 PM, Orion Poplawski wrote: On 02/15/2013 01:56 PM, John Dennis wrote: On 02/15/2013 03:46 PM, Simo Sorce wrote: This is an interesting use case, it would probably be appropriate to have a RFE filed to allow to create ipa users marked as 'non-person' so

Re: [Freeipa-users] Non-human users

2013-02-15 Thread John Dennis
On 02/15/2013 04:16 PM, Orion Poplawski wrote: On 02/15/2013 02:02 PM, John Dennis wrote: On 02/15/2013 03:57 PM, Orion Poplawski wrote: On 02/15/2013 01:56 PM, John Dennis wrote: On 02/15/2013 03:46 PM, Simo Sorce wrote: This is an interesting use case, it would probably be appropriate

Re: [Freeipa-users] Non-human users

2013-02-15 Thread John Dennis
On 02/15/2013 04:54 PM, Orion Poplawski wrote: On 02/15/2013 02:34 PM, John Dennis wrote: On 02/15/2013 04:16 PM, Orion Poplawski wrote: Hmm, that is the filter in TB for me too, but: [15/Feb/2013:11:17:21 -0700] conn=931 op=1 SRCH base=ou=people,dc=nwra,dc=com scope=2 filter=(|(mail

Re: [Freeipa-users] Cannot obtain CA Certificate

2013-02-18 Thread John Dennis
install interactively? Is the realm EXAMPLE.COM really correct? Are you able to do a kinit for ipa-b...@example.com on the client successfully? Are your kerberos ports open? -- John Dennis jden...@redhat.com

Re: [Freeipa-users] Trouble creating replica

2013-02-20 Thread John Dennis
for obvious problems. HTH, I forget the exact version you're running on which OS. If the above is not specific enough we can get the dogtag folks to jump in. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] --external-ca is a bit confusing.

2013-02-21 Thread John Dennis
. This FAQ entry from cacert will help clarify: http://wiki.cacert.org/SubRoot -- John Dennis jden...@redhat.com

Re: [Freeipa-users] What does the u mean in IPA messages?

2013-02-28 Thread John Dennis
were not consistent with whether we used str's or unicode objects and it was handy to know the difference, it's not so much of an issue any more. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] What does the u mean in IPA messages?

2013-02-28 Thread John Dennis
On 02/28/2013 05:34 PM, KodaK wrote: On Thu, Feb 28, 2013 at 3:27 PM, John Dennis jden...@redhat.com wrote: On 02/28/2013 04:18 PM, KodaK wrote: When performing an operation with the IPA tools, I get a message every time similar to this: ipa: INFO: Forwarding 'hbactest' to server u'https

Re: [Freeipa-users] What does the u mean in IPA messages?

2013-03-01 Thread John Dennis
On 03/01/2013 03:17 PM, KodaK wrote: On Thu, Feb 28, 2013 at 5:01 PM, John Dennis jden...@redhat.com wrote: On 02/28/2013 05:34 PM, KodaK wrote: BTW, why are you parsing diagnostic output? I haven't actually started yet, I was just getting my bearings. I was going to wrap the commands

Re: [Freeipa-users] What does the u mean in IPA messages?

2013-03-01 Thread John Dennis
On 03/01/2013 04:01 PM, John Dennis wrote: On 03/01/2013 03:17 PM, KodaK wrote: On Thu, Feb 28, 2013 at 5:01 PM, John Dennis jden...@redhat.com wrote: On 02/28/2013 05:34 PM, KodaK wrote: BTW, why are you parsing diagnostic output? I haven't actually started yet, I was just getting my

Re: [Freeipa-users] ipa-* tools throws errors

2013-03-11 Thread John Dennis
restarted httpd on aurora? What are the contents of /etc/httpd/conf.d/ipa.conf? -- John Dennis jden...@redhat.com

Re: [Freeipa-users] LDAP authentication for 3rd party

2013-04-11 Thread John Dennis
. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] FreeIPA dual stacked

2013-04-15 Thread John Dennis
should just work. Please let us know if it doesn't. I'm not surprised we still have some IPv6 bumps to smooth out, it doesn't get exercised as much as IPv4. FWIW we fully expect IPv6 enabled systems to be dual stack. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] users account functionality

2013-05-02 Thread John Dennis
from a shell script or you can write your own Python scripts and invoke the IPA API directly. Be careful though, the type of operations you've described all require administrator privileges, it's not something a general user can do. -- John Dennis jden...@redhat.com

Re: [Freeipa-users] free radiuse

2013-09-03 Thread John Dennis
On 09/03/2013 12:51 AM, Jason Prouty wrote: I have IPA-server installed and working for my linux servers I have several cisco Routers 2821 and juniper FW that I would like to authenticate against IPA. I have a free radius .schema file. First you have to tell us what authentication

Re: [Freeipa-users] Ldap schema

2013-09-04 Thread John Dennis
On 09/04/2013 05:41 PM, Jason Prouty wrote: I have the radius.schema file how do I add that into my ldap schema on IPA server. I see several ldif files /etc/dirsrv/instance/schema but they are ldif files If I can extend my schema integration to free radius should be easy. Is there a

Re: [Freeipa-users] Ldap schema

2013-09-05 Thread John Dennis
On 09/05/2013 02:29 AM, Dmitri Pal wrote: On 09/05/2013 12:38 AM, Jason Prouty wrote: This is the AV-Pair I would like to implement to pass back to radius. dn: cn=priv-15,ou=cisco,ou=radius,dc=example,dc=com objectClass: radiusObjectProfile objectClass: radiusprofile cn: priv-15

Re: [Freeipa-users] Elliptic curves with the CA

2013-09-18 Thread John Dennis
On 09/18/2013 01:53 PM, mees virk wrote: I do not have a valid support contract, or other contracts with RedHat. Doesn't that stop me from opening proper RFE ticket? In any case, my interest was this time solely for evaluation purposes. If I were actively choosing an integrated identity

Re: [Freeipa-users] Changing the WebUI idiom

2013-09-23 Thread John Dennis
On 09/23/2013 07:19 AM, Arturo Borrero wrote: Hi there! FreeIPA WebUI in Spanish has some annoyances in how the text is shown. http://img545.imageshack.us/img545/9016/9eur.png We would like to switch from Spanish to standard English in the WebUI. Could anyone please point me in the

Re: [Freeipa-users] Changing the WebUI idiom

2013-09-23 Thread John Dennis
On 09/23/2013 07:55 AM, John Dennis wrote: On 09/23/2013 07:19 AM, Arturo Borrero wrote: Hi there! FreeIPA WebUI in Spanish has some annoyances in how the text is shown. http://img545.imageshack.us/img545/9016/9eur.png We would like to switch from Spanish to standard English in the WebUI

Re: [Freeipa-users] External CA

2013-11-08 Thread John Dennis
On 11/08/2013 04:56 AM, Petr Viktorin wrote: On 11/08/2013 09:01 AM, Martin Kosek wrote: Thanks for heads up. You mean by the difference between O=MW and O=MELTWATER.COM? Petr, is this possible? Can it be validated in the installer if this is the root cause? That's a good question.

Re: [Freeipa-users] Installation issues with sub-ca.

2013-11-12 Thread John Dennis
On 11/12/2013 11:36 AM, Rob Crittenden wrote: This is basically what I saw too. I'm waiting on someone from the NSS team to get back to me. This must have something to do with the way that OpenSSL validates certs vs NSS. Apparently NSS is being more picky but I don't know why yet. FWIW the

Re: [Freeipa-users] Installation issues with sub-ca.

2013-11-14 Thread John Dennis
On 11/14/2013 03:29 AM, Andrea Bontempi wrote: I did some tests: The error occurs when I use a CA managed by EJBCA, if I use a CA generated by openssl or nss everything works properly. The problem is that i can't reproduce the bug in an external nss db... but maybe I don't follow the same

Re: [Freeipa-users] Installation issues with sub-ca.

2013-11-14 Thread John Dennis
On 11/14/2013 08:56 AM, Rob Crittenden wrote: Andrea Bontempi wrote: This is incorrect. To validate a certificate you only need the CA public keys, not the private ones. Only having the ipa-ca-agent key is right. This is a temporary database, not the CA database. We are using this cert to