[Freeipa-users] FreeIPA 3 to FreeIPA 4 migration and Kerberos realm is a forwarded zone

2016-11-18 Thread Michael Plemmons
Hello, My existing FreeIPA 3.0 (CentOS 6) setup is as follows: Kerberos Realm: test.com I have several DNS zones test.com dev.test.com stage.test.com qa.test.com prod.test.com mgmt.test.com ipa01.mgmt.test.com - FreeIPA 3.0 Master ipa02.mgmt.test.com - FreeIPA 3.0 Replica The FreeIPA servers ac

Re: [Freeipa-users] Host with Multiple hostnames

2016-11-28 Thread Michael Plemmons
The error is telling you that a DNS entry already exists for the hostname you want the CNAME. A DNS record can only have one record type. Meaning if you have 1.2.3.4 points to test.example.com, you cannot have test.example.com also be a CNAME for foo.example.com. *Mike Plemmons | Senior DevOps

[Freeipa-users] LDAP - Load Balancer - SSL cert with SAN

2016-12-29 Thread Michael Plemmons
I am trying to get FreeIPA LDAP to work when behind a load balancer and using SSL and I do not understand how I am supposed to get the server to use a certificate I created that has a SAN created. FreeIPA 4.4.0 on CentOS 7 Here is what I have: ipa-master.dev.crosschx.com - master ipa-replica.dev.

Re: [Freeipa-users] LDAP - Load Balancer - SSL cert with SAN

2017-01-03 Thread Michael Plemmons
main > service and this creates a signed SAN cert that you can upload later to > your LB. > > In simple words the service is assigned to all hosts but those hosts have > also a service added(this is a hack). > > Hope that makes sense and helps solving your problem. >

[Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

2017-05-03 Thread Michael Plemmons
I have a three node IPA cluster. ipa11.mgmt - was a master over 6 months ago ipa13.mgmt - current master ipa12.mgmt ipa13 has agreements with ipa11 and ipa12. ipa11 and ipa12 do not have agreements between each other. It appears that either ipa12.mgmt lost some level of its replication agreemen

Re: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

2017-05-03 Thread Michael Plemmons
neer | CROSSCHX* 614.427.2411 mike.plemm...@crosschx.com www.crosschx.com On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons < michael.plemm...@crosschx.com> wrote: > I have a three node IPA cluster. > > ipa11.mgmt - was a master over 6 months ago > ipa13.mgmt - current master > ipa12.m

Re: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

2017-05-03 Thread Michael Plemmons
Engineer | CROSSCHX* 614.427.2411 mike.plemm...@crosschx.com www.crosschx.com On Wed, May 3, 2017 at 10:16 PM, Michael Plemmons < michael.plemm...@crosschx.com> wrote: > I realized that I was not very clear in my statement about testing with > ldapsearch. I had initially run it without log

Re: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

2017-05-03 Thread Michael Plemmons
9560051000 *Mike Plemmons | Senior DevOps Engineer | CROSSCHX* 614.427.2411 mike.plemm...@crosschx.com www.crosschx.com On Wed, May 3, 2017 at 10:52 PM, Michael Plemmons < michael.plemm...@crosschx.com> wrote: > I ran another test. I started IPA with the ignore service failure

Re: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

2017-05-05 Thread Michael Plemmons
I just realized that I sent the reply directly to Rob and not to the list. My response is inline *Mike Plemmons | Senior DevOps Engineer | CROSSCHX* 614.427.2411 mike.plemm...@crosschx.com www.crosschx.com On Thu, May 4, 2017 at 9:39 AM, Michael Plemmons < michael.plemm...@crosschx.com>

Re: [Freeipa-users] qradar UBA to IPA

2017-05-08 Thread Michael Plemmons
From the server running Qradar can you ping the IPA server? Are you able to telnet to port 389 or 636 of the IPA server? The error says it can't contact the LDAP server which usually means you have not gotten to the point of authentication yet. *Mike Plemmons | Senior DevOps Engineer | CROS

Re: [Freeipa-users] qradar UBA to IPA

2017-05-08 Thread Michael Plemmons
> > > > Sean Hogan > > > > > > > > [image: Inactive hide details for Michael Plemmons ---05/08/2017 01:21:17 > PM--->From the server running Qradar can you ping the IPA ser]Michael > Plemmons ---05/08/2017 01:21:17 PM--->From the server running Qradar c

[Freeipa-users] Domain Levels

2017-05-10 Thread Michael Plemmons
I am currently running 4.4.0 on a three node cluster. My domain level is currently 0 on all three nodes. Is there a reason to keep the domain level at 0? I do not plan on adding any older versions of IPA into the cluster. Is there anything I need to worry about if I elevate the domain level to 1

Re: [Freeipa-users] Domain Levels

2017-05-11 Thread Michael Plemmons
...@crosschx.com www.crosschx.com On Thu, May 11, 2017 at 4:13 AM, Martin Bašti wrote: > > > On 10.05.2017 22:42, Michael Plemmons wrote: > > I am currently running 4.4.0 on a three node cluster. My domain level is > currently 0 on all three nodes. Is there a reason to keep the domain level

Re: [Freeipa-users] Domain Levels

2017-05-11 Thread Michael Plemmons
mike.plemm...@crosschx.com www.crosschx.com On Thu, May 11, 2017 at 8:35 AM, Michael Plemmons < michael.plemm...@crosschx.com> wrote: > Thank you for the reply. Is there a specific order I should perform the > DL upgrade? Should I upgrade the master first then the replicas? Do

Re: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

2017-05-18 Thread Michael Plemmons
*Mike Plemmons | Senior DevOps Engineer | CROSSCHX* 614.427.2411 mike.plemm...@crosschx.com www.crosschx.com On Thu, May 18, 2017 at 8:02 AM, Florence Blanc-Renaud wrote: > On 05/15/2017 08:33 PM, Michael Plemmons wrote: > >> I have done more searching in my logs and I see the foll

Re: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

2017-05-18 Thread Michael Plemmons
, May 18, 2017 at 10:28 AM, Florence Blanc-Renaud wrote: > On 05/18/2017 03:49 PM, Michael Plemmons wrote: > >> >> >> >> >> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX >> * >> 614.427.2411 >> mike.plemm...@crosschx.com <mai