[Freeipa-users] Read Only LDAP Replicas

2014-12-26 Thread Prashant Bapat
Hi All, I'm trying to implement FreeIPA for Users and SSH pub keys management in our infra. We have a setup that spans multiple geographies. What we are thinking is something like below. 1. Have 2 full FreeIPA servers with multi master replicas in one region. 2. In other regions just have a LDAP

Re: [Freeipa-users] Client configuration to point to Replica server once master service failed

2014-12-31 Thread Prashant Bapat
You could use DNS based failover for this. Configure DNS with a low TTL value like 60 secs. When the primary fails, update the DNS with the secondary. Services like dynect offer this. On 1 January 2015 at 11:05, Sanju A sanj...@tcs.com wrote: Hi All, I have configured Master - Master

[Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Prashant Bapat
Hi, I'm trying to get 2 FreeIPA servers in a replicated mode behind a load balancer, specifically Amazon ELB. I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but looks like there is more to it than just this file. Any suggestions? Thanks. --Prashant -- Manage your subscription

[Freeipa-users] nsAccountLock attribute

2015-03-31 Thread Prashant Bapat
Hi, Is there a way of making the nsAccountLock attribute (User enable/disable) to be anonymously readable? I'm trying to implement an SSH key lookup sshd authorized key command script. Based on this attribute the user will be allowed to login. I need this to be anonymously readable. Tried

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Prashant Bapat
, Matt 2015-03-31 13:56 GMT+02:00 Prashant Bapat prash...@apigee.com: Hi, I'm trying to get 2 FreeIPA servers in a replicated mode behind a load balancer, specifically Amazon ELB. I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but looks like there is more to it than just

Re: [Freeipa-users] nsAccountLock attribute

2015-04-01 Thread Prashant Bapat
command to lookup the keys. Thanks. --Prashant On 1 April 2015 at 11:06, Jan Cholasta jchol...@redhat.com wrote: Hi, Dne 1.4.2015 v 07:09 Prashant Bapat napsal(a): Hi, Is there a way of making the nsAccountLock attribute (User enable/disable) to be anonymously readable? I'm trying

Re: [Freeipa-users] Adding a custom attribute to user object

2015-03-23 Thread Prashant Bapat
Martin, Thanks! Let me double check. Yes I was referring to the exact same pdf. Regards. --Prashant On 23 March 2015 at 16:49, Martin Kosek mko...@redhat.com wrote: On 03/23/2015 10:19 AM, Prashant Bapat wrote: Hi, I'm trying to add a custom attribute to user object. Below is the ldif

Re: [Freeipa-users] Adding a custom attribute to user object

2015-03-23 Thread Prashant Bapat
Ok the command you gave me worked. But I was following the PDF and below command never worked. ipa config-mod --addattr=ipaUserObjectClasses=ApigeeUserAttr Is that expected? Thanks. --Prashant On 23 March 2015 at 17:37, Prashant Bapat prash...@apigee.com wrote: Martin, Thanks! Let me

Re: [Freeipa-users] Adding a custom attribute to user object

2015-03-23 Thread Prashant Bapat
Hi Rob, Yes I did restart it. Ok another problem. I'm not able to add this attr to existing users. Only the new ones. Any pointers? Thanks. --Prashant On 23 March 2015 at 21:19, Rob Crittenden rcrit...@redhat.com wrote: Prashant Bapat wrote: Ok the command you gave me worked. But I

Re: [Freeipa-users] Adding a custom attribute to user object

2015-03-23 Thread Prashant Bapat
to existing modified users. There is an example of such plugin in the PDF I mentioned. On 03/23/2015 05:22 PM, Prashant Bapat wrote: Hi Rob, Yes I did restart it. Ok another problem. I'm not able to add this attr to existing users. Only the new ones. Any pointers? Thanks

Re: [Freeipa-users] Replication issues

2015-04-07 Thread Prashant Bapat
not replicated), would you enable replication and plugin logging ( http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#Troubleshooting) and provide the access/errors logs ? thanks thierry On 04/06/2015 04:38 PM, Prashant Bapat wrote: Hi, Seems like there is an issue with replication

[Freeipa-users] Replication issues

2015-04-06 Thread Prashant Bapat
Hi, Seems like there is an issue with replication that I have encountered. I'm using a custom attribute and a slapi-plugin. Below is the attribute added. dn: cn=schema changetype: modify add: attributeTypes attributeTypes: (2.16.840.1.113730.3.8.11.31.1 NAME 'ipaSshSigTimestamp' DESC 'SSH

Re: [Freeipa-users] Changing the SSL certificate for the WebUI

2015-06-20 Thread Prashant Bapat
of the UI to handle SSL. On 18 June 2015 at 19:03, Rob Crittenden rcrit...@redhat.com wrote: Prashant Bapat wrote: Hi All, There is a way to change the certificate for the web UI. I went with a standard install with a self signed CA etc. Now I want to install a cert from a commercial CA

Re: [Freeipa-users] Using FreeIPA OTP in a PAM module

2015-06-27 Thread Prashant Bapat
Aah ok! Unfortunately I'm using Amazon Linux and it does not support SSSD. I ended up using nss-pam-ldap, nscd and nslcd. However this looks promising. Only for the servers exposed to the Internet I could use CentOS/Fedora and this method of authentication. Let me try this and come back to you.

Re: [Freeipa-users] Changing the SSL certificate for the WebUI

2015-06-20 Thread Prashant Bapat
! --Prashant On 21 June 2015 at 01:51, Rob Crittenden rcrit...@redhat.com wrote: Prashant Bapat wrote: I tried the steps documented on a test VM. Looks like I ended up in the situation described here https://www.redhat.com/archives/freeipa-users/2012-January/msg00045.html. Please be careful

Re: [Freeipa-users] blank user screen? (web UI)

2015-06-21 Thread Prashant Bapat
Can you share the steps to reproduce this and the error message? On 21 June 2015 at 02:33, Janelle janellenicol...@gmail.com wrote: Just wondering if others have run into the user login to the web-UI and with the exception of the top part of the screen and menu, all the user details go blank.

[Freeipa-users] Using FreeIPA OTP in a PAM module

2015-06-26 Thread Prashant Bapat
Hi, I'm exploring implementing a 2FA solution to my servers exposed to public. Mainly to secure SSH with 2FA. The SSH keys and users are already in FreeIPA. Is there a way to utilize the OTP inside FreeIPA during a user login to these servers? A user will have to enter the TOTP code based on

Re: [Freeipa-users] OTP - Google Authenticator - iPhone - Invalid barcode

2015-06-17 Thread Prashant Bapat
, 2015-06-17 at 12:35 +0530, Prashant Bapat wrote: Simo is right! This issue is same as https://fedorahosted.org/freeipa/ticket/5047 If I change the algorithm in the otp url to uppercase it scans in Google authenticator/iPhone. Furthermore I manually edited the /usr/lib/python2.7/site

[Freeipa-users] Firefox issue with web ui certificate

2015-06-17 Thread Prashant Bapat
Hi, I have gotten into a strange situation. I'm running FreeIPA for 2 different environments, dev/production. By mistake, the domain for both are configured the same. Say EXAMPLE.COM. Now the problem users are facing is when using the web UI with Firefox. It complains that the secure connection failed

Re: [Freeipa-users] OTP - Google Authenticator - iPhone - Invalid barcode

2015-06-17 Thread Prashant Bapat
' to 'SHA' in a test VM and it works as expected. I hate to do this in the production server though. On 12 June 2015 at 23:32, Prashant Bapat prash...@apigee.com wrote: Hi, Has anyone seen this? When a user tries to scan the QR code he gets a message saying invalid barcode. This happens only

[Freeipa-users] OTP - Google Authenticator - iPhone - Invalid barcode

2015-06-12 Thread Prashant Bapat
Hi, Has anyone seen this? When a user tries to scan the QR code he gets a message saying invalid barcode. This happens only with iPhone + Google Authenticator. Thanks for your help. --Prashant

Re: [Freeipa-users] Using FreeIPA OTP in a PAM module

2015-06-30 Thread Prashant Bapat
: On Tue, Jun 30, 2015 at 11:34:55AM +0530, Prashant Bapat wrote: Hi, I was able to set this up in a Fedora instance with SSSD and it works as expected. SSHD first uses the public key and then prompts for password which is of course password+OTP. However

Re: [Freeipa-users] 3rd party certificate for WebUI only

2015-07-01 Thread Prashant Bapat
I had the exact same requirement. Since we're on AWS, I ended up putting an ELB in front of each of my IPA servers with a commercial cert for web UI. The communication between ELB and the IPA server is using the IPA CA cert. On 2 July 2015 at 07:03, Rob Crittenden rcrit...@redhat.com wrote:

Re: [Freeipa-users] 3rd party certificate for WebUI only

2015-07-02 Thread Prashant Bapat
its own auto-renewal, does it leave the webui alone if set up this way? On Wed, Jul 1, 2015 at 9:16 PM, Prashant Bapat prash...@apigee.com wrote: I had the exact same requirement. Since we're on AWS, I ended up putting an ELB in front of each of my IPA servers with a commercial cert for web

Re: [Freeipa-users] Using FreeIPA OTP in a PAM module

2015-06-30 Thread Prashant Bapat
. Is it possible to make sure the user has to login once and the credentials are cached for say 12/24 hours. I know this is possible just using the password. Question is, is this possible using password+OTP? Thanks. --Prashant On 27 June 2015 at 13:06, Prashant Bapat prash...@apigee.com wrote: Aah ok

Re: [Freeipa-users] anonymous LDAP attributes with IPA ipa-server-4.1

2015-10-27 Thread Prashant Bapat
Making attributes anonymously readable is very simple. You need to look into RBAC and define the permissions/privileges you need. On 28 October 2015 at 08:02, wrote: > Hi, > > We have recently updated from IPA 3 to IPA 4.1 and one of the changes in > security is

Re: [Freeipa-users] anonymous LDAP attributes with IPA ipa-server-4.1

2015-10-27 Thread Prashant Bapat
Refer this doc https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#server-access-controls On 28 October 2015 at 11:11, Prashant Bapat <prash...@apigee.com> wrote: > Making attributes an

Re: [Freeipa-users] 389DS segfaults after upgrade FC 21 -> 22

2015-11-12 Thread Prashant Bapat
Is there a way for you to try F23? It's the latest anyway if that's the reason you're upgrading. I recently did this a couple of times in a test setup (aws and virtualbox). I have 4.1.4 (F21) in production. Was trying upgrade from F21->F22 and F22->F23 this would give me freeipa 4.2.3. Things went

Re: [Freeipa-users] Upgrade from 4.1.4

2015-11-04 Thread Prashant Bapat
Great idea! Is that possible? Any documentation on how to do this would be very helpful. Thanks. On 4 November 2015 at 19:17, Rob Crittenden <rcrit...@redhat.com> wrote: > Martin Kosek wrote: > > On 11/04/2015 10:27 AM, Prashant Bapat wrote: > >> Ack. But in a li

Re: [Freeipa-users] Upgrade from 4.1.4

2015-11-04 Thread Prashant Bapat
Looks like there are issues with dogtag and tomcat8. http://pki.fedoraproject.org/wiki/Tomcat_8 On 5 November 2015 at 11:32, Prashant Bapat <prash...@apigee.com> wrote: > New issue with upgrade. > > I setup a test IPA server. It's on AWS EC2 instance in a VPC. Fedora 21.

Re: [Freeipa-users] Upgrade from 4.1.4

2015-11-05 Thread Prashant Bapat
Please ignore my mails about tomcat/pki. An update fixed the issue. On 5 November 2015 at 12:58, Prashant Bapat <prash...@apigee.com> wrote: > Looks like there are issues with dogtag and tomcat8. > http://pki.fedoraproject.org/wiki/Tomcat_8 > > On 5 November 2015 at 11:32, Pra

Re: [Freeipa-users] IMPORTANT: FreeIPA upgrade broken in Fedora 23

2015-11-05 Thread Prashant Bapat
I just upgraded a test env from 4.1.4 (F21) to 4.2.3 (F23) without issues. I had to run a dnf upgrade freeipa-server AFTER upgrading to F23 and then run ipa-server-upgrade. On 5 November 2015 at 16:20, John Obaterspok wrote: > Hi, > > I waited a couple of days and

[Freeipa-users] Upgrade from 4.1.4

2015-11-04 Thread Prashant Bapat
Hi All, We rolled out freeipa in our setup somewhere in the beginning of 2015. Since then there have been a couple of new releases. Latest being 4.2.3. The FreeIPA servers are installed on Fedora 21 hosts and at this point there is no direct way of upgrading to 4.2.3 unless we also upgrade the OS. The

Re: [Freeipa-users] Upgrade from 4.1.4

2015-11-04 Thread Prashant Bapat
k <mko...@redhat.com> wrote: > On 11/04/2015 10:15 AM, Lukas Slebodnik wrote: > > On (04/11/15 14:37), Prashant Bapat wrote: > >> Hi All, > >> > >> We rolled out freeipa in our setup somewhere in beginning of 2015. Since > >> then there have been couple o

Re: [Freeipa-users] ipa-client on aws (amazon linux)

2015-09-02 Thread Prashant Bapat
Lukas, ipa-client-install is part of the freeipa-client rpm. On Amazon Linux this rpm cannot be installed. This is the basic issue. Thanks. On 2 September 2015 at 12:43, Lukas Slebodnik <lsleb...@redhat.com> wrote: > On (02/09/15 11:22), Prashant Bapat wrote: > >Hi, > >

Re: [Freeipa-users] ipa-client on aws (amazon linux)

2015-09-02 Thread Prashant Bapat
Hi, Running a freeipa-client on Amazon Linux is a huge challenge. This is because the client depends on SSSD which in turn uses Samba libraries which Amazon Linux does not support. I tried this sometime back and gave up. Instead we went with pam-nss-ldap route which works great with compat ldap

Re: [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd

2015-09-10 Thread Prashant Bapat
One way to do it is write a small script which will fetch the keys from LDAP. As for authentication, I make the SSH public key anonymously readable for everyone. On 11 September 2015 at 05:00, Gustavo Mateus wrote: > Hi, > > I'm trying to setup my Amazon Linux

Re: [Freeipa-users] Restricting access to unencrypted LDAP connections

2015-11-18 Thread Prashant Bapat
equiring-secure-connections > > > On 11/18/2015 07:24 AM, Prashant Bapat wrote: > > Hi, > > We have a pair of freeipa servers (4.1.4) and a bunch of Linux clients > configured to talk to them thru pam-nss-ldapd (no sssd). I want to ensure > that these clients only talk to freeip

[Freeipa-users] Restricting access to unencrypted LDAP connections

2015-11-17 Thread Prashant Bapat
Hi, We have a pair of freeipa servers (4.1.4) and a bunch of Linux clients configured to talk to them thru pam-nss-ldapd (no sssd). I want to ensure that these clients only talk to freeipa's LDAP server either via ldaps or ldap+starttls. Plain ldap should not be allowed. I can always switch to

Re: [Freeipa-users] FreeOTP

2016-06-07 Thread Prashant Bapat
If this is TOTP (time based) you want to double check the time is properly set in both the server (NTP) and the device that is generating the OTP tokens. I have had issues with this with my users a couple of times. On 7 June 2016 at 19:43, Alexander Bokovoy wrote: > On

Re: [Freeipa-users] FreeOTP

2016-06-07 Thread Prashant Bapat
> > > Forgot to mention; this IPA-server is running on Fedora ARM on a Bananapi. > non-otp logins go well. > > > Winny > > > > > Op 07-06-16 om 16:56 schreef Prashant Bapat: > > If this is TOTP (time based) you want to double check the time is > pr

[Freeipa-users] Read-only access to enforce OTP

2016-06-16 Thread Prashant Bapat
Hi, I'm writing a small script which will scan all the users and check if each one has set up an OTP. It will send out an email to the user if OTP is missing. I added a new entry uid=otp-check-ro,cn=sysaccounts,cn=etc,dc=example,dc=com. Problem is I'm able to read all the users attributes but

Re: [Freeipa-users] Kerberos process coredump | authentication fails

2016-01-28 Thread Prashant Bapat
Sure. Attached the stack trace with debuginfo installed. Thanks much! On 28 January 2016 at 16:53, Sumit Bose <sb...@redhat.com> wrote: > On Thu, Jan 28, 2016 at 04:42:20PM +0530, Prashant Bapat wrote: > > gdb stacktrace attached. > > Can you install the debuginfo with &

Re: [Freeipa-users] Kerberos process coredump | authentication fails

2016-01-29 Thread Prashant Bapat
wrote: > On Thu, Jan 28, 2016 at 09:36:55PM +0530, Prashant Bapat wrote: > > Sure. Attached the stack trace with debuginfo installed. > > > > Thanks much! > > This looks very much like the issue Simo fixed recently, but > unfortunately I think it is so recent that

[Freeipa-users] Kerberos process coredump | authentication fails

2016-01-27 Thread Prashant Bapat
Hi, We have a FreeIPA 4.1.4 setup on F21 servers. There is 1 master and 7 replicas in different regions. Earlier there was only 1 replica. Since I added new replicas, on the master node, once in a while the kerberos process dumps core and everything stops working - authentication, replication

Re: [Freeipa-users] Kerberos process coredump | authentication fails

2016-01-28 Thread Prashant Bapat
at 13:54, Sumit Bose <sb...@redhat.com> wrote: > On Thu, Jan 28, 2016 at 10:25:53AM +0530, Prashant Bapat wrote: > > Hi, > > > > We have a FreeIPA 4.1.4 setup on F21 servers. There is 1 master and 7 > > replicas in different regions. Earlier there was only

Re: [Freeipa-users] Kerberos process coredump | authentication fails

2016-01-28 Thread Prashant Bapat
gdb stacktrace attached. On 28 January 2016 at 16:27, Prashant Bapat <prash...@apigee.com> wrote: > Thanks Sumit. > > From the logs there is nothing unusual around the time of core dump. I > found this one line odd though. > > *Jan 26 03:15:58 ipa.example.net <http:/

Re: [Freeipa-users] Kerberos process coredump | authentication fails

2016-01-28 Thread Prashant Bapat
Thanks Lukas. I'm exploring moving to CentOS for our setup so that I get the advantage of longer release cycles. On 28 January 2016 at 16:41, Lukas Slebodnik <lsleb...@redhat.com> wrote: > On (28/01/16 16:27), Prashant Bapat wrote: > >Thanks Sumit. > > > >>From the

[Freeipa-users] Wildcards in sudo external hostnames

2016-02-18 Thread Prashant Bapat
Hi, I'm using FreeIPA 4.1.4 with nss-pam-ldapd and the compat schema. I'm thinking of moving sudo rules to IPA and with ou=sudoers and sudo-ldap this works. In our setup we have a lot of rules with wildcard matching for sudo hostnames. For ex webserver*, dbserver* etc. In the IPA UI, when I

Re: [Freeipa-users] Wildcards in sudo external hostnames

2016-02-19 Thread Prashant Bapat
Not using SSSD because Amazon Linux does not support samba libraries required to compile it. On 19 February 2016 at 14:28, Jakub Hrozek <jhro...@redhat.com> wrote: > On Fri, Feb 19, 2016 at 11:27:16AM +0530, Prashant Bapat wrote: > > Hi, > > > > I'm using FreeI

Re: [Freeipa-users] Wildcards in sudo external hostnames

2016-02-22 Thread Prashant Bapat
voy <aboko...@redhat.com> wrote: > On Mon, 22 Feb 2016, Prashant Bapat wrote: > >> SSSD on Amazon linux is a dead end! I have tried since a year without any >> definitive answer. >> >> Any other suggestions ? >> > Switch to CentOS AMIs. >

Re: [Freeipa-users] Wildcards in sudo external hostnames

2016-02-21 Thread Prashant Bapat
SSSD on Amazon linux is a dead end! I have tried since a year without any definitive answer. Any other suggestions? Thanks. --Prashant On 19 February 2016 at 21:32, Jakub Hrozek <jhro...@redhat.com> wrote: > On Fri, Feb 19, 2016 at 09:10:19PM +0530, Prashant Bapat wrote: > >

Re: [Freeipa-users] Kerberos process coredump | authentication fails

2016-03-09 Thread Prashant Bapat
agreements each. This seems to have resolved the core-dump of kerberos. No upgrade was done. Hope this helps someone. On 29 January 2016 at 15:13, Prashant Bapat <prash...@apigee.com> wrote: > We will have to run with F21 for now. There are plans for moving to CentOS > 7.x in the near f

[Freeipa-users] read-only service account - aci

2016-03-11 Thread Prashant Bapat
Hi, I'm trying to use IPA's LDAP server as the user database for an external application. I have created a service account from ldif below. dn: uid=srv-ro,cn=sysaccounts,cn=etc,dc=example,dc=com changetype: add objectclass: account objectclass: simplesecurityobject uid: system userPassword:

Re: [Freeipa-users] Zombie Replica !

2016-04-06 Thread Prashant Bapat
cationPlugin - Abort CleanAllRUV Task (rid 6): Retrying in 14400 seconds It will never be able to connect to ipa2 as it's gone permanently. Also the ipa-replica-manage list `hostname` command still shows the ipa2 as replica. How to remove this permanently? Thanks. --Prashant On 6 April 2016 at 22:17, P

Re: [Freeipa-users] Zombie Replica !

2016-04-06 Thread Prashant Bapat
# ipa-replica-manage list `hostname` ipa2.example.net: replica ipa3.example.net: replica ipa4.example.net: replica ipa2.example.net should not be there. How do I remove it? On 6 April 2016 at 18:55, Rob Crittenden <rcrit...@redhat.com> wrote: > Prashant Bapat wrote: > >> Hi,

Re: [Freeipa-users] Zombie Replica !

2016-04-07 Thread Prashant Bapat
Thank you very much! That does it. On 7 April 2016 at 13:12, Ludwig Krispenz <lkris...@redhat.com> wrote: > > On 04/07/2016 07:23 AM, Prashant Bapat wrote: > > What I have done now was to add a new server, ipa02 and configured > replication again and things are fine. > &

Re: [Freeipa-users] Users directory Browsing -

2016-03-07 Thread Prashant Bapat
A user will be able to list all other users and be able to read their attributes. But will not be able to change anything. Is that an issue? I mean on a Linux box you can read /etc/passwd file which has info about all users on that box. This doesn't cause issues. On 8 March 2016 at 03:03, Matt

Re: [Freeipa-users] Kerberos authentication from a third party app - Shibboleth

2016-03-03 Thread Prashant Bapat
I guess I was looking at this wrongly! Simo, you're right! Java and Kerberos won't work! However password+OTP against LDAP server directly works! I can use that! Thanks for your help! On 3 March 2016 at 14:40, Prashant Bapat <prash...@apigee.com> wrote: > Thanks. > > Le

Re: [Freeipa-users] Kerberos authentication from a third party app - Shibboleth

2016-03-03 Thread Prashant Bapat
Thanks. Let me figure out possible alternatives. On 3 March 2016 at 00:20, Simo Sorce <s...@redhat.com> wrote: > > > On Wed, 2016-03-02 at 16:25 +0530, Prashant Bapat wrote: > > Thanks. But my problem is not OTP per se but Kerberos thru Java. > > Specifica

[Freeipa-users] Kerberos authentication from a third party app - Shibboleth

2016-03-01 Thread Prashant Bapat
Hi, I'm trying to use Shibboleth IdP with FreeIPA and Kerberos Authentication. I'm aware of Ipsilon, just that Shibboleth is more suited for my use case. I've installed ipa-client on a server and connected it to ipa. Shibboleth is installed on this server and I'm able to get the Kerberos

Re: [Freeipa-users] Kerberos authentication from a third party app - Shibboleth

2016-03-02 Thread Prashant Bapat
(KDCRep.java:140) Any pointers? On 1 March 2016 at 21:01, Alexander Bokovoy <aboko...@redhat.com> wrote: > On Tue, 01 Mar 2016, Prashant Bapat wrote: > >> Hi, >> >> I'm trying to use Shibboleth IdP with FreeIPA and Kerberos Authentication. >> I'm aware of I

[Freeipa-users] OTP and time step size

2016-04-22 Thread Prashant Bapat
Hi, We have been using the OTP feature of FreeIPA extensively for users to login to the web UI. Now we are rolling out an external service using the LDAP authentication based on FreeIPA and OTP. End users typically login rarely to the web UI. Only to update their SSH keys once in 90 days.

Re: [Freeipa-users] OTP and time step size

2016-04-29 Thread Prashant Bapat
in making FreeIPA's OTP implementation much more usable. Thanks. --Prashant On 25 April 2016 at 21:48, Petr Vobornik <pvobo...@redhat.com> wrote: > On 04/22/2016 08:55 AM, Prashant Bapat wrote: > > Hi, > > > > We have been using the OTP feature of FreeIPA exten

Re: [Freeipa-users] Advice sought on monitoring freeipa status

2016-05-19 Thread Prashant Bapat
For the replication issues please see http://directory.fedoraproject.org/docs/389ds/howto/howto-replicationmonitoring.html This has a perl script that you can use. As for the authentication of the user monitoring replication, we thought about it and ended up allowing anonymous reads on the

Re: [Freeipa-users] Enforce use of OTP token for all users.

2016-05-16 Thread Prashant Bapat
. But if a user does not have OTP they can login with just password. Can they be forced to set up an OTP? On 16 May 2016 at 16:03, Petr Vobornik <pvobo...@redhat.com> wrote: > On 05/16/2016 12:20 PM, Prashant Bapat wrote: > > Any suggestions on how to achieve this ? > >

[Freeipa-users] Enforce use of OTP token for all users.

2016-05-16 Thread Prashant Bapat
Any suggestions on how to achieve this?

Re: [Freeipa-users] OTP token policies.

2016-05-05 Thread Prashant Bapat
+1 For enforcing OTP in web UI. When the user logs in for the first time he should be taken to a page to create an OTP token. Users should be able to login only using passwd+OTP. Are there any ideas for ensuring that all users are using OTP tokens? On 4 May 2016 at 05:12, Peter Bisroev

Re: [Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-25 Thread Prashant Bapat
at.com> wrote: > Prashant Bapat wrote: > >> I cherrypicked the commit id 3b7d5e7543a074d7d24556cadc6c95be9871cfc6 >> and compiled the ipa-pwd-extop slapi plugin. >> >> Now the user is denied bind. But unable to reset the password. >> > > Right, it's a tr

Re: [Freeipa-users] who did what on IPAv3 - auditing

2016-07-26 Thread Prashant Bapat
What we have done is as follows. 1. For all the changes happening thru IPA APIs (either cmd line or WebUI) you can capture these in the httpd error logs. We trigger alert emails on important events such as new user addition etc. 2. For everything including the above, you can always enable the

Re: [Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-13 Thread Prashant Bapat
Tough luck! If it's tricky for you (FreeIPA core developers) then it's pretty much impossible to solve it for mere mortals like me! On 11 July 2016 at 19:43, Rob Crittenden <rcrit...@redhat.com> wrote: > Prashant Bapat wrote: > >> I cherrypi

Re: [Freeipa-users] OS migration from Fedora to CentOS?

2016-07-19 Thread Prashant Bapat
I was in the exact same situation. Had to upgrade from FC21 (4.1.4) to CentOS 7.2 (4.2.0). Upgrade went thru fine thanks to this thread :-) For migrating the DNA ranges, I used this link https://blog-rcritten.rhcloud.com/?p=50 Is this fine? Thanks. On 10 February 2016 at 15:02, Martin Kosek

Re: [Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-07 Thread Prashant Bapat
Anyone?! On 6 July 2016 at 22:36, Prashant Bapat <prash...@apigee.com> wrote: > Hi, > > We are using FreeIPA's LDAP as the base for user authentication in a > different application. So far I have created a sysaccount which does the > lookup etc for a user and things are wor

[Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-06 Thread Prashant Bapat
Hi, We are using FreeIPA's LDAP as the base for user authentication in a different application. So far I have created a sysaccount which does the lookup etc for a user and things are working as expected. I'm even able to use OTP from the external app. One problem I'm struggling to fix is the

Re: [Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-09 Thread Prashant Bapat
I cherrypicked the commit id 3b7d5e7543a074d7d24556cadc6c95be9871cfc6 and compiled the ipa-pwd-extop slapi plugin. Now the user is denied bind. But unable to reset the password. On 8 July 2016 at 13:21, Martin Kosek <mko...@redhat.com> wrote: > On 07/07/2016 05:19 PM, Prashant Ba

[Freeipa-users] RBAC - User Administrator - OTP tokens

2016-09-27 Thread Prashant Bapat
RBAC Role "User Administrator" should have access to all users' OTP tokens. Specifically to remove if someone has lost their token. We get this a lot. I found no permissions that give this access. Can someone explain if this can be added easily either from the WebUI or CLI. Thanks. --Prashant

Re: [Freeipa-users] Lots of error messages in logs after upgrade

2016-10-19 Thread Prashant Bapat
this? These messages are seen every 5 mins. On 18 October 2016 at 22:38, Prashant Bapat <prash...@apigee.com> wrote: > Hi, > > I'm seeing lots of error messages like this in the DS logs. > > [18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace > (nsslapd-referral, ldap://ipa-pr

Re: [Freeipa-users] Lots of error messages in logs after upgrade

2016-10-19 Thread Prashant Bapat
wrote: > On 19.10.2016 10:14, Ludwig Krispenz wrote: > > > > On 10/19/2016 09:39 AM, Prashant Bapat wrote: > >> Some more info. > >> > >> This is happening on one of the hosts for which replica-info file was > >> generated but for some reason the repl

[Freeipa-users] Lots of error messages in logs after upgrade

2016-10-18 Thread Prashant Bapat
Hi, I'm seeing lots of error messages like this in the DS logs. [18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace (nsslapd-referral, ldap:// ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed. [18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace (nsslapd-referral,