Re: [Freeipa-users] IPA to AD sync, certificate verify failed

2009-11-17 Thread Rich Megginson
Sam Hartsfield wrote: On Mon, Nov 16, 2009 at 10:16 AM, Rich Megginson rmegg...@redhat.com wrote: Sam Hartsfield wrote: On Thu, Nov 12, 2009 at 3:38 PM, Rich Megginson rmegg...@redhat.com wrote: Sam Hartsfield wrote: I am using FreeIPA 1.2.2 and trying

Re: [Freeipa-users] freeIPA replication

2009-12-11 Thread Rich Megginson
?? ? wrote: Hello! I'm using freeIPA on fedora 9 - Master server, on replica fedora 11. After ipa-replica-install on fedora 11 I try to start dirsrv and see the next message: KBTM-SPB-RU...[11/Dec/2009:16:30:56 +0300] dse - The entry cn=schema in file

Re: [Freeipa-users] freeIPA replication

2009-12-11 Thread Rich Megginson
1dc5c758d22e77f2 Packager: Fedora Project URL : http://port389.org/ Summary : 389 Directory Server (base) Was this an upgrade from an earlier installation? On Fri, 11/12/2009 at 08:23 -0700, Rich Megginson wrote: ?? ? wrote: Hello! I'm using freeIPA on fedora

Re: [Freeipa-users] freeIPA replication

2009-12-11 Thread Rich Megginson
Rob Crittenden wrote: Виктор Сергеевич wrote: On fedora 11: Name: 389-ds-base Relocations: (not relocatable) Version : 1.2.2 Vendor: Fedora Project Release : 1.fc11 Build Date: Wed 26 Aug 2009 12:07:44 AM MSD

Re: [Freeipa-users] AD Sync Error

2010-02-24 Thread Rich Megginson
Shan Kumaraswamy wrote: Dear All, I am facing the AD Sync issue with FreeIPA to Active Directory, and as per the redhat-ds doc I have done all the settings from AD front. please help me to resolve this issue. And find the below error message: [r...@sbttipa001 ~]# ipa-replica-manage add

Re: [Freeipa-users] AD Sync Error

2010-03-09 Thread Rich Megginson
reset by peer.) This usually indicates some low level error. Let's try this: /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D CN=administrator,CN=users,DC=bmitest,DC=com -w secretpw -s base -b objectclass=* Does that work? On Mon, Mar 8, 2010 at 6:30 PM, Rich Megginson rmegg

Re: [Freeipa-users] AD Sync Error

2010-03-09 Thread Rich Megginson
: Invalid credentials ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1771 You are not providing the correct password. On Tue, Mar 9, 2010 at 6:16 PM, Rich Megginson rmegg...@redhat.com wrote

Re: [Freeipa-users] AD Sync Error

2010-03-09 Thread Rich Megginson
, and the password should be the password for that user. On Tue, Mar 9, 2010 at 6:32 PM, Rich Megginson rmegg...@redhat.com wrote: Shan Kumaraswamy wrote: When I try to run this command I am getting this error: [r...@sbttipa001 ~]# /usr/lib64/mozldap

Re: [Freeipa-users] AD Sync Error

2010-03-09 Thread Rich Megginson
://sbtaddc001.bmitest.com -D CN=administrator,CN=users,DC=bmitest,DC=com -w secretpw -s base -b objectclass=* On Tue, Mar 9, 2010 at 6:38 PM, Rich Megginson rmegg...@redhat.com wrote: Shan Kumaraswamy wrote: Rich, You mean the AD Administrator

Re: [Freeipa-users] AD Sync Error

2010-03-09 Thread Rich Megginson
-BMITEST-COM/cert8.db -h sbtaddc001.bmitest.com -p 636 -D CN=administrator,CN=users,DC=bmitest,DC=com -w secretpw -s base -b objectclass=* On Tue, Mar 9, 2010 at 7:03 PM, Rich Megginson rmegg...@redhat.com wrote: Shan

Re: [Freeipa-users] AD Sync Error

2010-03-09 Thread Rich Megginson
to provide a password for this On Tue, Mar 9, 2010 at 7:38 PM, Rich Megginson rmegg...@redhat.com wrote: Shan Kumaraswamy wrote: Yes I can get the output when I ran this step: Command: /usr/lib64/mozldap/ldapsearch -ZZ -P /etc/dirsrv

Re: [Freeipa-users] FreeIPA V2 build error

2010-08-11 Thread Rich Megginson
Shan Kumaraswamy wrote: Rob, I am using RHDS (redhat-ds-base-devel = 8.1.0) It will definitely not work with RHDS. On Wed, Aug 11, 2010 at 5:31 PM, Rob Crittenden rcrit...@redhat.com wrote: Shan Kumaraswamy wrote: Hi Rob, I am trying

Re: [Freeipa-users] FreeIPA V2 build error

2010-08-11 Thread Rich Megginson
Shan Kumaraswamy wrote: Rob, How about RHDS 8.2? or I have to rebuild 389-ds against RHEL 6.0 beta? RHDS 8.2 won't work either. You'll have to use 389-ds-base 1.2.6 or later. On Wed, Aug 11, 2010 at 5:38 PM, Rich Megginson rmegg...@redhat.com wrote: Shan

Re: [Freeipa-users] Upgraded replication slave server - dirsrv process dying

2010-08-12 Thread Rich Megginson
Dan Scott wrote: On Wed, Aug 11, 2010 at 16:47, Rich Megginson rmegg...@redhat.com wrote: Hopefully there will be an update soon, and this will resolve the problem. The update is in updates-testing now, and we would really appreciate some testing and some feedback (hint, hint

Re: [Freeipa-users] IPA+AD sync error

2010-08-16 Thread Rich Megginson
Shan Kumaraswamy wrote: Hi, I have deployed FreeIPA 1.2.1 in RHEL 5.5 and I want to sync with Active Directory (windows 2008 R2). Can please anyone have step-by-step configuration doc and share to me? Previously I have done the same exercise, but now that is not working for me and I am

Re: [Freeipa-users] IPA+AD sync error

2010-08-16 Thread Rich Megginson
the IPA CA and server cert? The other part is that you have to install the AD CA cert in IPA so that IPA can be the SSL client to the AD SSL server. On Mon, Aug 16, 2010 at 5:41 PM, Rich Megginson rmegg...@redhat.com wrote: Shan Kumaraswamy wrote

Re: [Freeipa-users] IPA+AD sync error

2010-08-17 Thread Rich Megginson
password On Mon, Aug 16, 2010 at 6:06 PM, Rich Megginson rmegg...@redhat.com wrote: Shan Kumaraswamy wrote: Rich, While installing IPA it creates its own CA cert, right? (cacert.p12), Right

Re: [Freeipa-users] IPA+AD sync error

2010-08-17 Thread Rich Megginson
-COM -L -n Imported CA On Tue, Aug 17, 2010 at 6:35 PM, Rich Megginson rmegg...@redhat.com wrote: Shan Kumaraswamy wrote: After this error, I have tried your following steps: /usr/lib64/mozldap/ldapsearch -h windows.test.ad http

Re: [Freeipa-users] IPA+AD sync error

2010-08-17 Thread Rich Megginson
...@gmail.com wrote: done, and it came the output also, can you please let me know the next step. On Tue, Aug 17, 2010 at 7:00 PM, Rich Megginson rmegg...@redhat.com wrote: Shan Kumaraswamy wrote: Rich, Please find the below output

Re: [Freeipa-users] IPA+AD sync error

2010-08-18 Thread Rich Megginson
Or are you asking because you don't know how it got in there in the first place, or forgot? On Wed, Aug 18, 2010 at 4:44 PM, Rich Megginson rmegg...@redhat.com wrote: Shan Kumaraswamy wrote: Rich, Can I know the command to trust IPA generated CA cert

Re: [Freeipa-users] 389-ds to free-ipa transition; transparent?

2010-09-02 Thread Rich Megginson
Brian LaMere wrote: The ACIs are defined inside the underlaying Directory Server. See details and syntax are here http://directory.fedoraproject.org/wiki/Howto:AccessControl The ACIs as you see can be group based. One does not need a hierarchical ou user structure in the

Re: [Freeipa-users] IPA AD Sync error

2010-09-20 Thread Rich Megginson
Shan Kumaraswamy wrote: Rich, I am again facing some issue with IPA+AD Sync and I tested all the levels: Windows PassSync entry exists, not resetting password INFO:root:Added new sync agreement, waiting for it to become ready . . . INFO:root:Replication Update in progress: FALSE: status: 81

Re: [Freeipa-users] IPA AD Sync error

2010-09-21 Thread Rich Megginson
this issue. On Mon, Sep 20, 2010 at 6:31 PM, Rich Megginson rmegg...@redhat.com wrote: Shan Kumaraswamy wrote: Rich, I am again facing some issue with IPA+AD Sync and I tested all the levels: Windows PassSync entry exists

Re: [Freeipa-users] probems installin freeipa v2

2010-09-21 Thread Rich Megginson
Steven Jones wrote: Hi, Ok, it isnt crashing the LDAP server/service its doing a shutdown of it according to the error log... What exactly do you see in the error log? Can you provide excerpts? Can you also provide excerpts of the access log from around the time of the shutdown? So

Re: [Freeipa-users] probems installin freeipa v2

2010-09-21 Thread Rich Megginson
. regards Steven Jones Technical Specialist Linux/Vmware Tele 64 4 463 6272 Victoria University Kelburn New Zealand -Original Message- From: Rich Megginson [mailto:rmegg...@redhat.com] Sent: Wednesday, 22 September 2010 2:45 p.m. To: Steven Jones Cc: Freeipa-users@redhat.com Subject: Re

Re: [Freeipa-users] probems installin freeipa v2

2010-09-21 Thread Rich Megginson
-Original Message- From: Rich Megginson [mailto:rmegg...@redhat.com] Sent: Wednesday, 22 September 2010 2:45 p.m. To: Steven Jones Cc: Freeipa-users@redhat.com Subject: Re: [Freeipa-users] probems installin freeipa v2 Steven Jones wrote: Hi, Ok, it isnt crashing the LDAP server/service

Re: [Freeipa-users] Fedora 11 master replication problems

2010-09-22 Thread Rich Megginson
Dan Scott wrote: Hi, Recently I have been seeing a constant stream of entries in my dirsrv logs for my Fedora 11 FreeIPA master: Replica has a different generation ID than the local data. I'm also seeing issues which appear to be related to incorrect replication. e.g. User changes password

Re: [Freeipa-users] probems installin freeipa v2

2010-09-22 Thread Rich Megginson
Steven Jones wrote: 8--- Can you reliably reproduce this behavior after restarting directory server? Please file a bug with the necessary steps to reproduce the issue. 8 Yes it appears so.. =error [22/Sep/2010:15:58:16 +1200] - slapd shutting down -

Re: [Freeipa-users] Fedora 11 master replication problems

2010-09-22 Thread Rich Megginson
Dan Scott wrote: Hi, Thanks for the reply. On Wed, Sep 22, 2010 at 11:56, Rich Megginson rmegg...@redhat.com wrote: Recently I have been seeing a constant stream of entries in my dirsrv logs for my Fedora 11 FreeIPA master: Replica has a different generation ID than the local data. I'm

Re: [Freeipa-users] Fedora 11 master replication problems

2010-09-22 Thread Rich Megginson
Dan Scott wrote: Hi, Sorry, I just checked the manpage myself and I see that there's an init option to ipa-replica-manage. On Wed, Sep 22, 2010 at 12:08, Rich Megginson rmegg...@redhat.com wrote: Initialization is the initial copy of data from the master - The slave server (curie) has been

Re: [Freeipa-users] bug 634561

2010-09-23 Thread Rich Megginson
Steven Jones wrote: Hi, Bug 634561 has been fixed... How do I get this into/onto my setup please? We're working on a 389-ds-base 1.2.6.1 release. Should be in testing very soon. regards Steven Jones Technical Specialist Linux/Vmware Tele 64 4 463 6272 Victoria University Kelburn New

Re: [Freeipa-users] bug 634561

2010-09-29 Thread Rich Megginson
-Original Message- From: Rich Megginson [mailto:rmegg...@redhat.com] Sent: Friday, 24 September 2010 8:20 a.m. To: Steven Jones Cc: freeipa-users Subject: Re: [Freeipa-users] bug 634561 Steven Jones wrote: Hi, Bug 634561 has been fixed... How do I get this into/onto my setup please

Re: [Freeipa-users] Replica not syncing 'memberOf' attributes

2010-10-06 Thread Rich Megginson
Dan Scott wrote: Hi, ohm_admins.ldif and curie_admins.ldif attached. I added a '-h $hostname' to the command to ensure that I queried both servers. The results look identical to me, apart from the ordering. Thanks, Dan On Wed, Oct 6, 2010 at 15:34, Rob Crittenden rcrit...@redhat.com wrote:

Re: [Freeipa-users] Replica not syncing 'memberOf' attributes

2010-10-06 Thread Rich Megginson
Dan Scott wrote: Hi, On Wed, Oct 6, 2010 at 18:30, Rich Megginson rmegg...@redhat.com wrote: Dan Scott wrote: I'm not sure which group this is referring to. Admins only contains 3 users, no nested groups. The problem appears to be related to the users, rather than the groups. None

Re: [Freeipa-users] Replica not syncing 'memberOf' attributes

2010-10-06 Thread Rich Megginson
Dan Scott wrote: Hi, On Wed, Oct 6, 2010 at 19:29, Nathan Kinder nkin...@redhat.com wrote: On 10/06/2010 03:08 PM, Dan Scott wrote: I'm not sure which group this is referring to. Admins only contains 3 users, no nested groups. Do any other groups have a member attribute that

Re: [Freeipa-users] Replica not syncing 'memberOf' attributes

2010-10-07 Thread Rich Megginson
Dan Scott wrote: On Wed, Oct 6, 2010 at 22:02, Rich Megginson rmegg...@redhat.com wrote: Dan Scott wrote: Hi, On Wed, Oct 6, 2010 at 18:30, Rich Megginson rmegg...@redhat.com wrote: Dan Scott wrote: I'm not sure which group this is referring to. Admins only

Re: [Freeipa-users] Replica not syncing 'memberOf' attributes

2010-10-07 Thread Rich Megginson
Dan Scott wrote: On Thu, Oct 7, 2010 at 10:58, Rob Crittenden rcrit...@redhat.com wrote: Dan Scott wrote: On Thu, Oct 7, 2010 at 10:20, Rich Megginson rmegg...@redhat.com wrote: Dan Scott wrote: On Wed, Oct 6, 2010 at 22:02, Rich Megginson rmegg...@redhat.com wrote:

Re: [Freeipa-users] Replica not syncing 'memberOf' attributes

2010-10-08 Thread Rich Megginson
Dan Scott wrote: On Fri, Oct 8, 2010 at 13:18, Rich Megginson rmegg...@redhat.com wrote: Dan Scott wrote: On Fri, Oct 8, 2010 at 11:39, James Roman james.ro...@ssaihq.com wrote: So does anyone have any more suggestions? Or should I just configure a new replica with new

Re: [Freeipa-users] update procedure failed fedora-ds-base-1.1.3 - 389-ds-base-1.2.6.1

2010-10-22 Thread Rich Megginson
Kambiz Aghaiepour wrote: Currently running ipa-server-1.2.1-4 with fedora-ds-base-1.1.3-6. I attempted to upgrade to 389-ds-base-1.2.6.1-2 (and supporting packages) and the procedure took an extremely long time (at least 2 hours). There appears to be an upgrade script that runs as part of

Re: [Freeipa-users] update procedure failed fedora-ds-base-1.1.3 - 389-ds-base-1.2.6.1

2010-10-25 Thread Rich Megginson
Kambiz Aghaiepour wrote: Would there be any way to identify what causes this during replication creation (versions ipa-server-1.2.1-4 and fedora-ds-base-1.1.3, on centos-5.4): 389-ds-base-1.2.6.1 cannot replicate to previous versions of 389/fedora ds 389-ds-base-1.2.7.a3 fixes this problem

Re: [Freeipa-users] update procedure failed fedora-ds-base-1.1.3 - 389-ds-base-1.2.6.1

2010-10-25 Thread Rich Megginson
the directory, including several test accounts used by our nagios, as well as the company CEO's account. :( We believe this is also a bug that has been fixed by 1.2.7.a3 So I reverted to fedora-ds-1.1.3. But I really need to get the remote replica up and running. Kambiz Rich Megginson wrote

Re: [Freeipa-users] replica creation failure with ipa-server-1.2.1 and fedora-ds-base-1.1.3

2010-10-27 Thread Rich Megginson
Kambiz Aghaiepour wrote: Still struggling to create a replica. Here's what the debug output is showing in the consumer error log: [---snip---] [27/Oct/2010:12:53:30 -0400] - activity on 64r [27/Oct/2010:12:53:30 -0400] - read activity on 64 [27/Oct/2010:12:53:30 -0400] - listener got signaled

Re: [Freeipa-users] Unable to start the krb5kdc

2011-01-25 Thread Rich Megginson
On 01/25/2011 01:58 PM, James Roman wrote: On 1/25/11 2:44 PM, Simo Sorce wrote: On Tue, 25 Jan 2011 14:33:14 -0500 James Roman james.ro...@ssaihq.com wrote: On 01/25/2011 12:42 PM, Simo Sorce wrote: On Tue, 25 Jan 2011 12:04:25 -0500 James Roman james.ro...@ssaihq.com wrote: I noticed

Re: [Freeipa-users] Unable to start the krb5kdc

2011-01-26 Thread Rich Megginson
On 01/26/2011 09:32 AM, James Roman wrote: Simo Sorce wrote: On Tue, 25 Jan 2011 15:58:35 -0500 James Roman james.ro...@ssaihq.com wrote: On 1/25/11 2:44 PM, Simo Sorce wrote: On Tue, 25 Jan 2011 14:33:14 -0500 James Roman james.ro...@ssaihq.com wrote: On 01/25/2011

Re: [Freeipa-users] Fedora 14 dirsrv service problems

2011-01-27 Thread Rich Megginson
On 01/27/2011 07:47 AM, Dan Scott wrote: Hi, I have a FreeIPA server running on Fedora 14 [root@ohm ~]# rpm -qa|grep ipa-server ipa-server-selinux-1.2.2-5.fc14.x86_64 ipa-server-1.2.2-5.fc14.x86_64 For the past few weeks, the dirsrv service has been 'crashing'. Randomly, as far as I can

Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host

2011-02-01 Thread Rich Megginson
On 02/01/2011 12:51 PM, Peter Doherty wrote: On Feb 1, 2011, at 14:43 , Dmitri Pal wrote: On 02/01/2011 02:30 PM, Peter Doherty wrote: I hope someone can help with this. I've got a freeipa server running the 1.9 alpha release. It's broken, (the x509 cert expired and can't be renewed) and I

Re: [Freeipa-users] Problem with replication after restore

2011-03-09 Thread Rich Megginson
On 03/09/2011 06:20 AM, tomasz.napier...@allegro.pl wrote: Hi, Recently we had to move our freeipa master into separate infrastructure. Because we use KVM, server was shutdown, gzipped, scped and restored on other KVM host. It looks like since then replication stopped completely. On the slave

Re: [Freeipa-users] Problem with replication after restore

2011-03-09 Thread Rich Megginson
On 03/09/2011 09:15 AM, tomasz.napier...@allegro.pl wrote: On 2011-03-09, at 15:09, Rich Megginson wrote: 8- [04/Mar/2011:14:59:17 +0100] NSMMReplicationPlugin - agmt=cn=meToMASTER636 (XXX:636): Missing data encountered [04/Mar/2011:14:59:17 +0100] NSMMReplicationPlugin - agmt

Re: [Freeipa-users] AD setup failure

2011-03-29 Thread Rich Megginson
On 03/29/2011 02:02 PM, Steven Jones wrote: Hi, My Windows person suggests because this is a self signed cert, the client needs to be forced to trust it? can you paste the output of openssl x509 -in /home/jonesst1/domaincert.cer -text ? regards Steven

Re: [Freeipa-users] AD setup failure

2011-03-29 Thread Rich Megginson
On 03/29/2011 02:14 PM, Steven Jones wrote: So I need 2 certificates? No. and I have to manually add the root CA with certutil? No. to the IPA master as a separate process? No. You only need the CA certificate for the CA that issued the MS AD server certificate. ipa-replica-manage ...

Re: [Freeipa-users] AD setup failure

2011-03-29 Thread Rich Megginson
. You need the CA cert From: Rich Megginson [rmegg...@redhat.com] Sent: Wednesday, 30 March 2011 9:04 a.m. To: Steven Jones Cc: Rob Crittenden; freeipa-users@redhat.com Subject: Re: [Freeipa-users] AD setup failure On 03/29/2011 02:02 PM, Steven Jones wrote

Re: [Freeipa-users] AD setup failure

2011-03-29 Thread Rich Megginson
cert is possible? regards From: Rich Megginson [rmegg...@redhat.com] Sent: Wednesday, 30 March 2011 9:27 a.m. To: Steven Jones Cc: Rob Crittenden; freeipa-users@redhat.com Subject: Re: [Freeipa-users] AD setup failure On 03/29/2011 02:14 PM, Steven Jones wrote

Re: [Freeipa-users] AD setup failure

2011-03-29 Thread Rich Megginson
From: Rich Megginson [rmegg...@redhat.com] Sent: Wednesday, 30 March 2011 9:36 a.m. To: Steven Jones Cc: Rob Crittenden; freeipa-users@redhat.com Subject: Re: [Freeipa-users] AD setup failure On 03/29/2011 02:32 PM, Steven Jones wrote: Hi, Yes its a intermediate CA In the real

Re: [Freeipa-users] register ipa directory server with register-ds-admin.pl

2011-04-07 Thread Rich Megginson
On 04/07/2011 05:13 PM, Stephen Ingram wrote: I'm trying to register the ipa directory server with register-ds-admin.pl so that I may use the ds-console to view the directory. As I see that the ipa portion of the directory is meant to be managed by ipa, I don't intend on touching that part of

Re: [Freeipa-users] /var/log/dirsrv/slapd-* permissions

2011-05-13 Thread Rich Megginson
On 05/13/2011 09:37 AM, Adam Young wrote: On 05/13/2011 06:11 AM, Charlie Derwent wrote: Hi First time posting on the mailing list so go easy on me :-) I've installed freeipa on our network and noticed that no real user owns the folders /var/log/dirsrv/slapd-PKI-IPA and

Re: [Freeipa-users] IPA Startup issues

2011-05-16 Thread Rich Megginson
On 05/16/2011 08:43 AM, Sigbjorn Lie wrote: On 05/16/2011 03:52 PM, Simo Sorce wrote: On Sat, 2011-05-14 at 16:46 +0200, Sigbjorn Lie wrote: I've noticed that if the machine running IPA is very busy at startup, the IPA services will not be online when the machine is started. I noticed this is

Re: [Freeipa-users] IPA Startup issues

2011-05-17 Thread Rich Megginson
On 05/17/2011 06:40 AM, Sigbjorn Lie wrote: On 05/16/2011 04:56 PM, Rich Megginson wrote: On 05/16/2011 08:43 AM, Sigbjorn Lie wrote: On 05/16/2011 03:52 PM, Simo Sorce wrote: On Sat, 2011-05-14 at 16:46 +0200, Sigbjorn Lie wrote: I've noticed that if the machine running IPA is very busy

Re: [Freeipa-users] RHEL client to IPA

2011-05-18 Thread Rich Megginson
On 05/17/2011 09:36 PM, Steven Jones wrote: the dirsrv isnt running... its giving me line 50: ulimit: open files: cannot modify limit: operation not permitted dirsrv unix-vuw-ac-nz is stopped... What is the number of files that ulimit is attempting to use? What does grep file-max

Re: [Freeipa-users] RHEL client to IPA

2011-05-18 Thread Rich Megginson
@vuwunicoipamt01 ipa]$ From: Rich Megginson [rmegg...@redhat.com] Sent: Thursday, 19 May 2011 1:22 a.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] RHEL client to IPA On 05/17/2011 09:36 PM, Steven Jones wrote: the dirsrv isnt running

Re: [Freeipa-users] IPA Startup issues

2011-05-23 Thread Rich Megginson
On 05/22/2011 04:16 AM, Sigbjorn Lie wrote: On 05/17/2011 07:24 PM, Rich Megginson wrote: On 05/17/2011 06:40 AM, Sigbjorn Lie wrote: On 05/16/2011 04:56 PM, Rich Megginson wrote: On 05/16/2011 08:43 AM, Sigbjorn Lie wrote: On 05/16/2011 03:52 PM, Simo Sorce wrote: On Sat, 2011-05-14 at 16

Re: [Freeipa-users] sync passwords with AD or not per user

2011-06-07 Thread Rich Megginson
On 06/07/2011 03:03 PM, Steven Jones wrote: Hi, Is it possible to set some users so they will not password sync with AD while most do? Do you want the user data to sync, just not the passwords? regards ___ Freeipa-users mailing list

Re: [Freeipa-users] sync passwords with AD or not per user

2011-06-07 Thread Rich Megginson
classes? Password history checking? regards From: Rich Megginson [rmegg...@redhat.com] Sent: Wednesday, 8 June 2011 9:20 a.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] sync passwords with AD or not per user On 06/07/2011 03

Re: [Freeipa-users] sync passwords with AD or not per user

2011-06-07 Thread Rich Megginson
On 06/07/2011 03:36 PM, Steven Jones wrote: What sort of password control? Minimum length? Character classes? Password history checking? yes, yes and yes... regards With plain old 389, you can do all of these and more. IPA has its own password checking plugin, so it may differ slightly.

Re: [Freeipa-users] sync passwords with AD or not per user

2011-06-07 Thread Rich Megginson
policy. regards From: Rich Megginson [rmegg...@redhat.com] Sent: Wednesday, 8 June 2011 9:36 a.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] sync passwords with AD or not per user On 06/07/2011 03:36 PM, Steven Jones wrote

Re: [Freeipa-users] Insufficient access during winsync agreement

2011-06-20 Thread Rich Megginson
On 06/20/2011 09:37 AM, Attila Bogár wrote: Hi, I'm trying to set up the AD-FreeIPA sync agreement and I'm always getting this error: # ipa-replica-manage connect --winsync --binddn cn=IPA Sync,cn=Users,dc=win,dc=example,dc=com --bindpw JamesBond007 --cacert /root/dc1.cer --passsync

Re: [Freeipa-users] syncing custom attributes from AD

2011-06-21 Thread Rich Megginson
On 06/21/2011 07:24 AM, Attila Bogár wrote: Dear List, I'd like to sync extra attributes from AD - FreeIPA. These are namely: employeeNumber and employeeType. The following .ldif is always adding value unknown instead of syncing the value in AD. -- 8 -- dn:

Re: [Freeipa-users] ipa-winsync account disable

2011-06-21 Thread Rich Megginson
On 06/21/2011 09:17 AM, Attila Bogár wrote: Dear List, winsync is working between AD and FreeIPA. If I disable a user in FreeIPA, it automatically disables on the AD side. Though, if I disable on the AD side, nothing happens on the FreeIPA side. Sounds like a bug. Moreover, if I get a

Re: [Freeipa-users] 389-DS crashed

2011-06-23 Thread Rich Megginson
On 06/23/2011 08:02 AM, Attila Bogár wrote: Hi, I deleted more than 50 users from AD and expected IPA to do the same. However the EXAMPLE-COM 389-ds instance just crashed and I can't start it anymore. Could you please help with this issue? The error logging is set to REPL|PLUGIN. I can see

Re: [Freeipa-users] 389-DS crashed

2011-06-23 Thread Rich Megginson
On 06/23/2011 09:06 AM, Rich Megginson wrote: On 06/23/2011 08:02 AM, Attila Bogár wrote: Hi, I deleted more than 50 users from AD and expected IPA to do the same. However the EXAMPLE-COM 389-ds instance just crashed and I can't start it anymore. Could you please help with this issue

Re: [Freeipa-users] Install problems with 2.0.1 on F15

2011-07-25 Thread Rich Megginson
On 07/25/2011 07:38 AM, Rob Crittenden wrote: Dmitri Pal wrote: On 07/25/2011 09:12 AM, Rob Crittenden wrote: 2011-07-23 09:10:06,110 DEBUG stderr=Can't locate Setup.pm in @INC (@INC contains: /usr/lib64/dirsrv/perl /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl

Re: [Freeipa-users] Dead Freeipa

2011-07-27 Thread Rich Megginson
On 07/27/2011 03:40 PM, Steven Jones wrote: regards Thanks. To follow up from IRC: If Steven starts up dirsrv manually, then krb, then named then httpd, everything works fine. Not sure what the ipa script is doing that kills dirsrv immediately upon startup. Steven Jones Technical

Re: [Freeipa-users] Dead Freeipa

2011-08-01 Thread Rich Megginson
On 07/28/2011 05:30 AM, Simo Sorce wrote: On Wed, 2011-07-27 at 15:53 -0600, Rich Megginson wrote: On 07/27/2011 03:40 PM, Steven Jones wrote: regards Thanks. To follow up from IRC: If Steven starts up dirsrv manually, then krb, then named then httpd, everything works fine. Not sure what

Re: [Freeipa-users] Unknown user pkisrv

2011-08-02 Thread Rich Megginson
On 08/02/2011 10:20 AM, Robert M. Albrecht wrote: Hi, from /var/log/messages Aug 2 18:03:14 zerberus systemd-tmpfiles[2148]: [/etc/tmpfiles.d/dirsrv-PKI-IPA.conf:1] Unknown user 'pkisrv'. Aug 2 18:03:14 zerberus systemd-tmpfiles[2148]: [/etc/tmpfiles.d/dirsrv-PKI-IPA.conf:2] Unknown user

Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-04 Thread Rich Megginson
On 08/04/2011 02:05 PM, Ian Stokes-Rees wrote: On 8/3/11 6:13 PM, Dmitri Pal wrote: On 08/03/2011 10:10 AM, Ian Stokes-Rees wrote: If there were some way to securely embed an arbitrary string in the user profile, that would go a long way to solving this problem. At least 4KB to cover a 2048

Re: [Freeipa-users] backing up and restoring the backend

2011-09-29 Thread Rich Megginson
On 09/29/2011 03:35 PM, Steven Jones wrote: 4.3.1.2. Backing up All Databases from the Command Line To avoid shutting down the server when running a backup, use the db2bak.pl Perl script instead of the bd2bak tool. These are both located in the /usr/lib[64]/dirsrv/slapd-example directory.

Re: [Freeipa-users] backing up and restoring the backend

2011-09-29 Thread Rich Megginson
From: Rich Megginson [rmegg...@redhat.com] Sent: Friday, 30 September 2011 10:40 a.m. To: Steven Jones Cc: Deon Lackey; freeipa-users@redhat.com Subject: Re: [Freeipa-users] backing up and restoring the backend On 09/29/2011 03:35 PM, Steven Jones wrote: 4.3.1.2

Re: [Freeipa-users] LDAP search for email address of user in a particular group

2011-11-04 Thread Rich Megginson
On 11/04/2011 04:51 PM, Dan Scott wrote: Hi, On Fri, Nov 4, 2011 at 18:13, Rob Crittenden rcrit...@redhat.com wrote: Dan Scott wrote: Hi, On Fri, Nov 4, 2011 at 17:38, Stephen Ingram sbing...@gmail.com wrote: On Fri, Nov 4, 2011 at 2:12 PM, Dan Scott danieljamessc...@gmail.com wrote:

Re: [Freeipa-users] LDAP search for email address of user in a particular group

2011-11-04 Thread Rich Megginson
On 11/04/2011 05:12 PM, Dan Scott wrote: On Fri, Nov 4, 2011 at 19:07, Rich Megginson rmegg...@redhat.com wrote: On 11/04/2011 04:51 PM, Dan Scott wrote: Hi, On Fri, Nov 4, 2011 at 18:13, Rob Crittenden rcrit...@redhat.com wrote: Dan Scott wrote: Hi, On Fri, Nov 4, 2011 at 17:38, Stephen

Re: [Freeipa-users] FreeIPA 2.1.3 Replication Install Failure

2011-11-09 Thread Rich Megginson
On 11/09/2011 05:11 PM, JR Aquino wrote: Upon a FreeIPA Replica install, I am failing at: Configuring Kerberos KDC: Estimated time 30 seconds [1/9]: adding sasl mappings to the directory [2/9]: writing stash file from DS [3/9]: configuring KDC [4/9]: creating a keytab for the

Re: [Freeipa-users] synchronizing with AD

2011-11-11 Thread Rich Megginson
into Windows AD certificate store. On Fri, Nov 11, 2011 at 3:33 PM, Rich Megginson rmegg...@redhat.com wrote: On 11/11/2011 01:11 PM, Jimmy wrote: I am trying to get FreeIPA synchronizing with AD. The instructions I have found on the web go through

Re: [Freeipa-users] Fedora 16 failing to start dirsrv process

2011-11-14 Thread Rich Megginson
On 11/14/2011 01:08 PM, Dan Scott wrote: Hi, On Mon, Nov 14, 2011 at 13:06, Alexander Bokovoy aboko...@redhat.com wrote: On Mon, 14 Nov 2011, Dan Scott wrote: In any case, the process is still failing to start. Do I need to create a link in dirsrv.target.wants to somewhere? You need to do

Re: [Freeipa-users] fixing port numbers associated with the NIS

2011-11-15 Thread Rich Megginson
On 11/15/2011 07:44 AM, Boris Epstein wrote: On Mon, Nov 14, 2011 at 7:16 PM, Nalin Dahyabhai na...@redhat.com wrote: On Mon, Nov 14, 2011 at 05:19:44PM -0500, Boris Epstein wrote: Hello all, I am using the FreeIPA to run NIS via a plugin.

Re: [Freeipa-users] synchronizing with AD

2011-12-08 Thread Rich Megginson
/index.html#Configuring_Windows_Sync-Install_the_Password_Sync_Service On Fri, Nov 11, 2011 at 4:55 PM, Rob Crittenden rcrit...@redhat.com wrote: Rich Megginson wrote: On 11/11/2011 02:23 PM, Jimmy wrote: I do have the AD SSL cert installed

Re: [Freeipa-users] ns-slapd hang/segfault

2011-12-15 Thread Rich Megginson
On 12/15/2011 08:41 AM, Dan Scott wrote: Hi, On my Fedora 15 FreeIPA server, I'm having some problems with stability. The server appears to 'hang' and stops responding to LDAP lookups. When I restart the dirsrv service, I get: Dec 15 09:40:02 ohm kernel: [254566.011404] ns-slapd[28910]:

Re: [Freeipa-users] ns-slapd hang/segfault

2011-12-19 Thread Rich Megginson
On 12/19/2011 09:01 AM, Dan Scott wrote: On Thu, Dec 15, 2011 at 11:51, Rich Megginson rmegg...@redhat.com wrote: On 12/15/2011 09:48 AM, Dan Scott wrote: Hi, On Thu, Dec 15, 2011 at 10:58, Rich Megginson rmegg...@redhat.com wrote: On 12/15/2011 08:41 AM, Dan Scott wrote: Hi, On my

Re: [Freeipa-users] ns-slapd hang/segfault

2011-12-19 Thread Rich Megginson
On 12/19/2011 09:13 AM, Dan Scott wrote: On Mon, Dec 19, 2011 at 11:03, Rich Megginson rmegg...@redhat.com wrote: On 12/19/2011 09:01 AM, Dan Scott wrote: On Thu, Dec 15, 2011 at 11:51, Rich Megginson rmegg...@redhat.com wrote: On 12/15/2011 09:48 AM, Dan Scott wrote: Hi, On Thu, Dec 15,

Re: [Freeipa-users] ns-slapd hang/segfault

2011-12-22 Thread Rich Megginson
On 12/22/2011 08:42 AM, Dan Scott wrote: On Thu, Dec 22, 2011 at 10:12, Simo Sorce s...@redhat.com wrote: On Wed, 2011-12-21 at 17:39 -0500, Dan Scott wrote: This is possible... oops. I tried a few times to add another replica (fileserver3) which failed as I mentioned above. The replication

Re: [Freeipa-users] FreeIPA 2.1.4 replication

2012-01-04 Thread Rich Megginson
On 01/04/2012 11:35 AM, Dan Scott wrote: Hi, Recently I've had some crash/hang problems with my FreeIPA 2 installation which appear solved using the updates-testing version of freeipa-server (2.1.4-2.fc16.x86_64) which I'm currently running on both servers (as a quick aside, does anyone know

Re: [Freeipa-users] consulting?

2012-01-11 Thread Rich Megginson
On 01/11/2012 11:22 AM, Jimmy wrote: We need to be able to replicate user/pass between Windows 2008 AD and FreeIPA. That's what IPA Windows Sync is supposed to do. I have followed many different documents and posted here about it and from what I've read and procedures I've followed we are

Re: [Freeipa-users] consulting?

2012-01-19 Thread Rich Megginson
://directory.fedoraproject.org/wiki/Howto:WindowsSync Jimmy On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson rmegg...@redhat.com wrote: On 01/11/2012 11:22 AM, Jimmy wrote: We need to be able to replicate user/pass between Windows 2008 AD and FreeIPA. That's

Re: [Freeipa-users] consulting?

2012-01-20 Thread Rich Megginson
the search base is incorrect or not found. You can look at the 389 access log to see what it was using as the search criteria. On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson rmegg...@redhat.com wrote: On 01/20/2012 10:23 AM, Jimmy wrote: You are correct. I

Re: [Freeipa-users] consulting?

2012-01-20 Thread Rich Megginson
: attempting to sync password for testuser3 searching for (ntuserdomainid=testuser3) There are no entries that match: testuser3 deferring password change for testuser3 On Fri, Jan 20, 2012 at 2:46 PM, Rich Megginson rmegg...@redhat.com wrote: On 01/20/2012 12:46 PM

Re: [Freeipa-users] consulting?

2012-01-23 Thread Rich Megginson
nsDS5ReplicaPort: 389 nsDS5ReplicaBindDN: cn=sync user,cn=config nsDS5ReplicaBindCredentials: {DES}ffGad646dT0nnsT8nJOaMA== nsDS5ReplicaTransportInfo: TLS winSyncInterval: 1200 On Fri, Jan 20, 2012 at 3:28 PM, Rich Megginson rmegg...@redhat.com wrote: On 01/20/2012 01:08

Re: [Freeipa-users] consulting?

2012-01-25 Thread Rich Megginson
On 01/25/2012 08:13 AM, Jimmy wrote: Here is the showcerts output: http://fpaste.org/AkOC/ Looks like pcap output, not openssl s_client output - I have no idea if there is a showcerts option for pcap, or how it works, but it looks like it didn't work I'll do the ldapsearch commands in a

Re: [Freeipa-users] consulting?

2012-01-25 Thread Rich Megginson
still be working on this issue some. I'll take VM's of the servers on my laptop to be able to keep working. -Jimmy On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson rmegg...@redhat.com wrote: On 01/19/2012 02:59 PM, Jimmy wrote: ok. I started from scratch

Re: [Freeipa-users] syncing users more not limited to a subtree

2012-02-10 Thread Rich Megginson
On 02/10/2012 04:01 AM, David Juran wrote: Hello I wonder if it's somehow possible to sync AD-users more selectively than just by sub-tree. In my case, I'm dealing with a very large organisation where the users that are to be synced to IPA aren't grouped by a subtree in AD but rather spread

Re: [Freeipa-users] syncing users more not limited to a subtree

2012-02-10 Thread Rich Megginson
On 02/10/2012 11:41 AM, Dmitri Pal wrote: On 02/10/2012 10:28 AM, Rich Megginson wrote: On 02/10/2012 04:01 AM, David Juran wrote: Hello I wonder if it's somehow possible to sync AD-users more selectively than just by sub-tree. In my case, I'm dealing with a very large organisation where

Re: [Freeipa-users] syncing users more not limited to a subtree

2012-02-10 Thread Rich Megginson
On 02/10/2012 12:18 PM, Dmitri Pal wrote: On 02/10/2012 01:46 PM, Rich Megginson wrote: On 02/10/2012 11:41 AM, Dmitri Pal wrote: On 02/10/2012 10:28 AM, Rich Megginson wrote: On 02/10/2012 04:01 AM, David Juran wrote: Hello I wonder if it's somehow possible to sync AD-users more

Re: [Freeipa-users] Questions about AD Synchronization

2012-02-13 Thread Rich Megginson
On 02/12/2012 04:01 PM, Rob Crittenden wrote: Dmitri Pal wrote: On 02/12/2012 03:49 PM, Marco Pizzoli wrote: Hi guys, a couple of questions about AD synchronization. I read in the guide these points: - A synchronization operation runs every five minutes. -- I read that it can be triggered on

Re: [Freeipa-users] syncing users more not limited to a subtree

2012-02-14 Thread Rich Megginson
On 02/14/2012 07:18 AM, David Juran wrote: Hello! On fre, 2012-02-10 at 08:28 -0700, Rich Megginson wrote: On 02/10/2012 04:01 AM, David Juran wrote: I wonder if it's somehow possible to sync AD-users more selectively than just by sub-tree. In my case, I'm dealing with a very large
