Re: [Freeipa-users] Error on Setting up Multi-Master Replication

2009-08-19 Thread Rob Crittenden
Fu-Jyh Luo wrote: Dear All, I am having some trouble setting up Multi-Master Replication. ipa-replica-install complains about CRITICAL Failed to load indices.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpCwijw4 -f /usr/share/ipa/indices.ldif'

Re: [Freeipa-users] ipa-replica-prepare clarification

2009-09-12 Thread Rob Crittenden
James Roman wrote: Can anyone elaborate on the options for the ipa-replica-prepare command? I have a third party signed certificate for both my master and replica server. Am I supposed to provide the PKCS12 file for the master server or the replica? If it is looking for the master server, I

Re: [Freeipa-users] ipa-replica-prepare clarification

2009-09-17 Thread Rob Crittenden
James Roman wrote: In case any one runs into this error while trying to create a replica: Starting dirsrv: REALM-COM...[15/Sep/2009:09:39:18 -0400] dse - The entry cn=schema in file /etc/dirsrv/slapd-REALM-COM/schema/##xx.ldif is invalid, error code 21 (Invalid syntax) - object class

Re: Fwd: [Freeipa-users] Problem with Kerberos Authentication

2009-09-25 Thread Rob Crittenden
Michael Kang wrote: -- Forwarded message -- From: *Michael Kang* wxi...@gmail.com Date: Fri, Sep 25, 2009 at 4:09 PM Subject: Re: [Freeipa-users] Problem with Kerberos Authentication To: Jenny Galipeau jgali...@redhat.com

Re: [Freeipa-users] Library to change expired password

2009-10-30 Thread Rob Crittenden
Jason Gerard DeRose wrote: On Thu, 2009-10-29 at 17:56 -0400, Dan Scott wrote: Hi, I'm trying to integrate FreeIPA with a Java webapp using JAAS. I have the login module configured properly and it is working fine. However, I have a problem with the initial user setup. New accounts are created

Re: [Freeipa-users] freeIPA replication

2009-12-14 Thread Rob Crittenden
such as these will not be copied to 99user.ldif, and setup-ds.pl -u in 389-ds-base 1.2.3 and later will clean up 99user.ldif of these and other bogus schema. Rich Megginson wrote: Rob Crittenden wrote: Виктор Сергеевич wrote: On fedora 11: Name: 389-ds-base Relocations

Re: [Freeipa-users] freeIPA replication

2009-12-14 Thread Rob Crittenden
James Roman wrote: Rob Crittenden wrote: Виктор Сергеевич wrote: Hi! Thanks! It works!, but on the master server I see users in groups, but on the replica I see only the group, without users. If I search for users, I can find them. And one more: Strange, that shouldn't happen. I'd search for them

[Freeipa-users] freeIPA wiki status

2009-12-15 Thread Rob Crittenden
The machine hosting the freeIPA wiki was moved to a new datacenter this weekend. The move was successful and the machine is up and operating, the problem is that DNS hasn't been updated to reflect the new IP address. We are working on resolving this but at this time have no ETA on when that

Re: [Freeipa-users] freeipa replication

2010-01-04 Thread Rob Crittenden
John Robert Mendoza --- On *Tue, 12/15/09, John Robert Mendoza /jrober...@yahoo.com/* wrote: From: John Robert Mendoza jrober...@yahoo.com Subject: Re: [Freeipa-users] freeipa replication To: Rob Crittenden rcrit...@redhat.com Cc: freeipa-users@redhat.com Date: Tuesday, 15

Re: [Freeipa-users] freeipa master server disaster recovery

2010-01-12 Thread Rob Crittenden
root wrote: Greetings FreeIPA mailing list: I have an FC11 environment setup for testing the FreeIPA implementation of kerberos+ldap w/admin utils. Our primary purpose for kerberos right now is to provide auth services for coda. However, once that gnat is squished, we'll of course be using

Re: [Freeipa-users] FreeIPA master replica generation divorce?

2010-01-12 Thread Rob Crittenden
root wrote: Greetings FreeIPA mailing list: Thinking outside of the box for a moment, is it possible to divorce the FreeIPA master feature of deploying FreeIPA servers from the FreeIPA cluster which handles everything else? Keeps it safe and out of harm's way, especially considering it has

Re: [Freeipa-users] HA/DR

2010-01-26 Thread Rob Crittenden
Dmitri Pal wrote: Scott Kaminski wrote: Just wondering if you setup 4 servers using MMR what would happen if your first ipa server died and was unrecoverable? Would it be possible to recover from this scenario? The replicas are mostly symmetric. The difference is that the first IPA has

Re: [Freeipa-users] Web admin for FreeIPA Directory Server

2010-01-27 Thread Rob Crittenden
Michael Kang wrote: Nobody answers my question: Could I use phpLDAPadmin to maintain FreeIPA Directory Server? Is it technically possible? Sure, assuming it works with 389-ds. Is it a good idea? Depends on what exactly you're going to do. If you don't try to manage any objects used by IPA

Re: [Freeipa-users] Error Installing FreeIPA build 1.2.2

2010-01-28 Thread Rob Crittenden
Shan Kumaraswamy wrote: Dear All, I am trying to install FreeIPA build 1.2.2 with RHDS 8.0, and while installing I am facing some serious issues. Please find below the steps which I followed and the error message which I got during the installation 1. I successfully installed RHDS 8.0 2. Installed

Re: [Freeipa-users] DNS replica setup problem

2010-02-01 Thread Rob Crittenden
Scott Kaminski wrote: I'm not sure what I'm doing wrong here. I'm trying to setup a replica server and this is the output i'm getting: [r...@ldap-4 tmp]# ipa-replica-install -d replica-info-ldap-4.quadrant.local.gpg Directory Manager (existing master) password: root: INFO root

Re: [Freeipa-users] Installing IPA on Solaris 10

2010-02-05 Thread Rob Crittenden
-Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: 03 February 2010 17:34 To: Andy Singleton; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Installing IPA on Solaris 10 Andy Singleton wrote: Hi Rob, Neither of the commands give any results. /me smacks

[Freeipa-users] Announcing FreeIPA v2 Server Alpha 2 Release

2010-02-18 Thread Rob Crittenden
To all freeipa-interest, freeipa-users and freeipa-devel list members, The FreeIPA project team is pleased to announce the availability of the Alpha 2 release of the long-awaited freeIPA 2.0 server [1]. This version of the server includes: * Draft UI pages for all plugins that fit into a

Re: [Freeipa-users] MultiHomed Server SSH login issue

2010-02-22 Thread Rob Crittenden
David Christensen wrote: I have my ipa 1.2.2 setup in an environment where my servers have two NICs each in a different VLAN. With the multi NIC setup I have two different DNS names for a single host to control which interface is used when accessing the host e.g. host.example.com and

Re: [Freeipa-users] Alpha 2 Bugs or Misconfigurations?

2010-02-22 Thread Rob Crittenden
Steven Whately wrote: On Fedora 12, I un-installed 1.2 and then installed 1.9. My clients could not log in. The server was logging the following message: sssd_be: GSSAPI Error: The referenced context has expired (Unknown error) Hmm, is the time on the client close to the time on the IPA

Re: [Freeipa-users] Installing IPA on Solaris 10

2010-02-26 Thread Rob Crittenden
://bugzilla.redhat.com/show_bug.cgi?id=568104 rob Cheers Andy -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: 24 February 2010 14:47 To: Andy Singleton Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Installing IPA on Solaris 10 Andy Singleton wrote: Hi

Re: [Freeipa-users] Unable to connect to IPA server: File Not Found

2010-03-04 Thread Rob Crittenden
root wrote: Greetings all: I'm thinking I just have to bounce something (or maybe it's been long enough that I'm running the command wrong, but I don't think so). Note that I show the error when not authenticated, and that I can authenticate without error: [r...@sandbox1 ~]# ipa-finduser

Re: [Freeipa-users] Unable to connect to IPA server: File Not Found

2010-03-08 Thread Rob Crittenden
Dmitri Pal wrote: Don, Sorry, I accidentally deleted your post. I am resending it. === Greetings all: Turned out to be webservice getting reconfigured out from under me. We didn't know that the management interface website was necessary for the command-line

Re: [Freeipa-users] Installing on Centos

2010-03-17 Thread Rob Crittenden
Gerrard Geldenhuis wrote: Hi I was wondering if anyone has had any luck in getting FreeIPA compiled and installed on Centos. I am struggling a bit at the moment. I have downloaded a fedora source package which I have tried to compile but can’t even get the package to install at the moment. I

Re: [Freeipa-users] MemberOf plugin keeps disabling account

2010-03-18 Thread Rob Crittenden
James Roman wrote: Just for posterity. The issue ended up being that the AD and FreeIPA were out of sync. One of the sub-containers in the Active Directory containing disabled accounts was moved outside of the scope of the sync agreement. We never ran a replica init, so a number of scheduled

Re: [Freeipa-users] Password Attribute Syncing Support

2010-03-18 Thread Rob Crittenden
Walter Meyer wrote: I am testing out FreeIPA and am wondering if FreeIPA is compatible with the Google Apps password sync utility. Specifically my question in relation to FreeIPA is how the password attribute is stored in the DS? Is it in any of these Google Apps supported formats: MD5, SHA1,

Re: [Freeipa-users] Password Attribute Syncing Support

2010-03-19 Thread Rob Crittenden
all communication with SSL (it may very well work today, I didn't dive too deeply into the documentation). regards rob Thanks Dmitri On Thu, Mar 18, 2010 at 6:10 PM, Rob Crittenden rcrit...@redhat.com wrote: Walter Meyer wrote: I am testing out

Re: [Freeipa-users] Password Attribute Syncing Support

2010-03-19 Thread Rob Crittenden
Dmitri Pal wrote: Walter Meyer wrote: We would be using Google Apps for our email system (and other services included with GA like Google Docs etc.) I'd like to have one password for users when they access their email via Google Apps, ideally the users and passwords would be centralized in IPA.

Re: [Freeipa-users] Password Attribute Syncing Support

2010-03-19 Thread Rob Crittenden
Walter Meyer wrote: I will see if Salted SHA1 is supported and maybe Google hasn't documented it yet. If not, the sync is done with the Google Servers over SSL. And if only the Directory Manager can read the userPassword attribute, would storing the userPassword attribute in SHA1 be that

Re: [Freeipa-users] Password Attribute Syncing Support

2010-03-22 Thread Rob Crittenden
, the default. rob On Mar 19, 2010, at 4:43 PM, Rob Crittenden rcrit...@redhat.com wrote: Walter Meyer wrote: I will see if Salted SHA1 is supported and maybe Google hasn't documented it yet. If not, the sync is done with the Google Servers over SSL. And if only the Directory Manager can read

Re: [Freeipa-users] FreeIPA - Replicate Setup fails with SSL Error

2010-03-22 Thread Rob Crittenden
Harshavardhana wrote: Hi Everyone, I have been recently configuring Freeipa server and client which I have achieved successfully. But I have hit a roadblock when I tried to replicate ipa server configuration from one already working node to another node. This is on Fedora 11. I have

Re: [Freeipa-users] freeipa master server disaster recovery

2010-04-07 Thread Rob Crittenden
root wrote: Greetings FreeIPA mailing list: I have an FC11 environment setup for testing the FreeIPA implementation of kerberos+ldap w/admin utils. Our primary purpose for kerberos right now is to provide auth services for coda. However, once that gnat is squished, we'll of course be using

Re: [Freeipa-users] freeipa master server disaster recovery

2010-04-08 Thread Rob Crittenden
James Roman wrote: The bug outlines how to promote a replica to be the primary master. You basically just need to import the CA and setup the serial number file. So let's say you had a master and 2 replicas. In reality the only thing that differentiates the first master is that it was

Re: [Freeipa-users] Using already running dogtag-instance possible?

2010-04-09 Thread Rob Crittenden
Oliver Burtchen wrote: Hi @all, is it possible to use an already configured and running dogtag-instance for freeipa V2 in the installation process? I would like to give ipa-server-install just the params for the dogtag-instance/server to use, and skip its own creation-process (pkisilence

Re: [Freeipa-users] Using already running dogtag-instance possible?

2010-04-13 Thread Rob Crittenden
. It is probably possible to do what you want given time and patience but we are unlikely to do this in the near future. rob Best regards, Oli On Friday, 9 April 2010 23:42:54, Rob Crittenden wrote: Oliver Burtchen wrote: Hi @all, is it possible to use an already configured and running dogtag

Re: [Freeipa-users] ipa-useradd - setting gid using cli

2010-04-15 Thread Rob Crittenden
Tom Brown wrote: Hi, I need to bulk insert a bunch of users, and I need to create them with certain GIDs but I don't see where I can do that using the cli. Are there any pointers here? There is currently not a way to directly set the user's gidnumber other than the default group for all

Re: [Freeipa-users] freeipa - f12 - web gui logon issues

2010-04-15 Thread Rob Crittenden
Tom Brown wrote: Not sure which howto you referred to but this covers it pretty well http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Your_Browser.html For troubleshooting the client side see

Re: [Freeipa-users] Using already running dogtag-instance possible?

2010-04-16 Thread Rob Crittenden
this capability we would want to take advantage of it. Okay, hope it was not too much for one posting, best regards, Oli This is great feedback, thanks! rob On Tuesday, 13 April 2010 19:58:23, Rob Crittenden wrote: Oliver Burtchen wrote: Hi Rob, thanks for the answer. I know about

Re: [Freeipa-users] Unable to join a client

2010-04-19 Thread Rob Crittenden
Oliver Burtchen wrote: Hi, using clean F12 installation with all updates and ipa 1.91-0.2010041617git671bb9c.fc12 on server and client: Currently I'm unable to join a client, debug of ipa-client-install attached. Seems, there was a change in the protocol, and ipa-join gives too many

Re: [Freeipa-users] call implemented methods via xml-rpc

2010-04-21 Thread Rob Crittenden
ALAHYANE Rachid wrote: Any ideas ? I can provide further explanations if it is not clear ;) I think that will be needed. You are doing server-server communication if you are running within Apache. It would be helpful if you would describe what your end goal is. rob Sorry for this mail

Re: [Freeipa-users] call implemented methods via xml-rpc

2010-04-22 Thread Rob Crittenden
mailto:jder...@redhat.com On Wed, 2010-04-21 at 15:21 -0400, Rob Crittenden wrote: ALAHYANE Rachid wrote: Here is my apache logs : == /var/log

Re: [Freeipa-users] ERROR: unable to set Cipher List

2010-05-03 Thread Rob Crittenden
Oliver Burtchen wrote: Hi @all, I did a clean, minimum F-12 install with all updates, and used freeipa and sssd12 from http://jdennis.fedorapeople.org/ Everything seems to work fine when I do a ipa-server-install --setup-dns But what does it mean what I see in ipaserver-install.log

Re: [Freeipa-users] Reports and questions

2010-05-03 Thread Rob Crittenden
Marc Schlinger wrote: On 03/05/2010 17:38, Rob Crittenden wrote: Marc Schlinger wrote: Hello, I tried to install freeipa with certs management. I did manage after a problem. 1) The installation was unable to finish on a french localized system. The error at stage [3/15

Re: [Freeipa-users] Is sssd currently useable with freeipa v2 ?

2010-05-03 Thread Rob Crittenden
Oliver Burtchen wrote: On Monday, 3 May 2010 09:14:26, Sumit Bose wrote: On Sun, May 02, 2010 at 08:41:14PM +0200, Oliver Burtchen wrote: On Sunday, 2 May 2010 04:43:22, Rob Crittenden wrote: Oliver Burtchen wrote: Hi Stephen, I nailed the problem now a little bit down. I think it's

Re: [Freeipa-users] User Private Groups

2010-05-06 Thread Rob Crittenden
Ryan Thomson wrote: Wow, I need to improve my search skills: http://freeipa.org/page/IPAv2_alpha2 My answer is at the bottom of the page! My apologies, everyone. No worries. We're going to build this on a new feature in 389-ds, Managed Entries

Re: [Freeipa-users] Modify the mail forgot in the aci Modify Users

2010-06-10 Thread Rob Crittenden
ALAHYANE Rachid wrote: Hi, I am working with ACIs and I noticed that you forgot to add mail in the set of attributes that can be modified : ipa aci-find Modify Users - aci-find: - (targetattr = givenName || sn || cn ||

Re: [Freeipa-users] Modify the mail forgot in the aci Modify Users

2010-06-10 Thread Rob Crittenden
ALAHYANE Rachid wrote: I execute this command hoping it'll work but I get some errors : on my client == ipa -v aci-mod --taskgroup=modifyusers --permissions=write --attrs=mail --type=user Modify Users ipa: INFO: skipping plugin module ipalib.plugins.cert:

Re: [Freeipa-users] CLIENT KEY EXPIRED right after an ipa-join

2010-06-11 Thread Rob Crittenden
Marc Schlinger wrote: hello all, I'm doing bulk enrollment, with ipa-client-install -w mypassword . But after this command when I launch #id test-user, I see in the kdc log that the client key for my host principal has expired, and the command fails. This is because the host principal has

Re: [Freeipa-users] CLIENT KEY EXPIRED right after an ipa-join

2010-06-11 Thread Rob Crittenden
Rob Crittenden wrote: Marc Schlinger wrote: hello all, I'm doing bulk enrollment, with ipa-client-install -w mypassword . But after this command when I launch #id test-user, I see in the kdc log that the client key for my host principal has expired, and the command fails. This is because

Re: [Freeipa-users] FreeIPA V2 build error

2010-08-11 Thread Rob Crittenden
Shan Kumaraswamy wrote: Hi Rob, I am trying to rebuild the free IPA V2 against RHEL 6.0 beta and I installed all the build requirements as per the ipa.spec file. When I start the build it ends with bad error: ipa_repl_version.o ipa_repl_version.c:39:33: error: repl-session-plugin.h: No such file

Re: [Freeipa-users] FreeIPA V2 build error

2010-08-11 Thread Rob Crittenden
Shan Kumaraswamy wrote: Rob, I have installed 389-ds and again I started FreeIPA build, but again some error: Provides: config(ipa-python) = 1.9.0.pre4-0.el6 Requires(rpmlib): rpmlib(CompressedFileNames) = 3.0.4-1 rpmlib(FileDigests) = 4.6.0-1 rpmlib(PartialHardlinkSets) = 4.0.4-1

Re: [Freeipa-users] Upgraded replication slave server - dirsrv process dying

2010-08-11 Thread Rob Crittenden
Dan Scott wrote: Hi, I have a FreeIPA slave server which used to be running Fedora 11 and has recently been upgraded to Fedora 13. It is replicating from a server which is still running Fedora 11. Twice over the last week, the process providing LDAP (dirsrv?) has died. I receive these errors

[Freeipa-users] FreeIPA v2.0 alpha4 replica installation problems

2010-08-16 Thread Rob Crittenden
I fat-fingered this moderated message and it went into the bit bucket, here it is revived. Subject: FreeIPA v2.0 alpha4 replica installation problems From: Hemminger, Corey Lee. [heco0...@stcloudstate.edu] heco0...@stcloudstate.edu Date: Mon, 16 Aug 2010 10:32:14 -0500 To:

Re: [Freeipa-users] FreeIPA v2.0 alpha4 replica installation problems

2010-08-16 Thread Rob Crittenden
Hemminger, Corey Lee. [heco0...@stcloudstate.edu] wrote: Hi, I'm a student admin for St. Cloud State University's Business Computing Research Lab, and we run our own separate network inside the campus network with dedicated internet feeds and hardware for professors' research as well as masters

Re: [Freeipa-users] FreeIPA v2.0 alpha4 replica installation problems

2010-08-17 Thread Rob Crittenden
install should proceed. I've opened a ticket to add this functionality to ipa-replica-install: https://fedorahosted.org/freeipa/ticket/146 rob Corey- From: Rob Crittenden [rcrit...@redhat.com] Sent: Monday, August 16, 2010 2:49 PM To: Hemminger, Corey

[Freeipa-users] fine-grained access control feedback

2010-08-24 Thread Rob Crittenden
In v2 we are adding more fine-grained access control per the many requests we had in v1. v1 only provided the ability to grant permission to write a fixed set of user attributes from group A to group B. We're looking for feedback on the types of access control that the IPA users require in

Re: [Freeipa-users] updated FreeIPA documentation?

2010-09-07 Thread Rob Crittenden
Brian LaMere wrote: Let me start by saying I work at a software development co; I get it - so this isn't a harsh at all. However, the latest docs I could find ( http://freeipa.org/docs/2.0.0/Installation_Deployment_Guide/en-US/html/ ) seem a bit outdated already. For example, this section:

Re: [Freeipa-users] updated FreeIPA documentation?

2010-09-08 Thread Rob Crittenden
Brian LaMere wrote: What version of IPA are you looking at? I have both options in mine. Note that if you want to use magic-private groups only set uidstart. We made this configurable for those installations that may have limited UIDs. The latest in the fedora repo; just

Re: [Freeipa-users] freeipa and postgresql

2010-09-15 Thread Rob Crittenden
Fereyre Jerome wrote: Hi all, I am trying to connect postgresql to freeipa/kerberos to ensure user authentication... but I did not find a lot of information concerning this type of configuration. Currently the messages I encounter are when I'm using the psql command: psql: FATAL: accepting GSS

Re: [Freeipa-users] probems installin freeipa v2

2010-09-21 Thread Rob Crittenden
Technical Specialist Linux/Vmware Tele 64 4 463 6272 Victoria University Kelburn New Zealand -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: Wednesday, 22 September 2010 1:57 p.m. To: Steven Jones Cc: Freeipa-users@redhat.com Subject: Re: [Freeipa-users] probems

Re: [Freeipa-users] ldap.so problem after --setup-dns

2010-09-22 Thread Rob Crittenden
Brian LaMere wrote: I have the following error in the log after named refuses to start: named[1736]: failed to dynamically load driver 'ldap.so': libldap-2.4.so.2: cannot open shared object file: No such file or directory At first I thought it was simply a bah, they require the i686 library

Re: [Freeipa-users] changing primary GID for a user?

2010-09-22 Thread Rob Crittenden
Brian LaMere wrote: The primary GID for a user isn't in the web interface for the user to be able to change it. /usr/sbin/ipa-moduser (what the document references) doesn't exist, nor does ipa user-mod have an option for changing the GID. How is this done? I'll assume you're using IPA v2.

Re: [Freeipa-users] changing search base during migration?

2010-09-22 Thread Rob Crittenden
Brian LaMere wrote: I know about --user-container and --group-container, but that's not sufficient; the domain is different, so I want to completely change the search base for migration. Is this possible? Thanks! Brian It looks like it tries to auto-detect the remote search base using the

Re: [Freeipa-users] changing search base during migration?

2010-09-22 Thread Rob Crittenden
going to do the right thing? rob Thanks :) Brian On Wed, Sep 22, 2010 at 12:44 PM, Rob Crittenden rcrit...@redhat.com wrote: Brian LaMere wrote: I know about --user-container and --group-container, but that's not sufficient; the domain

Re: [Freeipa-users] changing search base during migration?

2010-09-22 Thread Rob Crittenden
Brian LaMere wrote: On Wed, Sep 22, 2010 at 1:14 PM, Rob Crittenden rcrit...@redhat.com wrote: And this request came from newserver? I don't see where we would query namingContexts with this search base. Seems strange that something knew about the new

Re: [Freeipa-users] changing search base during migration?

2010-09-22 Thread Rob Crittenden
Brian LaMere wrote: It looks like we have a bug when setting an empty base_dn. We try to set it blank but it ends up getting set to the IPA base. so if I just change base_dn from '' to 'dc=briandomain,dc=com' then my selfish desire to complete the migration might complete? ; )

Re: [Freeipa-users] IPA Webgui error

2010-09-23 Thread Rob Crittenden
Shan Kumaraswamy wrote: Hi All, I have installed IPA Replica server and the installation succeeded. After configuring the Firefox browser settings, I was not able to access ipa webui, and a couple of times I restarted IPA replica server as well, but no luck and I found this error message view in

Re: [Freeipa-users] hostMask attribute syntax issue in 60sudo.ldif

2010-09-24 Thread Rob Crittenden
Brian LaMere wrote: On Fri, Sep 24, 2010 at 10:43 AM, Dmitri Pal d...@redhat.com wrote: Brian LaMere wrote: ah, odd - I'm used to IPs being IA5. then the equality match should be changed? Can't have caseIgnoreIA5Match on a directory string :) Yes.

Re: [Freeipa-users] bug 634561

2010-09-29 Thread Rob Crittenden
Steven Jones wrote: Hi, Sorry if this sounds pushy but any chance of an ETA please? Looks like it is in updates-testing: https://admin.fedoraproject.org/updates/search/389-ds-base?_csrf_token=02164f85ca5037bd97fa8deacbd13fda7ea300f0 # yum update --enablerepo=updates-testing 389-ds-base rob

Re: [Freeipa-users] Kerberos Password change limitation while behind a NAT

2010-09-30 Thread Rob Crittenden
Marc Schlinger wrote: On 30/09/2010 18:30, Simo Sorce wrote: You can use ldappasswd too, either with GSSAPI auth or eventually even with plaintext auth (require using SSL) in that case though you will need to know the user DN. Simo. So if a user logs in when his password is expired,

Re: [Freeipa-users] Replica not syncing 'memberOf' attributes

2010-10-06 Thread Rob Crittenden
Dan Scott wrote: Hi, On Wed, Oct 6, 2010 at 11:32, Simo Sorce sso...@redhat.com wrote: On Wed, 6 Oct 2010 10:26:48 -0400 Dan Scott danieljamessc...@gmail.com wrote: Hi, I have master and slave FreeIPA servers. I recently upgraded the slave by wiping, re-installing Fedora 13 and re-creating

Re: [Freeipa-users] Problem with FreeIPA v2 and kpasswd on Solaris 10

2010-10-14 Thread Rob Crittenden
Rob Crittenden wrote: Miljan Karadzic wrote: Hi, I am having problems configuring Solaris 10 client to work with FreeIPA v2 server. Everything seems to be working fine except for password change. When I try to change the password I get this error: $ kpasswd kpasswd: Changing password for u

Re: [Freeipa-users] certmonger selinux issue and freeipa dns database error problem

2010-11-09 Thread Rob Crittenden
Rob Crittenden wrote: Uzor Ide wrote: We have a network that relies on kerberos, 389-ds, bind and nfs4. I am currently testing out the freeipa version 2 to see if we can use it to consolidate the various configuration into one interface. For the most part it works great apart from the obvious

Re: [Freeipa-users] FreeIPA 1.2.2 Fedora 14 ldap problem

2010-12-22 Thread Rob Crittenden
luis lugo wrote: Hi all, I have a problem with freeipa 1.2.2 on fedora 14, when I add new users and use the id command to view the numeric user and group ID I get id: No such user, the same thing with getent passwd, no info about new users, but with the ipa-finduser command I get the user information . Help

Re: [Freeipa-users] ipa-server-install fails

2011-01-12 Thread Rob Crittenden
Geerten Schram wrote: Hi All, When running ipa-server-install from ipa-server-2.0.0.pre1-0.fc14.x86_64 I get an error (see list1 and ipserver-install.log). I just don't get it. When I run the pkisilent command by hand I get

Re: [Freeipa-users] IPA server certificate update and Directory Manager password

2011-01-20 Thread Rob Crittenden
Ian Stokes-Rees wrote: Hello, We have a deployment of IPA that we have been using successfully for 185 days. We are 3 days past the half year mark, and the self-signed cert that was created with the original IPA install (FreeIPA v2 alpha) has expired. I have created a new self-signed cert,

Re: [Freeipa-users] IPA server certificate update and Directory Manager password

2011-01-20 Thread Rob Crittenden
Ian Stokes-Rees wrote: Just so I have the full context, where did the original self-signed cert come from? The initial cert should have been good for 12 months so I'm a little confused. Do you know where the initial certificate came from? I have to plead ignorance, since it was our regular

Re: [Freeipa-users] IPA server certificate update and Directory Manager password

2011-01-20 Thread Rob Crittenden
Ian Stokes-Rees wrote: Some more info: 1. certmonger wasn't running, so I started it. Then I can execute ipa-getcert list but it doesn't return anything. Ok, your install must have pre-dated our implementation of it. 2. /var/log/ipa/default.log (the only log file in that dir) appears to

Re: [Freeipa-users] IPA server certificate update and Directory Manager password

2011-01-21 Thread Rob Crittenden
Ian Stokes-Rees wrote: Rob, Thanks for your most recent comments. I'm not sure if I should try these *before* or *after* the steps described in the 5:32 EST email. Ian I think roll back the time to the 15th, disable SSL in 389-ds and bring the servers back up. Then follow the instructions

Re: [Freeipa-users] Invalid Credentials error on migrate-ds

2011-01-24 Thread Rob Crittenden
Jeff B wrote: I'm trying to test out migration from an Apple Open Directory Server to FreeIPA (unstable) The command I'm running is: ipa config-mod --enable-migration=true ipa -d migrate-ds --user-container='cn=users,dc=xxx,dc=,dc=com' --group-container='cn=groups,dc=xxx,dc=,dc=com'

Re: [Freeipa-users] Invalid Credentials error on migrate-ds

2011-01-24 Thread Rob Crittenden
Jeff B wrote: The Apple Open Directory uses kerberos so they aren't readable as the root dn either. the password fields all have the same token: KioqKioqKio= I wasn't expecting to be able to import passwords so I thought I could run an import as an anonymous bind. I'll try again with a bind

[Freeipa-users] [Freeipa-devel] Announcing FreeIPA v2 Server Release Candidate 1 Release

2011-02-14 Thread Rob Crittenden
To all freeipa-interest, freeipa-users and freeipa-devel list members, The FreeIPA project team is pleased to announce the availability of the Release Candidate 1 release of freeIPA 2.0 server [1]. * Binaries are available for F-14 and F-15 [2]. * Please do not hesitate to share feedback,

Re: [Freeipa-users] limit access to a specific CN

2011-02-15 Thread Rob Crittenden
Peter Doherty wrote: Hello, I'm running Fedora 14 and freeipa 1.2.2-6 Can I create a new cn/nsContainer (cn=subgroup,dc=example,dc=com) and then create an account that can edit that cn as much as they want, but can't edit the other ones (ie: accounts, groups...)? Any pointers to documentation

Re: [Freeipa-users] [Freeipa-devel] Announcing FreeIPA v2 Server Release Candidate 1 Release

2011-02-16 Thread Rob Crittenden
Steven Jones wrote: Is there a series of RPMS I can download? ie can someone tell which ones I need for the server and which ones I need for the client and in what order I install? I can get the rpms off the store, just not via yum as the repo is dead for me; either it's a remote issue, or our

Re: [Freeipa-users] 389 DS server closing connection after upgrade from Fedora 12 to 13

2011-02-21 Thread Rob Crittenden
tomasz.napier...@allegro.pl wrote: Hi, Although I was very happy with FreeIPA on F12, due to compliance issues I had to upgrade our master server from F12 to F13. I tried several methods, and only yum upgrade was semi successful. After upgrade 389 seems to be running fine, with one exception:

Re: [Freeipa-users] Changing IP address of master server

2011-02-21 Thread Rob Crittenden
tomasz.napier...@allegro.pl wrote: On 2011-02-21, at 15:36, Rob Crittenden wrote: tomasz.napier...@allegro.pl wrote: Hi, I'm sure I read about it somewhere, but I can't find any references now. Is it possible to change IP address of master server? If so, is it a matter of changing system IP

Re: [Freeipa-users] While attempting to join a client ....I get this failure....

2011-02-28 Thread Rob Crittenden
Steven Jones wrote: I have just built these 2 fed14 to act as a server and client and run yum update... so they should be as closely sync'd as possible... =client=== [root@fed14-64-ipacl01 ~]# ipa-client-install Discovery was successful! Realm: IPA.AC.NZ DNS Domain:

Re: [Freeipa-users] While attempting to join a client ....I get this failure....

2011-02-28 Thread Rob Crittenden
-0500, Rob Crittenden wrote: Steven Jones wrote: I have just built these 2 fed14 to act as a server and client and run yum update... so they should be as closely sync'd as possible... =client=== [root@fed14-64-ipacl01 ~]# ipa-client-install Discovery was successful! Realm

Re: [Freeipa-users] While attempting to join a client ....I get this failure....

2011-02-28 Thread Rob Crittenden
Steven Jones wrote: Hi, How do I tell? ie what are the package names? but apart from that both are yum updated from the same repo, so this means your repo is probably the problem On the client: rpm -q freeipa-client On the server: rpm -q freeipa-server regards On Mon, 2011-02-28 at

[Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release

2011-02-28 Thread Rob Crittenden
To all freeipa-interest, freeipa-users and freeipa-devel list members, The FreeIPA project team is pleased to announce the availability of the Release Candidate 2 release of freeIPA 2.0 server [1]. * Binaries are available for F-14 and F-15 [2]. * Please do not hesitate to share feedback,

Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release

2011-03-01 Thread Rob Crittenden
Steven Jones wrote: I'm getting a pycurl error 6... so every few hours the errors change I don't know if the pycurl errors are equivalent to the curl errors but in curl error 6 means couldn’t resolve host. You might try: yum clean all I tried the repo myself and was able to install rc2

Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release

2011-03-01 Thread Rob Crittenden
? $ ldapsearch -x -s one -b cn=masters,cn=ipa,cn=etc,dc=ipa,dc=ac,dc=nz dn $ hostname $ cat /etc/sysconfig/network (there should be only one HOSTNAME) thanks rob regards On Tue, 2011-03-01 at 16:10 -0500, Rob Crittenden wrote: Steven Jones wrote: I'm getting a pycurl error 6... so every few

Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release

2011-03-01 Thread Rob Crittenden
Steven Jones wrote: I think it is a mismatch between what we've stored as the hostname and the hostname of the machine. Can you look at the output of these commands and see if the hostname is the same between them all? $ ldapsearch -x -s one -b cn=masters,cn=ipa,cn=etc,dc=ipa,dc=ac,dc=nz dn

Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release

2011-03-02 Thread Rob Crittenden
Steven Jones wrote: Hi, Yep... that is the issue... I put it in, rebooted, worked, took it out rebooted, didn't work, put it back in rebooted and it worked again. Wonders of a gui setup... normally I do it by hand and do a FQDN... I assumed because it was short form in the file that is the way

Re: [Freeipa-users] Setup windows AD Sync Failure

2011-03-02 Thread Rob Crittenden
Sayid Munawar wrote: Dear, I have successfully installed freeipa-server 2 rc2. and create some test user and tested machine enrollment. now, what i want to do next is sync all my windows 2008r2 AD accounts. i've got already get the cert needed, and tested it with ldapsearch tools in the same

Re: [Freeipa-users] replication setup failure

2011-03-02 Thread Rob Crittenden
Steven Jones wrote: 8 starting replication, please wait until this has completed. Update in progress Update in progress Update in progress Update in progress Update in progress Update succeeded [21/27]: adding replication acis [22/27]: initializing group membership [23/27]: adding

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-03 Thread Rob Crittenden
Steven Jones wrote: I appear to have IPA running, I have run the install client on a fed14 KVM guest and that guest is in the IPA system, however the users in IPA cannot authenticate via IPA and get onto the client. There appears to be traffic to port 389, so I assume it's almost working... but

Re: [Freeipa-users] Time bug

2011-03-04 Thread Rob Crittenden
Simo Sorce wrote: On Fri, 4 Mar 2011 15:16:36 +1300 Steven Jones steven.jo...@vuw.ac.nz wrote: Hi, Americans are funny ppl they put the date format as month then day... the problem is in the real world, it's day then month So I have registered 1 client and 2 ipa masters as of 4th march

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-04 Thread Rob Crittenden
Dmitri Pal wrote: On 03/03/2011 02:53 PM, Steven Jones wrote: 8 I have no idea, I'm trying to follow the ipa document (version 0.5)... so if it says do something I try and do it... if it doesn't say do something well... it doesn't get done as I can't mind read. What I want is encrypted

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Rob Crittenden
Steven Jones wrote: Hi, Log, The error is Host is already joined so no keytab is requested. The enrollment failed. ipa-client-install --uninstall should unenroll the client (you can verify that Keytab is False in ipa host-show client_fqdn on the IPA server. If so running

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-09 Thread Rob Crittenden
Steven Jones wrote: Ok, However I can't LDAP/Ipa authenticate still... on either client.. So what next? sssd handles logins, you can try turning up the log level on that (though I suspect it wasn't the reboot that fixed this but restarting sssd). As part of ipa-client-install sssd
