Re: [Freeipa-users] Error on Setting up Multi-Master Replication

2009-08-19 Thread Rob Crittenden
Fu-Jyh Luo wrote: Dear All, I am having some trouble setting up Multi-Master Replication. ipa-replica-install complains about CRITICAL Failed to load indices.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpCwijw4 -f /usr/share/ipa/indices.ldif'

Re: [Freeipa-users] Error on Setting up Multi-Master Replication

2009-08-19 Thread Rob Crittenden
Fu-Jyh Luo wrote: What version of IPA are you using and what Linux distribution? IPA 1.2.1 and CentOS 5.3 64Bits Can you attach /var/log/ipareplica-install.log? You might want to check that log real quick before sending to ensure it doesn't have any private information you might not want to

Re: [Freeipa-users] ipa-replica-prepare clarification

2009-09-12 Thread Rob Crittenden
James Roman wrote: Can anyone elaborate on the options for the ipa-replica-prepare command? I have a third party signed certificate for both my master and replica server. Am I supposed to provide the PKCS12 file for the master server or the replica? If it is looking for the master server, I

Re: [Freeipa-users] ipa-replica-prepare clarification

2009-09-17 Thread Rob Crittenden
James Roman wrote: In case any one runs into this error while trying to create a replica: Starting dirsrv: REALM-COM...[15/Sep/2009:09:39:18 -0400] dse - The entry cn=schema in file /etc/dirsrv/slapd-REALM-COM/schema/##xx.ldif is invalid, error code 21 (Invalid syntax) - object class

Re: Fwd: [Freeipa-users] Problem with Kerberos Authentication

2009-09-25 Thread Rob Crittenden
Michael Kang wrote: -- Forwarded message -- From: *Michael Kang* wxi...@gmail.com mailto:wxi...@gmail.com Date: Fri, Sep 25, 2009 at 4:09 PM Subject: Re: [Freeipa-users] Problem with Kerberos Authentication To: Jenny Galipeau jgali...@redhat.com mailto:jgali...@redhat.com

Re: [Freeipa-users] Import LDIF file to FreeIPA

2009-10-20 Thread Rob Crittenden
Michael Kang wrote: Dear all, I got a LDIF file which is exported from Fedora 389 Directory Server. I want to import those user info into FreeIPA. What should I do? I just need the group,username and passwd information which is exported from another Fedora 389 Directory Server. You won't

Re: [Freeipa-users] Library to change expired password

2009-10-30 Thread Rob Crittenden
Jason Gerard DeRose wrote: On Thu, 2009-10-29 at 17:56 -0400, Dan Scott wrote: Hi, I'm trying to integrate FreeIPA with a Java webapp using JAAS. I have the login module configured properly and it is working fine. However, I have a problem with the initial user setup. New accounts are created

Re: [Freeipa-users] Library to change expired password

2009-10-30 Thread Rob Crittenden
Dmitri Pal wrote: As Sumit said, the self-service page currently requires kerberos so you'd have to get a TGT first which means you need a valid password. This may not be too difficult to do in a web form (SSL protected, of course). You should be able to create a non-kerberos auth page that

Re: [Freeipa-users] Library to change expired password

2009-10-30 Thread Rob Crittenden
Dan Scott wrote: This may not be too difficult to do in a web form (SSL protected, of course). You should be able to create a non-kerberos auth page that prompts for username, old and new password and a submit button. You could pass this onto a simple backend that does an LDAP bind as the user

Re: [Freeipa-users] freeIPA replication

2009-12-14 Thread Rob Crittenden
such as these will not be copied to 99user.ldif, and setup-ds.pl -u in 389-ds-base 1.2.3 and later will clean up 99user.ldif of these and other bogus schema. Rich Megginson wrote: Rob Crittenden wrote: Виктор Сергеевич wrote: On fedora 11: Name: 389-ds-base Relocations

Re: [Freeipa-users] freeIPA replication

2009-12-14 Thread Rob Crittenden
James Roman wrote: Rob Crittenden wrote: Виктор Сергеевич wrote: Hi! Thanks! It works! But on the master server I see users in groups, while on the replica I see only the group, without users. If I search for users, I can find them. And one more: Strange, that shouldn't happen. I'd search for them

[Freeipa-users] freeIPA wiki status

2009-12-15 Thread Rob Crittenden
The machine hosting the freeIPA wiki was moved to a new datacenter this weekend. The move was successful and the machine is up and operating, the problem is that DNS hasn't been updated to reflect the new IP address. We are working on resolving this but at this time have no ETA on when that

Re: [Freeipa-users] freeipa replication

2010-01-04 Thread Rob Crittenden
John Robert Mendoza --- On *Tue, 12/15/09, John Robert Mendoza /jrober...@yahoo.com/* wrote: From: John Robert Mendoza jrober...@yahoo.com Subject: Re: [Freeipa-users] freeipa replication To: Rob Crittenden rcrit...@redhat.com Cc: freeipa-users@redhat.com Date: Tuesday, 15

Re: [Freeipa-users] freeipa master server disaster recovery

2010-01-12 Thread Rob Crittenden
root wrote: Greetings FreeIPA mailing list: I have an FC11 environment setup for testing the FreeIPA implementation of kerberos+ldap w/admin utils. Our primary purpose for kerberos right now is to provide auth services for coda. However, once that gnat is squished, we'll of course be using

Re: [Freeipa-users] FreeIPA master replica generation divorce?

2010-01-12 Thread Rob Crittenden
root wrote: Greetings FreeIPA mailing list: Thinking outside of the box for a moment, is it possible to divorce the FreeIPA master feature of deploying FreeIPA servers from the FreeIPA cluster which handles everything else? Keeps it safe and out of harm's way, especially considering it has

Re: [Freeipa-users] HA/DR

2010-01-26 Thread Rob Crittenden
Dmitri Pal wrote: Scott Kaminski wrote: Just wondering if you setup 4 servers using MMR what would happen if your first ipa server died and was unrecoverable? Would it be possible to recover from this scenario? The replicas are mostly symmetric. The difference is that the first IPA has

Re: [Freeipa-users] Web admin for FreeIPA Directory Server

2010-01-27 Thread Rob Crittenden
Michael Kang wrote: Nobody answers my question: Could I use phpLDAPadmin to maintain FreeIPA Directory Server? Is it technically possible? Sure, assuming it works with 389-ds. Is it a good idea? Depends on what exactly you're going to do. If you don't try to manage any objects used by IPA

Re: [Freeipa-users] Error Installing FreeIPA build 1.2.2

2010-01-28 Thread Rob Crittenden
Shan Kumaraswamy wrote: Dear All, I am trying to install FreeIPA build 1.2.2 with RHDS 8.0, while installing I am facing some serious issue. Please find the below steps which I followed and error message which got during the installation 1. I successfully installed RHDS 8.0 2. Installed

Re: [Freeipa-users] DNS replica setup problem

2010-02-01 Thread Rob Crittenden
Scott Kaminski wrote: I'm not sure what I'm doing wrong here. I'm trying to setup a replica server and this is the output i'm getting: [r...@ldap-4 tmp]# ipa-replica-install -d replica-info-ldap-4.quadrant.local.gpg Directory Manager (existing master) password: root: INFO root

Re: [Freeipa-users] Installing IPA on Solaris 10

2010-02-02 Thread Rob Crittenden
Andy Singleton wrote: Hi guys, I am installing IPA 1.2.2 client installation on one of our Solaris servers, and I can't seem to get the system to see the IPA users. “getent passwd” only returns local users, and no traffic is leaving the client for the IPA server for ldap. I have

Re: [Freeipa-users] Installing IPA on Solaris 10

2010-02-03 Thread Rob Crittenden
get a specific user and group: getent passwd admin getent group ipausers rob Cheers Andy - Original Message - From: Rob Crittenden rcrit...@redhat.com To: Andy Singleton Cc: freeipa-users@redhat.com freeipa-users@redhat.com Sent: Tue Feb 02 21:01:33 2010 Subject: Re: [Freeipa-users

Re: [Freeipa-users] FreeIPA 1.2.2 Server

2010-02-03 Thread Rob Crittenden
Shan Kumaraswamy wrote: Dear All, Greetings, I am planning to deploy FreeIPA (stable version 1.2.2) under RHEL 5 server (not a client) using RHDS 8.1, please clarify me, whether the FreeIPA 1.2.2 will compile and install in RHEL 5 Server using RHDS 8.1 version? Sure. % cd

Re: [Freeipa-users] Installing IPA on Solaris 10

2010-02-03 Thread Rob Crittenden
for anything then you want to use it for EVERYTHING, so you'll want to fix up /etc/nsswitch.conf, at least setting files and ipnodes back to dns from ldap. rob Andy -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: 03 February 2010 16:11 To: Andy Singleton Cc

Re: [Freeipa-users] Installing IPA on Solaris 10

2010-02-05 Thread Rob Crittenden
-Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: 03 February 2010 17:34 To: Andy Singleton; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Installing IPA on Solaris 10 Andy Singleton wrote: Hi Rob, Neither of the commands give any results. /me smacks

[Freeipa-users] Announcing FreeIPA v2 Server Alpha 2 Release

2010-02-18 Thread Rob Crittenden
To all freeipa-interest, freeipa-users and freeipa-devel list members, The FreeIPA project team is pleased to announce the availability of the Alpha 2 release of the long-awaited freeIPA 2.0 server [1]. This version of the server includes: * Draft UI pages for all plugins that fit into a

Re: [Freeipa-users] Alpha 2 Bugs or Misconfigurations?

2010-02-18 Thread Rob Crittenden
Ryan Thomson wrote: Hi, First off, thanks to the freeIPA team for releasing the next iteration of v2! I eagerly follow this project despite my limited deployment goals. As such, I've already downloaded the source code and built it on my Fedora 12 PPC server (IBM p505) for testing. Wow,

Re: [Freeipa-users] MultiHomed Server SSH login issue

2010-02-22 Thread Rob Crittenden
David Christensen wrote: I have my ipa 1.2.2 setup in an environment where my servers have two NICs each in a different VLAN. With the multi NIC setup I have two different DNS names for a single host to control which interface is used when accessing the host e.g. host.example.com and

Re: [Freeipa-users] Alpha 2 Bugs or Misconfigurations?

2010-02-22 Thread Rob Crittenden
Steven Whately wrote: On Fedora 12, I un-installed 1.2 and then installed 1.9. My clients could not log in. The server was logging the following message: sssd_be: GSSAPI Error: The referenced context has expired (Unknown error) Hmm, is the time on the client close to the time on the IPA

Re: [Freeipa-users] Installing IPA on Solaris 10

2010-02-24 Thread Rob Crittenden
Clients attempt to connect and fail right? Are you saying this is the only thing logged in that case? rob Any comments/advice would be appreciated. Thanks Andy -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: 05 February 2010 16:58 To: Andy Singleton Cc

Re: [Freeipa-users] Installing IPA on Solaris 10

2010-02-26 Thread Rob Crittenden
://bugzilla.redhat.com/show_bug.cgi?id=568104 rob Cheers Andy -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: 24 February 2010 14:47 To: Andy Singleton Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Installing IPA on Solaris 10 Andy Singleton wrote: Hi

Re: [Freeipa-users] Unable to connect to IPA server: File Not Found

2010-03-04 Thread Rob Crittenden
root wrote: Greetings all: I'm thinking I just have to bounce something (or maybe it's been long enough that I'm running the command wrong, but I don't think so). Note that I show the error when not authenticated, and that I can authenticate without error: [r...@sandbox1 ~]# ipa-finduser

Re: [Freeipa-users] Unable to connect to IPA server: File Not Found

2010-03-08 Thread Rob Crittenden
Dmitri Pal wrote: Don, Sorry, I accidentally deleted your post. I am resending it. === Greetings all: Turned out to be webservice getting reconfigured out from under me. We didn't know that the management interface website was necessary for the command-line

Re: [Freeipa-users] Installing on Centos

2010-03-17 Thread Rob Crittenden
Gerrard Geldenhuis wrote: Hi I was wondering if anyone has had any luck in getting FreeIPA compiled and installed on Centos. I am struggling a bit at the moment. I have downloaded a fedora source package which I have tried to compile but can’t even get the package to install at the moment. I

Re: [Freeipa-users] MemberOf plugin keeps disabling account

2010-03-18 Thread Rob Crittenden
James Roman wrote: Just for posterity. The issue ended up being that the AD and FreeIPA were out of sync. One of the sub-containers in the Active Directory containing disabled accounts was moved outside of the scope of the sync agreement. We never ran a replica init, so a number of scheduled

Re: [Freeipa-users] Password Attribute Syncing Support

2010-03-18 Thread Rob Crittenden
Walter Meyer wrote: I am testing out FreeIPA and am wondering if FreeIPA is compatible with the Google Apps password sync utility. Specifically my question in relation to FreeIPA is how the password attribute is stored in the DS? Is it in any of these Google Apps supported formats: MD5, SHA1,

Re: [Freeipa-users] Password Attribute Syncing Support

2010-03-19 Thread Rob Crittenden
all communication with SSL (it may very well work today, I didn't dive too deeply into the documentation). regards rob Thanks Dmitri On Thu, Mar 18, 2010 at 6:10 PM, Rob Crittenden rcrit...@redhat.com mailto:rcrit...@redhat.com wrote: Walter Meyer wrote: I am testing out

Re: [Freeipa-users] Password Attribute Syncing Support

2010-03-19 Thread Rob Crittenden
Dmitri Pal wrote: Walter Meyer wrote: We would be using Google Apps for our email system (and other services included with GA like Google Docs etc.) I'd like to have one password for users when they access their email via Google Apps, ideally the users and passwords would be centralized in IPA.

Re: [Freeipa-users] Password Attribute Syncing Support

2010-03-19 Thread Rob Crittenden
Walter Meyer wrote: I will see if Salted SHA1 is supported and maybe Google hasn't documented it yet. If not, the sync is done with the Google Servers over SSL. And if only the Directory Manager can read the userPassword attribute, would storing the userPassword attribute in SHA1 be that

Re: [Freeipa-users] Password Attribute Syncing Support

2010-03-22 Thread Rob Crittenden
, the default. rob On Mar 19, 2010, at 4:43 PM, Rob Crittenden rcrit...@redhat.com wrote: Walter Meyer wrote: I will see if Salted SHA1 is supported and maybe Google hasn't documented it yet. If not, the sync is done with the Google Servers over SSL. And if only the Directory Manager can read

Re: [Freeipa-users] FreeIPA - Replicate Setup fails with SSL Error

2010-03-22 Thread Rob Crittenden
Harshavardhana wrote: Hi Everyone, I have been recently configuring Freeipa server and client which I have achieved successfully. But I have hit a roadblock when I tried to replicate ipa server configuration from one already working node to another node. This is on Fedora 11. I have

Re: [Freeipa-users] freeipa master server disaster recovery

2010-04-07 Thread Rob Crittenden
root wrote: Greetings FreeIPA mailing list: I have an FC11 environment setup for testing the FreeIPA implementation of kerberos+ldap w/admin utils. Our primary purpose for kerberos right now is to provide auth services for coda. However, once that gnat is squished, we'll of course be using

Re: [Freeipa-users] freeipa master server disaster recovery

2010-04-08 Thread Rob Crittenden
James Roman wrote: The bug outlines how to promote a replica to be the primary master. You basically just need to import the CA and setup the serial number file. So lets say you had a master and 2 replicas. In reality the only thing that differentiates the first master is that it was

Re: [Freeipa-users] Using already running dogtag-instance possible?

2010-04-09 Thread Rob Crittenden
Oliver Burtchen wrote: Hi @all, is it possible to use an already configured and running dogtag-instance for freeipa V2 in the installation process? I would like to give ipa-server-install just the params for the dogtag-instance/server to use, and skip its own creation-process (pkisilence

Re: [Freeipa-users] Using already running dogtag-instance possible?

2010-04-13 Thread Rob Crittenden
. It is probably possible to do what you want given time and patience but we are unlikely to do this in the near future. rob Best regards, Oli On Friday, 9 April 2010 23:42:54 Rob Crittenden wrote: Oliver Burtchen wrote: Hi @all, is it possible to use an already configured and running dogtag

Re: [Freeipa-users] ipa-useradd - setting gid using cli

2010-04-15 Thread Rob Crittenden
Tom Brown wrote: Hi I need to bulk insert a bunch of users, and I need to create them with certain gids but I don't see where I can do that using the cli. Are there any pointers here? There is currently not a way to directly set the user's gidnumber other than the default group for all

Re: [Freeipa-users] freeipa - f12 - web gui logon issues

2010-04-15 Thread Rob Crittenden
Tom Brown wrote: Not sure which howto you referred to but this covers it pretty well http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Your_Browser.html For troubleshooting the client side see

Re: [Freeipa-users] Using already running dogtag-instance possible?

2010-04-16 Thread Rob Crittenden
this capability we would want to take advantage of it. Okay, hope it was not too much for one posting, best regards, Oli This is great feedback, thanks! rob On Tuesday, 13 April 2010 19:58:23 Rob Crittenden wrote: Oliver Burtchen wrote: Hi Rob, thanks for the answer. I know about

Re: [Freeipa-users] Using already running dogtag-instance possible?

2010-04-16 Thread Rob Crittenden
Oliver Burtchen wrote: On Friday, 16 April 2010 15:43:52 Rob Crittenden wrote: ... Just to remember, I'm using the latest IPA V2 from the repository http://jdennis.fedorapeople.org/ipa-devel/fedora/12/... I found that in the docs and hope it's the best source. And I'm using a clean F12

Re: [Freeipa-users] Unable to join a client

2010-04-19 Thread Rob Crittenden
Oliver Burtchen wrote: Hi, using clean F12 installation with all updates and ipa 1.91-0.2010041617git671bb9c.fc12 on server and client: Currently I'm unable to join a client, debug of ipa-client-install attached. Seems, there was a change in the protocol, and ipa-join gives too many

Re: [Freeipa-users] call implemented methods via xml-rpc

2010-04-21 Thread Rob Crittenden
ALAHYANE Rachid wrote: Any ideas ? I can provide further explanations if it is not clear ;) I think that will be needed. You are doing server-server communication if you are running within Apache. It would be helpful if you would describe what your end goal is. rob Sorry for this mail

Re: [Freeipa-users] call implemented methods via xml-rpc

2010-04-21 Thread Rob Crittenden
ALAHYANE Rachid wrote: Ok so, my end goal is to use the ipa methods with xml-rpc as following, * ipaServer : my ipa server, used to authenticate users and serves response for xml-rpc calls from rpcServer * rpcServer : this host is my xml-rpc server, I installed freeipa libraires on it,

Re: [Freeipa-users] Apache Error Immediately After Install

2010-04-21 Thread Rob Crittenden
- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: Tuesday, April 20, 2010 12:26 PM To: Brad Lodgen Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Apache Error Immediately After Install Brad Lodgen wrote: I have a fresh install. All I've done is kinit admin and added

Re: [Freeipa-users] call implemented methods via xml-rpc

2010-04-21 Thread Rob Crittenden
(u'admin') --- Meilleures salutations / Best Regards Rachid ALAHYANE 2010/4/21 Rob Crittenden rcrit...@redhat.com mailto:rcrit...@redhat.com ALAHYANE Rachid wrote: Ok so, my end goal

Re: [Freeipa-users] call implemented methods via xml-rpc

2010-04-22 Thread Rob Crittenden
mailto:jder...@redhat.com On Wed, 2010-04-21 at 15:21 -0400, Rob Crittenden wrote: ALAHYANE Rachid wrote: Here is my apache logs : == /var/log

Re: [Freeipa-users] call implemented methods via xml-rpc

2010-04-23 Thread Rob Crittenden
Lots of embedded comments... ALAHYANE Rachid wrote: Hi, How about: api.bootstrap(context='webservices', debug=True, xmlrpc_uri='https://luna.greyoak.com/ipa/xml') when I do this, I get these messages - In

Re: [Freeipa-users] Is sssd currently useable with freeipa v2 ?

2010-05-01 Thread Rob Crittenden
Oliver Burtchen wrote: Hi Stephen, I nailed the problem now a little bit down. I think it's HBAC with it's empty rules in the standard configuration. For me it was hard to recognize that it prevents every user added with ipa user-add from logging in the server or joined machines (via ssh or

Re: [Freeipa-users] ERROR: unable to set Cipher List

2010-05-03 Thread Rob Crittenden
Oliver Burtchen wrote: Hi @all, I did a clean, minimum F-12 install with all updates, and used freeipa and sssd12 from http://jdennis.fedorapeople.org/ Everything seems to work fine when I do a ipa-server-install --setup-dns But what does it mean what I see in ipaserver-install.log

Re: [Freeipa-users] Reports and questions

2010-05-03 Thread Rob Crittenden
Marc Schlinger wrote: On 03/05/2010 17:38, Rob Crittenden wrote: Marc Schlinger wrote: Hello, I tried to install freeipa with certs management. I did manage after a problem. 1°) The installation was unable to finish on a French localized system. The error at stage [3/15

Re: [Freeipa-users] Is sssd currently useable with freeipa v2 ?

2010-05-03 Thread Rob Crittenden
Oliver Burtchen wrote: On Monday, 3 May 2010 09:14:26 Sumit Bose wrote: On Sun, May 02, 2010 at 08:41:14PM +0200, Oliver Burtchen wrote: On Sunday, 2 May 2010 04:43:22 Rob Crittenden wrote: Oliver Burtchen wrote: Hi Stephen, I nailed the problem now a little bit down. I think it's

Re: [Freeipa-users] User Private Groups

2010-05-06 Thread Rob Crittenden
Ryan Thomson wrote: Wow, I need to improve my search skills: http://freeipa.org/page/IPAv2_alpha2 My answer is at the bottom of the page! My apologies, everyone. No worries. We're going to build this on a new feature in 389-ds, Managed Entries

Re: [Freeipa-users] problem with build rpm package of freeipa-server for centos

2010-05-25 Thread Rob Crittenden
Krzysztof Zając wrote: Hi, I have to build freeipa package for centos server. I've downloaded *.src.rpm file but after rpmbuild -ba command I receive the following error: tg-admin i18n compile Traceback (most recent call last): File /usr/bin/tg-admin, line 5, in ? from pkg_resources

Re: [Freeipa-users] NFS4 after client upgrade to Fedora 13

2010-05-27 Thread Rob Crittenden
Thomas Sailer wrote: Hi, After upgrading one IPA client from Fedora12 to Fedora13 (the server runs Fedora12), I'm experiencing NFS4 problems. I can still mount the server from the client like this: mount -t nfs4 -o soft,intr,rsize=8192,wsize=8192,rw,sec=krb5p server.xxx.com:/home /tmp/z root

Re: [Freeipa-users] Dynamic DNS and Kerberos...

2010-05-28 Thread Rob Crittenden
Stjepan Gros wrote: Hi! I have a simple question regarding adding hosts in Kerberos when hosts are dynamically assigned IP addresses and registered to DNS. In such cases, ipa-addservice complains that host has to have A record in DNS and doesn't want to add new principal. So, there are two

Re: [Freeipa-users] Dynamic DNS and Kerberos...

2010-06-07 Thread Rob Crittenden
Rob Townley wrote: On Fri, May 28, 2010 at 10:02 AM, Stjepan Gros sg...@zemris.fer.hr wrote: Hi! I have a simple question regarding adding hosts in Kerberos when hosts are dynamically assigned IP addresses and registered to DNS. In such cases, ipa-addservice complains that host has to have A

Re: [Freeipa-users] Reports and questions

2010-06-07 Thread Rob Crittenden
Marc Schlinger wrote: Hello, At last I did manage to create and use my certs, but with nss tools. I've stopped using openssl ones, since they are not integrated with freeipa. So I encounter no problems. Last things I'd like to know. I've seen that I was able to modify the content signed certs

Re: [Freeipa-users] Modify the mail forgot in the aci Modify Users

2010-06-10 Thread Rob Crittenden
ALAHYANE Rachid wrote: Hi, I am working with ACIs and I noticed that you forgot to add mail in the set of attributes that can be modified : ipa aci-find Modify Users - aci-find: - (targetattr = givenName || sn || cn ||

Re: [Freeipa-users] Modify the mail forgot in the aci Modify Users

2010-06-10 Thread Rob Crittenden
ALAHYANE Rachid wrote: I execute this command hoping it'll work but I get some errors : on my client == ipa -v aci-mod --taskgroup=modifyusers --permissions=write --attrs=mail --type=user Modify Users ipa: INFO: skipping plugin module ipalib.plugins.cert:

Re: [Freeipa-users] Reports and questions

2010-06-11 Thread Rob Crittenden
Marc Schlinger wrote: Adding support for other profiles is possible but would require changes in both the IPA RA backend and in the IPA cert plugin. If you'd be interested in pursuing that I can give some guidance on how that might be done. rob Yes, I'm interested, I will need this

Re: [Freeipa-users] CLIENT KEY EXPIRED right after an ipa-join

2010-06-11 Thread Rob Crittenden
Marc Schlinger wrote: hello all, I'm doing bulk enrollment, with ipa-client-install -w mypassword . But after this command when I launch #id test-user, I see in the kdc log that the client key for my host principal has expired, and the command fails. This is because the host principal has

Re: [Freeipa-users] CLIENT KEY EXPIRED right after an ipa-join

2010-06-11 Thread Rob Crittenden
Rob Crittenden wrote: Marc Schlinger wrote: hello all, I'm doing bulk enrollment, with ipa-client-install -w mypassword . But after this command when I launch #id test-user, I see in the kdc log that the client key for my host principal has expired, and the command fails. This is because

Re: [Freeipa-users] Problem with FreeIPA and Samba 3...

2010-06-18 Thread Rob Crittenden
Stjepan Gros wrote: On Thu, 2010-06-17 at 11:26 -0400, Simo Sorce wrote: Unfortunately in v1.x we didn't have enough infrastructure to make it easier to set additional attributes beyond the default one we set on user/group creation. v2.x should make this possible. In other words, the only

Re: [Freeipa-users] Fedora 13 client login problems

2010-07-06 Thread Rob Crittenden
Stephen Gallagher wrote: On 06/28/2010 12:14 PM, Dan Scott wrote: Hello, I've just installed a new Fedora 13 client and configured it to use FreeIPA. During ipa-client install, I received the following error: nss_ldap is not able to use DNS discovery! However, the /etc/ldap.conf and

Re: [Freeipa-users] Fedora 12 install documentation 2.0.0 admin documentation 2.0.0 and problems.

2010-07-07 Thread Rob Crittenden
Steven Jones wrote: Hi, I have installed free-ipa on fedora 12... Install documentation Some issues3.2 To test your IPA installation, 3. Item should read /usr/sbin/ipa-finduser admin and not /usr/bin/ipa user-find admin The command-line changed between 1.2 and 2.0. If you are using

Re: [Freeipa-users] Fedora 12 install documentation 2.0.0 admin documentation 2.0.0 and problems.

2010-07-07 Thread Rob Crittenden
Steven Jones wrote: 8 I tried https://localhost:443 and I get a Kerberos Authentication failed.there is no workable documentation / indication on how to fix this

Re: [Freeipa-users] Rebuild FreeIPA V2

2010-07-26 Thread Rob Crittenden
Shan Kumaraswamy wrote: All, Can I rebuild FreeIPA v2 (released alpha version 3) against RHEL 5.5? If possible, please let me know the source rpm location and steps. And let me know when we can avail final version FreeIPA v2 We recently released IPA v2 alpha 4. You can get the srpms at

Re: [Freeipa-users] FreeIPA V2 build error

2010-08-11 Thread Rob Crittenden
Shan Kumaraswamy wrote: Hi Rob, I am trying to rebuild the free IPA V2 against RHEL 6.0 beta and I installed all the build requirements as per the ipa.spec file. When I start the build it ends with bad error: ipa_repl_version.o ipa_repl_version.c:39:33: error: repl-session-plugin.h: No such file

Re: [Freeipa-users] FreeIPA V2 build error

2010-08-11 Thread Rob Crittenden
Shan Kumaraswamy wrote: Rob, I have installed 389-ds and again I started FreeIPA build, but again some error: Provides: config(ipa-python) = 1.9.0.pre4-0.el6 Requires(rpmlib): rpmlib(CompressedFileNames) = 3.0.4-1 rpmlib(FileDigests) = 4.6.0-1 rpmlib(PartialHardlinkSets) = 4.0.4-1

Re: [Freeipa-users] Upgraded replication slave server - dirsrv process dying

2010-08-11 Thread Rob Crittenden
Dan Scott wrote: Hi, I have a FreeIPA slave server which used to be running Fedora 11 and has recently been upgraded to Fedora 13. It is replicating from a server which is still running Fedora 11. Twice over the last week, the process providing LDAP (dirsrv?) has died. I receive these errors

[Freeipa-users] [PATCH] 510 enable compat plugin by default

2010-08-11 Thread Rob Crittenden
This enables the compat plugin by default and moves the netgroup configuration to the standard schema compat configuration so it is enabled by default. Also add a status option to ipa-compat-manage so you can figure out what the current state is. rob freeipa-510-compat.patch Description:

[Freeipa-users] [PATCH] 512 track server certs with certmonger

2010-08-13 Thread Rob Crittenden
Have certmonger track the initial Apache and 389-ds server certs. We don't use certmonger to get certificates during installation because of the chicken-and-egg problem. This means that the IPA web and ldap certs aren't being tracked for renewal. This requires some manual changes to the

Re: [Freeipa-users] FreeIPA V2 build error

2010-08-16 Thread Rob Crittenden
, Rob Crittenden rcrit...@redhat.com mailto:rcrit...@redhat.com wrote: Shan Kumaraswamy wrote: Rob, I have installed 389-ds and again I started FreeIPA build, but again some error: Provides: config(ipa-python) = 1.9.0.pre4-0.el6

Re: [Freeipa-users] FreeIPA V2 build error

2010-08-16 Thread Rob Crittenden
### [100%] Please advise to fix this. You need pki-selinux installed. rob On Mon, Aug 16, 2010 at 4:18 PM, Rob Crittenden rcrit...@redhat.com mailto:rcrit...@redhat.com wrote: Shan Kumaraswamy wrote: Rob, While installing the ipa rpm's after build, I am getting

[Freeipa-users] FreeIPA v2.0 alpha4 replica installation problems

2010-08-16 Thread Rob Crittenden
I fat-fingered this moderated message and it went into the bit bucket, here it is revived. Subject: FreeIPA v2.0 alpha4 replica installation problems From: Hemminger, Corey Lee. [heco0...@stcloudstate.edu] heco0...@stcloudstate.edu Date: Mon, 16 Aug 2010 10:32:14 -0500 To:

Re: [Freeipa-users] FreeIPA v2.0 alpha4 replica installation problems

2010-08-16 Thread Rob Crittenden
Hemminger, Corey Lee. [heco0...@stcloudstate.edu] wrote: Hi, I'm a student admin for St. Cloud State University's Business Computing Research Lab, and we run our own separate network inside the campus network with dedicated internet feeds and hardware for professors research as well as masters

Re: [Freeipa-users] FreeIPA v2.0 alpha4 replica installation problems

2010-08-17 Thread Rob Crittenden
install should proceed. I've opened a ticket to add this functionality to ipa-replica-install: https://fedorahosted.org/freeipa/ticket/146 rob Corey- From: Rob Crittenden [rcrit...@redhat.com] Sent: Monday, August 16, 2010 2:49 PM To: Hemminger, Corey

[Freeipa-users] fine-grained access control feedback

2010-08-24 Thread Rob Crittenden
In v2 we are adding more fine-grained access control per the many requests we had in v1. v1 only provided the ability to grant permission to write a fixed set of user attributes from group A to group B. We're looking for feedback on the types of access control that the IPA users require in

Re: [Freeipa-users] updated FreeIPA documentation?

2010-09-07 Thread Rob Crittenden
Brian LaMere wrote: Let me start by saying I work at a software development co; I get it - so this isn't a harsh at all. However, the latest docs I could find ( http://freeipa.org/docs/2.0.0/Installation_Deployment_Guide/en-US/html/ ) seem a bit outdated already. For example, this section:

Re: [Freeipa-users] updated FreeIPA documentation?

2010-09-08 Thread Rob Crittenden
Brian LaMere wrote: What version of IPA are you looking at? I have both options in mine. Note that if you want to use magic-private groups only set uidstart. We made this configurable for those installations that may have limited UIDs. The latest in the fedora repo; just

Re: [Freeipa-users] freeipa and postgresql

2010-09-15 Thread Rob Crittenden
Fereyre Jerome wrote: Hi all I am trying to connect postgresql to freeipa/kerberos to ensure user authentication... but I did not find a lot of information concerning this type of configuration. currently the messages I encounter are when I'm using the psql command: psql: FATAL: accepting GSS

Re: [Freeipa-users] getting a kerberos ticket for Firefox

2010-09-20 Thread Rob Crittenden
Steven Jones wrote: Hi, I am trying to web browse to the localhost and it is telling me to obtain a valid kerberos ticket and configure Firefox... Where do I export / find this ticket? and how do I install it as a user so I can connect? To configure Firefox see these instructions:

Re: [Freeipa-users] probems installin freeipa v2

2010-09-21 Thread Rob Crittenden
Steven Jones wrote: Hi, Since there seems to be no explanation why I can't update via ldapmodify, It wasn't entirely clear what version of IPA you were using. You filed a doc bug against v1 and asked other basic questions, I assumed you had the version wrong. I figured this would come back

Re: [Freeipa-users] probems installin freeipa v2

2010-09-21 Thread Rob Crittenden
Steven Jones wrote: This time I copied the output from the ldapsearch command dn: cn=ipa_pwd_extop,cn=plugins,cn=config and it worked... Cosmic rays maybe, those strings look identical to me. Glad it's working now in any case. ? So, section 4.4 ipa-replica-manage add --winsync --binddn

Re: [Freeipa-users] probems installin freeipa v2

2010-09-21 Thread Rob Crittenden
Technical Specialist Linux/Vmware Tele 64 4 463 6272 Victoria University Kelburn New Zealand -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: Wednesday, 22 September 2010 1:57 p.m. To: Steven Jones Cc: Freeipa-users@redhat.com Subject: Re: [Freeipa-users] probems

Re: [Freeipa-users] ldap.so problem after --setup-dns

2010-09-22 Thread Rob Crittenden
Brian LaMere wrote: I have the following error in the log after named refuses to start: named[1736]: failed to dynamically load driver 'ldap.so': libldap-2.4.so.2: cannot open shared object file: No such file or directory At first I thought it was simply a bah, they require the i686 library

Re: [Freeipa-users] Fedora 11 master replication problems

2010-09-22 Thread Rob Crittenden
Dan Scott wrote: Hi, Sorry, I just checked the manpage myself and I see that there's an init option to ipa-replica-manage. On Wed, Sep 22, 2010 at 12:08, Rich Megginson rmegg...@redhat.com wrote: Initialization is the initial copy of data from the master - The slave server (curie) has been

Re: [Freeipa-users] changing primary GID for a user?

2010-09-22 Thread Rob Crittenden
Brian LaMere wrote: The primary GID for a user isn't in the web interface for the user to be able to change it. /usr/sbin/ipa-moduser (what the document references) doesn't exist, nor does ipa user-mod have an option for changing the GID. How is this done? I'll assume you're using IPA v2.

Re: [Freeipa-users] changing search base during migration?

2010-09-22 Thread Rob Crittenden
Brian LaMere wrote: I know about --user-container and --group-container, but that's not sufficient; the domain is different, so I want to completely change the search base for migration. Is this possible? Thanks! Brian It looks like it tries to auto-detect the remote search base using the

Re: [Freeipa-users] changing search base during migration?

2010-09-22 Thread Rob Crittenden
going to do the right thing? rob Thanks :) Brian On Wed, Sep 22, 2010 at 12:44 PM, Rob Crittenden rcrit...@redhat.com wrote: Brian LaMere wrote: I know about --user-container and --group-container, but that's not sufficient; the domain

Re: [Freeipa-users] changing search base during migration?

2010-09-22 Thread Rob Crittenden
Brian LaMere wrote: On Wed, Sep 22, 2010 at 1:14 PM, Rob Crittenden rcrit...@redhat.com wrote: And this request came from newserver? I don't see where we would query namingContexts with this search base. Seems strange that something knew about the new

Re: [Freeipa-users] changing search base during migration?

2010-09-22 Thread Rob Crittenden
Brian LaMere wrote: It looks like we have a bug when setting an empty base_dn. We try to set it blank but it ends up getting set to the IPA base. so if I just change base_dn from '' to 'dc=briandomain,dc=com' then my selfish desire to complete the migration might complete? ; )
