[Freeipa-users] register ipa directory server with register-ds-admin.pl

2011-04-07 Thread Stephen Ingram
I'm trying to register the ipa directory server with register-ds-admin.pl so that I may use the ds-console to view the directory. As I see that the ipa portion of the directory is meant to be managed by ipa, I don't intend on touching that part of the tree. However, it would be really nice to be

[Freeipa-users] Fwd: packages for Fedora 14

2011-04-08 Thread Stephen Ingram
-- Forwarded message -- From: Stephen Ingram sbing...@gmail.com Date: Fri, Apr 8, 2011 at 2:02 PM Subject: Re: [Freeipa-users] packages for Fedora 14 To: d...@redhat.com I installed the rc2 version and used the f14-testing repo to accommodate. Would this work for v2 or has dogtag

[Freeipa-users] allowing anonymous access to ipa directory

2011-04-13 Thread Stephen Ingram
This question might be better posed on a general directory server list, however, as ipa obviously contains very sensitive data, I'm curious as to what ipa users think. Although ipa uses extensive acl's to shield the most important directory attributes from general view, it does allow anonymous

[Freeipa-users] extending FreeIPA

2011-05-04 Thread Stephen Ingram
I currently maintain a directory with MTA configuration data in it (among other items). I'm wondering what is the best way to add to the FreeIPA schema without stepping on current and future schema additions that might conflict with what I add. I know at one time you were expecting to add

Re: [Freeipa-users] Connecting ubuntu, Centos 5.x and netbsd to IPA server

2011-05-31 Thread Stephen Ingram
out... regards From: Stephen Ingram [sbing...@gmail.com] Sent: Wednesday, 1 June 2011 8:01 a.m. To: Steven Jones Subject: Re: [Freeipa-users] Connecting ubuntu, Centos 5.x and netbsd to IPA server I could be wrong on this, but wasn't

[Freeipa-users] disable account behavior

2011-06-08 Thread Stephen Ingram
I've disabled an account in FreeIPA using the UI and I don't see any changes in the directory. Are there supposed to be changes there or is this something that is accomplished in Kerberos? I was hoping to be able to search the directory for disabled accounts. Steve

Re: [Freeipa-users] extending FreeIPA

2011-08-06 Thread Stephen Ingram
On Sat, Aug 6, 2011 at 12:18 PM, Stephen Ingram sbing...@gmail.com wrote: On Fri, May 6, 2011 at 1:11 PM, Adam Young ayo...@redhat.com wrote: On 05/06/2011 08:49 AM, Simo Sorce wrote: On Wed, 2011-05-04 at 17:41 -0700, Stephen Ingram wrote: I currently maintain a directory with MTA

Re: [Freeipa-users] extending FreeIPA

2011-08-08 Thread Stephen Ingram
Ingram wrote: On Sat, Aug 6, 2011 at 12:18 PM, Stephen Ingram sbing...@gmail.com wrote: On Fri, May 6, 2011 at 1:11 PM, Adam Young ayo...@redhat.com wrote: On 05/06/2011 08:49 AM, Simo Sorce wrote: On Wed, 2011-05-04 at 17:41 -0700, Stephen Ingram wrote: I currently maintain a directory

[Freeipa-users] backup and upgrade/transition to new versions

2011-09-12 Thread Stephen Ingram
I've seen mentioned on this list before that it is better to just image the entire system as a backup rather than actually try to figure out where the specific files are that relate to the various components of IPA. What I'm wondering is what if you want to upgrade the distribution say from Fedora

[Freeipa-users] user login exposes all users in UI

2011-09-28 Thread Stephen Ingram
When logging into the FreeIPA UI as a user, most everything is removed with the exception of the Identity tab and the Users list. Although I'm guessing that LDAP needs to expose the users list to all users just as anyone can view the passwd file on any one system, is there a technical need to

[Freeipa-users] ipa user/group-mod --setattr can't remove objectclass

2011-10-03 Thread Stephen Ingram
I've successfully used ipa user-mod --setattr to remove custom attributes that I've added by simply setting the attribute equal to nothing. However, it does not work in the case of objectclasses since there are several and the command does not support multiple arguments. I've seen references to

Re: [Freeipa-users] ipa user/group-mod --setattr can't remove objectclass

2011-10-03 Thread Stephen Ingram
that multiple arguments were not supported. Steve On Mon, Oct 3, 2011 at 11:48 AM, Rob Crittenden rcrit...@redhat.com wrote: Stephen Ingram wrote: I've successfully used ipa user-mod --setattr to remove custom attributes that I've added by simply setting the attribute equal to nothing. However

Re: [Freeipa-users] ipa user/group-mod --setattr can't remove objectclass

2011-10-03 Thread Stephen Ingram
to say quickly remove an objectclass or one of a list of email addresses. Steve On Mon, Oct 3, 2011 at 12:05 PM, Rob Crittenden rcrit...@redhat.com wrote: Stephen Ingram wrote: Rob- I tried that, but I couldn't figure out the correct format: ipa user-mod --setattr=objectclass=oc1, oc2, oc3

Re: [Freeipa-users] LDAP search for email address of user in a particular group

2011-11-04 Thread Stephen Ingram
On Fri, Nov 4, 2011 at 2:12 PM, Dan Scott danieljamessc...@gmail.com wrote: ldapsearch -b cn=users,cn=accounts,dc=example,dc=com ((mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com -x In version 2, it looks like the memberOf attributes have been removed from the user

Re: [Freeipa-users] LDAP search for email address of user in a particular group

2011-11-04 Thread Stephen Ingram
On Fri, Nov 4, 2011 at 3:05 PM, Dan Scott danieljamessc...@gmail.com wrote: Thanks for spotting that, it was an error from when I was removing my domain information. However, the problem remains that the memberOf attributes don't exist in FreeIPA V2, so I need to figure out another way to do

[Freeipa-users] another 2.x release

2011-11-18 Thread Stephen Ingram
I notice there is a 2.1.4 shown in Trac. There have been several updates since 2.1.3. Will there be another 2.x release before the 3.0 pre-releases? Steve ___ Freeipa-users mailing list Freeipa-users@redhat.com

Re: [Freeipa-users] manual client join

2011-11-30 Thread Stephen Ingram
Rob- On Wed, Nov 30, 2011 at 12:04 PM, Rob Crittenden rcrit...@redhat.com wrote: Retrieve the CA certificate for the FreeIPA CA. # wget -O /etc/ipa/ca.crt http://ipa.example.com/ipa/config/ca.crt Create a separate Kerberos configuration to test the provided credentials. This enables a

[Freeipa-users] Fwd: manual client join

2011-12-05 Thread Stephen Ingram
On Wed, Nov 30, 2011 at 12:59 PM, Rob Crittenden rcrit...@redhat.com wrote: The only part assuming that is ipa-join itself. IPA does not support the direct use of kadmin or kadmin.local. On a supported platform you'd run: # ipa-getkeytab -s ipa.example.com -k /tmp/remote.keytab -p

[Freeipa-users] PEM and DER certificate formats

2012-01-06 Thread Stephen Ingram
I noticed a message on here some time ago about changing IPA to output certificates in PEM format instead of DER. I see that in version 2.1.4, the UI does indeed output in PEM format. It appears as though the CLI still outputs in DER. Is this the case? I agree that PEM is certainly more typical,

Re: [Freeipa-users] PEM and DER certificate formats

2012-01-06 Thread Stephen Ingram
this on the list, I was more curious than anything as to whether IPA would output directly in DER. I was also coming more from the point of training people to perform this function. Steve On Fri, Jan 6, 2012 at 1:58 PM, John Dennis jden...@redhat.com wrote: On 01/06/2012 04:45 PM, Stephen Ingram

Re: [Freeipa-users] Using FreeIPA with AWS EC2

2012-01-12 Thread Stephen Ingram
On Thu, Jan 12, 2012 at 8:28 AM, Jeff White jwh...@corp.acesse.com wrote: I'd like to use FreeIPA with Amazon's EC2 virtual machines.  I'm seeing a number of barriers, mostly around DNS.  An elastic IP address looks like it would solve the issues, but I'm not sure that will.  And I'm wondering

Re: [Freeipa-users] IPA Error on Server with Public IP?? cannot use IP network address

2012-02-07 Thread Stephen Ingram
On Tue, Feb 7, 2012 at 8:39 PM, Craig T free...@noboost.org wrote: Hi, Is IPA somehow restricted from running on machines with a public IP address? I'm attempting to install IPA for practise on my Linux VPS (Centos 6.2 x86_64); ...snip... Error:

[Freeipa-users] 2.1.90 rc1 testing on F17 alpha

2012-03-10 Thread Stephen Ingram
I'm testing the new FreeIPA 2.1.90 rc1 on a fresh Fedora 17 alpha this weekend. I started by installing the freeipa-server package and the dns packages hoping they would pull in all of the dependencies. 1. I received the error message: 2012-03-11T01:52:51Z DEBUG stderr=Can't locate File/Slurp.pm

Re: [Freeipa-users] 2.1.90 rc1 testing on F17 alpha

2012-03-10 Thread Stephen Ingram
On Sat, Mar 10, 2012 at 10:49 PM, Alexander Bokovoy aboko...@redhat.com wrote: On Sat, 10 Mar 2012, Stephen Ingram wrote: I'm testing the new FreeIPA 2.1.90 rc1 on a fresh Fedora 17 alpha this weekend. I started by installing the freeipa-server package and the dns packages hoping they would

Re: [Freeipa-users] 2.1.90 rc1 testing on F17 alpha

2012-03-11 Thread Stephen Ingram
On Sun, Mar 11, 2012 at 12:20 AM, Alexander Bokovoy aboko...@redhat.com wrote: On Sat, 10 Mar 2012, Stephen Ingram wrote: ...snip... You are using RC1, we have released beta1 last week, it should include the fix: https://www.redhat.com/archives/freeipa-devel/2012-March/msg00087.html Could

Re: [Freeipa-users] 2.1.90 rc1 testing on F17 alpha

2012-03-11 Thread Stephen Ingram
Now I've made it to the WebUI. Login works great (also via the new form auth). Click on IPA Server tab and then Configuration yields: IPA Error 4208 - get-effective-rights: missing subject: Invalid syntax This also happens at several other points in the UI. For example, click one DNS zone and

Re: [Freeipa-users] 2.1.90 rc1 testing on F17 alpha

2012-03-12 Thread Stephen Ingram
On Mon, Mar 12, 2012 at 7:19 AM, Rich Megginson rmegg...@redhat.com wrote: On 03/12/2012 01:34 AM, Martin Kosek wrote: On Sun, 2012-03-11 at 17:55 -0400, Dmitri Pal wrote: On 03/11/2012 04:22 PM, Stephen Ingram wrote: Now I've made it to the WebUI. Login works great (also via the new form

Re: [Freeipa-users] 2.1.90 rc1 testing on F17 alpha

2012-03-12 Thread Stephen Ingram
On Mon, Mar 12, 2012 at 1:09 PM, Rob Crittenden rcrit...@redhat.com wrote: ...snip... Could also be python-ldap, we ran into a schema handling problem already. It may be possible to duplicate this from the command line using the --rights option. This executes the same GER control. I'll have

Re: [Freeipa-users] Fwd: manual client join

2012-03-13 Thread Stephen Ingram
On Mon, Dec 19, 2011 at 5:36 AM, John Dennis jden...@redhat.com wrote: Sorry, but currently on the command line the only way to specify a certificate is via its serial number. The serial number is the only identifier guaranteed to be unique. However, I agree it's not convenient. Would you

Re: [Freeipa-users] (no subject)

2012-03-14 Thread Stephen Ingram
On Wed, Mar 14, 2012 at 12:22 PM, Jimmy g17ji...@gmail.com wrote: I set the date back and ran the command and this is what I see in the httpd log. The ca directory does not exist, I verified it as missing. Any idea why this is? Did I miss something in the install of IPA? [Sun Jan 01 00:20:46

Re: [Freeipa-users] (no subject)

2012-03-14 Thread Stephen Ingram
On Wed, Mar 14, 2012 at 12:41 PM, Jimmy g17ji...@gmail.com wrote: Good call Stephen. the /etc/httpd/conf.d/ipa-pki-proxy.conf is missing. I'm not sure how that is missing. Was there a separate step for the IPA install that took care of the CA? It's been 6 months since I installed so I don't

[Freeipa-users] compat plug-in and replication

2012-03-16 Thread Stephen Ingram
I've seen mention about the compat plug-in causing issues with replication. In my 2.1.4 installation I notice that the plug-in is turned on by default. Is compat only required for those supporting NIS or does it serve another purpose? As I don't use NIS, I'm just wondering if it's safe to turn

Re: [Freeipa-users] compat plug-in and replication

2012-03-16 Thread Stephen Ingram
On Fri, Mar 16, 2012 at 12:12 PM, Rob Crittenden rcrit...@redhat.com wrote: Stephen Ingram wrote: I've seen mention about the compat plug-in causing issues with replication. In my 2.1.4 installation I notice that the plug-in is turned on by default. Is compat only required for those

Re: [Freeipa-users] compat plug-in and replication

2012-03-16 Thread Stephen Ingram
On Fri, Mar 16, 2012 at 1:11 PM, JR Aquino jr.aqu...@citrix.com wrote: On Mar 16, 2012, at 1:06 PM, Stephen Ingram wrote: On Fri, Mar 16, 2012 at 12:33 PM, JR Aquino jr.aqu...@citrix.com wrote: On Mar 16, 2012, at 11:54 AM, Stephen Ingram wrote: I've seen mention about the compat plug

Re: [Freeipa-users] Firefox on OS X 10.6 problem

2012-03-19 Thread Stephen Ingram
On Mon, Mar 19, 2012 at 9:31 AM, Maciej Sawicki maciej.sawi...@polidea.pl wrote: Hi, Today I setup free ipa on CentOS release 6.2. I configured my client machine, that is: 1. I edited my /Library/Preferences/edu.mit.Kerberos file so it has following content: [domain_realm]    polidea.pl =

[Freeipa-users] --subject option for ipa-server-install

2012-04-09 Thread Stephen Ingram
In an attempt to make the CA certificate from IPA a little more noticeable for the users in our realm I've successfully used the --subject option during the ipa-server-install process. It seems however, that you cannot change the CN from the default Certificate Authority. I've added O=, OU= and

Re: [Freeipa-users] --subject option for ipa-server-install

2012-04-09 Thread Stephen Ingram
On Mon, Apr 9, 2012 at 11:35 AM, Dmitri Pal d...@redhat.com wrote: On 04/09/2012 02:25 PM, Stephen Ingram wrote: In an attempt to make the CA certificate from IPA a little more noticeable for the users in our realm I've successfully used the --subject option during the ipa-server-install

Re: [Freeipa-users] --subject option for ipa-server-install

2012-04-10 Thread Stephen Ingram
On Mon, Apr 9, 2012 at 12:00 PM, Stephen Ingram sbing...@gmail.com wrote: On Mon, Apr 9, 2012 at 11:35 AM, Dmitri Pal d...@redhat.com wrote: On 04/09/2012 02:25 PM, Stephen Ingram wrote: In an attempt to make the CA certificate from IPA a little more noticeable for the users in our realm I've

Re: [Freeipa-users] client without certmonger/dbus

2012-04-17 Thread Stephen Ingram
On Mon, Apr 16, 2012 at 11:09 PM, Christoph Kaminski christoph.kamin...@biotronik.com wrote: hi It is possible to use the ipa-client without certmonger/dbus? Have an openvz environment where I can't start dbus... Christoph- You can install IPA in OpenVZ container. I was able to install after

Re: [Freeipa-users] client without certmonger/dbus

2012-04-17 Thread Stephen Ingram
On Tue, Apr 17, 2012 at 10:28 PM, Christoph Kaminski christoph.kamin...@biotronik.com wrote: done it without success :( [root@xaphon ~]# dbus-daemon --system --nofork Failed to start message bus: Failed to drop capabilities: Operation not permitted What OS and version are you using? I was

Re: [Freeipa-users] client without certmonger/dbus

2012-04-18 Thread Stephen Ingram
On Tue, Apr 17, 2012 at 11:07 PM, Christoph Kaminski christoph.kamin...@biotronik.com wrote: centos 6.2 inside vserver, but I don't know what OS is the host system. (leased at heckrath.com) You can do a cat /proc/version inside your container to see what version of the kernel they are using. I'm

Re: [Freeipa-users] client without certmonger/dbus

2012-04-18 Thread Stephen Ingram
On Wed, Apr 18, 2012 at 12:06 AM, Christoph Kaminski christoph.kamin...@biotronik.com wrote: [root@xaphon ~]# cat /proc/version Linux version 2.6.26-2-openvz-amd64 (Debian 2.6.26-26lenny1) (da...@debian.org) (gcc version 4.1.3 20080704 (prerelease) (Debian 4.1.2-25)) #1 SMP Thu Nov 25

Re: [Freeipa-users] client without certmonger/dbus

2012-04-18 Thread Stephen Ingram
On Wed, Apr 18, 2012 at 9:09 AM, Stephen Ingram sbing...@gmail.com wrote: On Wed, Apr 18, 2012 at 12:06 AM, Christoph Kaminski christoph.kamin...@biotronik.com wrote: [root@xaphon ~]# cat /proc/version Linux version 2.6.26-2-openvz-amd64 (Debian 2.6.26-26lenny1) (da...@debian.org) (gcc

Re: [Freeipa-users] Manually installed IPA clients failes to run 'ipa user-find', 'ipa host-find', etc.

2012-04-26 Thread Stephen Ingram
On Thu, Apr 26, 2012 at 3:51 PM, hshhs caca cao2...@yahoo.com wrote: Hi folks,  I'm pretty new to freeIPA. And here is a freeIPA installation problem encountered in my work. For company policies reasons we can not use ipa-client-install on Linux clients, instead manual installation method is

[Freeipa-users] host name too long for Web interface

2012-05-08 Thread Stephen Ingram
Perhaps this is already corrected in 2.2.0, but I'm currently using 2.1.3 and when using a long hostname (like amazon ec2 names ec2-50-xx-xxx-xxx.us-1-east.compute.amazonaws.com), once you click on the hostname in the Identity/Hosts tab, you can no longer return to the hosts listing because the

Re: [Freeipa-users] sudo rules in IPA infrastructure

2012-05-18 Thread Stephen Ingram
On Fri, May 18, 2012 at 2:35 PM, Gelen James hahaha_...@yahoo.com wrote: Hi all,  Are the sudo rules applied to IPA clients through nss_ldap, instead of sssd?  I tried that on Redhat 6.2 clients, and some documents said that sudo rules would work when enabled inside /etc/nslcd.conf, but we

[Freeipa-users] kerberos principals for service accounts (cn=etc, cn=sysaccounts)

2012-06-15 Thread Stephen Ingram
Is it possible for accounts in cn=etc,cn=sysaccounts to have kerberos principals or must you use the cn=accounts,cn=users container? I'm thinking this for script-authenticated machine accounts (might be of form user-hostname@REALM or user/hostname@REALM) that need to authenticate to another

Re: [Freeipa-users] ipa-getkeytab and mandatory password change

2012-06-19 Thread Stephen Ingram
On Tue, Jun 19, 2012 at 2:54 AM, Dmitri Pal d...@redhat.com wrote: On 06/18/2012 11:58 AM, Darran Lofthouse wrote: Just experienced some weird behaviour on my Fedora 17 installation, just wanted to check if this was expected. I have the default config that requires a user to change their

Re: [Freeipa-users] kerberos principals for service accounts (cn=etc, cn=sysaccounts)

2012-06-19 Thread Stephen Ingram
On Fri, Jun 15, 2012 at 6:09 AM, Simo Sorce s...@redhat.com wrote: On Fri, 2012-06-15 at 00:10 -0700, Stephen Ingram wrote: Is it possible for accounts in cn=etc,cn=sysaccounts to have kerberos principals or must you use the cn=accounts,cn=users container? I'm thinking this for script

Re: [Freeipa-users] ipa-getkeytab and mandatory password change

2012-06-19 Thread Stephen Ingram
On Tue, Jun 19, 2012 at 9:55 AM, Simo Sorce s...@redhat.com wrote: On Tue, 2012-06-19 at 09:15 -0700, Stephen Ingram wrote: On Tue, Jun 19, 2012 at 2:54 AM, Dmitri Pal d...@redhat.com wrote: On 06/18/2012 11:58 AM, Darran Lofthouse wrote: Just experienced some weird behaviour on my Fedora 17

Re: [Freeipa-users] Add attributes to default user schema

2012-06-21 Thread Stephen Ingram
On Thu, Jun 21, 2012 at 2:06 PM, James James jre...@gmail.com wrote: Hi everybody, Is it possible to have a procedure to add new attributes like mailAlternateAddress in the default user schema ? That particular attribute is included in the schema (objectclass=mailRecipient) so it is easy to

Re: [Freeipa-users] Add attributes to default user schema

2012-06-22 Thread Stephen Ingram
On Fri, Jun 22, 2012 at 6:25 AM, Dmitri Pal d...@redhat.com wrote: On 06/22/2012 01:57 AM, Stephen Ingram wrote: On Thu, Jun 21, 2012 at 3:22 PM, Dmitri Pal d...@redhat.com wrote: On 06/21/2012 05:44 PM, Stephen Ingram wrote: On Thu, Jun 21, 2012 at 2:06 PM, James James jre...@gmail.com wrote

Re: [Freeipa-users] Add attributes to default user schema

2012-06-23 Thread Stephen Ingram
On Fri, Jun 22, 2012 at 1:37 PM, Rob Crittenden rcrit...@redhat.com wrote: Dmitri Pal wrote: On 06/22/2012 12:28 PM, Stephen Ingram wrote: On Fri, Jun 22, 2012 at 6:25 AM, Dmitri Pal d...@redhat.com wrote: On 06/22/2012 01:57 AM, Stephen Ingram wrote: On Thu, Jun 21, 2012 at 3:22 PM

Re: [Freeipa-users] Authentication failure when a reset the password

2012-06-29 Thread Stephen Ingram
On Fri, Jun 29, 2012 at 6:11 PM, Joe Linoff jlin...@tabula.com wrote: Hi Everybody. I ran into a strange problem today: I reset a user password in the GUI to “Test1234” for testing but when I tried to login as that user and enter the password, I got an authentication error. Does anyone know

[Freeipa-users] 2.20 dirsrv memory usage

2012-07-12 Thread Stephen Ingram
I was previously using 2.1.4 and know that there was a substantial memory leak in the directory server. After upgrading to 2.20, I notice that although overall memory usage seems higher, the creep upwards is not as quick. Although memory still tends to trend upward leaving me to worry that dirsrv

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-16 Thread Stephen Ingram
On Mon, Jul 16, 2012 at 11:34 AM, Rich Megginson rmegg...@redhat.com wrote: On 07/16/2012 11:48 AM, Stephen Ingram wrote: On Mon, Jul 16, 2012 at 9:35 AM, Rich Megginson rmegg...@redhat.com wrote: On 07/16/2012 10:19 AM, Stephen Ingram wrote: On Fri, Jul 13, 2012 at 6:14 AM, Rob

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-17 Thread Stephen Ingram
On Mon, Jul 16, 2012 at 12:23 PM, Rob Crittenden rcrit...@redhat.com wrote: Stephen Ingram wrote: On Mon, Jul 16, 2012 at 11:34 AM, Rich Megginson rmegg...@redhat.com wrote: On 07/16/2012 11:48 AM, Stephen Ingram wrote: On Mon, Jul 16, 2012 at 9:35 AM, Rich Megginson rmegg...@redhat.com

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-17 Thread Stephen Ingram
On Tue, Jul 17, 2012 at 2:01 PM, Rob Crittenden rcrit...@redhat.com wrote: Stephen Ingram wrote: On Mon, Jul 16, 2012 at 12:23 PM, Rob Crittenden rcrit...@redhat.com wrote: Stephen Ingram wrote: On Mon, Jul 16, 2012 at 11:34 AM, Rich Megginson rmegg...@redhat.com wrote: On 07/16/2012

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-18 Thread Stephen Ingram
On Tue, Jul 17, 2012 at 3:56 PM, John Dennis jden...@redhat.com wrote: On 07/17/2012 05:43 PM, Stephen Ingram wrote: [ details of performance analysis snipped for brevity ] I wonder if we shouldn't add some timing metrics to our code. As it is it's very hard to know where time is being spent

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-18 Thread Stephen Ingram
On Wed, Jul 18, 2012 at 6:45 AM, Petr Vobornik pvobo...@redhat.com wrote: On 07/17/2012 11:43 PM, Stephen Ingram wrote: 8-- I'm beginning to think this is just the Web UI itself instead of 389 although it is really difficult to tell. I've pored over the debug logs and didn't see

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-18 Thread Stephen Ingram
On Wed, Jul 18, 2012 at 12:28 PM, John Dennis jden...@redhat.com wrote: On 07/18/2012 02:59 PM, Stephen Ingram wrote: On Wed, Jul 18, 2012 at 6:45 AM, Petr Vobornik pvobo...@redhat.com wrote: On 07/17/2012 11:43 PM, Stephen Ingram wrote: 8-- I'm beginning to think this is just

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-18 Thread Stephen Ingram
On Wed, Jul 18, 2012 at 10:59 AM, Dmitri Pal d...@redhat.com wrote: On 07/18/2012 01:53 PM, Stephen Ingram wrote: On Tue, Jul 17, 2012 at 3:56 PM, John Dennis jden...@redhat.com wrote: On 07/17/2012 05:43 PM, Stephen Ingram wrote: [ details of performance analysis snipped for brevity ] I

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-18 Thread Stephen Ingram
On Wed, Jul 18, 2012 at 1:06 PM, Dmitri Pal d...@redhat.com wrote: On 07/18/2012 03:45 PM, Stephen Ingram wrote: On Wed, Jul 18, 2012 at 12:28 PM, John Dennis jden...@redhat.com wrote: On 07/18/2012 02:59 PM, Stephen Ingram wrote: On Wed, Jul 18, 2012 at 6:45 AM, Petr Vobornik pvobo

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-19 Thread Stephen Ingram
On Wed, Jul 18, 2012 at 2:26 PM, Dmitri Pal d...@redhat.com wrote: On 07/18/2012 05:09 PM, Stephen Ingram wrote: On Wed, Jul 18, 2012 at 1:52 PM, Dmitri Pal d...@redhat.com wrote: On 07/18/2012 04:27 PM, Stephen Ingram wrote: On Wed, Jul 18, 2012 at 1:06 PM, Dmitri Pal d...@redhat.com wrote

Re: [Freeipa-users] RHEL 6.3 identity manual - IPA

2012-08-23 Thread Stephen Ingram
On Thu, Aug 23, 2012 at 2:26 PM, Steven Jones steven.jo...@vuw.ac.nz wrote: Some notes on the identity manual which says it's for RHEL6, 13.4.2. Client Configuration for sudo Rules This example specifically configures a Red Hat Enterprise Linux 6 client for sudo rules. 8 2. Enable debug

Re: [Freeipa-users] saslauthd on freeipa machine

2012-10-05 Thread Stephen Ingram
On Fri, Oct 5, 2012 at 10:03 AM, Dmitri Pal d...@redhat.com wrote: On 10/05/2012 12:16 PM, Stephen Ingram wrote: As I typically have saslauthd use kerberos to authenticate users I really haven't had the occasion to try before. Since freeipa machines use SSSD to help manage users on the system

Re: [Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix

2012-10-31 Thread Stephen Ingram
On Tue, Oct 30, 2012 at 6:34 PM, Peter Brown rendhal...@gmail.com wrote: Hi everyone, I have been trying to work out how to achieve this. I have freeipa 3.0.0 setup on a Fedora 18 server and I have postfix and dovecot on my new mail server authenticating against Freeipa. One last thing I

Re: [Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix

2012-10-31 Thread Stephen Ingram
On Wed, Oct 31, 2012 at 6:25 PM, Peter Brown rendhal...@gmail.com wrote: On 1 November 2012 08:20, Stephen Ingram sbing...@gmail.com wrote: On Tue, Oct 30, 2012 at 6:34 PM, Peter Brown rendhal...@gmail.com wrote: Hi everyone, I have been trying to work out how to achieve this. I have

Re: [Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix

2012-10-31 Thread Stephen Ingram
On Wed, Oct 31, 2012 at 10:21 PM, Peter Brown rendhal...@gmail.com wrote: On 1 November 2012 15:07, Stephen Ingram sbing...@gmail.com wrote: On Wed, Oct 31, 2012 at 6:25 PM, Peter Brown rendhal...@gmail.com wrote: On 1 November 2012 08:20, Stephen Ingram sbing...@gmail.com wrote: On Tue

Re: [Freeipa-users] User Roles and access in GUI

2013-04-15 Thread Stephen Ingram
On Mon, Apr 15, 2013 at 3:13 PM, Dmitri Pal d...@redhat.com wrote: On 04/15/2013 11:11 AM, Chandan Kumar wrote: I think controlling Visibility of tabs would be the best option, if possible, based on Roles as mentioned by Rob. As long as other entries are not visible in UI, even though

Re: [Freeipa-users] SSL Private Key?

2013-06-23 Thread Stephen Ingram
On Sun, Jun 23, 2013 at 9:18 PM, free...@noboost.org wrote: ipa-client-3.0.0-26.el6_4.4.x86_64 * When the IPA client is initially installed does anyone know where the SSL private key is kept on an IPA client PC? IPA uses NSS by default for SSL. The private key is stored in the NSS database

Re: [Freeipa-users] Replicate on Servers with diffrent Version (Minor)

2013-07-07 Thread Stephen Ingram
On Sun, Jul 7, 2013 at 2:11 PM, Schmitt, Christian c.schm...@briefdomain.de wrote: Hello is it possible to replicate FreeIPA Server with different Minor versions? Currently we are running a FreeIPA Server on Fedora 19 since CentOS/RHEL only has a FreeIPA 2.X Server and we wanted the features

Re: [Freeipa-users] disable forms-based login

2013-07-22 Thread Stephen Ingram
On Mon, Jul 22, 2013 at 9:29 AM, Simo Sorce s...@redhat.com wrote: On Mon, 2013-07-22 at 09:23 -0700, Stephen Ingram wrote: On Mon, Jul 22, 2013 at 12:18 AM, Martin Kosek mko...@redhat.com wrote: On 07/20/2013 02:51 AM, Stephen Ingram wrote: Is there a way to disable

[Freeipa-users] TTL in individual DNS records

2013-10-18 Thread Stephen Ingram
I'm using IPA 3.0.x on RHEL 6.4 and trying to setup other zones in DNS. I notice that regardless of the TTL set in the SOA for the zone, the individual records default to 86400. I see there has been previous discussion on the list (

Re: [Freeipa-users] TTL in individual DNS records

2013-10-21 Thread Stephen Ingram
On Sun, Oct 20, 2013 at 11:44 PM, Petr Spacek pspa...@redhat.com wrote: On 18.10.2013 21:44, Stephen Ingram wrote: I'm using IPA 3.0.x on RHEL 6.4 and trying to setup other zones in DNS. I notice that regardless of the TTL set in the SOA for the zone, the individual records default to 86400

Re: [Freeipa-users] TTL in individual DNS records

2013-10-21 Thread Stephen Ingram
On Mon, Oct 21, 2013 at 9:37 AM, Petr Spacek pspa...@redhat.com wrote: On 21.10.2013 17:58, Stephen Ingram wrote: On Sun, Oct 20, 2013 at 11:44 PM, Petr Spacek pspa...@redhat.com wrote: On 18.10.2013 21:44, Stephen Ingram wrote: I'm using IPA 3.0.x on RHEL 6.4 and trying to setup other

[Freeipa-users] fine-grained permissions for DNS tasks

2013-12-12 Thread Stephen Ingram
Is it possible to restrict user to say a DNS Administrator role for only one domain in the system? Steve

Re: [Freeipa-users] FreeIPA Security issue : Anonymous user can fetch user details from IPA without authenticating

2014-01-03 Thread Stephen Ingram
On Fri, Jan 3, 2014 at 10:29 AM, Dmitri Pal d...@redhat.com wrote: On 01/03/2014 12:50 PM, Will Sheldon wrote: Thanks Petr, that certainly makes sense from the point of view of functionality. I do think the default is sane, but there are a lot of possible deployment scenarios and my

Re: [Freeipa-users] FreeIPA Security issue : Anonymous user can fetch user details from IPA without authenticating

2014-01-03 Thread Stephen Ingram
On Fri, Jan 3, 2014 at 11:37 AM, Dmitri Pal d...@redhat.com wrote: On 01/03/2014 02:33 PM, Stephen Ingram wrote: On Fri, Jan 3, 2014 at 10:29 AM, Dmitri Pal d...@redhat.com wrote: On 01/03/2014 12:50 PM, Will Sheldon wrote: Thanks Petr, that certainly makes sense from the point of view

[Freeipa-users] trust non-IPA certificate client

2014-12-15 Thread Stephen Ingram
I have one client using a certificate issued by a third party provider such that any secure (TLS) LDAP queries are refused since the certificates were not issued by IPA. Since there are only a few clients with foreign certificates, can the CA simply be added to the NSS database used by the 389

Re: [Freeipa-users] trust non-IPA certificate client

2014-12-16 Thread Stephen Ingram
On Mon, Dec 15, 2014 at 6:40 PM, Stephen Ingram sbing...@gmail.com wrote: I have one client using a certificate issued by a third party provider such that any secure (TLS) LDAP queries are refused since the certificates were not issued by IPA. Since there are only a few clients with foreign

Re: [Freeipa-users] trust non-IPA certificate client

2015-01-06 Thread Stephen Ingram
On Fri, Jan 2, 2015 at 10:02 AM, Rob Crittenden rcrit...@redhat.com wrote: Stephen Ingram wrote: On Mon, Dec 15, 2014 at 6:40 PM, Stephen Ingram sbing...@gmail.com wrote: I have one client using a certificate issued by a third party provider

Re: [Freeipa-users] 3rd party certificate for WebUI only

2015-07-03 Thread Stephen Ingram
cert. On 2 July 2015 at 07:03, Rob Crittenden rcrit...@redhat.com wrote: Stephen Ingram wrote: I setup IPA using the internal CA. I'd like to continue using this CA, however, I'd also like to allow authorized external browser users (who haven't imported our CA) to access the WebUI without

[Freeipa-users] 3rd party certificate for WebUI only

2015-06-29 Thread Stephen Ingram
I setup IPA using the internal CA. I'd like to continue using this CA, however, I'd also like to allow authorized external browser users (who haven't imported our CA) to access the WebUI without receiving a warning. Is it possible to add a 3rd party certificate and CA such that it is only used for

Re: [Freeipa-users] cannot access keys in /var/lib/pki-ca/alias

2016-03-18 Thread Stephen Ingram
On Thu, Mar 17, 2016 at 7:29 AM, Rob Crittenden wrote: --snip-- > Since I now saw three 'Server-Cert' certificates with two accompanying >> keys, I exported the certs and keys, then removed all of the >> 'Server-Cert' entries and then imported back only the key and the most

[Freeipa-users] cannot access keys in /var/lib/pki-ca/alias

2016-03-19 Thread Stephen Ingram
I've run into a problem on a v3 IPA where several certificates did not renew automatically with certmonger. I'm now, of course stuck and trying to renew the certificates manually. I've managed to renew the WebUI cert, and now onto the pki-ca certificate in the /var/lib/pki-ca/alias NSS store. I'm

[Freeipa-users] Kerberos realm for different domain

2016-12-09 Thread Stephen Ingram
Can you have a domain that belongs to a Kerberos realm with a completely different domain? For example, could example.com belong to the ANOTHERDOMAIN.COM realm as long as we control DNS for both and have all the necessary SRV and TXT records to locate it and krb5.conf is configured properly?

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-12 Thread Stephen Ingram
On Sun, Dec 11, 2016 at 11:31 PM, David Kupka wrote: yes you can do it. DNS domain and Kerberos realm are two different things. It's common and AFAIK recommended to capitalize DNS domain to get the realm but it's not required. If you really want to have them