Re: [Freeipa-users] some documentation issues

2015-05-11 Thread Petr Spacek
On 11.5.2015 14:51, Arthur Fayzullin wrote:
 Have a nice day!
 
 I think that I have found some things that are mispresent and unpresent in 
 documentation.
 I have tried to configure debian jessie as a freeipa client. This has been 
 done in 2 ways:
 
 * reference installation:
 I have installed freeipa-client package from sid and configured host by 
 running ipa-client-install command.
 
 * manual installation:
 I have installed packages that've been installed as dependencies during 
 reference installation. And I have done steps described here:
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/linux-manual.html
 Everything seems to work fine (and even sudo rules) except 1 thing: I could not 
 get host certificate by certmonger.
 comparing to reference installation I have found that ipa-client-install also 
 makes 1 more config file:
 /etc/ipa/default.conf
 but this step is not described in documentation. so this is unpresent.
 Another thing that I think is present with mistake:
 according to documentation I should give this command to get host-certificate:
 
 # ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K 
 HOST/ipaclient.example.com -N 'CN=ipaclient.example.com,O=EXAMPLE.COM'
 
 and we can see that 'HOST' is capitalised, but it should be in small letters.
 
 Thanks for reading!

Thank you for bug reports!

Could you please send patches which fix these problems? (Preferably separate
patch for each problem.)

Necessary links are here:
http://www.freeipa.org/page/Contribute/Documentation

If you do not want to fix it yourself please open a bug to make sure that
documentation team will not forget to fix it:

https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%207&component=doc-Linux_Domain_Identity_Management_Guide

Thank you and have a nice day!

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] some documentation issues

2015-05-11 Thread Dmitri Pal

On 05/11/2015 09:53 AM, Petr Spacek wrote:

On 11.5.2015 14:51, Arthur Fayzullin wrote:

Have a nice day!

I think that I have found some things that are mispresent and unpresent in 
documentation.
I have tried to configure debian jessie as a freeipa client. This has been done 
in 2 ways:

* reference installation:
I have installed freeipa-client package from sid and configured host by running 
ipa-client-install command.

* manual installation:
I have installed packages that've been installed as dependencies during 
reference installation. And I have done steps described here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/linux-manual.html
Everything seems to work fine (and even sudo rules) except 1 thing: I could not 
get host certificate by certmonger.
comparing to reference installation I have found that ipa-client-install also 
makes 1 more config file:
/etc/ipa/default.conf
but this step is not described in documentation. so this is unpresent.
Another thing that I think is present with mistake:
according to documentation I should give this command to get host-certificate:

# ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K 
HOST/ipaclient.example.com -N 'CN=ipaclient.example.com,O=EXAMPLE.COM'

and we can see that 'HOST' is capitalised, but it should be in small letters.

Thanks for reading!

Thank you for bug reports!

Could you please send patches which fix these problems? (Preferably separate
patch for each problem.)

Necessary links are here:
http://www.freeipa.org/page/Contribute/Documentation

If you do not want to fix it yourself please open a bug to make sure that
documentation team will not forget to fix it:

https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%207&component=doc-Linux_Domain_Identity_Management_Guide

Thank you and have a nice day!

AFAIR some time ago we stopped fetching host cert by default. There was 
no use of it so we decided not to issue a cert that has no practical use.


--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] some documentation issues

2015-05-11 Thread Arthur Fayzullin
On Mon, 11/05/2015 at 11:35 -0400, Dmitri Pal wrote:
 AFAIR some time ago we stopped fetching host cert by default. There was 
 no use of it so we decided not to issue a cert that has no practical use.
 
 -- 
 Thank you,
 Dmitri Pal
 
 Director of Engineering for IdM portfolio
 Red Hat, Inc.
 

Yes, I have noticed it from reference debian installation and from EL7fedora 
installation. But this step is present in documentation, and it contains 
a mistake.

Also, I have one question about
/etc/ipa/default.conf
file.

it looks something like this:
[global]
basedn = dc=domain_part,dc=domain_part
realm = REALM
domain = domain
server = dc1.domain
xmlrpc_uri = https://dc1.domain/ipa/xml
enable_ra = True

is there any way to configure it for HA? in case I will get one freeipa server 
replica down.



Re: [Freeipa-users] some documentation issues

2015-05-11 Thread Alexander Bokovoy

On Tue, 12 May 2015, Arthur Fayzullin wrote:

On Mon, 11/05/2015 at 11:35 -0400, Dmitri Pal wrote:

AFAIR some time ago we stopped fetching host cert by default. There was
no use of it so we decided not to issue a cert that has no practical use.

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.



Yes, I have noticed it from reference debian installation and from
EL7fedora installation. But this step is present in documentation, and
it contains a mistake.

Please file a documentation bug.


Also, I have one question about
/etc/ipa/default.conf
file.

it looks something like this:
[global]
basedn = dc=domain_part,dc=domain_part
realm = REALM
domain = domain
server = dc1.domain
xmlrpc_uri = https://dc1.domain/ipa/xml
enable_ra = True

is there any way to configure it for HA? in case I will get one freeipa
server replica down.

IPA command line tools are using SRV records for _ldap._tcp.$DOMAIN to
find out list of servers to talk to. The server specified in
default.conf is used first but if it fails, connection attempts continue
through the list of servers discovered via SRV records.

So, you don't need to change anything.
--
/ Alexander Bokovoy
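
The lookup order described in the reply above, as an added example that is not part of the original thread and is not FreeIPA's own code: it reads a default.conf in the quoted layout and builds the list of servers a client would try, configured server first, then the SRV targets for _ldap._tcp.$DOMAIN. The example.com names and SRV answers are constructed, and ordering equal-priority targets by weight is a simplifying assumption.

```python
import configparser

# Constructed sample in the layout quoted in the thread (placeholder names).
SAMPLE_CONF = """\
[global]
basedn = dc=example,dc=com
realm = EXAMPLE.COM
domain = example.com
server = dc1.example.com
xmlrpc_uri = https://dc1.example.com/ipa/xml
enable_ra = True
"""

# Constructed SRV answers for _ldap._tcp.example.com, one per line:
# priority weight port target
SAMPLE_SRV = """\
0 100 389 dc2.example.com.
0 100 389 dc1.example.com.
10 50 389 dc3.example.com.
"""

def parse_srv(text):
    """Parse 'priority weight port target' lines; skip malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not all(p.isdigit() for p in parts[:3]):
            continue
        prio, weight, port = (int(p) for p in parts[:3])
        records.append((prio, weight, port, parts[3].rstrip(".").lower()))
    return records

def candidate_servers(conf_text, srv_text):
    """Return (SRV name to query, servers in the order they would be tried)."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    glob = cp["global"]
    servers = [glob["server"].lower()]          # default.conf server goes first
    # Lower priority value is preferred; higher weight first (assumption).
    for _, _, _, target in sorted(parse_srv(srv_text), key=lambda r: (r[0], -r[1])):
        if target not in servers:               # do not retry the same host
            servers.append(target)
    return "_ldap._tcp." + glob["domain"], servers

if __name__ == "__main__":
    name, order = candidate_servers(SAMPLE_CONF, SAMPLE_SRV)
    print(name, order)
```

If the list holds only the configured server, the domain publishes no usable SRV targets and there is nothing to fail over to.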
