Peter, Did you get this to work, I know this is an old thread, but where did you put those java parameters? I am trying to get GADS to work for my IPA server and think this is my problem.
Thanks, _____________________________________________________ John Moyer On May 7, 2013, at 4:37 AM, Peter Brown <rendhal...@gmail.com> wrote: > On 7 May 2013 16:50, Martin Kosek <mko...@redhat.com> wrote: > On 05/07/2013 04:51 AM, Peter Brown wrote: > > On 6 May 2013 17:07, Martin Kosek <mko...@redhat.com > > <mailto:mko...@redhat.com>> wrote: > > > > I am glad you made it working. Just for the record, CRL and OCSP > > revocation > > URIs in FreeIPA v3.1 were flawed, there are relevant fixes in FreeIPA > > 3.2 that > > will make it working again. > > > > > > Thanks for the heads up Martin. > > I will likely upgrade to 3.2 once Fedora 19 is released. > > > > I am going to assume my 3.1 clients will be compatible? > > Yes, this is a correct assumption. BTW we are just in a process of testing and > releasing FreeIPA 3.1.4 bugfixing release for Fedora 18 which will also > contain > the CRL/OCSP URI fixes (will happen this week). Any help with testing 3.1.4 > when it is released is appreciated. > > Awesome. > I shall install them and let you know how I go. > > > > Martin > > > > > > > > > More information can be found out in FreeIPA.org wiki: > > http://www.freeipa.org/page/V3/Single_OCSP_and_CRL_in_certs > > > > Relevant upstream ticket: > > https://fedorahosted.org/freeipa/ticket/3552 > > > > Martin > > > > On 04/29/2013 06:59 AM, Peter Brown wrote: > > > I finally got this to work. > > > > > > I managed to get an error message that told me it couldn't check the > > revocation > > > of the certificates against a crl. > > > I tried to find out how to tell java where to find that crl but I > > these > > > discovered these options instead to tell java to not check a crl. > > > -Dcom.sun.net.ssl.checkRevocation=false > > > -Dcom.sun.security.enableCRLDP=false > > > > > > > > > On 26 April 2013 18:30, Petr Viktorin <pvikt...@redhat.com > > <mailto:pvikt...@redhat.com> > > > <mailto:pvikt...@redhat.com <mailto:pvikt...@redhat.com>>> wrote: > > > > > > Hello, > > > > > > > > > On 04/26/2013 07:22 AM, Peter Brown wrote: > > > > > > Hi everyone. > > > > > > I am attempting to get Google Apps to sync with FreeIPA and I > > am > > having > > > problems getting the sync utility to talk to freeipa. > > > It complains about the ssl cert. > > > I have it setup so it only accepts ssl or tls encrypted > > connections and > > > I don't want to turn that off. > > > I have imported the ca cert using the jre's keytool but it > > still > > refuses > > > to connect. > > > I am getting the impression I need to import the ssl cert for > > the > > ldap > > > server into it as well. > > > > > > > > > The CA cert (/etc/ipa/ca.crt) should be enough, it signs all the > > other > > > certs. Make sure you import it with the right trust level (SSL > > certificate > > > signing). Unfortunately I don't know about jre's keytool so I > > can't > > be more > > > specific. > > > > > > > > > > > > I have no idea which certificate that is and I have no idea > > how to > > > export it. > > > > > > > > > Do not do this. You should only explicitly trust the CA cert. > > > For example, if you trust the certs explicitly you'd have to > > re-import them > > > one by one when they are renewed. > > > > > > > > > Can someone please tell me how to do this? > > > > > > > > > If you really want to: > > > There are two certs, one for httpd (Web UI, XMLRPC & JSON APIs), > > and one > > > for the LDAP server. > > > To export the httpd server certificate (to PEM): > > > $ certutil -L -d /etc/httpd/alias -n Server-Cert -a > > > To export the directory server certificate (to PEM): > > > $ certutil -L -d /etc/dirsrv/slapd-$INSTANCE___NAME/ -n > > Server-Cert -a > > > But again, you don't need this for what you're trying to do. > > > > > > -- > > > Petrł > > > > > > > > > > > > > > > _______________________________________________ > > > Freeipa-users mailing list > > > Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com> > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users