[Freeipa-users] Compiling and deploying ipa-pwd-extop in a 389DS
Hi all

First, I am not using FreeIPA, just 389 Directory Server; we have a large installation and we cannot (now) migrate the entire service. But I would like to use the free ipa-pwd-extop plugin to auto-generate the Samba equivalent passwords (not Kerberos). Is the plugin ready to be deployed in a non-IPA installation? Is there any documentation about how to compile and configure it (plugin arguments in the cn=ipapwd-extop,cn=plugins,cn=config)? We are using 389DS 1.2.5 in CentOS 5.5 i386.

Regards and thanks in advance.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Compiling and deploying ipa-pwd-extop in a 389DS
Juan Asensio Sánchez wrote:
> Hi all
>
> First, I am not using FreeIPA, just 389 Directory Server; we have a large installation and we cannot (now) migrate the entire service. But I would like to use the free ipa-pwd-extop plugin to auto-generate the Samba equivalent passwords (not Kerberos). Is the plugin ready to be deployed in a non-IPA installation? Is there any documentation about how to compile and configure it (plugin arguments in the cn=ipapwd-extop,cn=plugins,cn=config)? We are using 389DS 1.2.5 in CentOS 5.5 i386.
>
> Regards and thanks in advance.

AFAIK we've never tried building the plugin outside our source tree. The Kerberos code is fairly well embedded. Extracting that would be a bit of a challenge, though it may also mean you could exclude the files from the top-level util subdir.

The configuration for the plugin can be found with the source in pwd-extop-conf.ldif.

I think it would take a lot of effort to get this working outside of IPA and Kerberos.

rob
[Freeipa-users] HBAC Test - web vs command line - returns different results
Hello,

I seem to be having a problem with the HBAC test:

Versions:
[root@ipaserver ipatest]# rpm -qa|grep ^ipa
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64

On the web console:
Browse to HBAC TEST
Who: mike
Accessing: pix.beta.local
Via service: tac_plus
From: ipaclient.beta.local (correct me if I am wrong, but I don't believe this has any effect)
Rules: tacacs
Run Test - Access Granted with matched rules showing tacacs

On the command line:
ipa hbactest
User name: mike
Target Host: pix.beta.local
Service: tac_plus
- Access granted: False
- Not matched rules: tacacs

tacacs rule:
General: Enabled
Who: user group: ciscoadmin - mike is a member
accessing: cisco-devices - pix.beta.local is a member
Via Service: tac_plus
From: any host

NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is still present)

Any ideas?

Thanks,
Mike