[Freeipa-users] dirsrv access log redirect
Dear all: I got 2 servers as cluster ... how can i redirect all logs server2 's /var/log/dirsrv/slapd-abc.com/access to server 1 's /var/log/dirsrv/ slapd-abc.com/access so i can view once ?what config should consider ? Or should i use syslog to collect server2 and redirect all to server 1 ? thks -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
[Freeipa-users] FreeIP just stopped starting
Here is what I get if I try to start it manually... Any ideas? [root@itservices /]# /usr/sbin/ipactl start Starting Directory Service Starting dirsrv: COLLECTIVEBIAS-COM... [ OK ] PKI-IPA... [ OK ] Starting KDC Service Starting Kerberos 5 KDC: [ OK ] Starting KPASSWD Service Starting Kerberos 5 Admin Server: [ OK ] Starting MEMCACHE Service Starting ipa_memcached:[ OK ] Starting HTTP Service Starting httpd:[ OK ] Starting CA Service Starting pki-ca: [ OK ] Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. Failed to start CA Service Shutting down Stopping Kerberos 5 KDC: [ OK ] Stopping Kerberos 5 Admin Server: [ OK ] Stopping ipa_memcached:[ OK ] Stopping httpd:[ OK ] Stopping pki-ca: [FAILED] Shutting down dirsrv: COLLECTIVEBIAS-COM... [ OK ] PKI-IPA... [ OK ] Aborting ipactl -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Need for some pull-style replication, or an alternate solution
A replica must connect to the master for initial setup; after that, the master pushes to the replica. j On Tuesday, August 19, 2014 09:26:11 Ludwig Krispenz wrote: > What's wrong with your scenario B: master(s) in internal network, they > can contact consumers in DMZ and remote rack and replicate to them. > What do you mean by "to contact for setup" ? > > Ludwig > > On 08/19/2014 03:12 AM, Joshua J. Kugler wrote: > > So, we have a need for replication, but the existing push-only methodology > > doesn't work for us. I suppose our problems could be attributed to over- > > zealous network rules, but it is what it is. :) I'd love to change our > > network policy, but we aren't in charge of network policy, and there is > > no way I'm swaying the person that is. > > > > Topology: > > 1) DMZ environments 1,...,n > > 2) An Internal network > > 3) A remote rack in a data center. > > > > Rules (by "talk" I mean initiate connections to): > > 1) DMZs can talk to each other, somewhat. > > 2) The Internal network can talk to the DMZs > > 3) The DMZ *cannot* connect to the Internal network > > 4) The remote rack of course cannot contact the Internal network, but can > > contact the DMZs. > > > > Scenario A, Master in a DMZ: > > - Slave in the Internal network could contact the DMZ master for replica > > > > setup, but the Master could not contact the slave to push updates > > > > - Slave in the remote rack could contact master in DMZ, but incoming to > > > > remote rack is very restrictive, so it is possible that master couldn't > > push. > > > > Scenario B: Master in the Internal network. > > > > - Slaves in DMZ and remote rack couldn't contact master for setup, > > although > > > > the master could contact the slaves to push updates. > > > > Scenario C: Master in remote rack > > > > - Not acceptable as remote rack is a testing rack, and may go down at > > any > > > > time. > > > > So, the best solution, from my current understanding is being able to > > somehow> > > do pull-updates for replicas, because then we could have this: > > - Master in DMZs > > - Slaves in Internal network can contact Master in DMZ for replica setup > > and> > > updates > > > > - Slaves in remote rack can contact Master in DMZ for replica setup and > > > > updates > > > > Any feedback is appreciated, especially if I'm missing something...obvious > > or minor. > > > > j -- Joshua J. Kugler - Fairbanks, Alaska Azariah Enterprises - Programming and Website Design jos...@azariah.com - Jabber: pedah...@gmail.com PGP Key: http://pgp.mit.edu/ ID 0x73B13B6A -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Improving FreeIPA.org
Hi, I think a small screenshot in the middle or on the side of the main webpage will serve to increase the "coolness" of the website and may possibly even result in many more people trying it out and visiting the demo. Regards, Suhail Choudhury. DevOps | Recommendations Team | BSkyB Regards, Suhail Choudhury. DevOps | Recommendations Team | BSkyB From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Petr Spacek [pspa...@redhat.com] Sent: 19 August 2014 16:13 To: freeipa-users@redhat.com Subject: [Freeipa-users] Improving FreeIPA.org Hello community, Do you have an idea how to improve Freeipa.org web site? Share it! I will start: The main page currently contains three links placed right above "Main features" section header: "Learn more about FreeIPA • What FreeIPA means for me? • Try FreeIPA in a public demo" It seems to me that two links "Learn more about FreeIPA" [http://www.freeipa.org/page/About] and "What FreeIPA means for me?" [http://www.freeipa.org/page/Leaflet] are somehow too much for the main page. I propose to either merge "About" and "Leaflet" or to hide Leaflet from main page. It would be better to replace Leaftlet with Quick Start Guide: "Learn more about FreeIPA • Quick Start Guide • Try FreeIPA in a public demo" -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of British Sky Broadcasting Group plc and Sky International AG and are used under licence. British Sky Broadcasting Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075) and Sky Subscribers Services Limited (Registration No. 2340150) are direct or indirect subsidiaries of British Sky Broadcasting Group plc (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
[Freeipa-users] Improving FreeIPA.org
Hello community, Do you have an idea how to improve Freeipa.org web site? Share it! I will start: The main page currently contains three links placed right above "Main features" section header: "Learn more about FreeIPA • What FreeIPA means for me? • Try FreeIPA in a public demo" It seems to me that two links "Learn more about FreeIPA" [http://www.freeipa.org/page/About] and "What FreeIPA means for me?" [http://www.freeipa.org/page/Leaflet] are somehow too much for the main page. I propose to either merge "About" and "Leaflet" or to hide Leaflet from main page. It would be better to replace Leaftlet with Quick Start Guide: "Learn more about FreeIPA • Quick Start Guide • Try FreeIPA in a public demo" -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Minimal permissions for "joiner" account?
On 08/18/2014 09:35 PM, Michael Lasevich wrote: > I wanted to use the python ipalib directly, but like you mentioned, I found > very little documentation and what I found indicated I was going to just > pass cli arguments to it, it seemed to be not much better than calling the > wrapper directly :-( I disagree. It *is* vastly better that calling "ipa" command tool from a subprocess. If not only because you receive proper Python exceptions and results in Python data types instead of having to parse it from the CLI. AFAIK, the "only" missing piece is the documentation for this API. For now, you need to read the plugins code (takes_options section) or deduce the call option names from CLI option names. ... > As far as Host-Enrollment vs Host-Administrators privileges - it may be > that I am mixing up 2 ways to enroll hosts. My original attempt was to try > to have an "enroller" account that would add client directly from the > client - but I have relented and switched to a more proper method of adding > a host entrue with a generated OTP for the client followed by joining of > that client from the client itself with the OTP password. This works, but > when I try to add host entry with OTP password using account with only > "Host Enrollment" privilege I get: > > ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the > 'userPassword' attribute Ah, so this is the error. What FreeIPA version do you use? This bug was fixed in FreeIPA 4.0: https://fedorahosted.org/freeipa/ticket/4252 Current permissions would still not allow you to add new Hosts with Host Enrollment privilege, one would also need to add "System: Add hosts" permission, IIUC. Martin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Need for some pull-style replication, or an alternate solution
What's wrong with your scenario B: master(s) in internal network, they can contact consumers in DMZ and remote rack and replicate to them. What do you mean by "to contact for setup" ? Ludwig On 08/19/2014 03:12 AM, Joshua J. Kugler wrote: So, we have a need for replication, but the existing push-only methodology doesn't work for us. I suppose our problems could be attributed to over- zealous network rules, but it is what it is. :) I'd love to change our network policy, but we aren't in charge of network policy, and there is no way I'm swaying the person that is. Topology: 1) DMZ environments 1,...,n 2) An Internal network 3) A remote rack in a data center. Rules (by "talk" I mean initiate connections to): 1) DMZs can talk to each other, somewhat. 2) The Internal network can talk to the DMZs 3) The DMZ *cannot* connect to the Internal network 4) The remote rack of course cannot contact the Internal network, but can contact the DMZs. Scenario A, Master in a DMZ: - Slave in the Internal network could contact the DMZ master for replica setup, but the Master could not contact the slave to push updates - Slave in the remote rack could contact master in DMZ, but incoming to remote rack is very restrictive, so it is possible that master couldn't push. Scenario B: Master in the Internal network. - Slaves in DMZ and remote rack couldn't contact master for setup, although the master could contact the slaves to push updates. Scenario C: Master in remote rack - Not acceptable as remote rack is a testing rack, and may go down at any time. So, the best solution, from my current understanding is being able to somehow do pull-updates for replicas, because then we could have this: - Master in DMZs - Slaves in Internal network can contact Master in DMZ for replica setup and updates - Slaves in remote rack can contact Master in DMZ for replica setup and updates Any feedback is appreciated, especially if I'm missing something...obvious or minor. j -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project