[Freeipa-users] IE10 Dialogs close on Enter keypress
Hello, I found that when running FreeIPA Web UI on IE10 that modal dialogs close when enter is pressed. Normal functionality is to 'submit' the dialog on an enter keypress. I found a solution by adding a type="button" attribute to the close button of the dialog (in /install/ui/src/freeipa/dialog.js). I have tested on recent Chrome, IE and Firefox versions as well as on IE10. Seems to be no side-effects. Attached is a patch showing the change I made. Apologies if the patch isn't formatted correctly. Regards, Jim G From 53503f6cb28c1923a841cc837b8f1e062b2d429b Mon Sep 17 00:00:00 2001 From: James Groffen Date: Thu, 7 Jan 2016 14:26:03 +1030 Subject: [PATCH] Set close button type attribute to 'button'. Stops IE10 from closing the dialog on an enter keypress. --- install/ui/src/freeipa/dialog.js | 1 + 1 file changed, 1 insertion(+) diff --git a/install/ui/src/freeipa/dialog.js b/install/ui/src/freeipa/dialog.js index 22bda3e..4c157c5 100644 --- a/install/ui/src/freeipa/dialog.js +++ b/install/ui/src/freeipa/dialog.js @@ -395,6 +395,7 @@ IPA.dialog = function(spec) { that.title_close_button = $('', { 'class': 'close', +'type': 'button', 'aria-hidden': 'true', click: function() { that.close(); -- 1.9.5.msysgit.1 -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
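Review bot: The new 'type': 'button' entry in the title_close_button attributes has no explanation next to it, and the commit message only says that it stops IE10 from closing the dialog on an enter keypress. A one-line comment beside the attribute, or a sentence in the commit message saying why the explicit type is needed, would keep a later cleanup from dropping it as redundant. It is also worth checking whether the other buttons this dialog builds are created without an explicit type, in case they show the same behaviour.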
Re: [Freeipa-users] Fwd: NetworkError : invalid continuation byte with utf8 codec
Happy new year to all,

just to point out that this also affects Fedora23 Free-IPA 4.2.0 and 4.3.0 from corps. Locale is set to es_ES.UTF-8.

Regards

2016-01-05 23:32 GMT-05:00 Fraser Tweedale :

> On Mon, Jan 04, 2016 at 03:13:43PM +0100, Domineaux Philippe wrote:
> > Hello,
> >
> > Happy new year.
> >
> > So the content of my /etc/locale.conf :
> >
> > LANG="fr_FR.UTF-8"
> >
> Happy new year to you too, and thanks for the info.
>
> I reproduced the issue and there is now a patch awaiting review.
> Ticket: https://fedorahosted.org/freeipa/ticket/5578
>
> Cheers,
> Fraser
>
> > -- Forwarded message --
> > From: Fraser Tweedale
> > Date: 2015-12-23 5:11 GMT+01:00
> > Subject: Re: [Freeipa-users] NetworkError : invalid continuation byte with utf8 codec
> > To: Gmail
> > Cc: freeipa-users@redhat.com
> >
> >
> > On Tue, Dec 22, 2015 at 08:39:09AM +0100, Gmail wrote:
> > > Here are the files you ask for:
> > >
> > Thank you. I see Tomcat is running in an fr_FR locale. Could you
> > also provide contents of `/etc/locale.conf'?
> >
> > Cheers,
> > Fraser
> >
> > >
> > > On 22 December 2015 at 02:30:06, Fraser Tweedale (ftwee...@redhat.com) wrote:
> > >
> > > On Mon, Dec 21, 2015 at 05:29:01PM +0100, Gmail wrote:
> > > > Hi all,
> > > >
> > > > When trying to install on a fresh new Centos 7 I’ve got this error :
> > > >
> > > > 2015-12-21T16:04:44Z DEBUG The ipa-server-install command failed, exception: NetworkError: cannot connect to 'https://freeipa.ipa.local:8443/ca/rest/profiles/raw': 'utf8' codec can't decode byte 0xea in position 13: invalid continuation byte
> > > > 2015-12-21T16:04:44Z ERROR cannot connect to 'https://freeipa.ipa.local:8443/ca/rest/profiles/raw': 'utf8' codec can't decode byte 0xea in position 13: invalid continuation byte
> > > >
> > > > My freeipa-server version is : 4.2.0
> > > > I’m running a Centos 3.10.0-327.3.1.el7.x86_64
> > > >
> > > > Any idea of what goes wrong?
> > > >
> > > Thanks for reporting. I have not seen this error before. Could you
> > > please include the following log files and I will take a closer
> > > look:
> > >
> > > /var/log/ipaserver-install.log
> > > /var/log/pki/pki-tomcat/ca/debug
> > >
> > > Cheers,
> > > Fraser
Re: [Freeipa-users] Importing from shadow: ERROR: Constraint violation: pre-hashed passwords are not valid
> -Original Message-
> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
>
> >When I execute this, I get this error for every entry: "ipa: ERROR:
> >Constraint violation: pre-hashed passwords are not valid"
> >
> >What have I done wrong?
> Did you enable migration mode? The check in the password plugin is conditioned
> on allowing pre-hashed passwords only when the migration mode is on.

Well that's embarrassing. It's even right there, on the page I quoted. Didn't even see that paragraph when I was reading it.

Thank you

L.
[Freeipa-users] Trying to reset the admin password and failing...
Hi,

Any idea how to fix this please?

[root@vuwunicoipam002 ~]# ldappasswd -ZZ -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=accounts,dc=xx,dc=xxx,dc=xx,dc=xx -H ldap://vuwunicoipam002.xxx
New password:
Re-enter new password:
ldap_start_tls: Connect error (-11)
        additional info: Start TLS request accepted.Server willing to negotiate SSL.
[root@vuwunicoipam002 ~]#

regards

Steven
[Freeipa-users] Issue with fresh install of FreeRADIUS
Hi all,

Just did a fresh install of FreeRADIUS following this guide on a Centos 7 box - http://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7

Local testing with radtest works, however radiusd has issues. I do find it odd that this line indicated success:

Process: 1270 ExecStartPre=/bin/chown -R radiusd.radiusd /var/run/radiusd (code=exited, status=0/SUCCESS)

But then:

[root@ipa1test ~]# systemctl status radiusd.service -l
● radiusd.service - FreeRADIUS high performance RADIUS server.
   Loaded: loaded (/usr/lib/systemd/system/radiusd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2016-01-05 18:32:09 EST; 15h ago
  Process: 1334 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=1/FAILURE)
  Process: 1270 ExecStartPre=/bin/chown -R radiusd.radiusd /var/run/radiusd (code=exited, status=0/SUCCESS)

Jan 05 18:32:07 ipa1test.lab.net systemd[1]: Starting FreeRADIUS high performance RADIUS server
Jan 05 18:32:09 ipa1test.lab.net systemd[1]: radiusd.service: control process exited, code=exited status=1
Jan 05 18:32:09 ipa1test.lab.net systemd[1]: Failed to start FreeRADIUS high performance RADIUS server..
Jan 05 18:32:09 ipa1test.lab.net systemd[1]: Unit radiusd.service entered failed state.
Jan 05 18:32:09 ipa1test.lab.net systemd[1]: radiusd.service failed.

I find a few google hits but they had different error codes & issues which seemed different.

Anyone have any suggestion or should I just go to latest stable which is 3.0.10?

[root@ipa1test ~]# radiusd -v
radiusd: FreeRADIUS Version 3.0.4, for host x86_64-redhat-linux-gnu, built on Mar 5 2015 at 23:41:36

Thanks,
Anthony
Re: [Freeipa-users] FreeIPA 4.2.0 / CentOS 7.2 / DNS Strangeness (Sub-domains)
Please always include ipa-users list when replying.

On 6.1.2016 11:48, Devin wrote:
> Jan 06 01:37:45 idm.servers.lnx.ninja named-pkcs11[5524]: zone lnx.ninja/IN: NS 'idm.servers.lnx.ninja' has no address records (A or )
> Jan 06 01:37:45 idm.servers.lnx.ninja named-pkcs11[5524]: zone lnx.ninja/IN: not loaded due to errors.
> Jan 06 01:37:45 idm.servers.lnx.ninja named-pkcs11[5524]: zone servers.lnx.ninja/IN: loaded serial 1452044265

Apparently the zone lnx.ninja does not contain any (A or ) records for name idm.servers.lnx.ninja listed in NS record. You need to fix this (add so-called glue record) otherwise BIND will not load that zone.

I hope this helps.

--
Petr^2 Spacek
[Freeipa-users] faking DNS autodiscovery of servers
Hello,

I have some web applications that use LDAP for authentication/authorization, and which do not support LDAP auto-discovery. I'm wondering if it's possible to fake the auto-discovery of server.

For instance, I could imagine using a DNS CNAME ldap_current.example.com which should point to a currently available ldap server. Then a cron job would query the DNS/ldaps to find an available ldap server, and if different from the current, update the DNS CNAME ldap_current.example.com.

Does it make sense ? In that case, how to discover a working ldap server ?

Thanks.

Karl
Re: [Freeipa-users] changing password on user using ldappasswd
Thank you Sumit for the answer, it solved my problem.

Cheers
Emil

___
From: Sumit Bose
Sent: Wednesday, January 6, 2016 1:03 PM
To: FE9817 FE-DDIS.DK
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] changing password on user using ldappasswd

On Wed, Jan 06, 2016 at 08:59:22AM +, FE9817 FE-DDIS.DK wrote:
> Hi,
>
> I'm trying to change password for a user, using ldap, but it hangs. Here is
> what is done.
>
> :~$ ldappasswd -h idm.com -ZZ -p 636 -x -D
> "uid=admin,cn=users,cn=accounts,dc=com" -W -S
> "uid=test000,cn=users,cn=accounts,dc=com" -d9 -v -A

I think you are using the SSL/TLS option wrongly. -p 636 indicates that you want to use the LDAPS port where the SSL/TLS handshake is done automatically. -Z will use the StartTLS command to start the handshake and the second Z will require that this will be successful.

First, ldappasswd will not do an automatic SSL/TLS handshake with these options and hence you see the hang because the server waits for the handshake. To tell ldappasswd to do the handshake please replace '-h idm.com' by '-H LDAPS://idm.com'.

Second, you will still see an error like 'SSL connection already established' because the StartTLS command started due to the -Z option sees that the SSL/TLS tunnel is already established, returns the error and since the second Z requires a success here ldappasswd fails.

Since it is redundant to do both, using the ldaps port and calling StartTLS, I would recommend to just use StartTLS as in

    ldappasswd -h idm.com -ZZ -x -D "uid=admin,cn=users,cn=accounts,dc=com" -W -S "uid=test000,cn=users,cn=accounts,dc=com" -A

Using the ldaps port should work with

    ldappasswd -H LDAPS://idm.com -x -D "uid=admin,cn=users,cn=accounts,dc=com" -W -S "uid=test000,cn=users,cn=accounts,dc=com" -A

And if you really want to double-stitch it use a single -Z like

    ldappasswd -H LDAPS://idm.com -Z -x -D "uid=admin,cn=users,cn=accounts,dc=com" -W -S "uid=test000,cn=users,cn=accounts,dc=com" -A

then you will still see the 'SSL connection already established' error but ldappasswd can proceed since StartTLS is not required to be successful. But please note that this will not increase security because -Z/StartTLS is a no-op in this case.

HTH

bye,
Sumit

> Old password:
> Re-enter old password:
> New password:
> Re-enter new password:
> ldap_initialize( ldap://idm.com:636 )
> ldap_create
> ldap_url_parse_ext(ldap://idm.com:636)
> ldap_extended_operation_s
> ldap_extended_operation
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP idm.com:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 10.10.10.10:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> ldap_open_defconn: successful
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({) ber:
> ber_flush2: 31 bytes to sd 3
> ldap_result ld 0x7fc7f40de370 msgid 1
> wait4msg ld 0x7fc7f40de370 msgid 1 (infinite timeout)
> wait4msg continue ld 0x7fc7f40de370 msgid 1 all 1
> ** ld 0x7fc7f40de370 Connections:
> * host: idm01.dap.cfcs.dk port: 636 (default)
>   refcnt: 2 status: Connected
>   last used: Wed Jan 6 09:29:43 2016
>
>
> ** ld 0x7fc7f40de370 Outstanding Requests:
> * msgid 1, origid 1, status InProgress
>   outstanding referrals 0, parent count 0
> ld 0x7fc7f40de370 request count 1 (abandoned 0)
> ** ld 0x7fc7f40de370 Response Queue:
>   Empty
> ld 0x7fc7f40de370 response count 0
> ldap_chkResponseList ld 0x7fc7f40de370 msgid 1 all 1
> ldap_chkResponseList returns ld 0x7fc7f40de370 NULL
> ldap_int_select
>
> It works when using kpasswd, but not ldappasswd. Any suggestions?
>
> Cheers
> Emil
Re: [Freeipa-users] changing password on user using ldappasswd
On Wed, Jan 06, 2016 at 08:59:22AM +, FE9817 FE-DDIS.DK wrote:
> Hi,
>
> I'm trying to change password for a user, using ldap, but it hangs. Here is
> what is done.
>
> :~$ ldappasswd -h idm.com -ZZ -p 636 -x -D
> "uid=admin,cn=users,cn=accounts,dc=com" -W -S
> "uid=test000,cn=users,cn=accounts,dc=com" -d9 -v -A

I think you are using the SSL/TLS option wrongly. -p 636 indicates that you want to use the LDAPS port where the SSL/TLS handshake is done automatically. -Z will use the StartTLS command to start the handshake and the second Z will require that this will be successful.

First, ldappasswd will not do an automatic SSL/TLS handshake with these options and hence you see the hang because the server waits for the handshake. To tell ldappasswd to do the handshake please replace '-h idm.com' by '-H LDAPS://idm.com'.

Second, you will still see an error like 'SSL connection already established' because the StartTLS command started due to the -Z option sees that the SSL/TLS tunnel is already established, returns the error and since the second Z requires a success here ldappasswd fails.

Since it is redundant to do both, using the ldaps port and calling StartTLS, I would recommend to just use StartTLS as in

    ldappasswd -h idm.com -ZZ -x -D "uid=admin,cn=users,cn=accounts,dc=com" -W -S "uid=test000,cn=users,cn=accounts,dc=com" -A

Using the ldaps port should work with

    ldappasswd -H LDAPS://idm.com -x -D "uid=admin,cn=users,cn=accounts,dc=com" -W -S "uid=test000,cn=users,cn=accounts,dc=com" -A

And if you really want to double-stitch it use a single -Z like

    ldappasswd -H LDAPS://idm.com -Z -x -D "uid=admin,cn=users,cn=accounts,dc=com" -W -S "uid=test000,cn=users,cn=accounts,dc=com" -A

then you will still see the 'SSL connection already established' error but ldappasswd can proceed since StartTLS is not required to be successful. But please note that this will not increase security because -Z/StartTLS is a no-op in this case.

HTH

bye,
Sumit

> Old password:
> Re-enter old password:
> New password:
> Re-enter new password:
> ldap_initialize( ldap://idm.com:636 )
> ldap_create
> ldap_url_parse_ext(ldap://idm.com:636)
> ldap_extended_operation_s
> ldap_extended_operation
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP idm.com:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 10.10.10.10:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> ldap_open_defconn: successful
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({) ber:
> ber_flush2: 31 bytes to sd 3
> ldap_result ld 0x7fc7f40de370 msgid 1
> wait4msg ld 0x7fc7f40de370 msgid 1 (infinite timeout)
> wait4msg continue ld 0x7fc7f40de370 msgid 1 all 1
> ** ld 0x7fc7f40de370 Connections:
> * host: idm01.dap.cfcs.dk port: 636 (default)
>   refcnt: 2 status: Connected
>   last used: Wed Jan 6 09:29:43 2016
>
>
> ** ld 0x7fc7f40de370 Outstanding Requests:
> * msgid 1, origid 1, status InProgress
>   outstanding referrals 0, parent count 0
> ld 0x7fc7f40de370 request count 1 (abandoned 0)
> ** ld 0x7fc7f40de370 Response Queue:
>   Empty
> ld 0x7fc7f40de370 response count 0
> ldap_chkResponseList ld 0x7fc7f40de370 msgid 1 all 1
> ldap_chkResponseList returns ld 0x7fc7f40de370 NULL
> ldap_int_select
>
> It works when using kpasswd, but not ldappasswd. Any suggestions?
>
> Cheers
> Emil
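The option combinations discussed in the reply above, as an added example that is not part of the thread and not FreeIPA or OpenLDAP code: a bash function that classifies which transport a set of OpenLDAP client options asks for. The function names and verdict strings are made up for this illustration; only -h, -p, -H, -Z and -ZZ are interpreted, and port 636 is assumed to be the LDAPS port, as in the thread.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Classifies the transport security that
# a set of OpenLDAP client options (ldappasswd, ldapsearch, ...) requests.
# Assumptions: only -h, -p, -H, -Z and -ZZ are interpreted, and port 636 is
# the LDAPS port, as in the thread. Verdict names are hypothetical.

classify_ldap_transport() {
    local args=("$@") i=0
    local scheme="ldap" port="" starttls=0 uri="" rest=""

    while [ "$i" -lt "${#args[@]}" ]; do
        case "${args[$i]}" in
            -H) i=$((i + 1)); uri="${args[$i]:-}" ;;
            -p) i=$((i + 1)); port="${args[$i]:-}" ;;
            -h) i=$((i + 1)) ;;            # bare host: scheme stays ldap://
            -ZZ) starttls=2 ;;             # StartTLS, must succeed
            -Z) if [ "$starttls" -lt 1 ]; then starttls=1; fi ;;
        esac
        i=$((i + 1))
    done

    if [ -n "$uri" ]; then
        # The scheme is case-insensitive (the thread uses LDAPS://).
        scheme=$(printf '%s' "${uri%%://*}" | tr '[:upper:]' '[:lower:]')
        rest="${uri#*://}"
        rest="${rest%%/*}"                 # host[:port]
        case "$rest" in
            *:*) port="${rest##*:}" ;;     # a port in the URI wins over -p
        esac
    fi

    case "$scheme" in
        ldaps)
            case "$starttls" in
                0) echo "ldaps" ;;
                1) echo "ldaps-redundant-starttls" ;;
                2) echo "ldaps-starttls-fatal" ;;
            esac ;;
        ldap)
            if [ "$port" = "636" ]; then
                echo "plaintext-to-ldaps-port"
            else
                case "$starttls" in
                    0) echo "cleartext" ;;
                    1) echo "starttls-optional" ;;
                    2) echo "starttls-required" ;;
                esac
            fi ;;
        *) echo "unknown-scheme" ;;
    esac
}

explain_verdict() {
    case "$1" in
        ldaps) echo "TLS handshake happens on connect (LDAPS)" ;;
        ldaps-redundant-starttls) echo "StartTLS inside LDAPS is a no-op; its error is reported but ignored" ;;
        ldaps-starttls-fatal) echo "-ZZ requires StartTLS to succeed, which it cannot inside an existing TLS tunnel" ;;
        plaintext-to-ldaps-port) echo "plain LDAP sent to the LDAPS port; the server waits for a handshake and the client hangs" ;;
        starttls-required) echo "plain connection upgraded with StartTLS; the command fails if the upgrade fails" ;;
        starttls-optional) echo "StartTLS is attempted but not required; the client may continue unencrypted" ;;
        cleartext) echo "no TLS requested; a simple bind (-x) sends the password unencrypted" ;;
        *) echo "scheme not handled by this example" ;;
    esac
}

# The four option sets from the thread (bind DN and user DN left out).
for opts in \
    "-h idm.com -ZZ -p 636 -x" \
    "-h idm.com -ZZ -x" \
    "-H LDAPS://idm.com -x" \
    "-H LDAPS://idm.com -Z -x"
do
    # Word splitting of $opts is intended here.
    verdict=$(classify_ldap_transport $opts)
    printf '%s\n    %s: %s\n' "$opts" "$verdict" "$(explain_verdict "$verdict")"
done
```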
Re: [Freeipa-users] changing password on user using ldappasswd
On 01/06/2016 09:59 AM, FE9817 FE-DDIS.DK wrote:
> Hi,
>
> I'm trying to change password for a user, using ldap, but it hangs. Here is
> what is done.
>
> :~$ ldappasswd -h idm.com -ZZ -p 636 -x -D
> "uid=admin,cn=users,cn=accounts,dc=com" -W -S
> "uid=test000,cn=users,cn=accounts,dc=com" -d9 -v -A
> Old password:
> Re-enter old password:
> New password:
> Re-enter new password:
> ldap_initialize( ldap://idm.com:636 )
> ldap_create
> ldap_url_parse_ext(ldap://idm.com:636)
> ldap_extended_operation_s
> ldap_extended_operation
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP idm.com:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 10.10.10.10:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> ldap_open_defconn: successful
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({) ber:
> ber_flush2: 31 bytes to sd 3
> ldap_result ld 0x7fc7f40de370 msgid 1
> wait4msg ld 0x7fc7f40de370 msgid 1 (infinite timeout)
> wait4msg continue ld 0x7fc7f40de370 msgid 1 all 1
> ** ld 0x7fc7f40de370 Connections:
> * host: idm01.dap.cfcs.dk port: 636 (default)
>   refcnt: 2 status: Connected
>   last used: Wed Jan 6 09:29:43 2016
>
>
> ** ld 0x7fc7f40de370 Outstanding Requests:
> * msgid 1, origid 1, status InProgress
>   outstanding referrals 0, parent count 0
> ld 0x7fc7f40de370 request count 1 (abandoned 0)
> ** ld 0x7fc7f40de370 Response Queue:
>   Empty
> ld 0x7fc7f40de370 response count 0
> ldap_chkResponseList ld 0x7fc7f40de370 msgid 1 all 1
> ldap_chkResponseList returns ld 0x7fc7f40de370 NULL
> ldap_int_select
>
> It works when using kpasswd, but not ldappasswd. Any suggestions?

I had similar problem when kadmin did not start fully because of low entropy on my VM, I wonder if this is your case as well. You can find out with

# systemctl status kadmin.service

But I am surprised that kadmin password change works and ldappasswd does not. This would mean that "ipa passwd" command is also not working as it uses LDAP way also.
Re: [Freeipa-users] FreeIPA - Mixing clients using sssd for some and nscd/nslcd for others
On (06/01/16 10:44), bahan w wrote:
>Hello !
>
>I send you this mail because I am using this topology :
>- FreeIPA 3.0.0-42
>- RHEL6.6
>- Two masters (replicated)
>- n clients
>
>My question is the following :
>May I use for some clients sssd and for others the couple nscd/nslcd ? I
>would like to perform tests to compare both and I am wondering if I can do
>that ?
>
ipa-client-install has argument "--no-sssd" which should configure machine with nslcd + pam_ldap. I have never used it. If it doesn't work you might configure it yourself. There is no blocker.

But failover in sssd is in better state than in nslcd, and pam_ldap in rhel6.6 creates an ldap connection to the server with each authentication + another ldap connection in nslcd. So load of your server might be higher than with sssd. It depends on the count of client machines and the count of users which will use that machine.

I would like to ask why do you want to compare both. Is sssd slow for you?

LS
[Freeipa-users] FreeIPA - Mixing clients using sssd for some and nscd/nslcd for others
Hello !

I send you this mail because I am using this topology :
- FreeIPA 3.0.0-42
- RHEL6.6
- Two masters (replicated)
- n clients

My question is the following :
May I use for some clients sssd and for others the couple nscd/nslcd ? I would like to perform tests to compare both and I am wondering if I can do that ?

Best regards.

Bahan
[Freeipa-users] changing password on user using ldappasswd
Hi,

I'm trying to change password for a user, using ldap, but it hangs. Here is what is done.

:~$ ldappasswd -h idm.com -ZZ -p 636 -x -D "uid=admin,cn=users,cn=accounts,dc=com" -W -S "uid=test000,cn=users,cn=accounts,dc=com" -d9 -v -A
Old password:
Re-enter old password:
New password:
Re-enter new password:
ldap_initialize( ldap://idm.com:636 )
ldap_create
ldap_url_parse_ext(ldap://idm.com:636)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP idm.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.10.10.10:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x7fc7f40de370 msgid 1
wait4msg ld 0x7fc7f40de370 msgid 1 (infinite timeout)
wait4msg continue ld 0x7fc7f40de370 msgid 1 all 1
** ld 0x7fc7f40de370 Connections:
* host: idm01.dap.cfcs.dk port: 636 (default)
  refcnt: 2 status: Connected
  last used: Wed Jan 6 09:29:43 2016

** ld 0x7fc7f40de370 Outstanding Requests:
* msgid 1, origid 1, status InProgress
  outstanding referrals 0, parent count 0
ld 0x7fc7f40de370 request count 1 (abandoned 0)
** ld 0x7fc7f40de370 Response Queue:
  Empty
ld 0x7fc7f40de370 response count 0
ldap_chkResponseList ld 0x7fc7f40de370 msgid 1 all 1
ldap_chkResponseList returns ld 0x7fc7f40de370 NULL
ldap_int_select

It works when using kpasswd, but not ldappasswd. Any suggestions?

Cheers
Emil
Re: [Freeipa-users] IPA, AD Trust and Domain Local Groups
Hi,

OK, clear. Thanks for the information!

Winny

Sumit Bose wrote on 06-01-2016 9:19:

> On Wed, Jan 06, 2016 at 08:56:27AM +0100, w...@dds.nl wrote:
> > Hi all,
> >
> > Using an AD trust with IPA 4.2 all works well, but on the IPA/Linux site we're just not able to see AD "Domain Local Groups".
> >
> > Is that just not possible (a limitation of the current version that is), is some extra configuration needed or is just something wrong?
> >
> > Hope one can give an answer!
>
> This is by design. As the name says the groups are 'Domain Local' i.e. only valid in the own AD domain (not even in the whole AD forest). Since the IPA domain is a completely different forest from the AD perspective the Domain Local Groups do not apply here. IPA just does the same here as AD does.
>
> HTH
>
> bye,
> Sumit
>
> > Winny
Re: [Freeipa-users] Importing from shadow: ERROR: Constraint violation: pre-hashed passwords are not valid
On Wed, 06 Jan 2016, Simpson Lachlan wrote:
> Hi,
>
> New install of FreeIPA 4.2.0-15.el7.centos.3 on Centos 7.2.1511 (and I'm very new to FreeIPA)
>
> Following the advice I got from here:
>
> http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
>
> I dumped old shadow into a csv, then wrote a small bash script to import all the users:
>
>     #!/bin/bash
>     INPUT=s.csv
>
>     kinit admin
>     [ ! -f "$INPUT" ] && { echo "$INPUT file not found"; exit 99; }
>
>     # Each CSV line is "login,crypt-hash"; IFS is changed for read only.
>     while IFS=, read -r lname pw
>     do
>         echo "Importing user $lname"
>         FIRST=${lname:0:1}
>         LAST=${lname:1}
>         ipa user-add "$lname" --first "$FIRST" --last "$LAST" --setattr "userpassword={crypt}$pw"
>     done < "$INPUT"
>
> When I execute this, I get this error for every entry: "ipa: ERROR: Constraint violation: pre-hashed passwords are not valid"
>
> What have I done wrong?

Did you enable migration mode? The check in the password plugin is conditioned on allowing pre-hashed passwords only when the migration mode is on.

--
/ Alexander Bokovoy
Re: [Freeipa-users] IPA, AD Trust and Domain Local Groups
On Wed, Jan 06, 2016 at 08:56:27AM +0100, w...@dds.nl wrote:
> Hi all,
>
> Using an AD trust with IPA 4.2 all works well, but on the IPA/Linux site
> we're just not able to see AD "Domain Local Groups".
>
> Is that just not possible (a limitation of the current version that is), is
> some extra configuration needed or is just something wrong?
>
> Hope one can give an answer!

This is by design. As the name says the groups are 'Domain Local' i.e. only valid in the own AD domain (not even in the whole AD forest). Since the IPA domain is a completely different forest from the AD perspective the Domain Local Groups do not apply here. IPA just does the same here as AD does.

HTH

bye,
Sumit

>
> Winny
[Freeipa-users] IPA, AD Trust and Domain Local Groups
Hi all,

Using an AD trust with IPA 4.2 all works well, but on the IPA/Linux site we're just not able to see AD "Domain Local Groups".

Is that just not possible (a limitation of the current version that is), is some extra configuration needed or is just something wrong?

Hope one can give an answer!

Winny