Re: [Freeipa-users] Make Gpg replica fail, where cert store I should update new?
Same as before, I already followed part "< 4.1" as below:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1

The Comodo cert is the new cert. It seems I'm nearly right: the HTTP server side can read the trusted cert, BUT it seems dirsrv is still lacking a CA cert to verify it... but ca.crt was already changed to the new one and imported:

ABC-COM...[07/Mar/2017:19:17:22 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert *.ABC.com - COMODO CA Limited of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)

2017-03-07 17:16 GMT+08:00 Florence Blanc-Renaud <f...@redhat.com>:
> Hi,
>
> In IPA < 4.5, ipa-replica-prepare was using /etc/ipa/ca.crt as Certificate
> Authority, and this file may be outdated. Running ipa-certupdate may fix
> your issue. See [1]
>
> If it doesn't, you can start by identifying which certificate expired with
> $ sudo getcert list | egrep -e 'expires|Request ID|subject'
>
> HTH,
> Flo
>
> [1] https://pagure.io/freeipa/issue/6375
>
> On 03/07/2017 04:14 AM, barry...@gmail.com wrote:
>> gpg
>>
>> Creating SSL certificate for the Directory Server
>> ipa : ERROR cert validation failed for "CN=central.ABC.com,O=ABC.COM"
>> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>> preparation of replica failed: cannot connect to
>> 'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>> cannot connect to
>> 'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>>
>>   File "/usr/sbin/ipa-replica-prepare", line 490, in <module>
>>     main()
>>
>>   File "/usr/sbin/ipa-replica-prepare", line 361, in main
>>     export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
>> replica_fqdn, subject_base)
>>
>>   File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb
>>     raise e

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] How to reinstall the CA or the Dogtag system
Hi:

Errors occur... cert no problem... seems a CA error and cannot track cert. Thx

ipa-replica-prepare c03.abc.com --ip-address 192.168.1.73
Directory Manager (existing master) password:
preparation of replica failed: cannot connect to u'ldapi://%2fvar%2frun%2fslapd-WISERS-COM.socket': LDAP Server Down
cannot connect to u'ldapi://%2fvar%2frun%2fslapd-ABC.COM.socket': LDAP Server Down
  File "/usr/sbin/ipa-replica-prepare", line 490, in <module>
    main()
  File "/usr/sbin/ipa-replica-prepare", line 274, in main
    conn.connect(bind_dn=DN(('cn', 'directory manager')), bind_pw=dirman_password)
  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 846, in create_connection
    self.handle_errors(e)
  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 736, in handle_errors
    error=u'LDAP Server Down')

[root@central ~]# ipa-replica-prepare central03.wisers.com --ip-address 192.168.1.73
Directory Manager (existing master) password:
preparation of replica failed: cannot connect to u'ldapi://%2fvar%2frun%2fslapd-ABC.COM.socket': LDAP Server Down
cannot connect to u'ldapi://%2fvar%2frun%2fslapd-ABC-COM.socket': LDAP Server Down
  File "/usr/sbin/ipa-replica-prepare", line 490, in <module>
    main()
  File "/usr/sbin/ipa-replica-prepare", line 274, in main
    conn.connect(bind_dn=DN(('cn', 'directory manager')), bind_pw=dirman_password)
  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 846, in create_connection
    self.handle_errors(e)
  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 736, in handle_errors
    error=u'LDAP Server Down')
Re: [Freeipa-users] IPA replica cannot gen as cert expired, which folder should I replace with the new cert?
Hi:

Which location should I renew the cert in?

httpd/alias
/etc/dirsrv/slapd*

Enough?

On May 24, 2016 at 10:01 PM, "Rob Crittenden" <rcrit...@redhat.com> wrote:
> barry...@gmail.com wrote:
>> hi all:
>>
>> Thx as title
>>
>> ipa : ERROR cert validation failed for "CN=server.abc.com,O=WISERS.COM"
>> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>> preparation of replica failed: cannot connect to
>> 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>> cannot connect to
>> 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>
> The root of all your problems is that your certificates are expired.
> Fixing this should be your priority. This is probably going to involve
> going back in time to when the certificates are still valid, restarting
> IPA, restarting certmonger and waiting for things to properly renew. It can
> take some time as the certificates don't all renew at once.
>
> I suspect that once renewed and returned to current time the rest of your
> problems will, for the most part, go away.
>
> rob
Re: [Freeipa-users] Restore from backup, start server will error but success
The bottom manual file-based backup restore. I remember there's one for 3.0 and tested it working before.

On May 10, 2016 at 8:00 PM, "Petr Vobornik" <pvobo...@redhat.com> wrote:
> On 05/10/2016 01:49 PM, Martin Basti wrote:
>> No there is not python 2.7 on centos 6.x, maybe there is something wrong in the
>> code, let me check first
>
> How did you run the backup and restore? AFAIK it was introduced in
> FreeIPA 3.2, then it was introduced in ipa 3.3 release on RHEL 7. It is
> not on RHEL 6.
>
>> On 10.05.2016 13:34, Barry wrote:
>>> Ipa 3.0 e47
>>>
>>> Centos 6.5. Just update python?
>>>
>>> On May 10, 2016 at 6:58 PM, "Martin Basti" <mba...@redhat.com> wrote:
>>>
>>> On 10.05.2016 12:41, barry...@gmail.com wrote:
>>>> Hi:
>>>>
>>>> Restore from backup following the procedure below:
>>>> http://www.freeipa.org/page/V3/Backup_and_Restore
>>>>
>>>> Now the server web page launches but cannot access:
>>>> Sorry you are not allowed to access this service.
>>>>
>>>> Starting dirsrv:
>>>>     PKI-IPA...                          [  OK  ]
>>>>     WISERS-COM...                       [  OK  ]
>>>> Starting KDC Service
>>>> Starting Kerberos 5 KDC:                [  OK  ]
>>>> Starting KPASSWD Service
>>>> Starting Kerberos 5 Admin Server:       [  OK  ]
>>>> Starting MEMCACHE Service
>>>> Starting ipa_memcached:                 [  OK  ]
>>>> Starting HTTP Service
>>>> Starting httpd:                         [  OK  ]
>>>> Starting CA Service
>>>>
>>>> Starting CA Service
>>>> Traceback (most recent call last):
>>>>   File "/usr/sbin/pki-server", line 88, in <module>
>>>>     cli = PKIServerCLI()
>>>>   File "/usr/sbin/pki-server", line 34, in __init__
>>>>     super(PKIServerCLI, self).__init__('pki-server', 'PKI server
>>>> command-line interface')
>>>>   File "/usr/lib/python2.6/site-packages/pki/cli.py", line 39, in __init__
>>>>     self.modules = collections.OrderedDict()
>>>> AttributeError: 'module' object has no attribute 'OrderedDict'
>>>> Starting pki-ca:                        [  OK  ]
>>>>
>>>> Any idea above?
>>>
>>> You are using the old python, python 2.7 is required, which version of OS
>>> and IPA do you use?
>>> Martin
>
> --
> Petr Vobornik
Re: [Freeipa-users] Restore from backup, start server will error but success
Ipa 3.0 e47

Centos 6.5. Just update python?

On May 10, 2016 at 6:58 PM, "Martin Basti" <mba...@redhat.com> wrote:
> On 10.05.2016 12:41, barry...@gmail.com wrote:
>> Hi:
>>
>> Restore from backup following the procedure below:
>> http://www.freeipa.org/page/V3/Backup_and_Restore
>>
>> Now the server web page launches but cannot access:
>> Sorry you are not allowed to access this service.
>>
>> Starting dirsrv:
>>     PKI-IPA...                          [  OK  ]
>>     WISERS-COM...                       [  OK  ]
>> Starting KDC Service
>> Starting Kerberos 5 KDC:                [  OK  ]
>> Starting KPASSWD Service
>> Starting Kerberos 5 Admin Server:       [  OK  ]
>> Starting MEMCACHE Service
>> Starting ipa_memcached:                 [  OK  ]
>> Starting HTTP Service
>> Starting httpd:                         [  OK  ]
>> Starting CA Service
>>
>> Starting CA Service
>> Traceback (most recent call last):
>>   File "/usr/sbin/pki-server", line 88, in <module>
>>     cli = PKIServerCLI()
>>   File "/usr/sbin/pki-server", line 34, in __init__
>>     super(PKIServerCLI, self).__init__('pki-server', 'PKI server
>> command-line interface')
>>   File "/usr/lib/python2.6/site-packages/pki/cli.py", line 39, in __init__
>>     self.modules = collections.OrderedDict()
>> AttributeError: 'module' object has no attribute 'OrderedDict'
>> Starting pki-ca:                        [  OK  ]
>>
>> Any idea above?
>
> You are using the old python, python 2.7 is required, which version of OS
> and IPA do you use?
> Martin
Re: [Freeipa-users] server 1 and server 2 cannot replicate now, maybe ssl cert expired
> Hello Barry,
>
> Can you provide more info? What is your IPA version, OS?

CENTOS 6.5
server1 - ipa-server-3.0.0-47.el6.centos.2.x86_64
server 2 - ipa-server-3.0.0-37.el6.x86_64

> What are the symptoms you are experiencing?

server1's updates do not transfer to server 2, but server 2 can transfer to server 1 even with the cert expired.

> What do you mean by default ipa cert?

If the cert is the issue then fall back to the original, not-expired, self-signed cert.

> Can you provide logs from replicas?

From server 2:

[09/May/2016:12:09:05 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown error)) errno 0 (Success)
[09/May/2016:12:09:05 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)

> Can you provide `getcert list` command output?

Server 1 - Number of certificates and requests being tracked: 0. < NO record

Server 2 - Number of certificates and requests being tracked: 3.
Request ID '20140106083849':
    status: NEED_CSR_GEN_TOKEN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='ABC-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-ABC-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='ABC-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=ABC.COM
    subject: CN=central02.ABC.com,O=ABC.COM
    expires: 2015-12-19 06:40:44 UTC
    eku: id-kp-ABCAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv ABC-COM
    track: yes
    auto-renew: yes
Request ID '20140106083931':
    status: NEED_CSR_GEN_TOKEN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ABC-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ABC-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=ABC.COM
    subject: CN=central02.ABC.com,O=ABC.COM
    expires: 2015-12-19 06:40:46 UTC
    eku: id-kp-ABCAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
Request ID '20140106083944':
    status: NEED_CSR_GEN_TOKEN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-retrieve-agent-submit
    issuer: CN=Certificate Authority,O=ABC.COM
    subject: CN=IPA RA,O=ABC.COM
    expires: 2015-11-12 08:41:45 UTC
    eku: id-kp-ABCAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes

> Can you provide `ipactl status` from both server?

Server1 -
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

Server 2 -
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING

Now I don't want any cert, just GSSAPI to work...

> Replication uses GSSAPI, at least on new IPA versions, I'm not sure if certificates are involved in this.
>
> Martin

2016-05-02 18:28 GMT+08:00 Martin Basti <mba...@redhat.com>:
> Hello,
>
> Can you try to upgrade server to the same version?
>
> You did not provided all information I requested.
>
> Martin
>
> On 29.04.2016 19:13, barry...@gmail.com wrote:
>> server 1:
>> ipa-server-3.0.0-26.el6_4.4.x86_64
>>
>> server2
>> ipa-server-3.0.0-37.el6.x86_64
>>
>> 2016-04-30 1:10 GMT+08:00 <barry...@gmail.com>:
>>> ipa-server-3.0.0-37.el6.x86_64 << here
>>>
>>> 2016-04-29 19:36 GMT+08:00 Martin Basti <mba...@redhat.com>:
>>>> Please keep, user-list in CC
>>>>
>>>> You did not send all information I requested.
>>>>
>>>> Please use `rpm -ql ipa-server` to get exact version number
>>>>
>>>> On 29.04.2016 13:32, barry...@gmail.com wrote:
>>>>> Error is from GSS API and I'm thinking if it relates to a cert issue.
>>>>>
>>>>> Server1 > server 2 fail
>>>>> Server 2 > server1 ok
>>>>>
>>>>> Freeipa 3.0 both
>>>>>
>>>>> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive
>>>>> bind for i
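An added example (not code from the thread or from the FreeIPA/certmonger projects): a small Python parser for `getcert list` output in the shape quoted above, which flags every tracking request that is stuck or whose certificate has expired or is about to, relative to a chosen check date; the sample output is constructed from the fields shown above.

```python
"""Parse `getcert list` output and flag tracking requests that need attention."""
import re
from datetime import datetime, timezone

# Constructed sample in the shape of the getcert output quoted in the thread.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20140106083849':
    status: NEED_CSR_GEN_TOKEN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='ABC-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-ABC-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='ABC-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=ABC.COM
    subject: CN=central02.ABC.com,O=ABC.COM
    expires: 2015-12-19 06:40:44 UTC
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv ABC-COM
    track: yes
    auto-renew: yes
Request ID '20140106083944':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-retrieve-agent-submit
    issuer: CN=Certificate Authority,O=ABC.COM
    subject: CN=IPA RA,O=ABC.COM
    expires: 2016-11-12 08:41:45 UTC
    track: yes
    auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
NICK_RE = re.compile(r"nickname='([^']*)'")


def parse_getcert(text):
    """Turn getcert list output into one dict of field -> value per request."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        if current is not None and ":" in line:
            # Split on the first colon only: values such as the expiry
            # timestamp and the NSS storage spec contain colons themselves.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """getcert prints the expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def assess(requests, now, warn_days=30):
    """One finding per request: stuck, expired, or expiring within warn_days."""
    findings = []
    for req in requests:
        problems = []
        if req.get("stuck") == "yes":
            problems.append("stuck in status %s" % req.get("status", "?"))
        if "expires" in req:
            expires = parse_expiry(req["expires"])
            if expires <= now:
                problems.append("expired %d days ago" % (now - expires).days)
            elif (expires - now).days < warn_days:
                problems.append("expires in %d days" % (expires - now).days)
        m = NICK_RE.search(req.get("certificate", ""))
        findings.append({"request_id": req["request_id"],
                         "nickname": m.group(1) if m else "?",
                         "subject": req.get("subject", "?"),
                         "problems": problems})
    return findings


if __name__ == "__main__":
    check_date = datetime(2016, 5, 2, tzinfo=timezone.utc)  # date of the thread
    for f in assess(parse_getcert(SAMPLE_GETCERT), check_date):
        state = "; ".join(f["problems"]) or "ok"
        print("%s %-10s %-30s %s" % (f["request_id"], f["nickname"], f["subject"], state))
```

On a live server feed it the output of `getcert list` instead of the constructed sample and use the current time as the check date.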
[Freeipa-users] Error: Server update not synced to Server02 but reverse OK
Hi all:

Original config: server <> server02, either server can add users and sync.
Now server < server02, GSSAPI shows as below.. ANY idea? THX

[05/May/2016:17:29:03 +0800] - 389-Directory/1.2.11.25 B2013.325.1951 starting up
[05/May/2016:17:29:03 +0800] - WARNING: userRoot: entry cache size 10485760B is less than db size 17113088B; We recommend to increase the entry cache size nsslapd-cachememsize.
[05/May/2016:17:29:03 +0800] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[05/May/2016:17:29:03 +0800] attrcrypt - attrcrypt_cipher_init: symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[05/May/2016:17:29:03 +0800] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher 3DES
[05/May/2016:17:29:03 +0800] attrcrypt - attrcrypt_cipher_init: symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[05/May/2016:17:29:03 +0800] attrcrypt - All prepared ciphers are not available. Please disable attribute encryption.
[05/May/2016:17:29:03 +0800] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=ABC,dc=com
[05/May/2016:17:29:07 +0800] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=ABC,dc=com
[05/May/2016:17:29:07 +0800] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=ABC,dc=com
[05/May/2016:17:29:07 +0800] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ABC,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[05/May/2016:17:29:07 +0800] set_krb5_creds - Could not get initial credentials for principal [ldap/server.abc@abc.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[05/May/2016:17:29:07 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)
[05/May/2016:17:29:07 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[05/May/2016:17:29:07 +0800] NSMMReplicationPlugin - agmt="cn=meToserver02.ABC.com" (server02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found))
[05/May/2016:17:29:07 +0800] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ABC,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[05/May/2016:17:29:07 +0800] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[05/May/2016:17:29:07 +0800] - Listening on All Interfaces port 636 for LDAPS requests
[05/May/2016:17:29:07 +0800] - Listening on /var/run/slapd-ABC-COM.socket for LDAPI requests
[05/May/2016:17:29:11 +0800] NSMMReplicationPlugin - agmt="cn=meToserver02.ABC.com" (server02:389): Replication bind with GSSAPI auth resumed
[05/May/2016:17:29:11 +0800] NSMMReplicationPlugin - agmt="cn=meToserver02.ABC.com" (server02:389): Missing data encountered
[05/May/2016:17:29:11 +0800] NSMMReplicationPlugin - agmt="cn=meToserver02.ABC.com" (server02:389): Incremental update failed and requires administrator action
Re: [Freeipa-users] can live turn off nsslapd-security: to off?
Already set nsslapd-security off on server 1 <> server 2, BUT it still produces errors on replication. Is it possible to ignore any cert / startTLS?

/var/log/dirsrv/slapd-PKI-IPA

[28/Apr/2016:16:51:15 +0800] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[26/Apr/2016:18:35:31 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

2016-04-28 16:15 GMT+08:00 Martin Basti <mba...@redhat.com>:
> On 28.04.2016 08:00, Barry wrote:
>> NOT work, tried.. cannot bind the command on 389 or 636, but telnet works
>>
>> ldapmodify -h ms -p 636 -D cn="Directory Manager" -w << EOF
>> dn: cn=config
>> changetype: modify
>> replace: nsslapd-security
>> nsslapd-security: off
>> EOF
>>
>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> can you please try to put FQDN name of LDAP server to option -h ?
> I have doubts that -h 'ms' is server name
>
> Martin
>
>> 2016-04-27 19:29 GMT+08:00 <barry...@gmail.com>:
>>> thx let me try as i don't want to stop dirsrv but live disable nsslapd
>>> security.
>>>
>>> On Apr 27, 2016 at 7:26 PM, "David Kupka" <dku...@redhat.com> wrote:
>>>> On 27/04/16 13:15, barry...@gmail.com wrote:
>>>>> Do you mean use ldapmodify?
>>>>> I tried updating the dse.ldif but it will fall back after a while.
>>>>>
>>>>> On Apr 27, 2016 at 7:10 PM, "David Kupka" <dku...@redhat.com> wrote:
>>>>>> On 27/04/16 12:48, barry...@gmail.com wrote:
>>>>>>> Hi:
>>>>>>>
>>>>>>> Without restarting dirsrv possible do that ?
>>>>>>>
>>>>>>> thx Regards
>>>>>>>
>>>>>>> barry
>>>>>>
>>>>>> Hello Barry,
>>>>>>
>>>>>> this ldapsearch should list all attributes that needs restart after
>>>>>> modification:
>>>>>>
>>>>>> $ ldapsearch -D "cn=Directory Manager" -w Secret123 -b cn=config
>>>>>> nsslapd-requiresrestart
>>>>>>
>>>>>> I don't see nsslapd-security listed so it should be possible to
>>>>>> change it in
>>>>>> runtime.
>>>>>>
>>>>>> --
>>>>>> David Kupka
>>>>
>>>> Yes, I mean ldapmodify.
>>>>
>>>> Editing dse.ldif while dirsrv is running has no effect because it is
>>>> read only at start and written at least before exit.
>>>>
>>>> If you REALLY need to edit dse.ldif be sure to stop dirsrv then edit it
>>>> and start dirsrv again.
>>>>
>>>> --
>>>> David Kupka
Re: [Freeipa-users] can live turn off nsslapd-security: to off?
NOT work, tried.. cannot bind the command on 389 or 636, but telnet works

ldapmodify -h ms -p 636 -D cn="Directory Manager" -w << EOF
dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: off
EOF

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

2016-04-27 19:29 GMT+08:00 <barry...@gmail.com>:
> thx let me try as i don't want to stop dirsrv but live disable nsslapd
> security.
>
> On Apr 27, 2016 at 7:26 PM, "David Kupka" <dku...@redhat.com> wrote:
>> On 27/04/16 13:15, barry...@gmail.com wrote:
>>> Do you mean use ldapmodify?
>>> I tried updating the dse.ldif but it will fall back after a while.
>>>
>>> On Apr 27, 2016 at 7:10 PM, "David Kupka" <dku...@redhat.com> wrote:
>>>> On 27/04/16 12:48, barry...@gmail.com wrote:
>>>>> Hi:
>>>>>
>>>>> Without restarting dirsrv possible do that ?
>>>>>
>>>>> thx Regards
>>>>>
>>>>> barry
>>>>
>>>> Hello Barry,
>>>>
>>>> this ldapsearch should list all attributes that needs restart after
>>>> modification:
>>>>
>>>> $ ldapsearch -D "cn=Directory Manager" -w Secret123 -b cn=config
>>>> nsslapd-requiresrestart
>>>>
>>>> I don't see nsslapd-security listed so it should be possible to
>>>> change it in
>>>> runtime.
>>>>
>>>> --
>>>> David Kupka
>>
>> Yes, I mean ldapmodify.
>>
>> Editing dse.ldif while dirsrv is running has no effect because it is read
>> only at start and written at least before exit.
>>
>> If you REALLY need to edit dse.ldif be sure to stop dirsrv then edit it
>> and start dirsrv again.
>>
>> --
>> David Kupka
Re: [Freeipa-users] error after change cert
Any command to make it refresh? It seems it's still getting the old GoDaddy history?

2015-07-06 21:45 GMT+08:00 barry...@gmail.com:
> Do you mean this: I already added the cert to NSS and even /etc/ipa/ca.crt replaced
>
> [root@(LIVE) slapd-Wwww-COM]$ certutil -d /etc/pki/nssdb -L
>
> Certificate Nickname                                   Trust Attributes
>                                                        SSL,S/MIME,JAR/XPI
>
> COMODO RSA Domain Validation Secure Server CA          CT,C,C
> IPA CA                                                 CT,C,C
> COMODO RSA Certification Authority                     CT,C,C
>
> 2015-07-06 21:39 GMT+08:00 Rob Crittenden <rcrit...@redhat.com>:
>> barry...@gmail.com wrote:
>>> the cert already in httpd / ldap side. but it prompt error
>>>
>>> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
>>> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
>>>
>>> *.wisers.com - COMODO CA Limited                       u,u,u
>>> COMODO RSA Domain Validation Secure Server CA          CT,C,C
>>> COMODO RSA Certification Authority                     CT,C,C
>>
>> Taking a wild guess here due to limited information, but check the value
>> of nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config. This is the NSS
>> nickname of the server certificate to use.
>>
>> rob
>>
>>> 2015-07-06 20:01 GMT+08:00 barry...@gmail.com:
>>>> hi:
>>>>
>>>> i changed cert already but it seems it still keeps history of GoDaddy, any help??
>>>>
>>>> www-COM...[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Can't find certificate (*.wwwcom - GoDaddy.com, Inc.) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>>>> [06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Unable to retrieve private key for cert *.www.com - GoDaddy.com, Inc. of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>>>> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
>>>> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
Re: [Freeipa-users] check access log of when a user logs in to the integrated system
Hi:

Yes, there are some logs showing the user, but it seems it logs the user who directly logs in to LDAP using their uid. I integrated Bugzilla using uid=ldap... then other users can log in freely... it seems it logged "ldap", not the users inside using Bugzilla.

2014-08-13 14:36 GMT+08:00 Alexander Bokovoy <aboko...@redhat.com>:
> On Wed, 13 Aug 2014, barry...@gmail.com wrote:
>> Hi all:
>>
>> I have a Bugzilla integrated with LDAP... is it possible to check when the
>> user logs in through the access log of the LDAP FreeIPA server?
>> What sentence should it look like?
>
> For example, following will return you date and uid of the user login.
>
> # cat /var/log/dirsrv/slapd-EXAMPLE-COM/access|awk '/RESULT.*dn=uid=/ { split($10, a, /[=,]/); print $1,$2,a[3] }'
> [12/Aug/2014:20:27:57 +0200] abbra
> [12/Aug/2014:20:28:23 +0200] abbra
> [12/Aug/2014:20:30:33 +0200] abbra
> [13/Aug/2014:08:06:48 +0200] admin
>
> --
> / Alexander Bokovoy
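A Python version of Alexander's check, added here as an example and not part of the thread or of 389-ds: it correlates each BIND with its RESULT by conn/op, so failed binds (err=49, the "Invalid credentials" code seen in the replication errors earlier on this page) are reported alongside successful ones instead of only the successful RESULT lines that carry dn=; the log lines are constructed. As Barry observes, an application that binds with one service account (uid=ldap in the sample) shows up as that account, not as its end users.

```python
"""Summarise LDAP bind activity from a 389-ds access log."""
import re
from collections import defaultdict

# Constructed sample in 389-ds access log format (not a real capture).
SAMPLE_ACCESS_LOG = """\
[12/Aug/2014:20:27:57 +0200] conn=5 op=0 BIND dn="uid=abbra,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[12/Aug/2014:20:27:57 +0200] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=uid=abbra,cn=users,cn=accounts,dc=example,dc=com
[12/Aug/2014:20:27:58 +0200] conn=5 op=1 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(uid=abbra)" attrs=ALL
[12/Aug/2014:20:27:58 +0200] conn=5 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[12/Aug/2014:20:28:23 +0200] conn=6 op=0 BIND dn="uid=ldap,cn=sysaccounts,cn=etc,dc=example,dc=com" method=128 version=3
[12/Aug/2014:20:28:23 +0200] conn=6 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=uid=ldap,cn=sysaccounts,cn=etc,dc=example,dc=com
[12/Aug/2014:20:30:33 +0200] conn=7 op=0 BIND dn="uid=abbra,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[12/Aug/2014:20:30:33 +0200] conn=7 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[13/Aug/2014:08:06:40 +0200] conn=8 op=0 BIND dn="" method=128 version=3
[13/Aug/2014:08:06:40 +0200] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[13/Aug/2014:08:06:48 +0200] conn=9 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[13/Aug/2014:08:06:48 +0200] conn=9 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=uid=admin,cn=users,cn=accounts,dc=example,dc=com
"""

BIND_RE = re.compile(r'^\[([^\]]+)\] conn=(\d+) op=(\d+) BIND dn="([^"]*)" ')
RESULT_RE = re.compile(r'^\[([^\]]+)\] conn=(\d+) op=(\d+) RESULT err=(\d+)')
UID_RE = re.compile(r'^uid=([^,]+)', re.IGNORECASE)

ERR_NAMES = {0: "success", 49: "invalid credentials"}  # LDAP result codes seen on this page


def parse_binds(log_text):
    """Return one event per completed bind: time, conn, dn and LDAP err code.

    The DN is taken from the BIND line and matched to its RESULT by (conn, op),
    so a failed bind is captured even though its RESULT line carries no dn=.
    """
    pending = {}  # (conn, op) -> (time, dn) from the BIND line
    events = []
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            ts, conn, op, dn = m.groups()
            pending[(conn, op)] = (ts, dn)
            continue
        m = RESULT_RE.match(line)
        if m and (m.group(2), m.group(3)) in pending:
            _, dn = pending.pop((m.group(2), m.group(3)))
            events.append({"time": m.group(1), "conn": m.group(2),
                           "dn": dn, "err": int(m.group(4))})
    return events


def uid_of(dn):
    """Leading uid= RDN of the bound DN; an empty DN is an anonymous bind."""
    if not dn:
        return "anonymous"
    m = UID_RE.match(dn)
    return m.group(1) if m else dn


def summarize(events):
    """Per-uid counts of successful and failed binds."""
    stats = defaultdict(lambda: {"ok": 0, "failed": 0})
    for ev in events:
        stats[uid_of(ev["dn"])]["ok" if ev["err"] == 0 else "failed"] += 1
    return dict(stats)


def failed_binds(events):
    """(time, uid, reason) for every bind that did not succeed."""
    return [(ev["time"], uid_of(ev["dn"]), ERR_NAMES.get(ev["err"], "err=%d" % ev["err"]))
            for ev in events if ev["err"] != 0]


if __name__ == "__main__":
    evs = parse_binds(SAMPLE_ACCESS_LOG)
    for uid, counts in sorted(summarize(evs).items()):
        print("%-10s ok=%d failed=%d" % (uid, counts["ok"], counts["failed"]))
    for when, uid, reason in failed_binds(evs):
        print("FAILED %s %s (%s)" % (when, uid, reason))
```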