Re: [Freeipa-users] Make GPG replica fail, which cert store should I update with the new cert?

2017-03-07 Thread Barry
Same as before, I already followed the part for < 4.1 as below:

https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1

The Comodo cert is the new cert.
It seems I am nearly right: the HTTP server side can read the trusted cert,
BUT it seems dirsrv is still lacking a CA cert to verify it...
but ca.crt was already changed to the new one and imported.

ABC-COM...[07/Mar/2017:19:17:22 +0800] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert *.ABC.com -
COMODO CA Limited of family cn=RSA,cn=encryption,cn=config (Netscape
Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)


2017-03-07 17:16 GMT+08:00 Florence Blanc-Renaud <f...@redhat.com>:

> Hi,
>
> In IPA < 4.5, ipa-replica-prepare was using /etc/ipa/ca.crt as Certificate
> Authority, and this file may be outdated. Running ipa-certupdate may fix
> your issue. See [1]
>
> If it doesn't, you can start by identifying which certificate expired with
> $ sudo getcert list | egrep -e 'expires|Request ID|subject'
>
> HTH,
> Flo
>
> [1] https://pagure.io/freeipa/issue/6375
>
> On 03/07/2017 04:14 AM, barry...@gmail.com wrote:
>
>> gpg
>>
>> Creating SSL certificate for the Directory Server
>> ipa : ERROR cert validation failed for "CN=central.ABC.com,O=ABC.COM"
>> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>> preparation of replica failed: cannot connect to
>> 'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>> cannot connect to
>> 'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>>   File "/usr/sbin/ipa-replica-prepare", line 490, in 
>> main()
>>
>>   File "/usr/sbin/ipa-replica-prepare", line 361, in main
>> export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
>> replica_fqdn, subject_base)
>>
>>   File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb
>> raise e
>>
>>
>>
>>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] How to reinstall the CA or the dogtag system

2016-06-28 Thread Barry
Hi:

Errors occur... the cert has no problem... it seems a CA error and it cannot track the cert.
Thanks

ipa-replica-prepare c03.abc.com --ip-address 192.168.1.73
Directory Manager (existing master) password:

preparation of replica failed: cannot connect to
u'ldapi://%2fvar%2frun%2fslapd-WISERS-COM.socket': LDAP Server Down
cannot connect to u'ldapi://%2fvar%2frun%2fslapd-ABC.COM.socket': LDAP
Server Down
  File "/usr/sbin/ipa-replica-prepare", line 490, in 
main()

  File "/usr/sbin/ipa-replica-prepare", line 274, in main
conn.connect(bind_dn=DN(('cn', 'directory manager')),
bind_pw=dirman_password)

  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in
connect
conn = self.create_connection(*args, **kw)

  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line
846, in create_connection
self.handle_errors(e)

  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line
736, in handle_errors
error=u'LDAP Server Down')

[root@central ~]# ipa-replica-prepare central03.wisers.com --ip-address
192.168.1.73
Directory Manager (existing master) password:

preparation of replica failed: cannot connect to
u'ldapi://%2fvar%2frun%2fslapd-ABC.COM.socket': LDAP Server Down
cannot connect to u'ldapi://%2fvar%2frun%2fslapd-ABC-COM.socket': LDAP
Server Down
  File "/usr/sbin/ipa-replica-prepare", line 490, in 
main()

  File "/usr/sbin/ipa-replica-prepare", line 274, in main
conn.connect(bind_dn=DN(('cn', 'directory manager')),
bind_pw=dirman_password)

  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in
connect
conn = self.create_connection(*args, **kw)

  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line
846, in create_connection
self.handle_errors(e)

  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line
736, in handle_errors
error=u'LDAP Server Down')

Re: [Freeipa-users] IPA replica cannot be generated as the cert expired, which folder should I replace the new cert in?

2016-05-24 Thread Barry
Hi:

Which location should I renew the cert in?
httpd/alias
etc/dirsrv/slapd*

Enough?
On May 24, 2016 at 10:01 PM, "Rob Crittenden" <rcrit...@redhat.com> wrote:

> barry...@gmail.com wrote:
>
>> hi all:
>>
>>
>> Thanks, as the title says
>>
>> ipa : ERROR cert validation failed for "CN=server.abc.com,O=WISERS.COM"
>> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>> preparation of replica failed: cannot connect to
>> 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>> cannot connect to
>> 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>>
>
> The root of all your problems is that your certificates are expired.
> Fixing this should be your priority. This is probably going to involve
> going back in time to when the certificates are still valid, restarting
> IPA, restarting certmonger and waiting for things to properly renew. It can
> take some time as the certificates don't all renew at once.
>
> I suspect that once renewed and returned to current time the rest of your
> problems will, for the most part, go away.
>
> rob
>

Re: [Freeipa-users] Restore from backup, starting server will error but succeeds

2016-05-10 Thread Barry
The bottom one, the manual file-based backup/restore. I remember there is one for
3.0.

And it tested working before.
On May 10, 2016 at 8:00 PM, "Petr Vobornik" <pvobo...@redhat.com> wrote:

> On 05/10/2016 01:49 PM, Martin Basti wrote:
> > No there is not python 2.7 on centos 6.x, maybe there is something wrong
> in the
> > code, let me check first
>
> How did you run the backup and restore? AFAIK it was introduced in
> FreeIPA 3.2, then it was introduced in ipa 3.3 release on RHEL 7. It is
> not on RHEL 6.
>
> >
> >
> > On 10.05.2016 13:34, Barry wrote:
> >>
> >> IPA 3.0 e47
> >>
> >> CentOS 6.5. Just update Python?
> >>
> >> On May 10, 2016 at 6:58 PM, "Martin Basti" <mba...@redhat.com> wrote:
> >>
> >>
> >>
> >> On 10.05.2016 12:41, barry...@gmail.com wrote:
> >>> Hi:
> >>>
> >>> Restored from backup following the procedure below:
> >>> http://www.freeipa.org/page/V3/Backup_and_Restore
> >>>
> >>> Now the server web page launches but cannot be accessed:
> >>> Sorry you are not allowed to access this service.
> >>>
> >>> Starting dirsrv:
> >>> PKI-IPA... [  OK  ]
> >>> WISERS-COM... [  OK  ]
> >>> Starting KDC Service
> >>> Starting Kerberos 5 KDC:   [  OK  ]
> >>> Starting KPASSWD Service
> >>> Starting Kerberos 5 Admin Server:  [  OK  ]
> >>> Starting MEMCACHE Service
> >>> Starting ipa_memcached:[ OK  ]
> >>> Starting HTTP Service
> >>> Starting httpd:[ OK  ]
> >>> Starting CA Service
> >>>
> >>>
> >>> Starting CA Service
> >>> Traceback (most recent call last):
> >>>   File "/usr/sbin/pki-server", line 88, in 
> >>> cli = PKIServerCLI()
> >>>   File "/usr/sbin/pki-server", line 34, in __init__
> >>> super(PKIServerCLI, self).__init__('pki-server', 'PKI server
> >>> command-line interface')
> >>>   File "/usr/lib/python2.6/site-packages/pki/cli.py", line 39, in
> __init__
> >>> self.modules = collections.OrderedDict()
> >>> AttributeError: 'module' object has no attribute 'OrderedDict'
> >>> Starting pki-ca:   [ OK  ]
> >>>
> >>>
> >>> Any idea above?
> >>>
> >>>
> >>
> >> You are using the old python, python 2.7 is required, which version
> of OS
> >> and IPA do you use?
> >> Martin
> >>
> >
> >
> >
>
>
> --
> Petr Vobornik
>

Re: [Freeipa-users] Restore from backup, starting server will error but succeeds

2016-05-10 Thread Barry
IPA 3.0 e47

CentOS 6.5. Just update Python?
On May 10, 2016 at 6:58 PM, "Martin Basti" <mba...@redhat.com> wrote:

>
>
> On 10.05.2016 12:41, barry...@gmail.com wrote:
>
> Hi:
>
> Restored from backup following the procedure below:
> http://www.freeipa.org/page/V3/Backup_and_Restore
>
> Now the server web page launches but cannot be accessed:
> Sorry you are not allowed to access this service.
>
> Starting dirsrv:
> PKI-IPA... [  OK  ]
> WISERS-COM...  [  OK  ]
> Starting KDC Service
> Starting Kerberos 5 KDC:   [  OK  ]
> Starting KPASSWD Service
> Starting Kerberos 5 Admin Server:  [  OK  ]
> Starting MEMCACHE Service
> Starting ipa_memcached:[  OK  ]
> Starting HTTP Service
> Starting httpd:[  OK  ]
> Starting CA Service
>
>
> Starting CA Service
> Traceback (most recent call last):
>   File "/usr/sbin/pki-server", line 88, in 
> cli = PKIServerCLI()
>   File "/usr/sbin/pki-server", line 34, in __init__
> super(PKIServerCLI, self).__init__('pki-server', 'PKI server
> command-line interface')
>   File "/usr/lib/python2.6/site-packages/pki/cli.py", line 39, in __init__
> self.modules = collections.OrderedDict()
> AttributeError: 'module' object has no attribute 'OrderedDict'
> Starting pki-ca:   [  OK  ]
>
>
> Any idea above?
>
>
>
> You are using the old python, python 2.7 is required, which version of OS
> and IPA do you use?
> Martin
>

Re: [Freeipa-users] server 1 and server 2 cannot replicate now, maybe the SSL cert expired

2016-05-08 Thread Barry
Hello Barry,

Can you provide more info?

What is your IPA version, OS?

CentOS 6.5

server1 - ipa-server-3.0.0-47.el6.centos.2.x86_64
server 2 - ipa-server-3.0.0-37.el6.x86_64

What are the symptoms you are experiencing?

server1's updates do not transfer to server 2, but server 2 can transfer to
server 1 even with the cert expired.

What do you mean by default IPA cert? If the cert is the issue then fall back to
the original, not-expired self-signed cert.

Can you provide logs from replicas?

From server 2

[09/May/2016:12:09:05 +0800] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49
(Invalid credentials) (SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure.  Minor code may provide more information (Unknown error))
errno 0 (Success)
[09/May/2016:12:09:05 +0800] slapi_ldap_bind - Error: could not perform
interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)

Can you provide `getcert list` command output?

Server 1 - Number of certificates and requests being tracked: 0.  << NO
record
Server 2 -

Number of certificates and requests being tracked: 3.
Request ID '20140106083849':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='ABC-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-ABC-COM/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='ABC-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=ABC.COM
subject: CN=central02.ABC.com,O=ABC.COM
expires: 2015-12-19 06:40:44 UTC
eku: id-kp-ABCAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv ABC-COM
track: yes
auto-renew: yes
Request ID '20140106083931':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ABC-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ABC-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=ABC.COM
subject: CN=central02.ABC.com,O=ABC.COM
expires: 2015-12-19 06:40:46 UTC
eku: id-kp-ABCAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20140106083944':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-retrieve-agent-submit
issuer: CN=Certificate Authority,O=ABC.COM
subject: CN=IPA RA,O=ABC.COM
expires: 2015-11-12 08:41:45 UTC
eku: id-kp-ABCAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes


Can you provide `ipactl status` from both server?

Server1 - Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING


Server 2 =

Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING

Now I don't want any cert, just GSSAPI to work...


Replication uses GSSAPI, at least on new IPA versions, I'm not sure if
certificates are involved in this.

Martin


2016-05-02 18:28 GMT+08:00 Martin Basti <mba...@redhat.com>:

> Hello,
>
> Can you try to upgrade server to the same version?
>
> You did not provided all information I requested.
>
> Martin
>
>
> On 29.04.2016 19:13, barry...@gmail.com wrote:
>
> server 1:
> ipa-server-3.0.0-26.el6_4.4.x86_64
>
> server2
>
> ipa-server-3.0.0-37.el6.x86_64
>
> 2016-04-30 1:10 GMT+08:00 <barry...@gmail.com>:
>
>>
>> ipa-server-3.0.0-37.el6.x86_64  << here
>>
>> 2016-04-29 19:36 GMT+08:00 Martin Basti <mba...@redhat.com>:
>>
>>> Please keep, user-list in CC
>>>
>>> You did not send all information I requested.
>>>
>>> Please use `rpm -ql ipa-server` to get exact version number
>>>
>>>
>>> On 29.04.2016 13:32, barry...@gmail.com wrote:
>>>
> >>> The error is from GSSAPI, and I am thinking whether it relates to the cert issue.
>>>
>>> Server1> server 2 fail
>>> Server 2   > server1 ok
>>>
>>> Freeipa 3.0  both
>>>
>>> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive
>>> bind for i

[Freeipa-users] Error: Server updates not synced to Server02 but the reverse is OK

2016-05-05 Thread Barry
Hi all:

Original config: server <> server02, either server can add a user and sync.

Now server < server02; GSSAPI shows as below... Any idea? Thanks

[05/May/2016:17:29:03 +0800] - 389-Directory/1.2.11.25 B2013.325.1951
starting up
[05/May/2016:17:29:03 +0800] - WARNING: userRoot: entry cache size
10485760B is less than db size 17113088B; We recommend to increase the
entry cache size nsslapd-cachememsize.
[05/May/2016:17:29:03 +0800] attrcrypt - attrcrypt_unwrap_key: failed to
unwrap key for cipher AES
[05/May/2016:17:29:03 +0800] attrcrypt - attrcrypt_cipher_init: symmetric
key failed to unwrap with the private key; Cert might have been renewed
since the key is wrapped.  To recover the encrypted contents, keep the
wrapped symmetric key value.
[05/May/2016:17:29:03 +0800] attrcrypt - attrcrypt_unwrap_key: failed to
unwrap key for cipher 3DES
[05/May/2016:17:29:03 +0800] attrcrypt - attrcrypt_cipher_init: symmetric
key failed to unwrap with the private key; Cert might have been renewed
since the key is wrapped.  To recover the encrypted contents, keep the
wrapped symmetric key value.
[05/May/2016:17:29:03 +0800] attrcrypt - All prepared ciphers are not
available. Please disable attribute encryption.
[05/May/2016:17:29:03 +0800] schema-compat-plugin - warning: no entries set
up under cn=computers, cn=compat,dc=ABC,dc=com
[05/May/2016:17:29:07 +0800] schema-compat-plugin - warning: no entries set
up under cn=ng, cn=compat,dc=ABC,dc=com
[05/May/2016:17:29:07 +0800] schema-compat-plugin - warning: no entries set
up under ou=sudoers,dc=ABC,dc=com
[05/May/2016:17:29:07 +0800] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=ABC,dc=com--no CoS Templates found, which should be
added before the CoS Definition.
[05/May/2016:17:29:07 +0800] set_krb5_creds - Could not get initial
credentials for principal [ldap/server.abc@abc.com] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
requested realm)
[05/May/2016:17:29:07 +0800] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Credentials cache file
'/tmp/krb5cc_492' not found)) errno 0 (Success)
[05/May/2016:17:29:07 +0800] slapi_ldap_bind - Error: could not perform
interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[05/May/2016:17:29:07 +0800] NSMMReplicationPlugin - agmt="cn=
meToserver02.ABC.com" (server02:389): Replication bind with GSSAPI auth
failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure.  Minor code may provide more information
(Credentials cache file '/tmp/krb5cc_492' not found))
[05/May/2016:17:29:07 +0800] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=ABC,dc=com--no CoS Templates found, which should be
added before the CoS Definition.
[05/May/2016:17:29:07 +0800] - slapd started.  Listening on All Interfaces
port 389 for LDAP requests
[05/May/2016:17:29:07 +0800] - Listening on All Interfaces port 636 for
LDAPS requests
[05/May/2016:17:29:07 +0800] - Listening on /var/run/slapd-ABC-COM.socket
for LDAPI requests
[05/May/2016:17:29:11 +0800] NSMMReplicationPlugin - agmt="cn=
meToserver02.ABC.com" (server02:389): Replication bind with GSSAPI auth
resumed
[05/May/2016:17:29:11 +0800] NSMMReplicationPlugin - agmt="cn=
meToserver02.ABC.com" (server02:389): Missing data encountered
[05/May/2016:17:29:11 +0800] NSMMReplicationPlugin - agmt="cn=
meToserver02.ABC.com" (server02:389): Incremental update failed and
requires administrator action
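
The log Barry pasted reads as one failure chain: dirsrv could not get Kerberos credentials ("Cannot contact any KDC for requested realm" at startup), so the GSSAPI bind for the replication agreement failed; once the bind resumed, the agreement reported "Missing data encountered" and "Incremental update failed and requires administrator action". The attrcrypt lines are a separate symptom that 389-ds itself ties to a renewed certificate. The following is an added example for this thread, not 389-ds or FreeIPA code: a triage over errors-log entries that files each one under a category, records the first Kerberos error, and reports which agreements still have a failing bind and which need administrator action. The sample entries are constructed from Barry's paste (agreement name, principal and timestamps as posted, re-joined onto single lines as slapd writes them).

```python
"""Triage a 389-ds errors log for the failure chain behind a broken
replication agreement: Kerberos -> GSSAPI bind -> replication, plus the
attrcrypt and TLS noise that appears when certificates have been swapped.

Added example for this thread, not code from 389-ds or FreeIPA.
"""
import re
from collections import Counter

# Constructed from the log Barry posted, one entry per line.
SAMPLE_ERRORS_LOG = """\
[05/May/2016:17:29:03 +0800] - 389-Directory/1.2.11.25 B2013.325.1951 starting up
[05/May/2016:17:29:03 +0800] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[05/May/2016:17:29:03 +0800] attrcrypt - attrcrypt_cipher_init: symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped.  To recover the encrypted contents, keep the wrapped symmetric key value.
[05/May/2016:17:29:03 +0800] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher 3DES
[05/May/2016:17:29:03 +0800] attrcrypt - attrcrypt_cipher_init: symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped.  To recover the encrypted contents, keep the wrapped symmetric key value.
[05/May/2016:17:29:03 +0800] attrcrypt - All prepared ciphers are not available. Please disable attribute encryption.
[05/May/2016:17:29:07 +0800] set_krb5_creds - Could not get initial credentials for principal [ldap/server.abc.com@ABC.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[05/May/2016:17:29:07 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)
[05/May/2016:17:29:07 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[05/May/2016:17:29:07 +0800] NSMMReplicationPlugin - agmt="cn=meToserver02.ABC.com" (server02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found))
[05/May/2016:17:29:07 +0800] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[05/May/2016:17:29:11 +0800] NSMMReplicationPlugin - agmt="cn=meToserver02.ABC.com" (server02:389): Replication bind with GSSAPI auth resumed
[05/May/2016:17:29:11 +0800] NSMMReplicationPlugin - agmt="cn=meToserver02.ABC.com" (server02:389): Missing data encountered
[05/May/2016:17:29:11 +0800] NSMMReplicationPlugin - agmt="cn=meToserver02.ABC.com" (server02:389): Incremental update failed and requires administrator action
"""

LOG_LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s*(?P<rest>.*)$")
AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)".*?: (?P<msg>.*)$')

# First matching category wins, so the replication-plugin line that also
# mentions the credentials cache is filed under "replication", not "kerberos".
CATEGORIES = [
    ("replication", re.compile(r"NSMMReplicationPlugin - agmt=")),
    ("gssapi_bind", re.compile(r"could not perform interactive bind .*mech \[GSSAPI\]")),
    ("kerberos", re.compile(r"set_krb5_creds - Could not get initial credentials|Cannot contact any KDC")),
    ("attrcrypt", re.compile(r"attrcrypt - .*(failed to unwrap|are not available)")),
    ("tls", re.compile(r"SSL alert:|SSL failure:|could not send startTLS request")),
]


def classify_line(line):
    """(timestamp, category, message) for one entry, or None if unparseable."""
    m = LOG_LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    for name, rx in CATEGORIES:
        if rx.search(rest):
            return m.group("ts"), name, rest
    return m.group("ts"), "other", rest


def triage(lines):
    """Counts per category, agreements whose last state needs administrator
    action, agreements whose GSSAPI bind never resumed, and the first Kerberos
    error (the usual root of a GSSAPI bind failure)."""
    events = [e for e in map(classify_line, lines) if e is not None]
    counts = Counter(cat for _, cat, _ in events)
    needs_admin, bind_failed, first_krb = set(), set(), None
    for ts, cat, rest in events:
        if cat == "kerberos" and first_krb is None:
            first_krb = ts
        if cat != "replication":
            continue
        m = AGMT_RE.search(rest)
        if not m:
            continue
        agmt, msg = m.group("agmt"), m.group("msg")
        if msg.startswith(("Incremental update failed", "Missing data encountered")):
            needs_admin.add(agmt)
        elif msg.startswith("Replication bind") and "failed" in msg:
            bind_failed.add(agmt)
        elif msg.startswith("Replication bind") and "resumed" in msg:
            bind_failed.discard(agmt)
    return {
        "counts": dict(counts),
        "needs_admin_action": sorted(needs_admin),
        "bind_still_failing": sorted(bind_failed),
        "first_kerberos_failure": first_krb,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ERRORS_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Feed it `/var/log/dirsrv/slapd-<INSTANCE>/errors` from the master whose outbound replication fails. On the sample the bind recovers on its own once the KDC is reachable, but the agreement stays under `needs_admin_action`: that state does not clear by itself, and the usual remedy is to re-initialise the consumer from a good master (`ipa-replica-manage re-initialize --from <master>`).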

Re: [Freeipa-users] Can I turn nsslapd-security off live?

2016-04-28 Thread Barry
Already set nsslapd-security off on server 1 <> server 2.

But it still produces errors on replication. Is it possible to ignore any cert /
startTLS?

/var/log/dirsrv/slapd-PKI-IPA
[28/Apr/2016:16:51:15 +0800] slapi_ldap_bind - Error: could not send
startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport
endpoint is not connected)

[26/Apr/2016:18:35:31 +0800] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1
(Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not
connected)

2016-04-28 16:15 GMT+08:00 Martin Basti <mba...@redhat.com>:

>
>
> On 28.04.2016 08:00, Barry wrote:
>
> Tried, NOT working... cannot bind with the command on 389 or 636, but telnet works
>
> ldapmodify -h ms -p 636 -D cn="Directory Manager" -w << EOF
> dn: cn=config
> changetype: modify
> replace: nsslapd-security
> nsslapd-security: off
> EOF
>
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> can you please try to put FQDN name of LDAP server to option -h ?
> I have doubts that -h 'ms' is server name
>
> Martin
>
>
>
> 2016-04-27 19:29 GMT+08:00 <barry...@gmail.com>:
>
>> Thanks, let me try, as I don't want to stop dirsrv but live-disable
>> nsslapd-security.
>> On April 27, 2016 at 7:26 PM, "David Kupka" <dku...@redhat.com> wrote:
>>
>>> On 27/04/16 13:15, barry...@gmail.com wrote:
>>>
>>>> Do you mean use ldapmodify?
>>>> I tried updating the dse.ldif but it falls back after a while.
>>>>
> >>>> On April 27, 2016 at 7:10 PM, "David Kupka" <dku...@redhat.com> wrote:
> >>>>
> >>>> On 27/04/16 12:48, barry...@gmail.com wrote:
>>>>
>>>> Hi:
>>>>
>>>> Without restarting dirsrv possible do that ?
>>>>
>>>>
>>>> thx Regards
>>>>
>>>> barry
>>>>
>>>>
>>>>
>>>>
>>>> Hello Barry,
>>>>
>>>> this ldapsearch should list all attributes that needs restart after
>>>> modification:
>>>>
>>>> $ ldapsearch -D "cn=Directory Manager" -w Secret123 -b cn=config
>>>> nsslapd-requiresrestart
>>>>
>>>> I don't see nsslapd-security listed so it should be possible to
>>>> change it in
>>>> runtime.
>>>>
>>>> --
>>>> David Kupka
>>>>
>>>>
>>> Yes, I mean ldapmodify.
>>>
>>> Editing dse.ldif while dirsrv is running has no effect because it is
>>> read only at start and written at least before exit.
>>>
>>> If you REALLY need to edit dse.ldif be sure to stop dirsrv then edit it
>>> and start dirsrv again.
>>>
>>> --
>>> David Kupka
>>>
>>
>
>
>
>

Re: [Freeipa-users] Can I turn nsslapd-security off live?

2016-04-28 Thread Barry
Tried, NOT working... cannot bind with the command on 389 or 636, but telnet works

ldapmodify -h ms -p 636 -D cn="Directory Manager" -w << EOF
dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: off
EOF

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


2016-04-27 19:29 GMT+08:00 <barry...@gmail.com>:

> Thanks, let me try, as I don't want to stop dirsrv but live-disable
> nsslapd-security.
> On April 27, 2016 at 7:26 PM, "David Kupka" <dku...@redhat.com> wrote:
>
>> On 27/04/16 13:15, barry...@gmail.com wrote:
>>
>>> Do you mean use ldapmodify?
>>> I tried updating the dse.ldif but it falls back after a while.
>>>
>>> On April 27, 2016 at 7:10 PM, "David Kupka" <dku...@redhat.com> wrote:
>>>
>>> On 27/04/16 12:48, barry...@gmail.com wrote:
>>>
>>> Hi:
>>>
>>> Without restarting dirsrv possible do that ?
>>>
>>>
>>> thx Regards
>>>
>>> barry
>>>
>>>
>>>
>>>
>>> Hello Barry,
>>>
>>> this ldapsearch should list all attributes that needs restart after
>>> modification:
>>>
>>> $ ldapsearch -D "cn=Directory Manager" -w Secret123 -b cn=config
>>> nsslapd-requiresrestart
>>>
>>> I don't see nsslapd-security listed so it should be possible to
>>> change it in
>>> runtime.
>>>
>>> --
>>> David Kupka
>>>
>>>
>> Yes, I mean ldapmodify.
>>
>> Editing dse.ldif while dirsrv is running has no effect because it is read
>> only at start and written at least before exit.
>>
>> If you REALLY need to edit dse.ldif be sure to stop dirsrv then edit it
>> and start dirsrv again.
>>
>> --
>> David Kupka
>>
>

Re: [Freeipa-users] error after change cert

2015-07-06 Thread Barry
Any command to make it refresh? It seems it is still getting the old GoDaddy history?

2015-07-06 21:45 GMT+08:00 barry...@gmail.com:

 Do you mean this:

 I already added the cert to NSS and even replaced /etc/ipa/ca.crt


 [root@(LIVE) slapd-Wwww-COM]$ certutil -d /etc/pki/nssdb -L

 Certificate Nickname                                         Trust Attributes
                                                              SSL,S/MIME,JAR/XPI

 COMODO RSA Domain Validation Secure Server CA                CT,C,C
 IPA CA                                                       CT,C,C
 COMODO RSA Certification Authority                           CT,C,C


 2015-07-06 21:39 GMT+08:00 Rob Crittenden rcrit...@redhat.com:

 barry...@gmail.com wrote:

 the cert already in httpd / ldap side. but it prompt error

 [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
 [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.

 *.wisers.com - COMODO CA Limited                             u,u,u
 COMODO RSA Domain Validation Secure Server CA                CT,C,C
 COMODO RSA Certification Authority                           CT,C,C


 Taking a wild guess here due to limited information, but check the value
 of nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config. This is the NSS
 nickname of the server certificate to use.

 rob



 2015-07-06 20:01 GMT+08:00 barry...@gmail.com:

 hi:

 I changed the cert already but it seems it still keeps the history of GoDaddy. Any
 help??


 www-COM...[06/Jul/2015:19:59:15 +0800] - SSL alert: Security
 Initialization: Can't find certificate (*.wwwcom - GoDaddy.com,
 Inc.) for family cn=RSA,cn=encryption,cn=config (Netscape Portable
 Runtime error -8174 - security library: bad database.)
 [06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization:
 Unable to retrieve private key for cert *.www.com -
 GoDaddy.com, Inc. of family cn=RSA,cn=encryption,cn=config (Netscape
 Portable Runtime error -8174 - security library: bad database.)
 [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are
 valid
 [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2
 Failed.







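
Rob's pointer above (compare `nsSSLPersonalitySSL` in `cn=RSA,cn=encryption,cn=config` with the nicknames in the NSS database) and the 2017 message at the top of the page (`CERT_VerifyCertificateNow ... Peer's Certificate issuer is not recognized` after the Comodo swap) are two sides of one check: the slapd NSS DB must contain the configured nickname with its private key, and the CA that issued it with CA trust. The Python below is an added example for this thread, not FreeIPA or NSS code. It takes the text of `certutil -d /etc/dirsrv/slapd-<INSTANCE> -L` and the `nsSSLPersonalitySSL` value (from `ldapsearch -D 'cn=Directory Manager' -W -b cn=RSA,cn=encryption,cn=config nsSSLPersonalitySSL`) and reports what is missing. Both sample listings are constructed from the ones Barry posted; the `ABC.COM IPA CA` nickname in the second sample is illustrative.

```python
"""Check a dirsrv NSS database after a third-party certificate swap: the
nickname that nsSSLPersonalitySSL names must exist with its private key, and
its issuer must be present and trusted as a CA; otherwise slapd fails SSL
initialisation ("Can't find certificate") or cannot verify its own
certificate ("Peer's Certificate issuer is not recognized").

Added example for this thread, not code from FreeIPA or NSS.
"""
import re

# Constructed from Barry's certutil -L output after importing the Comodo cert.
SAMPLE_CERTUTIL_LIST = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

*.wisers.com - COMODO CA Limited                             u,u,u
COMODO RSA Domain Validation Secure Server CA                CT,C,C
COMODO RSA Certification Authority                           CT,C,C
"""

# Constructed: server cert imported, but only the IPA CA is present, so the
# Comodo issuer chain is missing (Barry's reading of the 2017 log).
SAMPLE_MISSING_ISSUER = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

*.ABC.com - COMODO CA Limited                                u,u,u
ABC.COM IPA CA                                               CT,C,C
"""

# Nickname, two or more spaces, then the three comma-separated flag groups.
ENTRY_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")


def parse_certutil_list(output):
    """Map nickname -> (ssl, smime, jar) trust-flag strings."""
    certs = {}
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            certs[m.group("nick")] = tuple(m.group("trust").split(","))
    return certs


def check_server_nssdb(certs, personality, issuer_nick=None):
    """Return the problems found (an empty list means the DB looks usable).

    personality: value of nsSSLPersonalitySSL (the server cert's nickname).
    issuer_nick: nickname of the CA that signed the server cert, if known
                 (`certutil -d <dir> -L -n <personality>` prints the issuer DN).
    """
    problems = []
    server = certs.get(personality)
    if server is None:
        problems.append(f"nsSSLPersonalitySSL={personality!r} names no certificate in this DB; "
                        "slapd logs 'Can't find certificate' and SSL initialization fails")
        return problems
    # 'u' in the SSL flags means the private key is in this DB.
    if "u" not in server[0]:
        problems.append(f"{personality!r} has no private key here (SSL flags {server[0]!r})")
    if issuer_nick is not None:
        if issuer_nick not in certs:
            problems.append(f"issuer {issuer_nick!r} is not in the DB; "
                            "the server cert's issuer cannot be recognized")
        elif "C" not in certs[issuer_nick][0]:
            problems.append(f"issuer {issuer_nick!r} is present but not trusted as an SSL CA "
                            f"(flags {certs[issuer_nick][0]!r}); expected C or CT")
    elif not any("C" in t[0] for n, t in certs.items() if n != personality):
        # Without the issuer name we can only confirm that some CA is trusted.
        problems.append("no certificate in the DB is trusted as an SSL CA")
    return problems


if __name__ == "__main__":
    certs = parse_certutil_list(SAMPLE_CERTUTIL_LIST)
    # Old GoDaddy nickname still configured: the case in the 2015 log above.
    for p in check_server_nssdb(certs, "*.wwwcom - GoDaddy.com, Inc."):
        print("PROBLEM:", p)
    ok = not check_server_nssdb(certs, "*.wisers.com - COMODO CA Limited",
                                "COMODO RSA Domain Validation Secure Server CA")
    print("comodo nickname + issuer:", "ok" if ok else "problems")
```

Pass the issuer nickname whenever you can: without it the check only confirms that some CA is trusted for SSL, and in the second sample that CA is the IPA CA, which says nothing about whether the Comodo-issued server certificate can be verified.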

Re: [Freeipa-users] check access log of when a user login integrated system

2014-08-13 Thread Barry
Hi:

Yes, there are some logs showing the user, but it seems to log the user who directly
logs in to LDAP using their uid.
I integrated Bugzilla using a uid=ldap account, then other users can log in
freely... it seems it logged "ldap", not the users inside using Bugzilla.


2014-08-13 14:36 GMT+08:00 Alexander Bokovoy aboko...@redhat.com:

 On Wed, 13 Aug 2014, barry...@gmail.com wrote:

 Hi all:

 I have a Bugzilla integrated with LDAP... is it possible to check
 when the user logs in through the access log of the LDAP FreeIPA server?

 What sentence should it look like ?

 For example, following will return you date and uid of the user login.

 # cat /var/log/dirsrv/slapd-EXAMPLE-COM/access|awk '/RESULT.*dn=uid=/ {
 split($10, a, /[=,]/); print $1,$2,a[3] }'
 [12/Aug/2014:20:27:57 +0200] abbra
 [12/Aug/2014:20:28:23 +0200] abbra
 [12/Aug/2014:20:30:33 +0200] abbra
 [13/Aug/2014:08:06:48 +0200] admin


 --
 / Alexander Bokovoy

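
Alexander's awk prints the time and uid from RESULT lines that carry a `dn=uid=` (389-ds appends the bound DN to the RESULT of a successful bind). Barry's follow-up shows the limit of that: Bugzilla binds as its own `uid=ldap` account, so the access log records that account, not the people logging in to Bugzilla. The Python below is an added example for this thread, not FreeIPA or 389-ds code. It pairs each BIND with the RESULT of the same `conn`/`op`, so it also sees failed binds (whose RESULT has no `dn=`), and it lists the SRCH filters issued on connections bound as a given DN; if the application looks the user up by uid before logging them in, that filter is where the user's name appears. The sample log lines are constructed in the 389-ds access-log format; the uids `abbra` and `admin` echo Alexander's output, the `uid=ldap` system account and the other entries are illustrative.

```python
"""Pull logins out of a 389-ds access log: which DN bound, when, and whether
the bind succeeded, by pairing each BIND with the RESULT of the same conn/op.
Also lists the searches an application account ran on its connections.

Added example for this thread, not FreeIPA or 389-ds code.
"""
import re
from collections import Counter

# Constructed sample in 389-ds 1.2 access-log format.
SAMPLE_ACCESS_LOG = """\
[12/Aug/2014:20:27:57 +0200] conn=7 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.5
[12/Aug/2014:20:27:57 +0200] conn=7 op=0 BIND dn="uid=abbra,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[12/Aug/2014:20:27:57 +0200] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=abbra,cn=users,cn=accounts,dc=example,dc=com"
[12/Aug/2014:20:28:23 +0200] conn=8 op=0 BIND dn="uid=ldap,cn=sysaccounts,cn=etc,dc=example,dc=com" method=128 version=3
[12/Aug/2014:20:28:23 +0200] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=ldap,cn=sysaccounts,cn=etc,dc=example,dc=com"
[12/Aug/2014:20:28:23 +0200] conn=8 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs="mail cn"
[12/Aug/2014:20:28:23 +0200] conn=8 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[12/Aug/2014:20:30:33 +0200] conn=9 op=0 BIND dn="uid=jdoe,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[12/Aug/2014:20:30:33 +0200] conn=9 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[12/Aug/2014:20:31:02 +0200] conn=10 op=0 BIND dn="uid=ldap,cn=sysaccounts,cn=etc,dc=example,dc=com" method=128 version=3
[12/Aug/2014:20:31:02 +0200] conn=10 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=ldap,cn=sysaccounts,cn=etc,dc=example,dc=com"
[12/Aug/2014:20:31:02 +0200] conn=10 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(uid=msmith)" attrs="mail cn"
[12/Aug/2014:20:31:02 +0200] conn=10 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[13/Aug/2014:08:06:48 +0200] conn=11 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[13/Aug/2014:08:06:48 +0200] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
"""
SAMPLE_LINES = SAMPLE_ACCESS_LOG.splitlines()

OP_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)')
SRCH_RE = re.compile(r'^SRCH base="[^"]*" scope=\d filter="(?P<filter>[^"]*)"')
UID_RE = re.compile(r'^uid=(?P<uid>[^,]+)', re.IGNORECASE)


def parse_access_log(lines):
    """One pass over the log. Returns (binds, searches): binds carry
    ts/dn/uid/err for every BIND whose RESULT was seen; searches carry
    ts/bound_dn/filter for every SRCH, tagged with the DN bound on that conn."""
    pending = {}   # (conn, op) -> (ts, dn): BINDs waiting for their RESULT
    bound = {}     # conn -> dn that authenticated successfully on it
    binds, searches = [], []
    for line in lines:
        m = OP_RE.match(line)
        if not m:
            continue   # connection open/close lines carry no op=
        ts, conn, op, rest = m.group("ts", "conn", "op", "rest")
        b = BIND_RE.match(rest)
        if b:
            pending[(conn, op)] = (ts, b.group("dn"))
            continue
        s = SRCH_RE.match(rest)
        if s:
            searches.append({"ts": ts, "bound_dn": bound.get(conn), "filter": s.group("filter")})
            continue
        r = RESULT_RE.match(rest)
        if r and (conn, op) in pending:
            bind_ts, dn = pending.pop((conn, op))
            err = int(r.group("err"))
            if err == 0 and dn:          # dn="" is an anonymous bind
                bound[conn] = dn
            u = UID_RE.match(dn)
            binds.append({"ts": bind_ts, "dn": dn, "uid": u.group("uid") if u else None, "err": err})
    return binds, searches


def successful_logins(lines):
    """(timestamp, uid) per successful bind by a uid= entry: what Alexander's
    awk one-liner prints."""
    binds, _ = parse_access_log(lines)
    return [(b["ts"], b["uid"]) for b in binds if b["err"] == 0 and b["uid"]]


def failed_logins(lines):
    """(timestamp, uid, err) for rejected binds; err=49 is invalidCredentials.
    A failed bind's RESULT has no dn=, so a RESULT-only grep misses these."""
    binds, _ = parse_access_log(lines)
    return [(b["ts"], b["uid"], b["err"]) for b in binds if b["err"] != 0]


def lookups_by(lines, dn):
    """(timestamp, filter) of searches on connections bound as `dn`; for an
    application account this shows which users the application looked up."""
    _, searches = parse_access_log(lines)
    return [(s["ts"], s["filter"]) for s in searches if s["bound_dn"] == dn]


def bind_counts(lines):
    """Successful binds per DN; one DN dominating is the signature of an
    application binding with a single service account."""
    binds, _ = parse_access_log(lines)
    return Counter(b["dn"] for b in binds if b["err"] == 0 and b["dn"])


if __name__ == "__main__":
    for ts, uid in successful_logins(SAMPLE_LINES):
        print(ts, uid)
    for ts, uid, err in failed_logins(SAMPLE_LINES):
        print(ts, uid, "FAILED err=%d" % err)
    svc = "uid=ldap,cn=sysaccounts,cn=etc,dc=example,dc=com"
    for ts, flt in lookups_by(SAMPLE_LINES, svc):
        print(ts, "lookup by", svc.split(",")[0], flt)
```

Read the real log with `parse_access_log(open('/var/log/dirsrv/slapd-EXAMPLE-COM/access'))`; the file is iterated line by line, so it need not fit in memory. Whether the SRCH filter really identifies the person logging in depends on how the application is wired to LDAP, which is an assumption here, not something the thread establishes.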