Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-06-08 Thread James James
Yes,

as soon as 389-ds-base-1.2.11.15-56.el6 will be available, I will update
the master.

Rich Megginson says that 389-ds-base-1.2.11.15-56.el6 will be shipped with
rhel 6.7.

Thus I will wait for 6.7 before trying to update the master and create a
rhel 7 replica.

Many thanks.



2015-06-08 14:56 GMT+02:00 thierry bordaz :

>  Hi,
>
> Would you update your master to 389-ds-base-1.2.11.15-56.el6, before
> attempting the upgrade to 7 ?
>
> thanks
> thierry
>
> On 06/08/2015 12:30 PM, James James wrote:
>
> My master version is 389-ds-base-1.2.11.15-50.el6_6.x86_64 .
>
>  Thanks.
>
>
>
> 2015-06-08 10:25 GMT+02:00 thierry bordaz :
>
>>  Hello James,
>>
>> The fact that the master is more powerful than the replica increases the
>> possibility to hit that bug.
>> The bug fix is on the master side. The master is made smarter to adapt
>> its replication flow to the speed of the consumer.
>> The bug is fixed in 389-ds-base-1.3.3.1-10.el7 and
>> 389-ds-base-1.2.11.15-56.el6.
>>
>> What is the current version of your master ?
>>
>> thanks
>> thierry
>>
>> On 06/08/2015 09:49 AM, James James wrote:
>>
>> Hi Thierry,
>>
>>  thanks for your answer.
>>
>>  I was away for a long time, this is why my post comes later.
>>
>>  This timing issue is coming when you try to upgrade from rhel 6
>> (ipa-3.0) to rhel7 (ipa4.xx) ?
>>
>>  I have a physical machine for the master and a VM as replica. The
>> solution is to use a physical machine for the replica ?
>>
>>  How can I limit the cpu/memory in the physical machine (with cgroups
>> ??).
>>
>>  Any hints will be appreciated ..
>>
>>  Regards
>>
>>  James
>>
>> 2015-05-18 14:04 GMT+02:00 thierry bordaz :
>>
>>>  On 05/15/2015 05:11 PM, James James wrote:
>>>
>>>  ok Rob. Thanks for your help. I will wait for the Scientific Linux 6.7
>>> .
>>>
>>>
>>>  Hi James,
>>>
>>> Unfortunately there is no workaround. This is a timing issue mostly seen
>>> when the master is more powerful than the consumer.
>>> If you are using VM you may try to get master/replica with nearly the
>>> same cpu/memory.
>>>
>>> thanks
>>> thierry
>>>
>>>
>>>  Best.
>>>
>>>  James
>>>
>>> 2015-05-15 16:58 GMT+02:00 Rich Megginson :
>>>
>>>>  On 05/15/2015 08:46 AM, James James wrote:
>>>>
>>>> [root@ipa ~]#  rpm -q 389-ds-base
>>>> 389-ds-base-1.2.11.15-50.el6_6.x86_64
>>>>
>>>>
>>>>  Ok.  Looks like this is planned to be fixed in RHEL 6.7 with version
>>>> 389-ds-base-1.2.11.15-56.el6
>>>>
>>>> I don't know if there are any workarounds.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> 2015-05-15 16:32 GMT+02:00 Rich Megginson :
>>>>
>>>>>  On 05/15/2015 08:22 AM, James James wrote:
>>>>>
>>>>>  I think that :
>>>>>
>>>>> Starting replication, please wait until this has completed.
>>>>> Update in progress, 127 seconds elapsed
>>>>> Update in progress yet not in progress
>>>>>
>>>>>
>>>>>  looks like a time error :
>>>>> https://fedorahosted.org/freeipa/ticket/4756
>>>>>
>>>>>
>>>>>  That issue should have been fixed in 389-ds-base-1.3.3 branch.  What
>>>>> version of 389-ds-base?  rpm -q 389-ds-base
>>>>>
>>>>>
>>>>>
>>>>> 2015-05-15 16:00 GMT+02:00 Rich Megginson :
>>>>>
>>>>>>  On 05/15/2015 07:55 AM, James James wrote:
>>>>>>
>>>>>> Is it possible to change the nsds5ReplicaTimeout value to get rid of
>>>>>> this timeout error ?
>>>>>>
>>>>>>
>>>>>> What timeout error?
>>>>>>
>>>>>>
>>>>>> 2015-04-17 4:52 GMT+02:00 Rich Megginson :
>>>>>>
>>>>>>>  On 04/15/2015 10:44 PM, James James wrote:
>>>>>>>
>>>>>>> The ipareplica-install.log file in attachment ...
>>>>>>>
>>>>>>>
>>>>>>>  Here are the pertinent bits:
>>>>>>>
>>>>>>> 2015-04-15T15:06:31Z DEBUG wait_for_open_ports: lo

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-06-08 Thread James James
My master version is 389-ds-base-1.2.11.15-50.el6_6.x86_64 .

Thanks.



2015-06-08 10:25 GMT+02:00 thierry bordaz :

>  Hello James,
>
> The fact that the master is more powerful than the replica increases the
> possibility to hit that bug.
> The bug fix is on the master side. The master is made smarter to adapt its
> replication flow to the speed of the consumer.
> The bug is fixed in 389-ds-base-1.3.3.1-10.el7 and
> 389-ds-base-1.2.11.15-56.el6.
>
> What is the current version of your master ?
>
> thanks
> thierry
>
> On 06/08/2015 09:49 AM, James James wrote:
>
> Hi Thierry,
>
>  thanks for your answer.
>
>  I was away for a long time, this is why my post comes later.
>
>  This timing issue is coming when you try to upgrade from rhel 6
> (ipa-3.0) to rhel7 (ipa4.xx) ?
>
>  I have a physical machine for the master and a VM as replica. The
> solution is to use a physical machine for the replica ?
>
>  How can I limit the cpu/memory in the physical machine (with cgroups ??).
>
>  Any hints will be appreciated ..
>
>  Regards
>
>  James
>
> 2015-05-18 14:04 GMT+02:00 thierry bordaz :
>
>>  On 05/15/2015 05:11 PM, James James wrote:
>>
>>  ok Rob. Thanks for your help. I will wait for the Scientific Linux 6.7 .
>>
>>
>>  Hi James,
>>
>> Unfortunately there is no workaround. This is a timing issue mostly seen
>> when the master is more powerful than the consumer.
>> If you are using VM you may try to get master/replica with nearly the
>> same cpu/memory.
>>
>> thanks
>> thierry
>>
>>
>>  Best.
>>
>>  James
>>
>> 2015-05-15 16:58 GMT+02:00 Rich Megginson :
>>
>>>  On 05/15/2015 08:46 AM, James James wrote:
>>>
>>> [root@ipa ~]#  rpm -q 389-ds-base
>>> 389-ds-base-1.2.11.15-50.el6_6.x86_64
>>>
>>>
>>>  Ok.  Looks like this is planned to be fixed in RHEL 6.7 with version
>>> 389-ds-base-1.2.11.15-56.el6
>>>
>>> I don't know if there are any workarounds.
>>>
>>>
>>>
>>>
>>>
>>> 2015-05-15 16:32 GMT+02:00 Rich Megginson :
>>>
>>>>  On 05/15/2015 08:22 AM, James James wrote:
>>>>
>>>>  I think that :
>>>>
>>>> Starting replication, please wait until this has completed.
>>>> Update in progress, 127 seconds elapsed
>>>> Update in progress yet not in progress
>>>>
>>>>
>>>>  looks like a time error : https://fedorahosted.org/freeipa/ticket/4756
>>>>
>>>>
>>>>  That issue should have been fixed in 389-ds-base-1.3.3 branch.  What
>>>> version of 389-ds-base?  rpm -q 389-ds-base
>>>>
>>>>
>>>>
>>>> 2015-05-15 16:00 GMT+02:00 Rich Megginson :
>>>>
>>>>>  On 05/15/2015 07:55 AM, James James wrote:
>>>>>
>>>>> Is it possible to change the nsds5ReplicaTimeout value to get rid of
>>>>> this timeout error ?
>>>>>
>>>>>
>>>>> What timeout error?
>>>>>
>>>>>
>>>>> 2015-04-17 4:52 GMT+02:00 Rich Megginson :
>>>>>
>>>>>>  On 04/15/2015 10:44 PM, James James wrote:
>>>>>>
>>>>>> The ipareplica-install.log file in attachment ...
>>>>>>
>>>>>>
>>>>>>  Here are the pertinent bits:
>>>>>>
>>>>>> 2015-04-15T15:06:31Z DEBUG wait_for_open_ports: localhost [389]
>>>>>> timeout 300
>>>>>> 2015-04-15T15:06:32Z DEBUG flushing ldap://ipa.example.com:389 from
>>>>>> SchemaCache
>>>>>> 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=
>>>>>> ldap://ipa.example.com:389 conn=>>>>> instance at 0x484f4d0>
>>>>>> 2015-04-15T15:06:32Z DEBUG flushing ldaps://ipa1.example.com:636
>>>>>> from SchemaCache
>>>>>> 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=
>>>>>> ldaps://ipa1.example.com:636 conn=>>>>> instance at 0x4170290>
>>>>>> 2015-04-15T15:08:44Z DEBUG Traceback (most recent call last):
>>>>>>   File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
>>>>>> 382,
>>>>>> in start_creation
>>>>>> run_step(full_msg, method)
>>>>>>  

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-06-08 Thread James James
Hi Thierry,

thanks for your answer.

I was away for a long time, this is why my post comes later.

This timing issue is coming when you try to upgrade from rhel 6 (ipa-3.0)
to rhel7 (ipa4.xx) ?

I have a physical machine for the master and a VM as replica. The solution
is to use a physical machine for the replica ?

How can I limit the cpu/memory in the physical machine (with cgroups ??).

Any hints will be appreciated ..

Regards

James

2015-05-18 14:04 GMT+02:00 thierry bordaz :

>  On 05/15/2015 05:11 PM, James James wrote:
>
>  ok Rob. Thanks for your help. I will wait for the Scientific Linux 6.7 .
>
>
> Hi James,
>
> Unfortunately there is no workaround. This is a timing issue mostly seen
> when the master is more powerful than the consumer.
> If you are using VM you may try to get master/replica with nearly the same
> cpu/memory.
>
> thanks
> thierry
>
>
>  Best.
>
>  James
>
> 2015-05-15 16:58 GMT+02:00 Rich Megginson :
>
>>  On 05/15/2015 08:46 AM, James James wrote:
>>
>> [root@ipa ~]#  rpm -q 389-ds-base
>> 389-ds-base-1.2.11.15-50.el6_6.x86_64
>>
>>
>>  Ok.  Looks like this is planned to be fixed in RHEL 6.7 with version
>> 389-ds-base-1.2.11.15-56.el6
>>
>> I don't know if there are any workarounds.
>>
>>
>>
>>
>>
>> 2015-05-15 16:32 GMT+02:00 Rich Megginson :
>>
>>>  On 05/15/2015 08:22 AM, James James wrote:
>>>
>>>  I think that :
>>>
>>> Starting replication, please wait until this has completed.
>>> Update in progress, 127 seconds elapsed
>>> Update in progress yet not in progress
>>>
>>>
>>>  looks like a time error : https://fedorahosted.org/freeipa/ticket/4756
>>>
>>>
>>>  That issue should have been fixed in 389-ds-base-1.3.3 branch.  What
>>> version of 389-ds-base?  rpm -q 389-ds-base
>>>
>>>
>>>
>>> 2015-05-15 16:00 GMT+02:00 Rich Megginson :
>>>
>>>>  On 05/15/2015 07:55 AM, James James wrote:
>>>>
>>>> Is it possible to change the nsds5ReplicaTimeout value to get rid of
>>>> this timeout error ?
>>>>
>>>>
>>>> What timeout error?
>>>>
>>>>
>>>> 2015-04-17 4:52 GMT+02:00 Rich Megginson :
>>>>
>>>>>  On 04/15/2015 10:44 PM, James James wrote:
>>>>>
>>>>> The ipareplica-install.log file in attachment ...
>>>>>
>>>>>
>>>>>  Here are the pertinent bits:
>>>>>
>>>>> 2015-04-15T15:06:31Z DEBUG wait_for_open_ports: localhost [389]
>>>>> timeout 300
>>>>> 2015-04-15T15:06:32Z DEBUG flushing ldap://ipa.example.com:389 from
>>>>> SchemaCache
>>>>> 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=
>>>>> ldap://ipa.example.com:389 conn=>>>> instance at 0x484f4d0>
>>>>> 2015-04-15T15:06:32Z DEBUG flushing ldaps://ipa1.example.com:636 from
>>>>> SchemaCache
>>>>> 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=
>>>>> ldaps://ipa1.example.com:636 conn=>>>> instance at 0x4170290>
>>>>> 2015-04-15T15:08:44Z DEBUG Traceback (most recent call last):
>>>>>   File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382,
>>>>> in start_creation
>>>>> run_step(full_msg, method)
>>>>>   File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372,
>>>>> in run_step
>>>>> method()
>>>>>   File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
>>>>> 368, in __setup_replica
>>>>> r_bindpw=self.dm_password)
>>>>>   File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line
>>>>> 969, in setup_replication
>>>>> raise RuntimeError("Failed to start replication")
>>>>> RuntimeError: Failed to start replication
>>>>>
>>>>>  2015-04-15T15:08:44Z DEBUG   [error] RuntimeError: Failed to start
>>>>> replication
>>>>>
>>>>> The times are a little off, but I believe this corresponds to
>>>>> [15/Apr/2015:17:08:39 +0200] - import userRoot: Import complete.
>>>>> Processed 1539 entries 

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-05-15 Thread James James
ok Rob. Thanks for your help. I will wait for the Scientific Linux 6.7 .

Best.

James

2015-05-15 16:58 GMT+02:00 Rich Megginson :

>  On 05/15/2015 08:46 AM, James James wrote:
>
> [root@ipa ~]#  rpm -q 389-ds-base
> 389-ds-base-1.2.11.15-50.el6_6.x86_64
>
>
> Ok.  Looks like this is planned to be fixed in RHEL 6.7 with version
> 389-ds-base-1.2.11.15-56.el6
>
> I don't know if there are any workarounds.
>
>
>
>
>
> 2015-05-15 16:32 GMT+02:00 Rich Megginson :
>
>>  On 05/15/2015 08:22 AM, James James wrote:
>>
>>  I think that :
>>
>> Starting replication, please wait until this has completed.
>> Update in progress, 127 seconds elapsed
>> Update in progress yet not in progress
>>
>>
>>  looks like a time error : https://fedorahosted.org/freeipa/ticket/4756
>>
>>
>>  That issue should have been fixed in 389-ds-base-1.3.3 branch.  What
>> version of 389-ds-base?  rpm -q 389-ds-base
>>
>>
>>
>> 2015-05-15 16:00 GMT+02:00 Rich Megginson :
>>
>>>  On 05/15/2015 07:55 AM, James James wrote:
>>>
>>> Is it possible to change the nsds5ReplicaTimeout value to get rid of
>>> this timeout error ?
>>>
>>>
>>> What timeout error?
>>>
>>>
>>> 2015-04-17 4:52 GMT+02:00 Rich Megginson :
>>>
>>>>  On 04/15/2015 10:44 PM, James James wrote:
>>>>
>>>> The ipareplica-install.log file in attachment ...
>>>>
>>>>
>>>>  Here are the pertinent bits:
>>>>
>>>> 2015-04-15T15:06:31Z DEBUG wait_for_open_ports: localhost [389] timeout
>>>> 300
>>>> 2015-04-15T15:06:32Z DEBUG flushing ldap://ipa.example.com:389 from
>>>> SchemaCache
>>>> 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=
>>>> ldap://ipa.example.com:389 conn=>>> instance at 0x484f4d0>
>>>> 2015-04-15T15:06:32Z DEBUG flushing ldaps://ipa1.example.com:636 from
>>>> SchemaCache
>>>> 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=
>>>> ldaps://ipa1.example.com:636 conn=>>> instance at 0x4170290>
>>>> 2015-04-15T15:08:44Z DEBUG Traceback (most recent call last):
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>> line 382, in start_creation
>>>> run_step(full_msg, method)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>> line 372, in run_step
>>>> method()
>>>>   File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
>>>> 368, in __setup_replica
>>>> r_bindpw=self.dm_password)
>>>>   File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line
>>>> 969, in setup_replication
>>>> raise RuntimeError("Failed to start replication")
>>>> RuntimeError: Failed to start replication
>>>>
>>>>  2015-04-15T15:08:44Z DEBUG   [error] RuntimeError: Failed to start
>>>> replication
>>>>
>>>> The times are a little off, but I believe this corresponds to
>>>> [15/Apr/2015:17:08:39 +0200] - import userRoot: Import complete.
>>>> Processed 1539 entries in 126 seconds. (12.21 entries/sec)
>>>> [15/Apr/2015:17:08:39 +0200] NSMMReplicationPlugin -
>>>> multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is
>>>> coming online; enabling replication
>>>>
>>>>  I don't know why setup_replication is reporting an error if
>>>> replication completed successfully.
>>>>
>>>>
>>>>
>>>> 2015-04-16 2:22 GMT+02:00 Rob Crittenden :
>>>>
>>>>> Rich Megginson wrote:
>>>>> > On 04/15/2015 02:58 PM, James James wrote:
>>>>> >> Nothing on the replica .. maybe a process on the master. How can I
>>>>> >> check that ?
>>>>> >
>>>>> > I have no idea.  But it seems highly unlikely that a process on the
>>>>> > master is able to shutdown a process on the replica . . .
>>>>> >
>>>>> > I would say that there is some problem with the ipa-replica-install
>>>>> not
>>>>> > properly checking the status - see below:
>>>>> >
>>>>> >>
>>>>> >> 2

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-05-15 Thread James James
[root@ipa ~]#  rpm -q 389-ds-base
389-ds-base-1.2.11.15-50.el6_6.x86_64



2015-05-15 16:32 GMT+02:00 Rich Megginson :

>  On 05/15/2015 08:22 AM, James James wrote:
>
>  I think that :
>
> Starting replication, please wait until this has completed.
> Update in progress, 127 seconds elapsed
> Update in progress yet not in progress
>
>
>  looks like a time error : https://fedorahosted.org/freeipa/ticket/4756
>
>
> That issue should have been fixed in 389-ds-base-1.3.3 branch.  What
> version of 389-ds-base?  rpm -q 389-ds-base
>
>
>
> 2015-05-15 16:00 GMT+02:00 Rich Megginson :
>
>>  On 05/15/2015 07:55 AM, James James wrote:
>>
>> Is it possible to change the nsds5ReplicaTimeout value to get rid of
>> this timeout error ?
>>
>>
>> What timeout error?
>>
>>
>> 2015-04-17 4:52 GMT+02:00 Rich Megginson :
>>
>>>  On 04/15/2015 10:44 PM, James James wrote:
>>>
>>> The ipareplica-install.log file in attachment ...
>>>
>>>
>>>  Here are the pertinent bits:
>>>
>>> 2015-04-15T15:06:31Z DEBUG wait_for_open_ports: localhost [389] timeout
>>> 300
>>> 2015-04-15T15:06:32Z DEBUG flushing ldap://ipa.example.com:389 from
>>> SchemaCache
>>> 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=
>>> ldap://ipa.example.com:389 conn=>> instance at 0x484f4d0>
>>> 2015-04-15T15:06:32Z DEBUG flushing ldaps://ipa1.example.com:636 from
>>> SchemaCache
>>> 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=
>>> ldaps://ipa1.example.com:636 conn=>> instance at 0x4170290>
>>> 2015-04-15T15:08:44Z DEBUG Traceback (most recent call last):
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>> line 382, in start_creation
>>> run_step(full_msg, method)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>> line 372, in run_step
>>> method()
>>>   File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
>>> 368, in __setup_replica
>>> r_bindpw=self.dm_password)
>>>   File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line
>>> 969, in setup_replication
>>> raise RuntimeError("Failed to start replication")
>>> RuntimeError: Failed to start replication
>>>
>>>  2015-04-15T15:08:44Z DEBUG   [error] RuntimeError: Failed to start
>>> replication
>>>
>>> The times are a little off, but I believe this corresponds to
>>> [15/Apr/2015:17:08:39 +0200] - import userRoot: Import complete.
>>> Processed 1539 entries in 126 seconds. (12.21 entries/sec)
>>> [15/Apr/2015:17:08:39 +0200] NSMMReplicationPlugin -
>>> multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is
>>> coming online; enabling replication
>>>
>>>  I don't know why setup_replication is reporting an error if replication
>>> completed successfully.
>>>
>>>
>>>
>>> 2015-04-16 2:22 GMT+02:00 Rob Crittenden :
>>>
>>>> Rich Megginson wrote:
>>>> > On 04/15/2015 02:58 PM, James James wrote:
>>>> >> Nothing on the replica .. maybe a process on the master. How can I
>>>> >> check that ?
>>>> >
>>>> > I have no idea.  But it seems highly unlikely that a process on the
>>>> > master is able to shutdown a process on the replica . . .
>>>> >
>>>> > I would say that there is some problem with the ipa-replica-install
>>>> not
>>>> > properly checking the status - see below:
>>>> >
>>>> >>
>>>> >> 2015-04-15 21:37 GMT+02:00 Rich Megginson >>> >> <mailto:rmegg...@redhat.com>>:
>>>> >>
>>>> >> On 04/15/2015 12:43 PM, James James wrote:
>>>> >>> Here the log
>>>> >>>
>>>> >>> 2015-04-15 18:58 GMT+02:00 Rich Megginson >>> >>> <mailto:rmegg...@redhat.com>>:
>>>> >>>
>>>> >>> On 04/15/2015 09:46 AM, James James wrote:
>>>> >>>> Hello,
>>>> >>>>
>>>> >>>> I have been looking to solve my problem but I'm asking for
>>>> >>>> some help.
>>>> >>&g

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-05-15 Thread James James
I think that :

Starting replication, please wait until this has completed.
Update in progress, 127 seconds elapsed
Update in progress yet not in progress


looks like a time error : https://fedorahosted.org/freeipa/ticket/4756

2015-05-15 16:00 GMT+02:00 Rich Megginson :

>  On 05/15/2015 07:55 AM, James James wrote:
>
> Is it possible to change the nsds5ReplicaTimeout value to get rid of this
> timeout error ?
>
>
> What timeout error?
>
>
> 2015-04-17 4:52 GMT+02:00 Rich Megginson :
>
>>  On 04/15/2015 10:44 PM, James James wrote:
>>
>> The ipareplica-install.log file in attachment ...
>>
>>
>>  Here are the pertinent bits:
>>
>> 2015-04-15T15:06:31Z DEBUG wait_for_open_ports: localhost [389] timeout
>> 300
>> 2015-04-15T15:06:32Z DEBUG flushing ldap://ipa.example.com:389 from
>> SchemaCache
>> 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=
>> ldap://ipa.example.com:389 conn=> instance at 0x484f4d0>
>> 2015-04-15T15:06:32Z DEBUG flushing ldaps://ipa1.example.com:636 from
>> SchemaCache
>> 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=
>> ldaps://ipa1.example.com:636 conn=> instance at 0x4170290>
>> 2015-04-15T15:08:44Z DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 382, in start_creation
>> run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 372, in run_step
>> method()
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
>> 368, in __setup_replica
>> r_bindpw=self.dm_password)
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line
>> 969, in setup_replication
>> raise RuntimeError("Failed to start replication")
>> RuntimeError: Failed to start replication
>>
>>  2015-04-15T15:08:44Z DEBUG   [error] RuntimeError: Failed to start
>> replication
>>
>> The times are a little off, but I believe this corresponds to
>> [15/Apr/2015:17:08:39 +0200] - import userRoot: Import complete.
>> Processed 1539 entries in 126 seconds. (12.21 entries/sec)
>> [15/Apr/2015:17:08:39 +0200] NSMMReplicationPlugin -
>> multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is
>> coming online; enabling replication
>>
>>  I don't know why setup_replication is reporting an error if replication
>> completed successfully.
>>
>>
>>
>> 2015-04-16 2:22 GMT+02:00 Rob Crittenden :
>>
>>> Rich Megginson wrote:
>>> > On 04/15/2015 02:58 PM, James James wrote:
>>> >> Nothing on the replica .. maybe a process on the master. How can I
>>> >> check that ?
>>> >
>>> > I have no idea.  But it seems highly unlikely that a process on the
>>> > master is able to shutdown a process on the replica . . .
>>> >
>>> > I would say that there is some problem with the ipa-replica-install not
>>> > properly checking the status - see below:
>>> >
>>> >>
>>> >> 2015-04-15 21:37 GMT+02:00 Rich Megginson >> >> <mailto:rmegg...@redhat.com>>:
>>> >>
>>> >> On 04/15/2015 12:43 PM, James James wrote:
>>> >>> Here the log
>>> >>>
>>> >>> 2015-04-15 18:58 GMT+02:00 Rich Megginson >> >>> <mailto:rmegg...@redhat.com>>:
>>> >>>
>>> >>> On 04/15/2015 09:46 AM, James James wrote:
>>> >>>> Hello,
>>> >>>>
>>> >>>> I have been looking to solve my problem but I'm asking for
>>> >>>> some help.
>>> >>>>
>>> >>>> The replication begins but cannot be completed 
>>> >>>>
>>> >>>> I want to install a new fresh replica but I've always got
>>> >>>> this error :
>>> >>>>
>>> >>>> [21/35]: configure dirsrv ccache
>>> >>>>   [22/35]: enable SASL mapping fallback
>>> >>>>   [23/35]: restarting directory server
>>> >>>>   [24/35]: setting up initial replication
>>> >>>> Starting replication, please wait until this has completed.
>>> >>>>

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-05-15 Thread James James
Is it possible to change the nsds5ReplicaTimeout value to get rid of this
timeout error ?

2015-04-17 4:52 GMT+02:00 Rich Megginson :

>  On 04/15/2015 10:44 PM, James James wrote:
>
> The ipareplica-install.log file in attachment ...
>
>
> Here are the pertinent bits:
>
> 2015-04-15T15:06:31Z DEBUG wait_for_open_ports: localhost [389] timeout 300
> 2015-04-15T15:06:32Z DEBUG flushing ldap://ipa.example.com:389 from
> SchemaCache
> 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=
> ldap://ipa.example.com:389 conn= instance at 0x484f4d0>
> 2015-04-15T15:06:32Z DEBUG flushing ldaps://ipa1.example.com:636 from
> SchemaCache
> 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=
> ldaps://ipa1.example.com:636 conn= instance at 0x4170290>
> 2015-04-15T15:08:44Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 382, in start_creation
> run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 372, in run_step
> method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
> line 368, in __setup_replica
> r_bindpw=self.dm_password)
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line
> 969, in setup_replication
> raise RuntimeError("Failed to start replication")
> RuntimeError: Failed to start replication
>
> 2015-04-15T15:08:44Z DEBUG   [error] RuntimeError: Failed to start
> replication
>
> The times are a little off, but I believe this corresponds to
> [15/Apr/2015:17:08:39 +0200] - import userRoot: Import complete.
> Processed 1539 entries in 126 seconds. (12.21 entries/sec)
> [15/Apr/2015:17:08:39 +0200] NSMMReplicationPlugin -
> multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is
> coming online; enabling replication
>
> I don't know why setup_replication is reporting an error if replication
> completed successfully.
>
>
>
> 2015-04-16 2:22 GMT+02:00 Rob Crittenden :
>
>> Rich Megginson wrote:
>> > On 04/15/2015 02:58 PM, James James wrote:
>> >> Nothing on the replica .. maybe a process on the master. How can I
>> >> check that ?
>> >
>> > I have no idea.  But it seems highly unlikely that a process on the
>> > master is able to shutdown a process on the replica . . .
>> >
>> > I would say that there is some problem with the ipa-replica-install not
>> > properly checking the status - see below:
>> >
>> >>
>> >> 2015-04-15 21:37 GMT+02:00 Rich Megginson > >> <mailto:rmegg...@redhat.com>>:
>> >>
>> >> On 04/15/2015 12:43 PM, James James wrote:
>> >>> Here the log
>> >>>
>> >>> 2015-04-15 18:58 GMT+02:00 Rich Megginson > >>> <mailto:rmegg...@redhat.com>>:
>> >>>
>> >>> On 04/15/2015 09:46 AM, James James wrote:
>> >>>> Hello,
>> >>>>
>> >>>> I have been looking to solve my problem but I'm asking for
>> >>>> some help.
>> >>>>
>> >>>> The replication begins but cannot be completed 
>> >>>>
>> >>>> I want to install a new fresh replica but I've always got
>> >>>> this error :
>> >>>>
>> >>>> [21/35]: configure dirsrv ccache
>> >>>>   [22/35]: enable SASL mapping fallback
>> >>>>   [23/35]: restarting directory server
>> >>>>   [24/35]: setting up initial replication
>> >>>> Starting replication, please wait until this has completed.
>> >>>> Update in progress, 127 seconds elapsed
>> >>>> Update in progress yet not in progress
>> >>>>
>> >>>> Update in progress yet not in progress
>> >>>
>> >
>> > in progress yet not in progress  The error log below clearly shows
>> > that replica init succeeded after 127 seconds.
>> >
>> > IPA-ers - wasn't there some bug about checking replica status properly?
>> >
>>
>> The loop looks at nsds5BeginReplicaRefresh, nsds5replicaUpdateInProgress
>> and nsds5ReplicaLastInitStatus.
>>
>> It loops looking for nsds5BeginReplicaRefresh. If there is no value it
>> prints "Update in progress, %d seconds elapsed". Once it gets a status,
>> the update is done, and it looks at nsds5ReplicaLastInitStatus. If it
>> isn't empty, doesn't include 'replica busy' or 'Total update succeeded'
>> then it looks to see if nsds5replicaUpdateInProgress is TRUE. If it is,
>> it prints Update in progress yet not in progress and tries the loop again.
>>
>> AFAICT this part of a replica install doesn't restart 389-ds.
>>
>> /var/log/ipareplica-install.log may hold some details.
>>
>> rob
>>
>>
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
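The status loop Rob describes above, as a simplified model added here for illustration (this is not FreeIPA's own replication.py code). It is fed constructed agreement-attribute snapshots that mirror the installer output James posted; treating an empty nsds5ReplicaLastInitStatus as "no status yet, keep polling" is an assumption, since the description only says an empty status is not examined further.

```python
"""Model of the ipa-replica-install replica-init status loop.

Added example, not the project's code: it classifies one poll of the
replication agreement from the three attributes named in the thread and
walks a constructed sequence of polls through the loop so the
"Update in progress yet not in progress" path can be reproduced offline.
"""

# Attribute names on the replication agreement entry, as named in the thread.
BEGIN_REFRESH = "nsds5BeginReplicaRefresh"
IN_PROGRESS = "nsds5replicaUpdateInProgress"
LAST_INIT_STATUS = "nsds5ReplicaLastInitStatus"


def classify(snapshot, elapsed):
    """Return (message, done, has_error) for one poll of the agreement.

    `snapshot` maps attribute name -> value; a missing key means the
    attribute has no value. The order of checks follows the description
    in the thread: refresh attribute first, then the last-init status,
    then the in-progress flag.
    """
    if snapshot.get(BEGIN_REFRESH):
        # Refresh attribute still set: the total update is still running.
        return ("Update in progress, %d seconds elapsed" % elapsed, False, False)

    status = snapshot.get(LAST_INIT_STATUS, "")
    in_progress = snapshot.get(IN_PROGRESS, "FALSE").upper() == "TRUE"

    if not status:
        # Assumption: an empty status is not terminal, so keep polling.
        return ("No status yet", False, False)
    if "replica busy" in status:
        return ("Replica Busy! Status: [%s]" % status, True, True)
    if "Total update succeeded" in status:
        return ("Update succeeded", True, False)
    if in_progress:
        # Refresh attribute gone and no success status, yet the server still
        # reports an update in progress: the ambiguous case from the thread.
        return ("Update in progress yet not in progress", False, False)
    return ("Update failed! Status: [%s]" % status, True, True)


def run_loop(snapshots):
    """Feed successive polls through classify().

    Returns (printed_lines, has_error); has_error is None if the polls run
    out before the loop reaches a terminal state.
    """
    lines = []
    for elapsed, snap in enumerate(snapshots):
        msg, done, err = classify(snap, elapsed)
        lines.append(msg)
        if done:
            return lines, err
    return lines, None


# Constructed polls mirroring the posted output: refresh running, then the
# refresh attribute disappears while a stale, non-success status remains and
# the in-progress flag is still TRUE, and finally the flag drops to FALSE.
STALE_STATUS = "10 Total update abortedLDAP error: Referral"
SAMPLE_POLLS = [
    {BEGIN_REFRESH: "start", IN_PROGRESS: "TRUE"},
    {BEGIN_REFRESH: "start", IN_PROGRESS: "TRUE"},
    {LAST_INIT_STATUS: STALE_STATUS, IN_PROGRESS: "TRUE"},
    {LAST_INIT_STATUS: STALE_STATUS, IN_PROGRESS: "TRUE"},
    {LAST_INIT_STATUS: STALE_STATUS, IN_PROGRESS: "FALSE"},
]


def demo():
    """Run the constructed sequence and return the loop's output."""
    return run_loop(SAMPLE_POLLS)


if __name__ == "__main__":
    printed, failed = demo()
    for line in printed:
        print(line)
    print("has_error =", failed)
```

The walk-through shows why the installer can report a failure even though the consumer's own log says the import completed: the loop's verdict comes from nsds5ReplicaLastInitStatus, not from the import itself.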

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-04-15 Thread James James
The ipareplica-install.log file in attachment ...

2015-04-16 2:22 GMT+02:00 Rob Crittenden :

> Rich Megginson wrote:
> > On 04/15/2015 02:58 PM, James James wrote:
> >> Nothing on the replica .. maybe a process on the master. How can I
> >> check that ?
> >
> > I have no idea.  But it seems highly unlikely that a process on the
> > master is able to shutdown a process on the replica . . .
> >
> > I would say that there is some problem with the ipa-replica-install not
> > properly checking the status - see below:
> >
> >>
> >> 2015-04-15 21:37 GMT+02:00 Rich Megginson  >> <mailto:rmegg...@redhat.com>>:
> >>
> >> On 04/15/2015 12:43 PM, James James wrote:
> >>> Here the log
> >>>
> >>> 2015-04-15 18:58 GMT+02:00 Rich Megginson  >>> <mailto:rmegg...@redhat.com>>:
> >>>
> >>> On 04/15/2015 09:46 AM, James James wrote:
> >>>> Hello,
> >>>>
> >>>> I have been looking to solve my problem but I'm asking for
> >>>> some help.
> >>>>
> >>>> The replication begins but cannot be completed 
> >>>>
> >>>> I want to install a new fresh replica but I've always got
> >>>> this error :
> >>>>
> >>>> [21/35]: configure dirsrv ccache
> >>>>   [22/35]: enable SASL mapping fallback
> >>>>   [23/35]: restarting directory server
> >>>>   [24/35]: setting up initial replication
> >>>> Starting replication, please wait until this has completed.
> >>>> Update in progress, 127 seconds elapsed
> >>>> Update in progress yet not in progress
> >>>>
> >>>> Update in progress yet not in progress
> >>>
> >
> > in progress yet not in progress  The error log below clearly shows
> > that replica init succeeded after 127 seconds.
> >
> > IPA-ers - wasn't there some bug about checking replica status properly?
> >
>
> The loop looks at nsds5BeginReplicaRefresh, nsds5replicaUpdateInProgress
> and nsds5ReplicaLastInitStatus.
>
> It loops looking for nsds5BeginReplicaRefresh. If there is no value it
> prints "Update in progress, %d seconds elapsed". Once it gets a status,
> the update is done, and it looks at nsds5ReplicaLastInitStatus. If it
> isn't empty, doesn't include 'replica busy' or 'Total update succeeded'
> then it looks to see if nsds5replicaUpdateInProgress is TRUE. If it is,
> it prints Update in progress yet not in progress and tries the loop again.
>
> AFAICT this part of a replica install doesn't restart 389-ds.
>
> /var/log/ipareplica-install.log may hold some details.
>
> rob
>
>
2015-04-15T15:06:11Z DEBUG /usr/sbin/ipa-replica-install was invoked with argument "/var/lib/ipa/replica-info-ipa1.example.com.gpg" and options: {'no_forwarders': False, 'conf_ssh': True, 'skip_schema_check': False, 'ui_redirect': True, 'trust_sshfp': False, 'unattended': False, 'ip_addresses': [], 'no_host_dns': False, 'mkhomedir': False, 'no_reverse': False, 'setup_dns': False, 'create_sshfp': True, 'conf_sshd': True, 'forwarders': None, 'debug': False, 'conf_ntp': True, 'setup_ca': False, 'skip_conncheck': False, 'reverse_zones': []}
2015-04-15T15:06:11Z DEBUG IPA version 4.1.0-18.el7.centos.3
2015-04-15T15:06:11Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2015-04-15T15:06:11Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2015-04-15T15:06:11Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2015-04-15T15:06:11Z DEBUG Starting external process
2015-04-15T15:06:11Z DEBUG args='/usr/sbin/httpd' '-t' '-D' 'DUMP_VHOSTS'
2015-04-15T15:06:11Z DEBUG Process finished, return code=0
2015-04-15T15:06:11Z DEBUG stdout=VirtualHost configuration:
*:8443 is a NameVirtualHost
 default server ipa1.example.com (/etc/httpd/conf.d/nss.conf:86)
 port 8443 namevhost ipa1.example.com (/etc/httpd/conf.d/nss.conf:86)
 port 8443 namevhost ipa1.example.com (/etc/httpd/conf.d/nss.conf:86)

2015-04-15T15:06:11Z DEBUG stderr=
2015-04-15T15:06:11Z DEBUG Starting external process
2015-04-15T15:06:11Z DEBUG args=&#

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-04-15 Thread James James
Nothing on the replica .. maybe a process on the master. How can I check
that ?

2015-04-15 21:37 GMT+02:00 Rich Megginson :

>  On 04/15/2015 12:43 PM, James James wrote:
>
> Here the log
>
> 2015-04-15 18:58 GMT+02:00 Rich Megginson :
>
>>  On 04/15/2015 09:46 AM, James James wrote:
>>
>>   Hello,
>>
>>  I have been looking to solve my problem but I'm asking for some help.
>>
>>  The replication begins but cannot be completed 
>>
>>  I want to install a new fresh replica but I've always got this error :
>>
>> [21/35]: configure dirsrv ccache
>>   [22/35]: enable SASL mapping fallback
>>   [23/35]: restarting directory server
>>   [24/35]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> Update in progress, 127 seconds elapsed
>> Update in progress yet not in progress
>>
>> Update in progress yet not in progress
>>
>> [ipa.example.com] reports: Update failed! Status: [10 Total update
>> abortedLDAP error: Referral]
>>
>>   [error] RuntimeError: Failed to start replication
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> Failed to start replication
>>
>>
>>  On the master I have this message :
>> 15/Apr/2015:15:57:37 +0200] NSMMReplicationPlugin - CleanAllRUV Task:
>> Successfully cleaned rid(19).
>> [15/Apr/2015:17:06:32 +0200] NSMMReplicationPlugin - agmt="cn=
>> meToipa1.example.com" (ipa1:389): Replica has a different generation ID
>> than the local data.
>> [15/Apr/2015:17:06:33 +0200] NSMMReplicationPlugin - Beginning total
>> update of replica "agmt="cn=meToipa1.example.com" (ipa1:389)".
>>
>>
>>  What is happening on the consumer (ipa1.example.com) error and access
>> log at this time?
>>
>
> [15/Apr/2015:17:06:33 +0200] NSMMReplicationPlugin -
> multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is going
> offline; disabling replication
> [15/Apr/2015:17:06:33 +0200] - WARNING: Import is running with
> nsslapd-db-private-import-mem on; No other process is allowed to access the
> database
> [15/Apr/2015:17:06:53 +0200] - import userRoot: Processed 1399 entries --
> average rate 70.0/sec, recent rate 69.9/sec, hit ratio 0%
> ...
> [15/Apr/2015:17:08:39 +0200] - import userRoot: Import complete.
> Processed 1539 entries in 126 seconds. (12.21 entries/sec)
> [15/Apr/2015:17:08:39 +0200] NSMMReplicationPlugin -
> multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is
> coming online; enabling replication
>
> So it would appear that initialization finished successfully.  But then .
> . .
>
>
>>  [15/Apr/2015:17:41:25 +0200] NSMMReplicationPlugin - agmt="cn=
>> meToipa1.example.com" (ipa1:389): Unable to receive the response for a
>> startReplication extended operation to consumer (Can't contact LDAP
>> server). Will retry later.
>>
>>
> [15/Apr/2015:17:41:16 +0200] - slapd shutting down - freed 1 work q stack
> objects - freed 2 op stack objects
> [15/Apr/2015:17:41:16 +0200] - slapd stopped.
>
> So the server is down.  Did someone or some process shut down the replica
> at this time?
>
> [15/Apr/2015:17:41:29 +0200] slapi_ldap_bind - Error: could not send
>> startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport
>> endpoint is not connected)
>>
>> Any hints will be useful.
>>
>>  Thanks.
>>
>>
>>
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
>
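
As an added example (my own code, not from this thread, FreeIPA or 389-ds), the comparison Rich is doing by eye above can be done over both error logs at once: parse the bracketed 389-ds timestamps, merge the master's and the consumer's lines into one timeline, and report whether the consumer's slapd stopped after the import finished but before the master could resume replication. The log lines are constructed from the excerpts quoted above (host names and suffix replaced with example.com values), and the function names are assumptions of this example.

```python
"""Merge the master's and the consumer's 389-ds error-log excerpts into one
timeline and classify what happened to the total update (hypothetical
helper, not part of FreeIPA or 389-ds)."""
import re
from datetime import datetime

# Constructed sample lines modelled on the excerpts quoted in the thread
# (replica suffix and hostnames replaced with example.com values); not a capture.
MASTER_LOG = """\
[15/Apr/2015:17:06:32 +0200] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com" (ipa1:389): Replica has a different generation ID than the local data.
[15/Apr/2015:17:06:33 +0200] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meToipa1.example.com" (ipa1:389)".
[15/Apr/2015:17:41:25 +0200] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com" (ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[15/Apr/2015:17:41:29 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
"""

CONSUMER_LOG = """\
[15/Apr/2015:17:06:33 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=example,dc=com is going offline; disabling replication
[15/Apr/2015:17:06:33 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
...
[15/Apr/2015:17:08:39 +0200] - import userRoot: Import complete.  Processed 1539 entries in 126 seconds. (12.21 entries/sec)
[15/Apr/2015:17:08:39 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=example,dc=com is coming online; enabling replication
[15/Apr/2015:17:41:16 +0200] - slapd shutting down - freed 1 work q stack objects - freed 2 op stack objects
[15/Apr/2015:17:41:16 +0200] - slapd stopped.
"""

LINE_RE = re.compile(r"^\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] ?(.*)$")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text, host):
    """Turn one host's error log into (timestamp, host, message) tuples.
    Lines without the bracketed timestamp (wrapped continuations, "...")
    are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), TS_FORMAT), host, m.group(2)))
    return events


def merged_timeline(master_text, consumer_text):
    """Both logs interleaved by timestamp; the sort is stable, so equal
    timestamps keep their within-host order."""
    events = parse_log(master_text, "master") + parse_log(consumer_text, "consumer")
    return sorted(events, key=lambda e: e[0])


def diagnose_total_update(master_text, consumer_text):
    """Walk the merged timeline through the four milestones of the thread:
    master starts the total update, consumer finishes the import, consumer
    slapd stops, master reports it cannot contact the consumer."""
    marks = {"init_start": None, "import_done": None, "shutdown": None, "contact_lost": None}
    for ts, host, msg in merged_timeline(master_text, consumer_text):
        if host == "master" and "Beginning total update" in msg and marks["init_start"] is None:
            marks["init_start"] = ts
        elif host == "consumer" and "Import complete" in msg and marks["init_start"] and marks["import_done"] is None:
            marks["import_done"] = ts
        elif host == "consumer" and "slapd shutting down" in msg and marks["import_done"] and marks["shutdown"] is None:
            marks["shutdown"] = ts
        elif host == "master" and "Can't contact LDAP server" in msg and marks["shutdown"] and marks["contact_lost"] is None:
            marks["contact_lost"] = ts

    def seconds(a, b):
        return None if marks[a] is None or marks[b] is None else int((marks[b] - marks[a]).total_seconds())

    if marks["import_done"] is None:
        verdict = "import never completed on the consumer: look at the consumer's import messages"
    elif marks["shutdown"] is None:
        verdict = "import completed and the consumer stayed up: the problem is after initialization"
    else:
        verdict = ("import completed, then the consumer's slapd was stopped before the master "
                   "could resume incremental replication: find what stopped it "
                   "(ipareplica-install.log, service manager logs)")
    return {
        "import_seconds": seconds("init_start", "import_done"),
        "consumer_stopped_after_import": marks["shutdown"] is not None,
        "seconds_from_shutdown_to_master_error": seconds("shutdown", "contact_lost"),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in diagnose_total_update(MASTER_LOG, CONSUMER_LOG).items():
        print(f"{key}: {value}")
```

On the constructed input the import takes 126 seconds (the figure the consumer itself reports) and the consumer is stopped 9 seconds before the master's first "Can't contact LDAP server" line, which is exactly the pattern the reply above points at; the verdict string only tells you where to look next, it does not guess who issued the stop.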

Re: [Freeipa-users] Replica with external ca + custom subject in certificate

2015-04-08 Thread James James
It's a little bit more clear. Thanks.

I have created a new ipa 4.1 replica but when I want run :

# ipa-cacert-manage renew --self-signed

I've got this message :

[root@ipa-devel-centos7 ~]# ipa-cacert-manage renew --self-signed
CA is not configured on this system

If I want to install the CA I've got this message :

[root@ipa-devel-centos7 system]# ipa-ca-install --password=mypassorwd -U
CA is already installed.

Do I have to promote the replica to a standalone master before
installing the CA?

Any hints will be appreciated...


James


2015-04-08 7:27 GMT+02:00 Jan Cholasta :

> Dne 7.4.2015 v 15:31 Martin Kosek napsal(a):
>
>> On 04/07/2015 02:08 PM, James James wrote:
>>
>>> I will try to give a better explanation :
>>>
>>>
>>> I have a CentOS 6.6 with ipa 3.0 named ipa-master. ipa-master has been
>>> installed with an external CA about 3 years ago and I will have to renew
>>> the certificate soon.
>>>
>>> I have created a test server (ipa-dev) with the same configuration (centos
>>> 6.6 and ipa 3.0) to test the renewal process. I want the new ipa-dev server
>>> to be installed with an external CA.
>>>
>>> In the same time my external CA has changed and wants the emailAddress
>>> field in the certificate request 's subject.
>>>
>>
>> CSR during installation with external CA is produced by Dogtag, so you are
>> constrained with the options and capabilities provided by
>> ipa-server-install.
>> Maybe it would be possible to modify the CSR and update the Subject
>> manually,
>> but I expect it would crash the installer later (JanC may know more
>> (CCed))
>>
>
> The subject name identifies the CA in server (and other) certificates. If
> you change it, you break the trust chain from the CA certificate to the
> server certificates and that will break all SSL in IPA.
>
>
>>  If it is not possible to add emailAddress in the subject, is it possible
>>> to
>>> migrate my ipa-master CA system from an external CA to a CA-less or
>>> self-signed CA ?
>>>
>>
>> It is, with ipa-cacert-manage - see links below.
>>
>
> You can change your external CA to self-signed CA in IPA 4.1 or newer by
> running:
>
> # ipa-cacert-manage renew --self-signed
>
> You can't change external CA to CA-less.
>
>
>
>>  Thanks.
>>>
>>> 2015-04-07 13:48 GMT+02:00 Martin Kosek :
>>>
>>>  On 04/07/2015 01:44 PM, James James wrote:
>>>>
>>>>> ok.
>>>>>
>>>>> Is there a way to migrate from an external CA to a CA-less or a
>>>>>
>>>> self-signed
>>>>
>>>>> CA  ?
>>>>>
>>>>
>>>> Yes, you can use ipa-cacert-manage tool introduced in FreeIPA 4.1.0:
>>>>
>>>> https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>>>> https://www.freeipa.org/page/V4/CA_certificate_renewal
>>>>
>>>> (Although I am still not sure about your use case and if this would help
>>>> you)
>>>>
>>>>
>>>>> 2015-04-07 12:51 GMT+02:00 Martin Kosek :
>>>>>
>>>>>  On 04/03/2015 11:39 AM, James James wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I want to initialize a new replica with an external CA. My
>>>>>>> Certificate
>>>>>>> Authority wants a CSR with the field emailAddress in the subject
>>>>>>> like :
>>>>>>>
>>>>>>> /C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=n...@none.com
>>>>>>>
>>>>>>
>>>>>> I am now a bit confused. Do you plan to have FreeIPA *without* a CA or
>>>>>> with own
>>>>>> CA signed by external CA?
>>>>>>
>>>>>> FreeIPA supports these kinds of setups right now:
>>>>>> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure
>>>>>>
>>>>>>How can I do with the ipa-server-install command ?  I have been
>>>>>>> trying
>>>>>>>
>>>>>> for
>>>>>>
>>>>>>> few days but I still can't.
>>>>>>>
>>>>>>> Thanks for your help.
>>>>>>>
>>>>>>
>>>>>> CCing Honza who should know the definitive answer. However, FreeIPA
>>>>>> was
>>>>>>
>>>>> not
>>>>
>>>>> very flexible in configuring special subjects for its CA certificate
>>>>>>
>>>>> (i.e.
>>>>
>>>>> cn=Certificate Authority, ou=...) or hosts in case of CA-less setup.
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>
> --
> Jan Cholasta
>

Re: [Freeipa-users] Replica with external ca + custom subject in certificate

2015-04-07 Thread James James
I will try to give a better explanation :


I have a CentOS 6.6 with ipa 3.0 named ipa-master. ipa-master has been
installed with an external CA about 3 years ago and I will have to renew
the certificate soon.

I have created a test server (ipa-dev) with the same configuration (centos
6.6 and ipa 3.0) to test the renewal process. I want the new ipa-dev server
to be installed with an external CA.

At the same time my external CA has changed and wants the emailAddress
field in the certificate request's subject.

If it is not possible to add emailAddress in the subject, is it possible to
migrate my ipa-master CA system from an external CA to a CA-less or
self-signed CA ?

Thanks.

2015-04-07 13:48 GMT+02:00 Martin Kosek :

> On 04/07/2015 01:44 PM, James James wrote:
> > ok.
> >
> > Is there a way to migrate from an external CA to a CA-less or a
> self-signed
> > CA  ?
>
> Yes, you can use ipa-cacert-manage tool introduced in FreeIPA 4.1.0:
>
> https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
> https://www.freeipa.org/page/V4/CA_certificate_renewal
>
> (Although I am still not sure about your use case and if this would help
> you)
>
> >
> > 2015-04-07 12:51 GMT+02:00 Martin Kosek :
> >
> >> On 04/03/2015 11:39 AM, James James wrote:
> >>> Hello,
> >>>
> >>> I want to initialize a new replica with an external CA. My Certificate
> >>> Authority wants a CSR with the field emailAddress in the subject like :
> >>>
> >>> /C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=n...@none.com
> >>
> >> I am now a bit confused. Do you plan to have FreeIPA *without* a CA or
> >> with own
> >> CA signed by external CA?
> >>
> >> FreeIPA supports these kinds of setups right now:
> >> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure
> >>
> >>>  How can I do with the ipa-server-install command ?  I have been trying
> >> for
> >>> few days but I still can't.
> >>>
> >>> Thanks for your help.
> >>
> >> CCing Honza who should know the definitive answer. However, FreeIPA was
> not
> >> very flexible in configuring special subjects for its CA certificate
> (i.e.
> >> cn=Certificate Authority, ou=...) or hosts in case of CA-less setup.
> >>
> >
>
>

Re: [Freeipa-users] Replica with external ca + custom subject in certificate

2015-04-07 Thread James James
ok.

Is there a way to migrate from an external CA to a CA-less or a self-signed
CA  ?

2015-04-07 12:51 GMT+02:00 Martin Kosek :

> On 04/03/2015 11:39 AM, James James wrote:
> > Hello,
> >
> > I want to initialize a new replica with an external CA. My Certificate
> > Authority wants a CSR with the field emailAddress in the subject like :
> >
> > /C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=n...@none.com
>
> I am now a bit confused. Do you plan to have FreeIPA *without* a CA or
> with own
> CA signed by external CA?
>
> FreeIPA supports these kinds of setups right now:
> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure
>
> >  How can I do with the ipa-server-install command ?  I have been trying
> for
> > few days but I still can't.
> >
> > Thanks for your help.
>
> CCing Honza who should know the definitive answer. However, FreeIPA was not
> very flexible in configuring special subjects for its CA certificate (i.e.
> cn=Certificate Authority, ou=...) or hosts in case of CA-less setup.
>

[Freeipa-users] ipa and external ca

2015-04-03 Thread James James
Hi everybody, sorry to repost my original question but this time my problem
is better described.

I want to install an ipa server on centos 6 with an external ca. My problem
is to add emailAddress in the subject field when I type the command:


[root@ipa-dev ~]# ipa-server-install --external_ca
--subject="O=orga,C=FR,OU=MyOU"

Does somebody know how to do this?

Best.

James

[Freeipa-users] Replica with external ca + custom subject in certificate

2015-04-03 Thread James James
Hello,

I want to initialize a new replica with an external CA. My Certificate
Authority wants a CSR with the field emailAddress in the subject like :

/C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=n...@none.com


How can I do this with the ipa-server-install command? I have been trying for
a few days but I still can't.

Thanks for your help.

[Freeipa-users] Web UI customization

2015-03-07 Thread James James
Hello,

I have an ipa 3.3 server on centos 7.

I want to customize the web ui user add page (to include
krbprincipalexpiration field with a jquery calendar... ). I have read

http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf ,
https://pvoborni.fedorapeople.org/api/#!/guide/Phases and

http://fossies.org/dox/freeipa-4.1.3/classipalib_1_1plugins_1_1user_1_1user__add.html


but I can't figure out how to do what I want.

Can somebody give me clues or examples?

Thanks...

Re: [Freeipa-users] freeipa-client on Debian Wheezy

2014-09-27 Thread James James
Hi Alexandre,
Thanks for your effort. I am facing some issues with the numeezy freeipa
debian client.
1 )  When I use ipa-client-install I can't specify the ca-cert path and I
have to import my CA cert in /etc/pki/nssdb

2 )  When I try to make ipa-client-automount, the rpc.idmapd, rpc.gssd
daemons can't be restarted :

rpcidmapd failed to restart: Command '/usr/sbin/service rpcidmapd restart '
returned non-zero exit status 1
Failed to configure automatic startup of the rpcidmapd daemon
Failed to enable automatic startup of the rpcidmapd daemon: Command
'/sbin/chkconfig rpcidmapd on' returned non-zero exit status 1
rpcgssd failed to restart: Command '/usr/sbin/service rpcgssd restart '
returned non-zero exit status 1
Failed to configure automatic startup of the rpcgssd daemon
Failed to enable automatic startup of the rpcgssd daemon: Command
'/sbin/chkconfig rpcgssd on' returned non-zero exit status 1


Can you help me ?

Best.

2013-07-18 19:20 GMT+02:00 Alexandre Ellert :

> I've made packages from Debian Wheezy (actually only amd64). The goal is
> to have a fully functional and compatible client with Centos/RHEL 6.4
> freeipa server 3.0.0.
> Actually join domain, ssh key upload, certificate enrollment and sudo
> integration works in my environment.
>
> If you want to test, just add this to /etc/apt/sources.list :
> deb http://apt.numeezy.fr wheezy main
> deb-src http://apt.numeezy.fr wheezy main
> and import my GPG key :
> # wget -qO - http://apt.numeezy.fr/numeezy.asc | sudo apt-key add -
> Then, install package named freeipa-client.
> You can also download source using : apt-get source freeipa.
>
> Feel free to contact me if you have any issue using this package.
>
> PS : I've based my work on the package done by Timo Aaltonen for Ubuntu.
> Thanks to him for his excellent work !
>
> Alexandre
>
> Le 15 juil. 2013 à 08:37, Petr Spacek  a écrit :
>
> > On 12.7.2013 19:57, Alexandre Ellert wrote:
> >> Thanks for pointing that bug, compilation succeeded if adding
> "X-Python-Version: 2.7" to debian/control file.
> >> Now, testing functionality...
> >> I can give you some feedback if you want (i'm new here. Is there only
> RHEL/Fedora users on this mailing list ?)
> >
> > This list is not Fedora/RHEL specific. We are glad to hear about ports
> to other distributions, please continue! :-)
> >
> > --
> > Petr^2 Spacek
> >
> > ___
> > Freeipa-users mailing list
> > Freeipa-users@redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>

Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread James James
SOLVED.

realm-proxy has to be an indirect member of:
memberofindirect: cn=manage host keytab,cn=privileges,cn=pbac,dc=example,dc=com

Thanks for your help.

2014-09-09 16:59 GMT+02:00 Rob Crittenden :

> James James wrote:
> > My user : realm-proxy is in a group (Smart Proxy Host Management) which
> > has the Manage host keytab permission :
> >
> >   Permission name: Manage host keytab
> >   Permissions: write
> >   Attributes: krbprincipalkey, krblastpwdchange
> >   Type: host
> >   Granted to Privilege: Host Administrators, Host Enrollment, Smart
> > Proxy Host Management
> >
> >
> > When I try to retrieve a keytab from another host when my principal is
> > the realm-proxy :
> >
> >
> > [root@client1 ~]#  kinit realm-pr...@example.com -k -t /tmp/freeipa.keytab
> >
> > [root@client1 ~]# klist
> >
> > Ticket cache: KEYRING:persistent:0:0
> > Default principal: realm-pr...@example.com
> >
> > Valid starting   Expires  Service principal
> > 09/09/2014 14:35:50  09/10/2014 14:35:50  krbtgt/example@example.com
> >
> > [root@client1 ~]# ipa-getkeytab  --server=ipa.example.com
> > --principal=host/client1.example.com --keytab=/etc/krb5.keytab
> > Operation failed! Insufficient access rights
> >
> >
> > I can't retrieve the key ..
>
> I'd need to see the smart-proxy user, show --all --raw would be best.
>
> I just tested this on a RHEL-6 instance I had handy and it worked fine:
>
> # ipa user-add --first=test --last=user tuser1 --password
> # ipa role-add 'host keytab' --desc 'manage host keytabs'
> # ipa privilege-add 'manage host keytab' --desc 'manage host keytabs'
> # ipa privilege-add-permission 'manage host keytab'
> --permissions='manage host keytab'
> # ipa role-add-privilege 'host keytab' --privileges='manage host keytab'
> # ipa role-add-member --users=tuser1 'host keytab'
> # kinit tuser1
> # ipa-getkeytab -s `hostname` -k /tmp/test.keytab -p host/test.example.com
> Keytab successfully retrieved and stored in: /tmp/test.keytab
>
> rob
>
> >
> > 2014-09-09 16:14 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
> >
> > James James wrote:
> > > My IPA version is 3.0.0 .
> > > Thanks
> >
> > The permission 'Manage host keytab' should do the trick.
> >
> > rob
> >
> > >
> > > 2014-09-09 1:22 GMT+02:00 Dmitri Pal <d...@redhat.com>:
> > >
> > > On 09/08/2014 06:52 PM, James James wrote:
> > >> Hi everybody,
> > >>
> > >> I want a user to be able to do ipa-getkeytab to retrieve the
> keys
> > >> from any host in the realm.
> > >>
> > >> How can I do this ?
> > >>
> > >> Where can I find an ACI example
> > >> (https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html)
> > >> which can help me ?
> > >>
> > >>
> > >> Thanks for your help.
> > >>
> > >>
> > >>
> > >>
> > > Which version of IPA?
> > > The reason for the question is because in FreeIPA 4.0 the
> ACIs
> > > were significantly reworked.
> > >
> > > --
> > > Thank you,
> > > Dmitri Pal
> > >
> > > Sr. Engineering Manager IdM portfolio
> > > Red Hat, Inc.
> > >
> > >
> > >
> > >
> > >
> > >
> >
> >
>
>
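
As an added illustration of the fix above (my own code, not FreeIPA's), the following walks the RBAC chain FreeIPA evaluates before it answers ipa-getkeytab: a permission is granted to privileges, a privilege is carried by roles, and roles have users and groups as members, so a user holds the permission only when memberofindirect on one of those privileges resolves to them. The directory model is constructed; the permission and privilege names come from the thread, while the role names ("IT Specialist", "Enrollment Administrator", "host keytab"), the groups and the user "alice" are assumptions of this example.

```python
"""Resolve the FreeIPA RBAC chain user -> group -> role -> privilege ->
permission on an in-memory model, to show why 'Insufficient access rights'
appears when a user is not an (indirect) member of any privilege that
carries the permission. Hypothetical helper, not FreeIPA code."""
from collections import deque


def build_sample_directory():
    """Constructed model of the relevant entries, not a dump of a real
    directory. The permission 'Manage host keytab' is granted to three
    privileges; realm-proxy sits in a group that no role references."""
    return {
        # permission -> privileges it is granted to
        "perm_privs": {
            "Manage host keytab": {
                "Host Administrators", "Host Enrollment", "Smart Proxy Host Management",
            },
        },
        # privilege -> roles that carry it (role names are assumptions)
        "priv_roles": {
            "Host Administrators": {"IT Specialist"},
            "Host Enrollment": {"Enrollment Administrator"},
            "Smart Proxy Host Management": set(),  # exists, but no role points at it
        },
        # role -> direct user members / group members
        "role_users": {"IT Specialist": set(), "Enrollment Administrator": set()},
        "role_groups": {"IT Specialist": {"itadmins"}, "Enrollment Administrator": set()},
        # group -> user members / nested groups
        "group_users": {"itadmins": {"alice"}, "smart-proxies": {"realm-proxy"}},
        "group_groups": {},
    }


def effective_users_of_group(d, group):
    """Users reachable through nested group membership; memberof is
    transitive in IPA, so the walk has to be too."""
    users, seen, todo = set(), set(), deque([group])
    while todo:
        g = todo.popleft()
        if g in seen:
            continue
        seen.add(g)
        users |= d["group_users"].get(g, set())
        todo.extend(d["group_groups"].get(g, set()))
    return users


def effective_users_of_role(d, role):
    users = set(d["role_users"].get(role, set()))
    for group in d["role_groups"].get(role, set()):
        users |= effective_users_of_group(d, group)
    return users


def grant_chains(d, user, permission):
    """Every (role, privilege) pair through which `user` reaches
    `permission`. An empty list is what ipa-getkeytab reports as
    'Insufficient access rights'."""
    chains = []
    for priv in sorted(d["perm_privs"].get(permission, set())):
        for role in sorted(d["priv_roles"].get(priv, set())):
            if user in effective_users_of_role(d, role):
                chains.append((role, priv))
    return chains


def add_role_privilege(d, role, privilege):
    """Model of `ipa role-add-privilege ROLE --privileges=PRIVILEGE`."""
    d["priv_roles"].setdefault(privilege, set()).add(role)


def add_role_member_group(d, role, group):
    """Model of `ipa role-add-member ROLE --groups=GROUP`."""
    d["role_groups"].setdefault(role, set()).add(group)


if __name__ == "__main__":
    d = build_sample_directory()
    print("before:", grant_chains(d, "realm-proxy", "Manage host keytab"))
    # The two missing links from the thread: a role that carries the privilege,
    # and the user's group as a member of that role.
    add_role_privilege(d, "host keytab", "Smart Proxy Host Management")
    add_role_member_group(d, "host keytab", "smart-proxies")
    print("after: ", grant_chains(d, "realm-proxy", "Manage host keytab"))
```

Note that adding the privilege to a role alone is not enough: until the user (or their group) is a member of that role, grant_chains still returns nothing, which is the "permission exists but user has no path to it" state James hit before the memberofindirect fix.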

Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread James James
My IPA version is 3.0.0 .
Thanks

2014-09-09 1:22 GMT+02:00 Dmitri Pal :

>  On 09/08/2014 06:52 PM, James James wrote:
>
>   Hi everybody,
>
>  I want a user to be able to do ipa-getkeytab to retrieve the keys from
> any host in the realm.
>
>  How can I do this ?
>
> Where can I find an ACI example (
> https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html)
> which can help me ?
>
>
>  Thanks for your help.
>
>
>
>
>  Which version of IPA?
> The reason for the question is because in FreeIPA 4.0 the ACIs were
> significantly reworked.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
>

[Freeipa-users] ACI for ipa-getkeytab

2014-09-08 Thread James James
Hi everybody,

I want a user to be able to do ipa-getkeytab to retrieve the keys from any
host in the realm.

How can I do this ?

Where can I find an ACI example (
https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html)
which can help me ?


Thanks for your help.

Re: [Freeipa-users] WebUI krbprincipal expiration calendar widget

2014-08-11 Thread James James
Thanks a lot for your answer. I will switch to RHEL 7 to use 3.3 ..
Best regards.

James


2014-08-11 17:05 GMT+02:00 Martin Kosek :

> On 08/10/2014 01:58 PM, James James wrote:
> > Hello,
> >
> >
> > Is there a way to patch my ipa 3.0.0 with this patch:
> > https://www.mail-archive.com/freeipa-devel@redhat.com/msg20528.html ?
> >
> > The DateTime data type will be very useful !
> >
> > Regards
>
> It would be quite difficult, if not only because of the API versioning
> problem
> we have with parallel branches of FreeIPA, like RHEL-6.x/CentOS-6.x is
> (judging
> based on your version).
>
> There is an upstream ticket filed:
> https://fedorahosted.org/freeipa/ticket/4427
>
> But I do not think it would help in your case. Especially as this is just a
> convenience fix, the best advice I can give is either to
> a) Hack this around in your IPA codebase, making sure that the capability
> API
> version is correct
> b) Live with old string variant
> c) Upgrade to newer IPA, like 3.3 in RHEL-7.0 or 4.0 in Fedora 20! :-)
>
> Martin
>

[Freeipa-users] WebUI krbprincipal expiration calendar widget

2014-08-10 Thread James James
Hello,


Is there a way to patch my ipa 3.0.0 with this patch:
https://www.mail-archive.com/freeipa-devel@redhat.com/msg20528.html ?

The DateTime data type will be very useful !

Regards

Re: [Freeipa-users] SSSD and Autofs

2014-07-24 Thread James James
OK. Maybe this should be made explicit in the documentation.

By the way, thanks for your help.

Best regards.


2014-07-24 15:22 GMT+02:00 Jakub Hrozek :

> On Thu, Jul 24, 2014 at 10:48:44AM +0200, James James wrote:
> > The problem is solved.
> >
> > I had to explicity provides the location in the ipa-client-automount
> > command like this :
> >
> > ipa-client-automount --server=ipa.lix.polytechnique.fr
> --location=server1 -U
>
> Ah, yes, the default location for both the IPA server and the SSSD is
> called IIRC "default". If you're using a different location, you need to
> set it in the config file.
>
> I /think/ we had a ticket at one point to autodetect the location and we
> proposed the topic as a thesis, but I can't find it now..
>
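
The location mismatch Jakub describes can be checked from the client's sssd.conf before anyone starts reading sssd_autofs.log by hand. This is an added example, not SSSD or FreeIPA code; it assumes that the relevant SSSD option is ipa_automount_location, that SSSD falls back to the location named "default" when it is unset (as Jakub says above), and that ipa-client-automount --location is what writes it. The sssd.conf excerpt and the function names are constructed for the example.

```python
"""Check an sssd.conf for the autofs location mismatch described in the
thread: the IPA server keeps the maps in a non-default location, but the
client never set ipa_automount_location, so SSSD's autofs responder asks
for maps in 'default' and finds nothing. Hypothetical helper, not SSSD or
FreeIPA code."""
import configparser
import io

# Constructed sssd.conf excerpt, not the attachment from the thread.
SSSD_CONF = """\
[sssd]
services = nss, pam, ssh, autofs
domains = example.com

[domain/example.com]
id_provider = ipa
autofs_provider = ipa
ipa_server = ipa.example.com

[autofs]
"""

# What SSSD assumes when ipa_automount_location is unset (assumption from the thread).
DEFAULT_LOCATION = "default"


def _load(conf_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp


def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def autofs_findings(conf_text, expected_location):
    """Return the problems that would leave the maps unreachable; an empty
    list means the client is pointed at `expected_location`."""
    cp = _load(conf_text)
    findings = []
    if "autofs" not in _csv(cp.get("sssd", "services", fallback="")):
        findings.append("[sssd] services: autofs responder not enabled")
    for domain in _csv(cp.get("sssd", "domains", fallback="")):
        section = f"domain/{domain}"
        if not cp.has_section(section):
            findings.append(f"{section}: section missing")
            continue
        if cp.get(section, "autofs_provider", fallback="") != "ipa":
            findings.append(f"{section}: autofs_provider is not ipa")
        location = cp.get(section, "ipa_automount_location", fallback=DEFAULT_LOCATION)
        if location != expected_location:
            findings.append(
                f"{section}: ipa_automount_location is '{location}' "
                f"but the maps live in '{expected_location}'"
            )
    return findings


def set_automount_location(conf_text, domain, location):
    """Rewrite the config with the location pinned, which is what
    ipa-client-automount --location does for you (assumption)."""
    cp = _load(conf_text)
    cp.set(f"domain/{domain}", "ipa_automount_location", location)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    print(autofs_findings(SSSD_CONF, "server1"))
    fixed = set_automount_location(SSSD_CONF, "example.com", "server1")
    print(autofs_findings(fixed, "server1"))
```

Run against the constructed file with the server-side location "server1", the check reports the unset option; once the option is written, the same check passes, and the server's "default" location would have passed the original file unchanged, which is why this only bites when the server location is not the default.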

Re: [Freeipa-users] SSSD and Autofs

2014-07-24 Thread James James
The problem is solved.

I had to explicitly provide the location in the ipa-client-automount
command like this:

ipa-client-automount --server=ipa.lix.polytechnique.fr --location=server1 -U

Thanks again.



2014-07-24 10:22 GMT+02:00 James James :

> The files are in attachment.
>
> Thanks for your help.
>
>
> 2014-07-24 9:41 GMT+02:00 Jakub Hrozek :
>
> On Wed, Jul 23, 2014 at 11:45:28PM +0200, James James wrote:
>> > Hi guys, I've been struggling for a while to make sssd work with
>> autofs.
>> > I have a freeipa server that serves maps. When a client is enrolled and
>> I
>> > make in a terminal
>> >
>> > root@host ~# ipa-client-automount -U
>> >
>> > everything is ok
>> >
>> >  but i've got :
>> >
>> > root@host ~# automount -fd -vvv
>> > Starting automounter version 5.0.5-88.el6, master map auto.master
>> > using kernel protocol version 5.02
>> > lookup_nss_read_master: reading master sss auto.master
>> > parse_init: parse(sun): init gathered global options: (null)
>> > master_do_mount: mounting /-
>> > automount_path_to_fifo: fifo name /var/run/autofs.fifo--
>> > lookup_nss_read_map: reading map sss auto.direct
>> > parse_init: parse(sun): init gathered global options: (null)
>> > lookup_read_map: lookup(sss): getautomntent_r: No such file or directory
>> > lookup_nss_read_map: reading map files auto.direct
>> > file map /etc/auto.direct not found
>> > st_ready: st_ready(): state = 0 path /
>> >
>> >
>> > Maybe I am missing something...
>> >
>> > Any help will be appreciated...
>> >
>> > Thanks
>>
>> Can you attach your config file and check out what's in
>> /var/log/sssd/sssd_autofs.log once you add debug_level=6 into the
>> [autofs] section?
>>
>>
>
>

Re: [Freeipa-users] SSSD and Autofs

2014-07-24 Thread James James
The files are in attachment.

Thanks for your help.


2014-07-24 9:41 GMT+02:00 Jakub Hrozek :

> On Wed, Jul 23, 2014 at 11:45:28PM +0200, James James wrote:
> > Hi guys, I've been struggling for a while to make sssd work with
> autofs.
> > I have a freeipa server that serves maps. When a client is enrolled and I
> > make in a terminal
> >
> > root@host ~# ipa-client-automount -U
> >
> > everything is ok
> >
> >  but i've got :
> >
> > root@host ~# automount -fd -vvv
> > Starting automounter version 5.0.5-88.el6, master map auto.master
> > using kernel protocol version 5.02
> > lookup_nss_read_master: reading master sss auto.master
> > parse_init: parse(sun): init gathered global options: (null)
> > master_do_mount: mounting /-
> > automount_path_to_fifo: fifo name /var/run/autofs.fifo--
> > lookup_nss_read_map: reading map sss auto.direct
> > parse_init: parse(sun): init gathered global options: (null)
> > lookup_read_map: lookup(sss): getautomntent_r: No such file or directory
> > lookup_nss_read_map: reading map files auto.direct
> > file map /etc/auto.direct not found
> > st_ready: st_ready(): state = 0 path /
> >
> >
> > Maybe I am missing something...
> >
> > Any help will be appreciated...
> >
> > Thanks
>
> Can you attach your config file and check out what's in
> /var/log/sssd/sssd_autofs.log once you add debug_level=6 into the
> [autofs] section?
>
>
[root@client ~]# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#   nisplus Use NIS+ (NIS version 3)
#   nis Use NIS (NIS version 2), also called YP
#   dns Use DNS (Domain Name Service)
#   files   Use the local files
#   db  Use the local database (.db) files
#   compat  Use NIS on compat mode
#   hesiod  Use Hesiod for user lookups
#   [NOTFOUND=return]   Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:


#passwd:db files nisplus nis
#shadow:db files nisplus nis
#group: db files nisplus nis

passwd: files sss
shadow: files sss
group:  files sss

#hosts: db files nisplus nis dns
hosts:  files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks:   files
networks:   files
protocols:  files
rpc:files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount: sss files

aliases:files nisplus



Attachments: etc-sysconfig-autofs, sssd_conf (binary data)

(Thu Jul 24 08:09:18 2014) [sssd[autofs]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jul 24 08:09:18 2014) [sssd[autofs]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jul 24 08:09:18 2014) [sssd[autofs]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jul 24 08:09:18 2014) [sssd[autofs]] [sss_autofs_cmd_setautomntent] (0x0400): Got request for automount map named auto.master
(Thu Jul 24 08:09:18 2014) [sssd[autofs]] [sss_parse_name_for_domains] (0x0200): name 'auto.master' matched without domain, user is auto.master
(Thu Jul 24 08:09:18 2014) [sssd[autofs]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Thu Jul 24 08:09:18 2014) [sssd[autofs]] [setautomntent_send] (0x0400): Requesting info for automount map [auto.master] from []
(Thu Jul 24 08:09:18 2014) [sssd[autofs]] [lookup_automntmap_step] (0x0400): Requesting info for [auto.mas...@example.com]
(Thu Jul 24 08:09:18 2014) [sssd[autofs]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40f9d0:0:auto.master@lix.polytechnique.fr]
(Thu Jul 24 08:09:18 2014) [sssd[autofs]] [sss_dp_get_autofs_msg] (0x0400): Creating autofs 

[Freeipa-users] SSSD and Autofs

2014-07-23 Thread James James
Hi guys, I've been struggling for a while to make sssd work with autofs.
I have a freeipa server that serves maps. When a client is enrolled and I
make in a terminal

root@host ~# ipa-client-automount -U

everything is ok

 but i've got :

root@host ~# automount -fd -vvv
Starting automounter version 5.0.5-88.el6, master map auto.master
using kernel protocol version 5.02
lookup_nss_read_master: reading master sss auto.master
parse_init: parse(sun): init gathered global options: (null)
master_do_mount: mounting /-
automount_path_to_fifo: fifo name /var/run/autofs.fifo--
lookup_nss_read_map: reading map sss auto.direct
parse_init: parse(sun): init gathered global options: (null)
lookup_read_map: lookup(sss): getautomntent_r: No such file or directory
lookup_nss_read_map: reading map files auto.direct
file map /etc/auto.direct not found
st_ready: st_ready(): state = 0 path /


Maybe I am missing something.

Any help will be appreciated.

Thanks
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Account Expiration

2013-03-23 Thread James James
Hi Petr
Can you (or somebody else) give me some hints on using a calendar widget in
the UI?

Thanks.


2013/2/7 Petr Vobornik 

> On 02/07/2013 08:45 AM, Martin Kosek wrote:
>
>> On 02/07/2013 08:31 AM, James James wrote:
>>
>>> Thanks Rob. I have one more question. Is it possible to add a field in
>>> the ui,
>>> and get the field's value in a custom add user hook script  ?
>>>
>>> James
>>>
>>
> Theoretically it's possible but it requires quite good knowledge of Web UI
> code. It's easier to modify user page source codes. For simple edit (just
> textbox, no calendar widget) it may be just one line of code (in WebUI,
> server plugin will require more work).
>
>
>
>> I know that Petr Vobornik is already working in better extensibility of
>> the UI,
>> but that would be available in future releases. Petr, do you have any
>> advice
>> for James for current release?
>>
>>
>>>
>>> 2013/2/7 Rob Crittenden <mailto:rcrit...@redhat.com>
>>>
>>>  James James wrote:
>>>
>>>  Can somebody gives me some help to set krbPrincipalExpiration
>>> from the
>>>  freeipa ui ?
>>>
>>>
>>>  You can't set this in the web UI.
>>>
>>
>> Note: You will be able to set it in the CLI/UI when ticket
>> https://fedorahosted.org/freeipa/ticket/3306
>> is fixed.
>>
>>
>>>  You can do it from the command line using ldapmodify with:
>>>
>>>  $ ldapmodify -x -D 'cn=Directory Manager' -W
>>>  Enter LDAP Password:
>>>  dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
>>>  changetype: modify
>>>  replace: krbPasswordExpiration
>>>  krbPasswordExpiration: 20200508032114Z
>>>
>>>  ^D
>>>
>>
>> This would change password expiration attribute. So for account
>> expiration, you
>> would just need to replace krbPasswordExpiration modification above with
>> krbPrincipalExpiration.
>>
>> Martin
>>
>>
> --
> Petr Vobornik
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Account Expiration

2013-02-13 Thread James James
Thanks for your code. :)


2013/2/13 Jan-Frode Myklebust 

> On Wed, Feb 13, 2013 at 09:29:42AM +0100, Petr Spacek wrote:
> > >
> > >Yeah, I don't think we want to be in the business of installing and
> > >configuring an MTA. However, we should be able to detect if one is
> > >available and use it if it is. I think it would be reasonable to restrict
> > >it to LMTP with a Unix domain socket (most MTAs support this). Then our
> > >config would have an LMTP domain socket pathname; if that pathname exists
> > >and we can connect to it we use it, if not we fall back to not generating
> > >any mail.
> >
> > In the meantime, it should be relatively simple to code a script which
> > does ldapsearch from time to time and sends some e-mails. This
> > script doesn't have to run on the same server as IPA; only access to
> > LDAP and some MTA is required.
>
> Crude, but a start:
>
> 
> #! /bin/bash
> ldapsearch -z 500 -x -h ipa1.example.net -b cn=users,cn=accounts,dc=example,dc=net "(krbPasswordExpiration<=$(date +%Y%m%d --date='+1 week')00Z)" mail | grep '^mail:' | cut -d: -f2 | while read mail
> do
> echo password expires in less than a week | mail -s "Password expires" "$mail"
> done
> 
>
>
>
>   -jf
>

Re: [Freeipa-users] Account Expiration

2013-02-13 Thread James James
What are the IIRC docs?


2013/2/13 Rob Crittenden 

> Petr Spacek wrote:
>
>> On 12.2.2013 20:21, John Dennis wrote:
>>
>>> On 02/12/2013 01:40 PM, Rob Crittenden wrote:
>>>
 Is it possible to ipa to send a email to user when his account is about
> to expire (the current date is near krbprincipalexpiration date) ?
>

 Not currently. In 3.0+ we will provide a notice when one logs into the
 WebUI but that's it.

 We can't be sure that an MTA is properly configured on the IPA server at
 install time so we have punted on this for a while. We don't want to get
 into the business of picking and configuring one. This is one of those
 things that seems really easy but gets complicated the deeper you dig
 into it. We're open to suggestions/patches.

>>>
>>> Yeah, I don't think we want to be in the business of installing and
>>> configuring an MTA. However, we should be able to detect if one is
>>> available and use it if it is. I think it would be reasonable to restrict
>>> it to LMTP with a Unix domain socket (most MTAs support this). Then our
>>> config would have an LMTP domain socket pathname; if that pathname exists
>>> and we can connect to it we use it, if not we fall back to not generating
>>> any mail.
>>>
>>
>> In the meantime, it should be relatively simple to code a script which does
>> ldapsearch from time to time and sends some e-mails. This script doesn't
>> have to run on the same server as IPA; only access to LDAP and some MTA
>> is required.
>>
>>
> Yes, that is our current recommendation. There is a sample query in the
> docs IIRC.
>
> rob
>
>

Re: [Freeipa-users] Account Expiration

2013-02-13 Thread James James
It's a good idea. I will try that.



2013/2/13 Petr Spacek 

> On 12.2.2013 20:21, John Dennis wrote:
>
>> On 02/12/2013 01:40 PM, Rob Crittenden wrote:
>>
>>> Is it possible to ipa to send a email to user when his account is about
 to expire (the current date is near krbprincipalexpiration date) ?

>>>
>>> Not currently. In 3.0+ we will provide a notice when one logs into the
>>> WebUI but that's it.
>>>
>>> We can't be sure that an MTA is properly configured on the IPA server at
>>> install time so we have punted on this for a while. We don't want to get
>>> into the business of picking and configuring one. This is one of those
>>> things that seems really easy but gets complicated the deeper you dig
>>> into it. We're open to suggestions/patches.
>>>
>>
>> Yeah, I don't think we want to be in the business of installing and
>> configuring an MTA. However, we should be able to detect if one is
>> available and use it if it is. I think it would be reasonable to restrict
>> it to LMTP with a Unix domain socket (most MTAs support this). Then our
>> config would have an LMTP domain socket pathname; if that pathname exists
>> and we can connect to it we use it, if not we fall back to not generating
>> any mail.
>>
>
> In the meantime, it should be relatively simple to code a script which does
> ldapsearch from time to time and sends some e-mails. This script doesn't
> have to run on the same server as IPA; only access to LDAP and some MTA is
> required.
>
> --
> Petr^2 Spacek
>
>

Re: [Freeipa-users] Account Expiration

2013-02-12 Thread James James
Thanks guys for your answers.


2013/2/12 John Dennis 

> On 02/12/2013 01:40 PM, Rob Crittenden wrote:
>
>> Is it possible to ipa to send a email to user when his account is about
>>> to expire (the current date is near krbprincipalexpiration date) ?
>>>
>>
>> Not currently. In 3.0+ we will provide a notice when one logs into the
>> WebUI but that's it.
>>
>> We can't be sure that an MTA is properly configured on the IPA server at
>> install time so we have punted on this for a while. We don't want to get
>> into the business of picking and configuring one. This is one of those
>> things that seems really easy but gets complicated the deeper you dig
>> into it. We're open to suggestions/patches.
>>
>
> Yeah, I don't think we want to be in the business of installing and
> configuring an MTA. However, we should be able to detect if one is
> available and use it if it is. I think it would be reasonable to restrict
> it to LMTP with a Unix domain socket (most MTAs support this). Then our
> config would have an LMTP domain socket pathname; if that pathname exists
> and we can connect to it we use it, if not we fall back to not generating
> any mail.
>
> --
> John Dennis 
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>

Re: [Freeipa-users] Account Expiration

2013-02-12 Thread James James
Can you tell me how to update my ipa files once ticket
https://fedorahosted.org/freeipa/ticket/3306 is fixed?

Should I just do 'yum update ipa*'?

Is it possible for ipa to send an email to a user when his account is about to
expire (the current date is near the krbprincipalexpiration date)?


2013/2/7 Martin Kosek 

> On 02/07/2013 08:31 AM, James James wrote:
> > Thanks Rob. I have one more question. Is it possible to add a field in
> the ui,
> > and get the field's value in a custom add user hook script  ?
> >
> > James
>
> I know that Petr Vobornik is already working in better extensibility of
> the UI,
> but that would be available in future releases. Petr, do you have any
> advice
> for James for current release?
>
> >
> >
> > 2013/2/7 Rob Crittenden <mailto:rcrit...@redhat.com>
> >
> > James James wrote:
> >
> > Can somebody gives me some help to set krbPrincipalExpiration
> from the
> > freeipa ui ?
> >
> >
> > You can't set this in the web UI.
>
> Note: You will be able to set it in the CLI/UI when ticket
> https://fedorahosted.org/freeipa/ticket/3306
> is fixed.
>
> >
> > You can do it from the command line using ldapmodify with:
> >
> > $ ldapmodify -x -D 'cn=Directory Manager' -W
> > Enter LDAP Password:
> > dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
> > changetype: modify
> > replace: krbPasswordExpiration
> > krbPasswordExpiration: 20200508032114Z
> >
> > ^D
>
> This would change password expiration attribute. So for account
> expiration, you
> would just need to replace krbPasswordExpiration modification above with
> krbPrincipalExpiration.
>
> Martin
>

Re: [Freeipa-users] ipa-replica-prepare failed

2013-02-11 Thread James James
Thank you Rob. My replica is working now.

:)


2013/2/10 Rob Crittenden 

> James James wrote:
>
>> Maybe I am stupid or tired (or both ..) but I have tried many things to
>> include the ca cert, the ipa key and pem file in a single pkcs12 file
>> but I am still stuck.
>>
>> Can you give me a more detailed help?
>>
>
> Well, this is one of the reasons we're deprecating this feature, because
> it hasn't been well-tested since v1 and is ridden with corner cases.
>
> I think the only solution is going to be to in direct code changes to the
> IPA python scripts to match what your PKCS#12 files contain. If it is
> signed by a root CA then chances are if you simply skip the step where the
> CA is loaded and trusted then things may just work.
>
> It is failing in ipaserver/install/certs.p12 in the call to
> find_root_cert_from_pkcs12(). Either it is simply an issue of our
> identifying the CA or one isn't being loaded at all.
>
> You can do: certutil -L -d /etc/dirsrv/slapd-YOUR_REALM to list the
> certificates that were loaded. It may be that the CA was loaded but we
> aren't detecting the nickname, in which case you could simply hardcode it
> into the python file for a workaround, something like:
>
> ca_names = ['CA nickname']
>
> rob
>
>>
>>
>> 2013/2/8 Rob Crittenden <mailto:rcrit...@redhat.com>
>>
>> James James wrote:
>>
>> OK .. but I have to put the pkcs12 file in /etc/pki/nssdb ?
>>
>>
>> No. The PKCS#12 file that contains your server private key and cert
>> needs to also contain the CA that signed it.
>>
>> rob
>>
>>
>>
>> 2013/2/8 Rob Crittenden <mailto:rcrit...@redhat.com>
>>
>>
>>  James James wrote:
>>
>>  Now on the replica server I've got this error :
>>  Run connection check to master
>>  Connection check OK
>>  Configuring ntpd
>>  [1/4]: stopping ntpd
>>  [2/4]: writing configuration
>>  [3/4]: configuring ntpd to start on boot
>>  [4/4]: starting ntpd
>>  done configuring ntpd.
>>  Configuring directory server: Estimated time 1 minute
>>  [1/30]: creating directory server user
>>  [2/30]: creating directory server instance
>>  [3/30]: adding default schema
>>  [4/30]: enabling memberof plugin
>>  [5/30]: enabling referential integrity plugin
>>  [6/30]: enabling winsync plugin
>>  [7/30]: configuring replication version plugin
>>  [8/30]: enabling IPA enrollment plugin
>>  [9/30]: enabling ldapi
>>  [10/30]: configuring uniqueness plugin
>>  [11/30]: configuring uuid plugin
>>  [12/30]: configuring modrdn plugin
>>  [13/30]: enabling entryUSN plugin
>>  [14/30]: configuring lockout plugin
>>  [15/30]: creating indices
>>  [16/30]: configuring ssl for ds instance
>>  creation of replica failed: Could not find a CA cert in
>>  /tmp/tmp21VpT8ipa/realm_info/dscert.p12
>>
>>
>>
>>  Your system may be partly configured.
>>  Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>>
>>  Where do I have to put the CA certificate?
>>
>>
>>  It needs to be in the PKCS#12 file.
>>
>>  rob
>>
>>
>>
>>
>>
>
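Rob's point above is that the PKCS#12 handed to ipa-replica-prepare must carry the CA that issued the server certificate, not only the server key and cert, and that the tool's find_root_cert_from_pkcs12() looks for exactly that. The check can be run on a .p12 before the tool is. What follows is an added example, not FreeIPA's own code or anyone's code from this thread; it uses the Python `cryptography` package, generates a throwaway CA and server certificate in memory (the names, the "Server-Cert" friendly name and the PIN are constructed), and shows the check succeeding for a bundle that contains the CA and returning nothing for one that does not, which is the case that produces "Could not find a CA cert in ... dscert.p12".

```python
"""Check that a PKCS#12 bundle carries the CA that issued its server cert.

Added example, not FreeIPA code. Reproduces the condition behind
"Could not find a CA cert in .../dscert.p12": the issuing CA must be
inside the .p12. Uses the `cryptography` package; the CA and server
certificate are generated in memory with constructed names.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

PIN = b"constructed-pin"  # stands in for the --dirsrv_pin / --http_pin value


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _issue(subject, issuer, issuer_key, public_key, is_ca):
    """Sign a minimal certificate; BasicConstraints marks CA vs end-entity."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def build_bundles(pin=PIN):
    """Return (with_ca, without_ca): the same server key/cert packed both ways."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = _name("EXAMPLE.COM Certificate Authority")  # constructed name
    ca_cert = _issue(ca_name, ca_name, ca_key, ca_key.public_key(), is_ca=True)

    srv_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    srv_cert = _issue(_name("ipa.example.com"), ca_name, ca_key, srv_key.public_key(), is_ca=False)

    enc = serialization.BestAvailableEncryption(pin)
    with_ca = pkcs12.serialize_key_and_certificates(b"Server-Cert", srv_key, srv_cert, [ca_cert], enc)
    without_ca = pkcs12.serialize_key_and_certificates(b"Server-Cert", srv_key, srv_cert, None, enc)
    return with_ca, without_ca


def find_ca_in_pkcs12(p12_bytes, pin):
    """Return the CA cert that directly issued the bundle's end-entity cert, or None.

    A candidate must be one of the extra certs in the bundle, carry
    BasicConstraints ca=TRUE, have a subject equal to the server cert's
    issuer, and actually verify the server cert's signature. Name matching
    alone is not enough: a stray cert with the right name would match and
    still leave the replica unable to build a chain.
    """
    _key, cert, extra = pkcs12.load_key_and_certificates(p12_bytes, pin)
    if cert is None:
        return None
    for cand in extra or []:
        try:
            bc = cand.extensions.get_extension_for_class(x509.BasicConstraints).value
        except x509.ExtensionNotFound:
            continue
        if not bc.ca or cand.subject != cert.issuer:
            continue
        try:
            cand.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                     padding.PKCS1v15(), cert.signature_hash_algorithm)
        except InvalidSignature:
            continue
        return cand
    return None


def ca_nickname(p12_bytes, pin):
    """Common name of the issuing CA, or None. This is the name the thread's
    ca_names = ['CA nickname'] workaround hardcodes when detection fails."""
    ca = find_ca_in_pkcs12(p12_bytes, pin)
    if ca is None:
        return None
    return ca.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


if __name__ == "__main__":
    good, bad = build_bundles()
    print("with CA    ->", ca_nickname(good, PIN))
    print("without CA ->", ca_nickname(bad, PIN))  # None: replica install would fail here
```

On a real host the same check would be run over the .p12 you pass with --dirsrv_pkcs12 / --http_pkcs12, reading it from disk with the matching PIN; if it returns None, rebuild the bundle with the CA chain included before running ipa-replica-prepare, rather than patching the script.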

Re: [Freeipa-users] ipa-replica-prepare failed

2013-02-09 Thread James James
Maybe I am stupid or tired (or both ..) but I have tried many things to
include the ca cert, the ipa key and pem file in a single pkcs12 file but I
am still stuck.

Can you give me a more detailed help?


2013/2/8 Rob Crittenden 

> James James wrote:
>
>> OK .. but I have to put the pkcs12 file in /etc/pki/nssdb ?
>>
>
> No. The PKCS#12 file that contains your server private key and cert needs
> to also contain the CA that signed it.
>
> rob
>
>
>>
>> 2013/2/8 Rob Crittenden <mailto:rcrit...@redhat.com>
>>
>>
>> James James wrote:
>>
>> Now on the replica server I've got this error :
>> Run connection check to master
>> Connection check OK
>> Configuring ntpd
>> [1/4]: stopping ntpd
>> [2/4]: writing configuration
>> [3/4]: configuring ntpd to start on boot
>> [4/4]: starting ntpd
>> done configuring ntpd.
>> Configuring directory server: Estimated time 1 minute
>> [1/30]: creating directory server user
>> [2/30]: creating directory server instance
>> [3/30]: adding default schema
>> [4/30]: enabling memberof plugin
>> [5/30]: enabling referential integrity plugin
>> [6/30]: enabling winsync plugin
>> [7/30]: configuring replication version plugin
>> [8/30]: enabling IPA enrollment plugin
>> [9/30]: enabling ldapi
>> [10/30]: configuring uniqueness plugin
>> [11/30]: configuring uuid plugin
>> [12/30]: configuring modrdn plugin
>> [13/30]: enabling entryUSN plugin
>> [14/30]: configuring lockout plugin
>> [15/30]: creating indices
>> [16/30]: configuring ssl for ds instance
>> creation of replica failed: Could not find a CA cert in
>> /tmp/tmp21VpT8ipa/realm_info/dscert.p12
>>
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>>
>> Where do I have to put the CA certificate?
>>
>>
>> It needs to be in the PKCS#12 file.
>>
>> rob
>>
>>
>>
>

Re: [Freeipa-users] ipa-replica-prepare failed

2013-02-08 Thread James James
OK .. but I have to put the pkcs12 file in /etc/pki/nssdb ?


2013/2/8 Rob Crittenden 

> James James wrote:
>
>> Now on the replica server I've got this error :
>> Run connection check to master
>> Connection check OK
>> Configuring ntpd
>>[1/4]: stopping ntpd
>>[2/4]: writing configuration
>>[3/4]: configuring ntpd to start on boot
>>[4/4]: starting ntpd
>> done configuring ntpd.
>> Configuring directory server: Estimated time 1 minute
>>[1/30]: creating directory server user
>>[2/30]: creating directory server instance
>>[3/30]: adding default schema
>>[4/30]: enabling memberof plugin
>>[5/30]: enabling referential integrity plugin
>>[6/30]: enabling winsync plugin
>>[7/30]: configuring replication version plugin
>>[8/30]: enabling IPA enrollment plugin
>>[9/30]: enabling ldapi
>>[10/30]: configuring uniqueness plugin
>>[11/30]: configuring uuid plugin
>>[12/30]: configuring modrdn plugin
>>[13/30]: enabling entryUSN plugin
>>[14/30]: configuring lockout plugin
>>[15/30]: creating indices
>>[16/30]: configuring ssl for ds instance
>> creation of replica failed: Could not find a CA cert in
>> /tmp/tmp21VpT8ipa/realm_info/dscert.p12
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>>
>> Where do I have to put the CA certificate?
>>
>
> It needs to be in the PKCS#12 file.
>
> rob
>
>

Re: [Freeipa-users] ipa-replica-prepare failed

2013-02-08 Thread James James
Now on the replica server I've got this error :
Run connection check to master
Connection check OK
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server: Estimated time 1 minute
  [1/30]: creating directory server user
  [2/30]: creating directory server instance
  [3/30]: adding default schema
  [4/30]: enabling memberof plugin
  [5/30]: enabling referential integrity plugin
  [6/30]: enabling winsync plugin
  [7/30]: configuring replication version plugin
  [8/30]: enabling IPA enrollment plugin
  [9/30]: enabling ldapi
  [10/30]: configuring uniqueness plugin
  [11/30]: configuring uuid plugin
  [12/30]: configuring modrdn plugin
  [13/30]: enabling entryUSN plugin
  [14/30]: configuring lockout plugin
  [15/30]: creating indices
  [16/30]: configuring ssl for ds instance
creation of replica failed: Could not find a CA cert in
/tmp/tmp21VpT8ipa/realm_info/dscert.p12

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


Where do I have to put the CA certificate?

Regards (again)


2013/2/8 Rob Crittenden 

> James James wrote:
>
>> I had to set the --dirsrv_pkcs12, --dirsrv_pin, --http_pkcs12,
>> --http_pin and the ipa-replica-prepare command runs without failure.
>>
>> Thanks for your help.
>>
>
> Yes, this is what I was going to suggest. Using ipa-server-certinstall
> replace the IPA CA with an external one.
>
> I should note that we're deprecating this tool and do not recommend that
> it be used. We instead suggest that if you need certificates from an
> external CA you get the IPA CA signed as a subordinate.
>
> rob
>
>
>>
>> 2013/2/8 James James <mailto:jre...@gmail.com>
>>
>>
>> My ipa version is ipa-server-2.2.0-17.el6_3.1.x86_64 and the distro
>> is  Scientific Linux 6.3.  I have used ipa-server-certinstall to
>> replace the default IPA certs.
>>
>>
>>
>>
>> 2013/2/8 Rob Crittenden <mailto:rcrit...@redhat.com>
>>
>>
>> James James wrote:
>>
>> Hi,
>> today I wanted to install a ipa replica. When I used the
>> ipa-replica-prepare command, I've got this error :
>>
>> [root@ipa ~]# ipa-replica-prepare ipa2-example.com
>>
>> Directory Manager (existing master) password:
>>
>> Preparing replica for ipa-EXAMPLE.COM from ipa.EXAMPLE.COM
>>
>> Creating SSL certificate for the Directory Server
>> certutil: could not find certificate named "CN=EXAMPLE.COM
>> Certificate Authority": security library: bad database.
>>
>> certutil: unable to create cert (security library: bad database.)
>> preparation of replica failed: Command '/usr/bin/certutil -d
>> /tmp/tmpoUpN72ipa/realm_info -A -n Server-Cert -t u,u,u -i
>> /var/lib/ipa/ipa-6qKbha/tmpcert.der -f
>> /tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned
>> non-zero exit status 255
>> Command '/usr/bin/certutil -d /tmp/tmpoUpN72ipa/realm_info -A -n
>> Server-Cert -t u,u,u -i /var/lib/ipa/ipa-6qKbha/tmpcert.der -f
>> /tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned
>> non-zero exit status 255
>> File "/usr/sbin/ipa-replica-prepare", line 459, in
>>
>>   main()
>>
>> File "/usr/sbin/ipa-replica-prepare", line 345, in main
>>
>>   export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
>> replica_fqdn, subject_base)
>>
>> File "/usr/sbin/ipa-replica-prepare", line 143, in export_certdb
>>   raise e
>>
>>
>> I have a certificate generated by a custom certificate
>> authority in the
>> ipa server.
>>
>>
>> Need more information on your installation. What version of IPA,
>> what distro?
>>
>> Did you use ipa-server-certinstall to replace the default IPA
>> certs?
>>
>> rob
>>
>>
>>
>>
>

Re: [Freeipa-users] ipa-replica-prepare failed

2013-02-08 Thread James James
I had to set the --dirsrv_pkcs12, --dirsrv_pin, --http_pkcs12, --http_pin
and the ipa-replica-prepare command runs without failure.

Thanks for your help.


2013/2/8 James James 

> My ipa version is ipa-server-2.2.0-17.el6_3.1.x86_64 and the distro is
> Scientific Linux 6.3.  I have used ipa-server-certinstall to replace the
> default IPA certs.
>
>
>
>
> 2013/2/8 Rob Crittenden 
>
>> James James wrote:
>>
>>> Hi,
>>> today I wanted to install a ipa replica. When I used the
>>> ipa-replica-prepare command, I've got this error :
>>>
>>> [root@ipa ~]# ipa-replica-prepare ipa2-example.com
>>>
>>> Directory Manager (existing master) password:
>>>
>>> Preparing replica for ipa-EXAMPLE.COM from ipa.EXAMPLE.COM
>>>
>>> Creating SSL certificate for the Directory Server
>>> certutil: could not find certificate named "CN=EXAMPLE.COM
>>> Certificate Authority": security library: bad database.
>>>
>>> certutil: unable to create cert (security library: bad database.)
>>> preparation of replica failed: Command '/usr/bin/certutil -d
>>> /tmp/tmpoUpN72ipa/realm_info -A -n Server-Cert -t u,u,u -i
>>> /var/lib/ipa/ipa-6qKbha/tmpcert.der -f
>>> /tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned non-zero exit
>>> status 255
>>> Command '/usr/bin/certutil -d /tmp/tmpoUpN72ipa/realm_info -A -n
>>> Server-Cert -t u,u,u -i /var/lib/ipa/ipa-6qKbha/tmpcert.der -f
>>> /tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned non-zero exit
>>> status 255
>>>File "/usr/sbin/ipa-replica-prepare", line 459, in 
>>>  main()
>>>
>>>File "/usr/sbin/ipa-replica-prepare", line 345, in main
>>>  export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
>>> replica_fqdn, subject_base)
>>>
>>>File "/usr/sbin/ipa-replica-prepare", line 143, in export_certdb
>>>  raise e
>>>
>>>
>>> I have a certificate generated by a custom certificate authority in the
>>> ipa server.
>>>
>>
>> Need more information on your installation. What version of IPA, what
>> distro?
>>
>> Did you use ipa-server-certinstall to replace the default IPA certs?
>>
>> rob
>>
>>
>

Re: [Freeipa-users] ipa-replica-prepare failed

2013-02-07 Thread James James
My ipa version is ipa-server-2.2.0-17.el6_3.1.x86_64 and the distro is
Scientific Linux 6.3.  I have used ipa-server-certinstall to replace the
default IPA certs.




2013/2/8 Rob Crittenden 

> James James wrote:
>
>> Hi,
>> today I wanted to install a ipa replica. When I used the
>> ipa-replica-prepare command, I've got this error :
>>
>> [root@ipa ~]# ipa-replica-prepare ipa2-example.com
>>
>> Directory Manager (existing master) password:
>>
>> Preparing replica for ipa-EXAMPLE.COM from ipa.EXAMPLE.COM
>>
>> Creating SSL certificate for the Directory Server
>> certutil: could not find certificate named "CN=EXAMPLE.COM
>> Certificate Authority": security library: bad database.
>>
>> certutil: unable to create cert (security library: bad database.)
>> preparation of replica failed: Command '/usr/bin/certutil -d
>> /tmp/tmpoUpN72ipa/realm_info -A -n Server-Cert -t u,u,u -i
>> /var/lib/ipa/ipa-6qKbha/tmpcert.der -f
>> /tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned non-zero exit
>> status 255
>> Command '/usr/bin/certutil -d /tmp/tmpoUpN72ipa/realm_info -A -n
>> Server-Cert -t u,u,u -i /var/lib/ipa/ipa-6qKbha/tmpcert.der -f
>> /tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned non-zero exit
>> status 255
>>File "/usr/sbin/ipa-replica-prepare", line 459, in 
>>  main()
>>
>>File "/usr/sbin/ipa-replica-prepare", line 345, in main
>>  export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
>> replica_fqdn, subject_base)
>>
>>File "/usr/sbin/ipa-replica-prepare", line 143, in export_certdb
>>  raise e
>>
>>
>> I have a certificate generated by a custom certificate authority in the
>> ipa server.
>>
>
> Need more information on your installation. What version of IPA, what
> distro?
>
> Did you use ipa-server-certinstall to replace the default IPA certs?
>
> rob
>
>

Re: [Freeipa-users] Account Expiration

2013-02-07 Thread James James
ok thanks.



2013/2/7 Petr Vobornik 

> On 02/07/2013 08:45 AM, Martin Kosek wrote:
>
>> On 02/07/2013 08:31 AM, James James wrote:
>>
>>> Thanks Rob. I have one more question. Is it possible to add a field in
>>> the ui,
>>> and get the field's value in a custom add user hook script  ?
>>>
>>> James
>>>
>>
> Theoretically it's possible but it requires quite good knowledge of Web UI
> code. It's easier to modify user page source codes. For simple edit (just
> textbox, no calendar widget) it may be just one line of code (in WebUI,
> server plugin will require more work).
>
>
>
>> I know that Petr Vobornik is already working in better extensibility of
>> the UI,
>> but that would be available in future releases. Petr, do you have any
>> advice
>> for James for current release?
>>
>>
>>>
>>> 2013/2/7 Rob Crittenden <mailto:rcrit...@redhat.com>
>>>
>>>  James James wrote:
>>>
>>>  Can somebody give me some help to set krbPrincipalExpiration
>>> from the
>>>  freeipa ui ?
>>>
>>>
>>>  You can't set this in the web UI.
>>>
>>
>> Note: You will be able to set it in the CLI/UI when ticket
>> https://fedorahosted.org/freeipa/ticket/3306
>> is fixed.
>>
>>
>>>  You can do it from the command line using ldapmodify with:
>>>
>>>  $ ldapmodify -x -D 'cn=Directory Manager' -W
>>>  Enter LDAP Password:
>>>  dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
>>>  changetype: modify
>>>  replace: krbPasswordExpiration
>>>  krbPasswordExpiration: 20200508032114Z
>>>
>>>  ^D
>>>
>>
>> This would change password expiration attribute. So for account
>> expiration, you
>> would just need to replace krbPasswordExpiration modification above with
>> krbPrincipalExpiration.
>>
>> Martin
>>
>>
> --
> Petr Vobornik
>

Re: [Freeipa-users] Account Expiration

2013-02-06 Thread James James
Thanks Rob. I have one more question. Is it possible to add a field in the
ui, and get the field's value in a custom add user hook script  ?

James


2013/2/7 Rob Crittenden 

> James James wrote:
>
>> Can somebody give me some help to set krbPrincipalExpiration from the
>> freeipa ui ?
>>
>
> You can't set this in the web UI.
>
> You can do it from the command line using ldapmodify with:
>
> $ ldapmodify -x -D 'cn=Directory Manager' -W
> Enter LDAP Password:
> dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> replace: krbPasswordExpiration
> krbPasswordExpiration: 20200508032114Z
>
> ^D
>
> rob
>
>>
>> Many thanks
>>
>>
>> 2013/1/28 James James <mailto:jre...@gmail.com>
>>
>>
>> Hi Martin,
>> thanks a lot for your answer. The krbPrincipalExpiration should do
>> the job.
>>
>> Regards.
>>
>>
>> 2013/1/28 Martin Kosek <mailto:mko...@redhat.com>
>>
>>
>> On 01/28/2013 12:14 PM, James James wrote:
>>  > Hi, in 389-ds there is a nice plugin I love,  it's account
>> policy. You can set
>>  > account expiration date and the account will be inactive at
>> this day.
>>  >
>>  >
>> http://directory.fedoraproject.org/wiki/Account_Policy_Design#Detailed_Design_of_Account_Expiration
>>  >
>>  > Is there a way to have this feature with freeipa ?
>>  >
>>  > Regards.
>>  >
>>  >
>>  > James
>>  >
>>
>> Hello James,
>>
>> FreeIPA user plugin does not support this feature, you would
>> need to hack it in
>> the plugin yourselves (patches welcome :-).
>>
>> Generally, you should be able to set account expiration to
>> krbPrincipalExpiration attribute of the user account and it
>> should just work.
>> You can also check few tickets we have already few tickets filed
>> for better
>> handling of this attribute:
>>
>> https://fedorahosted.org/freeipa/ticket/3062
>> [RFE] Allow admins to change expiration attribute for the accounts
>>
>> https://fedorahosted.org/freeipa/ticket/3305
>> KrbPrincipalExpiration should be checked in pre-bind op
>>
>> https://fedorahosted.org/freeipa/ticket/3306
>> [RFE] Expose the krbPrincipalExpiration attribute for editing in
>> the IPA CLI /
>> WEBUI
>>
>>
>> Anyway, if you want a support for this particular plugin, you
>> can file an RFE
>> to Trac/Bugzilla  which we will further process.
>>
>> HTH,
>> Martin
>>
>>
>>
>>
>>
>>
>
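Two pieces of this thread operate on the same value: Rob's ldapmodify recipe above writes a GeneralizedTime into krbPasswordExpiration (Martin's note: swap the attribute for krbPrincipalExpiration to get account expiration), and Jan-Frode's script in the 2013-02-13 message selects users whose expiration falls within the coming week. The following is an added example, not code from the thread or from FreeIPA, that shows both sides in one place: a small LDIF reader over constructed ldapsearch output, a function that picks the accounts expiring inside a notification window, and a function that emits the ldapmodify input for krbPrincipalExpiration. The DNs, mail addresses and dates are constructed; the "today" used below is the date of the thread.

```python
"""Account-expiration helpers for FreeIPA users (added example, not FreeIPA code).

expiring_accounts(): from ldapsearch LDIF output, the users whose
krbPrincipalExpiration falls inside a notification window (what Jan-Frode's
script asks LDAP to filter, done client-side so the timestamp handling shows).
principal_expiration_ldif(): the ldapmodify input that sets
krbPrincipalExpiration, i.e. Rob's recipe with Martin's attribute swap.
"""
import base64
import datetime

UTC = datetime.timezone.utc
# 389-ds stores Kerberos timestamps as LDAP GeneralizedTime, e.g. 20200508032114Z.
GT_FORMAT = "%Y%m%d%H%M%SZ"


def parse_generalized_time(value):
    """'YYYYMMDDHHMMSSZ' -> aware UTC datetime (ValueError on malformed input)."""
    return datetime.datetime.strptime(value.strip(), GT_FORMAT).replace(tzinfo=UTC)


def format_generalized_time(when):
    """Aware datetime -> GeneralizedTime string in UTC."""
    if when.tzinfo is None:
        raise ValueError("expiration time must be timezone-aware")
    return when.astimezone(UTC).strftime(GT_FORMAT)


def parse_ldif(text):
    """Minimal LDIF reader: one {attribute(lowercase): [values]} dict per entry.

    Unfolds continuation lines, decodes base64 values ('attr:: ...'), skips
    comments, and drops dn-less blocks such as ldapsearch's search:/result: trailer.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # sentinel flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # 'attr:: base64value'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def expiring_accounts(ldif_text, now, window_days=7, attr="krbprincipalexpiration"):
    """Return [(uid, mail, expiry)] for accounts expiring in (now, now + window].

    No attribute means the account never expires; an expiry already in the
    past is not 'about to expire' and needs a different notice, so both are skipped.
    """
    cutoff = now + datetime.timedelta(days=window_days)
    hits = []
    for entry in parse_ldif(ldif_text):
        if attr not in entry:
            continue
        expiry = parse_generalized_time(entry[attr][0])
        if now < expiry <= cutoff:
            hits.append((entry.get("uid", ["?"])[0], entry.get("mail", [None])[0], expiry))
    return hits


def principal_expiration_ldif(dn, when):
    """ldapmodify input that sets krbPrincipalExpiration on `dn`."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: krbPrincipalExpiration\n"
        f"krbPrincipalExpiration: {format_generalized_time(when)}\n"
    )


# Constructed ldapsearch output: one user expiring soon, one later, one never.
SAMPLE_LDIF = """\
# extended LDIF
dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
uid: tuser1
mail: tuser1@example.com
krbPrincipalExpiration: 20130218090000Z

dn: uid=tuser2,cn=users,cn=accounts,dc=example,dc=com
uid: tuser2
mail:: dHVzZXIyQGV4YW1wbGUuY29t
krbPrincipalExpiration: 20130601000000Z

dn: uid=tuser3,cn=users,cn=accounts,dc=example,dc=com
uid: tuser3
mail: tuser3@example.com

search: 2
result: 0 Success
"""

if __name__ == "__main__":
    now = parse_generalized_time("20130213120000Z")  # constructed "today"
    for uid, mail, expiry in expiring_accounts(SAMPLE_LDIF, now):
        print(f"{uid} <{mail}> expires {expiry:%Y-%m-%d %H:%M} UTC")
    print(principal_expiration_ldif("uid=tuser1,cn=users,cn=accounts,dc=example,dc=com",
                                    parse_generalized_time("20200508032114Z")))
```

Feeding the output of an `ldapsearch ... mail krbPrincipalExpiration` run into expiring_accounts() and piping the returned addresses to the MTA is the same loop as Jan-Frode's script; the client-side parse additionally copes with base64-encoded mail values, which a `grep ^mail | cut` pipeline silently passes through undecoded. Note that ldapsearch's -z size limit applies to both approaches.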

Re: [Freeipa-users] Account Expiration

2013-02-06 Thread James James
Can somebody give me some help to set krbPrincipalExpiration from the
freeipa ui ?

Many thanks


2013/1/28 James James 

> Hi Martin,
> thanks a lot for your answer. The krbPrincipalExpiration should do the job.
>
> Regards.
>
>
> 2013/1/28 Martin Kosek 
>
>> On 01/28/2013 12:14 PM, James James wrote:
>> > Hi, in 389-ds there is a nice plugin I love,  it's account policy. You
>> can set
>> > account expiration date and the account will be inactive at this day.
>> >
>> >
>> http://directory.fedoraproject.org/wiki/Account_Policy_Design#Detailed_Design_of_Account_Expiration
>> >
>> > Is there a way to have this feature with freeipa ?
>> >
>> > Regards.
>> >
>> >
>> > James
>> >
>>
>> Hello James,
>>
>> FreeIPA user plugin does not support this feature, you would need to hack
>> it in
>> the plugin yourselves (patches welcome :-).
>>
>> Generally, you should be able to set account expiration to
>> krbPrincipalExpiration attribute of the user account and it should just
>> work.
>> You can also check a few tickets we have already filed for better
>> handling of this attribute:
>>
>> https://fedorahosted.org/freeipa/ticket/3062
>> [RFE] Allow admins to change expiration attribute for the accounts
>>
>> https://fedorahosted.org/freeipa/ticket/3305
>> KrbPrincipalExpiration should be checked in pre-bind op
>>
>> https://fedorahosted.org/freeipa/ticket/3306
>> [RFE] Expose the krbPrincipalExpiration attribute for editing in the IPA
>> CLI /
>> WEBUI
>>
>>
>> Anyway, if you want support for this particular plugin, you can file an
>> RFE to Trac/Bugzilla which we will further process.
>>
>> HTH,
>> Martin
>>
>
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
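Martin's answer relies on the KDC honouring krbPrincipalExpiration; ticket 3305 was filed precisely because the LDAP pre-bind operation did not yet check it, so an expired principal stops getting Kerberos tickets while a plain LDAP bind with the same account may still succeed. The block below is an added example, not FreeIPA code and not something posted in the thread: it renders the GeneralizedTime value the attribute expects, builds the ldapmodify LDIF for one user, and reports which of a set of entries are expired. It assumes the cn=users,cn=accounts,dc=example,dc=com container seen in the DNs elsewhere in this thread; the uids passed to it are constructed.

```python
"""krbPrincipalExpiration: build the ldapmodify change and check for expiry.

Added example, not FreeIPA code or anything from the thread. Assumes the
user container cn=users,cn=accounts under dc=example,dc=com, as in the
DNs posted elsewhere in this thread; the uids passed in are constructed.
"""
from datetime import datetime, timezone

USER_BASE = "cn=users,cn=accounts,dc=example,dc=com"
ATTR = "krbPrincipalExpiration"
# Characters that would need RFC 4514 escaping inside an RDN value; an
# unescaped one lets a caller-supplied uid rewrite the target DN.
DN_SPECIAL = ',+"\\<>;='
GT_FORMAT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime, seconds precision, UTC


def to_generalized_time(when):
    """Render an aware datetime as YYYYMMDDHHMMSSZ in UTC."""
    if when.tzinfo is None:
        raise ValueError("expiration must be timezone-aware")
    return when.astimezone(timezone.utc).strftime(GT_FORMAT)


def from_generalized_time(value):
    """Parse the YYYYMMDDHHMMSSZ form back into an aware UTC datetime."""
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def expiration_ldif(uid, when):
    """LDIF for `ldapmodify -x -D 'cn=Directory Manager' -W -f change.ldif`
    that sets the expiration on one user. `replace` keeps it idempotent."""
    if any(ch in uid for ch in DN_SPECIAL) or uid.startswith("#"):
        raise ValueError("uid contains DN metacharacters; refusing to build the DN")
    return (
        f"dn: uid={uid},{USER_BASE}\n"
        "changetype: modify\n"
        f"replace: {ATTR}\n"
        f"{ATTR}: {to_generalized_time(when)}\n"
    )


def is_expired(value, now):
    """True once `now` has reached the stored expiration."""
    return now >= from_generalized_time(value)


def expired_principals(entries, now):
    """entries maps uid -> krbPrincipalExpiration value or None.
    Returns the uids whose principal is expired; no value means no expiry."""
    return sorted(uid for uid, value in entries.items()
                  if value is not None and is_expired(value, now))
```

Pipe the output of expiration_ldif into ldapmodify bound as an identity allowed to write the attribute; the DN check refuses uids that would need RFC 4514 escaping rather than trying to escape them, which is the safer default for an administrative tool.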

Re: [Freeipa-users] Account Expiration

2013-01-28 Thread James James
Hi Martin,
thanks a lot for your answer. The krbPrincipalExpiration should do the job.

Regards.


2013/1/28 Martin Kosek 

> On 01/28/2013 12:14 PM, James James wrote:
> > Hi, in 389-ds there is a nice plugin I love, it's account policy. You
> > can set an account expiration date and the account will be inactive on
> > this day.
> >
> >
> http://directory.fedoraproject.org/wiki/Account_Policy_Design#Detailed_Design_of_Account_Expiration
> >
> > Is there a way to have this feature with freeipa ?
> >
> > Regards.
> >
> >
> > James
> >
>
> Hello James,
>
> FreeIPA user plugin does not support this feature, you would need to hack
> it in
> the plugin yourselves (patches welcome :-).
>
> Generally, you should be able to set account expiration to
> krbPrincipalExpiration attribute of the user account and it should just
> work.
> You can also check a few tickets we have already filed for better
> handling of this attribute:
>
> https://fedorahosted.org/freeipa/ticket/3062
> [RFE] Allow admins to change expiration attribute for the accounts
>
> https://fedorahosted.org/freeipa/ticket/3305
> KrbPrincipalExpiration should be checked in pre-bind op
>
> https://fedorahosted.org/freeipa/ticket/3306
> [RFE] Expose the krbPrincipalExpiration attribute for editing in the IPA
> CLI /
> WEBUI
>
>
> Anyway, if you want support for this particular plugin, you can file an
> RFE to Trac/Bugzilla which we will further process.
>
> HTH,
> Martin
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] Account Expiration

2013-01-28 Thread James James
Hi, in 389-ds there is a nice plugin I love, it's account policy. You can
set an account expiration date and the account will be inactive on this day.

http://directory.fedoraproject.org/wiki/Account_Policy_Design#Detailed_Design_of_Account_Expiration

Is there a way to have this feature with freeipa ?

Regards.


James
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Easy deployment

2012-09-27 Thread James James
Not yet, but can you give me some clues?

2012/9/27 Dmitri Pal 

>  On 09/25/2012 04:18 PM, Sigbjorn Lie wrote:
>
> On 09/25/2012 12:17 AM, James James wrote:
>
> Hi guys,
>
> we are planning to install 150 freeipa clients and I was wondering if
> there is a way to easily install (from kickstart) an nfsv4 client.
>
> I can add host with
>
> # ipa host-add --password=secret
>
> But to get the keytab (host and service), I have to log into the machine,
> launch kinit and get the keytab.
>
> This will be very painful for 150 clients 
>
> Any hints are welcome ...
>
>
>
>  Hi,
>
> I am working on integrating what you are asking for into OneClickKick,
> a web-based GUI for managing a DHCP server and PXE
> booting. The current version can read the host objects from IPA's LDAP, and
> you can use these to generate PXE boot files for kickstarting RHEL/Fedora,
> preseeding Debian/Ubuntu installations, doing BIOS upgrades, running LIVE
> environments, etc.
>
> What I have done in the past is to add a line like this to the post
> section of the kickstart:
> /usr/sbin/ipa-client-install --domain="ix.test.com"
> --principal="ipajoinuser" --password="somepassword" -U -f
>
> This is not ideal even though the kickstart is saved in a database and
> only made available dynamically through a php script to the host that's
> enabled for kickstarting. It is not saved in a text file on the disk. The
> next version will include tighter integration with IPA where a One Time
> Password is set for the host being kickstarted at the time it's enabled for
> kickstarting, and this password is seeded dynamically when the host is
> served its kickstart file.
>
> The next version will also have the PXE Enrollment boot image updated to
> support adding new hosts directly into IPA. PXE Enrollment
> supports adding a new host simply by PXE booting it, logging on, and
> giving it a hostname and assigning it a kickstart profile to load the
> machine directly from the console of the new machine.
>
> Adding of machines directly to IPA from the web UI will also be available
> in the next version. This allows you to do everything from adding the host,
> to selecting the kickstart profile group, and enabling for PXE
> installation/kickstart in 1 step.
>
> It can also search through the /var/log/messages file to find new hosts
> that are unknown to its naming sources and directly add these.
>
> You can also select a group of machines to install, so if you have your 150
> machines in one group you can select the entire group for installation.
>
>
> See the project website or contact me for more information:
> http://sourceforge.net/projects/oneclickkick/
>
>
>
> Have you looked at Foreman?
>
>
> Regards,
> Siggi
>
>
>
>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
>
>
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Apache, autofs and userdir

2012-09-26 Thread James James
Thanks, I'll try that and will give you feedback as soon as possible.



2012/9/26 Anthony Messina 

> On Wednesday, September 26, 2012 12:21:14 AM James James wrote:
> > I have  :
> >
> > - a freeipa server + autofs maps
> > - a nfsv4 server
> > - a web server
> >
> > from the webserver I can mount my nfs4 exported home dir. Everything
> works
> > well.
> >
> > I want to access my public_html directory from the web server. From my
> > browser, when I try to reach http://myweserver/~user, I've got 403
> > Forbidden and the logs give me :
> >
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server nfs-server.example.com
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: doing error downcall
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2)
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: handle_gssd_upcall: 'mech=krb5 uid=48 enctypes=18,17,16,23,3,1,2 '
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2)
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: process_krb5_upcall: service is ''
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: getting credentials for client with uid 48 for server nfs-server.example.com
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' being considered, with preferred realm 'EXAMPLE.COM'
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' owned by 797200160, not 48
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' being considered, with preferred realm 'EXAMPLE.COM'
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' owned by 0, not 48
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server nfs-server.example.com
> >
> >
> > Apache user id is 48.
>
> You don't say what system you're using, but for Fedora 16 and 17 (with
> systemd), you can use something like the following in
> /etc/systemd/system/httpd.service:
>
> .include /usr/lib/systemd/system/httpd.service
> [Unit]
> Requires=network.target
> After=network.target
>
> [Service]
> Environment=KRB5_KTNAME=/etc/httpd/conf/apache.keytab
> Environment=KRB5CCNAME=/tmp/krb5cc_48
> ExecStartPre=/usr/bin/kinit -r 604800s -k -t ${KRB5_KTNAME} apache ;
> /usr/bin/chown apache:apache ${KRB5CCNAME} ; /usr/bin/chcon -t user_tmp_t
> ${KRB5CCNAME}
> PrivateTmp=false
>
>
>
> And you'll need to add a cron job similar to:
> 5 */8 * * * apache  /usr/bin/kinit -R ; chcon -t user_tmp_t
> /tmp/krb5cc_48
>
>
> Of course, this may all change when Fedora 18 comes out with its shiny new
> way of handling credentials.
>
>
> --
> Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
> 8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
>
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
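What the rpc.gssd lines in James's post say, read line by line, is that gssd scanned the krb5cc_* files in /tmp, skipped each one because its owner was not uid 48, and therefore had no credentials for the apache user when the NFS client needed a security context. Anthony's unit file addresses exactly that: it creates /tmp/krb5cc_48 owned by apache from the service keytab and keeps it renewed, and PrivateTmp=false is required because rpc.gssd runs outside httpd's private /tmp and must see the file. Two caveats a practitioner should keep in mind: that cache must stay mode 0600, and any code running as apache can use the ticket in it. The block below is an added example, not from the thread or from nfs-utils; it extracts that reasoning from the log mechanically, using the lines quoted above (trimmed to the relevant entries) as its sample.

```python
"""Why rpc.gssd found no credentials for the apache user (uid 48).

Added example, not from the thread or from nfs-utils. The sample lines are
the ones James posted, trimmed to the entries that matter.
"""
import re
from collections import defaultdict

SAMPLE_GSSD_LOG = """\
Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server nfs-server.example.com
Sep 25 23:18:21 web-server rpc.gssd[4522]: getting credentials for client with uid 48 for server nfs-server.example.com
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' being considered, with preferred realm 'EXAMPLE.COM'
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' owned by 797200160, not 48
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' being considered, with preferred realm 'EXAMPLE.COM'
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' owned by 0, not 48
Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server nfs-server.example.com
"""

RE_REJECTED = re.compile(r"CC file '(?P<path>[^']+)' owned by (?P<owner>\d+), not (?P<uid>\d+)")
RE_FAILED = re.compile(r"Failed to create krb5 context for user with uid (?P<uid>\d+) for server (?P<server>\S+)")


def triage_gssd(log):
    """For every uid whose krb5 context creation failed, return the NFS
    server involved and the ccache files gssd skipped because they belong
    to some other uid: {uid: {"server": str, "rejected": [(path, owner)]}}."""
    rejected = defaultdict(list)
    failed = {}
    for line in log.splitlines():
        m = RE_REJECTED.search(line)
        if m:
            entry = (m["path"], int(m["owner"]))
            if entry not in rejected[int(m["uid"])]:  # same file repeats per upcall
                rejected[int(m["uid"])].append(entry)
            continue
        m = RE_FAILED.search(line)
        if m:
            failed[int(m["uid"])] = m["server"]
    return {uid: {"server": server, "rejected": rejected.get(uid, [])}
            for uid, server in failed.items()}


def expected_ccache(uid):
    """The file rpc.gssd will accept for `uid` with its default ccache
    directory (/tmp) and prefix (krb5cc_); it must be owned by that uid,
    which is why the unit file in the reply creates /tmp/krb5cc_48 as apache."""
    return f"/tmp/krb5cc_{uid}"


def remediation(report, uid):
    """Human-readable summary of what to fix for one uid."""
    if uid not in report:
        return f"no gssd failure recorded for uid {uid}"
    owners = ", ".join(f"{p} (uid {o})" for p, o in report[uid]["rejected"])
    return (f"uid {uid} has no usable ccache for {report[uid]['server']}; "
            f"gssd skipped: {owners or 'none'}. Create {expected_ccache(uid)} "
            f"owned by uid {uid}, mode 0600, and keep it renewed.")
```

Run triage_gssd over the rpc.gssd lines from /var/log/messages (or journalctl -u rpc-gssd) and pass the result to remediation; if the rejected list is empty but the failure is still there, the problem is not ownership but an absent or expired ticket.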

[Freeipa-users] Apache, autofs and userdir

2012-09-25 Thread James James
Hi, I don't know if this is the right place to ask this question but I will
try.

I have  :

- a freeipa server + autofs maps
- a nfsv4 server
- a web server

from the webserver I can mount my nfs4 exported home dir. Everything works
well.

I want to access my public_html directory from the web server. From my
browser, when I try to reach http://myweserver/~user, I've got 403
Forbidden and the logs give me :

Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server nfs-server.example.com
Sep 25 23:18:21 web-server rpc.gssd[4522]: doing error downcall
Sep 25 23:18:21 web-server rpc.gssd[4522]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2)
Sep 25 23:18:21 web-server rpc.gssd[4522]: handle_gssd_upcall: 'mech=krb5 uid=48 enctypes=18,17,16,23,3,1,2 '
Sep 25 23:18:21 web-server rpc.gssd[4522]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2)
Sep 25 23:18:21 web-server rpc.gssd[4522]: process_krb5_upcall: service is ''
Sep 25 23:18:21 web-server rpc.gssd[4522]: getting credentials for client with uid 48 for server nfs-server.example.com
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' being considered, with preferred realm 'EXAMPLE.COM'
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' owned by 797200160, not 48
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' being considered, with preferred realm 'EXAMPLE.COM'
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' owned by 0, not 48
Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server nfs-server.example.com


Apache user id is 48.

Thanks for any help.

James
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Easy deployment

2012-09-24 Thread James James
Ok Thanks ..

2012/9/25 Steven Jones 

>  Hi,
>
> I did a while back ask if this could be "automated" in some way into RH
> satellite.  So future roadmap thing.
>
>  regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>   --
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com]
> on behalf of James James [jre...@gmail.com]
> Sent: Tuesday, 25 September 2012 10:17 a.m.
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] Easy deployment
>
>  Hi guys,
>
> we are planning to install 150 freeipa clients and I was wondering if
> there is a way to easily install (from kickstart) an nfsv4 client.
>
> I can add host with
>
> # ipa host-add --password=secret
>
> But to get the keytab (host and service), I have to log into the machine,
> launch kinit and get the keytab.
>
> This will be very painful for 150 clients 
>
> Any hints are welcome ...
>
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] Easy deployment

2012-09-24 Thread James James
Hi guys,

we are planning to install 150 freeipa clients and I was wondering if there
is a way to easily install (from kickstart) an nfsv4 client.

I can add host with

# ipa host-add --password=secret

But to get the keytab (host and service), I have to log into the machine,
launch kinit and get the keytab.

This will be very painful for 150 clients 

Any hints are welcome ...
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Ipa migration, from ui cannot change password

2012-09-21 Thread James James
I was mistaken. The password change from the ui works well.

Thanks again for your help.

2012/9/21 James James 

> This is my krb5kdc.log ...
>
> Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes
> {18 17 16 23}) 129.104.11.85: CLIENT KEY EXPIRED: test@LIX.POLYTECHNIQUE.FR for krbtgt/example@example.com, Password has expired
> Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes
> {18 17 16 23}) 129.104.11.85: NEEDED_PREAUTH: t...@example.com for kadmin/
> chang...@example.com, Additional pre-authentication required
> Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes
> {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348178594, etypes {rep=18
> tkt=18 ses=18}, t...@example.com for kadmin/chang...@example.com
> Sep 21 00:04:59 ipa.example.com krb5kdc[22836](info): TGS_REQ (4 etypes
> {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348176661, etypes {rep=18
> tkt=18 ses=18}, HTTP/ipa.example@example.com for ldap/
> ipa.example@example.com
> Sep 21 00:04:59 ipa.example.com krb5kdc[22836](info): ...
> CONSTRAINED-DELEGATION s4u-client=ad...@example.com
> Sep 21 00:05:08 ipa.example.com krb5kdc[22843](info): TGS_REQ (4 etypes
> {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348176661, etypes {rep=18
> tkt=18 ses=18}, HTTP/ipa.example@example.com for ldap/
> ipa.example@example.com
>
>
> Thanks
>
>
> 2012/9/21 James James 
>
>> Now, I can read the userPassword field (after the migration process) but
>> I still can't change my password from the ui. I just got :
>>
>> kerberos ticket is no longer valid.
>>
>>
>>
>> 2012/9/20 James James 
>>
>>> It will be fine to have this info in the doc.
>>>
>>>
>>> 2012/9/20 Rob Crittenden 
>>>
>>>> Dmitri Pal wrote:
>>>>
>>>>> On 09/20/2012 01:42 PM, Rob Crittenden wrote:
>>>>>
>>>>>> James James wrote:
>>>>>>
>>>>>>> You're right. The request returns:
>>>>>>>
>>>>>>> Enter LDAP Password:
>>>>>>> # extended LDIF
>>>>>>> #
>>>>>>> # LDAPv3
>>>>>>> # base  with scope subtree
>>>>>>> # filter: uid=test
>>>>>>> # requesting: userPassword
>>>>>>> #
>>>>>>>
>>>>>>> # test, users, accounts, example.com
>>>>>>> dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
>>>>>>>
>>>>>>> # search result
>>>>>>> search: 2
>>>>>>> result: 0 Success
>>>>>>>
>>>>>>> Can you explain to me what happens?
>>>>>>>
>>>>>>> Is there a solution ?
>>>>>>>
>>>>>>
>>>>>> When migrating you need to bind as a user that has read permission on
>>>>>> the userPassword attribute in the remote LDAP server.
>>>>>>
>>>>>
>>>>> Rob should we check if we can read the userPassword attribute and if
>>>>> not
>>>>> fail migration?
>>>>> Should we open a ticket for this?
>>>>> Also I do not think we document the expectation that you vocalized
>>>>> above.
>>>>>
>>>>
>>>> I'll open a ticket to spell this out in the docs.
>>>>
>>>> Checking it in the command would be nice but I don't know about fatal.
>>>> Still, I'll open a ticket for that as well.
>>>>
>>>> rob
>>>>
>>>
>>>
>>
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Ipa migration, from ui cannot change password

2012-09-20 Thread James James
This is my krb5kdc.log ...

Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes {18
17 16 23}) 129.104.11.85: CLIENT KEY EXPIRED: test@LIX.POLYTECHNIQUE.FR for krbtgt/example@example.com, Password has expired
Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes {18
17 16 23}) 129.104.11.85: NEEDED_PREAUTH: t...@example.com for kadmin/
chang...@example.com, Additional pre-authentication required
Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes {18
17 16 23}) 129.104.11.85: ISSUE: authtime 1348178594, etypes {rep=18 tkt=18
ses=18}, t...@example.com for kadmin/chang...@example.com
Sep 21 00:04:59 ipa.example.com krb5kdc[22836](info): TGS_REQ (4 etypes {18
17 16 23}) 129.104.11.85: ISSUE: authtime 1348176661, etypes {rep=18 tkt=18
ses=18}, HTTP/ipa.example@example.com for ldap/
ipa.example@example.com
Sep 21 00:04:59 ipa.example.com krb5kdc[22836](info): ...
CONSTRAINED-DELEGATION s4u-client=ad...@example.com
Sep 21 00:05:08 ipa.example.com krb5kdc[22843](info): TGS_REQ (4 etypes {18
17 16 23}) 129.104.11.85: ISSUE: authtime 1348176661, etypes {rep=18 tkt=18
ses=18}, HTTP/ipa.example@example.com for ldap/
ipa.example@example.com


Thanks

2012/9/21 James James 

> Now, I can read the userPassword field (after the migration process) but I
> still can't change my password from the ui. I just got :
>
> kerberos ticket is no longer valid.
>
>
>
> 2012/9/20 James James 
>
>> It will be fine to have this info in the doc.
>>
>>
>> 2012/9/20 Rob Crittenden 
>>
>>> Dmitri Pal wrote:
>>>
>>>> On 09/20/2012 01:42 PM, Rob Crittenden wrote:
>>>>
>>>>> James James wrote:
>>>>>
>>>>>> You're right. The request returns:
>>>>>>
>>>>>> Enter LDAP Password:
>>>>>> # extended LDIF
>>>>>> #
>>>>>> # LDAPv3
>>>>>> # base  with scope subtree
>>>>>> # filter: uid=test
>>>>>> # requesting: userPassword
>>>>>> #
>>>>>>
>>>>>> # test, users, accounts, example.com
>>>>>> dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
>>>>>>
>>>>>> # search result
>>>>>> search: 2
>>>>>> result: 0 Success
>>>>>>
>>>>>> Can you explain to me what happens?
>>>>>>
>>>>>> Is there a solution ?
>>>>>>
>>>>>
>>>>> When migrating you need to bind as a user that has read permission on
>>>>> the userPassword attribute in the remote LDAP server.
>>>>>
>>>>
>>>> Rob should we check if we can read the userPassword attribute and if not
>>>> fail migration?
>>>> Should we open a ticket for this?
>>>> Also I do not think we document the expectation that you vocalized
>>>> above.
>>>>
>>>
>>> I'll open a ticket to spell this out in the docs.
>>>
>>> Checking it in the command would be nice but I don't know about fatal.
>>> Still, I'll open a ticket for that as well.
>>>
>>> rob
>>>
>>
>>
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Ipa migration, from ui cannot change password

2012-09-20 Thread James James
Now, I can read the userPassword field (after the migration process) but I
still can't change my password from the ui. I just got :

kerberos ticket is no longer valid.


2012/9/20 James James 

> It will be fine to have this info in the doc.
>
>
> 2012/9/20 Rob Crittenden 
>
>> Dmitri Pal wrote:
>>
>>> On 09/20/2012 01:42 PM, Rob Crittenden wrote:
>>>
>>>> James James wrote:
>>>>
>>>>> You're right. The request returns:
>>>>>
>>>>> Enter LDAP Password:
>>>>> # extended LDIF
>>>>> #
>>>>> # LDAPv3
>>>>> # base  with scope subtree
>>>>> # filter: uid=test
>>>>> # requesting: userPassword
>>>>> #
>>>>>
>>>>> # test, users, accounts, example.com
>>>>> dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
>>>>>
>>>>> # search result
>>>>> search: 2
>>>>> result: 0 Success
>>>>>
>>>>> Can you explain to me what happens?
>>>>>
>>>>> Is there a solution ?
>>>>>
>>>>
>>>> When migrating you need to bind as a user that has read permission on
>>>> the userPassword attribute in the remote LDAP server.
>>>>
>>>
>>> Rob should we check if we can read the userPassword attribute and if not
>>> fail migration?
>>> Should we open a ticket for this?
>>> Also I do not think we document the expectation that you vocalized above.
>>>
>>
>> I'll open a ticket to spell this out in the docs.
>>
>> Checking it in the command would be nice but I don't know about fatal.
>> Still, I'll open a ticket for that as well.
>>
>> rob
>>
>
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Ipa migration, from ui cannot change password

2012-09-20 Thread James James
It will be fine to have this info in the doc.

2012/9/20 Rob Crittenden 

> Dmitri Pal wrote:
>
>> On 09/20/2012 01:42 PM, Rob Crittenden wrote:
>>
>>> James James wrote:
>>>
>>>> You're right. The request returns:
>>>>
>>>> Enter LDAP Password:
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base  with scope subtree
>>>> # filter: uid=test
>>>> # requesting: userPassword
>>>> #
>>>>
>>>> # test, users, accounts, example.com
>>>> dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> Can you explain to me what happens?
>>>>
>>>> Is there a solution ?
>>>>
>>>
>>> When migrating you need to bind as a user that has read permission on
>>> the userPassword attribute in the remote LDAP server.
>>>
>>
>> Rob should we check if we can read the userPassword attribute and if not
>> fail migration?
>> Should we open a ticket for this?
>> Also I do not think we document the expectation that you vocalized above.
>>
>
> I'll open a ticket to spell this out in the docs.
>
> Checking it in the command would be nice but I don't know about fatal.
> Still, I'll open a ticket for that as well.
>
> rob
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Ipa migration, from ui cannot change password

2012-09-20 Thread James James
You're right. The request returns:

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: uid=test
# requesting: userPassword
#

# test, users, accounts, example.com
dn: uid=test,cn=users,cn=accounts,dc=example,dc=com

# search result
search: 2
result: 0 Success

Can you explain to me what happens?

Is there a solution ?




2012/9/20 Rob Crittenden 

> Dmitri Pal wrote:
>
>> On 09/20/2012 12:50 PM, James James wrote:
>>
>>> Oups .. migration mode is enable ...
>>>
>>
>> The ldap (access, error) and kerberos logs from the server would be
>> helpful to troubleshoot.
>> /var/log/dirsrv/...
>> krb5kdc.log
>>
>
> This is usually seen when there is no password in LDAP.
>
> You can confirm this as Directory Manager:
>
> $ ldapsearch -x -D 'cn=Directory Manager' -W -b
> cn=users,cn=accounts,dc=example,dc=com uid=migrated_user userPassword
>
> rob
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
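Rob's ldapsearch answers one question: does the migrated entry carry a userPassword at all? "Inappropriate authentication" (LDAP result code 48) is what 389-ds returns for a simple bind against an entry that has no password to compare with, which is why the migration page fails before it ever gets to Kerberos. The block below is an added example, not FreeIPA or OpenLDAP code: a small LDIF reader for that ldapsearch output and a classifier over it. The sample output is constructed; 'test' has no hash and 'alice' has a base64-encoded one, since ldapsearch prints userPassword with the `::` form. One reading rule matters: if no entry at all shows the attribute, either the identity you bound as cannot read userPassword (bind as Directory Manager to rule that out) or, as in this thread, the migration imported no hashes because the account used against the source server could not read them.

```python
"""Check which migrated users carry a userPassword, from ldapsearch LDIF.

Added example, not FreeIPA or OpenLDAP code. Feed it the output of the
ldapsearch Rob suggests (bound as Directory Manager, requesting
userPassword). The sample below is constructed: 'test' has no hash,
'alice' has a base64-encoded one, as ldapsearch prints such values.
"""
import base64

SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=example,dc=com> with scope subtree
# filter: (uid=*)
# requesting: userPassword
#

# test, users, accounts, example.com
dn: uid=test,cn=users,cn=accounts,dc=example,dc=com

# alice, users, accounts, example.com
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
userPassword:: e1NTSEF9YWJj

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""


def _unfold(text):
    """LDIF folds long values: a line starting with one space continues
    the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return one {attr_lowercase: [values]} dict per entry. Comments are
    skipped, '::' values are base64-decoded, and trailer lines such as
    'search: 2' are ignored because no entry is open after a blank line."""
    entries, current = [], None
    for line in _unfold(text):
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        attr = attr.lower()
        if attr == "dn":
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def diagnose(ldif_text):
    """Classify the search result:
    no-entries    - base or filter is wrong
    none-visible  - entries came back but none shows userPassword: the bind
                    identity cannot read it, or the migration imported none
    some-missing  - the listed users were migrated without a hash
    ok            - every entry has a hash"""
    entries = parse_ldif(ldif_text)
    if not entries:
        return {"status": "no-entries", "missing": []}
    missing = [e["dn"][0] for e in entries if "userpassword" not in e]
    if len(missing) == len(entries):
        status = "none-visible"
    elif missing:
        status = "some-missing"
    else:
        status = "ok"
    return {"status": status, "missing": missing}
```

Save the ldapsearch output to a file and call diagnose on its contents; the DNs in "missing" are the users who will hit the same bind error until they are re-migrated with a bind account that can read userPassword on the source server.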

Re: [Freeipa-users] Ipa migration, from ui cannot change password

2012-09-20 Thread James James
Thanks for your help.

I've got in krb5kdc.log :

Sep 20 17:00:47 ipa.example.com krb5kdc[14155](info): TGS_REQ (4 etypes {18 17 16 23}) 129.104.11.72: ISSUE: authtime 1348153247, etypes {rep=18 tkt=18 ses=18}, host/elide.example@example.com for ldap/ipa.lix.polytechnique...@example.com
Sep 20 17:00:56 ipa.example.com krb5kdc[14164](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.72: NEEDED_PREAUTH: re...@example.com for krbtgt/example@example.com, Additional pre-authentication required
Sep 20 17:00:56 ipa.example.com krb5kdc[14169](info): preauth (timestamp) verify failure: No matching key in entry
Sep 20 17:00:56 ipa.example.com krb5kdc[14169](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.72: PREAUTH_FAILED: re...@example.com for krbtgt/example@example.com, Preauthentication failed
Sep 20 17:00:56 ipa.example.com krb5kdc[14161](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.72: NEEDED_PREAUTH: host/elide.example@example.com for krbtgt/example@example.com, Additional pre-authentication required


I have spent the whole day trying to debug my server. I will re-install and
re-migrate to see if I have missed something ..

2012/9/20 Dmitri Pal 

>  On 09/20/2012 12:50 PM, James James wrote:
>
> Oups .. migration mode is enabled ...
>
>
> The ldap (access, error) and kerberos logs from the server would be
> helpful to troubleshoot.
> /var/log/dirsrv/...
> krb5kdc.log
>
>
>
> 2012/9/20 James James 
>
>> Yes config mod is enabled
>>
>> 2012/9/20 Dmitri Pal 
>>
>>>   On 09/20/2012 12:30 PM, James James wrote:
>>>
>>> Hi,
>>>
>>> I've done a migration from ldap to ipa. Everything works well but when I
>>> try to change my password in the ui (
>>> https://ipa.example.com/ipa/migration) I have this error message :
>>>  We're Sorry
>>>
>>> *There was a problem with your request. Please, try again later.*
>>>
>>> If the problem persists, contact your administrator.
>>>
>>> In the log :
>>>
>>> Thu Sep 20 18:29:54 2012] [error] ipa: ERROR: migration bind failed:
>>> Inappropriate authentication ()
>>>
>>>  Can somebody give me some help ?
>>>
>>>
>>> And I assume the migration is in fact enabled?
>>>
>>> # ipa config-mod --enable-migration=TRUE
>>>
>>>
>>>
>>> Can it be that you are hitting
>>> https://bugzilla.redhat.com/show_bug.cgi?id=822350
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager for IdM portfolio
>>> Red Hat Inc.
>>>
>>>
>>>
>>>
>>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
>
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
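Both krb5kdc.log excerpts in this thread are read the same way. A PREAUTH_FAILED that immediately follows "preauth (timestamp) verify failure: No matching key in entry" from the same krb5kdc worker pid means the KDC has no Kerberos key for that principal at all, which is the state of a migrated account whose userPassword hash has not yet been turned into keys by a successful bind through the migration page. "CLIENT KEY EXPIRED ... Password has expired" means the keys exist but the password must be changed, and the ISSUE for kadmin/changepw right after it is the change-password flow doing its job. The block below is an added example, not MIT krb5 or FreeIPA code; it parses those line formats and sorts principals into the two buckets. The sample lines are constructed to match the format quoted above, with principal names changed.

```python
"""Classify krb5kdc.log authentication events.

Added example, not MIT krb5 or FreeIPA code. The sample lines are
constructed in the format of the excerpts in this thread, with the
principal names changed.
"""
import re
from collections import Counter

SAMPLE_KDC_LOG = """\
Sep 20 17:00:56 ipa.example.com krb5kdc[14164](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.72: NEEDED_PREAUTH: test@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Sep 20 17:00:56 ipa.example.com krb5kdc[14169](info): preauth (timestamp) verify failure: No matching key in entry
Sep 20 17:00:56 ipa.example.com krb5kdc[14169](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.72: PREAUTH_FAILED: test@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: CLIENT KEY EXPIRED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348178594, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
"""

RE_REQ = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{[^}]*\}\) (?P<ip>\S+): (?P<status>[A-Z][A-Z_ ]*?): (?P<rest>.*)$")
RE_ISSUE = re.compile(r"authtime \d+, etypes \{[^}]*\}, (?P<client>\S+) for (?P<server>\S+)")
RE_DENIED = re.compile(r"(?P<client>\S+) for (?P<server>\S+)(?:, (?P<msg>.*))?$")
RE_NO_KEY = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]\(info\): preauth \(\w+\) verify failure: No matching key in entry")


def parse_kdc_log(text):
    """One dict per AS_REQ/TGS_REQ line. The 'No matching key in entry'
    line carries no principal, so it is attached to the next PREAUTH_FAILED
    logged by the same krb5kdc worker pid."""
    events, no_key_pending = [], set()
    for line in text.splitlines():
        m = RE_NO_KEY.search(line)
        if m:
            no_key_pending.add(m["pid"])
            continue
        m = RE_REQ.search(line)
        if not m:
            continue
        status = m["status"]
        tail = (RE_ISSUE if status == "ISSUE" else RE_DENIED).match(m["rest"])
        if not tail:
            continue
        ev = {"pid": m["pid"], "req": m["req"], "ip": m["ip"], "status": status,
              "client": tail["client"], "server": tail["server"],
              "msg": tail.groupdict().get("msg"), "no_key": False}
        if status == "PREAUTH_FAILED" and m["pid"] in no_key_pending:
            ev["no_key"] = True
            no_key_pending.discard(m["pid"])
        events.append(ev)
    return events


def triage(events):
    """What an admin wants after a migration: who has no Kerberos key yet
    (hash not converted), who merely has an expired password, and counts."""
    return {
        "no_kerberos_key": sorted({e["client"] for e in events if e["no_key"]}),
        "password_expired": sorted({e["client"] for e in events
                                    if e["status"] == "CLIENT KEY EXPIRED"}),
        "issued": sum(1 for e in events if e["status"] == "ISSUE"),
        "by_status": dict(Counter(e["status"] for e in events)),
    }
```

Principals in no_kerberos_key need one successful bind through the migration page (or a password reset by an admin) before kinit can work; principals in password_expired only need the change-password step that the second excerpt shows succeeding.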

Re: [Freeipa-users] Ipa migration, from ui cannot change password

2012-09-20 Thread James James
Oups .. migration mode is enabled ...

2012/9/20 James James 

> Yes config mod is enabled
>
> 2012/9/20 Dmitri Pal 
>
>>  On 09/20/2012 12:30 PM, James James wrote:
>>
>> Hi,
>>
>> I've done a migration from ldap to ipa. Everything works well but when I
>> try to change my password in the ui (
>> https://ipa.example.com/ipa/migration) I have this error message :
>>  We're Sorry
>>
>> *There was a problem with your request. Please, try again later.*
>>
>> If the problem persists, contact your administrator.
>>
>> In the log :
>>
>> Thu Sep 20 18:29:54 2012] [error] ipa: ERROR: migration bind failed:
>> Inappropriate authentication ()
>>
>>  Can somebody give me some help ?
>>
>>
>> And I assume the migration is in fact enabled?
>>
>> # ipa config-mod --enable-migration=TRUE
>>
>>
>>
>> Can it be that you are hitting
>> https://bugzilla.redhat.com/show_bug.cgi?id=822350
>>
>>
>>
>>
>>
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>>
>>
>>
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Ipa migration, from ui cannot change password

2012-09-20 Thread James James
Yes config mod is enabled

2012/9/20 Dmitri Pal 

>  On 09/20/2012 12:30 PM, James James wrote:
>
> Hi,
>
> I've done a migration from ldap to ipa. Everything works well but when I
> try to change my password in the ui (https://ipa.example.com/ipa/migration)
> I have this error message :
>  We're Sorry
>
> *There was a problem with your request. Please, try again later.*
>
> If the problem persists, contact your administrator.
>
> In the log :
>
> Thu Sep 20 18:29:54 2012] [error] ipa: ERROR: migration bind failed:
> Inappropriate authentication ()
>
>  Can somebody give me some help ?
>
>
> And I assume the migration is in fact enabled?
>
> # ipa config-mod --enable-migration=TRUE
>
>
>
> Can it be that you are hitting
> https://bugzilla.redhat.com/show_bug.cgi?id=822350
>
>
>
>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
>
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] Ipa migration, from ui cannot change password

2012-09-20 Thread James James
Hi,

I've done a migration from ldap to ipa. Everything works well but when I
try to change my password in the ui (https://ipa.example.com/ipa/migration)
I have this error message :
We're Sorry

*There was a problem with your request. Please, try again later.*

If the problem persists, contact your administrator.

In the log :

Thu Sep 20 18:29:54 2012] [error] ipa: ERROR: migration bind failed:
Inappropriate authentication ()

Can somebody give me some help ?
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] ipa {user-find} ca cert file

2012-09-19 Thread James James
OK Thanks a lot for the solution and for the advice.


2012/9/19 Rob Crittenden 

> James James wrote:
>
>> Hi,
>>
>> I have followed this
>> http://freeipa.org/page/Certificate_Authority#Using_Certificates_From_a_Different_CA
>> and everything works well.
>>
>> Now when, from the console, I execute
>>
>> $ ipa user-find
>>
>> I've got
>>
>> [root@ipa ipa]# ipa user-find
>> ipa: ERROR: cert validation failed for "E=certus...@example.com,CN=ipa.example.com,OU=TEST,O=TEST,C=FR"
>>
>> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked
>> as not trusted by the user.)
>> ipa: ERROR: cannot connect to u'http://ipa.lix.example.com/ipa/xml':
>> [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has
>> been marked as not trusted by the user.
>>
>> Any help will be very appreciated ..
>>
>
> You need to add the CA certificate to /etc/pki/nssdb on the client and
> mark it as trusted.
>
> Note that installing certificates from another CA is not recommended and
> you may run into further corner cases. If you have an existing CA then
> installing the IPA dogtag CA as a subordinate is a better long-term
> solution.
>
> rob
>
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] ipa {user-find} ca cert file

2012-09-19 Thread James James
Hi,

I have followed this
http://freeipa.org/page/Certificate_Authority#Using_Certificates_From_a_Different_CA
and everything works well.

Now when, from the console, I execute

$ ipa user-find

I've got

[root@ipa ipa]# ipa user-find
ipa: ERROR: cert validation failed for "E=certus...@example.com,CN=
ipa.example.com,OU=TEST,O=TEST,C=FR" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cannot connect to u'http://ipa.lix.example.com/ipa/xml': [Errno
-8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been
marked as not trusted by the user.

Any help will be very appreciated.


James

Re: [Freeipa-users] MemberOf plugin and LDAP filter

2012-09-18 Thread James James
Oops, in the first message I should have written:
I want to have the email of the emails of all the person belonging to a
group.

and not
I want to have the email of the emails of all the person belongingS to a
group.

:0)


2012/9/18 James James 

> Thanks for your answer.
> In my group I have two users but when I use this command:
>
>
>  $ ldapsearch -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'
> '(memberOf=cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com)' mail
>
> the result is:
>
> # search result
> search: 2
> result: 0 Success
>
> How can I check my memberOf plugin?
>
>
>
> 2012/9/18 Rob Crittenden 
>
>> James James wrote:
>>
>>> Hi everybody,
>>>
>>> can somebody help me with the memberof plugin? Is there a way to add
>>> the memberof attribute like it was in 389-ds?
>>> For my mailing list program, I want to have the email of the emails of
>>> all the person belongings to a group. Is there a filter to do that?
>>>
>>
>> To find all e-mail address of users in group "mygroup" use:
>>
>> $ ldapsearch -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'
>> '(memberOf=cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com)' mail
>>
>> This will include nested users who are in groups that are members of
>> mygroup.
>>
>> rob
>>
>
>

Re: [Freeipa-users] MemberOf plugin and LDAP filter

2012-09-18 Thread James James
Thanks for your answer.
In my group I have two users but when I use this command:

 $ ldapsearch -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'
'(memberOf=cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com)' mail

the result is:

# search result
search: 2
result: 0 Success

How can I check my memberOf plugin?


2012/9/18 Rob Crittenden 

> James James wrote:
>
>> Hi everybody,
>>
>> can somebody help me with the memberof plugin? Is there a way to add
>> the memberof attribute like it was in 389-ds?
>> For my mailing list program, I want to have the email of the emails of
>> all the person belongings to a group. Is there a filter to do that?
>>
>
> To find all e-mail address of users in group "mygroup" use:
>
> $ ldapsearch -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'
> '(memberOf=cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com)' mail
>
> This will include nested users who are in groups that are members of
> mygroup.
>
> rob
>
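What the `(memberOf=...)` filter in Rob's answer relies on, and why the search above can come back empty, as an added example that is not part of this thread and not FreeIPA or 389-ds code: 389-ds stores only the forward link (`member` on the group entry); the memberOf plugin derives the backward link (`memberOf` on the user entry), following nested groups, and the filter matches on that derived attribute. The directory entries, DNs and e-mail addresses below are constructed sample data laid out like the `cn=accounts` tree in the thread; `compute_memberof` models the plugin's derivation, `search_mail_by_memberof` models the ldapsearch, and `diagnose_empty_result` is a hypothetical helper that separates "no members" from "members but no derived memberOf".

```python
"""In-memory model of the 389-ds memberOf plugin and of
   ldapsearch -b cn=users,... '(memberOf=<group dn>)' mail
Added example, not project code. All entries below are constructed."""

BASE = "dc=example,dc=com"
USERS = "cn=users,cn=accounts," + BASE
GROUPS = "cn=groups,cn=accounts," + BASE


def dn(rdn, container):
    """Build a DN from a leading RDN and its container."""
    return rdn + "," + container


# Constructed groups: only the forward 'member' links are stored, exactly
# as FreeIPA keeps them. memberOf is never stored here; it is derived below.
GROUP_ENTRIES = {
    dn("cn=mygroup", GROUPS): {"member": [dn("uid=alice", USERS),
                                          dn("cn=subgroup", GROUPS)]},
    dn("cn=subgroup", GROUPS): {"member": [dn("uid=bob", USERS)]},
    dn("cn=other", GROUPS): {"member": [dn("uid=carol", USERS)]},
}

# Constructed users with the attribute the thread asks for.
USER_ENTRIES = {
    dn("uid=alice", USERS): {"mail": ["alice@example.com"]},
    dn("uid=bob", USERS): {"mail": ["bob@example.com"]},
    dn("uid=carol", USERS): {"mail": ["carol@example.com"]},
}


def compute_memberof(groups):
    """Return {entry_dn: set(group_dns)}: the memberOf values the plugin
    would write, including membership inherited through nested groups."""
    memberof = {}
    for gdn, attrs in groups.items():
        # Walk the membership graph from this group. The 'seen' set is a
        # cycle guard so a group that indirectly contains itself terminates.
        stack, seen = list(attrs.get("member", [])), set()
        while stack:
            m = stack.pop()
            if m in seen:
                continue
            seen.add(m)
            memberof.setdefault(m, set()).add(gdn)
            if m in groups:  # nested group: its members also get this memberOf
                stack.extend(groups[m].get("member", []))
    return memberof


def search_mail_by_memberof(users, memberof, group_dn):
    """Model of the ldapsearch: users whose memberOf contains group_dn,
    returning their sorted 'mail' values (nested members included)."""
    hits = [u for u in users if group_dn in memberof.get(u, ())]
    return sorted(addr for u in hits for addr in users[u].get("mail", []))


def diagnose_empty_result(groups, stored_memberof, group_dn):
    """Hypothetical helper: explain an empty result like the one in the
    thread. stored_memberof is what the directory actually holds, so an
    empty dict models a plugin that was disabled (or never ran a fixup)."""
    if group_dn not in groups:
        return "group DN does not exist (check the cn= value and the groups container)"
    if not groups[group_dn].get("member"):
        return "group has no member values"
    if not any(group_dn in gs for gs in stored_memberof.values()):
        return "members exist but no memberOf was derived: plugin disabled or fixup task not run"
    return "memberOf is populated: check the search base and bind permissions"


if __name__ == "__main__":
    target = dn("cn=mygroup", GROUPS)
    derived = compute_memberof(GROUP_ENTRIES)
    print(search_mail_by_memberof(USER_ENTRIES, derived, target))
    print(diagnose_empty_result(GROUP_ENTRIES, {}, target))
```

Running it lists alice and bob for `cn=mygroup` (bob only through `cn=subgroup`, which is the nesting behaviour Rob describes) and, when handed an empty memberOf store, reports the "members exist but no memberOf was derived" case. On a real server the equivalent check is to read the plugin's own configuration entry, `cn=MemberOf Plugin,cn=plugins,cn=config`, and confirm `nsslapd-pluginEnabled` is `on`; memberOf values are only present for memberships added while the plugin was enabled or after a memberOf fixup task has been run.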

[Freeipa-users] MemberOf plugin and LDAP filter

2012-09-18 Thread James James
Hi everybody,

can somebody help me with the memberof plugin? Is there a way to add the
memberof attribute like it was in 389-ds?
For my mailing list program, I want to have the email of the emails of all
the person belongings to a group. Is there a filter to do that?

Thanks.

[Freeipa-users] Subject for certificate request in ipa-server-install

2012-09-10 Thread James James
Hi Everybody,

I want to change the default Certificate Authority that is automatically
added when you make a certificate request.

There was a thread about something like that (
https://www.redhat.com/archives/freeipa-users/2012-April/msg00021.html),
but I don't know if there is a quick and nice solution.

James

Re: [Freeipa-users] Question about migration and scripts variables

2012-09-10 Thread James James
Back from holidays...

I have just tried "--user-ignore-attribute=uidnumber,gidnumber"; the
server says that the posixAccount attribute requires uid and gid number. I
will find another solution to solve my problem.

James


2012/8/20 Rob Crittenden 

> James James wrote:
>
>> Hi,
>>
>> my first question is about the migrate process. Is it possible to
>> renumber the users during the migrate process (ipa migrate-ds) in a way
>> that all imported users will have a new UID ?
>>
>
> I haven't tested this but you might try
> --user-ignore-attribute=uidnumber,gidnumber.
>
>
>> my second question is about ipalib. I wanted to make a hook on the user
>> creation. The hook works fine. I just want to know if there is a way to
>> have the value of variables like the username, the name of the creator,
>> the e-mail of the creator and stuff like that.
>>
>
> The current user is available via: principal = getattr(context,
> 'principal')
>
> Using this you can look up that user:
>
> (binddn, bindattrs) = find_entry_by_attr("krbprincipalname", principal,
> "krbPrincipalAux")
>
> rob
>

Re: [Freeipa-users] Question about migration and scripts variables

2012-08-21 Thread James James
Thanks a lot Rob. I will try that.

2012/8/20 Rob Crittenden 

> James James wrote:
>
>> Hi,
>>
>> my first question is about the migrate process. Is it possible to
>> renumber the users during the migrate process (ipa migrate-ds) in a way
>> that all imported users will have a new UID ?
>>
>
> I haven't tested this but you might try
> --user-ignore-attribute=uidnumber,gidnumber.
>
>
>> my second question is about ipalib. I wanted to make a hook on the user
>> creation. The hook works fine. I just want to know if there is a way to
>> have the value of variables like the username, the name of the creator,
>> the e-mail of the creator and stuff like that.
>>
>
> The current user is available via: principal = getattr(context,
> 'principal')
>
> Using this you can look up that user:
>
> (binddn, bindattrs) = find_entry_by_attr("krbprincipalname", principal,
> "krbPrincipalAux")
>
> rob
>

[Freeipa-users] Question about migration and scripts variables

2012-08-17 Thread James James
Hi,

my first question is about the migrate process. Is it possible to renumber
the users during the migrate process (ipa migrate-ds) in a way that all
imported users will have a new UID?

my second question is about ipalib. I wanted to make a hook on the user
creation. The hook works fine. I just want to know if there is a way to
have the value of variables like the username, the name of the creator, the
e-mail of the creator and stuff like that.

Thanks for your answers.

PS: sorry for my poor English :)

Re: [Freeipa-users] Add attributes to default user schema

2012-06-23 Thread James James
Hi,

I have just followed Stephen's help and I was able to add
mailAlternateAddress to the IPA default user schema.

I don't know if this is the best way to do this, but it works great.

Thanks again guys.

2012/6/21 Stephen Ingram 

> On Thu, Jun 21, 2012 at 2:06 PM, James James  wrote:
> > Hi everybody,
> >
> > Is it possible to have a procedure to add new attributes like
> > mailAlternateAddress in the default user schema ?
>
>
> That particular attribute is included in the schema
> (objectclass=mailRecipient) so it is easy to add using the ipa
> user-mod --addattr command. I then followed Adam Young's instructions
> to change the interface such that we could view/edit the new attribute
> in the UI:
>
> 1. Edit the /usr/lib/python2.7/site-packages/ipalib/plugins/user.py to
> include the new field
> 2. Add an entry to /usr/share/ipa/ui/user.js for the new value
> 3. Don't forget to restart httpd and refresh your browser cache to
> pick up the new fields
>
> We needed that instead of using the multi-valued mail attribute
> because there are circumstances where we need to differentiate between
> the "master" email address and aliases. It's easy to add though and
> works great. I certainly wouldn't want to be in the position of adding
> lots of attributes not already included in IPA, but a one or two-off
> seems pretty reasonable to manage.
>
> I don't know if it's still in the I'm sure *very* future plans for
> IPA, but I remember seeing some application (MTA, mail store) support
> mentioned at one time. These sorts of attributes might be nice to have
> if and when that happens.
>
> Steve
>

[Freeipa-users] Add attributes to default user schema

2012-06-21 Thread James James
Hi everybody,

Is it possible to have a procedure to add new attributes like
mailAlternateAddress in the default user schema?

Regards