[Freeipa-users] Re: custom attributes as a part of default ipa permissions

2017-08-03 Thread Petr Fišer via FreeIPA-users
That sounds exactly like what we need. Thank you very much, Petr Fišer On 08/03/2017 06:01 PM, Alexander Bokovoy wrote: On to, 03 elo 2017, Petr Fišer via FreeIPA-users wrote: Hello, We are currently deploying FreeIPA and we make use of custom attributes. We defined them in custom.py script (l

[Freeipa-users] Re: I appear to have an issue with "hosts" on my replica

2017-08-03 Thread Michael Papet via FreeIPA-users
Have you tried the replication management script? ipa-replica-manage(1): Manage IPA replica - Linux man page Manages the replication agreements of an IPA server. connect [SERVER_A] - Ad

[Freeipa-users] Re: Unable to re-join CentOS client to FreeIPA

2017-08-03 Thread Petr Vobornik via FreeIPA-users
On Thu, Aug 3, 2017 at 9:57 PM, Alexandre Pitre via FreeIPA-users wrote: > I'm unable to rejoin a CentOS client to my FreeIPA realm. I ran the > uninstall command on my client: ipa-client-install --uninstall > > As far as I know the uninstall was successful. It asked me to reboot. After > rebootin

[Freeipa-users] Re: setting up a new replica: failed in "retrieving schema for SchemaCache"

2017-08-03 Thread Petr Vobornik via FreeIPA-users
On Wed, Aug 2, 2017 at 3:06 PM, Karl Forner via FreeIPA-users wrote: > Cross-posted from https://github.com/freeipa/freeipa-container/issues/151 > > Context: I have one master running in a docker container, with freeIPA > 4.2.3. > > I'm trying to setup a new replica. I could not using the same doc

[Freeipa-users] Re: Failed Upgrade?

2017-08-03 Thread Ian Harding via FreeIPA-users
On 08/03/2017 12:28 AM, Florence Blanc-Renaud wrote: On 08/02/2017 11:51 PM, Ian Harding via FreeIPA-users wrote: On 08/02/2017 12:11 AM, Florence Blanc-Renaud wrote: On 08/02/2017 01:43 AM, Ian Harding wrote: On 08/01/2017 12:03 PM, Rob Crittenden wrote: Ian Harding wrote: On 08/01/2017 07:

[Freeipa-users] Re: ipa-getcert and java certstore/keytool

2017-08-03 Thread Jochen Hein via FreeIPA-users
Rob Crittenden via FreeIPA-users writes: > certmonger doesn't support storing certificates in a java keystore. > > certmonger has the concept of pre and post renewal scripts so you can, > for example stop or start a service, or import a renewed certificate > somewhere else (IPA uses this to store

[Freeipa-users] Re: Extended Schema attributes missing

2017-08-03 Thread Kristian Petersen via FreeIPA-users
The customizations that define the additions to the schema appear to be in the javascript file /usr/share/ipa/ui/js/plugins/chemuser/chemuser.js. It defines the additional fields we use that are causing us so much trouble. I have included it below. // Place in /usr/share/ipa/ui/js/plugins/chemuse

[Freeipa-users] Unable to re-join CentOS client to FreeIPA

2017-08-03 Thread Alexandre Pitre via FreeIPA-users
I'm unable to rejoin a CentOS client to my FreeIPA realm. I ran the uninstall command on my client: ipa-client-install --uninstall As far as I know the uninstall was successful. It asked me to reboot. After rebooting if I try to rerun the install command: ipa-client-install -U -p admin -w P@ssw0r

[Freeipa-users] Re: Extended Schema attributes missing

2017-08-03 Thread Alexander Bokovoy via FreeIPA-users
On to, 03 elo 2017, Kristian Petersen via FreeIPA-users wrote: The customizations are in separate files and are still there, but seem to be getting ignored for lack of a better description. You'd need to describe more and in more detail. Look at https://github.com/abbra/freeipa-desktop-profile/

[Freeipa-users] Re: FreeIPA and postfix issue.

2017-08-03 Thread Bob Rentschler via FreeIPA-users
Something like that would be quite welcome, I'd love to use IPA to replace our current 3! "SSO" LDAP environments. They do all work together with lots of duct tape and glue but a clean solution would be great. On Thu, Aug 3, 2017 at 2:27 PM, Rob Crittenden wrote: > Bob Rentschler wrote: > > It

[Freeipa-users] Re: FreeIPA and postfix issue.

2017-08-03 Thread Rob Crittenden via FreeIPA-users
Bob Rentschler wrote: > It seems the postfix problem was of my creation, I reset the postfix > config file to a copy of the default, re-did everything a step at > a time and it all worked. Who knows what I had in there screwing it up, > I still can't find it when I compare them. > > To sum it up u

[Freeipa-users] Re: Extended Schema attributes missing

2017-08-03 Thread Kristian Petersen via FreeIPA-users
The customizations are in separate files and are still there, but seem to be getting ignored for lack of a better description. On Thu, Aug 3, 2017 at 11:27 AM, Rob Crittenden wrote: > Kristian Petersen via FreeIPA-users wrote: > > I work with Randy and there was some custom python and javascript

[Freeipa-users] Re: FreeIPA and postfix issue.

2017-08-03 Thread Bob Rentschler via FreeIPA-users
It seems the postfix problem was of my creation, I reset the postfix config file to a copy of the default, re-did everything a step at a time and it all worked. Who knows what I had in there screwing it up, I still can't find it when I compare them. To sum it up under ipa v4 you need to in one way

[Freeipa-users] Re: Extended Schema attributes missing

2017-08-03 Thread Rob Crittenden via FreeIPA-users
Kristian Petersen via FreeIPA-users wrote: > I work with Randy and there was some custom python and javascript code > written to implement the extensions to the schema as I recall. My initial thought was that the freeIPA code was updated directly and updating overwrote the customizations. rob >

[Freeipa-users] Deleting revoked certs from CA master

2017-08-03 Thread Mark Haney via FreeIPA-users
So now that we have a nicely replicating domain and ca, I'd like to rid myself of these revoked certificates which I tried as a way to fix the replication and setting up of a CA. Is there a way to delete these certs out of the store? -- Mark Haney Network Engineer at NeoNova 919-460-3330 opt

[Freeipa-users] Re: custom attributes as a part of default ipa permissions

2017-08-03 Thread Alexander Bokovoy via FreeIPA-users
On to, 03 elo 2017, Petr Fišer via FreeIPA-users wrote: Hello, We are currently deploying FreeIPA and we make use of custom attributes. We defined them in custom.py script (located in /usr/lib/python2.7/site-packages/ipaserver/plugins/custom.py). custom.py looks like this: from ipaserver.plug

[Freeipa-users] Re: Valid Sender ? - Re: Re: ipa-getcert and java certstore/keytool

2017-08-03 Thread Jochen Hein via FreeIPA-users
Rob Crittenden writes: > certmonger doesn't support storing certificates in a java keystore. That's what I found out :-) > The tricky bit might be in dealing with the CSR. certmonger needs the > private key in order do the renewal. > > I guess one thing you could do is a straight ipa-getcert -f

[Freeipa-users] Re: Extended Schema attributes missing

2017-08-03 Thread Kristian Petersen via FreeIPA-users
I work with Randy and there was some custom python and javascript code written to implement the extensions to the schema as I recall. On Thu, Aug 3, 2017 at 8:15 AM, Rob Crittenden via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Randy Morgan via FreeIPA-users wrote: > > When we

[Freeipa-users] Re: IPA replica with CA role problems

2017-08-03 Thread Mark Haney via FreeIPA-users
On 08/03/2017 08:34 AM, Fraser Tweedale wrote: Mark, that's great news; I'm glad you were able to resolve the issue. Everyone gets the tunnel vision sometimes :) I wish you a successful rollout to production. Cheers, Fraser Actually, let me update you on this. I finally got a chance to spe

[Freeipa-users] Re: FreeIPA and postfix issue.

2017-08-03 Thread Rob Crittenden via FreeIPA-users
Bob Rentschler wrote: > The query mismatch was a typo/mispaste, sorry about that. > > It was indeed at least partly permissions in the LDAP server, likely > because a service is running the query. > > I solved the freeipa permissions with the below command, which is likely > bad in some way but d

[Freeipa-users] Re: FreeIPA and postfix issue.

2017-08-03 Thread Bob Rentschler via FreeIPA-users
The query mismatch was a typo/mispaste, sorry about that. It was indeed at least partly permissions in the LDAP server, likely because a service is running the query. I solved the freeipa permissions with the below command, which is likely bad in some way but did allow postmap to return the desir

[Freeipa-users] Re: Extended Schema attributes missing

2017-08-03 Thread Rob Crittenden via FreeIPA-users
Randy Morgan via FreeIPA-users wrote: > When we setup our IPA server, we extended the schema to include 3 fields > that were important to the work we do. When we performed the last > update, those fields still show as required, but they are missing and we > cannot add users to IPA unless we remove

[Freeipa-users] Re: ipa-getcert and java certstore/keytool

2017-08-03 Thread Rob Crittenden via FreeIPA-users
Jochen Kellner via FreeIPA-users wrote: > Hi, > > 3. August 2017 03:03, "Fraser Tweedale via FreeIPA-users" > > schrieb: > >> On Wed, Aug 02, 2017 at 11:11:09PM +0200, Jochen Hein via FreeIPA-users >> wrote: >>> I'm playing around with keycloak and wanted to use an SSL certificate >>> from IPA

[Freeipa-users] Re: FreeIPA and postfix issue.

2017-08-03 Thread Rob Crittenden via FreeIPA-users
Bob Rentschler via FreeIPA-users wrote: > This may be related to the issue discussed here: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/SC7GYMHMJ2DNT6BDDSWG5F4HL252EJOD/ >

[Freeipa-users] Re: Creating certificate for master domain

2017-08-03 Thread Rob Crittenden via FreeIPA-users
Rafał Wądołowski wrote: > Okey, but how can I create certificate for domain intra.example.com? > > I can't create host, because the hostname is required. When I try to add > service, I got output that principal is required. Like I said, every cert needs to live in a bucket (user, service, etc) so

[Freeipa-users] Re: IPA replica with CA role problems

2017-08-03 Thread Fraser Tweedale via FreeIPA-users
On Thu, Aug 03, 2017 at 07:18:30AM -0400, Mark Haney wrote: > On 08/02/2017 04:17 PM, Fraser Tweedale wrote: > > > > > - /var/log/ipareplica-install.log from replica > > > - /etc/pki/pki-tomcat/ca/debug from both master and replica > > > > > > Those logs should do for a start. > > > > > > I'd al

[Freeipa-users] Re: PKI debug files are not rotated

2017-08-03 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/03/2017 11:19 AM, Harald Dunkel via FreeIPA-users wrote: Hi folks, I found some very large log files in /var/log/pki/pki-tomcat/ca On the major CA host the "debug" file is >1GByte and was never rotated. It seems that there is a responsible config file /etc/pki/pki-tomcat/ca/CS.

[Freeipa-users] Re: custom attributes as a part of default ipa permissions

2017-08-03 Thread Petr Fišer via FreeIPA-users
Oh, sorry, I forgot. FreeIPA 4.4.0 on RHEL 7. Petr Fišer BCV solutions s.r.o. Mobile: +420 607 618 243 E-mail: petr.fi...@bcvsolutions.eu Jabber: petr.fi...@bcvsolutions.eu On 08/03/2017 02:05 PM, Petr Fišer wrote: Hello, We are currently deploying FreeIPA and we make use of custom attributes

[Freeipa-users] custom attributes as a part of default ipa permissions

2017-08-03 Thread Petr Fišer via FreeIPA-users
Hello, We are currently deploying FreeIPA and we make use of custom attributes. We defined them in custom.py script (located in /usr/lib/python2.7/site-packages/ipaserver/plugins/custom.py). custom.py looks like this: from ipaserver.plugins.user import user from ipalib.parameters import Int fr

[Freeipa-users] Re: IPA replica with CA role problems

2017-08-03 Thread Mark Haney via FreeIPA-users
On 08/02/2017 04:17 PM, Fraser Tweedale wrote: - /var/log/ipareplica-install.log from replica - /etc/pki/pki-tomcat/ca/debug from both master and replica Those logs should do for a start. I'd also like to see your /etc/pki/pki-tomcat/ca/CS.cfg from both master and replica. Depending on where

[Freeipa-users] PKI debug files are not rotated

2017-08-03 Thread Harald Dunkel via FreeIPA-users
Hi folks, I found some very large log files in /var/log/pki/pki-tomcat/ca On the major CA host the "debug" file is >1GByte and was never rotated. It seems that there is a responsible config file /etc/pki/pki-tomcat/ca/CS.cfg, setting debug.append=true debug.enabled=t

[Freeipa-users] Re: Edit named-pkcs11

2017-08-03 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/03/2017 02:10 AM, Tejas Desai via FreeIPA-users wrote: BIND uses the directives “type forward” and “forward first” in its named.conf file. How can I make use of BIND directives when using ipa dns? Because it is based on BIND, can I edit named-pkcs11 directly? Tejas

[Freeipa-users] Re: Failed Upgrade?

2017-08-03 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/02/2017 11:51 PM, Ian Harding via FreeIPA-users wrote: On 08/02/2017 12:11 AM, Florence Blanc-Renaud wrote: On 08/02/2017 01:43 AM, Ian Harding wrote: On 08/01/2017 12:03 PM, Rob Crittenden wrote: Ian Harding wrote: On 08/01/2017 07:39 AM, Florence Blanc-Renaud wrote: On 08/01/2017 03:

[Freeipa-users] Re: ipa-getcert and java certstore/keytool

2017-08-03 Thread Jochen Kellner via FreeIPA-users
Hi, 3. August 2017 03:03, "Fraser Tweedale via FreeIPA-users" schrieb: > On Wed, Aug 02, 2017 at 11:11:09PM +0200, Jochen Hein via FreeIPA-users wrote: >> I'm playing around with keycloak and wanted to use an SSL certificate >> from IPA. I've looked around but didn't see any howto about using j