[Freeipa-users] OTP via LDAP auth time sync

2019-02-04 Thread Callum Smith via FreeIPA-users
Dear All, I'm seeing issues with the time synchronisation for OTP but ONLY for authentication through LDAP and not through kerberos. Is this even possible or am I going down the wrong rabbit hole on this issue? The error presents as LDAP authentication giving "ldap operation failed" when authen

[Freeipa-users] Use of certificates is failing

2019-02-04 Thread Pierre Labanowski via FreeIPA-users
Hello, I have some issues with certificate management. 2 important points of the recent information: - after a longstanding loss of the certification authority. The certification authority was deleted and a new one was created. https://frasertweedale.github.io/blog-redhat/posts/2018-05-31-repl

[Freeipa-users] Error: "has a RID that is larger than the ldap_idmap_range_size"

2019-02-04 Thread SOLER SANGUESA Miguel via FreeIPA-users
hello, I have an IDM cluster (Master + Replica) version 4.5.4 on RHEL 7.4. I have created a trust with an AD 2016 domain AD.COMPANY.ORG. Some users are working properly, but I created a new AD user and it is not working. Checking on the sssd logs I found: [sdap_idmap_sid_to_unix] (0x0040): Objec

[Freeipa-users] Error: "has a RID that is larger than the ldap_idmap_range_size"

2019-02-04 Thread SOLER SANGUESA Miguel via FreeIPA-users
Hello again, I have resolved the problem myself. Following https://access.redhat.com/solutions/659243 the sssd cache must be erased using: service sssd stop; rm -f /var/lib/sss/db/*; service sssd start. It seems that the way I used "sss_cache -E" doesn't work on this. Thanks & Regards. From: SOLE

[Freeipa-users] Re: external ocsp ?

2019-02-04 Thread Jessie Floyd via FreeIPA-users
I want to prevent user access if the OCSP responder does not return a valid/successful result. Only those users with a confirmed OCSP response will be allowed access to the systems. I don't find a flag in sssd.conf which would force this type of operation. I've also looked over the IPA/idM ins

[Freeipa-users] Re: Use of certificates is failing

2019-02-04 Thread Florence Blanc-Renaud via FreeIPA-users
On 2/4/19 12:16 PM, Pierre Labanowski via FreeIPA-users wrote: Hello, I have some issues with certificate management. 2 important points of the recent information: - after a longstanding loss of the certification authority. The certification authority was deleted and a new one was created. ht

[Freeipa-users] Re: external ocsp ?

2019-02-04 Thread Natxo Asenjo via FreeIPA-users
hello Jessie, On Mon, Feb 4, 2019 at 5:10 PM Jessie Floyd via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > I want to prevent user access if the OCSP responder does not return a > valid/successful result. Only those users with a confirmed OCSP response > will be allowed access t

[Freeipa-users] CA no certs being tracked?

2019-02-04 Thread Chris Mohler via FreeIPA-users
Hi Everyone, I'm looking for some help. I'm having trouble with everything basically. I think one of my CA's certs expired or something. I can't kinit admin, I can't login via the WebGui. If I "getcert list" it returns "Number of certificates and requests being tracked: 0." This all started

[Freeipa-users] DNS A record for IPA server is not created

2019-02-04 Thread Dmitry Perets via FreeIPA-users
Hi, With ipa-server 4.6.4-10.el7_6.2 on RHEL7, I see the following issue. My host name is a bit long, of a form: idm01.site01.poc.my.network.com I am installing a fresh new IPA server on this host, with DNS server. Running ipa-server-install without arguments. During installation I can specify

[Freeipa-users] Re: CA no certs being tracked?

2019-02-04 Thread Florence Blanc-Renaud via FreeIPA-users
On 2/4/19 5:59 PM, Chris Mohler via FreeIPA-users wrote: Hi Everyone, I'm looking for some help. I'm having trouble with everything basically. I think one of my CA's certs expired or something. I can't kinit admin, I can't login via the WebGui. If I "getcert list" it returns "Number of certif

[Freeipa-users] Re: CA no certs being tracked?

2019-02-04 Thread Chris Mohler via FreeIPA-users
Thanks for looking at my issue! There have been no recent updates on my system. Actually I was getting ready to update when I noticed things weren't good. Here is the output from the log of the most recent update. Looks like it was completed successfully. The lines you asked about are in Bol

[Freeipa-users] Re: CA no certs being tracked?

2019-02-04 Thread Rob Crittenden via FreeIPA-users
Chris Mohler via FreeIPA-users wrote: > Thanks for looking at my issue! > > There have been no recent updates on my system. Actually I was getting > ready to update when I noticed things weren't good. > > Here is the output from the log of the most recent update. Looks like it > was completed suc

[Freeipa-users] Re: DNS A record for IPA server is not created

2019-02-04 Thread Rob Crittenden via FreeIPA-users
Dmitry Perets via FreeIPA-users wrote: > Hi, > > With ipa-server 4.6.4-10.el7_6.2 on RHEL7, I see the following issue > My host name is a bit long, of a form: idm01.site01.poc.my.network.com > > I am installing a fresh new IPA server on this host, with

[Freeipa-users] Re: DNS A record for IPA server is not created

2019-02-04 Thread Dmitry Perets via FreeIPA-users
> > > Right, IPA isn't going to recursively fill in the missing zones for you. > > Is there a particular reason you want to install this way? > > rob > Actually yes. It is a multi-site private cloud deployment. All sites are identical. The naming convention is IPA has replicas on each site (

[Freeipa-users] Re: OTP via LDAP auth time sync

2019-02-04 Thread Rob Crittenden via FreeIPA-users
Callum Smith via FreeIPA-users wrote: > Dear All, > > I'm seeing issues with the time synchronisation for OTP but ONLY for > authentication through LDAP and not through kerberos. Is this even > possible or am I going down the wrong rabbit hole on this issue. The > error presents as LDAP authentica

[Freeipa-users] Re: CA no certs being tracked?

2019-02-04 Thread Chris Mohler via FreeIPA-users
Rob, I'll be honest. I think you are suggesting an ldapsearch with this: Check to see which master is the renewal master. Look in cn=CA,cn=$(hostname),cn=masters,cn=ipa,cn=etc,$SUFFIX for ipaConfigString=caRenewalMaster. Sorry, I've not figured out how to successfully ldapsearch :-( Instead I did

[Freeipa-users] Re: CA no certs being tracked?

2019-02-04 Thread Chris Mohler via FreeIPA-users
Well... That was a mess. The ipa-server-upgrade didn't go so well. It failed and now my ca-replication master is broken. Here are the details. Any hope? Upgrading IPA: Estimated time: 1 minute 30 seconds [1/11]: stopping directory server [2/11]: saving configuration [3/11]: disabling l

[Freeipa-users] Replica creation using 'ipa-replica-prepare' to generate replica file,is supported only in 0-level IPA domain.

2019-02-04 Thread TomK via FreeIPA-users
Hello, Would someone please point me to a concise list of steps I can use here? Running 1.) and 2.) yields various errors and I would like to try a known set of working commands to get a replica going in this state before posting with errors: # ipa-replica-prepare ipa04.abc.xyz.123 --ip-add