[Freeipa-users] Re: AD trust nested AD groups

2020-04-22 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 22 Apr 2020, Natxo Asenjo via FreeIPA-users wrote: hi, On Wed, Apr 22, 2020 at 7:26 PM Natxo Asenjo wrote: In order to use AD nested groups, do we need to add an external IDM group for every nested group? specifically, our AD people have global groups (account groups, they say) wi

[Freeipa-users] Re: CSR in PRINTABLESTRING enc when docs says UTF8STRING is default

2020-04-22 Thread Fraser Tweedale via FreeIPA-users
On Mon, Apr 13, 2020 at 08:50:38AM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On Sun, 12 Apr 2020, Fredrik Arneving via FreeIPA-users wrote: > > Hi Alexander, > > > > Thank you for explaining this to me. > > Next question: > > > > Given that my "organizationName" is given on the command

[Freeipa-users] Re: AD trust nested AD groups

2020-04-22 Thread Natxo Asenjo via FreeIPA-users
hi, On Wed, Apr 22, 2020 at 7:26 PM Natxo Asenjo wrote: > > In order to use AD nested groups, do we need to add an external IDM group > for every nested group? > > specifically, our AD people have global groups (account groups, they say) with the user accounts, and the domain local groups (resou

[Freeipa-users] AD trust nested AD groups

2020-04-22 Thread Natxo Asenjo via FreeIPA-users
hi, we have a working one way trust between an AD forest and a RHEL 7 forest. In order to use AD nested groups, do we need to add an external IDM group for every nested group? -- Regards, natxo

[Freeipa-users] Re: Replication issue with CSN generator

2020-04-22 Thread thierry bordaz via FreeIPA-users
Hi Morgan, Sure. The most immediate and safest action is to do

dn: cn=config
changetype: modify
replace: nsslapd-ignore-time-skew
nsslapd-ignore-time-skew: on

On all servers in the topology (no need to restart). Then monitor if replication is catching up. Okay NTP issues is likely the RC

[Freeipa-users] Re: Replication issue with CSN generator

2020-04-22 Thread Morgan Marodin via FreeIPA-users
Hi. I don't have access to RedHat portal :( Are there similar articles in a public forum? Anyway ... could I stop ipa-server, change the value of *nsslapd-ignore-time-skew* in */etc/dirsrv/slapd-IPA-MYDOMAIN-COM/dse.ldif* and start the server again? Or is it more complicated to change the configur

[Freeipa-users] Re: Ansible tasks for certprofiles and ca-acls

2020-04-22 Thread Rafael Jeffman via FreeIPA-users
Hi Philipp, You might not want to use wildcard certificates (https://tools.ietf.org/html/rfc6125#section-7.2). I don't know of any module that can directly manage certprofiles and ca-acls using Ansible and FreeIPA. It is not the best solution, but you might use `command` and follow the Howto/Wil

[Freeipa-users] Re: Replication issue with CSN generator

2020-04-22 Thread thierry bordaz via FreeIPA-users
Hi, CSN generator time skew is a pending issue still under investigation. At the moment the way your CSN generator is messed up does not look fatal. You can allow replication to continue with the setting of nsslapd-ignore-time-skew on all servers. (https://access.redhat.com/solutions/1162703) I