[Freeipa-users] Re: pki-tomcat fails to start after I update CA for dirsrv and httpd.

2020-06-18 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/18/20 6:06 AM, luckydog xf via FreeIPA-users wrote: [root@wocfreeipa ~]# export LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/alias   [root@wocfreeipa ~]# [root@wocfreeipa ~]# export LDAPTLS_CERT='subsystemCert cert-pki-ca' [root@wocfreeipa ~]#  grep internal /etc/pki/pki-tomcat/password.conf in

[Freeipa-users] Re: pki-tomcat fails to start after I update CA for dirsrv and httpd.

2020-06-18 Thread luckydog xf via FreeIPA-users
Got it, thanks! I added the CA certs of Sectigo one by one to /etc/pki/pki-tomcat/alias/, and now it works. Another thing, please confirm whether my statement below is correct or not --- I changed Server-Cert to Sectigo's signed one (NOT self-signed), so when dog-tag tries to connect to 389 DS, it would check 3

[Freeipa-users] Re: pki-tomcat fails to start after I update CA for dirsrv and httpd.

2020-06-18 Thread luckydog xf via FreeIPA-users
One more question. In this thread ( https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/) you mentioned that subsystemCert cert-pki-ca would map to pkidbuser. So the process is that dog-tag uses cert-pki-ca to establish a connection to 389 DS, and 389 D

[Freeipa-users] Re: Better way to upgrade IPAServer4.6.4 to 4.6.5 + OS 7.6 to 7.7?

2020-06-18 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/12/20 2:52 PM, Karim Bourenane wrote: Hello Florence, All After your recommendation: yum update ipactl start (start will start ipa-server-upgrade too) In attachment the ipaupgrade.log file I hope the file will be taken by the website. Hi, can you check the content of the /etc/ipa/d

[Freeipa-users] Re: pki-tomcat fails to start after I update CA for dirsrv and httpd.

2020-06-18 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/18/20 10:37 AM, luckydog xf via FreeIPA-users wrote: One more question. In this thread (https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/) you mentioned that subsystemCert cert-pki-ca would map to pkidbuser. So the process is that dog-tag us

[Freeipa-users] Re: pki-tomcat fails to start after I update CA for dirsrv and httpd.

2020-06-18 Thread luckydog xf via FreeIPA-users
Thanks a lot, flo, you're an expert in Dog-tag and freeIPA. Have a good day. :) On Thu, Jun 18, 2020 at 4:52 PM Florence Blanc-Renaud wrote: > On 6/18/20 10:37 AM, luckydog xf via FreeIPA-users wrote: > > One more question. > > > > In this thread > > ( > https://floblanc.wordpress.com/2017/0

[Freeipa-users] Re: Better way to upgrade IPAServer4.6.4 to 4.6.5 + OS 7.6 to 7.7?

2020-06-18 Thread Karim Bourenane via FreeIPA-users
Hello Florence, All Yes, the mode in my /etc/ipa/default.conf = developement I wanted POC's validation upgrade. That means I must tag "mode = production" temporarily before upgrading in my LAB? I updated the default.conf file with "mode = production", and the update is very well done.

[Freeipa-users] Re: Secondary groups intermittently missing from id/groups lookups

2020-06-18 Thread Alfred Victor via FreeIPA-users
We have had another look and still cannot find any logical reason the group memberships aren't reaching id/groups/sssd. The ldapsearch provided and ipa user-show work fine but nothing else. It is also a somewhat random issue, and will randomly return x number of secondary groups by id/groups comman

[Freeipa-users] Re: Secondary groups intermittently missing from id/groups lookups

2020-06-18 Thread Sumit Bose via FreeIPA-users
On Thu, Jun 18, 2020 at 09:43:09AM -0500, Alfred Victor wrote: > We have had another look and still cannot find any logical reason the group > memberships aren't reaching id/groups/sssd. The ldapsearch provided and ipa > user-show work fine but nothing else. It is also a somewhat random issue, > an

[Freeipa-users] Re: Secondary groups intermittently missing from id/groups lookups

2020-06-18 Thread Alfred Victor via FreeIPA-users
Hi Sumit, [redacted@NODE-1-2 ~]$ ipa permission-show 'System: Read User Membership' Permission name: System: Read User Membership Granted rights: read, compare, search Excluded attributes: memberof Default attributes: memberof Bind rule type: all Subtree: cn=users,cn=accounts,dc=

[Freeipa-users] Re: Secondary groups intermittently missing from id/groups lookups

2020-06-18 Thread Sumit Bose via FreeIPA-users
On Thu, Jun 18, 2020 at 10:25:43AM -0500, Alfred Victor wrote: > Hi Sumit, > > [redacted@NODE-1-2 ~]$ ipa permission-show 'System: Read User Membership' > > Permission name: System: Read User Membership > > Granted rights: read, compare, search > > Excluded attributes: memberof Hi, are

[Freeipa-users] Re: Secondary groups intermittently missing from id/groups lookups

2020-06-18 Thread Alfred Victor via FreeIPA-users
Hi Sumit, That's correct, it is a copy/paste. Alfred On Thu, Jun 18, 2020 at 10:51 AM Sumit Bose wrote: > On Thu, Jun 18, 2020 at 10:25:43AM -0500, Alfred Victor wrote: > > Hi Sumit, > > > > [redacted@NODE-1-2 ~]$ ipa permission-show 'System: Read User > Membership' > > > > Permission name:

[Freeipa-users] ipa-replica-install fails

2020-06-18 Thread Orion Poplawski via FreeIPA-users
I'm trying to run ipa-replica-install on a non-IPA joined CentOS 8.2 system: ipa-replica-install --principal admin --admin-password='SECRET' Configuring client side components This program will set up IPA client. Version 4.8.4 Using existing certificate '/etc/ipa/ca.crt'. Skip SERVER1: cannot verif

[Freeipa-users] Re: ipa-replica-install fails

2020-06-18 Thread Rob Crittenden via FreeIPA-users
Orion Poplawski via FreeIPA-users wrote: > I'm trying to run ipa-replica-install on a non-IPA joined CentOS 8.2 system: > > ipa-replica-install --principal admin --admin-password='SECRET' > > Configuring client side components > This program will set up IPA client. > Version 4.8.4 > > Using existin

[Freeipa-users] Re: cipher support and nsSSL3Ciphers: +all

2020-06-18 Thread Chris Herdt via FreeIPA-users
On Wed, Jun 17, 2020 at 8:52 AM Mark Reynolds wrote: > > On 6/16/20 6:07 PM, Chris Herdt via FreeIPA-users wrote: > > > > On Tue, Jun 16, 2020 at 12:58 PM Chris Herdt wrote: > >> I have an appliance that I want to use with our FreeIPA-provided LDAP >> servers. The appliance only supports the fol