[Freeipa-users] FreeIPA - Replica - Install

2021-09-09 Thread Mathias Rumbold via FreeIPA-users
Hello Community! I am trying to add a new Fedora 34 server as secondary master. The idm01 is still Fedora 33 but versions are the same as I can see. The issue I am hitting is by installing the replication (Client works fine). Configuring the web interface (httpd) [1/21]: stopping httpd [2/2

[Freeipa-users] Re: FreeIPA - Replica - Install

2021-09-09 Thread François Cami via FreeIPA-users
Hi, I think this is related to the DS versions being different in f33 and f34. f33 has 389-ds-base-1.4 and f34 has 2.0.x. It sounds like: https://github.com/389ds/389-ds-base/issues/4498#issuecomment-744335466 Could you post the exact versions of DS you are using? Thank you, François On Thu, S

[Freeipa-users] Re: FreeIPA - Replica - Install

2021-09-09 Thread Mark Reynolds via FreeIPA-users
Yes this was a problem.  Schema replication was failing because version of the entryuuid plugin added a new syntax plugin, which can not be replicated.  So it broke replication and would lead to errors like this. The minimum version of 389-ds-base-2.x you need is:     389-ds-base-2.0.8 This ve

[Freeipa-users] Re: domain attribute

2021-09-09 Thread Rob Crittenden via FreeIPA-users
Ciro Iriarte wrote: > On Tue, 31 Aug 2021 at 18:32, Rob Crittenden > () wrote: >> >> Ciro Iriarte via FreeIPA-users wrote: >>> >>> >>> On Tue, Aug 31, 2021, 15:01 Ciro Iriarte >> > wrote: >>> >>> >>> >>> On Tue, Aug 31, 2021, 14:11 Rob Crittenden >>

[Freeipa-users] Waiting for CA subsystem to start (round 2)

2021-09-09 Thread MERCIER Jonathan via FreeIPA-users
Dear, with my best effort I am unable to deploy freeipa on RockyLinux. I would like to know if someone has already tried it? So below you will find commands run from a fresh RockyLinux VM (4Gb ram) --- sed -i -e '/identity\.infra\.microbiome\.studio/d' -e '1i 51.15.228.43 ide

[Freeipa-users] Add second SSL to host

2021-09-09 Thread Per Qvindesland via FreeIPA-users
Hi  I am using the IPA server as the CA for our Apache SSL's, but I am wondering if it's possible to have  a second SSL that's not the same as the hostname, meaning I have already sub1.mydomain.com but I would like to add also sub2.mydomain.com for another site, is this possible? I have tri

[Freeipa-users] Re: Add second SSL to host

2021-09-09 Thread Rob Crittenden via FreeIPA-users
Per Qvindesland via FreeIPA-users wrote: > Hi  > > I am using the IPA server as the CA for our Apache SSL's, but I am > wondering if it's possible to have  a second SSL that's not the same as > the hostname, meaning I have already sub1.mydomain.com but I would like > to add also sub2.mydomain.com

[Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)

2021-09-09 Thread Rob Crittenden via FreeIPA-users
Jeremy Tourville via FreeIPA-users wrote: > /var/lib/ipa/certs/httpd.crt > looks valid and has a 3 year validity date starting from Nov 23, 2020 > > /etc/ipa/ca.crt > looks valid and has a 20 year validity date starting from Nov 23, 2020 It isn't complaining that the certificate isn't valid, it's

[Freeipa-users] Re: FreeIPA - Replica - Install

2021-09-09 Thread Mathias Rumbold via FreeIPA-users
Hello! thanks for the info. I updated my servers yesterday, so they are all on Fedora 34 and it works perfectly now. The solution was really just updating the systems from Fedora 33 to 34, all without issues. Thank you for the help! Yours, Mathias

[Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)

2021-09-09 Thread Jeremy Tourville via FreeIPA-users
>>>It isn't complaining that the certificate isn't valid, it's complaining that >>>it isn't trusted. Thanks for pointing out my mistake. I'm wearing some egg on my face. I was thinking about it wrong at the time of my reply. I attempted to verify trust- [root@utility ipa]# openssl verify -ver

[Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)

2021-09-09 Thread Jeremy Tourville via FreeIPA-users
Oh wait!!! Which set of certs do I need to test against for my certificate chain? I realized I didn't include the proper path when testing. It should be something like- # openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt # openssl verify -verbose -show_chain -CAfile /var/lib/ipa/ce

[Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)

2021-09-09 Thread Jeremy Tourville via FreeIPA-users
Now I understand how to test the cert(s) after re-reading your comments Rob and Flo 🙂 [root@utility certs]# openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt /var/lib/ipa/certs/httpd.crt /var/lib/ipa/certs/httpd.crt: OK Chain: depth=0: O = IDM.NAC-ISSA.ORG, CN = utility.idm.nac-issa.or

[Freeipa-users] Re: Upgrade FreeIPA cluster from v4.6 (el7) to v4.9 (el8)

2021-09-09 Thread Mikhail Kiselev via FreeIPA-users
Log dirsrv on master https://pastebin.com/hqSrNZQ7 Log dirsrv on new replica https://pastebin.com/cpzC2pji

[Freeipa-users] Re: Upgrade FreeIPA cluster from v4.6 (el7) to v4.9 (el8)

2021-09-09 Thread Florence Renaud via FreeIPA-users
Hi, Which version of 389-ds is installed on the replica? I think you're hitting https://github.com/389ds/389-ds-base/issues/4872 The problem happens because the new replica has a schema definition for entryUUID with a new syntax. When it gets installed, the schema should get replicated to the orig

[Freeipa-users] Re: Upgrade FreeIPA cluster from v4.6 (el7) to v4.9 (el8)

2021-09-09 Thread Mikhail Kiselev via FreeIPA-users
I'll installed soft: [code] [root@ipael8 ~]# dnf list 389* Last metadata expiration check: 0:16:59 ago on Пт 10 сен 2021 13:26:14. Installed Packages 389-ds-base.x86_64 1.4.3.23-7.module_el8.5.0+889+90e0384f

[Freeipa-users] Re: Upgrade FreeIPA cluster from v4.6 (el7) to v4.9 (el8)

2021-09-09 Thread Florence Renaud via FreeIPA-users
Hi, the fix is included in 389-ds-base 1.4.3.23-8. flo On Fri, Sep 10, 2021 at 8:46 AM Mikhail Kiselev via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > I'll installed soft: > [code] > [root@ipael8 ~]# dnf list 389* > Last metadata expiration check: 0:16:59 ago on Пт 10 сен 2021