[Freeipa-users] Re: Anonymous vs authenticated LDAP queries to IDM

2023-09-13 Thread Edward Valley via FreeIPA-users
Use kerberos or grab credentials from a configuration file? 20:34, September 12, 2023, "Super Tony via FreeIPA-users": Hi, I have an app that determines user access level by querying the IDM server for user group membership. I have been using anonymous bind, but that means I had to relax the ACI to

[Freeipa-users] Re: A-record creation in during ipa-client-install

2023-09-11 Thread Edward Valley via FreeIPA-users
Have you checked connectivity from the enrolled host to TCP port 53 on the IPA server? 08:33, September 9, 2023, "dweller dweller via FreeIPA-users": Hello everyone. I need some insight on a particular issue. Is it true that the command 'ipa-client-install'

[Freeipa-users] Re: ipaserver.ipa.1017.abc can not serve DNS for 1017.abc

2023-08-02 Thread Edward Valley via FreeIPA-users
Is it possible you are missing NS/A records for your IPA servers in the new zone? 01:45, August 2, 2023, "Alan Latteri via FreeIPA-users": Sorry, I posted the domain names wrong, but the problem still stands. If I setup FreeIPA with hostname ipaserver.ipa.1017.abc, in domain ipa.1017.abc and realm

[Freeipa-users] Re: Help with ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure in attempt to loadbalance

2023-07-30 Thread Edward Valley via FreeIPA-users
Hi Is there any good reason why you are trying to do this? Why would you need to join a host to the domain through a proxy? I can ensure you that you can reliably use the web UI and LDAP services through a proxy, but why would you need anything else?

[Freeipa-users] Re: Broken ipa replica

2022-05-08 Thread Edward Valley via FreeIPA-users
I can confirm that today, I traveled through the same problem, and fixed it the same way you did, no other solution worked for me. I'm running IPA 4.9.6 on Rocky Linux 8.5. I have no so big groups, the bigger around 300 users. I think maybe there's still an unsolved problem a year later. I hope

[Freeipa-users] Re: Need help with confusing query results

2022-02-09 Thread Edward Valley via FreeIPA-users
Hi Thierry, I commented on the issue and posted the link to the script I made on GitHub. Thanks ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora

[Freeipa-users] Re: Need help with confusing query results

2022-02-08 Thread Edward Valley via FreeIPA-users
Hi, Finally, I made a bash script that: 1. Receives as arguments a 'base' and a 'filter' (like the fix-up task) 2. Search for incomplete entries (no entryUUID attribute) 3. Patch dirsrv schema (99user.ldif) to make entryUUID attribute mutable (Removes NO-USER-MODIFICATION) 4. Restarts dirsrv

[Freeipa-users] Re: Need help with confusing query results

2022-02-01 Thread Edward Valley via FreeIPA-users
Hi Thierry, Here it go... ldapsearch -LLL -o ldif-wrap=no -h localhost -x \ -D "cn=Directory Manager" -w "..." \ -b "cn=users,cn=accounts,dc=..." \ '(uid=user1)' nscpentrywsi nscpentrywsi: cn;vucsn-5d77decd0004: Test User 1 nscpentrywsi:

[Freeipa-users] Re: Need help with confusing query results

2022-01-31 Thread Edward Valley via FreeIPA-users
Hi Thierry, Do you want the output of: ldapsearch -LLL -h localhost -x -D "cn=Directory Manager" -w "..." \ -b "cn=users,cn=accounts,dc=..." '(uid=user1)' '*' Or are you talking about something else? Thanks

[Freeipa-users] Re: Need help with confusing query results

2022-01-29 Thread Edward Valley via FreeIPA-users
Hi Thierry, Manually creating the task makes it run, but not with the expected result: DATE_NOW="$(date +%s)" ldapmodify -h localhost -D "cn=Directory Manager" -w "..." -a < fixup failed -> uid=user1,cn=users,cn=accounts,dc=... Operation [...] - INFO - plugins/entryuuid/src/lib.rs:182 -

[Freeipa-users] Re: Need help with confusing query results

2022-01-28 Thread Edward Valley via FreeIPA-users
Hi, Thanks for the tip. Any workaround in the mean time? I couldn't find one. Thanks

[Freeipa-users] Re: Need help with confusing query results

2022-01-26 Thread Edward Valley via FreeIPA-users
Hi, I realized that only users created after a certain date have an entryUUID attribute, so query results are not confusing anymore, and as I can see it now, in the process of hiding private information, my first post is somehow misleading. Sorry about that. From the dnf logs on my system, I can

[Freeipa-users] Re: Need help with confusing query results

2022-01-25 Thread Edward Valley via FreeIPA-users
Hi, That setting was already set to 'off' # dsconf localhost config get nsslapd-ignore-virtual-attrs nsslapd-ignore-virtual-attrs: off # dsconf localhost config replace nsslapd-ignore-virtual-attrs=on Successfully replaced "nsslapd-ignore-virtual-attrs" # dsconf localhost config get

[Freeipa-users] Re: Need help with confusing query results

2022-01-24 Thread Edward Valley via FreeIPA-users
This is the version installed: 389-ds-base-1.4.3.23-12.module+el8.5.0+722+e2a0b219.x86_64 Thanks

[Freeipa-users] Need help with confusing query results

2022-01-22 Thread Edward Valley via FreeIPA-users
Hi there. I'm using latest FreeIPA available on Rocky Linux 8.5 VERSION: 4.9.6, API_VERSION: 2.245 When I run the following LDAP query: ldapsearch -H "ldap://idm-host:389" -x -s sub \ -D "cn=Directory Manager" -w "dm-password" \ -b "cn=users,cn=accounts,dc=..." \

[Freeipa-users] Re: Squid proxy digest authentication

2019-03-06 Thread Edward Valley via FreeIPA-users
Ok. I'll finish some work I'm involved with right now and I'll be back. Thanks Rob. 10:59, March 5, 2019, "Rob Crittenden via FreeIPA-users": Edward Valley via FreeIPA-users wrote: So that's the way to go. Let me read some code and I'll be back with a proposal. Is that ok or sho

[Freeipa-users] Re: Squid proxy digest authentication

2019-03-04 Thread Edward Valley via FreeIPA-users
ing plugin, you'd just want to do a lot of due diligence about memory handling, variable re-use, etc (coverity and clang can be very helpful). rob 10:58, March 4, 2019, "Rob Crittenden via FreeIPA-users" <freeipa-users@lists.fedorahosted.org>: Edward Valley via FreeIPA-users wr

[Freeipa-users] Re: Squid proxy digest authentication

2019-03-04 Thread Edward Valley via FreeIPA-users
You're right about that too. I think squid has that covered. Actually, it's a transition solution until I'm able to fully deploy kerberos. 10:46, March 4, 2019, Rob Crittenden: Alexander Bokovoy wrote: On ma, 04 maalis 2019, Edward Valley via FreeIPA-users wrote: Thanks for your answer. Doing

[Freeipa-users] Re: Squid proxy digest authentication

2019-03-04 Thread Edward Valley via FreeIPA-users
architecture. 10:58, March 4, 2019, "Rob Crittenden via FreeIPA-users": Edward Valley via FreeIPA-users wrote: You're right, that's one of the options I've considered and tested, but going that way I need to setup several things, use a PAC file in order to Firefox and Chrome to work, take in

[Freeipa-users] Re: Squid proxy digest authentication

2019-03-04 Thread Edward Valley via FreeIPA-users
have the required hashes and the automated way for generating it every time users change their passwords. Thank you very much for your time. 09:48, March 4, 2019, "Alexander Bokovoy via FreeIPA-users": On ma, 04 maalis 2019, Edward Valley via FreeIPA-users wrote: Thanks for your ans

[Freeipa-users] Re: Squid proxy digest authentication

2019-03-04 Thread Edward Valley via FreeIPA-users
Thanks for your answer. Doing it the way you propose, squid uses basic authentication, which exposes user names and passwords in the network because of the simple base64 encoding. 09:26, March 4, 2019, "Alexander Bokovoy via FreeIPA-users": On ma, 04 maalis 2019, Edward Valley via Fre

[Freeipa-users] Re: Squid proxy digest authentication

2019-03-04 Thread Edward Valley via FreeIPA-users
:27 PM Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: Edward Valley via FreeIPA-users wrote: > Hello there. I'm trying to setup squid proxy to use FreeIPA as LDAP > backend for user authentication. Everything works fine while using basic > authenticatio

[Freeipa-users] Re: Squid proxy digest authentication

2019-03-04 Thread Edward Valley via FreeIPA-users
change their passwords. Thanks again. Ed. 08:26, March 4, 2019, "Rob Crittenden via FreeIPA-users" <freeipa-users@lists.fedorahosted.org>: Edward Valley via FreeIPA-users wrote: Hello there. I'm trying to setup squid proxy to use FreeIPA as LDAP backend for user authentication. Every

[Freeipa-users] Squid proxy digest authentication

2019-03-03 Thread Edward Valley via FreeIPA-users
Hello there. I'm trying to setup squid proxy to use FreeIPA as LDAP backend for user authentication. Everything works fine while using basic authentication. In order to use digest authentication I need users to have a specific password storage scheme (MD5 of user:realm:password combination). Can