Use kerberos or grab credentials from a configuration file? 20:34, September 12, 2023, "Super Tony via FreeIPA-users": Hi, I have an app that determines user access level by querying the IDM server for user group membership. I have been using anonymous bind, but that means I had to relax the ACI to
Have you checked connectivity from the enrolled host to TCP port 53 on the IPA server. 08:33, September 9, 2023, "dweller dweller via FreeIPA-users": Hello everyone. I need some insight on a particular issue. Is it true that the command 'ipa-client-install'
Is it possible you are missing NS/A records for your IPA servers in the new zone? 01:45, August 2, 2023, "Alan Latteri via FreeIPA-users": Sorry, I posted the domain names wrong, but the problem still stands. If I setup FreeIPA with hostname ipaserver.ipa.1017.abc, in domain ipa.1017.abc and realm
Hi
Is there any good reason why you are trying to do this? Why would you need to
join a host to the domain through a proxy? I can assure you that you can
reliably use the web UI and LDAP services through a proxy, but why would you
need anything else?
I can confirm that today, I traveled through the same problem, and fixed it the
same way you did, no other solution worked for me. I'm running IPA 4.9.6 on
Rocky Linux 8.5. I have no very big groups, the biggest around 300 users. I think
maybe there's still an unsolved problem a year later. I hope
Hi Thierry,
I commented on the issue and posted the link to the script I made on GitHub.
Thanks
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora
Hi,
Finally, I made a bash script that:
1. Receives as arguments a 'base' and a 'filter' (like the fix-up task)
2. Searches for incomplete entries (no entryUUID attribute)
3. Patches dirsrv schema (99user.ldif) to make entryUUID attribute mutable
(Removes NO-USER-MODIFICATION)
4. Restarts dirsrv
Hi Thierry,
Here it goes...
ldapsearch -LLL -o ldif-wrap=no -h localhost -x \
-D "cn=Directory Manager" -w "..." \
-b "cn=users,cn=accounts,dc=..." \
'(uid=user1)' nscpentrywsi
nscpentrywsi: cn;vucsn-5d77decd0004: Test User 1
nscpentrywsi:
Hi Thierry,
Do you want the output of:
ldapsearch -LLL -h localhost -x -D "cn=Directory Manager" -w "..." \
-b "cn=users,cn=accounts,dc=..." '(uid=user1)' '*'
Or are you talking about something else?
Thanks
Hi Thierry,
Manually creating the task makes it run, but not with the expected result:
DATE_NOW="$(date +%s)"
ldapmodify -h localhost -D "cn=Directory Manager" -w "..." -a < fixup
failed -> uid=user1,cn=users,cn=accounts,dc=... Operation
[...] - INFO - plugins/entryuuid/src/lib.rs:182 -
Hi,
Thanks for the tip.
Any workaround in the mean time?
I couldn't find one.
Thanks
Hi,
I realized that only users created after a certain date have an entryUUID
attribute, so query results are not confusing anymore, and as I can see it now,
in the process of hiding private information, my first post is somehow
misleading. Sorry about that.
From the dnf logs on my system, I can
Hi,
That setting was already set to 'off'
# dsconf localhost config get nsslapd-ignore-virtual-attrs
nsslapd-ignore-virtual-attrs: off
# dsconf localhost config replace nsslapd-ignore-virtual-attrs=on
Successfully replaced "nsslapd-ignore-virtual-attrs"
# dsconf localhost config get
This is the version installed:
389-ds-base-1.4.3.23-12.module+el8.5.0+722+e2a0b219.x86_64
Thanks
Hi there.
I'm using the latest FreeIPA available on Rocky Linux 8.5
VERSION: 4.9.6, API_VERSION: 2.245
When I run the following LDAP query:
ldapsearch -H "ldap://idm-host:389" -x -s sub \
-D "cn=Directory Manager" -w "dm-password" \
-b "cn=users,cn=accounts,dc=..." \
Ok. I'll finish some work I'm involved with right now and I'll be back. Thanks Rob. 10:59, March 5, 2019, "Rob Crittenden via FreeIPA-users": Edward Valley via FreeIPA-users wrote: So that's the way to go. Let me read some code and I'll be back with a proposal. Is that ok or sho
ing plugin, you'd just want to do a lot of due diligence about memory handling, variable re-use, etc (coverity and clang can be very helpful). rob 10:58, March 4, 2019, "Rob Crittenden via FreeIPA-users" <freeipa-users@lists.fedorahosted.org>: Edward Valley via FreeIPA-users wr
You're right about that too. I think squid has that covered. Actually, it's a transition solution until I'm able to fully deploy kerberos. 10:46, March 4, 2019, Rob Crittenden: Alexander Bokovoy wrote: On ma, 04 maalis 2019, Edward Valley via FreeIPA-users wrote: Thanks for your answer. Doing
architecture. 10:58, March 4, 2019, "Rob Crittenden via FreeIPA-users": Edward Valley via FreeIPA-users wrote: You're right, that's one of the options I've considered and tested, but going that way I need to setup several things, use a PAC file in order to Firefox and Chrome to work, take in
have the required hashes and the automated way for generating it every time users change their passwords. Thank you very much for your time. 09:48, March 4, 2019, "Alexander Bokovoy via FreeIPA-users": On ma, 04 maalis 2019, Edward Valley via FreeIPA-users wrote: Thanks for your ans
Thanks for your answer. Doing it the way you propose, squid uses basic authentication, which exposes user names and passwords in the network because of the simple base64 encoding. 09:26, March 4, 2019, "Alexander Bokovoy via FreeIPA-users": On ma, 04 maalis 2019, Edward Valley via Fre
:27 PM Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: Edward Valley via FreeIPA-users wrote: > Hello there. I'm trying to setup squid proxy to use FreeIPA as LDAP > backend for user authentication. Everything works fine while using basic > authenticatio
change their passwords. Thanks again. Ed. 08:26, March 4, 2019, "Rob Crittenden via FreeIPA-users" <freeipa-users@lists.fedorahosted.org>: Edward Valley via FreeIPA-users wrote: Hello there. I'm trying to setup squid proxy to use FreeIPA as LDAP backend for user authentication. Every
Hello there. I'm trying to setup squid proxy to use FreeIPA as LDAP backend for user authentication. Everything works fine while using basic authentication. In order to use digest authentication I need users to have a specific password storage scheme (MD5 of user:realm:password combination). Can
24 matches