[Freeipa-users] ipa trust-add Fails

2021-12-07 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
ipa-client.x86_64 4.9.6-6.module+el8.5.0+12660+88e16a2c @rhel-8-for-x86_64-appstream-rpms ipa-client-common.noarch 4.9.6-6.module+el8.5.0+12660+88e16a2c @rhel-8-for-x86_64-appstream-rpms ipa-common.noarch

[Freeipa-users] Re: [EXTERNAL] FreeIPA Enterprise or Paid Support

2021-03-10 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
This would be Red Hat Enterprise Linux Identity Manager __ Daniel E. White daniel.e.wh...@nasa.gov NASCOM Linux Engineer NASA Goddard Space Flight Center Science

[Freeipa-users] Re: [EXTERNAL] Separate Topic -- FreeIPA and RADIUS

2021-02-22 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Thanks for sharing. __ Daniel E. White daniel.e.wh...@nasa.gov NASCOM Linux Engineer NASA Goddard Space Flight Center Science Applications International Corporation (SAIC)

[Freeipa-users] Re: [EXTERNAL] Separate Topic -- FreeIPA and RADIUS

2021-02-19 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Mariusz, I do not want to hijack your thread, so I am starting another. I would be very interested to know your FreeIPA/RADIUS configuration. __ Daniel E. White

[Freeipa-users] Re: [EXTERNAL] Re: Can an IPA user be member of a local group

2021-01-27 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Please excuse a possible thread hijack Is this (IPA)global or can it be done on select hosts ? __ Daniel E. White daniel.e.wh...@nasa.gov NASCOM Linux Engineer NASA

[Freeipa-users] Re: [EXTERNAL] Re: Questions about DNS client names in a FreeIPA / Active Directory trust

2021-01-26 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote: OK, I know that the AD-DC and the IDM servers need matching Kerberos realm and DNS domain names Let's say AD.FOO.BAR.URP / IDM.FOO.BAR.URP for Kerberos and ad.foo.bar.urp / idm.foo.bar.urp for DNS I am using 4 labels to parallel

[Freeipa-users] Questions about DNS client names in a FreeIPA / Active Directory trust

2021-01-26 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
OK, I know that the AD-DC and the IDM servers need matching Kerberos realm and DNS domain names Let's say AD.FOO.BAR.URP / IDM.FOO.BAR.URP for Kerberos and ad.foo.bar.urp / idm.foo.bar.urp for DNS I am using 4 labels to parallel the environment for which this is intended. The DNS domain for

[Freeipa-users] Looking for current Python API information

2020-07-10 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Most seems to be before Python 2's EOL including https://www.freeipa.org/page/API_Examples This one seems current: https://github.com/opennode/python-freeipa https://python-freeipa.readthedocs.io/en/latest/ Anyone recommend it or one better ?

[Freeipa-users] Re: [EXTERNAL] Re: It ain't easy to dig a user's last login time info out of IdM/FreeIPA

2020-07-10 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Thanks, Russel, I missed that, but you have to do it in a "for each user" loop. The single ldapquery would be easier. __ Daniel E. White mailto:daniel.e.wh...@nasa.gov NICS Linux Engineer NASA Goddard

[Freeipa-users] It ain't easy to dig a user's last login time info out of IdM/FreeIPA

2020-07-10 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
I want to get createtimestamp, krbLastSuccessfulAuth, and krbLastPwdChange for all active users The "ipa user-find" or "ipa user-show" commands only give krbLastPwdChange and failed login count/date The "ipa user-status" command shows "Last successful authentication", but it has to be run

[Freeipa-users] Re: [EXTERNAL] Re: Re: Password Policy Question

2020-07-09 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Rob Crittenden wrote: >White, Daniel E. (GSFC-770.0)[NICS] wrote: >> For your amusement: >> >> Red Hat Support referred me to >> >> >

[Freeipa-users] Re: [EXTERNAL] Re: Re: Password Policy Question

2020-07-08 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Question On Mon, Jul 6, 2020 at 10:12 PM Rob Crittenden via FreeIPA-users <mailto:freeipa-users@lists.fedorahosted.org> wrote: White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote: > Are there settings in FreeIPA similar to the setting available from the > chage command ? I

[Freeipa-users] Re: [EXTERNAL] Re: Re: Password Policy Question

2020-07-06 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Merci, François (I remember that much high school French) __ Daniel E. White daniel.e.wh...@nasa.gov NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road

[Freeipa-users] Re: [EXTERNAL] Re: Password Policy Question

2020-07-06 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
enbelt Road Building 14, Room E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290 From: Rob Crittenden Date: Monday, July 6, 2020 at 16:12 To: FreeIPA Cc: Daniel White Subject: [EXTERNAL] Re: [Freeipa-users] Password Policy Question White, Daniel E. (GSFC-770.0)[NICS] via F

[Freeipa-users] Password Policy Question

2020-07-06 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Are there settings in FreeIPA similar to the setting available from the chage command ? I am specifically looking for a setting for the time after a password expires to allow the user to update it. I am looking for the same "grace period" that the non-IPA shell password has. From the change

[Freeipa-users] Re: [EXTERNAL] Re: Add "Puppet Enterprise" to the list of things that do not actively support FreeIPA

2020-03-13 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
ate: Friday, March 13, 2020 at 10:43 To: FreeIPA Cc: Louis Abel , Daniel White Subject: Re: [Freeipa-users] Re: [EXTERNAL] Re: Add "Puppet Enterprise" to the list of things that do not actively support FreeIPA White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote: Thanks for respond

[Freeipa-users] Re: [EXTERNAL] Re: Add "Puppet Enterprise" to the list of things that do not actively support FreeIPA

2020-03-13 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Thanks for responding, Louis. Sadly, I did all that and got a bunch of queries looking for objectClass ipaNTTrustedDomain and other ipaNT* objectClasses I have opened a feature request with Puppet for FreeIPA support. https://tickets.puppetlabs.com/browse/ENTERPRISE-1323

[Freeipa-users] Add "Puppet Enterprise" to the list of things that do not actively support FreeIPA

2020-03-11 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Sad. https://puppet.com/docs/pe/2019.2/rbac_ldap_intro.html#connect_to_an_external_directory_service It has Example Active Directory settings and Example OpenLDAP settings I tried using the OpenLDAP side, but the queries I see in the access logs are looking for objectClasses like

[Freeipa-users] Re: So, I think I found a bug - Debian 10 ipa-client-install does not configure /etc/pam.d files properly (if at all)

2020-03-05 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Many thanks, Sam. That was exactly the problem. Now that I knew what to look for, I found it in the ipa-client-install output. It says "Local modifications to /etc/pam.d/common-*, not updating. Run pam-auth-update --force to override."

[Freeipa-users] A Shameless Plea for FreeIPA Community Support - "RSA should support FreeIPA / Red Hat Identity Manager as an Identity Source"

2020-03-04 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
The end result (just today) for a support ticket opened on 10 Feb was the "suggestion" I create an "IDEA" in the RSA community. "Ideas on RSA Link provide a mechanism for requesting enhancements, per product, in one definitive area, and encourage registered RSA Link users to tap into the power

[Freeipa-users] SOLVED !! - A Debian Head-Scratcher

2020-03-03 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
I found an answer - on a CACHED web page. The original link says, " This question was removed from Unix & Linux Stack Exchange for reasons of moderation." Here's the cached link:

[Freeipa-users] Re: A Debian Head-Scratcher

2020-03-03 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
From: Jochen Kellner Date: Tuesday, March 3, 2020 at 11:06 To: FreeIPA Cc: Rob Crittenden , Daniel White Subject: [EXTERNAL] Re: [Freeipa-users] Re: A Debian Head-Scratcher "White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users" <mailto:freeipa-users@lists.fedorahosted.org>

[Freeipa-users] Re: A Debian Head-Scratcher

2020-03-03 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
reenbelt Road Building 14, Room E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290 From: Rob Crittenden Date: Tuesday, March 3, 2020 at 08:10 To: FreeIPA Cc: Daniel White Subject: [EXTERNAL] Re: [Freeipa-users] A Debian Head-Scratcher White, Daniel E. (GSFC-770.0)[NICS] via

[Freeipa-users] A Debian Head-Scratcher

2020-03-03 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Server: RHEL 7 IdM, ipa-server-4.6.5-11.el7_7.4.x86_64 Client: Debian 10, freeipa-client 4.7.2-3 amd64 Is this version difference a show stopper ? It sorta-kinda-mostly works. I created a test user to test the HBAC rules, and I cannot ssh into this Debian server as this test user. I can ssh

[Freeipa-users] Is this still viable ? HowTo/vsphere5 integration

2020-02-28 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
https://www.freeipa.org/page/HowTo/vsphere5_integration It describes modification of the LDAP tree __ Daniel E. White daniel.e.wh...@nasa.gov NICS Linux Engineer NASA

[Freeipa-users] Re: [EXTERNAL] Re: Looking for an update to "Setting up MediaWiki to run against FreeIPA"

2020-02-18 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
86-6919 Mobile: (240) 513-5290 From: Rob Crittenden Date: Tuesday, February 18, 2020 at 12:04 To: FreeIPA users list Cc: Daniel White Subject: [EXTERNAL] Re: [Freeipa-users] Looking for an update to "Setting up MediaWiki to run against FreeIPA" White, Daniel E. (GSFC-770.0)[

[Freeipa-users] Looking for an update to "Setting up MediaWiki to run against FreeIPA"

2020-02-18 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Please ? https://www.freeipa.org/page/Setting_up_MediaWiki_to_run_against_FreeIPA It would appear that this page is over 6 years old. The link for the Auth_remoteuser tar-ball does not exist. and the extension installation instructions are obsolete.

[Freeipa-users] Re: Python-ing into FreeIPA - hit a glitch

2020-02-13 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
ubject: [EXTERNAL] Re: [Freeipa-users] Python-ing into FreeIPA - hit a glitch On Thu, 13 Feb 2020, White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote: Alexander, I followed your instructions and ran into a problem. These commands went as described: $ ipa service-add api-requester/`ho

[Freeipa-users] Re: Python-ing into FreeIPA - hit a glitch

2020-02-13 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
.wh...@nasa.gov> NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290 From: "White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users" Reply-To: FreeIPA users list Date: Thurs

[Freeipa-users] Python-ing into FreeIPA - hit a glitch

2020-02-13 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Alexander, I followed your instructions and ran into a problem. These commands went as described: $ ipa service-add api-requester/`hostname` $ ipa service-allow-retrieve-keytab api-requester/`hostname` --users=me $ ipa service-allow-create-keytab api-requester/`hostname` --users=me $

[Freeipa-users] Re: FreeIPA and FreeRadius (or any RADIUS)

2020-02-13 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
--eZ On Wed, Feb 12, 2020, 20:03 White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users mailto:freeipa-users@lists.fedo

[Freeipa-users] Re: [EXTERNAL] Re: FreeIPA and FreeRadius (or any RADIUS)

2020-02-12 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Many thanks. I will let the list know __ Daniel E. White daniel.e.wh...@nasa.gov NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room

[Freeipa-users] Re: [EXTERNAL] Re: FreeIPA and FreeRadius (or any RADIUS)

2020-02-12 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
My use case is RADIUS for network device auth, with IPA doing the underlying authentication. The group information is all the LDAP groups a user belongs to. This is for access control. Our current setup uses an ancient version of RADIUS that runs on an old Solaris 9 Sparc server. It uses the

[Freeipa-users] Re: Is there any documentation for the ipapython library ?

2020-02-12 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Fantastic ! Many thanks. __ Daniel E. White daniel.e.wh...@nasa.gov NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175

[Freeipa-users] FreeIPA and FreeRadius (or any RADIUS)

2020-02-12 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Reference: https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7 What about setting it up so that RADIUS gets credentials and groups from FreeIPA without the OTP ?

[Freeipa-users] Re: Is there any documentation for the ipapython library ?

2020-02-12 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
xander Bokovoy Date: Wednesday, February 12, 2020 at 01:42 To: FreeIPA users list Cc: Daniel White , Rob Crittenden Subject: [EXTERNAL] Re: [Freeipa-users] Re: Is there any documentation for the ipapython library ? On Tue, 11 Feb 2020, Rob Crittenden via FreeIPA-users wrote: White, Daniel E. (GSFC

[Freeipa-users] Re: Is there any documentation for the ipapython library ?

2020-02-12 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote: I would like to create some python automation scripts using it. Only the limited docs within the file(s) themselves + usage found elsewhere within IPA. We are trying to keep the API more stable than the past by deprecating things w

[Freeipa-users] Is there any documentation for the ipapython library ?

2020-02-11 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
I would like to create some python automation scripts using it. __ Daniel E. White daniel.e.wh...@nasa.gov NICS Linux Engineer NASA Goddard Space Flight Center 8800

[Freeipa-users] Re: [EXTERNAL] Re: MediaWiki and FreeIPA ?

2020-02-06 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
, Room E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290 From: Rob Crittenden Date: Thursday, February 6, 2020 at 15:31 To: FreeIPA users list Cc: Daniel White Subject: [EXTERNAL] Re: [Freeipa-users] MediaWiki and FreeIPA ? White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users

[Freeipa-users] MediaWiki and FreeIPA ?

2020-02-06 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
I have been trying various LDAP extensions without success. Most Google-able information is years old. Anyone use this : https://www.freeipa.org/page/Setting_up_MediaWiki_to_run_against_FreeIPA ? __

[Freeipa-users] Re: [EXTERNAL] Re: VMware vCenter Single Sign-On

2020-02-05 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
I believe you have stated the issue very precisely, Alexander. Pretty much all LDAP-integrated applications have ability to specify attribute names and objectclass names in their configuration to be able to adopt to various LDAP schemas. I am pushing this idea at VMware Support. Ability to

[Freeipa-users] Re: [EXTERNAL] Re: VMware vCenter Single Sign-On

2020-02-05 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
I am working on the issue from the VMware end, Let's see if I can get them to understand that their current OpenLDAP solution is unusable and needs to be updated. __ Daniel E. White

[Freeipa-users] VMware vCenter Single Sign-On

2020-02-04 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Reference Links: 12/19/2006 https://bugzilla.redhat.com/show_bug.cgi?id=220222 Bug 220222 - [RFE] support for RFC 4530 entryUUID attribute [NEEDINFO] Product: Red Hat Enterprise Linux 8 Reported:2006-12-19 19:40 UTC by Victoriano Giralt Modified:2020-01-17

[Freeipa-users] Does anyone use phpldapadmin on FreeIPA/RH-IdM ?

2020-02-04 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
I am just curious to browse the LDAP information. Contrarywise, does anyone have any suggestions for a free, lightweight way to browse LDAP information in FreeIPA/RH-IdM ? __ Daniel E. White

[Freeipa-users] Re: [EXTERNAL] suggestion for password policy

2020-01-28 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Would you be willing to share the code on, say, a github gist ? __ Daniel E. White daniel.e.wh...@nasa.gov NICS Linux Engineer NASA Goddard Space Flight Center 8800

[Freeipa-users] Re: [EXTERNAL] Re: Question about ipa group-add-member

2020-01-16 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
ipa group-add-member On 1/15/20 6:17 PM, White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote: Adding multiple users to one group is documented, but the other way around seems to be missing. Is there a way to add one user to multiple groups with one command ? Hi, with the GUI you can

[Freeipa-users] Question about ipa group-add-member

2020-01-15 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Adding multiple users to one group is documented, but the other way around seems to be missing. Is there a way to add one user to multiple groups with one command ? If not, I can deal with it. ___ FreeIPA-users mailing list --

[Freeipa-users] Re: [EXTERNAL] Re: Adding Hosts that are not ipa-clients ?

2020-01-14 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
m E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290 From: Rob Crittenden Date: Tuesday, January 14, 2020 at 14:21 To: FreeIPA users list Cc: Daniel White Subject: [EXTERNAL] Re: [Freeipa-users] Adding Hosts that are not ipa-clients ? White, Daniel E. (GSFC-770.0)[NICS] via F

[Freeipa-users] Adding Hosts that are not ipa-clients ?

2020-01-14 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
I am considering the Host Based Access Control features to help manage things in our infrastructure that cannot be ipa-clients - like network hardware (switches, routers) With the understanding that my servers do not run the DNS, can I create such hosts to use in host groups and HBAC rules ?

[Freeipa-users] Re: [EXTERNAL] Re: Looking for a way to get a list of users that can log in to a server

2019-12-30 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Friday, December 27, 2019 at 21:33 To: FreeIPA users list Cc: Daniel White Subject: [EXTERNAL] Re: [Freeipa-users] Looking for a way to get a list of users that can log in to a server White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote: Ideally, a command/script I can run on eac

[Freeipa-users] Looking for a way to get a list of users that can log in to a server

2019-12-23 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Ideally, a command/script I can run on each host that outputs a list of users that can log in to that host. I found this: FreeIPA Issue #7199 [RFE] Central report that will show who can access which systems (attestation) and followed it upstream to this

[Freeipa-users] Replacing the self-signed cert/CA with an external one ?

2019-12-23 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
I have two IdM/FreeIPA instances running in a test lab environment, built with self-signed certs and CA. Both have CA installed. I want to replace the self-signed with a real, external CA as it will be in production. Would I use this:

[Freeipa-users] Re: [EXTERNAL] Re: Anyone using FreeIPA/IdM and MicroFocus Network Automation ?

2019-12-10 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
...@nasa.gov<mailto:daniel.e.wh...@nasa.gov> NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290 From: "White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users" Reply-To: FreeIPA

[Freeipa-users] Re: [EXTERNAL] have users reset password

2019-12-10 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
A thought: If a user logs in to a laptop, then does a "kinit", can they then do a "kpasswd" to update their password ? __ Daniel E. White daniel.e.wh...@nasa.gov NICS

[Freeipa-users] Re: [EXTERNAL] Re: Anyone using FreeIPA/IdM and MicroFocus Network Automation ?

2019-12-06 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
I agree with your response: user search base="cn=users,cn=accounts,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG" group search base = " cn=nnmi_access,cn=groups,cn=accounts, dc=PROJECT,dc=EXAMPLE,dc=ORG" AND change the roleBase from member to memberOf This is based on the results of tinkering with

[Freeipa-users] Re: [EXTERNAL] Re: Anyone using FreeIPA/IdM and MicroFocus Network Automation ?

2019-12-06 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
We set roleContextDN to cn=nnmi-access And it still barfs, but I found stuff in the access log file: (redacted a bit) [06/Dec/2019:12:49:18.055641820 +] conn=2805 fd=110 slot=110 connection from NNMi-Server to IdM-Server [06/Dec/2019:12:49:18.055983514 +] conn=2805 op=0 BIND dn=""

[Freeipa-users] Re: [EXTERNAL] Re: Anyone using FreeIPA/IdM and MicroFocus Network Automation ?

2019-12-05 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
.wh...@nasa.gov> NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290 From: "White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users" Reply-To: FreeIPA users list Date: Thursday,

[Freeipa-users] Re: [EXTERNAL] Re: Anyone using FreeIPA/IdM and MicroFocus Network Automation ?

2019-12-05 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
nyone using FreeIPA/IdM and MicroFocus Network Automation ? White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote: Despite the fact that we selected "Generic LDAP" rather than "Active Directory", it is still looking for Security Groups and Organization Units

[Freeipa-users] Re: [EXTERNAL] Re: Anyone using FreeIPA/IdM and MicroFocus Network Automation ?

2019-12-05 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
nesday, December 4, 2019 at 17:55 To: FreeIPA users list Cc: Daniel White Subject: [EXTERNAL] Re: [Freeipa-users] Anyone using FreeIPA/IdM and MicroFocus Network Automation ? White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote: Despite the fact that we selected "Generic LDAP"