[Freeipa-users] Re: Disable user password expiration immediately after password reset.

2024-07-01 Thread luckydog xf via FreeIPA-users
dmin side. > Then I change the password as the user, which will then obey whatever > password policies are applicable. > > On Mon, Jul 1, 2024, 21:10 luckydog xf via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > >> Once the admin changes the user p

[Freeipa-users] Disable user password expiration immediately after password reset.

2024-07-01 Thread luckydog xf via FreeIPA-users
Once the admin changes the user password, it will expire immediately. Can we disable this policy? -- ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedor

[Freeipa-users] Re: Replace external CA and certificates to self-signed ones.

2023-08-06 Thread luckydog xf via FreeIPA-users
ok. 1. certutil of httpd isn't used any more. Its certificate is tracked by certmonger. Just change the settings of ssl.conf to the default (self-signed) or our own. 2. Set the system date/time to before August 3 and restart services. 3. run ipa-getcert request -d /etc/dirsrv/slapd-WINGON-HK/ -n ‘CN=*.win

[Freeipa-users] Re: Replace external CA and certificates to self-signed ones.

2023-08-06 Thread luckydog xf via FreeIPA-users
I installed a new IPA with a self-signed CA and certificates. I didn't find anything related to an NSSDB under /etc/http/alias, so they're no longer used? Right? All are in the PEM certificate and key specified in ssl.conf: === SSLCertificateFile /var/lib/ipa/certs/httpd.crt SSLCertificateKeyFile /var/lib/ipa/

[Freeipa-users] Replace external CA and certificates to self-signed ones.

2023-08-06 Thread luckydog xf via FreeIPA-users
Hello, list, Our FreeIPA is 4.9.8 and the domain is wingon.hk. Initially, we installed an external CA and certificates by following this link https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP and it works fine. The certificate expired on Aug 03 22:16:17 2023. We want to repl

[Freeipa-users] Re: pki-tomcat fails to start after I update CA for dirsrv and httpd.

2020-06-18 Thread luckydog xf via FreeIPA-users
Thanks a lot, flo, you're an expert in Dogtag and FreeIPA. Have a good day. :) On Thu, Jun 18, 2020 at 4:52 PM Florence Blanc-Renaud wrote: > On 6/18/20 10:37 AM, luckydog xf via FreeIPA-users wrote: > > One more question, > > > > In this thread > > ( >

[Freeipa-users] Re: pki-tomcat fails to start after I update CA for dirsrv and httpd.

2020-06-18 Thread luckydog xf via FreeIPA-users
orrect or not ? > > Appreciate your help. > > > On Thu, Jun 18, 2020 at 3:37 PM Florence Blanc-Renaud > wrote: > >> On 6/18/20 6:06 AM, luckydog xf via FreeIPA-users wrote: >> > [root@wocfreeipa ~]# export LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/alias

[Freeipa-users] Re: pki-tomcat fails to start after I update CA for dirsrv and httpd.

2020-06-18 Thread luckydog xf via FreeIPA-users
ted by the user.* -- Is my understanding correct or not? Appreciate your help. On Thu, Jun 18, 2020 at 3:37 PM Florence Blanc-Renaud wrote: > On 6/18/20 6:06 AM, luckydog xf via FreeIPA-users wrote: > > [root@wocfreeipa ~]# export LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/ali

[Freeipa-users] Re: pki-tomcat fails to start after I update CA for dirsrv and httpd.

2020-06-17 Thread luckydog xf via FreeIPA-users
p://wocfreeipa.sap.wingon.hk> port 636 > *Error > netscape.ldap.LDAPException: Unable to create socket: > org.mozilla.jss.ssl.SSLSocketException: > org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8172) > *Peer's > certificate issuer has been marked as not trusted by the user.* (-1)

[Freeipa-users] Re: pki-tomcat fails to start after I update CA for dirsrv and httpd.

2020-06-17 Thread luckydog xf via FreeIPA-users
wrote: > On 6/17/20 11:32 AM, luckydog xf via FreeIPA-users wrote: > > Hi, As stated in > https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020 > > > > I cannot log in to the FreeIPA web page. > > > > So I u

[Freeipa-users] pki-tomcat fails to start after I update CA for dirsrv and httpd.

2020-06-17 Thread luckydog xf via FreeIPA-users
Hi, As stated in https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020 I cannot log in to the FreeIPA web page. So I updated the CA by: # delete everything except the IPA CA of httpd and dirsrv certutil -d /etc/http/alias -D -n 'xxx' # ca-bundle.crt is 3 fi

[Freeipa-users] Re: Server-Cert cert-pki-ca was expired and wasn't renewed automatically

2020-01-16 Thread luckydog xf via FreeIPA-users
Thanks, I did it per your instructions; the old serial 268238851 was revoked and invalid. A new serial was generated and is already valid. == # 268238851, certificateRepository, ca, ipaca dn: cn=268238851,ou=certificateRepository,ou=ca,o=ipaca objectClass: top objectClass: certificateR

[Freeipa-users] Re: Server-Cert cert-pki-ca was expired and wasn't renewed automatically

2020-01-07 Thread luckydog xf via FreeIPA-users
I tried this way, but I have not found this entry. === ldapsearch -x -h localhost -D "cn=directory manager" -W > all.ldif grep revoke -i all.ldif returned nothing. My IPA is v4.6.4.

[Freeipa-users] Re: Max renew for Kerberos tickets

2020-01-02 Thread luckydog xf via FreeIPA-users
Interesting, why was my post intercepted by a new topic? Lol.

[Freeipa-users] Re: Server-Cert cert-pki-ca was expired and wasn't renewed automatically

2020-01-02 Thread luckydog xf via FreeIPA-users
I'm confused. :)

[Freeipa-users] Re: Server-Cert cert-pki-ca was expired and wasn't renewed automatically

2020-01-02 Thread luckydog xf via FreeIPA-users
> On 12/31/19 1:47 AM, luckydog xf via FreeIPA-users wrote: > Hi, > > can you check if the cert is revoked with: > $ certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'Server-Cert cert-pki-ca' > | grep -i Serial > (note the Serial number) > $ ipa cert-show > >

[Freeipa-users] Re: Server-Cert cert-pki-ca was expired and wasn't renewed automatically

2019-12-30 Thread luckydog xf via FreeIPA-users
One more question to ask, 1. Both /etc/dirsrv/alias and /etc/http/alias store certificates for themselves. Right? 2. Dogtag is a certificate lifecycle management system, e.g. issue/renew/revoke. Any CSR would be validated by httpd first and then forwarded to the Dogtag subCA? Per https://ftweedal.fedo

[Freeipa-users] Re: Server-Cert cert-pki-ca was expired and wasn't renewed automatically

2019-12-30 Thread luckydog xf via FreeIPA-users
I reset the system clock to Oct 27, while this certificate would expire on Nov 11. It's still valid and should be renewed by certmonger. So there is no reason it says the serial number was revoked.

[Freeipa-users] Re: Server-Cert cert-pki-ca was expired and wasn't renewed automatically

2019-12-30 Thread luckydog xf via FreeIPA-users
I see. Just curious about the following error: "certificate serial number {0} to be renewed is revoked. Cannot renew a revoked" Where is the serial number stored in Dogtag? Red Hat docs say it's in 389 DS, but I cannot find it. And would any stuff related to certificates be stored in

[Freeipa-users] Re: Server-Cert cert-pki-ca was expired and wasn't renewed automatically

2019-12-29 Thread luckydog xf via FreeIPA-users
This is resolved by "getcert modify-ca -c dogtag-ipa-ca-renew-agent -e '/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit -N'" and start-tracking. The reason is that once certmonger renews a certificate, it would use the old certificate request information to generate a new one.

[Freeipa-users] Re: Server-Cert cert-pki-ca was expired and wasn't renewed automatically

2019-12-29 Thread luckydog xf via FreeIPA-users
Forgot to copy its error. :(

[Freeipa-users] Re: Server-Cert cert-pki-ca was expired and wasn't renewed automatically

2019-12-26 Thread luckydog xf via FreeIPA-users
I found out why IPA didn't run even though I reset the system clock: the dirsrv and httpd certificates were valid "Not Before Oct 26", and the Dogtag certificate was valid "Not After Nov 11", so I had to set the clock within this period. :) What I tried: 1. set the clock to ensure pki-tomcat wo

[Freeipa-users] Re: Server-Cert cert-pki-ca was expired and wasn't renewed automatically

2019-12-25 Thread luckydog xf via FreeIPA-users
I reset the system clock to a proper point; now IPA is working. Server-Cert cert-pki-ca was somehow not tracked by certmonger; I added it, but it says # output of getcert list. - Request ID '20191101102140': status: MONITORING ca-error: Server at "h

[Freeipa-users] Server-Cert cert-pki-ca was expired and wasn't renewed automatically

2019-12-25 Thread luckydog xf via FreeIPA-users
Hi, I have a 2-node IPA system. The 'Server-Cert cert-pki-ca' of the master node expired unexpectedly. Based on https://ftweedal.fedorapeople.org/ipa-cert-renewal-deep-dive.pdf, this cert is for HTTPS (pki-tomcat), AKA the Dogtag website. As it expired, Dogtag is OOS too. Right now, t

[Freeipa-users] Re: pki-tomcatd failed to start after I replace the 3rd SSL certificate for httpd and dirsrv.

2019-04-26 Thread luckydog xf via FreeIPA-users
I removed everything, including the original CA, from /etc/dirsrv/slap-XXX, and replaced it with Comodo's CA. When pki-tomcat tries to authenticate to dirsrv, it uses a certificate signed by the original CA, while there is NO CA for dirsrv to validate it (pki-tomcat). This is the root cause of this erro
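The trust failure described in this thread (the IPA CA removed from the dirsrv NSS database, so the subsystem client certificate that pki-tomcat presents can no longer be chained to a trusted issuer), together with the clock-rewind workaround used in the 2019 Server-Cert thread and the 2023 external-CA thread, reproduced below with a throw-away PKI. This is an added example, not code from the list, from FreeIPA or from Dogtag: the CA names, dates, and the NewCA / IssueClientCert / VerifyClient / Run functions are constructed assumptions, and Go's crypto/x509 stands in for the NSS/JSS checks the real services perform.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Added illustration (not FreeIPA/Dogtag code). An "IPA CA" issues the TLS
// client certificate pki-tomcat presents to dirsrv; dirsrv accepts it only if
// the IPA CA is still in its trust store at handshake time. Names/dates are
// constructed.

type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// NewCA creates a self-signed CA certificate valid over [notBefore, notAfter].
func NewCA(cn string, notBefore, notAfter time.Time) (ca, error) {
	key, err := newKey()
	if err != nil {
		return ca{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return ca{}, err
	}
	cert, err := x509.ParseCertificate(der)
	return ca{cert: cert, key: key}, err
}

// IssueClientCert signs a TLS client certificate (the role of
// 'subsystemCert cert-pki-ca') with the given CA.
func IssueClientCert(issuer ca, cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := newKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer.cert, &key.PublicKey, issuer.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyClient is the server-side (dirsrv) check: chain the presented client
// cert to a CA in the trust store, evaluated as of `now`.
func VerifyClient(leaf *x509.Certificate, trusted []*x509.Certificate, now time.Time) error {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: pool, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// IsUnknownAuthority: no issuer in the trust store (the "issuer ... not trusted" case).
func IsUnknownAuthority(err error) bool { var e x509.UnknownAuthorityError; return errors.As(err, &e) }

// IsExpired: the chain is fine but `now` lies outside the certificate's validity.
func IsExpired(err error) bool {
	var e x509.CertificateInvalidError
	return errors.As(err, &e) && e.Reason == x509.Expired
}

// Outcome collects the verification result of each situation from the thread.
type Outcome struct {
	IPACAKept     error // IPA CA still in dirsrv's trust store: nil
	IPACARemoved  error // only the external (Comodo-style) CA kept: unknown authority
	ClientExpired error // IPA CA kept, but the clock is past the client cert's NotAfter
	ClockRewound  error // same cert, clock set back inside its validity: nil
}

func Run() (Outcome, error) {
	issued := time.Date(2019, time.October, 26, 0, 0, 0, 0, time.UTC) // constructed "Not Before"
	expires := issued.AddDate(0, 0, 16)                               // constructed "Not After Nov 11"
	ipaCA, err := NewCA("Certificate Authority (IPA)", issued.AddDate(-1, 0, 0), issued.AddDate(20, 0, 0))
	if err != nil {
		return Outcome{}, err
	}
	extCA, err := NewCA("External Root CA", issued.AddDate(-1, 0, 0), issued.AddDate(20, 0, 0))
	if err != nil {
		return Outcome{}, err
	}
	client, err := IssueClientCert(ipaCA, "CA Subsystem", issued, expires)
	if err != nil {
		return Outcome{}, err
	}
	inValidity, afterExpiry := issued.AddDate(0, 0, 1), expires.AddDate(0, 1, 0)
	return Outcome{
		IPACAKept:     VerifyClient(client, []*x509.Certificate{extCA.cert, ipaCA.cert}, inValidity),
		IPACARemoved:  VerifyClient(client, []*x509.Certificate{extCA.cert}, inValidity),
		ClientExpired: VerifyClient(client, []*x509.Certificate{ipaCA.cert}, afterExpiry),
		ClockRewound:  VerifyClient(client, []*x509.Certificate{ipaCA.cert}, inValidity),
	}, nil
}

func main() {
	o, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("IPA CA kept: %v\nIPA CA removed: %v\nclient expired: %v\nclock rewound: %v\n",
		o.IPACAKept, o.IPACARemoved, o.ClientExpired, o.ClockRewound)
}
```

The second result is the failure mode of this thread: replacing the server certificates with third-party ones is fine, but the issuer of the certificates the IPA components use to talk to each other must stay in every trust store that validates them. The third and fourth results show why moving the clock inside the validity window temporarily revives a deployment: the chain is intact, only the time check fails, which is exactly the window needed to get certmonger to renew.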

[Freeipa-users] Re: pki-tomcatd failed to start after I replace the 3rd SSL certificate for httpd and dirsrv.

2019-04-26 Thread luckydog xf via FreeIPA-users
Holy shit, fixed: you must keep the original CA (xxx.com IPA CA) under /etc/http/alias and /etc/dirsrv/slapd-XXX. Here are the steps for how I reverted it. # as pki-tomcatd has the original. certutil -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca' -L -a > original.ca # do it agains

[Freeipa-users] Re: pki-tomcatd failed to start after I replace the 3rd SSL certificate for httpd and dirsrv.

2019-04-26 Thread luckydog xf via FreeIPA-users
But how could I revert it? # I saw that page; probably I did something wrong, which makes it not work. # Here ca.crt is the CA bundle and includes the root and intermediate certs provided by Comodo? ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install ca.crt and what NICKNAME is it sup

[Freeipa-users] Re: pki-tomcatd failed to start after I replace the 3rd SSL certificate for httpd and dirsrv.

2019-04-26 Thread luckydog xf via FreeIPA-users
Googled and found something. export LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/alias export LDAPTLS_CERT='subsystemCert cert-pki-ca' ldapsearch -H ldaps://`hostname`:636 -b "" -s base -Y EXTERNAL -Q -LLL dn namingcontexts ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

[Freeipa-users] pki-tomcatd failed to start after I replace the 3rd SSL certificate for httpd and dirsrv.

2019-04-26 Thread luckydog xf via FreeIPA-users
Hi, list, I replaced the httpd and dirsrv certificates with third-party SSL certificates signed by Comodo, whose root and intermediate certs are 3 files. Below are my steps. 1. remove ALL certs for httpd and dirsrv; I'll write httpd only and skip dirsrv. # And I also removed /etc/pki/nssdb in the same way.

[Freeipa-users] Can OTP use as other datasource other than LDAP?

2018-11-21 Thread luckydog xf via FreeIPA-users
When I deploy FreeIPA with the built-in LDAP (389 DS) and create a user with OTP enabled, I can integrate it with FreeRADIUS via the LDAP module to authenticate against a Network Access Service (switch, etc.) with the user's password and OTP. My question is that our VPN only supports MSCHAP aut