Re: [Freeipa-users] question about generating certificates

2013-11-06 Thread Arthur Faizullin
Исаев Виталий Анатольевич has given me advice that the problem may be in SELinux. So I have stopped tracking the previous request by $ sudo ipa-getcert stop-tracking -i 20131106075356 and have generated a new request # ipa-getcert request -f /var/lib/certmonger/requests/server.crt -k /var/lib/certmonger/re

Re: [Freeipa-users] Requesting contact with users running PassSync AD -> FreeIPA

2013-11-06 Thread Dmitri Pal
On 11/05/2013 02:05 PM, EP wrote: > Thanks for your answers so far. > > A question about cross realm trusts though: This requires the AD servers to > be available when doing a login via FreeIPA, right? Or is FreeIPA caching > information from AD? > > We don't want Linux logins to be dependent on

Re: [Freeipa-users] Revisiting ILO

2013-11-06 Thread Dmitri Pal
On 11/05/2013 02:51 PM, KodaK wrote: > If I use the whole connection string: > > uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com > > I can authenticate. Does this count as SOLVED? If so can you please reply with the SOLVED in the subject? > > > On Tue, Nov 5, 2013 at 1:40 PM,

[Freeipa-users] New login procedure for FreeIPA wiki - need advice!

2013-11-06 Thread Dmitri Pal
Hello, We are trying to make access to the FreeIPA wiki easier and allow contributions without additional overhead. In the past, to make any change to the wiki one had to have a special wiki account. The procedure of creating such an account was cumbersome. We added support for OpenID. Among available provi

Re: [Freeipa-users] question about generating certificates

2013-11-06 Thread Alexander Bokovoy
On Wed, 06 Nov 2013, Arthur Faizullin wrote: Исаев Виталий Анатольевич has given me advice that the problem may be in SELinux. So I have stopped tracking the previous request by $ sudo ipa-getcert stop-tracking -i 20131106075356 and have generated a new request # ipa-getcert request -f /var/lib/certmonge

Re: [Freeipa-users] question about generating certificates

2013-11-06 Thread Dmitri Pal
On 11/06/2013 07:01 AM, Arthur Faizullin wrote: > Исаев Виталий Анатольевич has given me advice that the > problem may be in SELinux. > So I have stopped tracking the previous request by > $ sudo ipa-getcert stop-tracking -i 20131106075356 > > and have generated a new request > # ipa-getcert request -f /var

Re: [Freeipa-users] ui login error and questions about replication

2013-11-06 Thread Dmitri Pal
On 11/05/2013 10:16 PM, Rob Crittenden wrote: >> If you have deployed original IPA server with integrated CA, then your other replicas better to have at least one with CA configured to allow proper recovery in case primary one is destroyed. >> >> Are there any caveats to not deploy CA

Re: [Freeipa-users] ui login error and questions about replication

2013-11-06 Thread Tamas Papp
On 11/06/2013 02:08 AM, Rich Megginson wrote: > On 11/05/2013 04:23 PM, Tamas Papp wrote: >> On 11/05/2013 09:25 PM, Rich Megginson wrote: >>> On 11/05/2013 01:03 PM, Tamas Papp wrote: On 11/05/2013 03:58 PM, Rich Megginson wrote: > On 11/05/2013 07:53 AM, Tamas Papp wrote: >> On 11/0

Re: [Freeipa-users] ui login error and questions about replication

2013-11-06 Thread Tamas Papp
On 11/06/2013 02:07 AM, Rich Megginson wrote: > On 11/05/2013 04:34 PM, Tamas Papp wrote: >> On 11/05/2013 03:58 PM, Rich Megginson wrote: >>> On 11/05/2013 07:53 AM, Tamas Papp wrote: On 11/05/2013 03:17 PM, Rich Megginson wrote: > https://fedorahosted.org/389/ticket/47516 > > Th

Re: [Freeipa-users] rhel 5 client in a rhel 6 domain?

2013-11-06 Thread indira
Armstrong, Kenneth Lawrence writes: hi.. has the problem been fixed???

Re: [Freeipa-users] ui login error and questions about replication

2013-11-06 Thread Tamas Papp
On 11/06/2013 04:16 AM, Rob Crittenden wrote: > >> > 5. If I have a network like this: > > A1__B1 > A2 B2 > > A2 and B1,2 are replicated from A1 > > If the connection gets lost between A and B site, are B1 and 2 (and > A1,2) replicated fine? >>

Re: [Freeipa-users] External CA

2013-11-06 Thread Petr Viktorin
On 11/06/2013 06:32 AM, William Leese wrote: Hi, Trying to install freeIPA and have it a sub-ca of an existing one. Sadly I'm not getting anywhere. The version I have installed: ipa-server-3.0.0-26.el6_4.4.x86_64 This is what I run: ipa-server-install -U -a testtest -p testtest --external_c

Re: [Freeipa-users] question about generating certificates

2013-11-06 Thread Rob Crittenden
Dmitri Pal wrote: On 11/06/2013 07:01 AM, Arthur Faizullin wrote: Исаев Виталий Анатольевич has given me advice that the problem may be in SELinux. So I have stopped tracking the previous request by $ sudo ipa-getcert stop-tracking -i 20131106075356 and have generated a new request # ipa-getcert request

Re: [Freeipa-users] External CA

2013-11-06 Thread Rob Crittenden
William Leese wrote: Hi, Trying to install freeIPA and have it a sub-ca of an existing one. Sadly I'm not getting anywhere. The version I have installed: ipa-server-3.0.0-26.el6_4.4.x86_64 This is what I run: ipa-server-install -U -a testtest -p testtest --external_cert_file=/root/server.pe

Re: [Freeipa-users] ui login error and questions about replication

2013-11-06 Thread Rich Megginson
On 11/06/2013 06:41 AM, Tamas Papp wrote: On 11/06/2013 04:16 AM, Rob Crittenden wrote: 5. If I have a network like this: A1__B1 A2 B2 A2 and B1,2 are replicated from A1 If the connection gets lost between A and B site, are B1 and 2 (and A1,2) replicated fine? I assume fro

Re: [Freeipa-users] New login procedure for FreeIPA wiki - need advice!

2013-11-06 Thread Pablo Carranza
Have you guys/gals considered using Sphinx, instead (perhaps, in conjunction with ReadTheDocs.org)? The documentation source can then be hosted on GitHub. For live examples, check out: - Salt Cloud's Documentation

Re: [Freeipa-users] New login procedure for FreeIPA wiki - need advice!

2013-11-06 Thread Alexander Bokovoy
On Wed, 06 Nov 2013, Pablo Carranza wrote: Have you guys/gals considered using Sphinx, instead (perhaps, in conjunction with ReadTheDocs.org)? I'm not sure how it helps -- we need a wiki working on FreeIPA org, it is part of our development ro

[Freeipa-users] OpenLDAP migration issues

2013-11-06 Thread Ryan M. Casey
I'm attempting to migrate our OpenLDAP+Kerberos authentication scheme to FreeIPA. Running the following migration command: ipa migrate-ds --bind-dn="cn=admin,dc=foo,dc=com" --base-dn="dc=foo,dc=com" --user-container="ou=users" --group-container="ou=group" --user-objectclass="posixAccount" --gr

Re: [Freeipa-users] New login procedure for FreeIPA wiki - need advice!

2013-11-06 Thread Petr Viktorin
On 11/06/2013 03:33 PM, Alexander Bokovoy wrote: On Wed, 06 Nov 2013, Pablo Carranza wrote: Have you guys/gals considered using Sphinx, instead (perhaps, in conjunction with ReadTheDocs.org)? Yes, we considered it. Sphinx and ReadTheDocs are

[Freeipa-users] trying to setup cert with an internal CA

2013-11-06 Thread Mike Calautti
Hi, We have our own in-house CA. I ran ipa-server-install -a secret12 -r EXAMPLE.COM -P password -p secret12 -n ipaserver.example.com --external-ca It generated ipa.csr as expected.. I used openssl to sign it on our internal CA. I got the .crt file.. I assume I need the private KEY that the

Re: [Freeipa-users] rhel 5 client in a rhel 6 domain?

2013-11-06 Thread Dmitri Pal
On 11/06/2013 12:15 AM, indira wrote: > Armstrong, Kenneth Lawrence writes: > > > > hi.. > has the problem been fixed??? Was a ticket fi

Re: [Freeipa-users] OpenLDAP migration issues

2013-11-06 Thread Dmitri Pal
On 11/06/2013 10:03 AM, Ryan M. Casey wrote: > > I'm attempting to migrate our OpenLDAP+Kerberos authentication scheme > to FreeIPA. Running the following migration command: > > > > ipa migrate-ds --bind-dn="cn=admin,dc=foo,dc=com" > --base-dn="dc=foo,dc=com" --user-container="ou=users" > --grou

Re: [Freeipa-users] OpenLDAP migration issues

2013-11-06 Thread Rob Crittenden
Ryan M. Casey wrote: I’m attempting to migrate our OpenLDAP+Kerberos authentication scheme to FreeIPA. Running the following migration command: ipa migrate-ds --bind-dn="cn=admin,dc=foo,dc=com" --base-dn="dc=foo,dc=com" --user-container="ou=users" --group-container="ou=group" --user-objectclass

Re: [Freeipa-users] trying to setup cert with an internal CA

2013-11-06 Thread Rob Crittenden
Mike Calautti wrote: Hi, We have our own in-house CA. I ran ipa-server-install -a secret12 -r EXAMPLE.COM -P password -p secret12 -n ipaserver.example.com --external-ca It generated ipa.csr as expected.. I used openssl to sign it on our internal CA. I got the .crt file.. I assume I need t

[Freeipa-users] Installation issues with sub-ca.

2013-11-06 Thread Andrea Bontempi
Hi, I'm trying to install FreeIPA with an external CA, but the installation script throws this error: CalledProcessError: Command '/usr/bin/sslget -v -n ipa-ca-agent -p -d /tmp/tmp-rrhisg -r /ca/agent/ca/profileReview?requestId=6 ipa.dbmsrl.com:9443' returned non-zero exit status 4 H

Re: [Freeipa-users] Installation issues with sub-ca.

2013-11-06 Thread Rob Crittenden
Andrea Bontempi wrote: Hi, I'm trying to install FreeIPA with an external CA, but the installation script throws this error: CalledProcessError: Command '/usr/bin/sslget -v -n ipa-ca-agent -p -d /tmp/tmp-rrhisg -r /ca/agent/ca/profileReview?requestId=6 ipa.dbmsrl.com:9443' returned

Re: [Freeipa-users] Revisiting ILO

2013-11-06 Thread Nathan Kinder
On 11/05/2013 11:51 AM, KodaK wrote: If I use the whole connection string: uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com I can authenticate. The HP iLO documentation doesn't list using the uid value as a supported form of specifying the login. You can use the CN value or

[Freeipa-users] reboot required after ipa-client-install?

2013-11-06 Thread Dean Hunter
After building a new VM and configuring the IPA 3.3.2 client, Gnome seems to only perform a local log-in until the system is rebooted. SSH works with IPA, but not Gnome. Is this correct? Is there anything less disruptive than a reboot that I can do?

Re: [Freeipa-users] question about generating certificates

2013-11-06 Thread Arthur Faizullin
On Wed, 06/11/2013 at 14:52 +0200, Alexander Bokovoy wrote: > On Wed, 06 Nov 2013, Arthur Faizullin wrote: > >Исаев Виталий Анатольевич has given me advice that the > >problem may be in SELinux. > >So I have stopped tracking the previous request by > >$ sudo ipa-getcert stop-tracking -i 20131106075356 > > >

Re: [Freeipa-users] question about generating certificates

2013-11-06 Thread Arthur Faizullin
On Wed, 06/11/2013 at 08:44 -0500, Rob Crittenden wrote: > Dmitri Pal wrote: > > On 11/06/2013 07:01 AM, Arthur Faizullin wrote: > >> Исаев Виталий Анатольевич has given me advice that the > >> problem may be in SELinux. > >> So I have stopped tracking the previous request by > >> $ sudo ipa-getcert stop-tr

Re: [Freeipa-users] question about generating certificates

2013-11-06 Thread Arthur Faizullin
I have done as you said! # ipa-getcert request -f /etc/pki/tls/certs/postgresql.crt -k /etc/pki/tls/private/postgresql.key -K postgresql/postgresql.example.com -N CN=postgresql.example.com -D postgresql.example.com # ipa-getcert list Request ID '20131107050729': status: MONITORING

Re: [Freeipa-users] question about generating certificates

2013-11-06 Thread Arthur Faizullin
I have found what that means. It is again something with access rights. Rob Crittenden says that it is better to generate certificates at: /etc/pki/tls/private/postgresql.key /etc/pki/tls/certs/postgresql.crt and if the owner of these files is postgres then postgresql starts well, but I do not know

Re: [Freeipa-users] External CA

2013-11-06 Thread William Leese
> [root@vagrant-centos-6 CA]# cat /root/server.pem >> Certificate: >> Data: >> Version: 3 (0x2) >> Serial Number: 2 (0x2) >> Signature Algorithm: sha1WithRSAEncryption >> Issuer: C=JP, ST=TK, L=TKK, O=MW, OU=ops, >> CN=vagrant.localdomain/emailAddress=t...@t

Re: [Freeipa-users] reboot required after ipa-client-install?

2013-11-06 Thread Arthur Faizullin
I have not rebooted the whole machine. Everything worked fine. Maybe just try to restart gdm? # systemctl restart gdm.service On Wed, 06/11/2013 at 22:13 -0600, Dean Hunter wrote: > After building a new VM and configuring the IPA 3.3.2 client, Gnome > seems to only perform a local log-in until the syste

Re: [Freeipa-users] reboot required after ipa-client-install?

2013-11-06 Thread Alexander Bokovoy
On Wed, 06 Nov 2013, Dean Hunter wrote: After building a new VM and configuring the IPA 3.3.2 client, Gnome seems to only perform a local log-in until the system is rebooted. SSH works with IPA, but not Gnome. Is this correct? Is there anything less disruptive than a reboot that I can do? Resta