On Thu, 2013-11-07 at 22:17 -0500, Dmitri Pal wrote:
> On 11/07/2013 06:20 PM, Dean Hunter wrote:
>
> > On Thu, 2013-11-07 at 17:41 -0500, Dmitri Pal wrote:
> >
> > > On 11/07/2013 12:59 PM, Dean Hunter wrote:
> > >
> > > > On Thu, 2013-11-07 at 12:36 -0500, Dmitri Pal wrote:
> > > >
> > > >
Исаев Виталий Анатольевич wrote:
Rob, I apologize, just one more question. We dealt with the editing of
attributes, but it is still not clear if it is possible to restrict the user
adding to isolated group in case of the user's membership in other isolated
group.
I'm not sure I follow. As yo
Rob, I apologize, just one more question. We dealt with the editing of
attributes, but it is still not clear if it is possible to restrict the user
adding to isolated group in case of the user's membership in other isolated
group.
-Original Message-
From: Rob Crittenden [mailto:rcrit..
Thank you, Rob! This example is very useful.
Vitaly Isaev
Software Engineer
Information Security Department
Fintech JSC
-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Friday, November 08, 2013 7:47 PM
To: Исаев Виталий Анатольевич; freeipa-users@redhat.com
S
Исаев Виталий Анатольевич wrote:
Dear colleagues, we faced with an issue of access differentiation for
junior IPA admins. Our idea was to create several (say, three – group1,
group2, group3) isolated groups with one junior admin per group.
The group isolation means that admin of group1 is not ab
On 11/08/2013 08:53 AM, John Dennis wrote:
> FWIW I've authored a set of Python utilities to work with pem files for
> OpenStack. They work just fine with PEM blocks embedded with non-PEM
> text. I was thinking the utilities would also be useful in FreeIPA (in
> fact my experience in IPA is what gu
Dear colleagues, we faced with an issue of access differentiation for junior
IPA admins. Our idea was to create several (say, three - group1, group2,
group3) isolated groups with one junior admin per group.
The group isolation means that admin of group1 is not able to add to his group
neither u
Andrea Bontempi wrote:
Here the log /var/log/pki/pki-tomcat/ca/debug
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode,
authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use
default authz mgr: {2}.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to
> /usr/share/pki/ca/profiles/ca/caServerCert.cfg exist?
Yes
> Does rpm -V pki-ca pass?
No response
> Can openssl x509 -text -in /path/to/ca.crt show the cert ok?
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1383914316 (0x527cdb4c)
Signature Algorithm: sha1WithRSA
Here the log /var/log/pki/pki-tomcat/ca/debug
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode,
authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use
default authz mgr: {2}.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode,
authorization fo
Andrea Bontempi wrote:
Hi, I'm trying to install FreeIPA with external CA (again)
Now I use FreeIPA 3.3.* and I found a strange error on "[17/22]: requesting RA
certificate from CA":
2013-11-08T11:07:38Z DEBUG File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line
On 8 November 2013 13:46, Dmitri Pal wrote:
> On 11/08/2013 08:17 AM, Jonathan Underwood wrote:
>> Sooo I think that means the problem lies with apache and NSS, right?
>
>
> Or in the negotiated authentication.
> Is there anything in the kerberos logs on the server side?
Nothing error wise.
On 11/08/2013 04:56 AM, Petr Viktorin wrote:
> On 11/08/2013 09:01 AM, Martin Kosek wrote:
>> Thanks for heads up. You mean by the difference between "O=MW" and
>> "O=MELTWATER.COM"?
>> Petr, is this possible? Can it be validated in the installer if this is
>> the
>> root cause?
That's a good
On 11/08/2013 08:17 AM, Jonathan Underwood wrote:
> On 8 November 2013 12:50, Jonathan Underwood
> wrote:
>> On 7 November 2013 22:45, Rob Crittenden wrote:
>>> This is it trying to close a connection that was never made.
>>>
>>> Can you run ipa -vv ping?
>> # ipa -vv ping
>> ipa: INFO: trying ht
On 7 November 2013 22:45, Rob Crittenden wrote:
> This is it trying to close a connection that was never made.
>
> Can you run ipa -vv ping?
# ipa -vv ping
ipa: INFO: trying https://nirvana.asteroids.phys.ucl.ac.uk/ipa/xml
ipa: INFO: Forwarding 'ping' to server
u'https://nirvana.asteroids.phys.uc
On 8 November 2013 12:50, Jonathan Underwood
wrote:
> On 7 November 2013 22:45, Rob Crittenden wrote:
>> This is it trying to close a connection that was never made.
>>
>> Can you run ipa -vv ping?
>
> # ipa -vv ping
> ipa: INFO: trying https://nirvana.asteroids.phys.ucl.ac.uk/ipa/xml
> ipa: INFO
Hi, I'm trying to install FreeIPA with external CA (again)
Now I use FreeIPA 3.3.* and I found a strange error on "[17/22]: requesting RA
certificate from CA":
>2013-11-08T11:07:38Z DEBUG File
>"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line
>622, in run_script
>
On 7 November 2013 22:43, Dmitri Pal wrote:
> What about Kerberos package?
# rpm -qa | grep krb
krb5-server-1.10.3-10.el6_4.3.x86_64
krb5-libs-1.10.3-10.el6_4.3.x86_64
krb5-workstation-1.10.3-10.el6_4.3.x86_64
pam_krb5-2.3.11-9.el6.x86_64
python-krbV-1.0.90-3.el6.x86_64
On 11/08/2013 09:01 AM, Martin Kosek wrote:
Thanks for heads up. You mean by the difference between "O=MW" and
"O=MELTWATER.COM"?
Petr, is this possible? Can it be validated in the installer if this is the
root cause?
It is possible. It's hard to tell without the logs; looks like the
fail
On Thu, Nov 07, 2013 at 10:17:44PM -0500, Dmitri Pal wrote:
> On 11/07/2013 06:20 PM, Dean Hunter wrote:
> > On Thu, 2013-11-07 at 17:41 -0500, Dmitri Pal wrote:
> >> On 11/07/2013 12:59 PM, Dean Hunter wrote:
> >>> On Thu, 2013-11-07 at 12:36 -0500, Dmitri Pal wrote:
> On 11/07/2013 12:21 PM,
> You mean by the difference between "O=MW" and "O=MELTWATER.COM"?
Yes, but again I don't know for sure. I wasn't very diligent setting up my
test CA.
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa
Thanks for heads up. You mean by the difference between "O=MW" and
"O=MELTWATER.COM"?
Petr, is this possible? Can it be validated in the installer if this is the
root cause?
Martin
On 11/08/2013 01:55 AM, William Leese wrote:
> I was able to solve this by recreating my test CA. I believe the