Re: [Freeipa-users] Master level IPA server

2015-04-29 Thread Alexander Bokovoy
On Wed, 29 Apr 2015, Aric Wilisch wrote: Is it possible to set up a Master level FreeIPA domain, then have 3 sub level domains use it for authentication? So master server at say ipa.domain.com, then have a secondary zone that is ipa2.sub1.domain.com

[Freeipa-users] PWM and IPA

2015-04-29 Thread Janelle
Hi all, Just wondering if anyone has put together a guide for integrating PWM with IPA? I know there is a section on 389-ds, but that is kind of raw-389 and not the highly modified-for-IPA 389-ds. I would like to set this up for my users, but really don't want to do it using that guide unless

Re: [Freeipa-users] Master level IPA server

2015-04-29 Thread Dmitri Pal
On 04/29/2015 08:38 PM, Aric Wilisch wrote: Is it possible to set up a Master level FreeIPA domain, then have 3 sub level domains use it for authentication? So master server at say ipa.domain.com, then have a secondary zone that is ipa2.sub1.domain.com

[Freeipa-users] Master level IPA server

2015-04-29 Thread Aric Wilisch
Is it possible to set up a Master level FreeIPA domain, then have 3 sub level domains use it for authentication? So master server at say ipa.domain.com, then have a secondary zone that is ipa2.sub1.domain.com. We have 3 different environme

Re: [Freeipa-users] FreeIPA WebUI Logout logs back in

2015-04-29 Thread Martin Kosek
On 04/29/2015 06:31 PM, Christopher Lamb wrote: Hi all @Craig, and using the WebUI for that purpose is much more user friendly than doing the same via a ssh terminal session. @Simo, as requested I have opened a ticket on this issue https://fedorahosted.org/freeipa/ticket/5010 As this is my first

Re: [Freeipa-users] ipa-replica-install fails at CA setup

2015-04-29 Thread Qing Chang
ipareplica-install is big, following starts at around step 34/35 for directory server config (see red lines), and then CA setup stopped at second step. Relevant logs in error and access are attached too. It appears at the time when CA setup needed access to dirsrv, it was down? - ipareplica-install l

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Andy Thompson
> -Original Message- > From: thierry bordaz [mailto:tbor...@redhat.com] > Sent: Wednesday, April 29, 2015 1:07 PM > To: Andy Thompson > Cc: Ludwig Krispenz; Martin Kosek; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] deleting ipa user > > On 04/29/2015 06:45 PM, Andy Thompson w

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread thierry bordaz
On 04/29/2015 06:45 PM, Andy Thompson wrote: -Original Message- From: thierry bordaz [mailto:tbor...@redhat.com] Sent: Wednesday, April 29, 2015 12:28 PM To: Andy Thompson Cc: Ludwig Krispenz; Martin Kosek; freeipa-users@redhat.com Subject: Re: [Freeipa-users] deleting ipa user On 04/29/

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Andy Thompson
> -Original Message- > From: thierry bordaz [mailto:tbor...@redhat.com] > Sent: Wednesday, April 29, 2015 12:28 PM > To: Andy Thompson > Cc: Ludwig Krispenz; Martin Kosek; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] deleting ipa user > > On 04/29/2015 05:58 PM, Andy Thompson wr

Re: [Freeipa-users] FreeIPA WebUI Logout logs back in

2015-04-29 Thread Simo Sorce
On Wed, 2015-04-29 at 18:31 +0200, Christopher Lamb wrote: > Hi all > > @Craig, and using the WebUI for that purpose is much more user friendly > than doing the same via a ssh terminal session. > > @Simo, as requested I have opened a ticket on this issue > https://fedorahosted.org/freeipa/ticket/

Re: [Freeipa-users] FreeIPA WebUI Logout logs back in

2015-04-29 Thread Christopher Lamb
Hi all @Craig, and using the WebUI for that purpose is much more user friendly than doing the same via a ssh terminal session. @Simo, as requested I have opened a ticket on this issue https://fedorahosted.org/freeipa/ticket/5010 As this is my first Fedora ticket, please forgive me if I didn't do it

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread thierry bordaz
On 04/29/2015 05:58 PM, Andy Thompson wrote: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343- f0abc1a8,cn=username,cn=groups,c n=accounts,dc=mhbenp,dc=lin nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343- f0abc1a8,cn=username,cn=groups,c n=accounts,dc=mhbenp,dc=lin nscpentrywsi: objectClass;

Re: [Freeipa-users] ipa-replica-install fails at CA setup

2015-04-29 Thread Rob Crittenden
Qing Chang wrote: > mripa2.mr.ric is the server to be set up as replica. I wonder if the ldap > service was available at all at installation stage. I think we'd need to see the full ipareplica-install.log. You might also want to see if a ns-slapd process is running and check /var/log/dirsrv/slapd-

Re: [Freeipa-users] FreeIPA WebUI Logout logs back in

2015-04-29 Thread Craig White
-Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Christopher Lamb Sent: Tuesday, April 28, 2015 10:58 PM To: Simo Sorce Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] FreeIPA WebUI Logout logs back in HI Simo, Dmit

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Andy Thompson
> This is looking like that on the replica where the errors are logged. > The entry is a tombstone but cannot be found with the nsuniqueid. > If on that server you do > > ldapsearch -LLL -o ldif-wrap=no -Hldap://mdhixnpipa02 -x -D "cn=directory > manager" -W -b "dc=..." > "(&(objectclass=nstombs

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Andy Thompson
> > dn: > > nsuniqueid=7e1a1f87-e82611e4-99f1b343- > f0abc1a8,cn=username,cn=groups,c > > n=accounts,dc=mhbenp,dc=lin > > nscpentrywsi: dn: > > nsuniqueid=7e1a1f87-e82611e4-99f1b343- > f0abc1a8,cn=username,cn=groups,c > > n=accounts,dc=mhbenp,dc=lin > > nscpentrywsi: objectClass;vucsn-55364a4200050

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread thierry bordaz
On 04/29/2015 05:35 PM, Andy Thompson wrote: -Original Message- From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Wednesday, April 29, 2015 11:28 AM To: Andy Thompson Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com Subject: Re: [Freeipa-users] deleting ipa user On 04/2

Re: [Freeipa-users] thousands DSRetroclPlugin mesages

2015-04-29 Thread Martin (Lists)
On 29.04.2015 at 15:43, Ludwig Krispenz wrote: > > On 04/29/2015 03:17 PM, Martin (Lists) wrote: >> On 27.04.2015 at 09:45, Ludwig Krispenz wrote: >>> On 04/26/2015 10:49 AM, Martin (Lists) wrote: Hello after a reboot I get almost thousand of the following messages: DSRe

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Ludwig Krispenz
On 04/29/2015 05:35 PM, Andy Thompson wrote: -Original Message- From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Wednesday, April 29, 2015 11:28 AM To: Andy Thompson Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com Subject: Re: [Freeipa-users] deleting ipa user On 04/

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Andy Thompson
> -Original Message- > From: Ludwig Krispenz [mailto:lkris...@redhat.com] > Sent: Wednesday, April 29, 2015 11:28 AM > To: Andy Thompson > Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] deleting ipa user > > > On 04/29/2015 05:08 PM, Andy Thompso

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Ludwig Krispenz
On 04/29/2015 05:08 PM, Andy Thompson wrote: -Original Message- From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Wednesday, April 29, 2015 10:59 AM To: Andy Thompson Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com Subject: Re: [Freeipa-users] deleting ipa user On 0

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Andy Thompson
> -Original Message- > From: Ludwig Krispenz [mailto:lkris...@redhat.com] > Sent: Wednesday, April 29, 2015 10:59 AM > To: Andy Thompson > Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] deleting ipa user > > > On 04/29/2015 04:49 PM, Andy Thomp

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Ludwig Krispenz
On 04/29/2015 04:49 PM, Andy Thompson wrote: -Original Message- From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Wednesday, April 29, 2015 10:51 AM To: Andy Thompson Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com Subject: Re: [Freeipa-users] deleting ipa user did you

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Ludwig Krispenz
did you run the searches as directory manager ? On 04/29/2015 04:34 PM, Andy Thompson wrote: -Original Message- From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Wednesday, April 29, 2015 10:28 AM To: Andy Thompson Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com Subject

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Andy Thompson
> -Original Message- > From: Ludwig Krispenz [mailto:lkris...@redhat.com] > Sent: Wednesday, April 29, 2015 10:51 AM > To: Andy Thompson > Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] deleting ipa user > > did you run the searches as directory m

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Andy Thompson
> -Original Message- > From: Ludwig Krispenz [mailto:lkris...@redhat.com] > Sent: Wednesday, April 29, 2015 10:28 AM > To: Andy Thompson > Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] deleting ipa user > > can you do the following search on both

Re: [Freeipa-users] ipa-replica-install fails at CA setup

2015-04-29 Thread Qing Chang
mripa2.mr.ric is the server to be set up as replica. I wonder if the ldap service was available at all at installation stage. Thanks, Qing On Wed, Apr 29, 2015 at 10:29 AM, Qing Chang wrote: > CentOS7.1 with IPA server 4.1. > > "ipa-replica-install --setup-ca --setup-dns ..." fails with this err

[Freeipa-users] ipa-replica-install fails at CA setup

2015-04-29 Thread Qing Chang
CentOS7.1 with IPA server 4.1. "ipa-replica-install --setup-ca --setup-dns ..." fails with this error message: - [2/22]: configuring certificate server instance ipa : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX'' returned non-

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Ludwig Krispenz
can you do the following search on both servers? ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx " "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass -Original Message-

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Andy Thompson
> -Original Message- > From: Ludwig Krispenz [mailto:lkris...@redhat.com] > Sent: Wednesday, April 29, 2015 10:07 AM > To: Andy Thompson > Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] deleting ipa user > > > On 04/29/2015 03:40 PM, Andy Thomp

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Ludwig Krispenz
On 04/29/2015 03:40 PM, Andy Thompson wrote: -Original Message- From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Wednesday, April 29, 2015 9:22 AM To: thierry bordaz Cc: Andy Thompson; Martin Kosek; freeipa-users@redhat.com Subject: Re: [Freeipa-users] deleting ipa user On 04/2

Re: [Freeipa-users] FreeIPA WebUI Logout logs back in

2015-04-29 Thread Simo Sorce
On Wed, 2015-04-29 at 07:57 +0200, Christopher Lamb wrote: > Hi Simo, Dmitri, Rob and co. > > Simo's "log in with a different user" suggestion is pretty much what I was > intending. I want to be able to log out of the web ui, then log back in > with a different user. e.g. to allow a newly added us

Re: [Freeipa-users] thousands DSRetroclPlugin mesages

2015-04-29 Thread Ludwig Krispenz
On 04/29/2015 03:17 PM, Martin (Lists) wrote: On 27.04.2015 at 09:45, Ludwig Krispenz wrote: On 04/26/2015 10:49 AM, Martin (Lists) wrote: Hello after a reboot I get almost thousand of the following messages: DSRetroclPlugin - delete_changerecord: could not delete change record 128755 (rc:

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Andy Thompson
> -Original Message- > From: Ludwig Krispenz [mailto:lkris...@redhat.com] > Sent: Wednesday, April 29, 2015 9:22 AM > To: thierry bordaz > Cc: Andy Thompson; Martin Kosek; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] deleting ipa user > > > On 04/29/2015 03:14 PM, thierry borda

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Ludwig Krispenz
On 04/29/2015 03:14 PM, thierry bordaz wrote: On 04/29/2015 02:43 PM, Andy Thompson wrote: -Original Message- From: Martin Kosek [mailto:mko...@redhat.com] Sent: Wednesday, April 29, 2015 8:31 AM To: Andy Thompson;freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz Subject: Re: [F

Re: [Freeipa-users] thousands DSRetroclPlugin mesages

2015-04-29 Thread Martin (Lists)
On 27.04.2015 at 09:45, Ludwig Krispenz wrote: > > On 04/26/2015 10:49 AM, Martin (Lists) wrote: > > Hello > > > > after a reboot I get almost thousand of the following messages: > > > > DSRetroclPlugin - delete_changerecord: could not delete change record > > 128755 (rc: 32) > this message comes

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread thierry bordaz
On 04/29/2015 02:43 PM, Andy Thompson wrote: -Original Message- From: Martin Kosek [mailto:mko...@redhat.com] Sent: Wednesday, April 29, 2015 8:31 AM To: Andy Thompson; freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz Subject: Re: [Freeipa-users] deleting ipa user On 04/29/2015

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Andy Thompson
> -Original Message- > From: Martin Kosek [mailto:mko...@redhat.com] > Sent: Wednesday, April 29, 2015 8:31 AM > To: Andy Thompson; freeipa-users@redhat.com; Ludwig Krispenz; Thierry > Bordaz > Subject: Re: [Freeipa-users] deleting ipa user > > On 04/29/2015 01:26 PM, Andy Thompson wrote:

Re: [Freeipa-users] FreeIPA WebUI Logout logs back in

2015-04-29 Thread Petr Spacek
On 29.4.2015 13:26, Petr Vobornik wrote: > On 04/28/2015 11:53 PM, Dmitri Pal wrote: >> On 04/28/2015 05:39 PM, Rob Crittenden wrote: >>> Dmitri Pal wrote: On 04/28/2015 05:11 PM, Christopher Lamb wrote: > HI All > > I have just tested with the FreeIPA Web UI public demo > http

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Martin Kosek
On 04/29/2015 01:26 PM, Andy Thompson wrote: > I'm trying to delete an IPA account and I get a generic "operations error" > when trying to remove it. It looks like something is messed up with the > group object. The user doesn't show up in the ipausers group and there also > isn't a group obje

Re: [Freeipa-users] FreeIPA WebUI Logout logs back in

2015-04-29 Thread Petr Vobornik
On 04/29/2015 01:42 PM, Christopher Lamb wrote: HI Petr thanks. Can you qualify "has a valid Kerberos Ticket"? In my case, my user has a valid ticket on the LDAP server, but not on the OSX workstation from which I am using Firefox / Web UI. On the OSX workstation, if the user has a non-expir

Re: [Freeipa-users] FreeIPA WebUI Logout logs back in

2015-04-29 Thread Christopher Lamb
HI Petr thanks. Can you qualify "has a valid Kerberos Ticket"? In my case, my user has a valid ticket on the LDAP server, but not on the OSX workstation from which I am using Firefox / Web UI. Cheers Chris From: Petr Vobornik To: d...@redhat.com, Rob Crittenden , Christop

[Freeipa-users] deleting ipa user

2015-04-29 Thread Andy Thompson
I'm trying to delete an IPA account and I get a generic "operations error" when trying to remove it. It looks like something is messed up with the group object. The user doesn't show up in the ipausers group and there also isn't a group object for the user in question. Here is the error from

Re: [Freeipa-users] FreeIPA WebUI Logout logs back in

2015-04-29 Thread Petr Vobornik
On 04/28/2015 11:53 PM, Dmitri Pal wrote: On 04/28/2015 05:39 PM, Rob Crittenden wrote: Dmitri Pal wrote: On 04/28/2015 05:11 PM, Christopher Lamb wrote: HI All I have just tested with the FreeIPA Web UI public demo https://ipa.demo1.freeipa.org/ipa/ui/ Using the public demo, when I log out,

Re: [Freeipa-users] allow trust users to login without domain

2015-04-29 Thread Andy Thompson
> -Original Message- > From: Martin Kosek [mailto:mko...@redhat.com] > Sent: Wednesday, April 29, 2015 7:05 AM > To: Andy Thompson; freeipa-users@redhat.com; Jakub Hrozek > Subject: Re: [Freeipa-users] allow trust users to login without domain > > On 04/29/2015 12:57 PM, Andy Thompson wrot

Re: [Freeipa-users] allow trust users to login without domain

2015-04-29 Thread Martin Kosek
On 04/29/2015 12:57 PM, Andy Thompson wrote: > In the environment I'm working on currently we have a single trusted AD > domain and will never have any additional domain trusts in place. Is there > a way to allow users to login without using @ad_domain in their username? > We use DB2 in the enviro

[Freeipa-users] allow trust users to login without domain

2015-04-29 Thread Andy Thompson
In the environment I'm working on currently we have a single trusted AD domain and will never have any additional domain trusts in place. Is there a way to allow users to login without using @ad_domain in their username? We use DB2 in the environment and it's from the dark ages and doesn't lik