[Freeipa-users] RedHat IDM Replica runs only dirsrv, kinit and getent fail after reboot

2015-05-15 Thread Sina Owolabi
Hi! I am running an IPA domain with two servers, one is a replica. Red Hat 6.6, with the following versions: libipa_hbac-1.11.6-30.el6_6.4.x86_64 ipa-server-selinux-3.0.0-42.el6.x86_64 libipa_hbac-python-1.11.6-30.el6_6.4.x86_64 ipa-admintools-3.0.0-42.el6.x86_64 python-iniparse-0.3.1-2.1.el6.noar

Re: [Freeipa-users] Replication Update in progress : FALSE LDAP ERROR

2015-05-15 Thread Rich Megginson
On 05/15/2015 03:09 PM, nat...@nathanpeters.com wrote: On 05/14/2015 11:33 PM, nat...@nathanpeters.com wrote: [root@ipadc1 cacerts]# ipa-replica-manage connect --winsync --binddn "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" --bindpw supersecretpassword --passsync supersecretpassword --cacer

Re: [Freeipa-users] Replication Update in progress : FALSE LDAP ERROR

2015-05-15 Thread nathan
> On 05/14/2015 11:33 PM, nat...@nathanpeters.com wrote: [root@ipadc1 cacerts]# ipa-replica-manage connect --winsync --binddn "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" --bindpw supersecretpassword --passsync supersecretpassword --cacert /etc/openldap/cacerts/addc2-test.c

Re: [Freeipa-users] Replication Update in progress : FALSE LDAP ERROR

2015-05-15 Thread Rich Megginson
On 05/15/2015 02:44 PM, nat...@nathanpeters.com wrote: On 05/14/2015 11:33 PM, nat...@nathanpeters.com wrote: [root@ipadc1 cacerts]# ipa-replica-manage connect --winsync --binddn "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" --bindpw supersecretpassword --passsync supersecretpassword --cacer

Re: [Freeipa-users] Replication Update in progress : FALSE LDAP ERROR

2015-05-15 Thread nathan
> On 05/14/2015 11:33 PM, nat...@nathanpeters.com wrote: [root@ipadc1 cacerts]# ipa-replica-manage connect --winsync --binddn "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" --bindpw supersecretpassword --passsync supersecretpassword --cacert /etc/openldap/cacerts/addc2-test.c

Re: [Freeipa-users] username case sensitivity

2015-05-15 Thread Lukas Slebodnik
On (15/05/15 17:27), Andy Thompson wrote: >Is there a way to enforce case sensitivity for trusted AD users? I am trying >to use username for ssh chroots and I can authenticate with any case >combination of but if ssh is set to match on then the >chroot is not enforced and the user is dropped

[Freeipa-users] username case sensitivity

2015-05-15 Thread Andy Thompson
Is there a way to enforce case sensitivity for trusted AD users? I am trying to use username for ssh chroots and I can authenticate with any case combination of but if ssh is set to match on then the chroot is not enforced and the user is dropped to their usual home directory. I found a ca

Re: [Freeipa-users] more replication issues

2015-05-15 Thread Janelle
> > On May 15, 2015, at 08:57, Ludwig Krispenz wrote: > > >> On 05/15/2015 02:45 PM, Janelle wrote: >>> On 5/15/15 3:30 AM, Ludwig Krispenz wrote: >>> On 05/13/2015 06:34 PM, Janelle wrote: > On 5/13/15 9:13 AM, Rich Megginson wrote: >> On 05/13/2015 10:04 AM, Janelle wrote: >

Re: [Freeipa-users] more replication issues

2015-05-15 Thread Rich Megginson
On 05/15/2015 09:53 AM, Janelle wrote: On May 15, 2015, at 08:57, Ludwig Krispenz wrote: On 05/15/2015 02:45 PM, Janelle wrote: On 5/15/15 3:30 AM, Ludwig Krispenz wrote: On 05/13/2015 06:34 PM, Janelle wrote: On 5/13/15 9:13 AM, Rich Megginson wrote: On 05/13/2015 10:04 AM, Janelle wrot

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-05-15 Thread James James
ok Rob. Thanks for your help. I will wait for the Scientific Linux 6.7 . Best. James 2015-05-15 16:58 GMT+02:00 Rich Megginson : > On 05/15/2015 08:46 AM, James James wrote: > > [root@ipa ~]# rpm -q 389-ds-base > 389-ds-base-1.2.11.15-50.el6_6.x86_64 > > > Ok. Looks like this is planned to b

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-05-15 Thread Rich Megginson
On 05/15/2015 08:46 AM, James James wrote: [root@ipa ~]# rpm -q 389-ds-base 389-ds-base-1.2.11.15-50.el6_6.x86_64 Ok. Looks like this is planned to be fixed in RHEL 6.7 with version 389-ds-base-1.2.11.15-56.el6 I don't know if there are any workarounds. 2015-05-15 16:32 GMT+02:00 Rich

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-05-15 Thread James James
[root@ipa ~]# rpm -q 389-ds-base 389-ds-base-1.2.11.15-50.el6_6.x86_64 2015-05-15 16:32 GMT+02:00 Rich Megginson : > On 05/15/2015 08:22 AM, James James wrote: > > I think that : > > Starting replication, please wait until this has completed. > Update in progress, 127 seconds elapsed > Updat

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-05-15 Thread Rich Megginson
On 05/15/2015 08:22 AM, James James wrote: I think that : Starting replication, please wait until this has completed. Update in progress, 127 seconds elapsed Update in progress yet not in progress looks like a time error : https://fedorahosted.org/freeipa/ticket/4756 That issue should have b

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-05-15 Thread James James
I think that : Starting replication, please wait until this has completed. Update in progress, 127 seconds elapsed Update in progress yet not in progress looks like a time error : https://fedorahosted.org/freeipa/ticket/4756 2015-05-15 16:00 GMT+02:00 Rich Megginson : > On 05/15/2015 07:55 AM

Re: [Freeipa-users] Replication Update in progress : FALSE LDAP ERROR

2015-05-15 Thread Rich Megginson
On 05/14/2015 11:33 PM, nat...@nathanpeters.com wrote: [root@ipadc1 cacerts]# ipa-replica-manage connect --winsync --binddn "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" --bindpw supersecretpassword --passsync supersecretpassword --cacert /etc/openldap/cacerts/addc2-test.cer addc2.test.mycomp

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-05-15 Thread Rich Megginson
On 05/15/2015 07:55 AM, James James wrote: Is it possible to change the nsds5ReplicaTimeout value to get rid of this timeout error ? What timeout error? 2015-04-17 4:52 GMT+02:00 Rich Megginson: On 04/15/2015 10:44 PM, James James wrote: The ipareplic

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-05-15 Thread James James
Is it possible to change the nsds5ReplicaTimeout value to get rid of this timeout error ? 2015-04-17 4:52 GMT+02:00 Rich Megginson : > On 04/15/2015 10:44 PM, James James wrote: > > The ipareplica-install.log file in attachment ... > > > Here are the pertinent bits: > > 2015-04-15T15:06:31Z DEBU

Re: [Freeipa-users] more replication issues

2015-05-15 Thread Ludwig Krispenz
On 05/15/2015 02:45 PM, Janelle wrote: On 5/15/15 3:30 AM, Ludwig Krispenz wrote: On 05/13/2015 06:34 PM, Janelle wrote: On 5/13/15 9:13 AM, Rich Megginson wrote: On 05/13/2015 10:04 AM, Janelle wrote: On 5/13/15 8:49 AM, Rich Megginson wrote: On 05/13/2015 09:40 AM, Janelle wrote: Recent

Re: [Freeipa-users] more replication issues

2015-05-15 Thread Janelle
On 5/15/15 3:30 AM, Ludwig Krispenz wrote: On 05/13/2015 06:34 PM, Janelle wrote: On 5/13/15 9:13 AM, Rich Megginson wrote: On 05/13/2015 10:04 AM, Janelle wrote: On 5/13/15 8:49 AM, Rich Megginson wrote: On 05/13/2015 09:40 AM, Janelle wrote: Recently I started seeing these crop up across

Re: [Freeipa-users] using pathlen:0 for freeipa's CA certificate?

2015-05-15 Thread Fraser Tweedale
On Fri, May 15, 2015 at 10:53:20AM +0200, Jan Cholasta wrote: > On 15.5.2015 at 09:31, Martin Kosek wrote: > >On 05/15/2015 09:22 AM, Fraser Tweedale wrote: > >>On Fri, May 15, 2015 at 07:59:27AM +0200, Jan Cholasta wrote: > >>>Hi, > >>> > >>>On 5.5.2015 at 10:43, Martin Kosek wrote: > On

[Freeipa-users] Securing IPA Redux

2015-05-15 Thread Brian Topping
In the (apparently) first message to the list in 2014, https://www.redhat.com/archives/freeipa-users/2014-January/msg0.html addressed questions about securing IPA and I don't see much other talk about it. Now that 4.

Re: [Freeipa-users] more replication issues

2015-05-15 Thread Ludwig Krispenz
On 05/13/2015 06:34 PM, Janelle wrote: On 5/13/15 9:13 AM, Rich Megginson wrote: On 05/13/2015 10:04 AM, Janelle wrote: On 5/13/15 8:49 AM, Rich Megginson wrote: On 05/13/2015 09:40 AM, Janelle wrote: Recently I started seeing these crop up across my servers: slapi_ldap_bind - Error: could

Re: [Freeipa-users] using pathlen:0 for freeipa's CA certificate?

2015-05-15 Thread Jan Cholasta
On 15.5.2015 at 09:31, Martin Kosek wrote: On 05/15/2015 09:22 AM, Fraser Tweedale wrote: On Fri, May 15, 2015 at 07:59:27AM +0200, Jan Cholasta wrote: Hi, On 5.5.2015 at 10:43, Martin Kosek wrote: On 05/04/2015 01:19 PM, Harald Dunkel wrote: Hi folks, Instead of a self-signed certifi

Re: [Freeipa-users] Configuration of CA failed

2015-05-15 Thread Martin Kosek
On 05/14/2015 01:02 PM, Martin Kosek wrote: On 05/14/2015 11:58 AM, Remigio Moncayo Serrano wrote: Hello, I've been put in charge of implementing a solution that uses LDAP and kerberos authentication. At first thought I should use openLDAP and Kerberos but found freeIPA and looks really cool,

Re: [Freeipa-users] Old FreeIPA upstream guides removed (WAS: Re: Web UI: Migrated Admins missing action buttons)

2015-05-15 Thread Martin Kosek
On 04/27/2015 04:15 PM, Simo Sorce wrote: On Mon, 2015-04-27 at 12:51 +0200, Martin Kosek wrote: On 04/26/2015 08:23 AM, Alexander Bokovoy wrote: - Original Message - Hi Rob and Dimitri Migrating via Replica is the obvious way that I would have gone, had the FreeIPA /RedHat document

Re: [Freeipa-users] using pathlen:0 for freeipa's CA certificate?

2015-05-15 Thread Martin Kosek
On 05/15/2015 09:22 AM, Fraser Tweedale wrote: On Fri, May 15, 2015 at 07:59:27AM +0200, Jan Cholasta wrote: Hi, On 5.5.2015 at 10:43, Martin Kosek wrote: On 05/04/2015 01:19 PM, Harald Dunkel wrote: Hi folks, Instead of a self-signed certificate I would like to use an external CA to sign

Re: [Freeipa-users] using pathlen:0 for freeipa's CA certificate?

2015-05-15 Thread Fraser Tweedale
On Fri, May 15, 2015 at 07:59:27AM +0200, Jan Cholasta wrote: > Hi, > > On 5.5.2015 at 10:43, Martin Kosek wrote: > >On 05/04/2015 01:19 PM, Harald Dunkel wrote: > >>Hi folks, > >> > >>Instead of a self-signed certificate I would like to use an external > >>CA to sign freeipa's CSR ("ipa-server