On Tue, Nov 10, 2015 at 5:04 PM, Fraser Tweedale
wrote:
> On Tue, Nov 10, 2015 at 03:44:19PM -0800, Prasun Gera wrote:
> > No, it didn't quite work.
> >
> > I ran ipa-server-certinstall -w /etc/letsencrypt/live/
> > example.com/privkey.pem /etc/letsencrypt/live/example.com/fullchain.pem
> >
> > wh
On Tue, Nov 10, 2015 at 08:30:47PM -0800, Prasun Gera wrote:
> You are right in that the fullchain.pem doesn't have the root certificate.
> I ran "openssl x509 -in chain.pem -noout -text", and saw that it
> had Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3, and Subject:
> C=US, O=Let's E
You are right in that the fullchain.pem doesn't have the root certificate.
I ran "openssl x509 -in chain.pem -noout -text", and saw that it
had Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3, and Subject:
C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1. So I got the root
certificate
If you use the MSLSA credential cache MIT kerberos works.
kinit -c MSLSA: user@REALM
Not sure about the MIT ticket manager.
On 11.11.2015 at 01:54, Loris Santamaria wrote:
>
>
> On Tue, 10-11-2015 at 16:15 -0700, Randolph Morgan wrote:
>> Yes they are in the same DNS domain as the IP
On Tue, Nov 10, 2015 at 03:44:19PM -0800, Prasun Gera wrote:
> No, it didn't quite work.
>
> I ran ipa-server-certinstall -w /etc/letsencrypt/live/
> example.com/privkey.pem /etc/letsencrypt/live/example.com/fullchain.pem
>
> which gives The full certificate chain is not present in
> /etc/letsencr
On Tue, 10-11-2015 at 16:15 -0700, Randolph Morgan wrote:
> Yes they are in the same DNS domain as the IPAserver. I am able to
> resolve the server address. Which side would you like more
> information
> on the server side or the client side. We are not running any AD
> domains, so this
No, it didn't quite work.
I ran ipa-server-certinstall -w /etc/letsencrypt/live/
example.com/privkey.pem /etc/letsencrypt/live/example.com/fullchain.pem
which gives The full certificate chain is not present in
/etc/letsencrypt/live/example.com/privkey.pem, /etc/letsencrypt/live/
example.com/fullch
On Tue, Nov 10, 2015 at 03:12:04PM -0800, Prasun Gera wrote:
> I tried using let's encrypt's certs manually, but I think I'm missing
> something. Let's encrypt creates the following files : cert.pem chain.pem
> fullchain.pem privkey.pem. I was trying to follow
> http://www.freeipa.org/page/Using
I tried using let's encrypt's certs manually, but I think I'm missing
something. Let's encrypt creates the following files : cert.pem chain.pem
fullchain.pem privkey.pem. I was trying to follow
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP but i
wasn't able to get it to w
On Tue, Nov 10, 2015 at 07:02:42PM +0100, Natxo Asenjo wrote:
> hi,
>
> do we need to keep all the MasterCRL-MMDD-HHMMSS.der files or can we
> purge them on a regular basis (say, keep 60 days dump the rest)?
>
> $ ls -l | wc -l
> 3621
>
> this is in a server installed 3 years ago.
>
> --
>
Removed the bad mapping. Krb5kdc service still will not start. Here is the
access log.
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 ADD dn="ou=Netscape Directory
Team,cn=monitor"
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0
etime=0
[10/Nov/2015:14:12:16
This is the mappings from the Master...it looks very different from the replica
# ldapsearch -x -D 'cn=Directory Manager' -W -b cn=mapping,cn=sasl,cn=config
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# mapping, sasl, co
I see that AD trust users don't get their posix shell set:
# getent passwd user
u...@ad.nwra.com:*:2260345:2260345:A User:/export/home/user:
I can fix this on the clients with override_shell, but that would apply to the
IPA domain users as well. Is there some way to configure this in the
trust/s
On Tue, 10-11-2015 at 16:15 -0700, Randolph Morgan wrote:
> I am certain that everyone gets tired of answering the same questions
> over and over, so maybe an update to the documentation would be
> better.
> I am trying to get my Windows machines to authenticate against a
> FreeIPA
> serve
I want a periodic sync, the ldap is the center of our user management, all
credentials are stored there and updated by the HR dept.
But I need a kerberos server to deal with the windows clients to provide a kind
of SSO.
> Date: Tue, 10 Nov 2015 10:39:10 -0500
> From: rcrit...@redhat.com
> To: se
Gronde, Christopher (Contractor) wrote:
> Is it possible to delete the mapping and try it and if it doesn't work or
> breaks something else add it back? How would I go about deleting this
> mapping? Or adding the mapping for principal name in the right order?
>
So what I'd do is this:
Do the
I am certain that everyone gets tired of answering the same questions
over and over, so maybe an update to the documentation would be better.
I am trying to get my Windows machines to authenticate against a FreeIPA
server running IPA 4.2+ on RHEL 7. I have followed the documentation
listed on
hi,
do we need to keep all the MasterCRL-MMDD-HHMMSS.der files or can we
purge them on a regular basis (say, keep 60 days dump the rest)?
$ ls -l | wc -l
3621
this is in a server installed 3 years ago.
--
Regards,
natxo
On 11/10/2015 10:50 AM, Gronde, Christopher (Contractor) wrote:
Is it possible to delete the mapping and try it and if it doesn't work or
breaks something else add it back? How would I go about deleting this mapping?
Or adding the mapping for principal name in the right order?
http://www.po
On 11/10/2015 06:26 PM, Rich Megginson wrote:
On 11/10/2015 10:25 AM, Ludwig Krispenz wrote:
On 11/10/2015 06:08 PM, Gronde, Christopher (Contractor) wrote:
# Kerberos uid mapping, mapping, sasl, config
dn: cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsS
Is it possible to delete the mapping and try it and if it doesn't work or
breaks something else add it back? How would I go about deleting this mapping?
Or adding the mapping for principal name in the right order?
-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freei
On 11/10/2015 10:25 AM, Ludwig Krispenz wrote:
On 11/10/2015 06:08 PM, Gronde, Christopher (Contractor) wrote:
# Kerberos uid mapping, mapping, sasl, config
dn: cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: Kerberos uid mapping
nsSaslMapReg
but going back to ipa-rewrite.conf, these 2 seem contradictory:
# Redirect to the fully-qualified hostname. Not redirecting to secure
# port so configuration files can be retrieved without requiring SSL.
RewriteCond %{HTTP_HOST}!^kdc01.unix.iriszorg.nl$ [NC]
RewriteRule ^/ipa/(.*) http://
On 11/10/2015 06:08 PM, Gronde, Christopher (Contractor) wrote:
# Kerberos uid mapping, mapping, sasl, config
dn: cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: Kerberos uid mapping
nsSaslMapRegexString: \(.*\)@\(.*\)\.\(.*\)
nsSaslMapBaseDNT
hi,
On Tue, Nov 10, 2015 at 5:02 PM, Rob Crittenden wrote:
> Natxo Asenjo wrote:
>> Any ideas on how to fix this?
>
> You should have a sections like these in /etc/httpd/conf.d/ipa.conf:
>
>
> SetHandler None
>
> ...
> # For CRL publishing
> Alias /ipa/crl "/var/lib/ipa/pki-ca/publish"
>
>
>> # Kerberos uid mapping, mapping, sasl, config
>> dn: cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config
>> objectClass: top
>> objectClass: nsSaslMapping
>> cn: Kerberos uid mapping
>> nsSaslMapRegexString: \(.*\)@\(.*\)\.\(.*\)
>> nsSaslMapBaseDNTemplate: dc=\2,dc=\3
>> nsSaslMapFilterTemplat
On 11/10/2015 05:54 PM, Gronde, Christopher (Contractor) wrote:
# ldapsearch -x -D 'cn=Directory Manager' -W -b cn=mapping,cn=sasl,cn=config
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# mapping, sasl, config
dn: cn=map
# ldapsearch -x -D 'cn=Directory Manager' -W -b cn=mapping,cn=sasl,cn=config
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# mapping, sasl, config
dn: cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsContainer
c
On 11/10/2015 09:49 AM, Gronde, Christopher (Contractor) wrote:
Note comipa01 is the master and comipa02 is the replica that is having the KDC
issue
# ldapsearch -x -h 172.16.100.161 -D "cn=directory manager" -W -b
"dc=itmodev,dc=gov" '(krbprincipalname=ldap/comipa01.itmodev.gov*)'
Enter LDAP
Gronde, Christopher (Contractor) wrote:
> This gave me a huge return! Appears to be a long list of all the servers and
> applications whose users authenticate to the IPA servers.
>
> ldapsearch -x -h 172.16.100.161 -D "cn=directory manager" -W -b
> "dc=itmodev,dc=gov" '(objectclass=krbprincipal
Note comipa01 is the master and comipa02 is the replica that is having the KDC
issue
# ldapsearch -x -h 172.16.100.161 -D "cn=directory manager" -W -b
"dc=itmodev,dc=gov" '(krbprincipalname=ldap/comipa01.itmodev.gov*)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
#
This gave me a huge return! Appears to be a long list of all the servers and
applications whose users authenticate to the IPA servers.
ldapsearch -x -h 172.16.100.161 -D "cn=directory manager" -W -b
"dc=itmodev,dc=gov" '(objectclass=krbprincipal)'
# search result
search: 2
result: 0 Success
On 11/10/2015 09:39 AM, Martin Babinsky wrote:
On 11/10/2015 05:16 PM, Gronde, Christopher (Contractor) wrote:
Neither came back with anything
# ldapsearch -x -h 172.16.100.161 -D "cn=directory manager" -W -b
"dc=itmodev,dc=gov" '(uid=ldap/comipa01.itmodev.gov)'
Enter LDAP Password:
# extende
On 11/10/2015 05:16 PM, Gronde, Christopher (Contractor) wrote:
Neither came back with anything
# ldapsearch -x -h 172.16.100.161 -D "cn=directory manager" -W -b
"dc=itmodev,dc=gov" '(uid=ldap/comipa01.itmodev.gov)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# fi
what do you get if you search for "objectclass=krbprincipal" ?
On 11/10/2015 05:27 PM, Rich Megginson wrote:
On 11/10/2015 09:16 AM, Gronde, Christopher (Contractor) wrote:
Neither came back with anything
# ldapsearch -x -h 172.16.100.161 -D "cn=directory manager" -W -b
"dc=itmodev,dc=gov" '(
On 11/10/2015 09:16 AM, Gronde, Christopher (Contractor) wrote:
Neither came back with anything
# ldapsearch -x -h 172.16.100.161 -D "cn=directory manager" -W -b
"dc=itmodev,dc=gov" '(uid=ldap/comipa01.itmodev.gov)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# fi
Neither came back with anything
# ldapsearch -x -h 172.16.100.161 -D "cn=directory manager" -W -b
"dc=itmodev,dc=gov" '(uid=ldap/comipa01.itmodev.gov)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (uid=ldap/comipa01.itmodev.gov)
# requesting: ALL
#
# searc
On 11/10/2015 08:18 AM, Gronde, Christopher (Contractor) wrote:
Thank you! I should have caught that...
I changed the log level and then restarted dirsrv and attempted to start
krb5kdc and got the following...
[10/Nov/2015:10:12:02 -0500] conn=5 fd=64 slot=64 connection from
172.16.100.208
Natxo Asenjo wrote:
> hi,
>
> I just noticed some stuff was not functioning properly and it's because
> the crl url is being redirected to https (centos 6.7).
>
>
> $ curl http://kdc01.unix.domain.tld/ipa/crl/
>
>
> 301 Moved Permanently
>
> Moved Permanently
> The document has moved href="h
so this search
conn=Internal op=-1 SRCH base="dc=itmodev,dc=gov" scope=2
filter="(uid=ldap/comipa01.itmodev.gov)"
doesn't return an entry.
but I think it look for something like "krbprincipal=ldap/"
what entries do you have below
cn=mapping,cn=sasl,cn=config
On 11/10/2015 04:18 PM, Gron
On 11/10/2015 08:39 AM, Rob Crittenden wrote:
Seike neg wrote:
Hello,
Is there a way to import users and passwords from SUN DS automatically (script,
sync, etc...).
I have a SUN DS LDAP in the office and I want to do a read-only sync from it
to a brand new freeipa server.
The freeipa server is
hi,
I just noticed some stuff was not functioning properly and it's because the
crl url is being redirected to https (centos 6.7).
$ curl http://kdc01.unix.domain.tld/ipa/crl/
301 Moved Permanently
Moved Permanently
The document has moved https://kdc01.unix.domain.tld/ipa/crl/
">here.
Apache
Seike neg wrote:
> Hello,
> Is there a way to import users and passwords from SUN DS automatically
> (script, sync, etc...).
> I have a SUN DS LDAP in the office and I want to do a read-only sync from it
> to a brand new freeipa server.
> The freeipa server is supposed to act as a kerberos, ldap s
Hello,
Is there a way to import users and passwords from SUN DS automatically (script,
sync, etc...).
I have a SUN DS LDAP in the office and I want to do a read-only sync from it
to a brand new freeipa server.
The freeipa server is supposed to act as a kerberos, ldap slave and ntp server.
Thank you! I should have caught that...
I changed the log level and then restarted dirsrv and attempted to start
krb5kdc and got the following...
[10/Nov/2015:10:09:31 -0500] conn=Internal op=-1 ADD dn=""
[10/Nov/2015:10:09:31 -0500] conn=Internal op=-1 SRCH base="cn=mapping
tree,cn=config" sc
Hello,
just because I could answer my 2nd problem by myself. The truncated does
not come from user_find API. It came from the perl JSON module, this is
using this to write boolean variables. There is a special handling for
boolean values inside this module which I have to implement.
Regards
On 10.11.2015 15:53, Gronde, Christopher (Contractor) wrote:
Ran into an error trying to set that
# ldapmodify -a -D "cn=directory manager" -W
Enter LDAP Password:
dn: cn=config
changetype: modify
replace: nsslapd-acesslog-level
nsslapd-acesslog-level: 260
it is
nsslapd-accesslog-level with
it was a typo, try
nsslapd-accesslog-level
On 11/10/2015 03:53 PM, Gronde, Christopher (Contractor) wrote:
Ran into an error trying to set that
# ldapmodify -a -D "cn=directory manager" -W
Enter LDAP Password:
dn: cn=config
changetype: modify
replace: nsslapd-acesslog-level
: 260
modifying en
Ran into an error trying to set that
# ldapmodify -a -D "cn=directory manager" -W
Enter LDAP Password:
dn: cn=config
changetype: modify
replace: nsslapd-acesslog-level
nsslapd-acesslog-level: 260
modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)
additional info:
Hi Alexander,
sorry for responding to you privately. This was not my intention; I just
recognized that my mail program has two reply buttons (reply and reply
to mailing list).
I've played a bit around with your code and implemented a small Perl
module and a test script. They both work in my en
On 11/10/2015 03:32 PM, Gronde, Christopher (Contractor) wrote:
How do I change that log setting? Is that done in LDAP? Using ldapmodify?
yes,
ldapmodify ...
dn: cn=config
changetype: modify
replace: nsslapd-acesslog-level
nsslapd-acesslog-level: 260
-Original Message-
From: freeipa
How do I change that log setting? Is that done in LDAP? Using ldapmodify?
-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz
Sent: Tuesday, November 10, 2015 9:03 AM
To: freeipa-users@redhat.com
Subject: Re: [
So I changed the hostnames in krb5.conf
[realms]
= {
kdc = :88
master_kdc = :88
admin_server = :749
default_domain =
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
Service still will not start however now in the access log instead of showing
the connection from master to replica it shows r
Hello folks,
I created a replica IPA host with version 4.1.0-18.el7.centos.4,
while the initial master is a FreeIPA 3.3.3.
Everything seems to work fine with the new host except for one thing:
We have a special IPA user, which has the rights for managing and enrolling
hosts.
I am able to add h
On 11/10/2015 02:40 PM, Alexander Bokovoy wrote:
On Tue, 10 Nov 2015, Gronde, Christopher (Contractor) wrote:
Where can I verify or change the credentials it is trying to use? Is
it my LDAP password?
No, according to your logs, it is your LDAP master trying to replicate
(push changes) to your
On Tue, 10 Nov 2015, Gronde, Christopher (Contractor) wrote:
Where can I verify or change the credentials it is trying to use? Is it my
LDAP password?
No, according to your logs, it is your LDAP master trying to replicate
(push changes) to your LDAP replica:
[09/Nov/2015:15:02:01 -0500] conn=
Where can I verify or change the credentials it is trying to use? Is it my
LDAP password?
-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Tuesday, November 10, 2015 8:18 AM
To: Gronde, Christopher (Contractor)
Cc: Rob Crittenden ; freeipa-users@redhat.com
On Tue, 10 Nov 2015, Gronde, Christopher (Contractor) wrote:
When I tried to start the service again I got no response from tail of the log,
but this is a repeating entry I see in the access log
[09/Nov/2015:15:01:04 -0500] conn=1 fd=64 slot=64 connection from 127.0.0.1 to
127.0.0.1
[09/Nov/20
When I tried to start the service again I got no response from tail of the log,
but this is a repeating entry I see in the access log
[09/Nov/2015:15:01:04 -0500] conn=1 fd=64 slot=64 connection from 127.0.0.1 to
127.0.0.1
[09/Nov/2015:15:01:04 -0500] conn=1 op=-1 fd=64 closed - B1
[09/Nov/2015:
On Mon, 09 Nov 2015, Natxo Asenjo wrote:
hi,
On Mon, Nov 9, 2015 at 6:58 PM, Oliver Dörr wrote:
Hi,
I'm completely new to this list and the product behind it. I'm trying to
use perl to get a list from my IPA installation of all users that are on
the server.
unfortunately I cannot help you