Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread Barry
NOT work, tried ..cannot bind the command on 389 or 636 ,,,but telnet works:

ldapmodify -h ms -p 636 -D cn="Directory Manager" -w << EOF
dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: off
EOF

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

2016-04-27 19:29 GMT+08:00 :

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Sean Hogan
Hi Martin, No joy on placing - in front of the RC4s I modified my nss.conf to now read # SSL 3 ciphers. SSL 2 is disabled by default. NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_

Re: [Freeipa-users] Question regarding modifying attributes

2016-04-27 Thread Sullivan, Daniel [AAA]
Thank you. Dan > On Apr 27, 2016, at 3:00 PM, Alexander Bokovoy wrote: > > On Wed, 27 Apr 2016, Sullivan, Daniel [AAA] wrote: >> Hi, >> >> I have a trusted AD domain that I am enumerating objects via IPA. I >> wanted to know if I should be able to manipulate the uidNumber and >> gidNumber stor

Re: [Freeipa-users] does ptr records an admin have to take care of manually? testing!

2016-04-27 Thread sergey ivanov
sitest2 Regards, Sergey Ivanov | serge...@gmail.com bitmessage: BM-NBaNYkjtB5QBtoqvNYHvoEbNQqVMPBZD digitalnote: ddeDtD1zUPvLBsxC5K8NSiAiXJeKeGpH1fd4ad41UuBU\ EUyKzT7JoND26FrJNdsies7EwoiSTKhMi5KEqyn525ZD2LAA3JCjQ On Wed, Apr 27, 2016 at 9:12 AM, lejeczek wrote: > hi, > > regular server install

Re: [Freeipa-users] Question regarding modifying attributes

2016-04-27 Thread Alexander Bokovoy
On Wed, 27 Apr 2016, Sullivan, Daniel [AAA] wrote: Hi, I have a trusted AD domain that I am enumerating objects via IPA. I wanted to know if I should be able to manipulate the uidNumber and gidNumber stored in the default ID view by using the ldapmodify command, for example, for this DN (not

[Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-04-27 Thread Anthony Cheng
Hi list, I am trying to renew expired certificates following the manual renewal procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but even with resetting the system/hardware clock to a time before expiry, I am getting the error "ca-error: Error setting up ccache for local "h

[Freeipa-users] Question regarding modifying attributes

2016-04-27 Thread Sullivan, Daniel [AAA]
Hi, I have a trusted AD domain that I am enumerating objects via IPA. I wanted to know if I should be able to manipulate the uidNumber and gidNumber stored in the default ID view by using the ldapmodify command, for example, for this DN (not local): uid=u...@domain.edu

Re: [Freeipa-users] IPA server having cert issues

2016-04-27 Thread Bret Wortman
I put excerpts from the ca logs in http://pastebin.com/gYgskU79. It looks logical to me, but I can't spot anything that looks like a root cause error. The selftests are all okay, I think. The debug log might have something, but it might also just be complaining about ldap not being up because i

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Sean Hogan
Hi Alex, Just wanted to make sure.. needed to know if I had to upgrade or spend more time trial and erroring this out. So since my nmap is showing this [bob@server slapd-PKI-IPA]# nmap --script ssl-enum-ciphers -p 636 `hostname` Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 13:42 EDT

Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Gady Notrica
All good!!! Gady -Original Message- From: Alexander Bokovoy [mailto:aboko...@redhat.com] Sent: April 27, 2016 1:19 PM To: Gady Notrica Cc: Ludwig Krispenz; freeipa-users@redhat.com Subject: Re: [Freeipa-users] krb5kdc service not starting On Wed, 27 Apr 2016, Gady Notrica wrote: >Hello

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Alexander Bokovoy
On Wed, 27 Apr 2016, Sean Hogan wrote: Hello Alexander I knew the below which is why I added my DS rpm version in the orig email which made sense to me but per 389 DS docs allowWeakCipher starts in 1.3.3.2 in case anyone else reads this. At least that's what the docs say but you may know some

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Sean Hogan
Hello Alexander I knew the below which is why I added my DS rpm version in the orig email which made sense to me but per 389 DS docs allowWeakCipher starts in 1.3.3.2 in case anyone else reads this. At least that's what the docs say but you may know something where it actually does not work til

Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Alexander Bokovoy
On Wed, 27 Apr 2016, Gady Notrica wrote: Hello Ludwig, Is there a reason why my AD show offline? [root@cd-p-ipa1 /]# wbinfo --online-status BUILTIN : online IPA : online CD-PRD : offline wbinfo output is irrelevant for RHEL 7.2-based IPA trusts. You need to make sure that 'getent passwd CD-PR

Re: [Freeipa-users] IPA server having cert issues

2016-04-27 Thread Rob Crittenden
Bret Wortman wrote: So in lieu of fixing these certs, is there an acceptable way to dump them all and start over /without losing the contents of the IPA database/? Or otherwise really screwing ourselves? I don't believe there is a way. We have a replica that's still up and running and we've s

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Sean Hogan
I ran the following: nmap --script ssl-enum-ciphers -p 636 `hostname` Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 12:48 EDT Nmap scan report for bob Host is up (0.78s latency). PORTSTATE SERVICE 636/tcp open ldapssl | ssl-enum-ciphers: | TLSv1.2 | Ciphers (13) | SSL

[Freeipa-users] Replication error

2016-04-27 Thread Anton Rubets
Hi all I have issues with replication between two FreeIPA servers In master's log [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ldap2.domain:389/o%3Dipaca) failed. [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ldap2

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Sean Hogan
Hi Martin, Thanks for the response. We are at RHEL 6.7... getting the hits on 389 and 636 so it's the Directory server ports which I assume is dse.ldif. Sean Hogan From: Martin Kosek To: Sean Hogan/Durham/IBM@IBMUS, freeipa-users Date: 04/27/2016 01:43 AM Subje

Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Ludwig Krispenz
On 04/27/2016 05:10 PM, Gady Notrica wrote: Oh! No… Is there a way I can pull those files from the secondary server and put them on the primary? do you have any file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse* ? There might be some older states to try If you want to use a dse.ldif from another s

Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Alexander Bokovoy
On Wed, 27 Apr 2016, Gady Notrica wrote: Hello Ludwig, I do have only 1 error logs for the 26th in /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only line I have [25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2 [26/Apr/20

Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Ludwig Krispenz
On 04/27/2016 04:36 PM, Gady Notrica wrote: *No changes* to /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. I am tailing the log file and running those commands doesn’t generate any log, nothing. [root@cd-p-ipa1 log]# ipactl start Starting Directory Service Job for dirsrv@IPA-CANDEAL-CA.servi

Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Gady Notrica
No changes to /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. I am tailing the log file and running those commands doesn’t generate any log, nothing. [root@cd-p-ipa1 log]# ipactl start Starting Directory Service Job for dirsrv@IPA-CANDEAL-CA.service failed because the control process exited with er

Re: [Freeipa-users] IPA server having cert issues

2016-04-27 Thread Bret Wortman
So in lieu of fixing these certs, is there an acceptable way to dump them all and start over /without losing the contents of the IPA database/? Or otherwise really screwing ourselves? We have a replica that's still up and running and we've switched everyone over to talking to it, but we're at

Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Ludwig Krispenz
On 04/27/2016 03:48 PM, Gady Notrica wrote: Hello Ludwig, I do have only 1 error logs for the 26th in /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only line I have [25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2 [

Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Gady Notrica
Hello Ludwig, I do have only 1 error logs for the 26th in /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only line I have [25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2 [26/Apr/2016:00:13:01 -0400] - Entry "uid=MMOOREDT$,

Re: [Freeipa-users] does ptr records an admin have to take care of manually?

2016-04-27 Thread Martin Basti
On 27.04.2016 15:12, lejeczek wrote: hi, regular server install with --setup-dns then clients to follow, but I see there: Missing reverse record(s) for address(es): does that mean that by default server install process does not include reverse zones? These need to be set up manually/indepe

[Freeipa-users] does ptr records an admin have to take care of manually?

2016-04-27 Thread lejeczek
hi, regular server install with --setup-dns then clients to follow, but I see there: Missing reverse record(s) for address(es): does that mean that by default server install process does not include reverse zones? These need to be set up manually/independently ? many thanks

Re: [Freeipa-users] IPA & Yubikey

2016-04-27 Thread Nathaniel McCallum
On Wed, 2016-04-27 at 10:22 +0200, Martin Kosek wrote: > On 04/22/2016 10:40 PM, Jeremy Utley wrote: > > Hello all! > > > > I'm quite close to reaching the ideal point with our new FreeIPA > > setup, but one  > > thing that is standing in the way is 2FA.  I know FreeIPA has > > support for Google 

Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread David Kupka
On 27/04/16 13:15, barry...@gmail.com wrote: Do u meant use ldapmodify? I tried update the dse.ldif but it will fall back after a while. On 27 April 2016 at 7:10 PM, "David Kupka" <mailto:dku...@redhat.com> wrote: On 27/04/16 12:48, barry...@gmail.com wrote: Hi:

Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread barrykfl
thx let me try as i dont want stop dirsrv but live disable nsslapd security. On 27 April 2016 at 7:26 PM, "David Kupka" wrote: > On 27/04/16 13:15, barry...@gmail.com wrote: > >> Do u meant use ldapmodify? >> I tried update the dse.ldif but it will fall back after a while. >> >> On 27 April 2016 at 7:10 PM, "David Ku

Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread barrykfl
Do u meant use ldapmodify? I tried update the dse.ldif but it will fall back after a while. On 27 April 2016 at 7:10 PM, "David Kupka" wrote: > On 27/04/16 12:48, barry...@gmail.com wrote: > >> Hi: >> >> Without restarting dirsrv possible do that ? >> >> >> thx Regards >> >> barry >> >> >> >> > Hello Barry,

Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread David Kupka
On 27/04/16 12:48, barry...@gmail.com wrote: Hi: Without restarting dirsrv possible do that ? thx Regards barry Hello Barry, this ldapsearch should list all attributes that need a restart after modification: $ ldapsearch -D "cn=Directory Manager" -w Secret123 -b cn=config nsslapd-req

[Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread barrykfl
Hi: Without restarting dirsrv possible do that ? thx Regards barry -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IPA server having cert issues

2016-04-27 Thread Bret Wortman
Was this at all informative? On 04/26/2016 02:06 PM, Bret Wortman wrote: On 04/26/2016 01:45 PM, Rob Crittenden wrote: Bret Wortman wrote: I think I've found a deeper problem, in that I can't update these because IPA simply won't start at all now. I mistyped one of these -- the 2016-03-11 i

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Martin Kosek
On 04/27/2016 07:27 AM, Sean Hogan wrote: > Hello, > > We currently have 7 ipa servers in multi master running: > > ipa-server-3.0.0-47.el6_7.1.x86_64 > 389-ds-base-1.2.11.15-68.el6_7.x86_64 > > Tenable is showing the use of weak ciphers along with freak vulnerabilities. > I > have followed >

Re: [Freeipa-users] IPA & Yubikey

2016-04-27 Thread Martin Kosek
On 04/22/2016 10:40 PM, Jeremy Utley wrote: > Hello all! > > I'm quite close to reaching the ideal point with our new FreeIPA setup, but > one > thing that is standing in the way is 2FA. I know FreeIPA has support for > Google > Auth, FreeOTP, and Yubikey. We'd like to go with Yubikeys over

Re: [Freeipa-users] migration user passwords from openldap to freeipa

2016-04-27 Thread David Kreitschmann
Are you sure that your bind dn has read access userPassword? A default OpenLDAP installation usually has a admin user. Gosa ACLs are only applied when using the web interface, they are not used for direct access via LDAP. > Am 27.04.2016 um 03:43 schrieb siology.io : > > I'm having issues migr

Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Ludwig Krispenz
On 04/26/2016 09:09 PM, Gady Notrica wrote: HERE.. [23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/cd-p-ipa1.ipa.domain.local@IPA.DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested real