Re: [Freeipa-users] Looking for documentation for Python API

2016-05-11 Thread Jan Cholasta
On 11.5.2016 10:52, Martin Kosek wrote: On 05/07/2016 09:07 AM, Joshua J. Kugler wrote: On Friday, May 06, 2016 09:04:59 Martin Basti wrote: since IPA4.2 web UI contains API browser (IPA Server/API Browser) So for example for caacl-add: api.Command.caacl_add(u'argument-ca-acl-name', descriptio

Re: [Freeipa-users] krb5kdc service not starting

2016-05-11 Thread Prasun Gera
Hi everyone, I had a pretty similar failure on my replica yesterday. The replica was not reachable, and I asked someone to have a look at the system. They presumably rebooted it. When it came back up, ipactl wouldn't start, and the symptoms were pretty similar to those described in this thread. I f

[Freeipa-users] getent passwd returns usern...@domain.com for username

2016-05-11 Thread Watson, Dan
Hi All, I've run into some strangeness and I just haven't been able to find a solution online. On my existing RHEL 6.5 servers everything runs fine. I do not use the IPA client install but rather manually set up SSSD, LDAP and Kerberos. We've got a RHEL 6.8 machine that just was added to IPA an

Re: [Freeipa-users] LDAP access for user authentication?

2016-05-11 Thread Rob Crittenden
Alexander Skwar wrote: Hello FreeIPA List :-) For protecting a web application, we are going to use a Web Application Firewall (SES from USP). This WAF appliance needs to have a user “database”. And for that, we would like to use FreeIPA 4.2 on RHEL 7.2. The WAF can access external authenticati

[Freeipa-users] Possible to tell SSSD to talk to virtual directory instead of directly to 389?

2016-05-11 Thread Marc Boorshtein
I've got a potential use case where I want to authenticate users using their AD credentials, store accounts and permissions in FreeIPA but not have a cross forest trust. One way to do this is to have SSSD talk LDAP to a virtual directory which would route the bind to AD but all other operations to

[Freeipa-users] LDAP access for user authentication?

2016-05-11 Thread Alexander Skwar
Hello FreeIPA List :-) For protecting a web application, we are going to use a Web Application Firewall (SES from USP). This WAF appliance needs to have a user “database”. And for that, we would like to use FreeIPA 4.2 on RHEL 7.2. The WAF can access external authentication “adapters” over variou

[Freeipa-users] a user delegated to control a OU and realmd join - how..

2016-05-11 Thread lejeczek
.. if possible, would you know? hi everybody, I'm trying, and hoping it is possible to realm join an AD but in such a way so I tap my IPA into specific OU within that AD. The thing is - I'm thinking it would make user access control ideal from the start as I need only users from that OU, but also b

Re: [Freeipa-users] Free IPA Client in Docker

2016-05-11 Thread Outback Dingo
On Wed, May 11, 2016 at 5:53 PM, Jan Pazdziora wrote: > On Wed, May 11, 2016 at 05:33:55PM +0200, Outback Dingo wrote: > > > On Wed, May 11, 2016 at 04:19:48PM +0200, Martin Basti wrote: > > > > > > > > https://hub.docker.com/r/adelton/freeipa-server/ > > > > > > Also http://www.freeipa.org/page/

Re: [Freeipa-users] Free IPA Client in Docker

2016-05-11 Thread Jan Pazdziora
On Wed, May 11, 2016 at 05:33:55PM +0200, Outback Dingo wrote: > > On Wed, May 11, 2016 at 04:19:48PM +0200, Martin Basti wrote: > > > > > > https://hub.docker.com/r/adelton/freeipa-server/ > > > > Also http://www.freeipa.org/page/Docker and > > https://github.com/adelton/docker-freeipa. > > great

Re: [Freeipa-users] Free IPA Client in Docker

2016-05-11 Thread Outback Dingo
On Wed, May 11, 2016 at 4:31 PM, Jan Pazdziora wrote: > On Wed, May 11, 2016 at 04:19:48PM +0200, Martin Basti wrote: > > On 11.05.2016 16:13, Outback Dingo wrote: > > > > > >not to fork the subject, but it would be nice if there was a freeipa > > >server on docker > > > > https://hub.docker.

Re: [Freeipa-users] DHCP plugin (don't get your hopes up)

2016-05-11 Thread Jeffery Harrell
Thanks. It was a pretty long weekend’s work. As for easier, I’ll be honest: I was really only able to do what I did by thoroughly reading the IPA source code. There’s some quite good documentation embedded in some of the Python source files, so the Python side was pretty easy, but I found the J

Re: [Freeipa-users] Exposing LDAP attributes with hyphens in their names?

2016-05-11 Thread Jeffery Harrell
I’ve read Extending FreeIPA back to front (several times!) but I could spend more time alone with an iPad and a copy of the Guide. Thanks for the link. On May 11, 2016 at 3:28:55 AM, Martin Kosek (mko...@redhat.com) wrote: On 05/06/2016 07:12 PM, Jeffery Harrell wrote: > Hi. I’m very new to I

Re: [Freeipa-users] Ubuntu 16.04 / FreeIPA 4.3 install

2016-05-11 Thread Zak Wolfinger
> On May 11, 2016, at 9:14 AM, Zak Wolfinger wrote: > > I’m trying to set up FreeIPA as a replica. I’ve followed the instructions in > section 4 here: > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide

Re: [Freeipa-users] Free IPA Client in Docker

2016-05-11 Thread Jan Pazdziora
On Wed, May 11, 2016 at 04:19:48PM +0200, Martin Basti wrote: > On 11.05.2016 16:13, Outback Dingo wrote: > > > >not to fork the subject, but it would be nice if there was a freeipa > >server on docker > > https://hub.docker.com/r/adelton/freeipa-server/ Also http://www.freeipa.org/page/Docke

Re: [Freeipa-users] Free IPA Client in Docker

2016-05-11 Thread Outback Dingo
On Wed, May 11, 2016 at 4:19 PM, Martin Basti wrote: > > > On 11.05.2016 16:13, Outback Dingo wrote: > > > > On Wed, May 11, 2016 at 3:50 PM, Jan Pazdziora > wrote: > >> On Tue, May 03, 2016 at 09:27:44PM +, Hosakote Nagesh, Pawan wrote: >> > Our apps are running in a docker image based on U

[Freeipa-users] Ubuntu 16.04 / FreeIPA 4.3 install

2016-05-11 Thread Zak Wolfinger
I’m trying to set up FreeIPA as a replica. I’ve followed the instructions in section 4 here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#prepping-replica

Re: [Freeipa-users] Free IPA Client in Docker

2016-05-11 Thread Martin Basti
On 11.05.2016 16:13, Outback Dingo wrote: On Wed, May 11, 2016 at 3:50 PM, Jan Pazdziora > wrote: On Tue, May 03, 2016 at 09:27:44PM +, Hosakote Nagesh, Pawan wrote: > Our apps are running in a docker image based on Ubuntu 14.04 that cannot

Re: [Freeipa-users] Free IPA Client in Docker

2016-05-11 Thread Outback Dingo
On Wed, May 11, 2016 at 3:50 PM, Jan Pazdziora wrote: > On Tue, May 03, 2016 at 09:27:44PM +, Hosakote Nagesh, Pawan wrote: > > Our apps are running in a docker image based on Ubuntu 14.04 that cannot > be changed to redhat. We want to install freeipa-client within this docker > so that our a

Re: [Freeipa-users] Free IPA Client in Docker

2016-05-11 Thread Jan Pazdziora
On Tue, May 03, 2016 at 09:27:44PM +, Hosakote Nagesh, Pawan wrote: > Our apps are running in a docker image based on Ubuntu 14.04 that cannot be > changed to redhat. We want to install freeipa-client within this docker so > that our app > Uses freeipa ldap as against default ldap. > > The f

Re: [Freeipa-users] freeipa as organizational CA

2016-05-11 Thread Fraser Tweedale
On Wed, May 11, 2016 at 12:06:39PM +, Andy Thompson wrote: > > Andy, you can install FreeIPA as a sub-CA of your offline root. > > Support for creating sub-CAs *within* FreeIPA, under the "main" > > FreeIPA CA (which in your case is a sub-CA of your offline root), is not yet > > available but I

Re: [Freeipa-users] freeipa as organizational CA

2016-05-11 Thread Alexander Bokovoy
- Original Message - > > > > > >If I can get an exclusion for the sub-CA bits, can that be added at a > > >later time and just run with a root CA for now? Can it perform all of > > >the needs of an org CA outside of an IPA environment? > > Not through the IPA interfaces but standard Dogt

Re: [Freeipa-users] freeipa as organizational CA

2016-05-11 Thread Andy Thompson
> Andy, you can install FreeIPA as a sub-CA of your offline root. > Support for creating sub-CAs *within* FreeIPA, under the "main" > FreeIPA CA (which in your case is a sub-CA of your offline root), is not yet > available but I am working on that. But if you only need one CA as a sub-CA > of an o

Re: [Freeipa-users] freeipa as organizational CA

2016-05-11 Thread Andy Thompson
> > > >If I can get an exclusion for the sub-CA bits, can that be added at a > >later time and just run with a root CA for now? Can it perform all of > >the needs of an org CA outside of an IPA environment? > Not through the IPA interfaces but standard Dogtag is there, with its (albeit > a > bit

Re: [Freeipa-users] DHCP plugin (don't get your hopes up)

2016-05-11 Thread Petr Vobornik
On 05/10/2016 09:39 PM, Jeffery Harrell wrote: > As promised yesterday, here’s the link to my bespoke DHCP plugin. It’s really > nothing, just a little thing I whipped up for my own use. > > https://github.com/jefferyharrell/IPA-dhcp > > Very nice. This is probably the most complex 'external'

Re: [Freeipa-users] Exposing LDAP attributes with hyphens in their names?

2016-05-11 Thread Martin Kosek
On 05/06/2016 07:12 PM, Jeffery Harrell wrote: > Hi. I’m very new to IPA; I only picked it up a couple weeks ago. So this may > be > a remedial question. > > I’d like to expose, both via the CLI and the GUI, certain LDAP attributes > which > have hyphens in their names — e.g., "apple-user-home

Re: [Freeipa-users] Automatic consistency checking

2016-05-11 Thread Martin Kosek
On 05/05/2016 04:35 PM, Martin Basti wrote: > > > On 05.05.2016 15:54, Andrew Holway wrote: > > Hello, > > We've been using Freeipa on Centos for a while and found one day that the > replication stuff was broken and that the LDAP database on our pair of IPA > servers was inconsi

Re: [Freeipa-users] Looking for documentation for Python API

2016-05-11 Thread Martin Kosek
On 05/07/2016 09:07 AM, Joshua J. Kugler wrote: > On Friday, May 06, 2016 09:04:59 Martin Basti wrote: >> since IPA4.2 web UI contains API browser (IPA Server/API Browser) >> >> So for example for caacl-add: >> api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional >> description") >

Re: [Freeipa-users] Get Creation Time / Last Login Time for Users

2016-05-11 Thread Martin Kosek
On 05/05/2016 03:23 AM, Jeff Hallyburton wrote: > Hello, > > We're looking for a way to get last login time and creation time for > users configured in FreeIPA. This information doesn't seem to be in > the WebUI and ipa user-status only provides limited information (last > failed/successful login