On 01/28/2011 10:39 AM, Simo Sorce wrote:
First of all.
I am glad this was resolved, it looked puzzling indeed.
I just want to note that we do not support using the DS password policy
in ipa as we already have the kerberos pw policy, that's why the uid=kdc
was not "protected" against it.
In v2
On 1/28/11 8:28 AM, Simo Sorce wrote:
On Thu, 27 Jan 2011 19:20:02 -0500
James Roman wrote:
On 1/27/11 12:58 PM, Simo Sorce wrote:
On Wed, 2011-01-26 at 13:59 -0500, James Roman wrote:
So it looks like the replication password issue was a red herring as
far as the kerberos is concerned. I issued the command
"ipa-replica-manage synch ipaserver1.domain.com" from the working ld
Rich Megginson wrote:
On 01/26/2011 09:32 AM, James Roman wrote:
Simo Sorce wrote:
On Tue, 25 Jan 2011 15:58:35 -0500
James Roman wrote:
On 1/25/11 2:44 PM, Simo Sorce wrote:
On Tue, 25 Jan 2011 14:33:14 -0500
James Roman wrote:
On 01/25/2011 12:42 PM, Simo Sorce wrote:
On Tue, 25 Jan 2011 12:04:25 -0500
James Roman wrote:
I noticed today that one of our FreeIPA 1.2.2 servers has stopped
issuing tickets. When I attempt to restart all the IPA services the
krb5kdc service failed to restart with the following error:
krb5kdc: Unable to access Kerberos database - while initializing
database for realm DOMAIN.COM
I d
On 10/08/2010 01:49 PM, Dan Scott wrote:
On Fri, Oct 8, 2010 at 13:18, Rich Megginson wrote:
Dan Scott wrote:
On Fri, Oct 8, 2010 at 11:39, James Roman wrote:
So does anyone have any more suggestions? Or should I just configure a
new replica with new hostname and IP?
Thanks,
Dan
I
On 10/07/2010 11:20 AM, Rich Megginson wrote:
20 is "type or value exists" - I think this means that it is
attempting to set a referral for the master, but there already is one.
Curie contains the same log entry.
But, none of the users contain the memberOf attributes on ohm.
Does IPA have its
Sorry about that, I now get:
adding new entry cn=memberOf_fixup_2010_10_7_10_41_11, cn=memberOf
task, cn=tasks, cn=config
ldap_add: Insufficient access
I have an admin Kerberos ticket and I know the password is correct
because otherwise I get 'ldap_simple_bind: Invalid credentials'.
Thanks,
On 09/15/2010 10:14 PM, Rob Crittenden wrote:
As Dmitri said, the problem is that kerberos uses a different password
attribute than LDAP. For passwords set within IPA we capture password
changes from both LDAP and kerberos and keep the two in sync.
When you migrate just the LDAP password you
From both a network and a security point of view, TACACS+ is
considered preferable to RADIUS; among other benefits, it enciphers
the entire conversation, rather than just portions of it, and can
provide more fine-grain authorization than RADIUS. Most Cisco shops
I've encountered consider RADIU
The bug outlines how to promote a replica to be the primary "master".
You basically just need to import the CA and setup the serial number
file.
So let's say you had a master and 2 replicas. In reality the only thing
that differentiates the first master is that it was installed first so
has
On 03/17/2010 04:00 PM, James Roman wrote:
The memberof plugin does not change group memberships it only updates
the memberof attribute to keep it in sync with the member ones.
Simo.
I made a mistake interpreting the audit log initially. I realized after
I created the subject that the MemberOf changes reflect the changes
being m
To actually disable the plugin you need a restart after you change the
config, but please *do not* do that unless you want trouble :)
Just to clarify
Well, the current 389 memberOf is a bit more advanced than the
ipa-memberOf. We did the initial development of the plugin, then it
got moved into mainline 389-ds. The ipa plugin should work fine
though, I don't know of any reason to switch.
rob
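Simo's and Rob's point above (the memberOf plugin never touches group membership; it only derives each entry's memberOf attribute from the member attributes of the groups, including nested ones, and the fixup task recomputes it) can be made concrete with a small model. The following Python is an added example written for this page; it is not code from the 389-ds or IPA memberOf plugin, and the DNs and group layout it uses are constructed sample data, not a real directory.

```python
"""Model of what the memberOf plugin / fixup task computes.

memberOf is derived purely from 'member' (transitively through nested
groups). Editing memberOf on a user therefore changes nothing about the
user's real membership, and the next fixup reverts the edit.

Added example for illustration; not the plugin's own code.
"""
from collections import defaultdict

# Constructed sample DNs (assumption: a standard IPA-style tree layout).
BASE = "dc=example,dc=com"
ALICE = f"uid=alice,cn=users,cn=accounts,{BASE}"
BOB = f"uid=bob,cn=users,cn=accounts,{BASE}"
DEVS = f"cn=devs,cn=groups,cn=accounts,{BASE}"
STAFF = f"cn=staff,cn=groups,cn=accounts,{BASE}"
ADMINS = f"cn=admins,cn=groups,cn=accounts,{BASE}"


def sample_entries():
    """Constructed sample directory: DN -> attribute dict (lists of values)."""
    return {
        ALICE: {"objectClass": ["person"]},
        BOB: {"objectClass": ["person"]},
        DEVS: {"objectClass": ["groupOfNames"], "member": [ALICE, BOB]},
        STAFF: {"objectClass": ["groupOfNames"], "member": [DEVS]},  # nested group
        ADMINS: {"objectClass": ["groupOfNames"], "member": [BOB]},
    }


def direct_groups(entries):
    """Invert 'member': DN -> set of groups that list that DN directly."""
    parents = defaultdict(set)
    for dn, attrs in entries.items():
        for member in attrs.get("member", []):
            parents[member].add(dn)
    return parents


def compute_memberof(entries):
    """DN -> every group reachable through 'member' links, nested groups
    included. A 'seen' set makes group cycles terminate."""
    parents = direct_groups(entries)
    result = {}
    for dn in entries:
        seen, stack = set(), list(parents.get(dn, ()))
        while stack:
            group = stack.pop()
            if group in seen:
                continue
            seen.add(group)
            stack.extend(parents.get(group, ()))
        result[dn] = seen
    return result


def fixup(entries):
    """Rewrite memberOf on every entry from the current 'member' values
    (what the memberOf fixup task does). 'member' itself is never modified.
    Returns the DNs whose memberOf changed, in directory order."""
    wanted = compute_memberof(entries)
    changed = []
    for dn, attrs in entries.items():
        new = sorted(wanted[dn])
        old = sorted(attrs.get("memberOf", []))
        if new != old:
            changed.append(dn)
            if new:
                attrs["memberOf"] = new
            else:
                attrs.pop("memberOf", None)
    return changed


if __name__ == "__main__":
    directory = sample_entries()
    print("initial fixup changed:", fixup(directory))
    # Hand-editing memberOf grants nothing: the group's 'member' is untouched
    # and the next fixup puts memberOf back to what 'member' implies.
    directory[ALICE]["memberOf"].append(ADMINS)
    print("after bogus memberOf, fixup changed:", fixup(directory))
    print("alice memberOf:", directory[ALICE]["memberOf"])
    print("alice in admins member:", ALICE in directory[ADMINS]["member"])
```

The model mirrors the plugin's direction of data flow: removing a user from a group's member attribute (or adding a group into another group) is what changes memberOf, while the reverse edit is silently undone. That is also why, as the thread notes, the fixup task is run after bulk changes or migrations rather than memberOf being edited directly.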
Any idea why both are being executed? Even when
OK. I Think I've got this licked. I had to manually activate the account
on both the Active Directory and the FreeIPA server. I think what was
happening was this:
1. Admin activates the account on IPA server (moves cn=inactivated to
cn=activated)
2. IPA server schedules windows sync
I have a single account that keeps getting disabled by the memberOf
Plugin, even though it is disabled.
# MemberOf Plugin, plugins, config
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath:
Rob Crittenden wrote:
Виктор Сергеевич wrote:
Hi!
Thanks! It works!, but
On the master server I see users in groups, but on the replica I see only
the group, without users. If I search for users I can find them. And one more:
Strange, that shouldn't happen. I'd search for them directly in LDAP
to ensure
If I remember correctly, I had to comment out the following entries in
the /etc/dirsrv/slapd-/schema/99user.ldif file:
# objectClasses: ( 2.16.840.1.113730.3.2.300 NAME 'nsAIMpresence' DESC 'Netscape defined objectclass' SUP top AUXILIARY MAY (nsaimid $ nsaimstatusgraphic $
nsaimstatuste
Can't believe that time is up already. The third-party signed
certificate that I deployed my freeipa server with is about to expire.
Our certificate signer has now set the minimum key length to 2048 bit,
which means I have to re-key our primary freeipa SSL certificate.
Before I install the new
I am planning two customizations to our directory and wanted to find out
if they pose any risks with future migrations.
First we have a subtree in our directory
cn=applications,cn=accounts,dc=REALM,dc=com that contains application
based accounts. I plan to enforce a separate password policy fo
In case any one runs into this error while trying to create a replica:
Starting dirsrv:
REALM-COM...[15/Sep/2009:09:39:18 -0400] dse - The entry cn=schema in
file /etc/dirsrv/slapd-REALM-COM/schema/##xx.ldif is invalid, error
code 21 (Invalid syntax) - object class nsAIMpresence: Unknown
those, I was hoping that I could
go this route to provide a migration path. Perhaps not. This will be
subject of a new thread.
Rob Crittenden wrote:
James Roman wrote:
I installed the 1.2.2-1 version from the test repo. I get really
close to the end, but it is still bombing when trying to s
lledProcessError(p.returncode, ' '.join(args))
[r...@replica ~]# certutil -L -d /etc/httpd/alias
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI
Server-Cert                                   u,u,u
Go Daddy Secure Certification Authority       ,,
Go Daddy Class 2 Certification Authority
Can anyone elaborate on the options for the ipa-replica-prepare command?
I have a third party signed certificate for both my master and replica
server. Am I supposed to provide the PKCS12 file for the master server
or the replica? If it is looking for the master server, I really don't
want the
James Roman wrote:
Rob Crittenden wrote:
James Roman wrote:
Rob Crittenden wrote:
James Roman wrote:
First off, thanks Rob for the direction on creating a certificate.
After reading up on Mozilla's NSS, I think I've got a pretty fair
grounding.
So I successfully generated a CSR and had it signed. I imported my
certificate and CA chain in
31 matches