Re: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

2017-05-18 Thread Michael Plemmons
, May 18, 2017 at 10:28 AM, Florence Blanc-Renaud wrote: > On 05/18/2017 03:49 PM, Michael Plemmons wrote: > >> >> >> >> >> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX >> * >> 614.427.2411 >> mike.plemm...@crosschx.com <mai

Re: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

2017-05-18 Thread Michael Plemmons
*Mike Plemmons | Senior DevOps Engineer | CROSSCHX* 614.427.2411 mike.plemm...@crosschx.com www.crosschx.com On Thu, May 18, 2017 at 8:02 AM, Florence Blanc-Renaud wrote: > On 05/15/2017 08:33 PM, Michael Plemmons wrote: > >> I have done more searching in my logs and I see the foll

Re: [Freeipa-users] Domain Levels

2017-05-11 Thread Michael Plemmons
mike.plemm...@crosschx.com www.crosschx.com On Thu, May 11, 2017 at 8:35 AM, Michael Plemmons < michael.plemm...@crosschx.com> wrote: > Thank you for the reply. Is there a specific order I should perform the > DL upgrade? Should I upgrade the master first then the replicas? Do

Re: [Freeipa-users] Domain Levels

2017-05-11 Thread Michael Plemmons
...@crosschx.com www.crosschx.com On Thu, May 11, 2017 at 4:13 AM, Martin Bašti wrote: > > > On 10.05.2017 22:42, Michael Plemmons wrote: > > I am currently running 4.4.0 on a three node cluster. My domain level is > currently 0 on all three nodes. Is there a reason to keep the domain level

[Freeipa-users] Domain Levels

2017-05-10 Thread Michael Plemmons
I am currently running 4.4.0 on a three node cluster. My domain level is currently 0 on all three nodes. Is there a reason to keep the domain level at 0? I do not plan on adding any older versions of IPA into the cluster. Is there anything I need to worry about if I elevate the domain level to 1

Re: [Freeipa-users] qradar UBA to IPA

2017-05-08 Thread Michael Plemmons
user? *Mike Plemmons | Senior DevOps Engineer | CROSSCHX* 614.427.2411 mike.plemm...@crosschx.com www.crosschx.com On Mon, May 8, 2017 at 4:47 PM, Sean Hogan wrote: > Thanks Michael, > > Yes sir, the qradar box is able to hit the ipa server on 389 and 636 with > success via telnet.

Re: [Freeipa-users] qradar UBA to IPA

2017-05-08 Thread Michael Plemmons
From the server running Qradar can you ping the IPA server? Are you able to telnet to port 389 or 636 of the IPA server? The error says it can't contact the LDAP server which usually means you have not gotten to the point of authentication yet. *Mike Plemmons | Senior DevOps Engineer | CROS

Re: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

2017-05-05 Thread Michael Plemmons
I just realized that I sent the reply directly to Rob and not to the list. My response is inline *Mike Plemmons | Senior DevOps Engineer | CROSSCHX* 614.427.2411 mike.plemm...@crosschx.com www.crosschx.com On Thu, May 4, 2017 at 9:39 AM, Michael Plemmons < michael.plemm...@crosschx.com>

Re: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

2017-05-03 Thread Michael Plemmons
9560051000 *Mike Plemmons | Senior DevOps Engineer | CROSSCHX* 614.427.2411 mike.plemm...@crosschx.com www.crosschx.com On Wed, May 3, 2017 at 10:52 PM, Michael Plemmons < michael.plemm...@crosschx.com> wrote: > I ran another test. I started IPA with the ignore service failure

Re: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

2017-05-03 Thread Michael Plemmons
Engineer | CROSSCHX* 614.427.2411 mike.plemm...@crosschx.com www.crosschx.com On Wed, May 3, 2017 at 10:16 PM, Michael Plemmons < michael.plemm...@crosschx.com> wrote: > I realized that I was not very clear in my statement about testing with > ldapsearch. I had initially run it without log

Re: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

2017-05-03 Thread Michael Plemmons
neer | CROSSCHX* 614.427.2411 mike.plemm...@crosschx.com www.crosschx.com On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons < michael.plemm...@crosschx.com> wrote: > I have a three node IPA cluster. > > ipa11.mgmt - was a master over 6 months ago > ipa13.mgmt - current master > ipa12.m

[Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

2017-05-03 Thread Michael Plemmons
I have a three node IPA cluster. ipa11.mgmt - was a master over 6 months ago ipa13.mgmt - current master ipa12.mgmt ipa13 has agreements with ipa11 and ipa12. ipa11 and ipa12 do not have agreements between each other. It appears that either ipa12.mgmt lost some level of its replication agreemen

[Freeipa-users] Fedora 25 - SSSD: Smart card login is broken

2017-04-25 Thread Michael Rainey (Contractor)
tly appreciated. Thank you, -- *Michael Rainey* -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

[Freeipa-users] User policies

2017-04-12 Thread Michael Rainey (Contractor)
/ -- *Michael Rainey* Network Representative

Re: [Freeipa-users] Jenkins integration?

2017-03-24 Thread Michael Ströder
Maciej Drobniuch wrote: > I see now what you mean. > > The SSHA decoding is handled on the client side by using acegi not on the > ldap server > side... No, Jenkins sends a bind request with the user's bind-DN and clear-text password. Password check is done server-

[Freeipa-users] Fedora 25 IPA smart card login

2017-03-14 Thread Michael Rainey (Contractor)
lse org.gnome.login-screen enable-password-authentication true org.gnome.login-screen disable-restart-buttons false org.gnome.login-screen logo '/usr/share/pixmaps/fedora-gdm-logo.png' org.gnome.login-screen enable-fingerprint-authentication true org.gnome.login-screen banner-message-text

Re: [Freeipa-users] support for rfc2307AIX schema in IPA server

2017-02-24 Thread Michael Ströder
Iulian Roman wrote: > Michael Ströder wrote: >> Being in your position I'd first compile a list of functional and security >> requirements and ask then whether these requirements can be implemented with >> FreeIPA. I'm curious to learn whether "some other

Re: [Freeipa-users] support for rfc2307AIX schema in IPA server

2017-02-22 Thread Michael Ströder
Iulian Roman wrote: > On Wed, Feb 22, 2017 at 6:03 PM, Michael Ströder <mailto:mich...@stroeder.com>> wrote: > > Iulian Roman wrote: > > On Tue, Feb 21, 2017 at 4:31 PM, Rob Crittenden <mailto:rcrit...@redhat.com> > > <mailto:rcrit...@redhat.c

Re: [Freeipa-users] support for rfc2307AIX schema in IPA server

2017-02-22 Thread Michael Ströder
re any possibility to extend the existing schema with additional > attributes/object Do you really use this specific AIX schema? If yes, which attributes for which purpose? Last time I've checked this schema when integrating AIX clients my conclusion was that this schema is rather useless

Re: [Freeipa-users] Delegation + visibility on users/user groups

2017-02-15 Thread Michael Ströder
multi-tenant confidentiality. Ciao, Michael.

Re: [Freeipa-users] Jenkins integration?

2017-02-11 Thread Michael Ströder
Alexander Bokovoy wrote: > On la, 11 helmi 2017, Michael Ströder wrote: >> Alexander Bokovoy wrote: >>> On la, 11 helmi 2017, Harald Dunkel wrote: >>>> On 02/11/17 11:57, Alexander Bokovoy wrote: >>>>> On la, 11 helmi 2017, Michael Ströder wrote: >

Re: [Freeipa-users] Jenkins integration?

2017-02-11 Thread Michael Ströder
Alexander Bokovoy wrote: > On la, 11 helmi 2017, Harald Dunkel wrote: >> On 02/11/17 11:57, Alexander Bokovoy wrote: >>> On la, 11 helmi 2017, Michael Ströder wrote: >>>> >>>> (Personally I'd avoid going through PAM.) >>> Any specific re

Re: [Freeipa-users] Jenkins integration?

2017-02-11 Thread Michael Ströder
Alexander Bokovoy wrote: > On la, 11 helmi 2017, Michael Ströder wrote: >> Harald Dunkel wrote: >>> On 02/10/17 15:07, Tomasz Torcz wrote: >>>> On Fri, Feb 10, 2017 at 02:03:48PM +0100, Harald Dunkel wrote: >>>>> did anybody succeed in using Freeipa fo

Re: [Freeipa-users] Jenkins integration?

2017-02-11 Thread Michael Ströder
try to analyze 389-DS' logs to see whether Jenkins contacts your LDAP server and which queries it sends. Most times it's a trivial config item missing. Ciao, Michael.

Re: [Freeipa-users] Identification with openLDAP and authorization with FreeIPA

2017-02-01 Thread Michael Ströder
epl client which is of course a lot of work to get it right. Ciao, Michael.

Re: [Freeipa-users] LDAP - Load Balancer - SSL cert with SAN

2017-01-03 Thread Michael Plemmons
main > service and this creates a signed SAN cert that you can upload later to > your LB. > > In simple words the service is assigned to all hosts but those hosts have > also a service added(this is a hack). > > Hope that makes sense and helps solving your problem. >

[Freeipa-users] LDAP - Load Balancer - SSL cert with SAN

2016-12-29 Thread Michael Plemmons
I am trying to get FreeIPA LDAP to work when behind a load balancer and using SSL and I do not understand how I am supposed to get the server to use a certificate I created that has a SAN created. FreeIPA 4.4.0 on CentOS 7 Here is what I have: ipa-master.dev.crosschx.com - master ipa-replica.dev.

Re: [Freeipa-users] Host with Multiple hostnames

2016-11-28 Thread Michael Plemmons
The error is telling you that a DNS entry already exists for the hostname you want the CNAME. A DNS record can only have one record type. Meaning if you have 1.2.3.4 pointing to test.example.com you cannot have test.example.com also be a CNAME for foo.example.com. *Mike Plemmons | Senior DevOps

[Freeipa-users] FreeIPA 3 to FreeIPA 4 migration and Kerberos realm is a forwarded zone

2016-11-18 Thread Michael Plemmons
Hello, My existing FreeIPA 3.0 (CentOS 6) setup is as follows: Kerberos Realm: test.com I have several DNS zones test.com dev.test.com stage.test.com qa.test.com prod.test.com mgmt.test.com ipa01.mgmt.test.com - FreeIPA 3.0 Master ipa02.mgmt.test.com - FreeIPA 3.0 Replica The FreeIPA servers ac

Re: [Freeipa-users] Why does a SAN field on a CSR require a host to be in IPA?

2016-10-27 Thread Michael Ströder
rt issuance. => If in doubt then revoke. Ciao, Michael.

Re: [Freeipa-users] cn=deleted users,cn=accounts

2016-10-27 Thread Michael Ströder
Michael Ströder wrote: > I wonder which action in the FreeIPA Web UI (4.2.0) moves an active user to > this container: > > cn=deleted users,cn=accounts,cn=provisioning,dc=example,dc=com > > Selecting [Delete] as action really deletes the LDAP entry. Ah, found it myself: It

[Freeipa-users] cn=deleted users,cn=accounts

2016-10-27 Thread Michael Ströder
Hi! I wonder which action in the FreeIPA Web UI (4.2.0) moves an active user to this container: cn=deleted users,cn=accounts,cn=provisioning,dc=example,dc=com Selecting [Delete] as action really deletes the LDAP entry. Likely I missed something. Ciao, Michael.

[Freeipa-users] container for custom objects

2016-10-26 Thread Michael Ströder
BTW: Is there documentation describing the DIT in detail? Ciao, Michael.

[Freeipa-users] Hourly messages in error log

2016-10-14 Thread Michael S. Moody
-1.production.example.com:389} 57d33 nsds50ruv: {replica 86 ldap://ipa2.west-2.production.example.com:389} 5696e792 nsds50ruv: {replica 91 ldap://ipa2.west-2.production.example.com:389} 56941bab nsds50ruv: {replica 97 ldap://ipa2.west-2.production.example.com:389} 569416ae Any pointers would be greatly appreciated. Th

[Freeipa-users] Question about an error in the logs.

2016-10-06 Thread Michael Rainey (Contractor)
ific Linux 7.2 64-bit 1.13.0-40.el7_2.12 -- *Michael Rainey*

Re: [Freeipa-users] Distributing user keytabs for non-interactive auth question

2016-09-25 Thread Michael ORourke
Matt, Try the following... # Get admin TGT kinit ad...@realm.com # Get keytab for user account ipa-getkeytab -s coipa100 -p cron_run...@realm.com -k ipa_cron_runner.keytab # Clear tickets kdestroy # Request TGT using the keytab kinit -k -t ./cron_runner.keytab cron_run...@realm.com # List tic

[Freeipa-users] AD integration and transitive trusts

2016-09-07 Thread Michael ORourke
At my company, we are trying to setup a pilot with FreeIPA and we are having some issues. We would like to leverage our corporate AD infrastructure which mainly lives in "somedom2.com", and is a member of "rootdom1.com" forest. Note the different DNS naming between the root domain and the tree. O

[Freeipa-users] Site functionality between clients and server

2016-08-30 Thread Michael
Our environment has multiple FreeIPA servers and associated SRV records. During client install, I can't determine how each installation chooses the value to be placed in the ipa_server property of sssd.conf. Can Free IPA clients be configured to prefer an LDAP server on their own subnet? On a d

Re: [Freeipa-users] Original java script I have been TRYING to modify to use the flatness that is IPA.

2016-08-16 Thread Michael Sean Conley
[Apache ServiceMix ASCII-art banner] Apache ServiceMix (7.0.0.M1) Hit '' for a list of available commands and '[cmd] --help' for help on a specific command. Hit '' or

[Freeipa-users] Original java script I have been TRYING to modify to use the flatness that is IPA.

2016-08-15 Thread Michael Sean Conley
tore=truststore ssl.algorithm=PKIX Michael Sean Conley

Re: [Freeipa-users] ldaps Java script issues with RH IdM - odd that I cannot make it connect...

2016-08-12 Thread Michael Sean Conley
so if I am reading you correctly connection.username=cn=ddfusr should be connection.username=uid=ddfusr,cn=users,cn=accounts,dc=aba,dc=home,dc=com? Michael Sean Conley From: Rob Crittenden To: Michael Sean Conley , freeipa-users@redhat.com Date: 08/12/2016 04:13

Re: [Freeipa-users] ldaps Java script issues with RH IdM - odd that I cannot make it connect...

2016-08-12 Thread Michael Sean Conley
.. Error 32. Rassin Frassin! It's too Friday for this. Michael Sean Conley

[Freeipa-users] ldaps Java script issues with RH IdM - odd that I cannot make it connect...

2016-08-12 Thread Michael Sean Conley
[12/Aug/2016:11:05:34 -0500] conn=850 op=0 BIND dn="cn=binding" method=128 version=3 [12/Aug/2016:11:05:34 -0500] conn=850 op=0 RESULT err=32 tag=97 nentries=0 etime=0 [12/Aug/2016:11:05:34 -0500] conn=850 op=-1 fd=112 closed - B1 Michael Sean Conley

Re: [Freeipa-users] IPA and FIPS 140-2

2016-08-08 Thread Michael Sean Conley
Yep, did so right away. and yes, this is for the future state of IPA. Michael Sean Conley Hardware/Infrastructure Intelligence, Information and Services Raytheon Company 972-643-9887 (office) michael.sean.con...@raytheon.com From: Martin Kosek To: Michael Sean Conley , Rob

Re: [Freeipa-users] IPA and FIPS 140-2

2016-08-04 Thread Michael Sean Conley
Is there any indication of a timeframe for it to become FIPS compliant? If we are talking weeks, rather than years... Michael Sean Conley From: Rob Crittenden To: Michael Sean Conley , freeipa-users@redhat.com Date: 08/04/2016 11:37 AM Subject:Re: [Freeipa-users

[Freeipa-users] IPA and FIPS 140-2

2016-08-04 Thread Michael Sean Conley
Does ANYONE have any experience getting IPA to work with FIPS? We're trying desperately to get this going, as we have some requirements that the Identity Management Tool we choose must be FIPS 140-2 compliant. GGHHH Michael Sean Conley

[Freeipa-users] freeIPA 4.2: Smart Card Issues

2016-06-28 Thread Michael Rainey (Contractor)
ou enough information to work the problem. Have there been changes to the way freeIPA is configured for smartcard use? Sincerely, -- *Michael Rainey*

[Freeipa-users] Yet another question about smartcard login... this time Ubuntu.

2016-06-08 Thread Michael Rainey (Contractor)
in advance. -- *Michael*

[Freeipa-users] DNA Ranges

2016-06-06 Thread Michael Rainey (Contractor)
and GIDs, or should I set a new range to prevent duplicate values? At this point, I haven't found anything in my research which matches my current scenario. Thanks in advance. -- *Michael Rainey*

[Freeipa-users] Python Web API access

2016-06-02 Thread Michael Luich
lse" *} ] } headers = {*'referer'*: *'https://identity1.corp.actifio.com/ipa/ <https://identity1.corp.actifio.com/ipa/>'*, *'Content-Type'*: *'application/json'*, *'Accept'*: *

Re: [Freeipa-users] FreeIPA4.2: Recovering from an IPA master server failure

2016-06-01 Thread Michael Rainey (Contractor)
log me in with no problems when using ssh, while other systems will prompt me for a password. Has anyone had similar problems and what did they do to fix the problem? *Michael Rainey* On 05/31/2016 11:10 PM, Martin Basti wrote: On 31.05.2016 17:36, Michael Rainey (Contractor) wrote

[Freeipa-users] FreeIPA4.2: Recovering from an IPA master server failure

2016-05-31 Thread Michael Rainey (Contractor)
Your help is greatly appreciated. -- *Michael Rainey*

[Freeipa-users] Recovering from an IPA master server failure

2016-05-27 Thread Michael Rainey (Contractor)
ll not let me delete the system. Is there a process somewhere that will walk me through the process of demoting the server so I can delete it from the directory? Your help is greatly appreciated. -- *Michael Rainey*

Re: [Freeipa-users] What id my AD domain user password not available

2016-05-26 Thread Michael ORourke
._tcp.kw.example.com).  I'm not familiar with setting up FreeIPA with an external DNS, but I'm sure there are some instructions out there.-Mike-Original Message- From: "Ben .T.George" Sent: May 23, 2016 2:22 PM To: Michael ORourke Cc: freeipa-users Subject: Re: [Freeipa-users] What

Re: [Freeipa-users] FreeIPA 4.3 with PWM 1.7 ?

2016-05-26 Thread Michael ORourke
Did you try installing PWM on a separate instance, or are you trying to install it on the FreeIPA server? I don't recall any issues with pki-tomcat when I setup PWM (older version), but I installed it on a VM that was joined to FreeIPA. -Mike -Original Message- >From: Zak Wolfinger

Re: [Freeipa-users] What id my AD domain user password not available

2016-05-23 Thread Michael ORourke
ains with the same DNS zone name.  So if you have a flat DNS namespace, then you will want to plan accordingly to move all the linux boxes that will participate in the FreeIPA domain into the new DNS zone.-Mike-Original Message- From: "Ben .T.George" Sent: May 23, 2016 10:44 AM To: M

Re: [Freeipa-users] What id my AD domain user password not available

2016-05-23 Thread Michael ORourke
you.  Also, you will need to setup a separate DNS zone and some forwarding rules.  Otherwise you are going to have problems.-Mike -Original Message- From: "Ben .T.George" Sent: May 23, 2016 10:07 AM To: Michael ORourke Cc: freeipa-users Subject: Re: [Freeipa-users] What id my AD

Re: [Freeipa-users] What id my AD domain user password not available

2016-05-23 Thread Michael ORourke
A couple of ways to go about this.  If he is local to you, you could explain that you need to establish a trust with his domain and you need his assistance for a few minutes while you type the command to join, then have him type in the password.  You need to assure that the DNS forward/stub zones a

Re: [Freeipa-users] AD users home directory automount

2016-05-18 Thread Michael ORourke
--location=default 9). On the client machines, make sure the autofs service is enabled and running. systemctl enable autofs; systemctl start autofs 10). Test automount by logging into the client. That should do it! -Mike -Original Message- From: "Ben .T.George" Sent: May 18, 2016 10:03 A

Re: [Freeipa-users] How does one authenticate Windows login against IPA

2016-05-18 Thread Michael ORourke
What about using the pGina project on the Windows side? Reference: http://blog.zwiegnet.com/linux-server/configure-pgina-windows-7-openldap-authentication/ -Mike -Original Message- >From: John Meyers >Sent: May 18, 2016 5:19 PM >To: freeipa-users@redhat.com >Subject: [Freeipa-users] How

Re: [Freeipa-users] AD users home directory automount

2016-05-18 Thread Michael ORourke
Yes, because you can point the automount maps to whatever device you want.  NFSv4 might be more tricky to setup on a SAN device and may or may not work depending on the software/firmware of the device.  NFSv3 is a well supported protocol across SAN vendors and you should not have any problems setti

Re: [Freeipa-users] Help needed with keytabs

2016-05-05 Thread Michael ORourke
Roderick, Here's how we do it. Create a service account user, for example "svc_useradm". Then generate a keytab for the service account, and store it somewhere secure. ipa-getkeytab -s infrae2u01.lnx.dr.local -p svc_useradm -k /root/svc_useradm.keytab Now we can leverage the keytab for that u

Re: [Freeipa-users] FreeIPA with smart card using LightDM

2016-05-02 Thread Michael Rainey (Contractor)
d is ready. Thanks, *Michael Rainey* On 04/29/2016 03:28 AM, Sumit Bose wrote: On Thu, Apr 28, 2016 at 04:09:16PM -0500, Michael Rainey (Contractor) wrote: I am wondering if anyone out there is currently using freeIPA with smart cards along with LightDM. I have systems running SL7.2 with GDM

[Freeipa-users] FreeIPA with smart card using LightDM

2016-04-28 Thread Michael Rainey (Contractor)
What examples I have found do not work due to a missing ScreenSaver object. If anyone has any good solutions to this problem I would enjoy hearing them. Thanks in advance. -- *Michael Rainey*

[Freeipa-users] AD Integration - /etc/krb5.conf requirements

2016-04-28 Thread Michael ORourke
I'm just looking for some clarification from the documentation: http://www.freeipa.org/page/Active_Directory_trust_setup In the section that starts with "Edit /etc/krb5.conf", they mention a manual configuration to the krb5.conf file for machines that will be leveraging AD users: [realms] IPA_DO

Re: [Freeipa-users] FreeIPA and PWM

2016-04-21 Thread Michael ORourke
I was able to get an older version of PWM (v.1.6.4 b1185) with an older FreeIPA v.3.0.0 working together.  It's been a few years since I initially set it up, but I recall it was not easy getting PWM to cooperate with IPA.  I do recall that I had to grant some extra privileges for the "proxy" user. 

Re: [Freeipa-users] AD Integration change propagation timing

2016-04-08 Thread Michael ORourke
-Original Message- >From: Michael ORourke >Sent: Apr 8, 2016 11:01 AM >To: Sumit Bose , freeipa-users@redhat.com >Subject: Re: [Freeipa-users] AD Integration change propagation timing > >-Original Message- >>From: Sumit Bose >>Sent: Apr 8, 20

Re: [Freeipa-users] AD Integration change propagation timing

2016-04-08 Thread Michael ORourke
-Original Message- >From: Sumit Bose >Sent: Apr 8, 2016 3:36 AM >To: freeipa-users@redhat.com >Subject: Re: [Freeipa-users] AD Integration change propagation timing > >On Thu, Apr 07, 2016 at 10:28:22PM -0400, Michael ORourke wrote: >> I have a question regar

[Freeipa-users] AD Integration change propagation timing

2016-04-07 Thread Michael ORourke
I have a question regarding AD Integration with FreeIPA (CentOS 7.1/freeipa 4.2.0) and Windows Server 2008 R2 with a Functional Level forest of 2008 R2. Given a simple scenario of a group in active directory that is mapped to a POSIX group in FreeIPA, if a change is made on the AD side such as

Re: [Freeipa-users] FreeIPA Deployment Proposal (request for recommendations)

2016-04-03 Thread Michael ORourke
--Original Message----- From: "Michael S. Moody" Sent: Mar 31, 2016 6:22 PM To: freeipa-users@redhat.com, jeff hallyburton Subject: [Freeipa-users] FreeIPA Deployment Proposal (request for recommendations) Hello FreeIPA Devs/Mailing List, We use FreeIPA to great success in several places,

Re: [Freeipa-users] using sudo in ipa

2016-04-01 Thread Michael ORourke
Jeffrey, You will want to use the Sudo Option "!authenticate". -Mike -Original Message- From: "Armstrong, Jeffrey" Sent: Apr 1, 2016 1:14 PM To: "freeipa-users@redhat.com" Subject: [Freeipa-users] using sudo in ipa Hi, I would like to know how to configure sudo in the IdM env

Re: [Freeipa-users] Lock screen when Smart Card is removed.

2016-03-24 Thread Michael Rainey (Contractor)
ine how to proceed in rolling out the packages. Thanks again, *Michael Rainey* On 03/24/2016 05:09 AM, Sumit Bose wrote: On Wed, Mar 23, 2016 at 12:25:50PM -0500, Michael Rainey (Contractor) wrote: Hi Sumit, I've been trying to download the rpm via the Koji client and have been unable to locate pack

Re: [Freeipa-users] Lock screen when Smart Card is removed.

2016-03-23 Thread Michael Rainey (Contractor)
st of packages from Fedora Projects and nothing from the EL repo. Thanks, *Michael Rainey* NRL 7320 Computer Support Group Building 1009, Room C156 Stennis Space Center, MS 39529 On 03/22/2016 07:25 AM, Sumit Bose wrote: On Fri, Mar 18, 2016 at 10:53:08AM -0500, Michael Rainey (Contractor) wrote

Re: [Freeipa-users] Lock screen when Smart Card is removed.

2016-03-19 Thread Michael Rainey (Contractor)
Hi Sumit, It has been a week and I am following up with you on the lock screen issue. Have you had any progress? If so, I am hoping implementing the fix will be quick and easy. Thanks, *Michael Rainey* On 03/11/2016 02:32 AM, Sumit Bose wrote: On Thu, Mar 10, 2016 at 01:36:15PM -0600

[Freeipa-users] Lock screen when Smart Card is removed.

2016-03-10 Thread Michael Rainey (Contractor)
making it work. Does anyone have any suggestions as to what it would take to enable locking the screen when the smart card is removed? Thank you in advance. -- *Michael Rainey*

[Freeipa-users] Smart Card Login on Fedora 23.

2016-02-22 Thread Michael Rainey (Contractor)
to fall apart. On SL7.2, smart card login on GDM needs to be disabled so SSSD can do its job of authenticating. Does the same option need to be disabled for SSSD to perform the smart card login on Fedora 23? Are there any other details that may vary from the RHEL7.2 release? -- *Michael Rainey

Re: [Freeipa-users] smart cards containing multiple certificates

2016-02-12 Thread Michael Rainey (Contractor)
don't know if this has been noted in the past, but I do feel it is important to mention in either case. *Thanks, Michael Rainey* On 02/11/2016 02:46 AM, Sumit Bose wrote: On Wed, Feb 10, 2016 at 04:05:20PM -0600, Michael Rainey (Contractor) wrote: Greetings, I'm curious as to how

[Freeipa-users] smart cards containing multiple certificates

2016-02-10 Thread Michael Rainey (Contractor)
roblem for the end-user or has this problem been addressed? -- *Michael Rainey*

[Freeipa-users] Migrating NIS host to freeIPA host with smart card

2016-02-09 Thread Michael Rainey (Contractor)
me of the configurations to get GDM to recognize the card with no luck. Is there a checklist available that I could follow to make sure everything is configured properly? All configurations work when using a username and password. -- *Michael Rainey*

Re: [Freeipa-users] Enabling smart card on GDM manually.

2016-02-03 Thread Michael Rainey (Contractor)
Please disregard this message. I discovered the answer after the message was sent. There is a locks file in /etc/dconf/db/distro.d/locks. I edited the /etc/dconf/db/distro.d/10-authconfig and rebooted. It is recognizing the smartcard now. *Michael Rainey* NRL 7320 Computer Support Group

[Freeipa-users] Enabling smart card on GDM manually.

2016-02-03 Thread Michael Rainey (Contractor)
ause it tweaks the pam configuration to the point that an IPA client is unable to authenticate using the smartcard. Any suggestions? -- *Michael Rainey* NRL 7320 Computer Support Group Building 1009, Room C156 Stennis Space Center, MS 39529

Re: [Freeipa-users] FreeIPA smart card how to

2016-02-02 Thread Michael Rainey (Contractor)
id pair Feb 2 13:00:13 cabildo gdm-smartcard]: pam_pkcs11(gdm-smartcard:auth): pam_get_pwd() failed: Conversation error Where do I go from here? *Michael Rainey* NRL 7320 Computer Support Group Building 1009, Room C156 Stennis Space Center, MS 39529 On 02/02/2016 09:56 AM, Martin Kosek wrot

[Freeipa-users] FreeIPA smart card how to

2016-02-02 Thread Michael Rainey (Contractor)
me on the Card is not being mapped to the proper attribute on the IPA server. So here's my question: Is there a howto which explains how and where this mapping occurs? Is this something I can configure myself, or is it hard coded? Sincerely, -- *Michael Rainey*

Re: [Freeipa-users] [SSSD-users] heads-up: new code to fetch sudo rules from an IPA server coming to Fedora and RHEL-6

2016-02-01 Thread Michael Ströder
AP tree" really mean. Does this only affect the IPA provider? Ciao, Michael. -- Michael Ströder E-Mail: mich...@stroeder.com http://www.stroeder.com

Re: [Freeipa-users] Service Accounts via IPA

2015-12-13 Thread Michael ORourke
What we do is create a non-posix group in FreeIPA and apply a custom password policy, then join the users to that group.  Then login as the service account and reset the account's password to some random string.  But if you reset it through the UI, it will set the password to expire in 1 hour.  Als

Re: [Freeipa-users] FreeIPA, Windows and Kerberos

2015-10-23 Thread Michael ORourke
What about the pGina project? I haven't tried this personally, but it sounds like it might be something that could work with FreeIPA (using the LDAP plugin). Reference: http://pgina.org/ And this article looks helpful: http://www.freeipa.org/page/Windows_authentication_against_FreeIPA Or perhap

[Freeipa-users] Looking to test one-way trust

2015-10-13 Thread Michael Barkdoll
ganization. My questions are as follows: 1) Is there a guide/post that I can follow for setting up a one-way trust between FreeIPA and AD? 2) What type of trust is being created on the AD side, is it a cross-forest outgoing trust to the FreeIPA server from the AD server? Thanks for your kind time

Re: [Freeipa-users] How to turn off RC4 in 389ds???

2015-09-26 Thread Michael Lasevich
That did it. Thank you. On Thu, Sep 24, 2015 at 12:59 AM, Martin Kosek wrote: > Hello Michael, > > It is possible that this problem comes from obsolete package in the > mkosek/freeipa COPR repo, which was fixed in Fedora/RHEL, but not there. > > Can you please try to upda

Re: [Freeipa-users] How to turn off RC4 in 389ds???

2015-09-23 Thread Michael Lasevich
2 result: 0 Success # numResponses: 3 # numEntries: 2 On Wed, Sep 23, 2015 at 11:53 AM, Martin Kosek wrote: > On 09/23/2015 05:05 PM, Michael Lasevich wrote: > >> Yes, I am talking about 389ds as is integrated in FreeIPA (would be silly >> to >> post completely non-IPA questions t

Re: [Freeipa-users] How to turn off RC4 in 389ds???

2015-09-23 Thread Michael Lasevich
wrote: > > On 09/23/2015 05:05 PM, Michael Lasevich wrote: > > Yes, I am talking about 389ds as is integrated in FreeIPA (would be silly > to post completely non-IPA questions to this list...). > I am running FreeIPA 4.1.4 on CentOS 7.1 and RC4 is enabled on port 636 no > matter wh

Re: [Freeipa-users] How to turn off RC4 in 389ds???

2015-09-23 Thread Michael Lasevich
he sslscan is broken, but nmap and other scanners all confirm that RC4 is still on. -M On Wed, Sep 23, 2015 at 3:35 AM, Martin Kosek wrote: > On 09/23/2015 11:00 AM, Michael Lasevich wrote: > > OK, this is most bizarre issue, > > > > I am trying to disable RC4 based TLS Cipher

[Freeipa-users] OTP unstable/non functional after upgrade?

2015-09-23 Thread Michael Lasevich
Ok, something odd happened I would love some feedback/ideas on: We had 4.1.2 running on Fedora that we used for, among other things, OTP authentication. I have just upgraded these to CentOS 7 with 4.1.4 running and our OTP setup suddenly became very unstable. Things that have changed during upgra

Re: [Freeipa-users] [Import existing CA Cert]

2015-09-23 Thread Michael Anderson
Hi Martin, thanks for your reply. On 09/23/2015 09:07 AM, Martin Kosek wrote: On 09/22/2015 12:41 PM, Michael Anderson wrote: Hi All, we're evaluating freeipa/dogtag as a PKI management service and hoping to replace our existing menagerie of bash/openssl scripts. I'm trying to e

[Freeipa-users] How to turn off RC4 in 389ds???

2015-09-23 Thread Michael Lasevich
OK, this is a most bizarre issue. I am trying to disable RC4-based TLS cipher suites in LDAPS (port 636) and for the life of me cannot get it to work. I have followed many nearly identical instructions to create an ldif file and change "nsSSL3Ciphers" in "cn=encryption,cn=config". Seems simple enough -

[Freeipa-users] Possible bug in ipa-replica-install/pkispawn - or maybe lib mismatch

2015-09-23 Thread Michael Lasevich
Ok, I just went through the process of migrating our IPA setup from 4.1.2 running on Fedora 20 (?? may have been 21) to 4.1.4 on CentOS 7 (MKosek Copr version) and ran into a nasty bug. The replica-install crashes during CA configuration with something like: ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/

[Freeipa-users] [Import existing CA Cert]

2015-09-22 Thread Michael Anderson
gning cert? * can I import existing server certs and keys? * I'm using Fedora 22. When I install dogtag-pki, the user page for submitting CSRs is available. But when I install the freeipa package, I get a 404 when attempting to access the page. Is this functionality available in freeipa

Re: [Freeipa-users] [SSSD-users] Announcing SSSD 1.13 Alpha

2015-06-22 Thread Michael Ströder
Hi! I'd be glad if this RFE could make it into 1.13.x: https://fedorahosted.org/sssd/ticket/2411 Ciao, Michael. smime.p7s Description: S/MIME Cryptographic Signature -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Having Issues with Dogtag After Updating IPA and Rebooting

2015-03-25 Thread Michael Pawlak
Endi, Due to time constraints, we turned up another IPA server, migrated all DNS and users and turned down this host. So, I think at this point installing the package would be moot. Thanks for your help anyways. *Michael Pawlak* Web Systems Administrator | Colovore LLC E: m...@colovore.com C

Re: [Freeipa-users] Having Issues with Dogtag After Updating IPA and Rebooting

2015-03-24 Thread Michael Pawlak
Endi, Any word on the build? *Michael Pawlak* Web Systems Administrator | Colovore LLC E: m...@colovore.com C: 408.316.2154 <http://www.colovore.com> On Mon, Mar 23, 2015 at 2:55 PM, Michael Pawlak wrote: > Endi, > > I could test that. > > *Michael Pawlak* > W

Re: [Freeipa-users] Having Issues with Dogtag After Updating IPA and Rebooting

2015-03-23 Thread Michael Pawlak
Endi, I could test that. *Michael Pawlak* Web Systems Administrator | Colovore LLC E: m...@colovore.com C: 408.316.2154 <http://www.colovore.com> On Mon, Mar 23, 2015 at 1:36 PM, Endi Sukma Dewata wrote: > Thanks for the info. The transaction log doesn't indicate the cause of
