Hi all:
9444 port can be telnet ...Any idea ? the log show below as I don't have
more idea... If I plan to
migrate to same version of server what I have to copy ? as I saw
step of migration also similar to replica so now stuck on the steps.
Any Manual copy steps ? as I copy and paste the LDAP of A
8443 port already firewall open but still fail..1G memory only in web
hosting..free 600 M still
2017-03-15T01:36:47Z DEBUG The ipa-server-install command failed, exception: NetworkError: cannot connect to 'https://centralaws.ABC.com:8443/ca/rest/account/login': Could not connect to centralaws.ABC
Hi:
Anyone has exp installing freeipa in Amazon Linux based on Fedora?
I tried to install the repo myself but it failed, it only says no such freeipa.
Which repo should I use? I already tried many different sources, still fail.
It seems it has its own Amazon Linux repo.
thks
barry
--
Manage your subscription for
No expired cert prompt comes out. All services in ipa status OK.
and 9444 port can telnet
Creating SSL certificate for the Directory Server
preparation of replica failed: cannot connect to 'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (PR_END_OF_FILE_ERROR) Encountered end of file.
cannot
Hi:
I already done input new cert but ipa-replica-prepare central03.ABC.com (ipa
3.0) it fail with the error as below:
which "location" I should check the old cert still inside somewhere
Below I already input CA / server cert ..and nssdb pointing is right
..already spent several days to check whe
I think I already input all ca cert and server cert
certutil -d /etc/dirsrv/slapd-PKI-IPA/ -L
Trust Attributes
SSL,S/MIME,JAR/XPI
*.wisers.com < it is the server wild card cert
already
EXT-CA
same as replica gpg making....Found this cert 2015 expired only,,?
but I follow manual here:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1
It imported as EXT-CA as Alias rather than server cert by default...Is there
anywhere pointing wrong
Hi:
I have freeipa 3.0 server ...and want to make a new server ignore any cert
related.
eg I clean install a server using default free ipa server cert ..and copy
dirsrv data to new.
can I just copy /etc/dirsrv scheme..username /passwords and groups ?
Also if I copy these to 4.0 server any issue
gpg
Creating SSL certificate for the Directory Server
ipa : ERROR cert validation failed for "CN=central.ABC.com,O=ABC.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
preparation of replica failed: cannot connect to 'https://central.ABC.com:9444/ca/ee/ca/profile
Hi :
I already follow the procedure to install new CA and add ca.crt to the
library I known ...where still missed ?
ABC-COM...[28/Jun/2016:15:45:53 +0800] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert *.ABC.com of
family cn=RSA,cn=encryption,cn=config (Netscape Porta
Hi :
I renew External CA cert below ...seem server-cert ok.
But ca CERT FAIL..
I ALREADY PASTE ON
/etc/httpd/alias
/etc/dirsrv/slapd-PKI-IPA
/etc/dirsv/slapd-ABX-com
/var/lib/pki-ca/alias 's CA conf
any idea?
ABX-COM...[23/Jun/2016:10:42:32 +0800] - SSL alert:
CERT_VerifyCertificateNow: verify
Externally signed CA - GoDaddy expired.
Already add new to db /etc/https/alias / -L and config nickname map in
/etc/http/config.d/nss.conf
Already Import to /etc/slapd/PKI-IPA ...where nickname I should point to?
Already change /etc/dirsrv/slapd-ABC-COM and nickname map in dse.ldif
Start stop IP
hi all:
Thx, as title
ipa : ERROR cert validation failed for "CN=server.abc.com,O=WISERS.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
preparation of replica failed: cannot connect to 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_E
Hi:
As stated in the guideline online.../root/ipa.crt is the server cert
generated by 3rd party CA ? or the CA cert itself that need to pair with
server cert later. thx
Give the CSR to your external CA and have them issue you a new certificate.
We assume that the resulting certificate is saved in
Already change a new cert, no error prompt when start server. But using
ipa-replica install, same error out. So I should miss some folder not yet
replace.
On 19 May 2016 at 2:01 AM, "Rob Crittenden" wrote:
> barry...@gmail.com wrote:
>
>> Hi:
>>
>> I type ipa-replica-install server --ip 192.168.1.3
>>
>> it
Hi:
I type ipa-replica-install server --ip 192.168.1.3
it show my cert expire, where location I should input the cert ?
trusted by the user.)
preparation of replica failed: cannot connect to
'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno
-8172] (SEC_ERROR_UNTRUSTED_
Hi :
2 servers configured as multi master but one of them cannot telnet 7389
how can I check and re-enable it ?
Server cannot telnet 7389 should I reinstall CA service ...is it
related ?
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTT
Hi :
Before I use GoDaddy cert and everything work fine for a year now the cert
expired.
and break the mutual agreement .whatever command I type it shown cant
contact ldap server.
can I just fall back the ipa self sign cert if I have backup?
pls advise the detail procedure
Regards.
Barry
So now how can i restore the normal status.
Can i export those acc out and restore to new server if same schema.?
Manual backup restore i test before should work.
On 10 May 2016 at 8:16 PM, "Martin Basti" wrote:
> There is no ipa-restore or ipa-backup commands even on RHEL6.7, centos6.7,
> so I have no i
Hi:
Restore from backup follow the procedure below:
http://www.freeipa.org/page/V3/Backup_and_Restore
Now server web page launch but cannot access
Sorry you are not allowed to access this service.
Starting dirsrv:
PKI-IPA... [ OK ]
WISERS-COM.
Hi all:
I m using freeipa 3.0 ...is there a fast way to export username / password
and migrate to
new 4.0 server not inplace upgrade .?
Regards
Barry
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org
Just wonder the freeipa package will have bugs if os too.old.
On 10 May 2016 at 3:09 PM, "Lukas Slebodnik" wrote:
> On (10/05/16 08:19), barry...@gmail.com wrote:
> >Do u meant the error related to OS?
> I mean that there are known bugs in FreeIPA components.
> 389-ds, sssd
> CentOS 6.5 is quite old v
Do u meant the error related to OS?
On 9 May 2016 at 7:17 PM, "Lukas Slebodnik" wrote:
> On (09/05/16 12:14), Barry wrote:
> > Hello Barry,
> >
> >Can you provide more info?
> >
> >What is your IPA version, OS?
> >
> >CENTOS 6.5
> >
> Please upgrade to latest CentOS 6.7
> there are known bugs in C
Hello Barry,
Can you provide more info?
What is your IPA version, OS?
CENTOS 6.5
server1 - ipa-server-3.0.0-47.el6.centos.2.x86_64
server 2 - ipa-server-3.0.0-37.el6.x86_64
What are the symptoms you are experiencing?
server1 's update not transfer to server 2 but server 2 can transfer to
ser
Hi All:
I restore from backup but some lib / pki error come.
As the package is ipa-server-3.0.0-26.el6_4.4.x86_64
But now is ipa-server-3.0.0-47.el6.centos.2.x86_64 , it seem no harm ?
How to tune it ?
Starting KDC Service
Starting Kerberos 5 KDC: [ OK
Hi all:
I got master 1 have ca and server 2 replicating . Now master 1 fail all
lost.
Can i skip it just make server 3 replicated slave or must recovered master
1.
Regards
U meant it fail start if update minor version only?
On 4 May 2016 at 7:25 PM, "Lukas Slebodnik" wrote:
> On (04/05/16 13:17), barry...@gmail.com wrote:
> >Can specific minor version?
> Yes you can
>
> yum update ipa-server-3.0.0-37.el6.x86_64
>
> However, it can fail if this version is not available in r
Hi:
Before the server can start up if i disable nsslapd-security in dse.ldif.
But now after I update to minor version from -3.0.0-26 to
ipa-server-3.0.0-47.el6.centos.2.x86_64 , it not allow me to start any idea
.
I think it not relate to ssl cert issue.
[04/May/2016:17:32:52 +0800] - SSL alert: CER
Can specific minor version?
On 4 May 2016 at 1:15 PM, "Devin Acosta" wrote:
> Barry,
>
> Yes you should be able to just do a: "yum update ipa-server" and you
> should be good to go.
>
>
> --
> Devin Acosta, RHCE, LFCE
> Linux Certified Engineer
> e: de...@linuxguru.co
>
>
> On May 3, 2016 at 9:10:04 PM, b
Hi :
How to in place upgrade ipa-server-3.0.0-26.el6_4.4.x86_64
to ipa-server-3.0.0-37.el6.x86_64
This is minor version upgrade , can it just type update command?
Regards
Barry
server 1:
ipa-server-3.0.0-26.el6_4.4.x86_64
server2
ipa-server-3.0.0-37.el6.x86_64
2016-04-30 1:10 GMT+08:00 :
>
> ipa-server-3.0.0-37.el6.x86_64 << here
>
> 2016-04-29 19:36 GMT+08:00 Martin Basti :
>
>> Please keep, user-list in CC
>>
>> You did not send all information I requested.
>>
>> P
ipa-server-3.0.0-37.el6.x86_64 << here
2016-04-29 19:36 GMT+08:00 Martin Basti :
> Please keep, user-list in CC
>
> You did not send all information I requested.
>
> Please use `rpm -ql ipa-server` to get exact version number
>
>
> On 29.04.2016 13:32, barry...@gmail.com wrote:
>
> Error.is from
Hi All:
Any method can fall back the default ipa cert if I didn't backup original?
Now the slapd and ipa cert storage quite a mess so they cant replicate even
disabled nsslapd:security to off
thx
Barry
thx let me try as i dont want stop dirsrv but live disable nsslapd security.
On 27 April 2016 at 7:26 PM, "David Kupka" wrote:
> On 27/04/16 13:15, barry...@gmail.com wrote:
>
>> Do u meant use ldapmodify?
>> I tried update the dse.ldif but it will fall back after a while.
>>
>> 2016年4月27日 下午7:10 於 "David Ku
Do u meant use ldapmodify?
I tried update the dse.ldif but it will fall back after a while.
On 27 April 2016 at 7:10 PM, "David Kupka" wrote:
> On 27/04/16 12:48, barry...@gmail.com wrote:
>
>> Hi:
>>
>> Without restarting dirsrv possible do that ?
>>
>>
>> thx Regards
>>
>> barry
>>
>>
>>
>>
> Hello Barry,
Hi:
Without restarting dirsrv possible do that ?
thx Regards
barry
server 2 can syn update to server 1 but reverse fail
Any idea? error below:
Can't contact LDAP server
[26/Apr/2016:18:40:13 +0800] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=ABC,dc=com--no CoS Templates found, which should be
added before the CoS Definition.
[26/Apr/2016:18:40
Hi:
I have 2 servers clusters replicating ...server1 down server2 take up role
running,
if server 1 turn on again I found the differential ac/data created on
server2 not replicate back to server 1 ...any idea ?
Is it possible to syn back the different data manually or force syn?
if both servers o
Tried. Normally it replicating but if one fail and still add new users. The
recovered server not sync back.
server 1
ipa-replica-manage list
Segmentation fault (core dumped)
server 2
ipa-replica-manage list
Can't contact LDAP server
but it seem still sync as i add new ac then server 2 have
i delete server2 's name server 1 still delete.
any command make it refresh ? it seem still getting old godaddy history?
2015-07-06 21:45 GMT+08:00 :
> Do u meant this :
>
> i already add the cert to nss and even \etc\ipa\ ca.cert replaced
>
>
> [root@(LIVE) slapd-Wwww-COM]$ certutil -d /etc/pki/nssdb -L
>
> Certificate Nickname
Do u meant this :
i already add the cert to nss and even \etc\ipa\ ca.cert replaced
[root@(LIVE) slapd-Wwww-COM]$ certutil -d /etc/pki/nssdb -L
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
COMODO RSA Domain Validation Secure Server CA
the cert already in httpd / ldap side. but it prompt error
[06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
[06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
*.wisers.com - COMODO CA Limited u,u,u
COMODO RSA Domain Validat
hi:
i changed cert already but seem it still keep history of godaddy any help.??
www-COM...[06/Jul/2015:19:59:15 +0800] - SSL alert: Security
Initialization: Can't find certificate (*.wwwcom - GoDaddy.com, Inc.) for
family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
-8174 - s
hi aLL;
i have 2 free ipa in same cluster.
if a node1 fail stop... i found the connection of their replication stop
after node1 fail. now i directly input to the node 2 new accounts ,
will these new accounts syn back when node 1 start up again.?
my issue is that it seem no.
Regards
Barry
Hi:
i set max life no expiry already but still prompt reset password every 3
month
any idea to disable it ??? what happening
Regards
Dear all:
I got 2 servers as cluster ... how can i redirect all logs server2 's
/var/log/dirsrv/slapd-abc.com/access to server 1 's
/var/log/dirsrv/slapd-abc.com/access
so i can view once ?what config should consider ? Or should i use syslog
to collect server2
and redirect all to server 1 ?
t
Hi all:
I have a Bugzilla integrated with ldap ,,,is it possible to check
when the user login through the access log of ldap free ipa server ..
What sentence should it look like ?
thks
barry
Hi:
I follow command found from here and want to del private group but fail any
idea?
It said line 5 attribute error , any syntax wrong?
ldapsearch -LLL -Y GSSAPI cn=barry
ldapmodify -Y GSSAPI <--
Hi :
Is it possible to read clear text of password of ipa users by admin ?
I m facing the issue of half rollout as half vol.of users changed
password already.
And if i deploy and reset all password then it may make issue for this half
and we dont have records which user password sent .
FYI..
160: [04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73 connection from
192.168.156.89 to 192.168.156.89
163: [04/Jul/2014:12:35:30 +0800] conn=936207 op=-1 fd=73 closed - B1
There is not abt binding but i unsure how to fix ..
2014-07-09 2:01 GMT+08:00 Rich Megginson :
> On 07/08/2
FOUND something strange that server 1 replicate to itself rather than
server2
Server1 access log > Wrong
[04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73 connection from
192.168.15.89( server1 ) to 192.168.15.89 (server1)
Server 2 access log > OK
[04/Jul/2014:12:35:30 +0800] conn=936208 f
Just sure now one side flow is broken, if u update server1 , it 100% work
server2 will upgrade.
but if u update server2 there is chance non-syn e.g it create username in
server1 with posfix grp >ok
but in server2 it only created posfix grp but no username /attribute it
occur several times. I have
Yes they are running. Server 1 can syn to server2 but error at server 2
like this.
On 3 July 2014 at 10:14 PM, "Rob Crittenden" wrote:
> Please keep replies on the list.
>
> barry...@gmail.com wrote:
> > I saw the error below and error log is it related ?
> >
> > 29/Jun/2014:02:00:58 +0800] slapd_ldap_sasl_in
Now
node1 can show ipa-replica-manage list
1.abc.com: master
2.abc.com: master
But at node 2 type ipa-replica-manage list
Can't contact LDAP server
It seem break on one side node2 any method to rebuild?
the server trust build in self ca cert before but then it change to godaddy
cert.
Hi:
Found master 1 and 2 not sync, some accounts not sync but try to delete
those account cannot be recreate as it prompt that the posix private group
present
and i found there is not ipa-group del commands at my version freeipa 3 in
centos
any idea ?
barry
Hi:
Any token method through email can allow user authorize by reset password
their own if password cannot retrieval?
What response attribute should be use ?
I tried use pwm ( password manager ) to ask the freeipa by generate a
token to it ,.
but no idea how freeipa accept the token and allow
Now cannot use ipa command line like ipa passwd, any missing ? need
reimport back the ipa cert?
ipa: ERROR: did not receive Kerberos credentials
certutil -d /etc/dirsrv/slapd-ABC-COM -L
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Class 2 Certification Authori
dear all:
Is it possible to query freeipa 's account password and display in plain
txt ?
or convert krbExtraData to plaintxt. rather than reset it.
Regards
barry
Dear all:
my host is abc.def.com
I import a cert *.def.com of godaddy to dirsrv and warning / error prompt
any idea?
is it i cannot use *.def cert and must use a full host cert . abc.def.com???
Shutting down dirsrv:
PKI-IPA... [ OK ]
def-COM.
Dear all:
http://heartbleed.com/ < openssl announced before.
We use 3rd party official cert ref. to this and convert to pkcs12 format by
openssl. ( centos 6.4 ipa 3.0)
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
any patch for ipa need to added or OS level ?
Regards
Ba
Dear all:
I added *.abc.net cert to certutil -d /etc/httpd/alias and
/etc/dirsrv/slapd-ABC-COM
But error comes out after when i login the UI of service and click in entry .
cannot connect to 'https://cert1.abc.com:443/ca/agent/ca/displayBySerial':
[Errno -12276] (SSL_ERROR_BAD_CERT_DOMAIN) Unabl
Found a error today. when browse the cert services ..is it related to Dogtag
system ...how to restart ?
Certificate operation cannot be completed: Unable to communicate with CMS
(Not Found)
Dear all:
I did change using 3rd party cert and now i tried to reimport the original
self sign cert i backup before all in p12 format.
Server-cert.p12 and ipacert.p12 i follow here and import successful.
BUT it show error during restart httpd that say untrust source. even i
added to "NSSEnf
i want to extract the private key of the self sign cert
Dear sir:
where can i set stop alias of /ipa/ui redirection...and let
it just use https://abc.com/ipa/ui/ absolute path?
thks
barry
Dear all:
When install it already generate a self sign cert called mydomain.com . and
run ca service. now i want to check if it ok to install 3rd party
replacing ..so
to httpd my ldap it will be https: my co domain (official cert ). and
replace below.
/etc/ipa/ca.crt
/usr/share/ipa/html/ca.crt
I
No export all func, ..but .it can export one account per time ..so i use a
while loop to do it with a txt file.
Is there a function to export/create report of these fields from the IPA?
I'm not finding anything in the guide. Thanks.
These are some of the fields we know will need in a list of
Dear all:
As title ?
I changed admin (uid) and then change back original passwd . It seem it also
sync to directory manager. I wonder
Now all applications integrated with using CN=directory manager all fail to
connect authorization fail.
Any idea ? should i also change the directory manager password
hi:
I accidentally changed uid admin 's password ...and then change back original.
BUT it seem that it also modify CN+directory manager also can now conflicts.
some user can not access using if cn= directory manager.
any idea ? i tried the following command it says ssl connection already
establsie
Dear all:
I created a account of operator and added roles of user admin with reset
/modify password privileges.
but when he login , the reset password button is grey ?
Any permission i should assign more...
Now can only add this operator to admin group so all full access right.
thks
Barry
Dear all:
Any attribute allow user to retrieve password and response to unlock and
allow to send plain text password.?
Regards
Barry
Is it possible to set allow password to send to user after user request.
I used one of the self password service pwm but it seem it is not
compatible to retrieval of password
using cert request / Answer and questions retrieval
thks
barry
Hi all:
Some doc said it already build in TLS on 389 ... is it nsslapd-minssf on
the dse.ldif?
Should i need to set 636 ldaps ? or set higher nsslapd-minssf enough?
What document tell the default secure connection of free ipa?
thks
barry
Dear all:
Any one have exp to upgrade ipa-server-3.0.0-26.el6_4.4.x86_64 to
ipa-server-3.0.0-37.el6_4.4.x86_64 ( just minor patch/upgrade i think )
Is it just yum install then ok ??? i notice some official document but they
are 3.3 free ipa of fedora ...just yum / run the rpm and not necessary
Dear all:
Which command can export /show all users a/c and info? better in table
format .
Regards
Barry
Hi:
I can make it show on ldap browser or the ui but finding where to add it in
command base.
ipa user-mod ---employeenumber no such parameter.
Moreover can i change the attribute just by name and make use of it.
E.g. i found car license no really useful for staff so i want to change the
labe
Any one knows how to add new attribute or object class to the user
accounts ...eg. added department and id creation date in those users info
field.
Can use 389 / redhat directory console ? I tried to edit 99user.ldif seem
not shown up new attribute.
barry
2014-02-05 Martin Kosek :
> Good! Not
78 matches