FreeIPA 4.5.0 CentOS 7 managed ldap.conf entries
by Dagan McGregor
Hi all,
We have a number of CentOS 7 hosts enrolled with FreeIPA, and I have noticed the ldap.conf on some hosts has two separate URI lines, similar to this:
URI ldaps://ipa.example.com
BASE dc=example,dc=com
TLS_CACERT /etc/ipa/ca.crt
URI https://ipa.example.com
This caused our configuration management to complain about the URI value, because it is listed twice.
Looking at the man page for ldap.conf, it indicates the URI should be LDAP(S), but for some reason our older hosts have it set to HTTPS.
Should all FreeIPA hosts be using the same LDAPS URI value provided?
I can only assume the HTTPS URI is a legacy from the old version 3 FreeIPA install, as it pre-dates me supporting it.
Cheers,
Dagan McGregor
6 years, 2 months
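As an added example (not part of the original post), a small Python check for the condition described above: it parses an ldap.conf, flags a directive that appears more than once, and flags any URI whose scheme is not ldap, ldaps or ldapi. The sample file is constructed to mirror the one quoted in the post.

```python
"""Audit an OpenLDAP-style ldap.conf for duplicate directives and
non-LDAP URI schemes (added example, not from the original thread)."""
from urllib.parse import urlsplit

# Constructed sample mirroring the ldap.conf quoted in the post.
SAMPLE_LDAP_CONF = """\
# managed by the FreeIPA client install
URI ldaps://ipa.example.com
BASE dc=example,dc=com
TLS_CACERT /etc/ipa/ca.crt
URI https://ipa.example.com
"""

# Schemes the ldap.conf(5) man page accepts for URI.
LDAP_SCHEMES = {"ldap", "ldaps", "ldapi"}


def parse_ldap_conf(text):
    """Return (lineno, KEY, value) for each directive.

    Directives are 'KEY value' lines; keys are case-insensitive, '#' starts
    a comment, and a URI line may carry several space-separated URIs."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((lineno, parts[0].upper(), value))
    return entries


def audit_ldap_conf(text):
    """Return human-readable findings; an empty list means the file is clean."""
    findings = []
    first_seen = {}
    for lineno, key, value in parse_ldap_conf(text):
        if key in first_seen:
            findings.append(f"line {lineno}: duplicate {key} "
                            f"(first seen on line {first_seen[key]})")
        else:
            first_seen[key] = lineno
        if key == "URI":
            for uri in value.split():
                scheme = urlsplit(uri).scheme.lower()
                if scheme not in LDAP_SCHEMES:
                    findings.append(f"line {lineno}: URI {uri} uses "
                                    f"non-LDAP scheme '{scheme}'")
    return findings


if __name__ == "__main__":
    for finding in audit_ldap_conf(SAMPLE_LDAP_CONF):
        print(finding)
```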
web administration on secondary node
by Andrew Meyer
I was just checking the web admin on my secondary node (still in testing phase) but it won't resolve at all. I'm not sure why.
These are the only errors I have from the Apache logs:
[Tue Jan 30 09:49:54.429727 2018] [mpm_prefork:notice] [pid 3637] AH00170: caught SIGWINCH, shutting down gracefully
[Tue Jan 30 09:50:05.307796 2018] [core:notice] [pid 28116] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Tue Jan 30 09:50:05.309390 2018] [suexec:notice] [pid 28116] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Jan 30 09:50:05.309439 2018] [:warn] [pid 28116] NSSSessionCacheTimeout is deprecated. Ignoring.
[Tue Jan 30 09:50:05.669064 2018] [auth_digest:notice] [pid 28116] AH01757: generating secret for digest authentication ...
[Tue Jan 30 09:50:05.670271 2018] [lbmethod_heartbeat:notice] [pid 28116] AH02282: No slotmem from mod_heartmonitor
[Tue Jan 30 09:50:05.670304 2018] [:warn] [pid 28116] NSSSessionCacheTimeout is deprecated. Ignoring.
[Tue Jan 30 09:50:05.751335 2018] [mpm_prefork:notice] [pid 28116] AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
[Tue Jan 30 09:50:05.751387 2018] [core:notice] [pid 28116] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Tue Jan 30 09:50:19.078769 2018] [:error] [pid 28125] ipa: INFO: *** PROCESS START ***
[Tue Jan 30 09:50:19.106813 2018] [:error] [pid 28124] ipa: INFO: *** PROCESS START ***
My firewall is currently turned on - this won't happen in production. I am running the latest version of FreeIPA on CentOS 7.x.
I tried restarting the IPA service, and that did nothing. I'm going to keep researching, but thought maybe this was caused by an update.
Thanks,
Andrew
6 years, 2 months
AD policies
by Daniele Liciotti
Hi,
I have connected my FreeIPA server with an AD in trust. Is it possible to assign special permissions (sudo) to some AD users? I noticed that the policies can only be set for an AD group.
Thanks in advance,
Daniele
6 years, 2 months
Multi-site, multi-domain
by Alexandre Cardoso
Hi Guys,
Is there any configuration where I can set up 2 or 3 masters with replication across multiple sites, where each of those masters has a different domain such as ipa.example-site1.com, ida.example2-site2.com?
Is this possible using the ida-server-replication?
Thanks in advance
Alex
6 years, 2 months
AD accounts unavailable from clients
by Henrik Johansson
Hi,
I have a working trust between my IPA server and an AD domain, I can look up accounts and log in to the IPA server using AD accounts. I am however unable to do the same when I connect a client to the IPA server: the local IPA accounts are available, such as admin, but not AD accounts. I have tried to do a realm join and also using ipa-client-install directly without success. Are there any additional steps that need to be done to access accounts over the trust? I have some debug output on pastebin also: https://pastebin.com/xy9SbCw4
Regards
Henrik
6 years, 2 months
restricting shells
by Charles Hedrick
One of my staff made a typo in his shell in "ipa user-mod --shell". It can be hard to recover from, since you can't log in.
Is there a way to restrict what they can use? Traditionally only shells in /etc/shells were valid.
6 years, 2 months
Anyone have issues on CentOS 7?
by barrykfl@gmail.com
Hi:
When rebooting the server, the certmonger.service always fails.
It is not a cluster, just a single server.
6 years, 2 months
CentOS 7 with IPA always fails to start
by barrykfl@gmail.com
hi:
Anyone have such experience? certmonger always fails after reboot.
The DBus service / other services seem to be working fine. No systemctl command can run.
Also, it is not a cluster. Any hints?
systemctl daemon-reload
Error getting authority: Error initializing authority: Error calling
StartServiceByName for org.freedesktop.PolicyKit1:
GDBus.Error:org.freedesktop.DBus.Error.TimedOut: Activation of
org.freedesktop.PolicyKit1 timed out (g-dbus-error-quark, 20)
Failed to execute operation: Connection timed out
Thanks,
barry
6 years, 2 months