Fwd: WebUI ignore users ipaUsersAuthType.
by Qudu Duqu
Hi all,
ipa --version
VERSION: 4.5.0, API_VERSION: 2.228
At some point in the FreeIPA WebUI, the last known type of user
authorization is used.
Changing the type of authorization of the user does not change anything.
For example, if the user has set the OTP authorization type and changes it
to a password, the FreeIPA WebUI ignores this and waits for OTP input. And vice
versa.
If the user has set the password authorization type and changes it to OTP,
logon only by password will work.
kinit and everything else works correctly.
I did not find any error messages in logs. (httpd, krb5, slapd)
Does anyone know how to fix this?
P.S. The official demo has the same problem.
6 years, 3 months
API 3005 Unknown option: <myAttrName>
by Matt .
Hi guys,
I have added my own user attribute, which works perfectly fine from the web GUI and the CLI, but not using the API, where I get this error as the response:
3005 Unknown option: <myAttrName>
I thought this would line up easily. What goes wrong?
Thanks,
Matt
6 years, 3 months
Re: Request for input on installing IPA onto ARM/SoC boards
by Andrew Meyer
For the most part, yes. It's cheap, low-power. I actually have tried to do this w/ a Fedora build. It overloaded the RasPi 2 & or 3. I can't remember, to be honest. But I feel like if I'm able to run something that does IDM on that, I'm good to go. I think it is probably just the hobbyist in me that wants to do this. But it looks like the storage is not a high enough caliber.
I wouldn't be upset if I had to buy something that was an Atom processor and throw an SSD in it.
More to come as I think about it.
On Tuesday, January 23, 2018 7:45 AM, Rob Crittenden via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
Andrew Meyer via FreeIPA-users wrote:
> Agreed. I would love to run this on a raspberry pi or better.
But why?
Is it because the hardware is so cheap? Is it better/easier/cheaper than
running it in a VM on an existing box? Is it merely for the "fun" factor
(and I'm not disparaging it, I do lots of things just to see if it can
be done).
rob
> On Mon, Jan 22, 2018 at 14:25, Alex Corcoles via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org> wrote:
6 years, 3 months
Request for input on installing IPA onto ARM/SoC boards
by Rob Crittenden
We get questions periodically on installing IPA onto SoC boards, mostly
ARM and usually a Pi (Banana or Raspberry).
We'd like to add a wiki page or howto with tips on known workarounds.
We'd also like to get some use cases on why you'd want to run IPA on
something like this. Is it just an experiment, using it on a home
network with just a few nodes, something else?
I'll take all the input and create a wiki page on it.
Note that up to now we don't recommend doing such an install. Maybe the
user stories will change our mind.
thanks
rob
6 years, 3 months
user_add post_callback doesn't seem to be called.
by Bryce Larson
We have functions that are supposed to be called in a plugin from a post_callback.
It's registered with:
user.user_add.register_post_callback(useradd_postcallback)
The plugin is at /usr/lib/python2.7/site-packages/ipaserver/plugins/csAccount.py
It doesn't seem to be called at all; it used to be. I'm not sure if it was upgrading from 4.3 to 4.4, or from 4.4 to 4.5
that it stopped working, but I think it was the upgrade from 4.4 to 4.5. I'm pretty sure the pre_callback is still working.
Does anyone know why a post_callback would just stop working after upgrading?
This is the documentation that we found that covers post_callbacks:
https://abbra.fedorapeople.org/guide.pdf
6 years, 3 months
(no subject)
by jcccb
Some new log insights from the client when a mount from /storage/ fails:
Jan 23 19:41:10 ubuntu_client automount[825]: parse_mount: parse(sun): core of entry: options=, loc=NFS_Server.ipa.mydomain.example:/storage/media
Jan 23 19:41:10 ubuntu_client automount[825]: sun_mount: parse(sun): mounting root /storage, mountpoint media, what NFS_Server.ipa.mydomain.example:/storage/media, fstype nfs, options (null)
Jan 23 19:41:10 ubuntu_client automount[825]: mount_mount: mount(nfs): root=/storage name=media what=NFS_Server.ipa.mydomain.example:/storage/media, fstype=nfs, options=(null)
Jan 23 19:41:10 ubuntu_client automount[825]: get_nfs_info: called with host NFS_Server.ipa.mydomain.example(IP_OF_UBUNTU_CLIENT) proto 6 version 0x30
Jan 23 19:41:10 ubuntu_client automount[825]: get_nfs_info: nfs v3 rpc ping time: 0.000000
Jan 23 19:41:10 ubuntu_client automount[825]: get_nfs_info: nfs v2 rpc ping time: 0.000000
Jan 23 19:41:10 ubuntu_client automount[825]: get_nfs_info: host NFS_Server.ipa.mydomain.example cost 0 weight 0
Jan 23 19:41:10 ubuntu_client automount[825]: get_nfs_info: called with host NFS_Server.ipa.mydomain.example(IP_OF_UBUNTU_CLIENT) proto 17 version 0x30
Jan 23 19:41:10 ubuntu_client automount[825]: get_nfs_info: nfs v3 rpc ping time: 0.000000
Jan 23 19:41:10 ubuntu_client automount[825]: get_nfs_info: nfs v2 rpc ping time: 0.000000
Jan 23 19:41:10 ubuntu_client automount[825]: get_nfs_info: host NFS_Server.ipa.mydomain.example cost 0 weight 0
Jan 23 19:41:10 ubuntu_client automount[825]: prune_host_list: selected subset of hosts that support NFS3 over TCP
Jan 23 19:41:10 ubuntu_client automount[825]: mount_mount: mount(nfs): calling mkdir_path /storage/media
Jan 23 19:41:10 ubuntu_client automount[825]: mount_mount: mount(nfs): calling mount -t nfs NFS_Server.ipa.mydomain.example:/storage/media /storage/media
Jan 23 19:41:10 ubuntu_client automount[825]: >> mount.nfs: access denied by server while mounting NFS_Server.ipa.mydomain.example:/storage/media
Jan 23 19:41:10 ubuntu_client automount[825]: mount(nfs): nfs: mount failure NFS_Server.ipa.mydomain.example:/storage/media on /storage/media
Jan 23 19:41:10 ubuntu_client automount[825]: ioctl_send_fail: token = 41
Jan 23 19:41:10 ubuntu_client automount[825]: failed to mount /storage/media
This brings up no errors in the NFS_Server logs.
> Is it possible to try with apparmor disabled (or the equivalent of
> `setenforce 0`)? That might help narrow down where the problem is.
>
Don't think apparmor is involved in this, because a mount of my home folders is working fine on the client.
6 years, 3 months
ipa-client-install changed SELinux Booleans
by Eric Scholwin
I was wondering if anyone noticed while installing FreeIPA on any of their machines, whether or not their SELinux Booleans were affected? I installed this in a test environment and nothing broke. However, when installed in my production environment, an important SEBoolean was changed:
"authlogin_nsswitch_use_ldap --> on"
This particular boolean was changed to off, breaking logins for an application running on the server that required connecting to an ldap server.
I've figured out what broke, now I'm just trying to figure out what caused it to change. Is this something FreeIPA would normally change? I only ask because I've installed this on about 30 systems and only this one was affected, but ldap also isn't used on many of the other servers. Any insight would be appreciated.
Thanks
6 years, 3 months
ipa-restore: a bytes-like object is required, not 'str'
by Matt .
On a freshly installed IPA server, where I do a backup and restore right after installation, I get:
a bytes-like object is required, not 'str'
The ipa-restore command failed. See /var/log/iparestore.log for more information
2018-01-23T04:05:29Z DEBUG stderr=
2018-01-23T04:05:29Z DEBUG Creating log directories for dogtag
2018-01-23T04:05:29Z INFO Restoring from userRoot in MY-DOMAIN-TLD
2018-01-23T04:05:29Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 174, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_restore.py", line 396, in run
    self.ldif2db(instance, backend, online=options.online)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_restore.py", line 554, in ldif2db
    ldif_parser.parse()
  File "/usr/lib64/python3.6/site-packages/ldif.py", line 470, in parse
    return self.parse_entry_records() # parse()
  File "/usr/lib64/python3.6/site-packages/ldif.py", line 460, in parse_entry_records
    self.handle(dn,entry)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_restore.py", line 130, in handle
    self.writer.unparse(dn, entry)
  File "/usr/lib64/python3.6/site-packages/ldif.py", line 210, in unparse
    self._unparseAttrTypeandValue('dn', dn)
  File "/usr/lib64/python3.6/site-packages/ldif.py", line 158, in _unparseAttrTypeandValue
    self._unfold_lines(': '.join([attr_type, attr_value.decode('ascii')]))
  File "/usr/lib64/python3.6/site-packages/ldif.py", line 121, in _unfold_lines
    self._output_file.write(line)
2018-01-23T04:05:29Z DEBUG The ipa-restore command failed, exception: TypeError: a bytes-like object is required, not 'str'
2018-01-23T04:05:29Z ERROR a bytes-like object is required, not 'str'
2018-01-23T04:05:29Z ERROR The ipa-restore command failed. See /var/log/iparestore.log for more information
What goes wrong here?
6 years, 3 months
Freeipa / IDM on a VM
by Grace Thompson
Anybody running their freeipa / IDM cluster on a 100% virtualized environment? We are running the full stack - DNS, ldap, Certs etc and I’m wondering if we can run it all on a VM environment. My concern is the chicken/egg scenario in case of a full DC recovery. Thoughts? Thanks.
6 years, 3 months