Re: certmonger upgrade failure
by Rob Crittenden
Harald Dunkel wrote:
> Hi Robert,
>
> On 6/26/18 4:45 PM, Rob Crittenden via FreeIPA-users wrote:
>> Harald Dunkel wrote:
>>>
>>> I see several files with a key_pin or Key_pin_file inside. I would prefer
>>> to send you these files in an encrypted EMail. What would you suggest? Do
>>> you have PGP?
>>
>> Except for the pin the rest of the content is generally safe. My key is
>> available in the MIT keyserver if you want to send it out of band.
>>
I don't see anything obviously wrong. I'd try launching certmonger from
a shell to see what you get:
# certmonger -d 9
rob
5 years, 2 months
AD overwrite not persistence
by Michael Gusek
Hi,
we use an Active Directory (Server 2012) and a FreeIPA 4.5.4
installation. FreeIPA runs under CentOS 7, sssd version is
sssd-1.16.0-19.el7.x86_64. Between AD and FreeIPA we have set up a
one-way trust. For some AD users, we have set up a uid override under
"Default Trust View" in FreeIPA. This overwrite is regularly lost on the
FreeIPA server. If we clear the sssd cache (systemctl stop sssd; rm -rf
/var/lib/sss/{db,mc}/*; systemctl start sssd), the override takes effect
again. Here is a history for today:
2018-07-03 10:55:01
2018-07-03 11:05:01
2018-07-03 11:06:01
2018-07-03 11:10:01
2018-07-03 11:12:01
2018-07-03 11:15:01
2018-07-03 11:29:01
2018-07-03 11:31:01
2018-07-03 11:34:01
As you can see, there is no periodicality; from yesterday to today it
ran for about 11h without problems, and today since 11:34.
How can we fix the problem?
Michael
5 years, 2 months
Spring LDAP connection to FreeIPA for AD trust users
by Pieter Baele
Hi,
We have an application (Spring LDAP backend) that uses keytabs in the IPA
domain for SSO auth.
No problems at all for internal FreeIPA users after they have a valid
ticket (using MIT Kerberos for Windows) and a correctly configured browser.
An AD user is never present in IPA itself as an inetOrgPerson objectclass
(correct?).
So because AD users are only present in the compat tree after adding them
to the "Default Trust View", configuration of the application is a problem.
Because of the schema, I can only use posixAccount and membership is using
memberUid / RFC2307 (correct again?)
The absence of inetOrgPerson information (and memberOf) in the compat view,
gives me difficulties connecting this component to FreeIPA....
Does anyone have experience with connecting Spring to IPA - AND - being able to use
AD users?
Sincerely
Pieter
5 years, 2 months