I tried to install a CA on the 2nd master from a replica file which was
created on the 1st master (with self-signed CA), which fails with:
ipa : DEBUG stderr=TokenException: Failed to import
EncryptedPrivateKeyInfo to token: (-8152) The key does not support the
What could be wrong here? - Please find the detailed debug log of
ipa-ca-install as an attachment.
Thx & b/r
I have a set-up that has many Freeipa servers throughout various regions,
acting as DNS servers throughout these regions.
To set the stage, I, along with my colleagues, am competent in FreeIPA
administration, but we're not LDAP experts. We've had a couple of scenarios
wherein changes to our IPA environment (adding/removing a host, additions
of zones, etc.) have caused momentary DNS outages.
In addition, we are concerned about LDAP issues that could cause named to
not function - we've already gone through an isolated incident where slapd
took a significant amount of time to start, during which that host was
running named, but was not serving any addresses.
For these and many more reasons we'd feel more comfortable running named
from flat files that pull DNS updates from FreeIPA.
My question to the group is whether there will be any impacts to the
FreeIPA system if we convert named to use files rather than bind as a
backend. Ideally, we'd like to avoid creating new machines to function as
DNS servers and just convert the existing FreeIPA servers to use files for
Any comments or questions on the above approach would be welcome - thanks
for your time.
The home directories of several servers in our company are IPA
automounted. About a week ago, this mechanism stopped working properly
on one server. The directory still gets mounted automatically but the
permissions are nobody:nobody.
I thought restarting idmapd or automount could solve the problem.
Neither did. Then I rebooted the machine hoping it could fix things.
That did not help either.
What steps do I need to take in order to find out what the problem is?
I am working on a script that, as part of its function, modifies some user
attributes. However, this gets run a few times at the beginning of a
semester since people add and drop classes sometimes before the deadline
prevents that. Because of this situation, some people have no modification
to be made when the API call goes out and FreeIPA throws the EmptyModlist
exception. For some reason I can't catch it with anything but a catch-all
exception handler. I need to catch it and just have the script proceed like
nothing really happened if no modification is made.
BYU Dept. of Chemistry and Biochemistry
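An added example (not code from the post above) of the pattern the question is after: call user_mod, treat ipalib's EmptyModlist as "nothing to do", and let every other error (missing user, ACI denial, expired ticket) propagate instead of being swallowed by a catch-all. The `ipa_user_mod` wiring assumes a kinit'd session and the standard `api.bootstrap`/`api.finalize`/`rpcclient.connect` sequence; the stand-in exception class and the fake directory are constructed so the block runs without a FreeIPA server.

```python
# Apply user attribute changes idempotently against the FreeIPA Python API.
try:
    from ipalib import api, errors          # real FreeIPA client library
    EmptyModlist = errors.EmptyModlist      # raised when the modlist is empty
except ImportError:                          # assumption: stand-in so this runs offline
    api = None

    class EmptyModlist(Exception):
        """Stand-in for ipalib.errors.EmptyModlist."""


def apply_user_mod(user_mod, uid, **attrs):
    """Run user_mod(uid, **attrs). Return True if something changed, False if
    FreeIPA reported no modifications. Any other error propagates unchanged,
    so permission or lookup failures are never hidden by a catch-all."""
    try:
        user_mod(uid, **attrs)
    except EmptyModlist:
        return False
    return True


def ipa_user_mod(uid, **attrs):
    """Thin wrapper over api.Command.user_mod (needs ipalib and a Kerberos ticket)."""
    if not api.isdone("finalize"):
        api.bootstrap(context="cli")
        api.finalize()
        api.Backend.rpcclient.connect()
    return api.Command.user_mod(uid, **attrs)


# Constructed offline stand-in for a FreeIPA user_mod command.
_fake_directory = {"jdoe": {"title": "student"}}


def fake_user_mod(uid, **attrs):
    entry = _fake_directory[uid]            # KeyError plays the role of NotFound
    if all(entry.get(k) == v for k, v in attrs.items()):
        raise EmptyModlist("no modifications to be performed")
    entry.update(attrs)
    return {"result": dict(entry)}


def run_demo():
    """First call changes the title, the second is a no-op and must not raise."""
    first = apply_user_mod(fake_user_mod, "jdoe", title="teaching assistant")
    second = apply_user_mod(fake_user_mod, "jdoe", title="teaching assistant")
    return first, second


def other_errors_propagate():
    """A lookup failure for an unknown user is not silently swallowed."""
    try:
        apply_user_mod(fake_user_mod, "ghost", title="x")
    except KeyError:
        return True
    return False
```

In the real script, pass `ipa_user_mod` instead of `fake_user_mod` to `apply_user_mod`.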
Is there a built-in/supported means of bypassing 2fa for non-kerberized services?
I'm in the last stages of migrating away from Active Directory, but have a few systems that do not integrate well with 2fa because they do not cache credentials in any useful form:
* Our enterprise WiFi (would prompt for a new credential every time the device roams to a new AP)
* Our Jabber IM service (would prompt for a password every time the computer wakes from sleep)
* Our IMAP mail service (would prompt for a password every time the connection drops due to idle)
I know Google uses application-specific passwords to mitigate this ( https://support.google.com/mail/answer/185833?hl=en ), which would be better than bypassing 2fa, but I don't believe there's a mechanism to do this built into FreeIPA.
Any suggestions on how I could handle these services?
My FreeIPA (4.5.4) has a cross-forest trust with the AD of the company.
The requirement I have is to automatically add some AD Groups in the IdM Sudoers groups.
The documentation implies that this is possible only for the synchronized AD Users. Is that true?
If not, can I just create an automember rule that will include specific AD groups in the Sudoers membership?
If yes, what is the alternative I have?
I may be going about this in the hardest way possible, so let me stop
and roll everything back to my root need:
I have two IPA servers which manage our infrastructure. We used to have
three, but a catastrophic failure on one led to its total loss. And it
was our CA.
So now we have no CA -- is there a way to promote an existing system to
take over? I realize it may well mean distributing a new root CA cert to
everyone, but that seems less painful now than trying to set up a brand
new cluster of servers and try to port our data over to them...
President, Damascus Products LLC
855-644-2783 <tel:855-644-2783> | 303-523-8037 <tel:303-523-8037> |
bret(a)damascusproducts.com <mailto:email@example.com> |
http://damascusproducts.com/ | 10332 Main St Suite 319 Fairfax, VA 22030
I'm trying to perform the equivalent of an ipa group-find command directly
So I use the api.Command :
What I would like to know is which parameter I should use if I am searching
for groups whose name ends with the string "_toto"?