> Use a sub-domain for at least one of the two realms and save yourself a lot of
> trouble.
Ah. I don't control the network. And it sounds to me like what you're saying is
that there's more than "trouble". Windows is completely unsupportable in this
environment because it can't adapt, and I can
The answer is probably going to be "you can't do that", but I figured I'd ask
anyway.
Parameter #1: I have been allocated a handful of non-routable IP subnets on a
university network where I am a guest.
Parameter #2: Associated with the above is a single DNS subdomain.
Parameter #3: The universi
My guess aligns with this response:
http://stackoverflow.com/questions/31153584/why-is-there-such-a-performance-difference-on-raspberry-pi-between-open-and-orac
Bryce
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Winfried de Heiden
Sent: Thursday
Ummm,
Kinit should work from any host, whether that host is part of the domain or
not. It contains no inherent knowledge of any passwords. If it succeeds, then
you either picked a bad password, stored the password in a plaintext file, or
an actual authorized user ran it. It seems that it would
again,
Bryce
From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Monday, April 25, 2016 1:09 AM
To: user@syncope.apache.org
Subject: Re: Orientation
Hi Bryce,
glad of your interest in Apache Syncope.
See my replies embedded below.
Regards.
On 2016-04-23 21:56 Nordgren, Bryce L
Hi,
I'm trying to set up a hybrid desktop/web identity solution outside the
corporate firewall. I'm essentially an end user and this is well outside my
normal wheelhouse. I gather (from http://syncope.apache.org/iam-scenario.html)
that Syncope can be used to coordinate multiple identity technolo
What kind of network separates client and server? Conservatively assuming that
each point is only two 64-bit binary floats, your 56 points equals 9MB of
additional payload.
If you did something like “ST_AsText(geom)”, the additional payload is much,
MUCH larger.
I’d also be interested to k
Ahh, forgive stupid question:
ST_Rescale flipped the sign of my y pixel size. Changing to
ST_Rescale(rast_750, 375,-375) makes everything ducky.
Bryce
From: postgis-users [mailto:postgis-users-boun...@lists.osgeo.org] On Behalf Of
Nordgren, Bryce L -FS
Sent: Thursday, March 10, 2016 12:00 PM
I have a table with two raster columns, which I'm trying to combine into a
third column using the two raster MapAlgebra. The columns represent fire events
at different resolutions, which fortuitously are a simple factor of two
different. These are all 8BUI rasters interpreted as Boolean masks
An RHEL 7 host filesystem may have the same basic structure as an Ubuntu trusty
container filesystem, but may have different users defined, particularly for
running services and for owning the files those services must touch. To what
extent do you want the same users to be enforced between the c
This reference may help:
https://fasterdata.es.net/host-tuning/background/
I may be asking a question which exposes either my ignorance or lack of
imagination, but is there a reason a kx509 (RFC6717/RFC4556) certificate
wouldn't work? Wouldn't it be easier to add support for these previously
defined extensions?
As I understand it, the main difference between kx509 ce
>Trying to absolutely control the flow of information has a lousy track record.
>And not just in the US but FOIA means that the US examples are rather more
>obvious. Trying to lock everything down resulted in security systems so
>complicated,
>even an MIT professor was unable to figure them ou
> In a corporate context, this makes perfect sense. If I am downloading company
> confidential
> material to my laptop, I want to be able to read it on the laptop but I don't
> want to accidentally
> send a copy to someone else by doing an unfortunate 'reply all'.
So another thing to note in s
Please forgive my organization's utter reliance on an email client that can't
even quote correctly. Not to mention it keeps trying to make hyperlinks in a
plain text message.
> The technical specs are in a separate draft. We modified S/MIME but there is
> nothing
> to stop this being applied t
> Or hack on the KDCs to implement AD-style case-insensitive/preserving
> realm matching. I'm starting to think that we ought to do this in Heimdal and
> MIT Kerberos, at least as an option.
This plus canonicalizing is how our corporate system might work. I don't think
there's a FEDIDCARD.GOV r
> Also, the venerable Russ Allbery created a lowercase realm for Stanford, and
> repeatedly has said that if he had to do it all over again he wouldn't have
> done a lowercase realm; too much software assumes an uppercase realm.
> Maybe that has changed in the intervening years.
Kind of moot. Th
> You could try the -C and -E options to kinit:
>
> -C canonicalize
> -E client is enterprise principal name
>
> — Luke
I could, but I'm not certain the MIT Kerberos KDC (to which kinit is
connecting) knows how to canonicalize. Boy if I could get user principal
mapping going, that
>>Or am I thinking wrong: Does kinit parse the user principal name into client
>>and realm?
>>Should I rename my realm to lowercase fedidcard.gov?
> It's either 12001000550...@fedidcard.gov or it's 12001000550...@fedidcard.gov
That it is. Deleting the realm and recreating a lowercase realm fixed
o one will give them "good" codes. On the other hand,
secure delivery of "no strings attached" encrypted messages is something that
open source can do very well. Respecting this boundary line is an excellent
reason to split the spec into transport and DRM.
Just some thoughts.
Br
> $ kinit '12001000550281\@fedidcard@fedidcard.gov'
Thanks! Making progress!
It now prints a single backslash when describing the principal, both in errors
emitted from kinit and the "listprincs" command in kadmin.local. However, I'm
back to "client name mismatch" out of kinit, presumably b
Hi,
I'm trying to set up the MIT Kerberos server (1.12.2 / Fedora 21) to PKINIT
from my organization's smart cards.
They have a MS user principal name of the form: 12001000550...@fedidcard.gov
I tried creating a realm "FEDIDCARD.GOV" with a user principal 12001000550281.
This resulted in a cli
> -Original Message-
> From: Benjamin Kaduk [mailto:ka...@mit.edu]
>
> You might have better luck on the endymail list, which is considering ways to
> improve email privacy. I don't recall whether a scheme substantially similar
> to your proposal has been discussed there, but there shoul
mailing lists.
No promises. It's not like I spend my life thinking about this stuff.
Bryce
From: Nordgren, Bryce L -FS
Sent: Friday, May 29, 2015 4:36 PM
To: kit...@ietf.org
Subject: Group/Enterprise encrypted email
This is a "what if" message, centered around trying to make emai
> Thanks. I think you're missing the "OU=Entrust Managed Services Root CA"
> root from that set of certs.
You've prompted me to draw a picture. The collection of "intermediate"
certificates is no such thing. I appear to have been given a bag of unrelated
fragments of CA chains. Many apologies f
[mailto:t...@mit.edu]
> Sent: Thursday, May 21, 2015 3:07 PM
> To: Nordgren, Bryce L -FS
> Cc: kerberos@mit.edu
> Subject: Re: PKINIT cert chains
>
> "Nordgren, Bryce L -FS" writes:
>
> > 1] Does my KDC cert have to chain back to the same anchor as my s
> On Thu, May 21, 2015 at 05:35:23PM +0000, Nordgren, Bryce L -FS wrote:
> > "Cannot create cert chain: unable to get local issuer certificate"
>
> What from?
kinit -X X509_user_identity=PKCS11:opensc-pkcs11.so:certid=01
12001000550...@fedidcard.gov
The KDC has a goo
Short version
=============
Questions:
1] Does my KDC cert have to chain back to the same anchor as my smart card
certificates?
2] Is the error below related to the KDC's cert chain or the smart card's cert
chain?
Long version
============
Digging thru my notes, I rediscovered the KRB5_TRACE en
Real quick, is there a common cause for the following message in the context of
PKINIT?
kinit: Invalid argument while getting initial credentials
Adding "-V" adds no information of value. KDC logs show that the correct
principal was located and preauth is required.
Wireshark shows a single AS_
Ken,
Thanks for the info and the perspective!
> We've done that here, but to answer your question ... no, you can't do it with
> a plugin. Well, technically, you CAN ... the answer is "write a whole new
> PKINIT plugin, or modify the existing one". We did the latter.
Your code doesn't happen
Hi all,
I'm looking to set up a KDC to issue TGTs from my organization's smart cards.
Establishing a trust is a non-starter. My target environment is outside the
firewall, all corporate infrastructure is inaccessible and will stay that way.
However, CA bundles are public information. Looking at
Hi Carl,
I may be reading too much into your message, but my spidey sense tells me you
might be using ST_Value inside a loop to get values to put in an equation (or
to evaluate thresholds), thereby constructing an output raster. If this is the
case, a more efficient way to proceed may be to use
e NFS with sec=host)?
Thanks,
Bryce
> -Original Message-
> From: Alexander Frolushkin [mailto:alexander.frolush...@megafon.ru]
> Sent: Sunday, April 12, 2015 9:27 PM
> To: Nordgren, Bryce L -FS; 'Martin Kosek'; freeipa-users@redhat.com
> Subject: RE: [Freeipa-u
> RedHat's FreeIPA may provide some similar functionality, but I'm not familiar
> with it. Ditto Samba.
If I'm not mistaken, FreeIPA 4.1+ should have the ability to overwrite or add
user attributes locally (including "username", uidNumber, group membership).
However, it can only do trusts with
> > It is purely because noone has stepped up to do the maintenance. It is
> > not explicitly excluded. That would only really happen if RHEL itself
> > ships the package or if there are licensing problems
> >
>
> See
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1136051
>
> which has had some p
I notice that ipython has not been released in epel7, but has a release version
for epel6 and Fedora 20-22. Was there a decision to exclude it from epel, or is
this due to lack of resources/interest?
https://apps.fedoraproject.org/packages/python-ipython-notebook
Thanks,
Bryce
> But if one understands the protocols involved, one gets very dubious
> about the idea that exposing the file servers is safe and exposing Kerberos is
> not.
Ah, that's the problem.
Here, anyway, the model where "one" person/entity makes self-consistent
decisions concerning the entire enterpris
> But desktop/workstation logins and fileservers are generally *also* not
> allowed outside of a VPN, so I don't understand what you're gaining.
There simply is no one VPN to cover all the actors.
I am not speaking hypothetically or "generally". The meat and potatoes of this
research organizatio
> So using Kerberos for authorization and SAML for authentication is really
> unintuitive to me, and I think is maximizing your pain levels. :) Whereas
> using
> Kerberos for authentication and then exposing that information via SAML is
> well-trod ground.
I'm not certain where using Kerberos fo
> > In the spirit of choosing our battles wisely, I sense that convincing
> > my CIO to expose corporate identities to the internet is certainly a loser.
>
> Given that you cannot outsource any IT service without doing this, my
> experience is that CIOs are not only willing but eager to find ways o
Renaming thread.
> Not sure what you mean by that; been doing cross-organization SSO for over
> 15 years with a wide variety of organizations; it works just fine.
>The specific implementation of Active Directory may require LDAP (or other
>protocol) access for Windows clients, but it is important
> >Domain controllers and AD FS servers should never be exposed
> >directly to the Internet and should only be reachable through the
> >VPN connection.
>
> This is a very general statement, and is too broad to conclude that the
> Kerberos5 p[ao]rt should be confined to a LAN.
Kerberos
> > implemented/supported/documented. It would require the KDC to be out
> > in the open (to get the ticket used for the VPN auth) and most folks
> > aren't going to do that.
>
> ... can you say more about *why* most folks aren't going to do that?
Caveat: I'm not at all involved with security de
> The hostname put by ipa-client-install corresponds to the server to which this
> client is enrolled. You enroll with a single server, after all.
How would one enroll with multiple IPA servers? For instance, a standard
configuration for a Rocks HPC cluster is to have at least two and usually th
More tidbits:
"Globus toolkit 6" implements the grid security infrastructure. [1] It includes
a modified version of openssh (which accepts PKI certificates) and a
per-machine DN-to-local-user mapping file. RPMs have been released for Fedora
19/20 and RHEL/CentOS 5, 6, 7.
As I understand it, grid
> > I would be very happy to learn that this is a mistake, but their page is
> > clear
> to the point of being emphatic.
>
> First they talk about S4u2proxy and s4u2self at the same time on the same
> page and it might be a bit confusing.
> S4u2proxy works as i described. S4u2self allows a servic
> > If I understand GSS proxy right, I provide a keytab with my password in it
> > so
> that it can get a TGT as me whenever it wants. The keytab may not be human
> readable, but it is directly usable by kinit. This seems too much like typing
> my
> passwd into a plain text file.
>
> You do not
> > I guess a fundamental question is: how would a FreeIPA/sssd compute
> > cluster handle a "batch job/queue submission workflow"? For instance,
> > I submit my job now, with my active ticket. It runs tomorrow, when
> > ticket is expired. Some available GSSAPI integration hooks in "Son of
> > Grid
> -Original Message-
> From: sssd-users-boun...@lists.fedorahosted.org [mailto:sssd-users-
> boun...@lists.fedorahosted.org] On Behalf Of Nordgren, Bryce L -FS
> Sent: Thursday, September 25, 2014 4:13 PM
> To: d...@redhat.com; End-user discussions about the System Secu
> The configs do not talk about SSSD at all. This area definitely requires some
> face lift.
> I wonder if they are aware about SSSD and IdM? Any chance someone can
> ask them to consider SSSD and IdM using SSO as you described above?
https://lists.sdsc.edu/pipermail/npaci-rocks-discussion/2014-S
> Hi
> How about deleting the user called root in AD, choosing another domain user
> called adroot. Then use:
> username map = /some/file
> to make adroot map to root in /some/file?
>
> adroot is now a domain user with uid 0
> HTH,
> Steve
Has anyone mentioned dropping a .k5login file in root's ho
This is kind of a tangent, as we're moving off into discussing authentication
solutions for rocks, so I renamed the thread.
> Wouldn't using constrained delegation (s4u2proxy) + HBAC be a better
> solution for this use case?
> Then you do not need to manage SSH keys. You would need to defin
A novel approach used in rocks clusters is to manage ssh keys for all users
including root. Clearly this isn't a solution which allows you to login from
anywhere to anywhere (their architecture is that one logs into a headnode, then
from there you log into the compute node of your choice.) It al
> I am not sure this is the best list for this question. May be you should ask
> systemd guys.
Helpful soul on freeipa list pointed me to
https://bugzilla.redhat.com/show_bug.cgi?id=915912#c19
Summarized as: Running a service as a domain user will not be supported by
systemd as system users mu
> Also opened https://fedorahosted.org/freeipa/ticket/4544
Tried to summarize this thread on that ticket.
Back to the OP's concern, whenever I use NFS as a documentroot for apache (even
a WebDAV server), I make a separate mountpoint, fall back to sec=sys, set
"all-squash", and specify the webs
> -Original Message-
> I went through this thread:
> https://www.redhat.com/archives/freeipa-users/2014-
> January/msg00177.html
Since January, I've been turning this problem over and over. A good summary of
my functional requirements is here:
http://www.freeipa.org/page/External_Colla
Hi Rob,
How does the NFS server map the apache user to “something” it recognizes? I
would suggest that the easiest solution may be to use an IPA account called
“apache”, so that the mappings would just work, but currently I’m having
trouble running a service as a domain user via systemd.
(http
rc/pylsce
[Install]
WantedBy=multi-user.target
[bnordgren@lugosi ~]$ getent passwd bnordgren
bnordgren:*:10001:1:Nordgren, Bryce L -FS:/home/bnordgren:/bin/bash
[bnordgren@lugosi ~]$ /bin/ipython notebook
[NotebookApp] Using existing profile dir:
u'/home/bnordgren/.ipython/profile_default'
You can bring over password hashes for LDAP, but not Kerberos...provided your
389-ds is new enough to have a recently added configuration switch. If your
system is in "migration mode", then authenticating via LDAP creates Kerberos
hashes transparently.
If you're running 4.0.x, see here for some
Overwriting certain attributes may be more directly addressed by:
https://fedorahosted.org/freeipa/ticket/3979
You are to some extent describing a feature that we call "views" that is
currently in works.
But there are two parts:
a) Ability to overwrite POSIX attributes for AD users - this is v
> However, I'd still like to understand the underlying mechanics to explain my
> original scenarios and why I can't reproduce your example above.
The following suggests that spoofing a user as root may require running
rpc.gssd with -n...I think I'd suggest su-ing to the user account because
ge
> I am unable to reproduce this. I tried both KEYRING:persistent:myuid, and
> KEYRING:user:myusername. In both cases, when I run klist after setting this
> variable, it says:
>
> klist: No credentials cache found while retrieving principal name
>
> However, if I export KRB5CCNAME=FILE:/tmp/krb5c
I'm trying to determine whether this is a known feature, a dumb user problem
with a known workaround, or a problem.
I don't seem to be able to run a systemd service as a user provided by sssd? I
joined my Fedora 19 analysis machine to my freeipa domain and configured sssd
to allow logins from m
> Per Oracle support this is not quite correct: if you have multiple tickets in
> a
> DIR: then the NFS client is either required to negotiate with the server (RFC
> 3530) or try the credentials in order until one works.
"negotiate" appears to mean select a security mechanism, such as Kerberos v
> What I call "authentication 2" is the actual user- and file-level
> permissions, i.e.
> who can see what file. The share is mounted regardless. But at this point,
> under what circumstances is root allowed to see various users' files? How is
> it that root can "authenticate" as user XYZ wit
Sweet! Yes I am apparently talking about that. Consider this an independent
request for that. :)
You are talking about this, right?
https://fedorahosted.org/freeipa/ticket/4509
> OK. Do we have a ticket to expose the filter and allow user to override it or
> parts of it?
> If not please file.
Didn't see one, so:
https://fedorahosted.org/sssd/ticket/2434
Tried to summarize impacted deployment scenarios, describe the request, and
link back to the two distinct email thre
> We had this discussion before:
>
> https://lists.fedorahosted.org/pipermail/sssd-users/2014-May/001630.html
>
> With lots of fine-grained ACLs in the LDAP server (like in my setup) each
> additional assertion attribute type is a performance penalty (without
> additional benefit in my setup).
S
> Are you sure it would help in your environment? Did you check that
> searching with:
> (&(uidNumber=10008)(objectClass=posixAccount))
> is faster than:
>
> (&(uidNumber=10008)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(
> !(uidNumber=0
Yup. Checked before I posted. Actually, the cri
Is it sane to request that freeipa store ssh keys for users who come into the
environment via a trust? Not all of them, of course, but those who want to
store public keys there.
My freeipa server is mostly there to manage machines, and users (incl. me)
mostly come in over trusts from the corpor
ls -l is very slow, as is "getfacl".
Is there any reason that a call to getpwuid(10008) should produce an ldap query
filter like this?:
(&(uidNumber=10008)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0
Clearly, if uidNumber=10008, it is both present and not zero so the last
> -Original Message-
> From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On
> Behalf Of Greg Hudson
> Sent: Thursday, August 28, 2014 10:30 AM
> To: Cedric Blancher;
> Subject: Re: Multiple principals from different realms via kinit?
>
> NFS is a special case, as the program
> -Original Message-
> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
> Sent: Monday, August 25, 2014 3:04 AM
> To: Nordgren, Bryce L -FS
> Cc: 'freeipa-users@redhat.com'; 'sssd-us...@lists.fedorahosted.org'
> Subject: Re: [Freeipa-users]
Over the past month, I rearranged my local systems for our collaboration
environment. The essence of the work is to combine employee identities (defined
in AD) with identities for external users (defined in FreeIPA), massage them so
that they look the same, and export them to every posix desktop
I’ve got a prototype setup for cross-realm operations. I don’t know if that’s
useful for you or not. I don’t have control over “my” AD, and I’m managing this
during our CIO’s migration from one AD realm to another (so duplicate users
having distinct DNs and Kerberos principals are the norm, rath
> Yes, sssd silos each identity domain completely, the only 'exception' is local
> groups but that's almost an accident of how nsswitch worked historically.
Would you consider an RFE to add a "posix domain" group definition (or perhaps
"global groups")? That way, group info brought in via indivi
I have an external LDAP metadirectory acting as an identity provider for my
linux domain. The metadirectory overrides and supplements the upstream identity
source (e.g., it passes thru sn, givenName, mail, telephoneNumber; but
overrides or adds uidNumber, gidNumber, loginShell, etc.) The directo
> >> Let me elaborate. We haven't had time to work on this but it would be
> >> really valuable if you could experiment with it a little bit.
> >>
> >> Simo, Alexander, could you propose some dirty tricks to try?
> > The thread mentioned above has all needed information already.
> Should we turn i
> Assume that FQDN is constructed as static hostname.domainname from
> DHCP or via reverse DNS lookup. What happens if the machine (laptop)
> moves from one network to another? What if the machine have multiple
> interfaces?
>
> As a result, any change in FQDN will break your Kerberos setup.
The
Only one local user needs access? Can it be owned by apache and writeable by
the LDAP group?
Filesystem ACLs let you specify two groups, will that work?
Intentionally creating a GID collision at the scope of the local machine does
not appear to have solved your problem, so I'd undo that right a
> Hmm, sorry for incomplete instructions then. I updated the instructions to
> cope with that situation better (details in
> https://fedorahosted.org/freeipa/ticket/4466#comment:2). Please feel free
> to report more findings or even better help us enhance the page even
> further :-)
Hmm, I though
> Can you please open a selinux bug and attach info on how you fixed it ?
http://bugs.centos.org/view.php?id=7458
Presumably a corresponding bug could be opened for Fedora 19 and/or RHEL 7, but
I could be wrong.
Bryce
Spoke too soon. I needed the following "extra" selinux policy module to make
all the AVCs go away.
BTW: the instructions on http://www.freeipa.org/page/PKI really only work if
you leave the password blank when you create a new database with certutil.
Otherwise, the "ipa-getcert request" command
Hey all,
On CentOS 7 (presumably RHEL7 too), the tutorial on
http://www.freeipa.org/page/PKI breaks (when applied to installing a
certificate in /etc/openldap/certs). The offending line is "ipa-getcert request
-d /etc/openldap/certs ...", and the failure message is "/etc/openldap/certs
must be
> > Oh, and if the service is httpd, slapd, or nfs using principal
> "host/example.com", how does one figure out which service to contact?
>
> The KDC would have to know how to contact them, or infer it from the
> principal name. As for _how_ to communicate the revocation, one possibility
> would
> No, the only way in which a revocation protocol for Kerberos makes any
> sense to me is one that involves propagating notices to those services (TGSes
> included) for which the principal in question got extant tickets.
Good. :) Do that.
Seems that the KDC would have to be upgraded with connecti
Beware the asymmetry.
When considering schemes like this, please be on the lookout for new
connectivity requirements. Consider an organization with a tightly guarded KDC
on their intranet, to which all the employees authenticate. Outside their
firewall is another KDC with "supplemental" extern
> Well, the users are definitely going to be in IPA (or AD via IPA). However,
> they *will* exist in both IPA and locally during the migration period. If
> they
> have the same UID/GIDs in both places (local and IPA), then I will need to
> prefer IPA to 'files' in nsswitch.conf. The main reaso
> We are evaluating RHEL7 IdM (FreeIPA 3.3) for identity management for our
> UNIX infrastructure. All of our Linux hosts currently have standard and
> consistent UID/GIDs for at least all of our administrative users. I'm looking
> for advice on how to migrate these users into IPA.
>...
> Event
Hello list,
Using openldap 2.4.39 on CentOS 7, I've been trying to set up a metadirectory
which proxies "my" current AD server, "my" future AD server, and my FreeIPA
server (note: I only have control over the FreeIPA server). I have configured
idassert-bind with my AD credentials so web apps ca
> Note that fixed 389-ds-base is now available in Fedora 20 updates-testing
> repo:
>
> https://admin.fedoraproject.org/updates/FEDORA-2014-8709/389-ds-base-
> 1.3.2.20-1.fc20
>
> If you install that + switch cn=config's nsslapd-allow-hashed-passwords
> attribute to "on", you will be able to fini
One of our larger users was in a similar situation a few years ago and
ended up running Fedora until RHEL caught up and then migrating the servers.
I'm running it on F20 because it seemed like the dependencies would make
running it on CentOS 7 a pile of pain I didn't need. I do think "RHEL catchi
Hi,
Now that I have a fileserver with CentOS 7 on it, I was wondering if there were
plans to build the current release for RHEL 7/CentOS 7.
Failing that, what is the gap between "experimental" and the current release?
How much is likely to break if I introduce an "experimental" file daemon into
> I will work with DS team to backport the switch option to Fedora 20 389-ds-
> base and to release FreeIPA 4.0.1 with appropriate patch to fix this problem
> ASAP, ideally this week.
Thanks much, Martin!
> So if I understand the 389-ds ticket correctly, I can add pre-hashed passwords
> via ldapmodify to the 389 server using directory manager as the bind dn? I
> just can't use the ipa command line tool/script.
The short answer is "no". Trying to add the userPassword attribute with
ldapmodify bind
> > It didn't. My message to the list was the initial "is this a bug or am I
> > being
> dumb?" question. Until now, there was no response.
>
> There were two responses, from Petr and myself in the thread titled
> "Migrating from a hybrid web/posix LDAP"
My bad. I missed them somehow. The centos
> > That was me, but the context was 'ipa user-add' with a password hash
> rather than migrate-ds. Although it makes sense that 389 ds would act the
> same regardless of how I attempt to store the password. How can I check to
> see whether the passwords made it to freeipa? The migrate-ds script di
> Someone has reported an issue with password migration where 389-ds is
> rejecting the passwords with: passwords with storage scheme are not
> allowed. That may be part of the problem.
That was me, but the context was 'ipa user-add' with a password hash rather
than migrate-ds. Although it make