Diagnose cause of Directory Services failure
by Mike Conner
I've configured FreeIPA with an AD trust that is handling workstation logins at my organization. Things have been going well, but I've noticed a couple of times that the Directory Services process is consuming a lot of CPU. This morning, after receiving reports of users not being able to log in, I ran `ipactl status` which reported Directory Services as STOPPED. I'm looking for help on where to begin with a root cause analysis.
Here is a snippet from /var/log/dirsrv/error that seems to me to indicate a critical error; I just can't decipher what is happening.
*****
[16/Oct/2018:22:25:43.562185858 -0500] - ERR - accept_and_configure - PR_Accept() failed, Netscape Portable Runtime error -5971 (Process open FD table is full.)
[16/Oct/2018:22:25:43.563825169 -0500] - ERR - ns_handle_new_connection - PR_PROC_DESC_TABLE_FULL_ERROR: File Descriptor exhaustion has occured! Connections will be silently dropped!
[16/Oct/2018:22:25:43.565434972 -0500] - ERR - accept_and_configure - PR_Accept() failed, Netscape Portable Runtime error -5971 (Process open FD table is full.)
[16/Oct/2018:22:25:43.567125116 -0500] - ERR - ns_handle_new_connection - PR_PROC_DESC_TABLE_FULL_ERROR: File Descriptor exhaustion has occured! Connections will be silently dropped!
[16/Oct/2018:22:25:43.568974177 -0500] - ERR - libdb - BDB0060 PANIC: fatal region error detected; run recovery
[16/Oct/2018:22:25:43.580095520 -0500] - CRIT - deadlock_threadmain - Serious Error---Failed in deadlock detect (aborted at 0x0), err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery)
*****
Thanks!
5 years, 1 month
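The snippet above shows the pattern worth recognising first: file-descriptor exhaustion in the accept loop (NSPR error -5971, PR_PROC_DESC_TABLE_FULL_ERROR) a few milliseconds before the Berkeley DB back end panics and demands recovery (BDB0060, DB_RUNRECOVERY). The following Python triage helper is an added example, not part of the original post or of FreeIPA/389-ds; it parses the dirsrv errors-log line format shown above, counts the two signatures, and reports whether FD exhaustion preceded the DB panic. The sample lines are copied from the post; the signature names and the `triage()` verdict strings are this example's own.

```python
import re
from collections import Counter
from datetime import datetime

# 389-ds (dirsrv) errors-log line format as shown in the post:
# [DD/Mon/YYYY:HH:MM:SS.nanoseconds +ZZZZ] - LEVEL - function - message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - (?P<level>[A-Z]+) - (?P<func>\S+) - (?P<msg>.*)$"
)

# Signatures to flag, taken from the messages in the snippet above.
SIGNATURES = {
    "fd_exhaustion": re.compile(r"PR_PROC_DESC_TABLE_FULL_ERROR|error -5971"),
    "bdb_panic": re.compile(r"BDB0060 PANIC|DB_RUNRECOVERY|err=-30973"),
}

# Constructed sample: the six lines quoted in the post.
SAMPLE = """\
[16/Oct/2018:22:25:43.562185858 -0500] - ERR - accept_and_configure - PR_Accept() failed, Netscape Portable Runtime error -5971 (Process open FD table is full.)
[16/Oct/2018:22:25:43.563825169 -0500] - ERR - ns_handle_new_connection - PR_PROC_DESC_TABLE_FULL_ERROR: File Descriptor exhaustion has occured! Connections will be silently dropped!
[16/Oct/2018:22:25:43.565434972 -0500] - ERR - accept_and_configure - PR_Accept() failed, Netscape Portable Runtime error -5971 (Process open FD table is full.)
[16/Oct/2018:22:25:43.567125116 -0500] - ERR - ns_handle_new_connection - PR_PROC_DESC_TABLE_FULL_ERROR: File Descriptor exhaustion has occured! Connections will be silently dropped!
[16/Oct/2018:22:25:43.568974177 -0500] - ERR - libdb - BDB0060 PANIC: fatal region error detected; run recovery
[16/Oct/2018:22:25:43.580095520 -0500] - CRIT - deadlock_threadmain - Serious Error---Failed in deadlock detect (aborted at 0x0), err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery)
""".splitlines()


def parse_line(line):
    """Return a dict with ts/level/func/msg, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # strptime has no nanosecond directive: keep microseconds, drop the rest.
    date_part, tz = m.group("ts").rsplit(" ", 1)
    base, frac = date_part.split(".")
    ts = datetime.strptime(f"{base}.{frac[:6]} {tz}", "%d/%b/%Y:%H:%M:%S.%f %z")
    return {"ts": ts, "level": m.group("level"),
            "func": m.group("func"), "msg": m.group("msg")}


def classify(entry):
    """Names of every signature that matches the entry's message."""
    return [name for name, rx in SIGNATURES.items() if rx.search(entry["msg"])]


def triage(lines):
    """Count levels and signatures; decide whether FD exhaustion came before the DB panic."""
    counts, first, parsed = Counter(), {}, 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        parsed += 1
        counts[entry["level"]] += 1
        for tag in classify(entry):
            counts[tag] += 1
            first.setdefault(tag, entry["ts"])   # earliest occurrence per signature
    if "fd_exhaustion" in first and "bdb_panic" in first \
            and first["fd_exhaustion"] <= first["bdb_panic"]:
        verdict = "fd_exhaustion_preceded_db_panic"
    elif "bdb_panic" in first:
        verdict = "db_panic"
    elif "fd_exhaustion" in first:
        verdict = "fd_exhaustion"
    else:
        verdict = "ok"
    return {"parsed": parsed, "counts": dict(counts), "first": first, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE)
    print(result["verdict"], result["counts"])
```

Run it against the real errors log (for example `triage(open(path).readlines())`) rather than the embedded sample; a verdict of `fd_exhaustion_preceded_db_panic` points the root-cause work at the descriptor budget, i.e. the process ulimit together with the server-side cap (389-ds's `nsslapd-maxdescriptors`) and the connection load that consumed it, with the database recovery being a consequence rather than the cause.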
Limit LDAP communication to one Active Directory site
by Torvund, Vegard
Hi,
Is it possible to limit our IPA servers to only communicate with domain controllers within one particular Active Directory site?
I have tried to add:
dns_discovery_domain = NameOfADSite
in /etc/sssd/sssd.conf
and also by specifying each domain controller with these options:
ad_server =
ad_backup_server =
without any success.
Best,
Vegard Torvund
5 years, 1 month
RBAC in FreeIPA: Conflicts while adding permissions to a role.
by Aditya kamat
I am configuring RBAC in my current FreeIPA setup. There is a requirement wherein each host can only belong to a particular host group. If a host is already a part of some host group, a particular role which I create should not be able to add it to any other host group.
Let me clarify this with an example:
Let us say host1 is a part of hostgroup1. There is a role which has modify access to hostgroup2 (i.e. he can add or delete hosts from this group). Can I restrict this role from being able to add hosts which already belong to some other hostgroup?
5 years, 1 month
Export CA from FreeIPA to new FreeIPA
by Ralph Crongeyer
Hello,
I have a FreeIPA server that is currently running as a CA only, no clients
connect, no LDAP entries have ever been made, no DNS etc... The original
ipa CA is how it was setup during the initial install.
A second CA was created, company.com CA, and certs have been created from
this CA.
I've setup two new freeipa boxes and have them replicated and migrated our
openldap users and groups.
What we would like to do now is to export the company.com CA from the
"freeipa CA only" and import it into the new freeipa environment.
I haven't been able to find anything about doing this in my web searches so
far.
Can somebody help me with this?
Thanks,
Ralph
5 years, 1 month
Re: Modify default dirsrv/LDAP certificate (add SAN)
by Andrew Bruce
Hi David - how did you create the IPA service for ldap failover?
I have the same setup - multiple LDAP servers, a single "ldap.xxx" DNS record pointing to haproxy loadbalancers.
However, I do not understand if you used "ipa service-add" or what to setup in freeipa.
Could you paste in your freeipa setup commands?
Thanks,
Andy
5 years, 1 month
IPA Replicate Re-Initialize fails, only one sane IPA server left
by Karl Dag Gursli
Hi
We experienced issues with one of our IPA servers (svgipa02) as it did not
receive updates. It was then decided to run on svgipa02:
ipa-replica-manage re-initialize --from=svgipa01
[root@svgipa02 slapd-NO-EP-CORP-LOCAL]# date; ipa-replica-manage
re-initialize --from=svgipa01.no.ep.corp.local;date
Mon Oct 15 10:33:26 CEST 2018
Directory Manager password:
Update in progress, 15 seconds elapsed
[ldaps://svgipa01.no.ep.corp.local:636] reports: Update failed! Status:
[49 - LDAP error: Invalid credentials]
Mon Oct 15 10:33:52 CEST 2018
[root@svgipa02 slapd-NO-EP-CORP-LOCAL]#
From the dirsrv errors log
[15/Oct/2018:10:33:34.192011467 +0200] - DEBUG - schema-compat-plugin -
searching from "cn=mapping tree,cn=config" for
"(&(|(&(objectClass=nsds5ReplicationAgreement)(nsDS5ReplicaRoot=dc=no,dc=ep,dc=corp,dc=local))(objectClass=nsDSWindowsReplicationAgreement))(nsDS5ReplicaHost=svgipa01.no.ep.corp.local))"
with scope 2 (sub)
[15/Oct/2018:10:33:34.192823822 +0200] - DEBUG - cos-plugin -
cos_cache_vattr_types - Failed to get class of service reference
[15/Oct/2018:10:33:34.193697399 +0200] - DEBUG - schema-compat-plugin -
searching from "cn=schema" for "(objectClass=*)" with scope 0 (base)
[15/Oct/2018:10:33:34.456582623 +0200] - DEBUG - schema-compat-plugin -
searching from "cn=mapping tree,cn=config" for
"(&(|(&(objectClass=nsds5ReplicationAgreement)(nsDS5ReplicaRoot=dc=no,dc=ep,dc=corp,dc=local))(objectClass=nsDSWindowsReplicationAgreement))(nsDS5ReplicaHost=svgipa01.no.ep.corp.local))"
with scope 2 (sub)
[15/Oct/2018:10:33:34.457479057 +0200] - DEBUG - cos-plugin -
cos_cache_vattr_types - Failed to get class of service reference
[15/Oct/2018:10:33:34.736019484 +0200] - DEBUG - schema-compat-plugin -
searching from "cn=mapping tree,cn=config" for
"(&(|(&(objectClass=nsds5ReplicationAgreement)(nsDS5ReplicaRoot=dc=no,dc=ep,dc=corp,dc=local))(objectClass=nsDSWindowsReplicationAgreement))(nsDS5ReplicaHost=svgipa01.no.ep.corp.local))"
with scope 2 (sub)
[15/Oct/2018:10:33:34.736561662 +0200] - DEBUG - cos-plugin -
cos_cache_vattr_types - Failed to get class of service reference
The procedure did not finish and svgipa02 was left in an empty state
What is the procedure to solve this issue?
rgds
Karl Dag
5 years, 1 month
Multiple CA certs
by Andrey Bondarenko
Hello,
Can anyone point me in the right direction on how to safely remove CA certs I
don't need from FreeIPA?
--
With best regards,
Andrey Bondarenko
mail: me@andreybondarenko.com
https://andreybondarenko.com
skype: andrey.bondarenko
phone, Telegram, WhatsApp, etc: +420-773-591-443
7758 40AC 88CC 96C9 0C9A 9EE4 3B72 547B 7538 D41B
5 years, 1 month
Re: named fails to start
by Bret Wortman
Never mind. NTP wasn't working properly so the time had drifted too far.
Easy fix.
*Bret Wortman*
Founder, Damascus Products, LLC
855-644-2783 <tel:855-644-2783> | bret(a)wrapbuddies.co
<mailto:bret@wrapbuddies.co>
http://wrapbuddies.co/
10332 Main St Suite 319 Fairfax, VA 22030
<http://facebook.com/wrapbuddiesco>
<http://www.linkedin.com/in/bretwortman>
<http://twitter.com/wrapbuddiesco>
<http://instagram.com/wrapbuddies>
On 10/15/2018 06:47 AM, Bret Wortman wrote:
>
> I was out two days last week and one of my coworkers thought we were
> having a password problem on our admin account. This morning, my users
> were claiming an inability to log in, so I cycled our main IPA server,
> but named won't start.
>
> 2018-10-15T10:43:14.blah named-pkcs11[26250]: LDAP error: Invalid
> credentials: bind to LDAP server failed
> 2018-10-15T10:43:14.blah named-pkcs11[26250]: couldn't establish
> connection in LDAP connection pool: permission denied
> 2018-10-15T10:43:14.blah named-pkcs11[26250]: dynamic database 'ipa'
> configuration failed: permission denied
> 2018-10-15T10:43:14.blah named-pkcs11[26250]: loading configuration:
> permission de4nied
> 2018-10-15T10:43:14.blah named-pkcs11[26250]: exiting (due to fatal
> errror)
> :
>
> and so on. Thoughts? Places to look for changes?
>
>
> --
>
> *Bret Wortman*
> Founder, Damascus Products, LLC
>
> 855-644-2783 <tel:855-644-2783> | bret(a)wrapbuddies.co
> <mailto:bret@wrapbuddies.co>
>
> http://wrapbuddies.co/
>
> 10332 Main St Suite 319 Fairfax, VA 22030
>
> <http://facebook.com/wrapbuddiesco>
> <http://www.linkedin.com/in/bretwortman>
> <http://twitter.com/wrapbuddiesco>
> <http://instagram.com/wrapbuddies>
>
5 years, 1 month
Fwd: named fails to start
by Bret Wortman
I was out two days last week and one of my coworkers thought we were
having a password problem on our admin account. This morning, my users
were claiming an inability to log in, so I cycled our main IPA server,
but named won't start.
2018-10-15T10:43:14.blah named-pkcs11[26250]: LDAP error: Invalid
credentials: bind to LDAP server failed
2018-10-15T10:43:14.blah named-pkcs11[26250]: couldn't establish
connection in LDAP connection pool: permission denied
2018-10-15T10:43:14.blah named-pkcs11[26250]: dynamic database 'ipa'
configuration failed: permission denied
2018-10-15T10:43:14.blah named-pkcs11[26250]: loading configuration:
permission de4nied
2018-10-15T10:43:14.blah named-pkcs11[26250]: exiting (due to fatal errror)
:
and so on. Thoughts? Places to look for changes?
--
*Bret Wortman*
Founder, Damascus Products, LLC
855-644-2783 <tel:855-644-2783> | bret(a)wrapbuddies.co
<mailto:bret@wrapbuddies.co>
http://wrapbuddies.co/
10332 Main St Suite 319 Fairfax, VA 22030
<http://facebook.com/wrapbuddiesco>
<http://www.linkedin.com/in/bretwortman>
<http://twitter.com/wrapbuddiesco>
<http://instagram.com/wrapbuddies>
5 years, 1 month