Hello everyone, Recently I sent an e-mail because I couldn't get access to freeipa on any machine other than the one with freeipa installed. I reinstalled the MIT Kerberos client, and am now able to authenticate on a Windows machine. However, I can still not get the webpage to display on either a Windows or a Linux platform (other than the virtual machine freeIPA is installed on). I have reinstalled several times, and don't know what I could be missing. All of my machines are on one subnet, and I temporarily disabled firewalls to see if that could be the issue. Thanks for any tips! -Mark <div class="gmail_quote">On Sat, Jun 7, 2008 at 9:00 AM, <<a href="mailto:freeipa-devel-request@redhat.com">freeipa-devel-request@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> Send Freeipa-devel mailing list submissions to <a href="mailto:freeipa-devel@redhat.com">freeipa-devel@redhat.com</a> To subscribe or unsubscribe via the World Wide Web, visit <a href="https://www.redhat.com/mailman/listinfo/freeipa-devel" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a> or, via email, send a message with subject or body 'help' to <a href="mailto:freeipa-devel-request@redhat.com">freeipa-devel-request@redhat.com</a> You can reach the person managing the list at <a href="mailto:freeipa-devel-owner@redhat.com">freeipa-devel-owner@redhat.com</a> When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeipa-devel digest..." Today's Topics: 1. Re: [PATCH] be clearer about what is being configured (Rob Crittenden) 2. AD and freeIPA synch (Karl Wirth) 3. Re: AD and freeIPA synch (Rich Megginson) ---------------------------------------------------------------------- Message: 1 Date: Fri, 06 Jun 2008 15:27:21 -0400 From: Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> Subject: Re: [Freeipa-devel] [PATCH] be clearer about what is being configured To: freeipa-devel <<a href="mailto:freeipa-devel@redhat.com">freeipa-devel@redhat.com</a>> Message-ID: <<a href="mailto:48498F99.5090903@redhat.com">48498F99.5090903@redhat.com</a>> Content-Type: text/plain; charset="iso-8859-1" Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature Url : <a href="https://www.redhat.com/archives/freeipa-devel/attachments/20080606/c7cfd409/smime.bin" target="_blank">https://www.redhat.com/archives/freeipa-devel/attachments/20080606/c7cfd409/smime.bin</a> ------------------------------ Message: 2 Date: Fri, 06 Jun 2008 15:32:29 -0400 From: Karl Wirth <<a href="mailto:kwirth@redhat.com">kwirth@redhat.com</a>> Subject: [Freeipa-devel] AD and freeIPA synch To: <a href="mailto:freeipa-devel@redhat.com">freeipa-devel@redhat.com</a>, <a href="mailto:freeipa-interest@redhat.com">freeipa-interest@redhat.com</a> Message-ID: <<a href="mailto:484990CD.30206@redhat.com">484990CD.30206@redhat.com</a>> Content-Type: text/plain; charset=ISO-8859-1 Hello, Many organizations have given feedback that they want to make sure that freeIPA can synch with AD. We want to provide more than what is available in the winsynch that is in fedora directory server. Here are my thoughts on what the features should be in this area. I would love your feedback. Does this sound right? What is missing? Longerterm, we hope to enable kerberos trust between AD and IPA but even then some folks will want synch as well. Thoughts? AD and freeIPA synch requirements ---proposal for your review and feedback 1. Keep password in AD same as PW in IPA - If changed in AD, bring change over to IPA - If changed in IPA, bring change over to AD 2. Synch userid and attributes - Configurable which attributes - If full posix available then make this available - Configurable translation between attributes (i.e transform data such as middle name length or whatever) - Configurable mapping between attribute names - Generate attributes if not present in AD with flexible rules for doing this and vice versa 3. Which subsets of users to keep in synch - Make it possible to define which AD/IPA users should be kept in synch 4. Topology - Password synch is only supported with 1 AD domain. Not multiple. - Identity/attribute synch is supported across multiple domains. ---If the same user is in multiple domains, there is a problem ---- Not supported ---If the same userid in different domains but different user, resolve - Need to support PW change on any IPA server - Need to support PW change on an AD server 5. Failover - Support for failover AD DC - Support for failover IPA 6. Install and Packaging - Separate install of synch tool - Preconfigured synch tool with easy to point to IPA and AD - Predefined - Requires passsynch on domain controllers - Proposal 1: Requires password to only change on AD. Probably not ok. - Proposal 2: Make changes to IPA to hand PW to AD 7. Groups. Allow four options that an administrator can choose between: - One option: Synchronize all users from AD into one IPA group - Second option: Synchronize all users according to filter defined in #3 above and bring along all of their groups and keep their memberships in them. - Third option: No group synch at all - Fourth option: No support for nested groups Best regards, Karl ------------------------------ Message: 3 Date: Fri, 06 Jun 2008 13:38:50 -0600 From: Rich Megginson <<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>> Subject: Re: [Freeipa-devel] AD and freeIPA synch To: <a href="mailto:kwirth@redhat.com">kwirth@redhat.com</a> Cc: <a href="mailto:freeipa-devel@redhat.com">freeipa-devel@redhat.com</a>, <a href="mailto:freeipa-interest@redhat.com">freeipa-interest@redhat.com</a> Message-ID: <<a href="mailto:4849924A.40303@redhat.com">4849924A.40303@redhat.com</a>> Content-Type: text/plain; charset="iso-8859-1" Karl Wirth wrote: > Hello, > > Many organizations have given feedback that they want to make sure that > freeIPA can synch with AD. We want to provide more than what is > available in the winsynch that is in fedora directory server. Here are > my thoughts on what the features should be in this area. I would love > your feedback. Does this sound right? What is missing? Longerterm, we > hope to enable kerberos trust between AD and IPA but even then some > folks will want synch as well. Thoughts? > > AD and freeIPA synch requirements ---proposal for your review and feedback > > 1. Keep password in AD same as PW in IPA > - If changed in AD, bring change over to IPA > - If changed in IPA, bring change over to AD > One problem with this is password policy - min length, complexity, history, etc. How to sync password policy between IPA and AD? > 2. Synch userid and attributes > - Configurable which attributes > - If full posix available then make this available > - Configurable translation between attributes (i.e transform data such > as middle name length or whatever) > - Configurable mapping between attribute names > - Generate attributes if not present in AD with flexible rules for doing > this and vice versa > > 3. Which subsets of users to keep in synch > - Make it possible to define which AD/IPA users should be kept in synch > > 4. Topology > - Password synch is only supported with 1 AD domain. Not multiple. > - Identity/attribute synch is supported across multiple domains. > ---If the same user is in multiple domains, there is a problem ---- Not > supported > ---If the same userid in different domains but different user, resolve > - Need to support PW change on any IPA server > - Need to support PW change on an AD server > Support for uni-directional sync - many Fedora DS users have asked for the ability to sync changes only from Fedora DS to AD, or vice versa, but not both ways. Or perhaps uni-directional for passwords (due to password policy) and bi-di for other data. > 5. Failover > - Support for failover AD DC > - Support for failover IPA > > 6. Install and Packaging > - Separate install of synch tool > - Preconfigured synch tool with easy to point to IPA and AD > - Predefined > - Requires passsynch on domain controllers > - Proposal 1: Requires password to only change on AD. Probably not ok. > - Proposal 2: Make changes to IPA to hand PW to AD > > 7. Groups. > Allow four options that an administrator can choose between: > - One option: Synchronize all users from AD into one IPA group > - Second option: Synchronize all users according to filter defined in #3 > above and bring along all of their groups and keep their memberships in > them. > - Third option: No group synch at all > - Fourth option: No support for nested groups > Support for AD memberOf (if not already fully supported by ipa-memberof). > Best regards, > Karl > > _______________________________________________ > Freeipa-devel mailing list > <a href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-devel" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a> > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature Url : <a href="https://www.redhat.com/archives/freeipa-devel/attachments/20080606/ac471bda/smime.bin" target="_blank">https://www.redhat.com/archives/freeipa-devel/attachments/20080606/ac471bda/smime.bin</a> ------------------------------ _______________________________________________ Freeipa-devel mailing list <a href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-devel" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a> End of Freeipa-devel Digest, Vol 13, Issue 11 ********************************************* </blockquote></div>