FreeIPA Docker Compose WEB UI

After spending hours searching for why I cannot access my web UI, I turn to you. I set up FreeIPA on Docker using docker-compose. I opened some ports to gain remote access using host-ip:port from my own computer. FreeIPA is supposed to run on my server (let's say 192.168.1.2) and the web UI should be accessible from any other local computer on port 80 / 443 (192.168.1.4:80 or 192.168.1.4:443).

When I run my .yaml file, FreeIPA reports an "ipa-server-install" failure.

I thought this could come from my firewall rules and tried flushing all the policies. It didn't help.

I'm a bit lost on how to debug this or find how to fix it.

OS: ubuntu 20.04.3
Docker version: 20.10.12, build e91ed57
freeipa image: freeipa/freeipa:centos-8-stream
Docker-compose version: 1.29.2, build 5becea4c

My yaml file:

version: "3.8"
services:  
  freeipa:
    image: freeipa/freeipa-server:centos-8-stream
    hostname: sanctuary
    domainname: serv.sanctuary.local
    container_name: freeipa-dev
    ports:
      - 80:80
      - 443:443
      - 389:389
      - 636:636
      - 88:88
      - 464:464
      - 88:88/udp
      - 464:464/udp
      - 123:123/udp
    dns:
      - 10.64.0.1
      - 1.1.1.1
      - 1.0.0.1
    restart: unless-stopped
    tty: true
    stdin_open: true
    environment:
      IPA_SERVER_HOSTNAME: serv.sanctuary.local
      IPA_SERVER_IP: 192.168.1.100
      TZ: "Europe/Paris"
    command:
      - -U
      - --domain=sanctuary.local
      - --realm=sanctuary.local
      - --admin-password=pass
      - --http-pin=pass
      - --dirsrv-pin=pass
      - --ds-password=pass
      - --no-dnssec-validation
      - --no-host-dns
      - --setup-dns
      - --auto-forwarders
      - --allow-zone-overlap
      - --unattended
    cap_add:
      - SYS_TIME
      - NET_ADMIN
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
      - ./data:/data
      - ./logs:/var/logs
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.lo.disable_ipv6=0
    security_opt:
      - "seccomp:unconfined"
    labels:
      - dev

I tried tweaking the deployment file (adding or removing config found on the internet, such as adding/removing IPA_SERVER_IP, adding/removing an external bridge network).

Thanks a lot for any help.

Best answer

OK, for those who may face the same problem, I will explain what I did to troubleshoot this.

I relied heavily on the answer here: https://floblanc.wordpress.com7/09/11/troublefireing-freeipa-pki-tomcatd-fails-to-start/

First, I checked the status of each service with ipactl status. Depending on your problem the output may differ, but here is mine:

Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

So I checked the logs in /var/log/pki/pki-tomcat/ca/debug-xx. After reading them I saw certificate-related rejections.

Here, I first checked my certificates in /etc/pki-tomcat/alias, starting with the "subsystemCert cert-pki-ca" entry.

## output : 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
        ...
        ...

Then I made sure that the private key can be read using the password found in /var/lib/pki/pki-tomcat/conf/password.conf (with the tag internal=…)

grep internal /var/lib/pki/pki-tomcat/conf/password.conf | cut -d= -f2 > /tmp/pwdfile.txt
certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n "subsystemCert cert-pki-ca"

I still saw nothing odd, so I assumed:

  1. pki-tomcat is able to access the certificate and the private key
  2. The issue is likely to be on the LDAP server side

I tried to read the user entry in the LDAP to compare it to the certificate using ldapsearch -LLL -D "cn=directory manager" -W -b "uid=pkidbuser,ou=people,o=ipaca" userCertificate description seeAlso but had an error after entering the password. Because my certs were OK and the LDAP service was running, I assumed something was off with the certificates' dates.

Indeed, during the install FreeIPA sets up the certs using your current system date as base. But it also installs chrony for server time synchronization. After reboot, my chrony conf was wrong and set my host date 2 years ahead.

I could fix it easily, so I stopped the service and set the time manually with a set-time command in the "yyyy-mm-dd hh:mm:ss" format.

I restarted the FreeIPA services and my pki-tomcat service was working again.

After that, I put FreeIPA on my server. I restarted the services and the computers on my local network to renew their sessions. After that, the web UI was reachable!
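The root cause above (a host clock that jumped past the PKI certificates' validity window) is cheap to detect before pki-tomcatd fails. The check below is an added example, not code from the answer or from FreeIPA: it parses the Validity block of certutil -L output for the subsystemCert and compares it with the host clock. The sample certutil output and its dates are constructed, and read_live_cert is a hypothetical wrapper that shells out to certutil.

```python
import re
import subprocess
from datetime import datetime

# Constructed sample of `certutil -L -d /etc/pki/pki-tomcat/alias -n "subsystemCert cert-pki-ca"`
# output, trimmed to the fields this check needs. The dates are invented for the example.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
        Validity:
            Not Before: Tue Jan 18 10:14:00 2022
            Not After : Mon Jan 08 10:14:00 2024
"""

# certutil prints validity times as e.g. "Tue Jan 18 10:14:00 2022" (local time).
_CERTUTIL_TIME = "%a %b %d %H:%M:%S %Y"


def parse_validity(certutil_text):
    """Return (not_before, not_after) datetimes from certutil -L output."""
    nb = re.search(r"Not Before:\s*(.+)", certutil_text)
    na = re.search(r"Not After\s*:\s*(.+)", certutil_text)
    if not nb or not na:
        raise ValueError("no Validity block found in certutil output")
    return (datetime.strptime(nb.group(1).strip(), _CERTUTIL_TIME),
            datetime.strptime(na.group(1).strip(), _CERTUTIL_TIME))


def check_cert_window(certutil_text, now_iso):
    """Classify the host clock (ISO 8601 string) against the cert's validity window.

    A clock set years ahead, as in the answer above, shows up as "expired";
    a clock set back before install shows up as "not_yet_valid".
    """
    now = datetime.fromisoformat(now_iso)
    not_before, not_after = parse_validity(certutil_text)
    if now < not_before:
        return {"status": "not_yet_valid", "skew_days": (not_before - now).days}
    if now > not_after:
        return {"status": "expired", "skew_days": (now - not_after).days}
    return {"status": "valid", "skew_days": 0}


def read_live_cert(db_dir, nickname):
    """Hypothetical helper: fetch the pretty-printed cert from a real NSS database."""
    proc = subprocess.run(["certutil", "-L", "-d", db_dir, "-n", nickname],
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    # Simulate the answer's situation: host clock roughly two years ahead of install.
    print(check_cert_window(SAMPLE_CERTUTIL_OUTPUT, "2024-06-01T10:14:00"))
```

Run it against the real database with check_cert_window(read_live_cert("/etc/pki/pki-tomcat/alias", "subsystemCert cert-pki-ca"), datetime.now().isoformat()) on the IPA host; anything other than "valid" means the clock or the certificates need attention before restarting pki-tomcatd.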

Other answers

I realize this is a super old thread, but would you happen to have an updated and working yaml for this?

I'm trying to get a DNS server and LDAP working in Docker.
