Thanks for the clarification. I tried again, but no luck. The stdout/err was:
[root@ipa ~]# ipa-ca-install /var/lib/ipa/replica-info-ipa.example.com.local.gpg
Directory Manager (existing master) password:
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
seconds
[1/21]: creating certificate server user
[2/21]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA
instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpD3cjWu''
returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs
and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
CA configuration failed.
And the ipareplica-ca-install.log is:
[root@ipa log]# cat ipareplica-ca-install.log
2016-06-06T17:59:37Z DEBUG /sbin/ipa-ca-install was invoked with argument
"/var/lib/ipa/replica-info-ipa.example.com.local.gpg" and options:
{'external_cert_files': None, 'skip_schema_check': False, 'external_ca_type':
None, 'unattended': False, 'no_host_dns': False, 'ca_signing_algorithm': None,
'debug': False, 'external_ca': False, 'skip_conncheck': False}
2016-06-06T17:59:37Z DEBUG IPA version 4.2.0-15.0.1.el7.centos.6.1
2016-06-06T17:59:37Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2016-06-06T17:59:37Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2016-06-06T17:59:37Z DEBUG importing all plugin modules in ipalib.plugins...
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.aci
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.automember
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.automount
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.baseldap
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.baseuser
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.batch
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.caacl
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.cert
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.certprofile
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.config
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.delegation
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.dns
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.domainlevel
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.group
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.hbacrule
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.hbacsvc
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.hbacsvcgroup
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.hbactest
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.host
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.hostgroup
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.idrange
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.idviews
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.internal
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.kerberos
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.krbtpolicy
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.migration
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.misc
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.netgroup
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.otpconfig
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.otptoken
2016-06-06T17:59:37Z DEBUG importing plugin module
ipalib.plugins.otptoken_yubikey
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.passwd
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.permission
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.ping
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.pkinit
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.privilege
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.pwpolicy
2016-06-06T17:59:37Z DEBUG Starting external process
2016-06-06T17:59:37Z DEBUG args='klist' '-V'
2016-06-06T17:59:37Z DEBUG Process finished, return code=0
2016-06-06T17:59:37Z DEBUG stdout=Kerberos 5 version 1.13.2
2016-06-06T17:59:37Z DEBUG stderr=
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.radiusproxy
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.realmdomains
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.role
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.rpcclient
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.selfservice
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.selinuxusermap
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.server
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.service
2016-06-06T17:59:37Z DEBUG importing plugin module
ipalib.plugins.servicedelegation
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.session
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.stageuser
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.sudocmd
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.sudocmdgroup
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.sudorule
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.topology
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.trust
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.user
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.vault
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.virtual
2016-06-06T17:59:37Z DEBUG importing all plugin modules in ipaserver.plugins...
2016-06-06T17:59:37Z DEBUG importing plugin module ipaserver.plugins.dogtag
2016-06-06T17:59:37Z DEBUG importing plugin module ipaserver.plugins.join
2016-06-06T17:59:37Z DEBUG importing plugin module ipaserver.plugins.ldap2
2016-06-06T17:59:37Z DEBUG importing plugin module ipaserver.plugins.rabase
2016-06-06T17:59:37Z DEBUG importing plugin module ipaserver.plugins.xmlserver
2016-06-06T17:59:37Z DEBUG SessionAuthManager.register:
name=jsonserver_session_42663248
2016-06-06T17:59:37Z DEBUG SessionAuthManager.register:
name=xmlserver_session_42686160
2016-06-06T17:59:37Z DEBUG Mounting ipaserver.rpcserver.jsonserver_session() at
'/session/json'
2016-06-06T17:59:37Z DEBUG session_auth_duration: 0:20:00
2016-06-06T17:59:37Z DEBUG Mounting ipaserver.rpcserver.jsonserver_kerb() at
'/json'
2016-06-06T17:59:37Z DEBUG session_auth_duration: 0:20:00
2016-06-06T17:59:37Z DEBUG Mounting ipaserver.rpcserver.login_password() at
'/session/login_password'
2016-06-06T17:59:37Z DEBUG session_auth_duration: 0:20:00
2016-06-06T17:59:37Z DEBUG Mounting ipaserver.rpcserver.change_password() at
'/session/change_password'
2016-06-06T17:59:37Z DEBUG Mounting ipaserver.rpcserver.xmlserver_session() at
'/session/xml'
2016-06-06T17:59:37Z DEBUG session_auth_duration: 0:20:00
2016-06-06T17:59:37Z DEBUG session_auth_duration: 0:20:00
2016-06-06T17:59:37Z DEBUG Mounting ipaserver.rpcserver.sync_token() at
'/session/sync_token'
2016-06-06T17:59:38Z DEBUG Mounting ipaserver.rpcserver.login_kerberos() at
'/session/login_kerberos'
2016-06-06T17:59:38Z DEBUG session_auth_duration: 0:20:00
2016-06-06T17:59:38Z DEBUG Mounting ipaserver.rpcserver.xmlserver() at '/xml'
2016-06-06T17:59:38Z DEBUG session_auth_duration: 0:20:00
2016-06-06T17:59:40Z DEBUG Starting external process
2016-06-06T17:59:40Z DEBUG args='/usr/bin/gpg-agent' '--batch' '--homedir'
'/tmp/tmpm9cf7Xipa/ipa-cLLKJh/.gnupg' '--daemon' '/usr/bin/gpg' '--batch'
'--homedir' '/tmp/tmpm9cf7Xipa/ipa-cLLKJh/.gnupg' '--passphrase-fd' '0' '--yes'
'--no-tty' '-o' '/tmp/tmpm9cf7Xipa/files.tar' '-d'
'/var/lib/ipa/replica-info-ipa.example.com.gpg'
2016-06-06T17:59:41Z DEBUG Process finished, return code=0
2016-06-06T17:59:41Z DEBUG Starting external process
2016-06-06T17:59:41Z DEBUG args='tar' 'xf' '/tmp/tmpm9cf7Xipa/files.tar' '-C'
'/tmp/tmpm9cf7Xipa'
2016-06-06T17:59:41Z DEBUG Process finished, return code=0
2016-06-06T17:59:41Z DEBUG stdout=
2016-06-06T17:59:41Z DEBUG stderr=
2016-06-06T17:59:41Z DEBUG Installing replica file with version 300 (0 means no
version in prepared file).
2016-06-06T17:59:41Z DEBUG Check if ipa.example.com is a primary hostname for
localhost
2016-06-06T17:59:41Z DEBUG Primary hostname for localhost: ipa.example.com
2016-06-06T17:59:41Z DEBUG Search DNS for ipa.example.com
2016-06-06T17:59:41Z DEBUG Check if ipa.h5c.local is not a CNAME
2016-06-06T17:59:41Z DEBUG Check reverse address of 10.55.10.31
2016-06-06T17:59:41Z DEBUG Found reverse name: ipa.example.com
2016-06-06T17:59:41Z DEBUG Created connection context.ldap2_42662608
2016-06-06T17:59:41Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2016-06-06T17:59:41Z DEBUG Checking if IPA schema is present in
ldap://ipa-replica.example.com:7389
2016-06-06T17:59:41Z DEBUG retrieving schema for SchemaCache
url=ldap://ipa-replica.example.com:7389 conn=<ldap.ldapobject.SimpleLDAPObject
instance at 0x28b41b8>
2016-06-06T17:59:41Z DEBUG Check OK
2016-06-06T17:59:41Z DEBUG Destroyed connection context.ldap2_42662608
2016-06-06T17:59:41Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2016-06-06T17:59:41Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2016-06-06T17:59:41Z DEBUG Configuring certificate server (pki-tomcatd).
Estimated time: 3 minutes 30 seconds
2016-06-06T17:59:41Z DEBUG [1/21]: creating certificate server user
2016-06-06T17:59:41Z DEBUG group pkiuser exists
2016-06-06T17:59:41Z DEBUG user pkiuser exists
2016-06-06T17:59:41Z DEBUG duration: 0 seconds
2016-06-06T17:59:41Z DEBUG [2/21]: configuring certificate server instance
2016-06-06T17:59:41Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2016-06-06T17:59:41Z DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'
2016-06-06T17:59:41Z DEBUG Contents of pkispawn configuration file
(/tmp/tmpD3cjWu):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_profiles_in_ldap = True
pki_client_database_dir = /tmp/tmp-jUfjcK
pki_client_database_password = XXXXXXXX
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root@localhost
pki_admin_password = XXXXXXXX
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=ipaca
pki_ds_database = ipaca
pki_subsystem_subject_dn = cn=CA Subsystem,O= EXAMPLE.COM
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O= EXAMPLE.COM
pki_ssl_server_subject_dn = cn=ipa.example.com,O= EXAMPLE.COM
pki_audit_signing_subject_dn = cn=CA Audit,O= EXAMPLE.COM
pki_ca_signing_subject_dn = cn=Certificate Authority,O= EXAMPLE.COM
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca
pki_ca_signing_key_algorithm = SHA256withRSA
pki_security_domain_hostname = ipa-replica.example.com
pki_security_domain_https_port = 443
pki_security_domain_user = admin
pki_security_domain_password = XXXXXXXX
pki_clone = True
pki_clone_pkcs12_path = /tmp/ca.p12
pki_clone_pkcs12_password = XXXXXXXX
pki_clone_replication_security = TLS
pki_clone_replication_master_port = 7389
pki_clone_replication_clone_port = 389
pki_clone_replicate_schema = False
pki_clone_uri = https://ipa-replica.example.com:443
2016-06-06T17:59:41Z DEBUG Starting external process
2016-06-06T17:59:41Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmpD3cjWu'
2016-06-06T17:59:41Z DEBUG Process finished, return code=1
2016-06-06T17:59:41Z DEBUG stdout=Log file:
/var/log/pki/pki-ca-spawn.20160606135941.log
Loading deployment configuration from /tmp/tmpD3cjWu.
2016-06-06T17:59:41Z DEBUG stderr=Traceback (most recent call last):
File "/usr/sbin/pkispawn", line 717, in <module>
main(sys.argv)
File "/usr/sbin/pkispawn", line 523, in main
parser.compose_pki_master_dictionary()
File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py",
line 573, in compose_pki_master_dictionary
instance.load()
File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 454, in
load
subsystem.load()
File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 118, in
load
lines = open(self.cs_conf).read().splitlines()
IOError: [Errno 2] No such file or directory:
'/var/lib/pki/pki-tomcat/ca/conf/CS.cfg'
2016-06-06T17:59:41Z CRITICAL Failed to configure CA instance: Command
''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpD3cjWu'' returned non-zero exit
status 1
2016-06-06T17:59:41Z CRITICAL See the installation logs and the following
files/directories for more information:
2016-06-06T17:59:41Z CRITICAL /var/log/pki-ca-install.log
2016-06-06T17:59:41Z CRITICAL /var/log/pki/pki-tomcat
2016-06-06T17:59:41Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
418, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
408, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
620, in __spawn_instance
DogtagInstance.spawn_instance(self, cfg_file)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 201, in spawn_instance
self.handle_setup_error(e)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 465, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2016-06-06T17:59:41Z DEBUG [error] RuntimeError: CA configuration failed.
2016-06-06T17:59:41Z DEBUG File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 732,
in run_script
return_value = main_function()
File "/sbin/ipa-ca-install", line 202, in main
install_replica(safe_options, options, filename)
File "/sbin/ipa-ca-install", line 150, in install_replica
ca.install(True, config, options)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 106, in
install
install_step_0(standalone, replica_config, options)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 130, in
install_step_0
ra_p12=getattr(options, 'ra_p12', None))
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
1543, in install_replica_ca
subject_base=config.subject_base)
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
486, in configure_instance
self.start_creation(runtime=210)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
418, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
408, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
620, in __spawn_instance
DogtagInstance.spawn_instance(self, cfg_file)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 201, in spawn_instance
self.handle_setup_error(e)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 465, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
2016-06-06T17:59:41Z DEBUG The ipa-ca-install command failed, exception:
RuntimeError: CA configuration failed.
[cid:image001.jpg@01D1BFFD.A8A3E740]<http://www.high5games.com/>
Daniel Alex Finkelstein| Senior Dev Ops Engineer
dan.finkelst...@h5g.com<mailto:dan.finkelst...@h5g.com> | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com<http://www.high5games.com/>
Play High 5 Casino<https://apps.facebook.com/highfivecasino/> and Shake the
Sky<https://apps.facebook.com/shakethesky/>
Follow us on: Facebook<http://www.facebook.com/high5games>,
Twitter<https://twitter.com/High5Games>,
YouTube<http://www.youtube.com/High5Games>,
Linkedin<http://www.linkedin.com/company/1072533?trk=tyah>
This message and any attachments may contain confidential or privileged
information and are only for the use of the intended recipient of this message.
If you are not the intended recipient, please notify the sender by return
email, and delete or destroy this and all copies of this message and all
attachments. Any unauthorized disclosure, use, distribution, or reproduction of
this message or any attachments is prohibited and may be unlawful.
From: Rob Crittenden <rcrit...@redhat.com>
Date: Monday, June 6, 2016 at 11:44
To: Daniel Finkestein <dan.finkelst...@high5games.com>,
"freeipa-users@redhat.com" <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA
3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to
master
dan.finkelst...@high5games.com<mailto:dan.finkelst...@high5games.com> wrote:
Swing and a miss: when setting up the replicas, we always use the
—setup-ca and end the command with the replica gpg file, but it's the
—setup-ca that fails as per the earlier messages. If we proceed without
—setup-ca, it's fine. I'll try it without skipping the connection check,
but I don't think the replica file is the issue.
I meant to say: ipa-ca-install replicafile
When running ipa-ca-install without a replicafile then it assumes you
are trying to set up a brand new CA which isn't allowed if one already
exists. The messaging has been improved upstream.
Skipping the conncheck can mask odd problems and should be used sparingly.
rob
Thanks,
Dan
<http://www.high5games.com/>
*Daniel Alex Finkelstein*| Senior Dev Ops Engineer
_dan.finkelst...@h5g.com<mailto:_dan.finkelst...@h5g.com>
<mailto:dan.finkelst...@h5g.com>_|<mailto:dan.finkelst...@h5g.com%3E_|>
212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com <http://www.high5games.com/>
Play High 5 Casino <https://apps.facebook.com/highfivecasino/> and Shake
the Sky <https://apps.facebook.com/shakethesky/>
Follow us on: Facebook <http://www.facebook.com/high5games>, Twitter
<https://twitter.com/High5Games>, YouTube
<http://www.youtube.com/High5Games>, Linkedin
<http://www.linkedin.com/company/1072533?trk=tyah>
//
/This message and any attachments may contain confidential or privileged
information and are only for the use of the intended recipient of this
message. If you are not the intended recipient, please notify the sender
by return email, and delete or destroy this and all copies of this
message and all attachments. Any unauthorized disclosure, use,
distribution, or reproduction of this message or any attachments is
prohibited and may be unlawful./
*From: *Rob Crittenden <rcrit...@redhat.com<mailto:rcrit...@redhat.com>>
*Date: *Monday, June 6, 2016 at 09:51
*To: *Daniel Finkestein
<dan.finkelst...@high5games.com<mailto:dan.finkelst...@high5games.com>>,
"freeipa-users@redhat.com<mailto:freeipa-users@redhat.com>"
<freeipa-users@redhat.com<mailto:freeipa-users@redhat.com>>
*Subject: *Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of
FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica,
cannot promote to master
I think I figured out what is wrong. It is trying to add a NEW CA, not
creating a replica of the CA on this host. You need to pass in the
replica install file as an argument:
# ipa-replica-install foo.example.com
Not sure skipping the conncheck is a great idea either.
rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
