[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2019-03-15 Thread Paul Calabro via FreeIPA-users
Also, I think one of the replicas got interrupted during the installation. I 
see this:

ipa server-find --all

...
 Managed suffixes: domain
  Min domain level: 0
  Max domain level: 1
  Enabled server roles: NTP server
...
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2019-03-15 Thread Paul Calabro via FreeIPA-users
I just bumped into this as well. I think I've tried every permutation of 
commands+options, but I'm getting the "invalid 'PKINIT enabled server': all 
masters must have IPA master role enabled" message as well when running 
"ipa-replica-manage del --force -c ". Any ideas on how to resolve 
this?


[Freeipa-users] Re: LDAP module configuration

2019-03-15 Thread Boudjoudad Abdelkader via FreeIPA-users
Thank you very much for your help, I will post the solution when fixed.

On Fri, Mar 15, 2019 at 4:28 PM Rob Crittenden  wrote:

> Boudjoudad Abdelkader wrote:
> > Hi Rob,
> > Thank you for the quick response, I'm looking to write an ldap query to
> > get the group name of the user, do you have any idea about that ?
>
> Like I said, I know literally zero about radius. I don't know how it
> constructs its queries.
>
> rob
>
> >
> >
> > On Fri, Mar 15, 2019 at 2:44 PM Rob Crittenden wrote:
> >
> > Boudjoudad Abdelkader via FreeIPA-users wrote:
> > > Hello Alexander and all,
> > > Can someone please let me know what's the group object in LDAP 389
> > > DS? I have this path to search the groups but it's not returning
> > > results:
> > >
> > > In /etc/raddb/mods-enabled/ldap:
> > >
> > > ldap {
> > >  server = 'freeipa.dc=server,dc=example,dc=com
> > > #   port = 389
> > > #   identity = 'cn=admin,dc=server,dc=example,dc=com'
> > > #   password = mypass
> > >  base_dn = 'cn=users,cn=accounts,dc=server,dc=example,dc=com'
> > >  ...
> > > }
> > >
> > > group {
> > >   base_dn = 'cn=groups,cn=accounts,dc=server,dc=example,dc=com'
> > >   dc=example,dc=com
> > >   name_attribute = cn
> > >   membership_filter =
> > > "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
> > >   membership_attribute = memberOf
> > >   ...
> > > }
> > >
> > > What am I missing in group base_dn path?
> >
> > I know zero about radius but...
> >
> > You are mixing RFCs here.
> >
> > For the filter the memberuid will never return anything because that
> > schema is not used. I don't know what the variables mean so can't
> > suggest a fix.
> >
> > I also don't know what membership_attribute means in this context. If
> > you are looking for members of the group you want member.
> >
> > memberOf denotes that this group is a member of another group.
> >
> > rob
> >
>
>


[Freeipa-users] Re: LDAP module configuration

2019-03-15 Thread Rob Crittenden via FreeIPA-users
Boudjoudad Abdelkader wrote:
> Hi Rob,
> Thank you for the quick response, I'm looking to write an ldap query to
> get the group name of the user, do you have any idea about that ?

Like I said, I know literally zero about radius. I don't know how it
constructs its queries.

rob

> 
> 
> On Fri, Mar 15, 2019 at 2:44 PM Rob Crittenden wrote:
> 
> Boudjoudad Abdelkader via FreeIPA-users wrote:
> > Hello Alexander and all,
> > Can someone please let me know what's the group object in LDAP 389
> > DS? I have this path to search the groups but it's not returning
> > results:
> >
> > In /etc/raddb/mods-enabled/ldap:
> >
> > ldap {
> >  server = 'freeipa.dc=server,dc=example,dc=com
> > #   port = 389
> > #   identity = 'cn=admin,dc=server,dc=example,dc=com'
> > #   password = mypass
> >  base_dn = 'cn=users,cn=accounts,dc=server,dc=example,dc=com'
> >  ...
> > }
> >
> > group {
> >   base_dn = 'cn=groups,cn=accounts,dc=server,dc=example,dc=com'
> >   dc=example,dc=com
> >   name_attribute = cn
> >   membership_filter =
> > "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
> >   membership_attribute = memberOf
> >   ...
> > }
> >
> > What am I missing in group base_dn path?
> 
> I know zero about radius but...
> 
> You are mixing RFCs here.
> 
> For the filter the memberuid will never return anything because that
> schema is not used. I don't know what the variables mean so can't
> suggest a fix.
> 
> I also don't know what membership_attribute means in this context. If
> you are looking for members of the group you want member.
> 
> memberOf denotes that this group is a member of another group.
> 
> rob
> 


[Freeipa-users] Re: LDAP module configuration

2019-03-15 Thread Boudjoudad Abdelkader via FreeIPA-users
Hi Rob,
Thank you for the quick response, I'm looking to write an ldap query to get
the group name of the user, do you have any idea about that ?


On Fri, Mar 15, 2019 at 2:44 PM Rob Crittenden  wrote:

> Boudjoudad Abdelkader via FreeIPA-users wrote:
> > Hello Alexander and all,
> > Can someone please let me know what's the group object in LDAP 389
> > DS? I have this path to search the groups but it's not returning
> > results:
> >
> > In /etc/raddb/mods-enabled/ldap:
> >
> > ldap {
> >  server = 'freeipa.dc=server,dc=example,dc=com
> > #   port = 389
> > #   identity = 'cn=admin,dc=server,dc=example,dc=com'
> > #   password = mypass
> >  base_dn = 'cn=users,cn=accounts,dc=server,dc=example,dc=com'
> >  ...
> > }
> >
> > group {
> >   base_dn = 'cn=groups,cn=accounts,dc=server,dc=example,dc=com'
> >   dc=example,dc=com
> >   name_attribute = cn
> >   membership_filter =
> > "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
> >   membership_attribute = memberOf
> >   ...
> > }
> >
> > What am I missing in group base_dn path?
>
> I know zero about radius but...
>
> You are mixing RFCs here.
>
> For the filter the memberuid will never return anything because that
> schema is not used. I don't know what the variables mean so can't
> suggest a fix.
>
> I also don't know what membership_attribute means in this context. If
> you are looking for members of the group you want member.
>
> memberOf denotes that this group is a member of another group.
>
> rob
>


[Freeipa-users] Re: LDAP module configuration

2019-03-15 Thread Rob Crittenden via FreeIPA-users
Boudjoudad Abdelkader via FreeIPA-users wrote:
> Hello Alexander and all,
> Can someone please let me know what's the group object in LDAP 389
> DS? I have this path to search the groups but it's not returning results:
>
> In /etc/raddb/mods-enabled/ldap:
>
> ldap {
>  server = 'freeipa.dc=server,dc=example,dc=com
> #   port = 389
> #   identity = 'cn=admin,dc=server,dc=example,dc=com'
> #   password = mypass
>  base_dn = 'cn=users,cn=accounts,dc=server,dc=example,dc=com'
>  ...
> }
>
> group {
>   base_dn = 'cn=groups,cn=accounts,dc=server,dc=example,dc=com'
>   dc=example,dc=com
>   name_attribute = cn
>   membership_filter =
> "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
>   membership_attribute = memberOf
>   ...
> }
>
> What am I missing in group base_dn path?

I know zero about radius but...

You are mixing RFCs here.

For the filter the memberuid will never return anything because that
schema is not used. I don't know what the variables mean so can't
suggest a fix.

I also don't know what membership_attribute means in this context. If
you are looking for members of the group you want member.

memberOf denotes that this group is a member of another group.

rob
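
The following is an added example, not code from this thread or from the FreeIPA or FreeRADIUS projects. It parses the posted `membership_filter` and evaluates each branch against constructed entries, assuming a FreeIPA-style layout in which group entries list members by full DN in `member` and user entries carry `memberOf`; the suffix, the user `alice`, the group names and all helper functions are assumptions.

```python
"""Added example: run the thread's membership_filter over constructed entries."""

SUFFIX = "dc=example,dc=com"                      # constructed suffix
GROUP_BASE = f"cn=groups,cn=accounts,{SUFFIX}"
USER_DN = f"uid=alice,cn=users,cn=accounts,{SUFFIX}"

# Constructed sample directory (assumption: groups list members by full DN,
# users carry memberOf back-references, nobody has a memberUid attribute).
DIRECTORY = {
    USER_DN: {"uid": ["alice"],
              "memberOf": [f"cn=vpn-users,{GROUP_BASE}", f"cn=ipausers,{GROUP_BASE}"]},
    f"cn=vpn-users,{GROUP_BASE}": {"cn": ["vpn-users"], "member": [USER_DN]},
    f"cn=ipausers,{GROUP_BASE}": {"cn": ["ipausers"], "member": [USER_DN]},
    f"cn=admins,{GROUP_BASE}": {
        "cn": ["admins"], "member": [f"uid=admin,cn=users,cn=accounts,{SUFFIX}"]},
}


def parse_filter(text, pos=0):
    """Parse an RFC 4515 subset: (&..), (|..), (!..) and (attr=value)."""
    if text[pos:pos + 1] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if text[pos:pos + 1] in ("&", "|", "!"):
        op, children, pos = text[pos], [], pos + 1
        while text[pos:pos + 1] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos:pos + 1] != ")" or not children:
            raise ValueError(f"malformed composite filter at offset {pos}")
        return (op, children), pos + 1
    end = text.index(")", pos)          # raises ValueError if unterminated
    attr, sep, value = text[pos:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"malformed comparison at offset {pos}")
    return ("=", attr.lower(), value.lower()), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry, ignoring case."""
    if node[0] == "=":
        _, attr, value = node
        return any(value == v.lower()
                   for name, vals in entry.items() if name.lower() == attr
                   for v in vals)
    op, children = node
    results = [matches(child, entry) for child in children]
    return all(results) if op == "&" else any(results) if op == "|" else not results[0]


def search(base_dn, filter_text):
    """Return the sorted DNs at or under base_dn that match the filter."""
    tree, end = parse_filter(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing data after filter")
    base = base_dn.lower()
    return sorted(dn for dn, entry in DIRECTORY.items()
                  if (dn.lower() == base or dn.lower().endswith("," + base))
                  and matches(tree, entry))


def groups_via_filter(user_dn, uid, clause="both"):
    """Group names found by the posted filter, or by one branch of it."""
    member, member_uid = f"(member={user_dn})", f"(memberUid={uid})"
    flt = {"both": f"(|{member}{member_uid})",
           "member": member, "memberUid": member_uid}[clause]
    return [DIRECTORY[dn]["cn"][0] for dn in search(GROUP_BASE, flt)]


def groups_via_memberof(user_dn):
    """Group names read from the user entry's memberOf values."""
    return sorted(dn.split(",")[0].split("=", 1)[1]
                  for dn in DIRECTORY[user_dn]["memberOf"])
```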


[Freeipa-users] LDAP module configuration

2019-03-15 Thread Boudjoudad Abdelkader via FreeIPA-users
Hello Alexander and all,
Can someone please let me know what's the group object in LDAP 389 DS?
I have this path to search the groups but it's not returning results:

In /etc/raddb/mods-enabled/ldap:

ldap {
 server = 'freeipa.dc=server,dc=example,dc=com
#   port = 389
#   identity = 'cn=admin,dc=server,dc=example,dc=com'
#   password = mypass
 base_dn = 'cn=users,cn=accounts,dc=server,dc=example,dc=com'
 ...
}

group {
  base_dn = 'cn=groups,cn=accounts,dc=server,dc=example,dc=com'
  dc=example,dc=com
  name_attribute = cn
  membership_filter =
"(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
  membership_attribute = memberOf
  ...
}

What am I missing in group base_dn path?

Thanks,


[Freeipa-users] Re: No group membership attribute(s) found in user object

2019-03-15 Thread Boudjoudad Abdelkader via FreeIPA-users
Thank you very much Alexander.

On Thu, Mar 14, 2019 at 1:04 PM Alexander Bokovoy 
wrote:

> Hi Boudjoudad,
>
> On Wed, 13 Mar 2019, Boudjoudad Abdelkader via FreeIPA-users wrote:
> >Starting radiusd -X to check the config i got many errors so i did :
> >- Changing the key file in  /etc/raddb/mods-enabled/eap:
> >From
> >private_key_file = ${certdir}/server.pem
> >To
> >private_key_file = ${certdir}/radius.key
> ># cp /etc/pki/tls/certs/radius.pem /etc/raddb/certs/server.pm
> ># chmod 0640 /etc/raddb/certs/server.pem
> ># chown root:radiusd /etc/raddb/certs/server.pem
> ># cp -r /etc/raddb/certs.bak/ca.pem /etc/raddb/certs/
> ># chown root:radiusd /etc/raddb/certs/ca.pem
> ># cp /etc/pki/tls/private/radius.key /etc/raddb/certs/
> ># chmod 0640 /etc/raddb/certs/radius.key
> ># chown root:radiusd /etc/raddb/certs/radius.key
> >
> >And now i got this error:
> >rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots
> >used
> >rlm_ldap (ldap): Connecting to ldap://freeipa.example.com:389
> >TLSMC: MozNSS compatibility interception begins.
> >tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration
> is
> >present.
> >tlsmc_intercept_initialization: INFO: successfully intercepted TLS
> >initialization. Continuing with OpenSSL only.
> >TLSMC: MozNSS compatibility interception ends.
> >rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
> >SASL/GSSAPI authentication started
> >rlm_ldap (ldap): Bind with (anonymous) to ldap://freeipa.example.com:389
> >failed: Local error
> >rlm_ldap (ldap): Opening connection failed (0)
> >rlm_ldap (ldap): Removing connection pool
> >/etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
>
> Looks like something wrong with the configuration. Unfortunately, right
> now I'm not able to set up a reproducer environment myself, too many
> things at $dayjob.
>
> >
> >
> >
> >On Wed, Mar 13, 2019 at 11:52 AM Alexander Bokovoy 
> >wrote:
> >
> >> On Wed, 13 Mar 2019, Boudjoudad Abdelkader wrote:
> >> >Thanks for the quick reply, I followed these steps
> >> >  but
> it
> >> >seems that its missing some steps, after moving certs the certs.back
> and
> >> >creating a new certificate:
> >> >- The private key and certificate files should be copied in the new
> certs
> >> >directory created
> >> >Or
> >> >- Changing the path in /etc/raddb/mods-enabled/eap   for each files ?
> >> For those please follow existing documentation for FreeRADIUS. These
> >> steps are just showing FreeIPA-specific changes. You can always change
> >> the paths in the configuration.
> >>
> >> >
> >> >
> >> >
> >> >On Wed, Mar 13, 2019 at 11:38 AM Alexander Bokovoy <
> aboko...@redhat.com>
> >> >wrote:
> >> >
> >> >> On Wed, 13 Mar 2019, Boudjoudad Abdelkader via FreeIPA-users wrote:
> >> >> >Hi Alexander and thank you for the documents,
> >> >> >
> >> >> >Right, I didn't configure freeradius to use kerberos authentication
> but
> >> >> >question please: with the radtest command above the authentication
> is
> >> >> >performed and if i see Accept-Accept so it does mean the password
> >> provided
> >> >> >in the command matches the password in ldap ?
> >> >> Perhaps it matches the password but your problem (as I understood)
> was
> >> >> that you weren't able to pull the group membership out of LDAP. These
> >> >> are two different steps -- RADIUS server ldap plugin uses user's
> >> >> password for authentication but it should also use own credentials to
> >> >> bind to ldap for authorization step.
> >> >>
> >> >> >
> >> >> >On Tue, Mar 12, 2019 at 2:59 PM Alexander Bokovoy <
> aboko...@redhat.com
> >> >
> >> >> >wrote:
> >> >> >
> >> >> >> On Tue, 12 Mar 2019, Boudjoudad Abdelkader wrote:
> >> >> >> >Hi Alexander,
> >> >> >> >Thank you for your quick reply and sorry I'm very new with
> freeradius.
> >> >> >> >I did:
> >> >> >> >- Changing in /etc/raddb/sites-enabled/default and
> >> >> >> >/etc/raddb/sites-enabled/inner-tunnel
> >> >> >> >  -ldap
> >> >> >> >to:
> >> >> >> >   ldap
> >> >> >> >if ((ok || updated) && User-Password) {
> >> >> >> >update {
> >> >> >> >control:Auth-Type := ldap
> >> >> >> >}
> >> >> >> >}
> >> >> >> >
> >> >> >> >- /etc/raddb/mods-enabled/ldap
> >> >> >> >ldap {
> >> >> >> >server = 'ldapserver.example.com'
> >> >> >> >#   port = 389
> >> >> >> >#   password = mypass
> >> >> >> > base_dn = 'cn=users,cn=accounts,dc=example,dc=com'
> >> >> >> >}
> >> >> >> So, above you aren't using any credentials to authenticate to LDAP
> >> >> >> server. You need to define *some* credentials here that radius
> server
> >> >> >> would use to bind to LDAP before checking what it needs.
> >> >> >>
> >> >> >> For basic explanation see
> >> >> >>
> >> >>
> >>
> https://www.redhat.com/archives/freeipa-users/2015-December/msg00170.html
> >> >> >>
> >> >> >> For some example, one can look at
> >> >> >> 

[Freeipa-users] Re: Resolution issues (SERVFAIL)

2019-03-15 Thread Dmitry Perets via FreeIPA-users
Responding to myself - for future reference.

I found in /var/named/data/named.run that my parent zone
(ims.example.com) failed to load.
Turns out I had to implement a proper delegation: in the zone
"ims.example.com" I had to add A entries for "rhel-ipa-replica.ams"
and "rhel-ipa-newreplica.ams".
Without it, the zone "ims.example.com" was considered incomplete, so
IPA servers wouldn't load it...

The fact that my 2nd replica didn't show this problem was just a
coincidence - I didn't restart DNS on it since I've defined multiple
zones like this.
Otherwise it would fail to load that zone too.

I've added the two missing A records, reloaded the zones, and now it works!

--
Regards,
Dmitry Perets.

"The more one knows, the less opinions he shares"
-- Wilhelm Schwebel

On Thu, Mar 14, 2019 at 6:11 PM Dmitry Perets  wrote:
>
> Hi,
>
> I am experiencing a strange issue with DNS resolution between my replicas, 
> could you please help me to figure it out?
>
> My topology is:
>
> rhel-ipa.ims.example.com => rhel-ipa-replica.ams.ims.example.com => 
> rhel-ipa-newreplica.ams.ims.example.com
>
> All three are IPA servers with DNS.
> And I've created two zones: "ims.example.com" and "ams.ims.example.com".
>
> It worked fine while I had just two first IPA servers, both servers could 
> resolve any host in any of the two zones. But now I added the third IPA 
> server (rhel-ipa-newreplica), and that new host cannot resolve anything in 
> the parent domain "ims.example.com"...
>
> $ dig rhel-ipa.ims.telekom.de
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> rhel-ipa.ims.example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61092
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;rhel-ipa.ims.example.com. IN A
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu Mar 14 18:02:46 CET 2019
> ;; MSG SIZE  rcvd: 52
>
> What am I missing here...? As per my understanding, each IPA server should 
> "feel" authoritative for each of the two zones, because they are replicated. 
> So even forwarding should not take place here... Btw I tried to play with 
> forwarder configuration, but so far - no luck.
>
> What am I missing for this setup to work...?
> How to make rhel-ipa-newreplica to resolve hosts from parent domain...?
>
> --
> Regards,
> Dmitry Perets.
>
> "The more one knows, the less opinions he shares"
> -- Wilhelm Schwebel
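
The following is an added example, not code from this thread or from the FreeIPA project. It parses simple zone text and reports NS targets that lie inside the zone but have no A or AAAA record there, the condition the message above resolved by adding two A records; the host names follow the thread, while the addresses, the out-of-zone name server and all function names are constructed.

```python
"""Added example: flag in-zone NS targets that have no address record."""

# Constructed zone text modelled on the thread. Addresses are RFC 5737
# documentation values, not taken from the original post.
ZONE_BEFORE = """\
$ORIGIN ims.example.com.
@                        IN NS  rhel-ipa
@                        IN NS  rhel-ipa-replica.ams
@                        IN NS  rhel-ipa-newreplica.ams
@                        IN NS  ns.partner.example.net.   ; out of zone
rhel-ipa                 IN A   192.0.2.10
"""
ZONE_AFTER = ZONE_BEFORE + """\
rhel-ipa-replica.ams     IN A   192.0.2.20
rhel-ipa-newreplica.ams  IN A   192.0.2.30
"""


def absolute(name, origin):
    """Expand a relative owner or target name against the zone origin."""
    if name == "@":
        return origin.lower()
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text):
    """Return (origin, [(owner_fqdn, rtype, rdata)]) from simple zone text.

    Simplified on purpose: one record per line, explicit owner names.
    """
    origin, records = ".", []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()      # drop comments
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].lower()
            continue
        owner, rest = fields[0], fields[1:]
        # Drop optional TTL and class tokens in front of the record type.
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]
        if len(rest) < 2:
            raise ValueError(f"cannot parse record: {raw!r}")
        records.append((absolute(owner, origin), rest[0].upper(), " ".join(rest[1:])))
    return origin, records


def ns_targets_without_address(text):
    """List in-zone NS targets that have no A/AAAA record in the zone."""
    origin, records = parse_zone(text)
    addressed = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    missing = []
    for _, rtype, rdata in records:
        if rtype != "NS":
            continue
        target = absolute(rdata, origin)
        inside = target == origin or target.endswith("." + origin)
        if inside and target not in addressed and target not in missing:
            missing.append(target)
    return missing


if __name__ == "__main__":
    print("before:", ns_targets_without_address(ZONE_BEFORE))
    print("after: ", ns_targets_without_address(ZONE_AFTER))
```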


[Freeipa-users] Re: change default freeipa settings for password change/expire and otp timeout

2019-03-15 Thread Dmitry Perets via FreeIPA-users
Hi,

I saw another solution for your problem - you can define a user as
"passSyncManager".
Then that particular user will be able to set passwords for other
users without having them immediately expired.
This is especially handy when you have periodic synchronization with
some external account management system, from which you get passwords.

This was described here, but I think it was removed from later
versions of RHEL documentation:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/pass-sync

Anyway, I tested it, and I think it worked... maybe one day it stopped
working (or will stop).
Example:
```
# ldapmodify -x -D "cn=Directory Manager" -W
Enter LDAP Password:
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs:
uid=ext-provisioner,cn=users,cn=accounts,dc=ims,dc=telekom,dc=de
```

--
Regards,
Dmitry Perets.

"The more one knows, the less opinions he shares"
-- Wilhelm Schwebel


[Freeipa-users] error 32 (No such object)

2019-03-15 Thread Günther J . Niederwimmer via FreeIPA-users
Hello,

I found this error in the logs, but I can't say what it means.

I have a primary IPA Server (ipa.example.com) and a secondary IPA Server 
(ipa1.example.com). I mean this has been running for a long time now. But on the "older" 
primary I now have these errors.


[15/Mar/2019:09:55:36.268953631 +0100] - ERR - slapi_ldap_bind - Error: could 
not bind id [cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-
tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No 
such object)
[15/Mar/2019:10:00:36.523786880 +0100] - ERR - slapi_ldap_bind - Error: could 
not bind id [cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-
tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No 
such object)
[15/Mar/2019:10:05:36.658511034 +0100] - ERR - slapi_ldap_bind - Error: could 
not bind id [cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-
tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No 
such object)
[15/Mar/2019:10:10:36.262165631 +0100] - ERR - slapi_ldap_bind - Error: could 
not bind id [cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-
tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No 
such object)
[15/Mar/2019:10:15:36.375852651 +0100] - ERR - slapi_ldap_bind - Error: could 
not bind id [cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-
tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No 
such object)
[15/Mar/2019:10:20:36.318006003 +0100] - ERR - slapi_ldap_bind - Error: could 
not bind id [cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-
tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No 
such object)
[15/Mar/2019:10:25:36.443969376 +0100] - ERR - slapi_ldap_bind - Error: could 
not bind id [cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-
tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No 
such object)
[15/Mar/2019:10:30:36.431541771 +0100] - ERR - slapi_ldap_bind - Error: could 
not bind id [cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-
tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No 
such object)
[15/Mar/2019:10:35:36.411241412 +0100] - ERR - slapi_ldap_bind - Error: could 
not bind id [cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-
tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No 
such object)

Can anyone please help with this problem?
 
-- 
mit freundliche Grüßen / best regards,

  Günther J. Niederwimmer

