Re: [Freeipa-users] What is the best way to make batch changes to the LDAP?
On 06/27/2012 01:56 AM, Joe Linoff wrote:
> Hi Everybody:
>
> Here is a python approach that I am experimenting with based on reading the source code. It seems to work but is it re-entrant? Does this make sense? Is there a better way (like ldapmodify)?
>
> #!/usr/bin/env python
> #
> # Emulate the ipa command line interface in a script
> # to batch some updates.
> #
> import sys
> import shlex
> from ipalib import api, cli
> from ipalib.errors import NotConfiguredError
>
> #
> # bootstrap
> #
> def bootstrap():
>     """
>     Bootstrap the script.
>     I hope that all of this stuff is re-entrant.
>     Also, api is defined in __init__.py.
>     """
>     api.bootstrap_with_global_options(context='cli')
>     for klass in cli.cli_plugins:
>         api.register(klass)
>     api.load_plugins()
>     api.finalize()
>     if 'config_loaded' not in api.env:
>         raise NotConfiguredError()
>
> #
> # cmd
> #
> def cmd(cmd):
>     """
>     Execute an IPA command.
>     The command is entered as a string. I use shlex.split
>     to break it into an args list.
>
>     @param cmd The command to execute (as a string).
>     """
>     print('')
>     print('# %s' % ('='*64))
>     print('# CMD: %s' % (cmd))
>     print('# %s' % ('='*64))
>     args = shlex.split(cmd)
>     api.Backend.cli.run(args)
>
> if __name__ == '__main__':
>     bootstrap()
>
>     # Some test calls.
>     cmd('help')
>     cmd('help user')
>     cmd('help user-mod')
>
>     # Update the fields. The street value is quoted so that
>     # shlex.split keeps it as a single argument.
>     users = ['bob', 'carol', 'ted', 'alice']
>     mod = '--street="123 Main Street" --city=Anytown --state=AK --postalcode=12345'
>     for user in users:
>         cmd('user-mod %s %s' % (user, mod))
>
> Regards,
>
> Joe
>
> *From:* Joe Linoff
> *Sent:* Tuesday, June 26, 2012 3:04 PM
> *To:* freeipa-users@redhat.com
> *Cc:* Joe Linoff
> *Subject:* What is the best way to make batch changes to the LDAP?
>
> Hi Everybody:
>
> I need to change the mailing address information for a group of employees in the FreeIPA LDAP and would like to do it in a script.
>
> I know that I can do it using “ipa user-mod” in a shell script but I was wondering whether I could use python.
>
> Does using python make sense? If so, are there any examples that I can look at?
>
> It seems that I could import ipalib and go from there but I am not sure if there is a simple interface for doing user modifications.
>
> Any help would be greatly appreciated.
>
> Thanks,
>
> Joe

Hello Joe,

This is a very good start. But it can be made even easier, without any command line option parsing. Please see the following example to simply modify users in Python:

    # kinit admin
    Password for ad...@idm.lab.bos.redhat.com:
    # python
    >>> from ipalib import api
    >>> api.bootstrap_with_global_options(context='cli')
    >>> api.finalize()
    >>> api.Backend.xmlclient.connect()

    # Let's see custom user fbar
    >>> api.Command['user_show'](u'admin')
    {'result': {'dn': u'uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
     'has_keytab': True, 'uid': (u'admin',), 'loginshell': (u'/bin/bash',),
     'uidnumber': (u'6520',), 'gidnumber': (u'6520',),
     'memberof_group': (u'admins', u'trust admins'), 'has_password': True,
     'sn': (u'Administrator',), 'homedirectory': (u'/home/admin',),
     'nsaccountlock': False}, 'value': u'admin', 'summary': None}

    # See that result is a native Python dictionary, i.e. very easy to manipulate later

    # Now let's try to modify user's address:
    >>> api.Command['user_mod'](u'fbar', street=u'221B Baker Street', l=u'London', st=u'UK', postalcode=u'NW1 6XE')
    {'result': {'has_keytab': True, 'street': (u'221B Baker Street',),
     'uid': (u'fbar',), 'loginshell': (u'/bin/sh',), 'uidnumber': (u'6521',),
     'l': (u'London',), 'st': (u'UK',), 'gidnumber': (u'6521',),
     'memberof_group': (u'ipausers',), 'has_password': True, 'sn': (u'Bar',),
     'homedirectory': (u'/home/fbar',), 'postalcode': (u'NW1 6XE',),
     'memberof_role': (u'foo',), 'givenname': (u'Foo',),
     'nsaccountlock': False}, 'value': u'fbar', 'summary': u'Modified user fbar'}

The user is now modified, I can verify it with standard CLI command:

    # ipa user-show fbar --all
      dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
      User login: fbar
      ...
      Street address: 221B Baker Street
      City: London
      State/Province: UK
      ZIP: NW1 6XE
      ...

Our source code is a good source of information (I used it to find out exact names of the command attributes). Besides that, you can check:

http://www.freeipa.org/page/DocumentationPortal

There are several doc guides, including Extending IPA guide which should provide you with more info about additional extensions of FreeIPA.

HTH,
Martin
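The call style shown in the reply above (`api.Command['user_mod'](login, attr=value)`, with results returned as dictionaries of tuples) lends itself to a batch run that previews every change before writing it and records an outcome per user. The following is an added example, not code from the thread or from the FreeIPA project. Assumptions: `plan_changes`, `batch_user_mod` and `FakeCommands` are hypothetical names, `FakeCommands` and its sample users are constructed so the script runs offline, and `all=True` is taken to be the API form of the `--all` option used above.

```python
# Added example: dry-run-first batch update using the call style from the
# reply above. Not FreeIPA code; all helper names are hypothetical.


def plan_changes(current, desired):
    """Return only the attributes whose stored value differs from `desired`.

    ipalib returns each attribute as a tuple, e.g. {'l': (u'London',)},
    so the stored value is compared against a one-element tuple.
    """
    return {attr: value for attr, value in desired.items()
            if tuple(current.get(attr, ())) != (value,)}


def batch_user_mod(commands, logins, desired, dry_run=True):
    """Apply `desired` to every login and return one audit record per user.

    `commands` is any mapping with 'user_show' and 'user_mod' callables;
    with a connected ipalib session that mapping is api.Command.
    """
    report = []
    for login in logins:
        record = {'user': login, 'status': None, 'changes': {}}
        try:
            # all=True (assumed API form of --all) so address fields come back.
            current = commands['user_show'](login, all=True)['result']
            record['changes'] = plan_changes(current, desired)
            if not record['changes']:
                record['status'] = 'unchanged'      # nothing to write
            elif dry_run:
                record['status'] = 'would-modify'   # preview only
            else:
                commands['user_mod'](login, **record['changes'])
                record['status'] = 'modified'
        except Exception as exc:
            # One bad login must not abort the batch; keep the reason.
            record['status'] = 'error: %s' % type(exc).__name__
        report.append(record)
    return report


class FakeCommands(dict):
    """Constructed in-memory stand-in for api.Command (sample data only)."""

    def __init__(self, users):
        super().__init__(user_show=self._show, user_mod=self._mod)
        self.users = users

    def _show(self, login, all=False):
        return {'result': self.users[login], 'value': login, 'summary': None}

    def _mod(self, login, **attrs):
        for attr, value in attrs.items():
            self.users[login][attr] = (value,)
        return {'result': self.users[login], 'value': login,
                'summary': 'Modified user %s' % login}


if __name__ == '__main__':
    directory = FakeCommands({
        'bob': {'uid': ('bob',), 'l': ('London',)},
        'carol': {'uid': ('carol',), 'street': ('123 Main Street',),
                  'l': ('Anytown',), 'st': ('AK',), 'postalcode': ('12345',)},
    })
    address = {'street': '123 Main Street', 'l': 'Anytown',
               'st': 'AK', 'postalcode': '12345'}
    logins = ['bob', 'carol', 'ted']          # 'ted' does not exist
    for run in (True, False):                 # preview first, then apply
        for rec in batch_user_mod(directory, logins, address, dry_run=run):
            print(run, rec['user'], rec['status'], sorted(rec['changes']))
```

With a real session, run the bootstrap, finalize and connect calls from the reply above and pass `api.Command` as `commands`.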
[Freeipa-users] IPA Backup / Restore - Everyone's favourite problem child!
Howdy all

We have had quite a lot of discussions on the list about this process but I'd like to get some documentation together so we are all speaking the same language.

So last night I wrote a script to backup IPA based on the below article.

https://access.redhat.com/knowledge/solutions/67800

This is fine and dandy. I have an easy way where I end up with a config tarball, an LDIF export of Dogtag and an LDIF export of LDAP.

Now my question is how on earth am I meant to restore it?

My test scenario is as follows. And you'll have to humour me a bit with my imagination.

Background:
Customer has a very small environment. Single IPA server installation on a physical server. Several member servers and clients all pointing to that one server for IPA / CA and DNS.

Incident:
A very unhappy employee has just been fired for being a naughty boy and decided, for revenge to test how watertight the server was by filling the chassis with 5 litres of water.

Result:
Server is no longer happy either. A new server deployment is required to replace old server.

Thoughts for restoration:
My thinking was, to build a replacement server with all dependency packages and then:

1. restore config files in order to start IPA services
2. restore LDAP ldif file to ensure LDAP data was correct
3. restore Dogtag ldif file to ensure Dogtag data was correct.
4. restart IPA services to bring things back online smoothly.

Of course Steps 2-4 didn't happen as they DEFINITELY were not happy to co-operate.

I'm trying to get to a stage, where we have a method or procedure for simple restoration. Once we have the ability to restore everything, then we can move beyond that, and restore individual components. E.g. OU / User / Group Data.

Any takers for this one? Will be on IRC today if anyone fancies having a bun fight for bouncing ideas.
Dale

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] replica re-install
george he wrote:
> Hello,
>
> I re-installed fedora 17 on my machine, did yum update, and then tried to install ipa-replica on myreplica. I got the same error message as before:
>
> # ipa-replica-install --setup-ca /var/lib/ipa/replica-info-myreplica.gpg
>   [24/30]: enabling S4U2Proxy delegation
> ipa : CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -h myreplica -v -f /tmp/tmpj3jpOC -x -D cn=Directory Manager -y /tmp/tmpXfgq7D' returned non-zero exit status 1
>   [25/30]: initializing group membership
>   [26/30]: adding master entry
> ipa : CRITICAL Failed to load master-entry.ldif: Command '/usr/bin/ldapmodify -h myreplica -v -f /tmp/tmpjAXJjq -x -D cn=Directory Manager -y /tmp/tmpHEZmhv' returned non-zero exit status 1
>   [27/30]: configuring Posix uid/gid generation
> creation of replica failed: entry=dn: cn=CA,cn=my.replica.edu,cn=masters,cn=ipa,cn=etc,dc=my,dc=replica,dc=edu
> cn: CA
> ipaconfigstring: enabledService
> ipaconfigstring: startOrder 50
> objectclass: nsContainer
> objectclass: ipaConfigObject
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> The same error message was displayed after running /usr/sbin/ipa-server-install --uninstall and then re-run the installation.
>
> Here is what is at the end of /var/log/ipareplica-install.log:
>
>   File "/sbin/ipa-replica-install", line 494, in <module>
>     main()
>   File "/sbin/ipa-replica-install", line 437, in main
>     util.realm_to_suffix(config.realm_name))
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 311, in ldap_enable
>     self.admin_conn.addEntry(entry)
>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 496, in addEntry
>     self.__handle_errors(e, arg_desc=arg_desc)
>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 312, in __handle_errors
>     raise errors.NotFound(reason=arg_desc)
>
> Any suggestions?

It would appear the previous uninstall didn't remove the CA. Did you have to run pkiremove in order to get the CA to install the second go-around?

What I would do is do the uninstall again. Do an ldapsearch on cn=my.replica.edu,cn=masters,cn=ipa,cn=etc,dc=my,dc=replica,dc=edu on another master and confirm that it is empty. If it isn't then use ldapdelete to remove that entry and its children.

Then verify that the CA is gone, see if /var/lib/pki-ca exists. If it does use pkiremove to delete the instance.

I think the next install will work.

I believe the replica-s4u2proxy failure can be ignored, we have a ticket open on that.

rob
Re: [Freeipa-users] unable to add service principle from F17
Dale Macartney wrote:
> On 25/06/12 22:37, Rob Crittenden wrote:
>> Dale Macartney wrote:
>>> On 25/06/12 19:53, Rob Crittenden wrote:
>>>> Dale Macartney wrote:
>>>>> Hi all
>>>>>
>>>>> I have a RHEL 6.2 ipa domain and I am running through one of my known working kickstarts for kerberised squid but instead of using RHEL I'm setting it up on Fedora 17.
>>>>>
>>>>> I get the following error on the fedora system which has freeipa-admintools installed
>>>>>
>>>>> [root@proxy02 ~]# klist
>>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>>> Default principal: ad...@example.com
>>>>>
>>>>> Valid starting     Expires            Service principal
>>>>> 06/25/12 20:34:33  06/26/12 20:34:31  krbtgt/example@example.com
>>>>> [root@proxy02 ~]# ipa service-add HTTP/$(hostname)
>>>>> ipa: ERROR: did not receive Kerberos credentials
>>>>> [root@proxy02 ~]# ipa service-add HTTP/proxy02.example.com
>>>>> ipa: ERROR: did not receive Kerberos credentials
>>>>> [root@proxy02 ~]#
>>>>>
>>>>> Nothing appears in the logs apart from
>>>>>
>>>>> == /var/log/messages ==
>>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 35998884 winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 1428 winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 1013 winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 1230 winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>>>
>>>>> Any ideas?
>>>>>
>>>>> This doesn't block me from what I am trying to achieve as I can add the service principal from the IPA server. Just thought I might ask the question.
>>>>
>>>> What version of client and server?
>>>>
>>>> rob
>>>
>>> Server details
>>>
>>> [root@ds01 ~]# yum info ipa-server
>>> Loaded plugins: product-id, security, subscription-manager
>>> Updating certificate-based repositories.
>>> Installed Packages
>>> Name : ipa-server
>>> Arch : x86_64
>>> Version : 2.1.3
>>> Release : 9.el6
>>> Size : 3.2 M
>>> Repo : installed - From repo : Red Hat Enterprise Linux
>>> Summary : The IPA authentication server
>>> URL : http://www.freeipa.org/
>>> License : GPLv3+
>>> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
>>>             : user, virtual machines, groups, authentication credentials), Policy
>>>             : (configuration settings, access control information) and Audit (events,
>>>             : logs, analysis thereof). If you are installing an IPA server you need
>>>             : to install this package (in other words, most people should NOT install
>>>             : this package).
>>>
>>> Client details
>>>
>>> [root@proxy02 ~]# yum info freeipa-client
>>> Loaded plugins: langpacks, presto, refresh-packagekit
>>> Installed Packages
>>> Name : freeipa-client
>>> Arch : x86_64
>>> Version : 2.2.0
>>> Release : 1.fc17
>>> Size : 239 k
>>> Repo : installed - From repo : fedora
>>> Summary : IPA authentication for use on clients
>>> URL : http://www.freeipa.org/
>>> Licence : GPLv3+
>>> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
>>>             : user, virtual machines, groups, authentication credentials), Policy
>>>             : (configuration settings, access control information) and Audit (events,
>>>             : logs, analysis thereof). If your network uses IPA for authentication,
>>>             : this package should be installed on every client machine.
>>>
>>> [root@proxy02 ~]# yum info freeipa-admintools
>>> Loaded plugins: langpacks, presto, refresh-packagekit
>>> Installed Packages
>>> Name : freeipa-admintools
>>> Arch : x86_64
>>> Version : 2.2.0
>>> Release : 1.fc17
>>> Size : 43 k
>>> Repo : installed - From repo : fedora
>>> Summary : IPA administrative tools
>>> URL : http://www.freeipa.org/
>>> Licence : GPLv3+
>>> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
>>>             : user, virtual machines, groups, authentication credentials), Policy
>>>             : (configuration settings, access control information) and Audit (events,
>>>             : logs, analysis thereof). This package provides command-line tools for
>>>             : IPA administrators.
>>>
>>> [root@proxy02 ~]#
>>
>> Use the --delegate flag in the ipa tool. The 2.2 servers use S4U2Proxy so sending the TGT is no longer required as it was pre 2.2.
>>
>> # ipa --delegate service-add HTTP/$(hostname)
>>
>> rob
>
> ah.. good to know. thanks for the info. it does get past the tgt aspect, now it's just a version conflict. may or may not be a work around for that.
>
> [root@proxy02 ~]# ipa --delegate service-add HTTP/proxy02.example.com
> ipa: ERROR: 2.34 client incompatible with 2.13 server at u'https://ds01.example.com/ipa/xml'

Oh, right, sorry I didn't mention this yesterday. You can generally talk with an older client with a newer server, but not the other way around. We don't have per-command versioning (yet), which would make this possible.

rob
Re: [Freeipa-users] rfe: ldap for dhcp
On 06/27/2012 12:14 AM, Simo Sorce wrote:
> On Tue, 2012-06-26 at 15:54 +0200, Natxo Asenjo wrote:
>> On Tue, Jun 26, 2012 at 3:13 PM, Stephen Gallagher sgall...@redhat.com wrote:
>>> On Tue, 2012-06-26 at 15:02 +0200, Natxo Asenjo wrote:
>>>> hi,
>>>>
>>>> recently it was brought to my attention that isc-dhcpd version 4.2 supports getting its database information from ldap. Earlier versions support it as well with a patch.
>>>>
>>>> It would be awesome if this could be integrated in IPA. I am aware you guys have your hands full with plenty of stuff, but if this could get integrated IPA would be even further than AD (that as far as I know cannot do this).
>>>
>>> Natxo, would you be interested in contributing this functionality? If you are familiar with Python, an excellent primer on FreeIPA development can be found at http://abbra.fedorapeople.org/guidnatxoe.html
>>>
>>> The core FreeIPA team has a lot on their plate right now, so any major new features like this would probably need to be contributed from wider community or else deferred until the current crop of functionality is complete.
>>>
>>> We'd be happy to help you along if you (or anyone else on this mailing list) wants to take this feature on.
>>
>> Not familiar with Python (Perl guy, basic), but I can always try stuff. I am just a sysadmin :-)
>>
>> I have read the link you posted, and I think I would need a *lot* of hand holding to get it in the web-ui.
>>
>> What I can try is see if it works outside of the web ui. Importing the dhcp schema in the directory and filling in the dhcp objects. Then get it to work with a dhcp server. If that works, then we can see how we get from there.
>>
>> I already appreciate you take this seriously. Thanks!
>
> Hi Natxo,
>
> take a look at the freeipa-devel list, William Brown is working on basic integration and has sent a few mails, where he points at a git tree with some work.
>
> Maybe you can coordinate to do some testing, that would be useful. I'm CCing him.
>
> Simo.

Hi all,

Find my work here: https://bitbucket.org/Firstyear/freeipa-dhcp

I currently have a large set of changes sitting on my laptop awaiting push / formation of a patch for review. I'll try to send this in at some stage today.

Take a look at https://bitbucket.org/Firstyear/freeipa-dhcp/src/f63a7e505705/TODO.DHCP for my todo list, and at http://www.freeipa.org/page/DHCP_Integration_Design for some of my planning about this integration. Both are subject to change in the near future however.

At this stage, if you just pull my changes, the Schema for isc-dhcp is included and will work in a default install of FreeIPA if you feel like manually adding in your objects. However, the risk is that in the future the work I am doing will clobber the efforts you make in setting this up by hand.

If you are still interested in doing a setup by hand, look at the file /usr/share/doc/dhcp-4.2.4/ldap/README.ldap from the dhcp package on fedora.

I'm still a way from being able to run the ipa-dhcp-install command, or even testing this, but once I get to that point, I'll let you know so you can test this out. My first goal is getting the command line tools to be solid then turning my attention to the WebUI.

Feel free to chat to me about this more, on the FreeIPA-devel list, or the #freeipa irc channel.

--
Sincerely,

William Brown

pgp.mit.edu http://pgp.mit.edu:11371/pks/lookup?op=vindexsearch=0x3C0AC6DAB2F928A2
Re: [Freeipa-users] What is the best way to make batch changes to the LDAP?
Hi Martin:

Excellent! Thank you.

Regards,

Joe
Re: [Freeipa-users] IPA Backup / Restore - Everyone's favourite problem child!
Hi,

I have successfully restored IPA servers from an ldif...more times than I care to recall in the last 2 months. In fact at one stage I took an ldif from the replica and used it to restore the master...so it seems pretty robust.

In terms of filling with water, depends on how long for but the physical parts of the hds ie platters and arms should survive that...electronics might as well...in which case swapping one half (I assume you have a raid1) to a new box and syncing it might work...then drop out the old disk and slot in a new one...same with fire / smoke damage.

NB One of the recommended ways to put out a fire in a server room is water misting using de-mineralised water

1 to 4 looks OK to me...something I want to fully try.

There are some interesting tech like gluster which give you a distributed raid1...I'm wondering on using virtualisation and gluster together...IPA for your scenario would be very small 1 core and 2gb...not much disk use...use kvm and gluster might work well. The second machine could be a reasonable spec'd desktop...like $2k should be good enough

I have a single Esxi machine at home, when I get the chance and buy a second one then I want to try something along the above lines...the idea is to avoid having a NAS and that expense...so 2 ESXi boxes running a gluster node on each and then the rest of the VMware guests inside gluster's disk.

Another way might be rsyncing the ldif over ssh to a remote site...maybe even email it to say google...it shouldn't be very big, ours is 400k at the moment.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
[Freeipa-users] strange gss failures in RHEL 6.3
Evening all

I have just updated my local RHEL 6 repositories from 6.2 to 6.3 and installed a new ipa server in a test network.

I get the following errors now despite having a valid tgt. This worked perfectly a few hours ago (before I updated the repos)

[root@ds01 ~]# date
Wed Jun 27 22:31:01 BST 2012
[root@ds01 ~]# kinit admin
Password for ad...@example.com:
[root@ds01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@example.com

Valid starting     Expires            Service principal
06/27/12 22:31:06  06/28/12 22:31:04  krbtgt/example@example.com
[root@ds01 ~]# date
Wed Jun 27 22:31:10 BST 2012
[root@ds01 ~]#
[root@ds01 ~]#
[root@ds01 ~]# ipa user-find
ipa: ERROR: Local error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)
[root@ds01 ~]#

Has something changed from 6.2 to 6.3 that would cause this by any chance?

thanks

Dale
Re: [Freeipa-users] IPA Backup / Restore - Everyone's favourite problem child!
On 27/06/12 22:25, Steven Jones wrote:
> Hi,
>
> I have successfully restored IPA servers from an ldif...more times than I care to recall in the last 2 months. In fact at one stage I took an ldif from the replica and used it to restore the master...so it seems pretty robust.

If you're about on irc at all tomorrow I may pick your brains about your experiences. I kind of ruined my test environment this afternoon. I had to redeploy about 15 virtualized guests on my tiny microserver at home. That took quite a while ;-)

> In terms of filling with water, depends on how long for but the physical parts of the hds ie platters and arms should survive that...electronics might as well...in which case swapping one half (I assume you have a raid1) to a new box and syncing it might work...then drop out the old disk and slot in a new one...same with fire / smoke damage.
>
> NB One of the recommended ways to put out a fire in a server room is water misting using de-mineralised water

I was merely giving a radical scenario in jest. My main purpose is to produce an IPA 'specific' backup/restore procedure that doesn't rely on other technologies. Starting with a similar goal to restoring an AD system state backup for example.

Dale
Re: [Freeipa-users] IPA Backup / Restore - Everyone's favourite problem child!
I can join now as it's 10am Thursday here... as I don't know when tomorrow is for you

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dale Macartney [d...@themacartneyclan.com]
Sent: Thursday, 28 June 2012 9:45 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA Backup / Restore - Everyone's favourite problem child!

On 27/06/12 22:25, Steven Jones wrote:
> Hi,
>
> I have successfully restored IPA servers from an ldif... more times than I care to recall in the last 2 months. In fact at one stage I took an ldif from the replica and used it to restore the master... so it seems pretty robust.

If you're about on irc at all tomorrow I may pick your brains about your experiences. I kind of ruined my test environment this afternoon. I had to redeploy about 15 virtualized guests on my tiny microserver at home. That took quite a while ;-)

> In terms of filling with water, depends on how long for but the physical parts of the hds ie platters and arms should survive that... electronics might as well... in which case swapping one half (I assume you have a raid1) to a new box and syncing it might work... then drop out the old disk and slot in a new one... same with fire / smoke damage.
>
> NB One of the recommended ways to put out a fire in a server room is water misting using de-mineralised water

I was merely giving a radical scenario in jest. My main purpose is to produce an IPA 'specific' backup/restore procedure that doesn't rely on other technologies. Starting with a similar goal to restoring an AD system state backup for example.

Dale

> 1 to 4 looks OK to me... something I want to fully try.
Re: [Freeipa-users] What is the best way to make batch changes to the LDAP?
Hi Martin:

Just a quick follow up: your suggestion worked great. Here is a little code fragment that emulates the ipa user-find --all operation. I am including it in the hopes that it will help someone else.

START
#!/usr/bin/env python
#
# Demonstrate how to get the contents of the command
# ipa user-find --all in python data structures based on the
# insights provided by Martin Kosek on the freeipa-users@redhat.com
# mailing list.
#
# It also demonstrates how to iterate over the list and grab
# individual fields.
#
import pprint
from ipalib import api

# Bootstrap.
api.bootstrap_with_global_options(context='cli')
api.finalize()
api.Backend.xmlclient.connect()

# Load the records.
recs = api.Command['user_find'](all=True)

# Dump the whole data structure -- with nice formatting.
pprint.PrettyPrinter(indent=4).pprint(recs)

# Print out the uid and email information.
# Note that the gratuitous conversion from unicode to UTF8 and the use
# of a lambda function instead of an if/then were only for fun.
print '---'
for i in range(recs['count']):
    result = recs['result'][i]
    uid = result['uid'][0].encode('utf8')
    # Email can be NULL.
    email = (lambda f: result[f][0].encode('utf8')
             if f in result is not None else str('None'))('mail')
    print '%-20s %s' % (uid, email)
END

Thanks,

Joe

-----Original Message-----
From: Joe Linoff
Sent: Wednesday, June 27, 2012 11:02 AM
To: Martin Kosek
Cc: freeipa-users@redhat.com; Joe Linoff
Subject: RE: [Freeipa-users] What is the best way to make batch changes to the LDAP?

Hi Martin:

Excellent! Thank you.

Regards,

Joe

-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Tuesday, June 26, 2012 11:34 PM
To: Joe Linoff
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] What is the best way to make batch changes to the LDAP?

On 06/27/2012 01:56 AM, Joe Linoff wrote:
> Hi Everybody:
>
> Here is a python approach that I am experimenting with based on reading the source code. It seems to work but is it re-entrant? Does this make sense?
[Freeipa-users] How can I change my password from a python script?
Hi Everybody:

I need to add a lot of users to an LDAP system for testing and I would like to do it in batch mode. For my small tests I have been doing something like this:

#!/bin/bash
# Script to create a new user.
ipa user-add bigbob \
    --email=b...@bigbobsemporium.com \
    --first=Bob \
    --last=Bigg \
    --password \
    --setattr=description='The sales guy.' <<-EOF
b1gB0bsTmpPwd
b1gB0bsTmpPwd
EOF

However, I am a python guy and would like to use it instead. I am sure that I can do a similar thing using pexpect in python. Probably something like this:

# This code has not been tested. It is only for a thought experiment.
# Add a user and enter the password using pexpect.
import sys
import pexpect

# The e-mail address below is cut off in the archived message.
cmd  = "ipa user-add bigbob --email='bbob@BigBobsEmporium.' "
cmd += "--first=Bob --last=Bigg --password "
cmd += "--setattr=description='The sales guy.'"
rets = ['Password', 'Enter Password again to verify', pexpect.EOF, pexpect.TIMEOUT]
c = pexpect.spawn(cmd, timeout=None)
i = c.expect(rets)
if i == 0:  # Password
    c.sendline('b1gB0bsTmpPwd')
    i = c.expect(rets)
    if i == 1:  # Enter Password again to verify
        c.sendline('b1gB0bsTmpPwd')
        i = c.expect(rets)
        if i == 2:  # EOF: the command finished
            print 'SUCCESS'
        else:
            sys.exit('ERROR: something bad happened #1')
    else:
        sys.exit('ERROR: something bad happened #2')
else:
    sys.exit('ERROR: something bad happened #3')

But I was wondering whether there was a better way using the IPA API. Is there a way for me to do that?

Any help or insights would be greatly appreciated.

Thanks,

Joe
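One way to do the batch creation asked about above through the API rather than pexpect, as an added example (not code from the thread or from the FreeIPA project): it builds `user_add` calls from a CSV and gives every account its own random temporary password instead of one hard-coded in the script. The CSV, the helper names and the `userpassword` option name are assumptions; the bootstrap calls are the ones from Martin's reply earlier on this page.

```python
import csv
import io
import secrets
import string

# Constructed sample batch; the accounts and addresses are made up.
BATCH_CSV = """uid,first,last,email,description
bigbob,Bob,Bigg,bigbob@example.test,The sales guy.
carol,Carol,Smith,,
"""

ALPHABET = string.ascii_letters + string.digits


def temp_password(length=16):
    """Random one-time password, so no shared secret lives in the script."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def plan_users(csv_text):
    """Turn CSV rows into (uid, options) pairs for the user_add command."""
    plan = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # userpassword is assumed to be the API name of --password.
        opts = {"givenname": row["first"], "sn": row["last"],
                "userpassword": temp_password()}
        if row["email"]:
            opts["mail"] = row["email"]
        if row["description"]:
            # Same attribute the shell script sets with --setattr.
            opts["setattr"] = "description=%s" % row["description"]
        plan.append((row["uid"], opts))
    return plan


def add_users(api, plan):
    """Run user_add for each planned user; return {uid: temp password}."""
    issued = {}
    for uid, opts in plan:
        api.Command["user_add"](uid, **opts)
        issued[uid] = opts["userpassword"]
    return issued


if __name__ == "__main__":
    # Needs a FreeIPA client and a valid Kerberos ticket (kinit admin).
    from ipalib import api
    api.bootstrap_with_global_options(context="cli")
    api.finalize()
    api.Backend.xmlclient.connect()
    for uid, pw in add_users(api, plan_users(BATCH_CSV)).items():
        print(uid, pw)
```

The passwords never appear on a command line or in the script source; hand the printed values to the users over a separate channel.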
Re: [Freeipa-users] strange gss failures in RHEL 6.3
On Wed, Jun 27, 2012 at 10:35:00PM +0100, Dale Macartney wrote:
> Evening all
>
> I have just updated my local RHEL 6 repositories from 6.2 to 6.3 and installed a new ipa server in a test network.
>
> I get the following errors now despite having a valid tgt. This worked perfectly a few hours ago (before I updated the repos)
>
> [root@ds01 ~]# date
> Wed Jun 27 22:31:01 BST 2012
> [root@ds01 ~]# kinit admin
> Password for ad...@example.com:
> [root@ds01 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ad...@example.com
>
> Valid starting     Expires            Service principal
> 06/27/12 22:31:06  06/28/12 22:31:04  krbtgt/example@example.com
> [root@ds01 ~]# date
> Wed Jun 27 22:31:10 BST 2012
> [root@ds01 ~]#
> [root@ds01 ~]#
> [root@ds01 ~]# ipa user-find
> ipa: ERROR: Local error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)
> [root@ds01 ~]#

Please check if there are some old tickets which might be still used by apache. Run

find /tmp/systemd-namespace-* -name krb5cc_48

(assuming your apache user has uid 48), delete the files listed here and try ipa user-find again.

HTH

bye,
Sumit

> Has something changed from 6.2 to 6.3 that would cause this by any chance?
>
> thanks
>
> Dale
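A check that can be run on a credential cache before deleting it, as an added example (not part of the original messages): it parses klist output in the layout shown above and reports tickets whose validity window does not include the current time, which is the condition behind "Ticket not yet valid". The sample listing and the function names are constructed, and the MM/DD/YY date layout is assumed from Dale's output.

```python
import re
import subprocess
import sys
from datetime import datetime

# Constructed klist output in the MM/DD/YY layout shown in the message above.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_48
Default principal: HTTP/ds01.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
06/27/12 23:40:12  06/28/12 23:40:10  krbtgt/EXAMPLE.COM@EXAMPLE.COM
06/26/12 09:00:00  06/27/12 09:00:00  ldap/ds01.example.com@EXAMPLE.COM
06/27/12 22:00:00  06/28/12 22:00:00  HTTP/ds01.example.com@EXAMPLE.COM
"""

ROW = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
                 r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$")
STAMP = "%m/%d/%y %H:%M:%S"


def parse_klist(text):
    """Return (start, end, service) for every ticket row in klist output."""
    tickets = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            tickets.append((datetime.strptime(m.group(1), STAMP),
                            datetime.strptime(m.group(2), STAMP),
                            m.group(3)))
    return tickets


def ticket_problems(text, now):
    """List (service, reason) for tickets that are unusable at time `now`."""
    problems = []
    for start, end, service in parse_klist(text):
        if start > now:
            problems.append((service, "not yet valid"))
        elif end <= now:
            problems.append((service, "expired"))
    return problems


if __name__ == "__main__":
    # Arguments: cache files, e.g. the krb5cc_48 files located with find.
    now = datetime.now()
    for cache in sys.argv[1:]:
        out = subprocess.run(["klist", "-c", cache], capture_output=True,
                             text=True).stdout
        for service, why in ticket_problems(out, now):
            print(cache, service, why)
```

klist prints dates in the system locale, so adjust `STAMP` if the server uses a different layout.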