[Freeipa-users] IPA domain level is 1, so replica prepare fails (new installation)

2017-03-21 Thread Z D
Hello, I have a problem preparing the replica.

Environment:

OS: Newly installed EL7.3

IPA Server: Newly installed ipa-server 4.4.0

The error:

# ipa-replica-prepare 
Replica creation using 'ipa-replica-prepare' to generate replica file
is supported only in 0-level IPA domain.
The current IPA domain level is 1 and thus the replica must
be created by promoting an existing IPA client.
To set up a replica use the following procedure:
1.) set up a client on the host using 'ipa-client-install'
2.) promote the client to replica running 'ipa-replica-install'
*without* replica file specified
'ipa-replica-prepare' is allowed only in domain level 0
The ipa-replica-prepare command failed.

Any explanation for this and possible resolution, thanks, Zarko

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Use SQLite format NSS database?

2017-03-21 Thread Ian Pilcher

On 03/21/2017 02:26 PM, Rob Crittenden wrote:
> Um, this _might_ work. Each httpd worker will have an fd open to the NSS
> database files so you'd want to do this rather carefully.

I'm no expert on this stuff, but my understanding is that any file
descriptors will continue to point to the older database files until a
worker is restarted or it closes and reopens a file for some reason
(which I have no reason to believe mod_nss does).

Even if a worker does do this for some reason, the /etc/httpd/alias
symlink can be changed atomically, so it will only be an issue if a
worker reopens an NSS database at the same time that the symlink is
being updated -- thus getting inconsistent versions of secmod.db,
cert8.db, or key3.db.  If this happens, NSS will presumably return
SEC_ERROR_ALIENS_ATTACKING, or something similarly inaccurate and non-useful.

(Even this wouldn't be an issue if NSS used openat() like a library that
actually cares about ... security, but I digress.)

> In order for NSS to see a newly added certificate it will need to reopen
> the database. I'm fairly certain a SIGHUP will cause all the children to
> be respawned so except for those actually serving a request at the time
> the new certs should be available.

I'll check on SIGHUP.  Even if it doesn't work, a complete restart is
much easier to coordinate than shutting down Apache, updating the
database, and restarting it.

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 


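The symlink-swap plan discussed in this thread rests on two properties that are easy to verify in isolation: rename(2) over an existing symlink replaces it in one step, and a file descriptor that is already open stays bound to the old file regardless of where the link points afterwards. The script below is an added illustration, not code from this thread, from mod_nss or from NSS; it works in a temporary directory with small text files standing in for cert8.db, and the directory names (alias.old, alias.new) are constructed for the demo.

```python
"""Atomic symlink switch plus a check of what an already-open fd sees.

Added illustration for the mod_nss / NSS database discussion; the paths and
file contents are constructed and nothing here touches /etc/httpd/alias."""
import os
import tempfile


def swap_symlink(link_path: str, new_target: str) -> None:
    """Point link_path at new_target atomically.

    A symlink cannot be retargeted in place, so a fresh link is created under
    a temporary name and rename(2)'d over the old one.  rename() replaces the
    directory entry in a single step, so a concurrent open() through the link
    sees either the old target or the new one, never a missing link.
    """
    tmp_link = f"{link_path}.tmp.{os.getpid()}"
    if os.path.lexists(tmp_link):
        os.unlink(tmp_link)
    os.symlink(new_target, tmp_link)
    os.rename(tmp_link, link_path)  # atomic replacement of the link itself


def demo(root: str) -> dict:
    """Build two stand-in database directories under root, open a file through
    the symlink, swap the link, then compare what the long-lived fd and a
    fresh open() return."""
    old_db = os.path.join(root, "alias.old")
    new_db = os.path.join(root, "alias.new")
    link = os.path.join(root, "alias")
    for directory, content in ((old_db, "old cert8.db"), (new_db, "new cert8.db")):
        os.mkdir(directory)
        with open(os.path.join(directory, "cert8.db"), "w") as fh:
            fh.write(content)
    os.symlink(old_db, link)

    # A long-lived httpd worker: opens the database once and keeps the fd.
    worker_fh = open(os.path.join(link, "cert8.db"))

    swap_symlink(link, new_db)

    # The existing fd is bound to the inode, not to the path, so it still
    # reads the old database; a fresh open() through the link sees the new one.
    seen_by_existing_fd = worker_fh.read()
    worker_fh.close()
    with open(os.path.join(link, "cert8.db")) as fh:
        seen_by_fresh_open = fh.read()
    return {
        "existing_fd": seen_by_existing_fd,
        "fresh_open": seen_by_fresh_open,
        "link_target": os.readlink(link),
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(demo(tmp))
```

What rename() does not solve is the case raised in the message above: a worker that opens secmod.db, cert8.db and key3.db one after another can still straddle the swap and end up with a mix of old and new files. Only a restart, or a SIGHUP that respawns the children as Rob describes, guarantees that every worker reopens a consistent set.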


Re: [Freeipa-users] Use SQLite format NSS database?

2017-03-21 Thread Rob Crittenden
Ian Pilcher wrote:
> On 03/20/2017 11:02 AM, Rob Crittenden wrote:
>> I think his concern may be around warnings that the NSS BDB databases
>> should only be updated when quiet. In the case of mod_nss it explicitly
>> opens the database read-only so I think you'd be safe updating the
>> certificate.
> 
> You are correct about my concern.  I should have noticed that mod_nss
> is opening the database read-only, based on the file permissions if
> nothing else.
> 
> Based on this, I should be able to do something with symlinks to make a
> copy of the database, do my updates, rename the symlink to make the
> updated database "live", and SIGHUP (or restart if necessary) Apache.

Um, this _might_ work. Each httpd worker will have an fd open to the NSS
database files so you'd want to do this rather carefully.

In order for NSS to see a newly added certificate it will need to reopen
the database. I'm fairly certain a SIGHUP will cause all the children to
be respawned so except for those actually serving a request at the time
the new certs should be available.

rob



Re: [Freeipa-users] Certificate Access issue

2017-03-21 Thread Artem Golubev
yep, Ubuntu 16.04.2

*Artem Golubev*
System Administrator
*(exp)capital limited*

On 21 March 2017 at 19:13, Vasily Yanov  wrote:

> Hi Lukas,
>
> You are right :) Ubuntu 16.04.
>
> -Original Message-
> From: Lukas Slebodnik [mailto:lsleb...@redhat.com]
> Sent: Tuesday, March 21, 2017 7:03 PM
> To: Alexander Bokovoy 
> Cc: freeipa-users@redhat.com; Artem Golubev ;
> IT Team 
> Subject: Re: [Freeipa-users] Certificate Access issue
>
> On (21/03/17 17:35), Alexander Bokovoy wrote:
> >On ti, 21 maalis 2017, Lukas Slebodnik wrote:
> >> On (21/03/17 16:29), Alexander Bokovoy wrote:
> >> > On ti, 21 maalis 2017, Artem Golubev wrote:
> >> > > We use sssd version 1.13.4 on our linux clients A user from ipa
> >> > > successfully authorizes on a linux client via ssh without a
> >> > > certificate. But then if we add a certificate - connection gets
> lost.
> >> > If Lukas is correct, 1.13.4 does not have the fix for broken
> >> > certificate-as-ssh public key:
> >> >
> >> It has.
> >> https://pagure.io/SSSD/sssd/issue/2977#comment-222198
> >> https://pagure.io/SSSD/sssd/c/4dbb3bec93cda57e8336847dff0822f31425004d
> >>
> >> It will be part of upstream release 1.13.5
> >That's my point -- it is *not* part of 1.13.4, therefore, this is the
> >problem Artem sees.
> >
> >Artem, what is your Linux distribution? Can you move to a newer version?
> >
> I would guess ubuntu :-)
>
> You might file a bug with your distribution to backport the patch from the
> ticket https://pagure.io/SSSD/sssd/issue/2977
>
> LS
>
>

Re: [Freeipa-users] Certificate Access issue

2017-03-21 Thread Lukas Slebodnik
On (21/03/17 17:35), Alexander Bokovoy wrote:
>On ti, 21 maalis 2017, Lukas Slebodnik wrote:
>> On (21/03/17 16:29), Alexander Bokovoy wrote:
>> > On ti, 21 maalis 2017, Artem Golubev wrote:
>> > > We use sssd version 1.13.4 on our linux clients
>> > > A user from ipa successfully authorizes on a linux client via ssh 
>> > > without a
>> > > certificate. But then if we add a certificate - connection gets lost.
>> > If Lukas is correct, 1.13.4 does not have the fix for broken
>> > certificate-as-ssh public key:
>> > 
>> It has.
>> https://pagure.io/SSSD/sssd/issue/2977#comment-222198
>> https://pagure.io/SSSD/sssd/c/4dbb3bec93cda57e8336847dff0822f31425004d
>> 
>> It will be part of upstream release 1.13.5
>That's my point -- it is *not* part of 1.13.4, therefore, this is the
>problem Artem sees.
>
>Artem, what is your Linux distribution? Can you move to a newer version?
>
I would guess ubuntu :-)

You might file a bug with your distribution to backport the patch from
the ticket https://pagure.io/SSSD/sssd/issue/2977

LS



[Freeipa-users] Original master lost, cannot create additional CA clones

2017-03-21 Thread Brennan, Paul J
Hi all,
   Some time ago, I encountered issues requiring my first IPA master to be 
re-initialized, which failed, forcing me to remove it from the domain. While 
those original issues have since been resolved, I am having difficulty 
replacing the system. I can create a new replica, but I cannot use the 
'--setup-ca' option, nor can I run 'ipa-ca-install'. I have been working on 
this for quite some time, and seem to be going in circles. Any help would be 
greatly appreciated.

(host and domain names have been modified)
ipasrv001 was the original master, installed using an external CA, no DNS and 
no NTP. DNS and NTP are already provided in my environment.
ipasrv201 is a replica installed with --setup-ca, which has since been 
re-configured as the new CA master following this guide:
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0
I have also pointed cs-replication to this system from all other replicas. I 
used ipasrv201 to generate new replica-info for ipasrv001.

These systems are Enterprise Linux 6.8. Current software versions are as 
follows:

[root@ipasrv001 ~]# rpm -qa --queryformat='%{NAME} %{VERSION}-%{RELEASE}\n' 
ipa-server pki-ca 389-ds-base java-1.7.0-openjdk certmonger
certmonger 0.77.5-2.el6
pki-ca 9.0.3-50.el6_8
389-ds-base 1.2.11.15-75.el6_8
java-1.7.0-openjdk 1.7.0.111-2.6.7.2.0.1.el6_8
ipa-server 3.0.0-50.el6_8.3


I receive the following error when attempting to create a new replica:

[root@ipasrv001 ~]# ipa-replica-install --no-ntp --setup-ca --skip-conncheck 
replica-info-ipasrv001.example.com.gpg
Directory Manager (existing master) password:

Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl 
/usr/bin/pkisilent ConfigureCA -cs_hostname ipasrv001.example.com -cs_port 9445 
-client_certdb_dir /tmp/tmp-BDfli8 -client_certdb_pwd  -preop_pin 
SoawlFdqmJKt79OSoy1O -domain_name IPA -admin_user admin -admin_email 
root@localhost -admin_password  -agent_name ipa-ca-agent 
-agent_key_size 2048 -agent_key_type rsa -agent_cert_subject 
CN=ipa-ca-agent,O=EXAMPLE.COM,OU=IPA -ldap_host ipasrv001.example.com 
-ldap_port 7389 -bind_dn cn=Directory Manager -bind_password  -base_dn 
o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm 
SHA256withRSA -save_p12 true -backup_pwd  -subsystem_name pki-cad 
-token_name internal -ca_subsystem_cert_subject_name CN=CA 
Subsystem,O=EXAMPLE.COM,OU=IPA -ca_subsystem_cert_subject_name CN=CA 
Subsystem,O=EXAMPLE.COM,OU=IPA -ca_ocsp_cert_subject_name CN=OCSP 
Subsystem,O=EXAMPLE.COM,OU=IPA -ca_server_cert_subject_name 
CN=ipasrv001.example.com,O=EXAMPLE.COM,OU=IPA 
-ca_audit_signing_cert_subject_name CN=CA Audit,O=EXAMPLE.COM,OU=IPA 
-ca_sign_cert_subject_name CN=Certificate Authority,O=EXAMPLE.COM,OU=IPA 
-external false -clone true -clone_p12_file ca.p12 -clone_p12_password  
-sd_hostname ipasrv201.example.com -sd_admin_port 443 -sd_admin_name admin 
-sd_admin_password  -clone_start_tls true -clone_uri 
https://ipasrv201.example.com:443' returned non-zero exit status 255

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed


In /var/log/ipareplica-install.log, I see the following:

#
Attempting to connect to: ipasrv001.example.com:9445
Connected.
Posting Query = 
https://ipasrv001.example.com:9445//ca/admin/console/config/wizard?p=5=CA_id=-1815206698136119192=true
RESPONSE STATUS:  HTTP/1.1 200 OK
RESPONSE HEADER:  Server: Apache-Coyote/1.1
RESPONSE HEADER:  Content-Type: text/html;charset=UTF-8
RESPONSE HEADER:  Date: Fri, 17 Mar 2017 15:50:34 GMT
RESPONSE HEADER:  Connection: close
Exception in SecurityDomainLoginPanel(): java.lang.Exception: Invalid clone_uri
ERROR: ConfigureSubCA: SecurityDomainLoginPanel() failure
ERROR: unable to create CA

###

2017-03-17T15:50:35Z DEBUG stderr=java.lang.Exception: 

Re: [Freeipa-users] Certificate Access issue

2017-03-21 Thread Alexander Bokovoy

On ti, 21 maalis 2017, Lukas Slebodnik wrote:
> On (21/03/17 16:29), Alexander Bokovoy wrote:
> > On ti, 21 maalis 2017, Artem Golubev wrote:
> > > We use sssd version 1.13.4 on our linux clients
> > > A user from ipa successfully authorizes on a linux client via ssh without a
> > > certificate. But then if we add a certificate - connection gets lost.
> > If Lukas is correct, 1.13.4 does not have the fix for broken
> > certificate-as-ssh public key:
> >
> It has.
> https://pagure.io/SSSD/sssd/issue/2977#comment-222198
> https://pagure.io/SSSD/sssd/c/4dbb3bec93cda57e8336847dff0822f31425004d
>
> It will be part of upstream release 1.13.5

That's my point -- it is *not* part of 1.13.4, therefore, this is the
problem Artem sees.

Artem, what is your Linux distribution? Can you move to a newer version?

--
/ Alexander Bokovoy



Re: [Freeipa-users] Certificate Access issue

2017-03-21 Thread Lukas Slebodnik
On (21/03/17 16:29), Alexander Bokovoy wrote:
>On ti, 21 maalis 2017, Artem Golubev wrote:
>> We use sssd version 1.13.4 on our linux clients
>> A user from ipa successfully authorizes on a linux client via ssh without a
>> certificate. But then if we add a certificate - connection gets lost.
>If Lukas is correct, 1.13.4 does not have the fix for broken
>certificate-as-ssh public key:
>
It has.
https://pagure.io/SSSD/sssd/issue/2977#comment-222198
https://pagure.io/SSSD/sssd/c/4dbb3bec93cda57e8336847dff0822f31425004d

It will be part of upstream release 1.13.5

LS



Re: [Freeipa-users] Certificate Access issue

2017-03-21 Thread Alexander Bokovoy

On ti, 21 maalis 2017, Artem Golubev wrote:
> We use sssd version 1.13.4 on our linux clients
> A user from ipa successfully authorizes on a linux client via ssh without a
> certificate. But then if we add a certificate - connection gets lost.

If Lukas is correct, 1.13.4 does not have the fix for broken
certificate-as-ssh public key:

$ git tag --contains 60787fb44924e84a0c7ddfe9d5e62e64ea1edcd1
sssd-1_13_90
sssd-1_13_91
sssd-1_14_0
sssd-1_14_0_alpha1
sssd-1_14_0_beta1
sssd-1_14_1
sssd-1_14_2
sssd-1_15_0
sssd-1_15_1
sssd-1_15_2

So the issue is fixed only in 1.14+ if we would be counting released
versions.


--
/ Alexander Bokovoy



Re: [Freeipa-users] Certificate Access issue

2017-03-21 Thread Artem Golubev
We use sssd version 1.13.4 on our linux clients
A user from ipa successfully authorizes on a linux client via ssh without a
certificate. But then if we add a certificate - connection gets lost.
Please find logs in attached files
Thank you in advance

*Artem Golubev*
System Administrator
*(exp)capital limited*

On 20 March 2017 at 18:14, Lukas Slebodnik  wrote:

> On (20/03/17 16:39), Alexander Bokovoy wrote:
> >On ma, 20 maalis 2017, Artem Golubev wrote:
> >> Good day!
> >>
> >> We use freeipa server 4.3.1, we usually grant access via ssh keys to
> linux
> >> clients.
> >> We currently face the following issue with access on certificate: when
> we
> >> add certificate to user's account, user is not able to login via ssh.
> >> How can we solve this problem? We would like to have  a possibility to
> >> access linux clients via ssh keys and access to other resources using
> >> certificates.
> >You need to provide logs, obviously. Start with level 3 debug logs in
> >sshd, and debug_level=9 in sssd. Also show user's entry (as in 'ipa
> >user-show --raw --all username').
> >
> >When you access SSH with ssh keys, SSSD is involved in account and
> >session phases of PAM authentication. This means either user does not
> >exist to sshd (it would then don't exist on system level at all) or
> >something prevents session phase from success. In session phase SSSD
> >does verify HBAC rules, for example.
> >
> >See https://fedorahosted.org/sssd/wiki/Troubleshooting for
> >troubleshooting instructions.
> >
> The most important is to know version of sssd.
> Because one related bug is already fixed.
> https://pagure.io/SSSD/sssd/issue/2977
>
> LS
>



Re: [Freeipa-users] Use SQLite format NSS database?

2017-03-21 Thread Ian Pilcher

On 03/20/2017 11:02 AM, Rob Crittenden wrote:
> I think his concern may be around warnings that the NSS BDB databases
> should only be updated when quiet. In the case of mod_nss it explicitly
> opens the database read-only so I think you'd be safe updating the
> certificate.


You are correct about my concern.  I should have noticed that mod_nss
is opening the database read-only, based on the file permissions if
nothing else.

Based on this, I should be able to do something with symlinks to make a
copy of the database, do my updates, rename the symlink to make the
updated database "live", and SIGHUP (or restart if necessary) Apache.

Thanks!

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 




[Freeipa-users] Missing user's primary group after ipa migrate-ds

2017-03-21 Thread Jan Karásek
Hi,

Because of a HW failure (only one replica left - without CA and unfortunately without 
backup) we have decided to build fresh new IPA servers and move users and 
groups from the old IPA server with the ipa migrate-ds command.
It's quite a small use case, just about 100 users and a couple of groups. I was able 
to successfully import users and groups into the new server with:

ipa-new# ipa -d migrate-ds ldap://ipa-old.example.com 
--user-container=cn=users,cn=accounts,dc=example,dc=com 
--group-container=cn=groups,cn=accounts,dc=example,dc=com

Users and all groups were imported but all user's primary groups are missing. 

ipa-new# id user

uid=891500508(user) gid=891500508 groups=891500508,147120(admins)

No reply with:
getent group 891500508
getent group user

also:

ipa-new# su user
Password: 
/usr/bin/id: cannot find name for group ID 891500508

When creating  new user it works correctly:
ipa-new# ipa user-add tester .

uid=147121(tester) gid=147121(tester) groups=147121(tester)
getent group tester
tester:*:147121:

getent group tester
tester:*:147121:

ldapsearch doesn't show any user's primary groups in 
cn=groups,cn=accounts,dc=example,dc=com. It shows just the primary group of 
newly created user- tester + other non primary groups.

Am I doing something wrong? How do I fix this? Should I import the primary groups manually 
with ldapmodify, or can I create them with ipa group-add?

Thanks,
Jan 

Jan Karásek 

ELOS Technologies s.r.o. 
Americká 36 120 00 Praha 2 

tel. +420 607 008 891 
e-mail: jan.kara...@elostech.cz 
www.elostech.cz 

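The symptom above (id shows a gidNumber that getent cannot resolve) is mechanical to detect across all migrated users if you export the user and group containers with ldapsearch and compare gidNumber values. The script below is an added example, not code from this thread or from FreeIPA: it parses a small constructed LDIF built from the numbers in the post, lists every posixaccount whose gidNumber matches no posixgroup, and drafts the ldapadd input that would create one group per orphan. The drafted entries use only top and posixgroup, which is an assumption for illustration; the cn=groups base DN is the one quoted in the post.

```python
"""Find migrated users whose primary GID resolves to no group, and draft the
LDIF that would create the missing groups.

Added example for the migrate-ds question above; not from the thread or from
FreeIPA.  SAMPLE_LDIF is constructed from the numbers in the post, and the
objectClass set in the drafted entries (top, posixgroup) is an assumption."""

SAMPLE_LDIF = """\
dn: uid=user,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixaccount
uid: user
uidNumber: 891500508
gidNumber: 891500508

dn: uid=tester,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixaccount
uid: tester
uidNumber: 147121
gidNumber: 147121

dn: cn=tester,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixgroup
cn: tester
gidNumber: 147121

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixgroup
cn: admins
gidNumber: 147120
"""

GROUP_BASE = "cn=groups,cn=accounts,dc=example,dc=com"  # container named in the post


def parse_ldif(text):
    """Minimal LDIF reader: one {attr(lowercased): [values]} dict per entry.
    Folded continuation lines (leading space) are joined; base64 values (::)
    are not needed for the attributes used here."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def orphaned_primary_groups(entries):
    """Return [(uid, gidNumber)] for every posixaccount whose gidNumber matches
    no posixgroup entry's gidNumber."""
    def has_class(entry, name):
        return name in (c.lower() for c in entry.get("objectclass", []))

    known_gids = {
        e["gidnumber"][0] for e in entries
        if has_class(e, "posixgroup") and "gidnumber" in e
    }
    return [
        (e["uid"][0], e["gidnumber"][0])
        for e in entries
        if has_class(e, "posixaccount") and "gidnumber" in e
        and e["gidnumber"][0] not in known_gids
    ]


def private_group_ldif(orphans, base=GROUP_BASE):
    """Draft ldapadd input: one group per orphan, cn equal to the uid and the
    user's gidNumber (assumed layout, see module docstring)."""
    blocks = []
    for uid, gid in orphans:
        blocks.append(
            f"dn: cn={uid},{base}\n"
            "changetype: add\n"
            "objectClass: top\n"
            "objectClass: posixgroup\n"
            f"cn: {uid}\n"
            f"gidNumber: {gid}\n"
        )
    return "\n".join(blocks)


if __name__ == "__main__":
    missing = orphaned_primary_groups(parse_ldif(SAMPLE_LDIF))
    print(missing)
    print(private_group_ldif(missing))
```

Treat the drafted LDIF as a list of what is missing rather than a drop-in fix: the tester example in the post shows that a group created by ipa user-add resolves correctly, and IPA-created private groups carry more than the two object classes used here, so compare a drafted entry against the tester group's ldapsearch output before deciding between ldapadd and ipa group-add.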

[Freeipa-users] (no subject)

2017-03-21 Thread tarak sinha
Hi All,

I am getting the following error from my 2 nodes. Could anyone tell me
what the issue is and how I can resolve it?

tail -f /var/log/dirsrv/slapd-EXPERTCITY-COM/errors

1) 6711e6-bf06e7fb-7c0c06d0, CSN 584b3f2a0001006b): Server is unwilling
to perform (53). Will retry later.
[21/Mar/2017:04:16:34 -0700] NSMMReplicationPlugin - agmt="cn=
meToauthmgr1.ops.example.com" (authmgr1:389): Consumer failed to replay
change (uniqueid 492d6707-be6711e6-bf06e7fb-7c0c06d0, CSN
584b3f2a0001006b): Server is unwilling to perform (53). Will retry
later.
[21/Mar/2017:04:16:39 -0700] NSMMReplicationPlugin - agmt="cn=
meToauthmgr1.ops.example.com" (authmgr1:389): Consumer failed to replay
change (uniqueid 492d6707-be6711e6-bf06e7fb-7c0c06d0, CSN
584b3f2a0001006b): Server is unwilling to perform (53). Will retry
later.
[21/Mar/2017:04:16:44 -0700] NSMMReplicationPlugin - agmt="cn=
meToauthmgr1.ops.expertcity.com" (authmgr1:389): Consumer failed to replay
change (uniqueid 492d6707-be6711e6-bf06e7fb-7c0c06d0, CSN
584b3f2a0001006b): Server is unwilling to perform (53). Will retry
later.

Second Node
2)
[20/Mar/2017:14:02:13 -0700] NSMMReplicationPlugin - agmt="cn=
meToauthmgr1.ops.expertcity.com" (authmgr1:389): Replication bind with
GSSAPI auth resumed
[20/Mar/2017:17:39:07 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid
77): Replica is not cleaned yet (agmt="cn=meToauthmgr1.las.expertcity.com"
(authmgr1:389))
[20/Mar/2017:17:39:07 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid
77): Replicas have not been cleaned yet, retrying in 14400 seconds
[20/Mar/2017:21:39:07 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid
77): Replica is not cleaned yet (agmt="cn=meToauthmgr1.las.expertcity.com"
(authmgr1:389))
[20/Mar/2017:21:39:07 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid
77): Replicas have not been cleaned yet, retrying in 14400 seconds
[21/Mar/2017:01:39:08 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid
77): Replica is not cleaned yet (agmt="cn=meToauthmgr1.las.expertcity.com"
(authmgr1:389))
[21/Mar/2017:01:39:08 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid
77): Replicas have not been cleaned yet, retrying in 14400 seconds


-- 

*Thanks,*

*TN*
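Two things are worth pulling out of an errors log like the one above before asking for help: how many times the same change (agreement, CSN) has failed to replay and over what time span, and how many times a CleanAllRUV task has reported that replicas are still not clean. The parser below is an added example, not code from this thread or from 389-ds; SAMPLE_LOG is constructed from the post's wrapped entries rejoined one per line, using the ops.example.com spelling throughout.

```python
"""Summarise 389-ds replication failures from the errors log.

Added example for the log posted above; not from the thread or from 389-ds.
SAMPLE_LOG is constructed: the post's wrapped lines rejoined one per line."""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
[21/Mar/2017:04:16:34 -0700] NSMMReplicationPlugin - agmt="cn=meToauthmgr1.ops.example.com" (authmgr1:389): Consumer failed to replay change (uniqueid 492d6707-be6711e6-bf06e7fb-7c0c06d0, CSN 584b3f2a0001006b): Server is unwilling to perform (53). Will retry later.
[21/Mar/2017:04:16:39 -0700] NSMMReplicationPlugin - agmt="cn=meToauthmgr1.ops.example.com" (authmgr1:389): Consumer failed to replay change (uniqueid 492d6707-be6711e6-bf06e7fb-7c0c06d0, CSN 584b3f2a0001006b): Server is unwilling to perform (53). Will retry later.
[21/Mar/2017:04:16:44 -0700] NSMMReplicationPlugin - agmt="cn=meToauthmgr1.ops.example.com" (authmgr1:389): Consumer failed to replay change (uniqueid 492d6707-be6711e6-bf06e7fb-7c0c06d0, CSN 584b3f2a0001006b): Server is unwilling to perform (53). Will retry later.
[20/Mar/2017:14:02:13 -0700] NSMMReplicationPlugin - agmt="cn=meToauthmgr1.ops.example.com" (authmgr1:389): Replication bind with GSSAPI auth resumed
[20/Mar/2017:17:39:07 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid 77): Replica is not cleaned yet (agmt="cn=meToauthmgr1.las.example.com" (authmgr1:389))
[20/Mar/2017:17:39:07 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid 77): Replicas have not been cleaned yet, retrying in 14400 seconds
[20/Mar/2017:21:39:07 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid 77): Replica is not cleaned yet (agmt="cn=meToauthmgr1.las.example.com" (authmgr1:389))
[20/Mar/2017:21:39:07 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid 77): Replicas have not been cleaned yet, retrying in 14400 seconds
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - (?P<msg>.*)$")
REPLAY_RE = re.compile(
    r'agmt="(?P<agmt>[^"]+)" \((?P<consumer>[^)]+)\): '
    r"Consumer failed to replay change \(uniqueid (?P<uniqueid>[0-9a-f-]+), "
    r"CSN (?P<csn>[0-9a-f]+)\): (?P<error>.+?) \((?P<code>\d+)\)\."
)
CLEANRUV_RE = re.compile(r"CleanAllRUV Task \(rid (?P<rid>\d+)\): (?P<state>.+)$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"   # 389-ds errors-log timestamp layout


def parse_line(line):
    """Classify one errors-log line; None for lines that are not plugin output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": datetime.strptime(m["ts"], TS_FMT), "kind": "other"}
    replay = REPLAY_RE.search(m["msg"])
    if replay:
        event.update(kind="replay_failure", **replay.groupdict())
        return event
    clean = CLEANRUV_RE.search(m["msg"])
    if clean:
        event.update(kind="cleanallruv", rid=clean["rid"], state=clean["state"])
        return event
    event["msg"] = m["msg"]
    return event


def summarize(log_text):
    """Group replay failures by (agreement, CSN, result code) with retry count
    and time span, and count 'not cleaned yet' reports per CleanAllRUV rid."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    stuck = defaultdict(list)
    pending = defaultdict(int)
    for e in events:
        if e["kind"] == "replay_failure":
            stuck[(e["agmt"], e["csn"], e["code"])].append(e["ts"])
        elif e["kind"] == "cleanallruv" and "not" in e["state"] and "cleaned" in e["state"]:
            pending[e["rid"]] += 1
    stuck_changes = {}
    for key, stamps in stuck.items():
        stamps.sort()
        stuck_changes[key] = {
            "retries": len(stamps),
            "span_seconds": (stamps[-1] - stamps[0]).total_seconds(),
        }
    return {"stuck_changes": stuck_changes, "cleanallruv_pending": dict(pending)}


if __name__ == "__main__":
    for key, info in summarize(SAMPLE_LOG)["stuck_changes"].items():
        print(key, info)
    print(summarize(SAMPLE_LOG)["cleanallruv_pending"])
```

Reading the output: one CSN failing repeatedly against one consumer with result code 53 (LDAP unwillingToPerform) means that consumer keeps refusing that single update, so the next step is the consumer's own errors log around the same timestamps; a rising count for rid 77 with "retrying in 14400 seconds" shows the CleanAllRUV task is still waiting on the agreement it names.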

Re: [Freeipa-users] ldap connector from IIQ to ipa

2017-03-21 Thread David Kupka
On Mon, Mar 20, 2017 at 05:23:31PM +0100, Iulian Roman wrote:
> Hello,
> 
> We do plan to integrate  IPA with IdentityIQ (sailpoint) for user
> provisioning. Because IPA does abstract all the ldap commands via new set
> of commands and APIs, i am not sure if the standard ldap connector is the
> right option and if it is supported ( taking into consideration that a
> simple user creation does update/create more ldap containers).
> 
> Could you please clarify if updating IPA via standard ldap commands is
> supported but not necessarily a best practice or it is an absolute NO ?
> 
> Thank You !


Hello!

We have a staging area for this purpose. You can create and update user entries
there, and once the entry is complete you can call stageuser-activate to create
the user entry using the values from the stageuser entry.

You can find a description of the feature and examples on the design page [1].

[1] http://www.freeipa.org/page/V4/User_Life-Cycle_Management
-- 
David Kupka

