Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

2017-01-25 Thread Pavel Vomacka

Hello Steve,

I tried to reproduce what you described on the very same version of 
ipa-server and I was not successful. Actually I did not use your 
back-end plugin. I tried it with no plugin and then with your UI plugin 
and both worked correctly. Did you make any other changes somewhere in 
your installation?


I will try it again also with your Python plugin and we'll see.

On 01/24/2017 08:59 PM, Steve Huston wrote:

And now I'm convinced this has nothing to do with my plugin and
instead is a bug somewhere in FreeIPA.

I removed the entirety of the "astrocustom" plugin that I wrote,
restarted httpd, and force reloaded the page in chrome.  I clicked to
add a new user, gave the basic information, and clicked "add and
edit".  The bottom of the page shows the "Employee information" on the
left side bottom, and the manager drop-down is empty.  I entered '1'
in the "employee type" field and clicked save, and now "Employee
Information" is on the right side directly under "Contact settings",
and the manager drop-down is populated with the list of UIDs on the
system.

When the UI is in the failed state, the "email address" field is also
blank, but when things switch to how they should be (after submitting
a change) it is populated with the email address in the record.  I
just tested by adding a telephone number to the record, and that also
made the contact information and employee information facets refresh
with the proper data.  Pressing shift-reload again makes all the
information disappear (including the telephone number I just entered).

This is with ipa-server-4.4.0-14.el7_3.4


On Mon, Jan 23, 2017 at 1:55 PM, Steve Huston wrote:

Just tested again, and this is still baffling:

* Create a stage user with the right data, works fine, can be edited.
* Enable that user, and now the two fields ('manager' and
'employeeType') appear to have bogus data in the UI, and I cannot save
the page without changing them to something else.
* Once that user is saved, the "Employee Information" facet moves to
the right side of the page, and now shows not only the current data in
the manager drop down but also the other choices (uids).  Change the
value of manager and employeetype back to what they were previously
and it saves.
* An ldapsearch run when the user is first created (as the directory
manager), and after having two edits (one to change the values to
something else to let the webui save them, and one to change them back
to what they should be and were the first time) produce completely
identical results.
* The output of "ipa user-show  --all --raw" is also identical at
those same steps.

So something, somewhere, is being saved in a way that prevents the
webui from displaying them properly, that gets fixed when those values
are manually changed via the webui.

On Thu, Jan 19, 2017 at 2:44 PM, Steve Huston wrote:

Even more interesting...

I tried to modify one of the records that was not displaying properly
in the "active users" group, and sure enough the webui complained that
the "Requested By" (relabeled "manager") field was not filled in since
it was blank.  It also, however, complained that the "User tier"
(relabeled "employeetype") was incorrect, even though it showed the
label associated with the value 1.  I clicked the search drop-down for
manager, typed in my own uid, and even though everything had been
blank in the drop down before now my uid showed up.  I clicked on it,
and my uid was now in the manager field.  I then clicked the drop down
for employeetype, and chose one of the other options.  I was now able
to save the changes to the record.

Upon reloading the page, the "Employee Information" facet now showed up
on the right side bottom, instead of the left side bottom where it was
appearing.  I was also now able to change the drop-down fields for
manager and employeetype to another value, and save them, and they
worked fine even filling in all the data that should have been there.
This almost seemed like the data being returned by the server was
flawed somehow, and confusing the webui, but once it was forced to
have the right data and re-saved it worked fine subsequently.

I looked at the output of "ipa user-show  --all --raw" both
before and after making such changes on a user, and can detect no
difference between them.

On Thu, Jan 19, 2017 at 1:14 PM, Alexander Bokovoy wrote:

On Thu, 19 Jan 2017, Steve Huston wrote:

On Thu, Jan 19, 2017 at 11:16 AM, Alexander Bokovoy wrote:

In short, FreeIPA 4.2 -> 4.4 change was by splitting server and client
side plugins into different paths (ipaserver/plugins and
ipaclient/plugins instead of being common in ipalib/plugins). The client
code was also changed to always read metadata about API from the server
side. This means the client can adapt to any server version that
supports API metadata.


Right, and I think that the most of the plugin I had belongs

Re: [Freeipa-users] Add text to web login page

2016-12-20 Thread Pavel Vomacka

Hello Mike,

the safest way is to create a WebUI plugin.

Several examples of plugins can be found here: 
https://pvoborni.fedorapeople.org/plugins/ . I recommend to look at 
loginauth. And here is documentation about plugins: 
https://pvoborni.fedorapeople.org/doc/#!/guide/Plugins



On 12/16/2016 07:54 PM, Mike Waite wrote:

I need to add a login banner to the login page for freeIPA, is there a
setting that I could easily change for this?

Thanks,
--
Mike Waite




--
Pavel^3 Vomacka

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Services missing in web-ui

2016-12-07 Thread Pavel Vomacka
I'm glad that you found it, and I'm sorry, I should have attached the BZ 
in the first mail.



On 12/07/2016 01:26 PM, Troels Hansen wrote:

Sorry. Didn't see this.

https://bugzilla.redhat.com/show_bug.cgi?id=1387782



On Dec 7, 2016, at 12:43 PM, Troels Hansen <t...@casalogic.dk> wrote:

Looks great. Pavel, as a Red Hat internal, should I create
a ticket to have this fixed in the Red Hat version, or does it
already have an internal Red Hat bugzilla case?


On Dec 7, 2016, at 11:58 AM, Pavel Vomacka <pvoma...@redhat.com> wrote:

Hello,

it is caused by missing canonical name on services which were
created in older versions of FreeIPA. Fixed ticket here:
https://fedorahosted.org/freeipa/ticket/6397 .

On 12/07/2016 11:48 AM, Fujisan wrote:

And with Firefox 50.0.2.

F.

On Wed, Dec 7, 2016 at 11:46 AM, Fujisan <fujisa...@gmail.com> wrote:

I have the same issue with version 4.4.2

$ rpm -qa|grep freeipa
freeipa-server-4.4.2-1.fc25.x86_64
freeipa-python-compat-4.4.2-1.fc25.noarch
freeipa-server-common-4.4.2-1.fc25.noarch
freeipa-common-4.4.2-1.fc25.noarch
freeipa-server-trust-ad-4.4.2-1.fc25.x86_64
freeipa-client-4.4.2-1.fc25.x86_64
freeipa-client-common-4.4.2-1.fc25.noarch


F.


On Wed, Dec 7, 2016 at 11:13 AM, Troels Hansen <t...@casalogic.dk> wrote:

I have a strange issue in IPA 4.4.0-12 (RHEL 7.3)


Navigating to Identity -> Services reveals 5
services. 2 cifs, 2 dogtag and one empty line...

cifs/host1.domain@REALM
cifs/host2.domain@REALM
dogtag/ipa01.domain@REALM
dogtag/ipa02.domain@REALM



However, from CLI everything looks OK:

# ipa service-find
---
11 services matched
---
Principal name: ldap/ipa02.domain@REALM
Principal alias: ldap/ipa02.domain@REALM
Certificate: ...
...


Keytab: True

Principal name: ldap/ipa01.domain@REALM
Principal alias: ldap/ipa01.domain@REALM
Certificate: ...
...


Keytab: True

Principal name: HTTP/ipa02.domain@REALM
Principal alias: HTTP/ipa02.domain@REALM
Certificate: 
...



Keytab: True

Principal name: cifs/rhellxudv01.domain@REALM
Principal alias: cifs/rhellxudv01.domain@REALM
Keytab: True



Principal name: cifs/ipa02.domain@REALM
Principal alias: cifs/ipa02.domain@REALM
Keytab: True



Principal name: nfs/profil01.domain@REALM
Principal alias: nfs/profil01.domain@REALM
Keytab: True



Principal name: cifs/ipa01.domain@REALM
Principal alias: cifs/ipa01.domain@REALM
Keytab: True

Principal name: dogtag/ipa02.domain@REALM
Principal alias: dogtag/ipa02.domain@REALM
Keytab: True



Principal name: dogtag/ipa01.domain@REALM
Principal alias: dogtag/ipa01.domain@REALM
Keytab: True



Principal name: cifs/rhellxudv02.domain@REALM
Principal alias: cifs/rhellxudv02.domain@REALM
Keytab: True



Principal name: HTTP/ipa01.domain@REALM
Principal alias: HTTP/ipa01.domain@REALM
Certificate: ..
..
Keytab: True



-
Number of entries returned 11
-




(some lines truncated.)


s... something must be disrupting the view in
web-ui,


Tried in Chrome 43 and IE 11


Looking at what gets requested by the browser at
/ipa/session/json I can see in the json that it
gets the correct content:


r

Re: [Freeipa-users] Services missing in web-ui

2016-12-07 Thread Pavel Vomacka

Hello,

it is caused by missing canonical name on services which were created in 
older versions of FreeIPA. Fixed ticket here: 
https://fedorahosted.org/freeipa/ticket/6397 .


On 12/07/2016 11:48 AM, Fujisan wrote:

And with Firefox 50.0.2.

F.

On Wed, Dec 7, 2016 at 11:46 AM, Fujisan wrote:


I have the same issue with version 4.4.2

$ rpm -qa|grep freeipa
freeipa-server-4.4.2-1.fc25.x86_64
freeipa-python-compat-4.4.2-1.fc25.noarch
freeipa-server-common-4.4.2-1.fc25.noarch
freeipa-common-4.4.2-1.fc25.noarch
freeipa-server-trust-ad-4.4.2-1.fc25.x86_64
freeipa-client-4.4.2-1.fc25.x86_64
freeipa-client-common-4.4.2-1.fc25.noarch


F.


On Wed, Dec 7, 2016 at 11:13 AM, Troels Hansen wrote:

I have a strange issue in IPA 4.4.0-12 (RHEL 7.3)


Navigating to Identity -> Services reveals 5 services. 2 cifs,
2 dogtag and one empty line...

cifs/host1.domain@REALM
cifs/host2.domain@REALM
dogtag/ipa01.domain@REALM
dogtag/ipa02.domain@REALM



However, from CLI everything looks OK:

# ipa service-find
---
11 services matched
---
Principal name: ldap/ipa02.domain@REALM
Principal alias: ldap/ipa02.domain@REALM
Certificate: ...
...


Keytab: True

Principal name: ldap/ipa01.domain@REALM
Principal alias: ldap/ipa01.domain@REALM
Certificate: ...
...


Keytab: True

Principal name: HTTP/ipa02.domain@REALM
Principal alias: HTTP/ipa02.domain@REALM
Certificate: 
...



Keytab: True

Principal name: cifs/rhellxudv01.domain@REALM
Principal alias: cifs/rhellxudv01.domain@REALM
Keytab: True



Principal name: cifs/ipa02.domain@REALM
Principal alias: cifs/ipa02.domain@REALM
Keytab: True



Principal name: nfs/profil01.domain@REALM
Principal alias: nfs/profil01.domain@REALM
Keytab: True



Principal name: cifs/ipa01.domain@REALM
Principal alias: cifs/ipa01.domain@REALM
Keytab: True

Principal name: dogtag/ipa02.domain@REALM
Principal alias: dogtag/ipa02.domain@REALM
Keytab: True



Principal name: dogtag/ipa01.domain@REALM
Principal alias: dogtag/ipa01.domain@REALM
Keytab: True



Principal name: cifs/rhellxudv02.domain@REALM
Principal alias: cifs/rhellxudv02.domain@REALM
Keytab: True



Principal name: HTTP/ipa01.domain@REALM
Principal alias: HTTP/ipa01.domain@REALM
Certificate: ..
..
Keytab: True



-
Number of entries returned 11
-




(some lines truncated.)


s... something must be disrupting the view in web-ui,


Tried in Chrome 43 and IE 11


Looking at what gets requested by the browser at
/ipa/session/json I can see in the json that it gets the
correct content:


result: {count: 11, result: [,…], summary: "11 services matched", truncated: false}
count: 11
result: [,…]
0: {dn: "krbprincipalname=cifs/rhellxudv01.domain@REALM,cn=services,cn=accounts,dc=domain",…}
1: {dn: "krbprincipalname=dogtag/ipa01.domain@REALM,cn=services,cn=accounts,dc=domain",…}
2: {dn: "krbprincipalname=nfs/profil01.domain@REALM,cn=services,cn=accounts,dc=domain",…}
3: {dn: "krbprincipalname=cifs/rhellxudv02.domain@REALM,cn=services,cn=accounts,dc=domain",…}
4: {dn: "krbprincipalname=dogtag/ipa02.domain@REALM,cn=services,cn=accounts,dc=domain",…}
5: {dn: "krbprincipalname=HTTP/ipa01.domain@REALM,cn=services,cn=accounts,dc=domain",…}
6: {dn: "krbprincipalname=cifs/ipa02.domain@REALM,cn=services,cn=accounts,dc=domain",…}
7: {dn: "krbprincipalname=cifs/ipa01.domain@REALM,cn=services,cn=accounts,dc=domain",…}
8: {dn: "krbprincipalname=ldap/ipa01.domain@REALM,cn=services,cn=accounts,dc=domain",…}
9: {dn: "krbprincipalname=HTTP/ipa02.domain@REALM,cn=services,cn=accounts,dc=domain",…}
10: {dn: "krbprincipalname=ldap/ipa02.domain@REALM,cn=services,cn=accounts,dc=domain",…}
summary: "11 services matched"
truncated: false



So this is obviously only a web-ui problem, but I can't see
what causes the problem?


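A check for the cause named in this thread (services that have no canonical name), as an added example that is not part of the original messages or of FreeIPA's code: it reads a saved service_find JSON reply and lists the entries that lack the attribute. The attribute names krbcanonicalname and krbprincipalname, the "error" field, and the sample data are assumptions made for this example.

```python
import json

# Assumed raw LDAP attribute names as they appear in a service_find reply.
CANONICAL = "krbcanonicalname"
PRINCIPAL = "krbprincipalname"


def _values(entry, attr):
    """Return an attribute's values as a list; names match case-insensitively."""
    for key, val in entry.items():
        if key.lower() == attr:
            if val is None:
                return []
            return list(val) if isinstance(val, (list, tuple)) else [val]
    return []


def _principal(entry):
    """Principal from the attribute if present, otherwise from the first RDN of the dn."""
    vals = _values(entry, PRINCIPAL)
    if vals:
        return str(vals[0])
    rdn = str(entry.get("dn", "")).split(",", 1)[0]
    return rdn.partition("=")[2] or "<unknown>"


def audit_services(response_text):
    """Split the services in a JSON reply by whether a canonical name is set."""
    reply = json.loads(response_text)
    if reply.get("error"):
        raise ValueError("server returned an error: %r" % (reply["error"],))
    body = reply["result"]
    with_canonical, missing = [], []
    for entry in body["result"]:
        # An attribute that is present but empty counts as missing.
        canon = [v for v in _values(entry, CANONICAL) if str(v).strip()]
        (with_canonical if canon else missing).append(_principal(entry))
    return {
        "total": len(body["result"]),
        "with_canonical": sorted(with_canonical),
        "missing_canonical": sorted(missing),
        # A truncated search means the audit did not see every service.
        "truncated": bool(body.get("truncated")),
    }


def _svc(principal, canonical=True, with_principal_attr=True):
    """Build one constructed entry in the shape of the reply quoted above."""
    entry = {"dn": "krbprincipalname=%s,cn=services,cn=accounts,dc=example,dc=test" % principal}
    if with_principal_attr:
        entry[PRINCIPAL] = [principal]
    if canonical:
        entry[CANONICAL] = [principal]
    return entry


# Constructed sample data, not taken from a real server.
SAMPLE_REPLY = json.dumps({"error": None, "result": {
    "count": 4, "truncated": False, "summary": "4 services matched",
    "result": [
        _svc("cifs/host1.example.test@EXAMPLE.TEST"),
        _svc("dogtag/ipa01.example.test@EXAMPLE.TEST"),
        _svc("ldap/ipa01.example.test@EXAMPLE.TEST", canonical=False),
        _svc("HTTP/ipa01.example.test@EXAMPLE.TEST", canonical=False, with_principal_attr=False),
    ]}})

if __name__ == "__main__":
    report = audit_services(SAMPLE_REPLY)
    print("%d of %d services lack a canonical name"
          % (len(report["missing_canonical"]), report["total"]))
    for name in report["missing_canonical"]:
        print("  missing:", name)
```

The input can be the reply the browser receives from /ipa/session/json, saved to a file and passed in as text.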

Re: [Freeipa-users] Setting "preserve" as default action when deleting in webUI

2016-11-11 Thread Pavel Vomacka

Hello Sebastien,

It's really weird, I tried it again using exactly the same code as you 
sent earlier and it works. Just for information which version of FreeIPA 
do you use? It should not be a problem, but I really can't find anything 
bad in your solution.


On 11/09/2016 05:12 PM, Sébastien Julliot wrote:

Hello Pavel,


Yes I did. "PRESERVE.JS WAS EXECUTED" is printed in my browser's
console, and yet "delete" ("supprimer", in French)  is still the
default. (as you can see in linked image)


On 31/10/2016 at 16:18, Pavel Vomacka wrote:

Hello Sebastien,

I tried your plugin and it works correctly. Default value is Preserve
with your plugin. Did you copy your plugin into
/var/share/ipa/ui/js/plugins/plugin_name/plugin_name.js ? That should
be enough.


On 10/28/2016 12:14 AM, Sebastien Julliot wrote:

Hello guys,


Thank you for your answers. First, I was able to modify the minified js
to change the default. Ugly solution, but it works for now.

I am trying to write a plugin but it seems that I missed something here
since, despite being executed, the default is not changed ..

Here is my code, freely inspired by what I think I understood of your
'association_search_fix.js' example:

define([
  'freeipa/ipa',
  'freeipa/user',
],
  function(IPA, user) {

    exp = {};

    exp.orig_create_active_user_del_dialog =
        IPA.user.create_active_user_del_dialog;

    IPA.user.create_active_user_del_dialog = function(dialog) {
      dialog.deleter_dialog_create_content();

      dialog.option_layout = IPA.fluid_layout({
        label_cls: 'col-sm-3',
        widget_cls: 'col-sm-9'
      });

      dialog.option_radio = IPA.radio_widget({
        name: 'preserve',
        label: '@i18n:objects.user.delete_mode',
        options: [
          { label: '@i18n:objects.user.mode_delete', value: 'false' },
          { label: '@i18n:objects.user.mode_preserve', value: 'true' }
        ],
        default_value: 'true'
      });

      var html = dialog.option_layout.create([dialog.option_radio]);
      dialog.container.append(html);
      dialog.option_radio.set_value(['']);

      return dialog;
    };

    //exp.orig_create_active_user_del_dialog = IPA.user.create_active_user_del_dialog;

    console.log('PRESERVE.JS WAS EXECUTED');

    return exp;
});

I checked that disabling the comment or not does not change anything.


Can you see what I missed here ?


Thanks a lot,

Sebastien Julliot.




--
Pavel^3 Vomacka


Re: [Freeipa-users] Setting "preserve" as default action when deleting in webUI

2016-10-31 Thread Pavel Vomacka

Hello Sebastien,

I tried your plugin and it works correctly. Default value is Preserve 
with your plugin. Did you copy your plugin into 
/var/share/ipa/ui/js/plugins/plugin_name/plugin_name.js ? That should be 
enough.



On 10/28/2016 12:14 AM, Sebastien Julliot wrote:

Hello guys,


Thank you for your answers. First, I was able to modify the minified js
to change the default. Ugly solution, but it works for now.

I am trying to write a plugin but it seems that I missed something here
since, despite being executed, the default is not changed ..

Here is my code, freely inspired by what I think I understood of your
'association_search_fix.js' example:

define([
  'freeipa/ipa',
  'freeipa/user',
],
  function(IPA, user) {

    exp = {};

    exp.orig_create_active_user_del_dialog = IPA.user.create_active_user_del_dialog;

    IPA.user.create_active_user_del_dialog = function(dialog) {
      dialog.deleter_dialog_create_content();

      dialog.option_layout = IPA.fluid_layout({
        label_cls: 'col-sm-3',
        widget_cls: 'col-sm-9'
      });

      dialog.option_radio = IPA.radio_widget({
        name: 'preserve',
        label: '@i18n:objects.user.delete_mode',
        options: [
          { label: '@i18n:objects.user.mode_delete', value: 'false' },
          { label: '@i18n:objects.user.mode_preserve', value: 'true' }
        ],
        default_value: 'true'
      });

      var html = dialog.option_layout.create([dialog.option_radio]);
      dialog.container.append(html);
      dialog.option_radio.set_value(['']);

      return dialog;
    };

    //exp.orig_create_active_user_del_dialog = IPA.user.create_active_user_del_dialog;

    console.log('PRESERVE.JS WAS EXECUTED');

    return exp;
});

I checked that disabling the comment or not does not change anything.


Can you see what I missed here ?


Thanks a lot,

Sebastien Julliot.




--
Pavel^3 Vomacka



Re: [Freeipa-users] cn=deleted users,cn=accounts

2016-10-30 Thread Pavel Vomacka

Hello Michael,

Yes, the deleter dialog on details page was extended in version 4.4 ( 
https://fedorahosted.org/freeipa/ticket/5370 ).


On 10/27/2016 02:45 PM, Michael Ströder wrote:

Michael Ströder wrote:

I wonder which action in the FreeIPA Web UI (4.2.0) moves an active user to
this container:

cn=deleted users,cn=accounts,cn=provisioning,dc=example,dc=com

Selecting [Delete] as action really deletes the LDAP entry.

Ah, found it myself:
It makes a difference choosing action [Delete] when displaying a single user
entry or from the user overview table. The latter asks whether to preserve the
entry or not.

Is this UI inconsistency fixed in a later release?

Ciao, Michael.






--
Pavel^3 Vomacka


Re: [Freeipa-users] Setting "preserve" as default action when deleting in webUI

2016-10-24 Thread Pavel Vomacka

Hello Sebastien,

the safest way is to create a WebUI plugin which rewrites the definition of 
the radio button in the deleter dialog. You can find the radio button code in user.js, 
line 989 (method IPA.user.create_active_user_del_dialog), where you need 
to set default_value to true.


Several examples of plugins can be found here: 
https://pvoborni.fedorapeople.org/plugins/ . I recommend to look at 
employeenumber or association_search_fix. And here is documentation 
about plugins: https://pvoborni.fedorapeople.org/doc/#!/guide/Plugins


On 10/20/2016 11:43 AM, Sébastien Julliot wrote:

Hi everyone,


In order to prevent administrators from making mistakes that could have
silly consequences, I would like to set "preserve" as the default selected
action in freeipa's webui.

What do you think would be the best way to achieve this ?


Thank you in advance,

Sebastien Julliot.





--
Pavel^3 Vomacka


Re: [Freeipa-users] Certificate format error reported by GUI

2016-09-30 Thread Pavel Vomacka
Ah, ok, does /var/log/httpd/error_log contain any error after looking at 
hosts using GUI? And could you please send output of ipactl status after 
the error occurs?



On 09/30/2016 02:40 AM, Jim Richard wrote:

Hi Paul, 3.0.0 on Centos 6.8






On Sep 29, 2016, at 11:58 AM, Pavel Vomacka <pvoma...@redhat.com> wrote:


Hello,

which version of FreeIPA do you use?

On 09/28/2016 12:42 AM, Jim Richard wrote:
When I try to look at hosts under the hosts tab. ipactl restart or 
just restarting httpd seems to clear it up for a short period.


Three replicas in the environment, it only happens when I look at 
hosts using the GUI at one of the three replicas.



Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The 
certificate/key database is in an old, unsupported format.











--
Pavel^3 Vomacka




--
Pavel^3 Vomacka


Re: [Freeipa-users] Certificate format error reported by GUI

2016-09-29 Thread Pavel Vomacka

Hello,

which version of FreeIPA do you use?

On 09/28/2016 12:42 AM, Jim Richard wrote:
When I try to look at hosts under the hosts tab. ipactl restart or 
just restarting httpd seems to clear it up for a short period.


Three replicas in the environment, it only happens when I look at 
hosts using the GUI at one of the three replicas.



Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The 
certificate/key database is in an old, unsupported format.












--
Pavel^3 Vomacka


Re: [Freeipa-users] Unknown Error - error (pop-up) window

2016-08-23 Thread Pavel Vomacka



On 08/22/2016 09:46 PM, Zarko Dudic wrote:

Hi all,

IPA version: ipa-server-4.2.0-15.0.1.el7_2.18.x86_64
Kernel: 3.8.13-118.10.2.el7uek.x86_64

I start seeing pop-up window titled "Unknown Error" with message 
"error" and buttons Retry and Cancel. It happens when selecting almost 
anything on the Web interface, from Identity to IPA Server.
Certainly changes have been made, like adding identities, adding certs 
in nssdb, but can't think of anything that can cause such error.
And when errors happen, no new logs in /var/log/httpd both access and 
error logs. Also no new logs in /var/log/dirsrv/slapd-REALM/


For starter, can you please suggest any troubleshooting steps and 
other logs to query.



Hello,

You are probably facing this issue: 
https://fedorahosted.org/freeipa/ticket/4821 , pvoborni wrote a comment 
with some situations when this error might be seen. Try to check them ( 
https://fedorahosted.org/freeipa/ticket/4821#comment:3 ).


--
Pavel^3 Vomacka
