Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
On 05/31/2011 08:28 PM, Dan Scott wrote: > Done: > > https://fedorahosted.org/freeipa/ticket/1266 Thanks. We will try to look at it as soon as we can. > Dan > > On Tue, May 31, 2011 at 18:26, Dmitri Pal wrote: >> On 05/31/2011 06:02 PM, Dan Scott wrote: >>> Hi, >>> >>> Thanks for all the replies. >>> >>> On Wed, May 25, 2011 at 18:13, Rob Crittenden wrote: > I have a FreeIPA 1.2.1 system (1 master and 1 replica server) running > on Fedora 14. I'd like to migrate to FreeIPA 2, now that Fedora 15 has > been released. But I have a few questions: > > 1. Can Fedora 15 clients authenticate against my FreeIPA 1 servers? Yes but you would have to configure it yourself. sssd would work nicely with an ldap/krb5 configuration. >>> I've set up a Fedora 15 VM and have successfully configured it to >>> authenticate against my FreeIPA 1 servers, so this is good. One small >>> problem was that I couldn't get passwordless ssh logins *to* the F15 >>> system working. I created and installed a host keytab, same as for all >>> the other systems, but no luck. I was able to ssh *from* the F15 >>> system without a password however. Any ideas? >>> > 3. Can I migrate the servers from FreeIPA 1 to 2 (presumably requiring > an upgrade from Fedora 14 to 15 along the way). You cannot do a straight upgrade, too much changed between the two versions. You should be able to migrate the users and groups using the v2 migration system. This will maintain your user passwords at least. You would need to generate new principals and keytabs for your kerberized services. >>> I've setup a Fedora 15 VM and installed the FreeIPA server. I ran the >>> ipa migrate-ds command provided in the documentation. All of the user >>> groups were migrated successfully, but none of the users were migrated >>> due to 'unknown object class "radiusprofile"' errors. >>> >>> I've seen this post here: >>> >>> https://www.redhat.com/archives/freeipa-users/2011-May/msg00282.html >>> >>> but I wanted to add that I don't use any of the radius functionality >>> and my FreeIPA v1 installation is pretty standard, so other users >>> might run into this. I didn't find a bug report, but can file one if >>> needed? >>> >> Yes please: https://fedorahosted.org/freeipa/ >> >>> Thanks, >>> >>> Dan >>> >>> ___ >>> Freeipa-users mailing list >>> Freeipa-users@redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >>> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IPA project, >> Red Hat Inc. >> >> >> --- >> Looking to carve out IT costs? >> www.redhat.com/carveoutcosts/ >> >> >> >> ___ >> Freeipa-users mailing list >> Freeipa-users@redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
Dan Scott wrote: Hi, Thanks for all the replies. On Wed, May 25, 2011 at 18:13, Rob Crittenden wrote: I have a FreeIPA 1.2.1 system (1 master and 1 replica server) running on Fedora 14. I'd like to migrate to FreeIPA 2, now that Fedora 15 has been released. But I have a few questions: 1. Can Fedora 15 clients authenticate against my FreeIPA 1 servers? Yes but you would have to configure it yourself. sssd would work nicely with an ldap/krb5 configuration. I've set up a Fedora 15 VM and have successfully configured it to authenticate against my FreeIPA 1 servers, so this is good. One small problem was that I couldn't get passwordless ssh logins *to* the F15 system working. I created and installed a host keytab, same as for all the other systems, but no luck. I was able to ssh *from* the F15 system without a password however. Any ideas? Are any errors reported on either side? You can test the host principal with something like: # kinit -kt /etc/krb5.keytab host/ipa.example@example.com 3. Can I migrate the servers from FreeIPA 1 to 2 (presumably requiring an upgrade from Fedora 14 to 15 along the way). You cannot do a straight upgrade, too much changed between the two versions. You should be able to migrate the users and groups using the v2 migration system. This will maintain your user passwords at least. You would need to generate new principals and keytabs for your kerberized services. I've setup a Fedora 15 VM and installed the FreeIPA server. I ran the ipa migrate-ds command provided in the documentation. All of the user groups were migrated successfully, but none of the users were migrated due to 'unknown object class "radiusprofile"' errors. I've seen this post here: https://www.redhat.com/archives/freeipa-users/2011-May/msg00282.html but I wanted to add that I don't use any of the radius functionality and my FreeIPA v1 installation is pretty standard, so other users might run into this. I didn't find a bug report, but can file one if needed? Saw that you filed one, thanks, we'll take a look. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
Done: https://fedorahosted.org/freeipa/ticket/1266 Dan On Tue, May 31, 2011 at 18:26, Dmitri Pal wrote: > On 05/31/2011 06:02 PM, Dan Scott wrote: >> Hi, >> >> Thanks for all the replies. >> >> On Wed, May 25, 2011 at 18:13, Rob Crittenden wrote: I have a FreeIPA 1.2.1 system (1 master and 1 replica server) running on Fedora 14. I'd like to migrate to FreeIPA 2, now that Fedora 15 has been released. But I have a few questions: 1. Can Fedora 15 clients authenticate against my FreeIPA 1 servers? >>> Yes but you would have to configure it yourself. sssd would work nicely with >>> an ldap/krb5 configuration. >> I've set up a Fedora 15 VM and have successfully configured it to >> authenticate against my FreeIPA 1 servers, so this is good. One small >> problem was that I couldn't get passwordless ssh logins *to* the F15 >> system working. I created and installed a host keytab, same as for all >> the other systems, but no luck. I was able to ssh *from* the F15 >> system without a password however. Any ideas? >> 3. Can I migrate the servers from FreeIPA 1 to 2 (presumably requiring an upgrade from Fedora 14 to 15 along the way). >>> You cannot do a straight upgrade, too much changed between the two versions. >>> You should be able to migrate the users and groups using the v2 migration >>> system. This will maintain your user passwords at least. You would need to >>> generate new principals and keytabs for your kerberized services. >> I've setup a Fedora 15 VM and installed the FreeIPA server. I ran the >> ipa migrate-ds command provided in the documentation. All of the user >> groups were migrated successfully, but none of the users were migrated >> due to 'unknown object class "radiusprofile"' errors. >> >> I've seen this post here: >> >> https://www.redhat.com/archives/freeipa-users/2011-May/msg00282.html >> >> but I wanted to add that I don't use any of the radius functionality >> and my FreeIPA v1 installation is pretty standard, so other users >> might run into this. I didn't find a bug report, but can file one if >> needed? >> > > Yes please: https://fedorahosted.org/freeipa/ > >> Thanks, >> >> Dan >> >> ___ >> Freeipa-users mailing list >> Freeipa-users@redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > --- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
On 05/31/2011 06:02 PM, Dan Scott wrote: > Hi, > > Thanks for all the replies. > > On Wed, May 25, 2011 at 18:13, Rob Crittenden wrote: >>> I have a FreeIPA 1.2.1 system (1 master and 1 replica server) running >>> on Fedora 14. I'd like to migrate to FreeIPA 2, now that Fedora 15 has >>> been released. But I have a few questions: >>> >>> 1. Can Fedora 15 clients authenticate against my FreeIPA 1 servers? >> Yes but you would have to configure it yourself. sssd would work nicely with >> an ldap/krb5 configuration. > I've set up a Fedora 15 VM and have successfully configured it to > authenticate against my FreeIPA 1 servers, so this is good. One small > problem was that I couldn't get passwordless ssh logins *to* the F15 > system working. I created and installed a host keytab, same as for all > the other systems, but no luck. I was able to ssh *from* the F15 > system without a password however. Any ideas? > >>> 3. Can I migrate the servers from FreeIPA 1 to 2 (presumably requiring >>> an upgrade from Fedora 14 to 15 along the way). >> You cannot do a straight upgrade, too much changed between the two versions. >> You should be able to migrate the users and groups using the v2 migration >> system. This will maintain your user passwords at least. You would need to >> generate new principals and keytabs for your kerberized services. > I've setup a Fedora 15 VM and installed the FreeIPA server. I ran the > ipa migrate-ds command provided in the documentation. All of the user > groups were migrated successfully, but none of the users were migrated > due to 'unknown object class "radiusprofile"' errors. > > I've seen this post here: > > https://www.redhat.com/archives/freeipa-users/2011-May/msg00282.html > > but I wanted to add that I don't use any of the radius functionality > and my FreeIPA v1 installation is pretty standard, so other users > might run into this. I didn't find a bug report, but can file one if > needed? > Yes please: https://fedorahosted.org/freeipa/ > Thanks, > > Dan > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
Hi, Thanks for all the replies. On Wed, May 25, 2011 at 18:13, Rob Crittenden wrote: >> I have a FreeIPA 1.2.1 system (1 master and 1 replica server) running >> on Fedora 14. I'd like to migrate to FreeIPA 2, now that Fedora 15 has >> been released. But I have a few questions: >> >> 1. Can Fedora 15 clients authenticate against my FreeIPA 1 servers? > > Yes but you would have to configure it yourself. sssd would work nicely with > an ldap/krb5 configuration. I've set up a Fedora 15 VM and have successfully configured it to authenticate against my FreeIPA 1 servers, so this is good. One small problem was that I couldn't get passwordless ssh logins *to* the F15 system working. I created and installed a host keytab, same as for all the other systems, but no luck. I was able to ssh *from* the F15 system without a password however. Any ideas? >> 3. Can I migrate the servers from FreeIPA 1 to 2 (presumably requiring >> an upgrade from Fedora 14 to 15 along the way). > > You cannot do a straight upgrade, too much changed between the two versions. > You should be able to migrate the users and groups using the v2 migration > system. This will maintain your user passwords at least. You would need to > generate new principals and keytabs for your kerberized services. I've setup a Fedora 15 VM and installed the FreeIPA server. I ran the ipa migrate-ds command provided in the documentation. All of the user groups were migrated successfully, but none of the users were migrated due to 'unknown object class "radiusprofile"' errors. I've seen this post here: https://www.redhat.com/archives/freeipa-users/2011-May/msg00282.html but I wanted to add that I don't use any of the radius functionality and my FreeIPA v1 installation is pretty standard, so other users might run into this. I didn't find a bug report, but can file one if needed? Thanks, Dan ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
Hi, The school has had its own kerberos-ldap for a decade but its a one off they are cumputer science so have "rocket scientists" to run itits not what we want to use as we need to consider "normal" user and windows admins who need to be able to use a solution... Its good to know the kerberos linking up would workanother plus for IPAbecause its probable that this will be a requirement further along, but if I have to look for something with all the bells and whistles its 100s of K and a long time to put it in, and huge opex costsand TCO wise I dont see it as worthwhile (think oracle Identity).hence something low cost that does 90% of what we need ie the real core functionality is the only sane / cost effective way IMHO. regards From: Simo Sorce [s...@redhat.com] Sent: Friday, 27 May 2011 1:10 a.m. To: Steven Jones Cc: Christian Horn; Erinn Looney-Triggs; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2 On Thu, 2011-05-26 at 05:51 +, Steven Jones wrote: > Quickly as Im late. > > We are setting up cross realm from AD to a school who runs MIT Kerberos with > openldap underneathA windows client in our domain can then connect to a > school resource where its connected to the school's centralised setup > > So its possible, yes. > > Not with freeipa from what Ive seen posted, yet...next version I am assuming > so. Freeipa does not give you UI or tools to do it, although creating a Kerberos trust is a very simple matter using kadmin.local to create the proper principals. Everything else would work like in the Kerberos+openldap setup in the school you meantion. So it is technically possible, we simply do not yet make it easy for you by providing wrappers. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
On Thu, 2011-05-26 at 05:51 +, Steven Jones wrote: > Quickly as Im late. > > We are setting up cross realm from AD to a school who runs MIT Kerberos with > openldap underneathA windows client in our domain can then connect to a > school resource where its connected to the school's centralised setup > > So its possible, yes. > > Not with freeipa from what Ive seen posted, yet...next version I am assuming > so. Freeipa does not give you UI or tools to do it, although creating a Kerberos trust is a very simple matter using kadmin.local to create the proper principals. Everything else would work like in the Kerberos+openldap setup in the school you meantion. So it is technically possible, we simply do not yet make it easy for you by providing wrappers. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
On Thu, May 26, 2011 at 05:51:59AM +, Steven Jones wrote: > Quickly as Im late. > > We are setting up cross realm from AD to a school who runs MIT Kerberos with > openldap underneathA windows client in our domain can then connect to a > school resource where its connected to the school's centralised setup > > So its possible, yes. > > Not with freeipa from what Ive seen posted, yet...next version I am assuming > so. Ah sorry, was thinking ahead softwarewise :) Also did that not with FreeIPA but plain MIT-kerberos in the past, also the environment where Microsoft actively helped debugging upcoming problems was at the MIT with ofcourse MIT-kerberos running. Christian ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
Quickly as Im late. We are setting up cross realm from AD to a school who runs MIT Kerberos with openldap underneathA windows client in our domain can then connect to a school resource where its connected to the school's centralised setup So its possible, yes. Not with freeipa from what Ive seen posted, yet...next version I am assuming so. regards From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Christian Horn [ch...@fluxcoil.net] Sent: Thursday, 26 May 2011 3:20 p.m. To: Erinn Looney-Triggs Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2 On Wed, May 25, 2011 at 01:29:41PM -0800, Erinn Looney-Triggs wrote: > On 05/25/2011 01:21 PM, Steven Jones wrote: > > > > As far as I am aware Windows clients can only authenticate against ADs. So > > if you need to authenticate Windows you need a password trust/sync setup > > with AD and yes you need an AD as well as FreeIPA. > No Windows clients can auth against kerberos realms directly and so > should be able to auth again an IPA server as well. It is slightly > complicated and difficult to manage but it can be done. True, but does not help with the clients fetching ldap data. I think the cross realm setup is a good idea if one wants to run Windows clients and use SSO together with kerberized services on linux/unix: - the windows clients stay hooked up to an AD, so in a supported environment - from following mailinglists I had the impression Microsoft seems to support the scenario - the linux/unix servers can use the IPA and benefit from proper de- bugging tools, having their server OpenSourced etc. Christian ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
On Wed, May 25, 2011 at 01:29:41PM -0800, Erinn Looney-Triggs wrote: > On 05/25/2011 01:21 PM, Steven Jones wrote: > > > > As far as I am aware Windows clients can only authenticate against ADs. So > > if you need to authenticate Windows you need a password trust/sync setup > > with AD and yes you need an AD as well as FreeIPA. > No Windows clients can auth against kerberos realms directly and so > should be able to auth again an IPA server as well. It is slightly > complicated and difficult to manage but it can be done. True, but does not help with the clients fetching ldap data. I think the cross realm setup is a good idea if one wants to run Windows clients and use SSO together with kerberized services on linux/unix: - the windows clients stay hooked up to an AD, so in a supported environment - from following mailinglists I had the impression Microsoft seems to support the scenario - the linux/unix servers can use the IPA and benefit from proper de- bugging tools, having their server OpenSourced etc. Christian ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
Dan Scott wrote: Hello, I have a FreeIPA 1.2.1 system (1 master and 1 replica server) running on Fedora 14. I'd like to migrate to FreeIPA 2, now that Fedora 15 has been released. But I have a few questions: 1. Can Fedora 15 clients authenticate against my FreeIPA 1 servers? Yes but you would have to configure it yourself. sssd would work nicely with an ldap/krb5 configuration. 2. Can Fedora 14 (and older, and Windows and Mac) clients authenticate against FreeIPA 2 servers? You would need to either build your own Fedora 14 ipa-client v2 package or manually configure it. The sssd in F-14 should work well even using the ipa provider. Windows domain login is not supported. 3. Can I migrate the servers from FreeIPA 1 to 2 (presumably requiring an upgrade from Fedora 14 to 15 along the way). You cannot do a straight upgrade, too much changed between the two versions. You should be able to migrate the users and groups using the v2 migration system. This will maintain your user passwords at least. You would need to generate new principals and keytabs for your kerberized services. I don't think it would be practical to try to run the two systems side-by-side. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
On Wed, 2011-05-25 at 17:00 -0400, Dan Scott wrote: > Hello, > > I have a FreeIPA 1.2.1 system (1 master and 1 replica server) running > on Fedora 14. I'd like to migrate to FreeIPA 2, now that Fedora 15 has > been released. But I have a few questions: > > 1. Can Fedora 15 clients authenticate against my FreeIPA 1 servers? Yes but you should configure them as normal LDAP+Krb clients not FreeIPA clients. > 2. Can Fedora 14 (and older, and Windows and Mac) clients authenticate > against FreeIPA 2 servers? Yes as normal LDAP+Krb clients. > 3. Can I migrate the servers from FreeIPA 1 to 2 (presumably requiring > an upgrade from Fedora 14 to 15 along the way). You need to perform an actual data migration, I suggest you install a separate box with F15 + freeipa v2 and migrate accounts from the v1 instance. Direct upgrades from v1 to v2 by way of an rpm upgrade are not possible. > Overall, my questions boil down to this: Can I migrate systems as and > when possible/convenient, or do I have to do 'everything' in one go? You don't have to do everything in one go, except for the server instances (unless you can live for a while in a split brain situation). > I looked through the documentation, but the V2 docs currently seem > quite developer-centric, does anyone have any links for me? Take a look at this: http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/ Still a work in progress but there is a lot already. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
On 05/25/2011 01:21 PM, Steven Jones wrote: > Hi, > > As far as I am aware Windows clients can only authenticate against ADs. So > if you need to authenticate Windows you need a password trust/sync setup with > AD and yes you need an AD as well as FreeIPA. No Windows clients can auth against kerberos realms directly and so should be able to auth again an IPA server as well. It is slightly complicated and difficult to manage but it can be done. -Erinn ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
Hi, As far as I am aware Windows clients can only authenticate against ADs. So if you need to authenticate Windows you need a password trust/sync setup with AD and yes you need an AD as well as FreeIPA. >From what's been said in the last day or so the next version of FreeIPA will >do interREALM kerberos trusts?so its looking a bit better than a password >syncbut I think you will still need AD and FreeIPA. From my limited >understanding something has to do the authorisation still which is the LDAP >bit.so once you trust the user you still have to put in two places what >the user can dodepending on what the user wants to connect to. regards From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dan Scott [danieljamessc...@gmail.com] Sent: Thursday, 26 May 2011 9:00 a.m. To: freeipa-users@redhat.com Subject: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2 Hello, I have a FreeIPA 1.2.1 system (1 master and 1 replica server) running on Fedora 14. I'd like to migrate to FreeIPA 2, now that Fedora 15 has been released. But I have a few questions: 1. Can Fedora 15 clients authenticate against my FreeIPA 1 servers? 2. Can Fedora 14 (and older, and Windows and Mac) clients authenticate against FreeIPA 2 servers? 3. Can I migrate the servers from FreeIPA 1 to 2 (presumably requiring an upgrade from Fedora 14 to 15 along the way). Overall, my questions boil down to this: Can I migrate systems as and when possible/convenient, or do I have to do 'everything' in one go? I looked through the documentation, but the V2 docs currently seem quite developer-centric, does anyone have any links for me? Thanks, Dan Scott ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Migration from FreeIPA 1.2.1 to 2
Hello, I have a FreeIPA 1.2.1 system (1 master and 1 replica server) running on Fedora 14. I'd like to migrate to FreeIPA 2, now that Fedora 15 has been released. But I have a few questions: 1. Can Fedora 15 clients authenticate against my FreeIPA 1 servers? 2. Can Fedora 14 (and older, and Windows and Mac) clients authenticate against FreeIPA 2 servers? 3. Can I migrate the servers from FreeIPA 1 to 2 (presumably requiring an upgrade from Fedora 14 to 15 along the way). Overall, my questions boil down to this: Can I migrate systems as and when possible/convenient, or do I have to do 'everything' in one go? I looked through the documentation, but the V2 docs currently seem quite developer-centric, does anyone have any links for me? Thanks, Dan Scott ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users