Re: [Freeipa-users] error adding replica
On Fri, Jan 11, 2013 at 4:19 PM, Natxo Asenjo wrote:
> On Fri, Jan 11, 2013 at 3:51 PM, Rob Crittenden wrote:
>> Natxo Asenjo wrote:
>>> I just tried again to create a replica and had exactly the same error
>>> as on the thread's first post.
>>>
>>> in ipareplica-install.log I get "The pkcs12 file is not correct." error.
>>>
>>
>> Can you send me the log file /var/log/pki-ca/debug out-of-band? I'll pass
>> that along to the dogtag guys who can hopefully tell us what is going on. I'd
>> need the log from both the IPA Master that you are installing and the one
>> that generated the replica file.
>>
>> The files can be big, gzipping is appreciated :-)

hi,

do you have any updates on this case? It is not really important, but if you do not have the time to look into it I will just wipe the vm because my homelab is going to be rebuilt ;-)

--
regards,
natxo
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] error adding replica
Natxo Asenjo wrote:
> On Fri, Dec 14, 2012 at 1:36 AM, Dmitri Pal wrote:
>> On 12/13/2012 03:48 AM, Natxo Asenjo wrote:
>>> hi,
>>>
>>> On Thu, Dec 13, 2012 at 1:46 AM, Dmitri Pal wrote:
>>>> The holidays are coming. It is unlikely that we would be able to look
>>>> into it till Jan.
>>> that is no problem at all, we have the same issues ;-)
>>>
>>> Do you want me to keep the vm's around for troubleshooting the issue
>>> when there is time?
>>>
>> Would be great if you would be able to start this thread over after the
>> holidays to draw our attention.
>> So at that time every detail would be handy.
>
> hi,
>
> I just tried again to create a replica and had exactly the same error
> as on the thread's first post.
>
> in ipareplica-install.log I get "The pkcs12 file is not correct." error.

Can you send me the log file /var/log/pki-ca/debug out-of-band? I'll pass that along to the dogtag guys who can hopefully tell us what is going on. I'd need the log from both the IPA Master that you are installing and the one that generated the replica file.

The files can be big, gzipping is appreciated :-)

thanks

rob

Re: [Freeipa-users] error adding replica
On Fri, Dec 14, 2012 at 1:36 AM, Dmitri Pal wrote:
> On 12/13/2012 03:48 AM, Natxo Asenjo wrote:
>> hi,
>>
>> On Thu, Dec 13, 2012 at 1:46 AM, Dmitri Pal wrote:
>>> The holidays are coming. It is unlikely that we would be able to look
>>> into it till Jan.
>> that is no problem at all, we have the same issues ;-)
>>
>> Do you want me to keep the vm's around for troubleshooting the issue
>> when there is time?
>>
> Would be great if you would be able to start this thread over after the
> holidays to draw our attention.
> So at that time every detail would be handy.

hi,

I just tried again to create a replica and had exactly the same error as on the thread's first post.

in ipareplica-install.log I get "The pkcs12 file is not correct." error.

--
regards,
natxo

Re: [Freeipa-users] error adding replica
On 12/13/2012 03:48 AM, Natxo Asenjo wrote:
> hi,
>
> On Thu, Dec 13, 2012 at 1:46 AM, Dmitri Pal wrote:
>> The holidays are coming. It is unlikely that we would be able to look
>> into it till Jan.
> that is no problem at all, we have the same issues ;-)
>
> Do you want me to keep the vm's around for troubleshooting the issue
> when there is time?
>

Would be great if you would be able to start this thread over after the holidays to draw our attention.
So at that time every detail would be handy.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Re: [Freeipa-users] error adding replica
hi,

On Thu, Dec 13, 2012 at 1:46 AM, Dmitri Pal wrote:
> The holidays are coming. It is unlikely that we would be able to look
> into it till Jan.

that is no problem at all, we have the same issues ;-)

Do you want me to keep the vm's around for troubleshooting the issue when there is time?

--
thanks,
natxo

Re: [Freeipa-users] error adding replica
On 12/12/2012 02:29 PM, Natxo Asenjo wrote:
> hi,
>
> On Fri, Dec 7, 2012 at 4:28 PM, Rob Crittenden wrote:
>
>>> a bit late, but here is the output of /var/log/ipareplica-install.log
>>> and /var/log/pki-ca/debug ; I did not find a
>>> /var/log/ipaserver-install.log in the replica server.
>>
>> The dogtag installer is failing with the error "The pkcs12 file is not
>> correct." I'll need to defer to a dogtag engineer to explain what this
>> means, and how to fix it.
> would you like me to keep a copy of this vm's in this state in order
> to keep testing this error?
>
> Otherwise I was planning on reinstalling the realm and starting afresh
> with the latest version, I have seen that creating replicas when
> starting with 6.3 (so no upgrading from 6.1 to 6.2 and then 6.3) just
> works (TM) and this was just a test lab anyway.
>

The holidays are coming. It is unlikely that we would be able to look into it till Jan.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Re: [Freeipa-users] error adding replica
hi,

On Fri, Dec 7, 2012 at 4:28 PM, Rob Crittenden wrote:

>> a bit late, but here is the output of /var/log/ipareplica-install.log
>> and /var/log/pki-ca/debug ; I did not find a
>> /var/log/ipaserver-install.log in the replica server.
>
> The dogtag installer is failing with the error "The pkcs12 file is not
> correct." I'll need to defer to a dogtag engineer to explain what this
> means, and how to fix it.

would you like me to keep a copy of this vm's in this state in order to keep testing this error?

Otherwise I was planning on reinstalling the realm and starting afresh with the latest version, I have seen that creating replicas when starting with 6.3 (so no upgrading from 6.1 to 6.2 and then 6.3) just works (TM) and this was just a test lab anyway.

--
regards,
natxo

Re: [Freeipa-users] error adding replica
Natxo Asenjo wrote:
> On Mon, Dec 3, 2012 at 4:50 PM, Rob Crittenden wrote:
>> Natxo Asenjo wrote:
>>> hi,
>>>
>>> I have a 6.3 centos server that has been upgraded since 6.1. According
>>> to the ipaserver-install.log, I installed it on feb 3 2012 so it has
>>> been upgraded at least once.
>>>
>>> Now that I have more hardware to run a few more vm's I can test
>>> replicas. But apparently I am running into this problem:
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=867640
>>>
>>> I have exactly the same error:
>>>
>>> 2012-10-17T22:07:50Z DEBUG stderr=
>>> 2012-10-17T22:07:50Z CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname rhel6-2.testrelm.com -cs_port 9445 -client_certdb_dir /tmp/tmp-Q8ad1f -client_certdb_pwd -preop_pin w53uYQUJBSyYNddpO5Xk -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TESTRELM.COM -ldap_host rhel6-2.testrelm.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TESTRELM.COM -ca_server_cert_subject_name CN=rhel6-2.testrelm.com,O=TESTRELM.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=TESTRELM.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=TESTRELM.COM -external false -clone true -clone_p12_file ca.p12 -clone_p12_password -sd_hostname rhel6-1.testrelm.com -sd_admin_port 443 -sd_admin_name admin -sd_admin_password -clone_start_tls true -clone_uri https://rhel6-1.testrelm.com:443' returned non-zero exit status 255
>>>
>>> My realm is different, but the rest is the same.
>>>
>>> Apparently there is a newer ou ou=csusers somewhere (this is what I
>>> understand from the bugzilla), but I am not sure where it must be
>>> created. Is it in the ipa slapd or in the pki slapd? When I log in as
>>> 'Directory Manager' in both slapd dirsrv I do not find a ou=config
>>> anywhere in the directory tree.
>>>
>>> Any clues?
>>
>> It is likely not the same bug. The output from the installer on failures
>> is rather generic (and granted, awful).
>>
>> You'll need to look at the full /var/log/ipaserver-install.log for clues.
>> Sometimes we need to examine /var/log/pki-ca/debug as well.
>
> a bit late, but here is the output of /var/log/ipareplica-install.log
> and /var/log/pki-ca/debug ; I did not find a
> /var/log/ipaserver-install.log in the replica server.

The dogtag installer is failing with the error "The pkcs12 file is not correct." I'll need to defer to a dogtag engineer to explain what this means, and how to fix it.

rob

Re: [Freeipa-users] error adding replica (2)
Steven Jones wrote:
> Hi,
>
> Any ideas?
>
> I have moved the CA cert off the original ipam001 to ipam002 and built a fresh ipam001 when I try and join it to ipam002 I get the error below. ipam003 was removed off the old ipam001 and added to ipam002 perfectly.
>
> From google it was suggested kerberos might be caching but I've rebooted all the IPA servers at least once and ipam002 (it holds the CA) 3 times over 8 hours, no joy.
>
> I also did a search for the principal as suggested by Rob, output below.
>
> ==
> [root@vuwunicoipam001 ~]# ipa-replica-install --setup-dns --no-reverse --forwarder=130.195.85.25 /root/replica/replica-info-vuwunicoipam001.ods.vuw.ac.nz.gpg --skip-conncheck
> Directory Manager (existing master) password:
>
> Configuring ntpd
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> done configuring ntpd.
> Configuring directory server: Estimated time 1 minute
>   [1/30]: creating directory server user
>   [2/30]: creating directory server instance
>   [3/30]: adding default schema
>   [4/30]: enabling memberof plugin
>   [5/30]: enabling referential integrity plugin
>   [6/30]: enabling winsync plugin
>   [7/30]: configuring replication version plugin
>   [8/30]: enabling IPA enrollment plugin
>   [9/30]: enabling ldapi
>   [10/30]: configuring uniqueness plugin
>   [11/30]: configuring uuid plugin
>   [12/30]: configuring modrdn plugin
>   [13/30]: enabling entryUSN plugin
>   [14/30]: configuring lockout plugin
>   [15/30]: creating indices
>   [16/30]: configuring ssl for ds instance
>   [17/30]: configuring certmap.conf
>   [18/30]: configure autobind for root
>   [19/30]: configure new location for managed entries
>   [20/30]: restarting directory server
>   [21/30]: setting up initial replication
> Starting replication, please wait until this has completed.
> [vuwunicoipam002.ods.vuw.ac.nz] reports: Update failed! Status: [-2 - System error]
> creation of replica failed: Failed to start replication
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> [root@vuwunicoipam001 ~]#
>
>   [20/30]: restarting directory server
> ipa : DEBUG args=/sbin/service dirsrv restart ODS-VUW-AC-NZ
> ipa : DEBUG stdout=Shutting down dirsrv: ODS-VUW-AC-NZ... [ OK ]
> Starting dirsrv: ODS-VUW-AC-NZ... [ OK ]
> ipa : DEBUG stderr=
> ipa : DEBUG args=/sbin/service dirsrv status ODS-VUW-AC-NZ
> ipa : DEBUG stdout=dirsrv ODS-VUW-AC-NZ (pid 10552) is running...
> ipa : DEBUG stderr=
> ipa : DEBUG duration: 3 seconds
> ipa : DEBUG [21/30]: setting up initial replication
>   [21/30]: setting up initial replication
> ipa : DEBUG args=/sbin/service dirsrv restart ODS-VUW-AC-NZ
> ipa : DEBUG stdout=Shutting down dirsrv: ODS-VUW-AC-NZ... [ OK ]
> Starting dirsrv: ODS-VUW-AC-NZ... [ OK ]
> ipa : DEBUG stderr=
> Starting replication, please wait until this has completed.
> [vuwunicoipam002.ods.vuw.ac.nz] reports: Update failed! Status: [-2 - System error]
> creation of replica failed: Failed to start replication
> ipa : DEBUG Failed to start replication
>   File "/usr/sbin/ipa-replica-install", line 496, in <module>
>     main()
>   File "/usr/sbin/ipa-replica-install", line 432, in main
>     ds = install_replica_ds(config)
>   File "/usr/sbin/ipa-replica-install", line 147, in install_replica_ds
>     pkcs12_info)
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 282, in create_replica
>     self.start_creation("Configuring directory server", 60)
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 257, in start_creation
>     method()
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 295, in __setup_replica
>     r_bindpw=self.dm_password)
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 748, in setup_replication
>     raise RuntimeError("Failed to start replication")
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> [root@vuwunicoipam001 ~]#
>
> [root@vuwunicoipam002 ~]# ldapsearch -x -b 'cn=services,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz' '(krbprincipalname=*ods-directory*)'
> # extended LDIF
> #
> # LDAPv3
> # base <cn=services,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz> with scope subtree
> # filter: (krbprincipalname=*ods-directory*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
> [root@vuwunicoipam002 ~]#

This is failing during the initial replication which is a bit strange. Are you seeing anything logged in errors on either directory server?

rob

Re: [Freeipa-users] error adding replica
Natxo Asenjo wrote:
> hi,
>
> I have a 6.3 centos server that has been upgraded since 6.1. According
> to the ipaserver-install.log, I installed it on feb 3 2012 so it has
> been upgraded at least once.
>
> Now that I have more hardware to run a few more vm's I can test
> replicas. But apparently I am running into this problem:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=867640
>
> I have exactly the same error:
>
> 2012-10-17T22:07:50Z DEBUG stderr=
> 2012-10-17T22:07:50Z CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname rhel6-2.testrelm.com -cs_port 9445 -client_certdb_dir /tmp/tmp-Q8ad1f -client_certdb_pwd -preop_pin w53uYQUJBSyYNddpO5Xk -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TESTRELM.COM -ldap_host rhel6-2.testrelm.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TESTRELM.COM -ca_server_cert_subject_name CN=rhel6-2.testrelm.com,O=TESTRELM.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=TESTRELM.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=TESTRELM.COM -external false -clone true -clone_p12_file ca.p12 -clone_p12_password -sd_hostname rhel6-1.testrelm.com -sd_admin_port 443 -sd_admin_name admin -sd_admin_password -clone_start_tls true -clone_uri https://rhel6-1.testrelm.com:443' returned non-zero exit status 255
>
> My realm is different, but the rest is the same.
>
> Apparently there is a newer ou ou=csusers somewhere (this is what I
> understand from the bugzilla), but I am not sure where it must be
> created. Is it in the ipa slapd or in the pki slapd? When I log in as
> 'Directory Manager' in both slapd dirsrv I do not find a ou=config
> anywhere in the directory tree.
>
> Any clues?

It is likely not the same bug. The output from the installer on failures is rather generic (and granted, awful).

You'll need to look at the full /var/log/ipaserver-install.log for clues. Sometimes we need to examine /var/log/pki-ca/debug as well.

rob

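Added example (not part of the original thread, and not FreeIPA or Dogtag code): a small parser for the kind of "failed to configure ca instance" record quoted above. It pulls out the exit status and the clone parameters, and masks option values whose names end in password, pwd or pin before the log is shared; treating -preop_pin as sensitive is an assumption of this example, and the sample log is constructed with placeholder host names.

```python
import re

# Constructed sample modelled on the failure record quoted in this thread
# (shortened; host names and the PIN value are placeholders).
SAMPLE_LOG = (
    "2012-10-17T22:07:50Z DEBUG stderr=\n"
    "2012-10-17T22:07:50Z CRITICAL failed to configure ca instance Command "
    "'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname replica.example.test "
    "-cs_port 9445 -client_certdb_pwd -preop_pin CONSTRUCTEDPIN0000 "
    "-bind_dn cn=Directory Manager -bind_password "
    "-agent_cert_subject CN=ipa-ca-agent,O=EXAMPLE.TEST -clone true "
    "-clone_p12_file ca.p12 -clone_p12_password -sd_hostname master.example.test "
    "-clone_uri https://master.example.test:443' returned non-zero exit status 255\n"
)

# One installer failure record: timestamp, message, quoted command, exit status.
FAILURE_RE = re.compile(
    r"^(?P<ts>\S+) CRITICAL (?P<msg>.*?) Command '(?P<cmd>.*)' "
    r"returned non-zero exit status (?P<rc>\d+)$",
    re.M,
)
# The logged command is space-joined without quoting, so a value such as
# "cn=Directory Manager" spans tokens: a value is every token up to the next -option.
OPTION_RE = re.compile(
    r"(?:^|\s)-(?P<name>[A-Za-z_]\w*)(?P<value>(?:\s+(?!-[A-Za-z_])\S+)*)"
)
# Assumption of this example: options with these name endings carry secrets.
SECRET_RE = re.compile(r"(password|pwd|pin)$")


def parse_options(cmd):
    """Map each -option in the logged command to its (possibly empty) value."""
    opts = {}
    for m in OPTION_RE.finditer(cmd):
        opts.setdefault(m.group("name"), m.group("value").strip())
    return opts


def triage(log_text):
    """Summarise each failure record, with secret-bearing values masked."""
    findings = []
    for m in FAILURE_RE.finditer(log_text):
        opts = parse_options(m.group("cmd"))
        # Secret options that were logged with a value (already-blank ones are fine).
        exposed = [k for k, v in opts.items() if SECRET_RE.search(k) and v]
        safe = {k: ("<redacted>" if k in exposed else v) for k, v in opts.items()}
        findings.append({
            "timestamp": m.group("ts"),
            "message": m.group("msg"),
            "exit_status": int(m.group("rc")),
            "clone_source": opts.get("clone_uri"),
            "p12_file": opts.get("clone_p12_file"),
            "exposed_secrets": exposed,
            "options": safe,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["timestamp"], f["message"], "exit", f["exit_status"])
        print("  clone source:", f["clone_source"], "p12:", f["p12_file"])
        print("  secrets logged with a value:", f["exposed_secrets"])
```

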
[Freeipa-users] error adding replica (2)
Hi,

Any ideas?

I have moved the CA cert off the original ipam001 to ipam002 and built a fresh ipam001 when I try and join it to ipam002 I get the error below. ipam003 was removed off the old ipam001 and added to ipam002 perfectly.

From google it was suggested kerberos might be caching but I've rebooted all the IPA servers at least once and ipam002 (it holds the CA) 3 times over 8 hours, no joy.

I also did a search for the principal as suggested by Rob, output below.

==
[root@vuwunicoipam001 ~]# ipa-replica-install --setup-dns --no-reverse --forwarder=130.195.85.25 /root/replica/replica-info-vuwunicoipam001.ods.vuw.ac.nz.gpg --skip-conncheck
Directory Manager (existing master) password:

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server: Estimated time 1 minute
  [1/30]: creating directory server user
  [2/30]: creating directory server instance
  [3/30]: adding default schema
  [4/30]: enabling memberof plugin
  [5/30]: enabling referential integrity plugin
  [6/30]: enabling winsync plugin
  [7/30]: configuring replication version plugin
  [8/30]: enabling IPA enrollment plugin
  [9/30]: enabling ldapi
  [10/30]: configuring uniqueness plugin
  [11/30]: configuring uuid plugin
  [12/30]: configuring modrdn plugin
  [13/30]: enabling entryUSN plugin
  [14/30]: configuring lockout plugin
  [15/30]: creating indices
  [16/30]: configuring ssl for ds instance
  [17/30]: configuring certmap.conf
  [18/30]: configure autobind for root
  [19/30]: configure new location for managed entries
  [20/30]: restarting directory server
  [21/30]: setting up initial replication
Starting replication, please wait until this has completed.
[vuwunicoipam002.ods.vuw.ac.nz] reports: Update failed! Status: [-2 - System error]
creation of replica failed: Failed to start replication

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
[root@vuwunicoipam001 ~]#

  [20/30]: restarting directory server
ipa : DEBUG args=/sbin/service dirsrv restart ODS-VUW-AC-NZ
ipa : DEBUG stdout=Shutting down dirsrv: ODS-VUW-AC-NZ... [ OK ]
Starting dirsrv: ODS-VUW-AC-NZ... [ OK ]
ipa : DEBUG stderr=
ipa : DEBUG args=/sbin/service dirsrv status ODS-VUW-AC-NZ
ipa : DEBUG stdout=dirsrv ODS-VUW-AC-NZ (pid 10552) is running...
ipa : DEBUG stderr=
ipa : DEBUG duration: 3 seconds
ipa : DEBUG [21/30]: setting up initial replication
  [21/30]: setting up initial replication
ipa : DEBUG args=/sbin/service dirsrv restart ODS-VUW-AC-NZ
ipa : DEBUG stdout=Shutting down dirsrv: ODS-VUW-AC-NZ... [ OK ]
Starting dirsrv: ODS-VUW-AC-NZ... [ OK ]
ipa : DEBUG stderr=
Starting replication, please wait until this has completed.
[vuwunicoipam002.ods.vuw.ac.nz] reports: Update failed! Status: [-2 - System error]
creation of replica failed: Failed to start replication
ipa : DEBUG Failed to start replication
  File "/usr/sbin/ipa-replica-install", line 496, in <module>
    main()
  File "/usr/sbin/ipa-replica-install", line 432, in main
    ds = install_replica_ds(config)
  File "/usr/sbin/ipa-replica-install", line 147, in install_replica_ds
    pkcs12_info)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 282, in create_replica
    self.start_creation("Configuring directory server", 60)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 257, in start_creation
    method()
  File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 295, in __setup_replica
    r_bindpw=self.dm_password)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 748, in setup_replication
    raise RuntimeError("Failed to start replication")

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
[root@vuwunicoipam001 ~]#

[root@vuwunicoipam002 ~]# ldapsearch -x -b 'cn=services,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz' '(krbprincipalname=*ods-directory*)'
# extended LDIF
#
# LDAPv3
# base <cn=services,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz> with scope subtree
# filter: (krbprincipalname=*ods-directory*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
[root@vuwunicoipam002 ~]#
===

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

[Freeipa-users] error adding replica
hi,

I have a 6.3 centos server that has been upgraded since 6.1. According to the ipaserver-install.log, I installed it on feb 3 2012 so it has been upgraded at least once.

Now that I have more hardware to run a few more vm's I can test replicas. But apparently I am running into this problem:

https://bugzilla.redhat.com/show_bug.cgi?id=867640

I have exactly the same error:

2012-10-17T22:07:50Z DEBUG stderr=
2012-10-17T22:07:50Z CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname rhel6-2.testrelm.com -cs_port 9445 -client_certdb_dir /tmp/tmp-Q8ad1f -client_certdb_pwd -preop_pin w53uYQUJBSyYNddpO5Xk -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TESTRELM.COM -ldap_host rhel6-2.testrelm.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TESTRELM.COM -ca_server_cert_subject_name CN=rhel6-2.testrelm.com,O=TESTRELM.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=TESTRELM.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=TESTRELM.COM -external false -clone true -clone_p12_file ca.p12 -clone_p12_password -sd_hostname rhel6-1.testrelm.com -sd_admin_port 443 -sd_admin_name admin -sd_admin_password -clone_start_tls true -clone_uri https://rhel6-1.testrelm.com:443' returned non-zero exit status 255

My realm is different, but the rest is the same.

Apparently there is a newer ou ou=csusers somewhere (this is what I understand from the bugzilla), but I am not sure where it must be created. Is it in the ipa slapd or in the pki slapd? When I log in as 'Directory Manager' in both slapd dirsrv I do not find a ou=config anywhere in the directory tree.

Any clues?

--
Regards,
natxo