Re: [Freeipa-users] One kerberos realm, two dns zones and SSHFP records

2017-03-23 Thread David Kupka
om/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project Hello Ranbir, are other records (A, , PTR, ...) created for the client in random.ipa and just SSHFP missing? Is the domain random.ipa properly delegated? Is sshd installed and keys generated on client
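As an added example for the thread above (not code from the list or from FreeIPA itself): SSHFP records are just a hash of the raw host-key blob, so when the record for a client is missing you can generate the expected RRs from the key in /etc/ssh/ssh_host_*_key.pub and compare them with what the zone actually serves. The key line below is a constructed, dummy Ed25519 blob, and the owner name client.random.ipa is an assumed host in the random.ipa zone mentioned in the thread.

```python
import base64
import hashlib
import hmac
import struct

# Code points from RFC 4255 (RSA/DSA, SHA-1), RFC 6594 (ECDSA, SHA-256) and RFC 7479 (Ed25519).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPES = {"sha1": 1, "sha256": 2}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample, not a real host key: a blob shaped like an Ed25519 public key
# (type string followed by a 32-byte point) with a dummy point of 0x00..0x1f.
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode("ascii") + " root@client.random.ipa"


def _key_blob(pubkey_line: str):
    """Split an OpenSSH public-key line into (key type, raw blob), checking that the
    type string embedded in the blob matches the declared type."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    keytype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if keytype not in SSHFP_ALGORITHMS:
        raise ValueError(f"no SSHFP algorithm number for {keytype!r}")
    (embedded_len,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + embedded_len].decode("ascii")
    if embedded_type != keytype:
        raise ValueError(f"declared type {keytype!r} but blob says {embedded_type!r}")
    return keytype, blob


def sshfp_records(pubkey_line: str, owner: str, fptypes=("sha1", "sha256")):
    """Return the SSHFP RRs for one public-key line as 'owner. IN SSHFP alg fptype hex'.
    The fingerprint is the hash of the raw key blob, which is what ssh-keygen -r emits."""
    keytype, blob = _key_blob(pubkey_line)
    alg = SSHFP_ALGORITHMS[keytype]
    return [
        f"{owner}. IN SSHFP {alg} {SSHFP_FPTYPES[fp]} {hashlib.new(fp, blob).hexdigest()}"
        for fp in fptypes
    ]


def verify_sshfp(pubkey_line: str, rdata: str) -> bool:
    """Check a key against one SSHFP RDATA string ('alg fptype hex'), the comparison an
    ssh client with VerifyHostKeyDNS=yes makes against the presented host key."""
    alg, fptype, hexfp = rdata.split()
    keytype, blob = _key_blob(pubkey_line)
    if int(alg) != SSHFP_ALGORITHMS[keytype]:
        return False
    hashname = {v: k for k, v in SSHFP_FPTYPES.items()}.get(int(fptype))
    if hashname is None:
        return False
    return hmac.compare_digest(hashlib.new(hashname, blob).hexdigest(), hexfp.lower())


if __name__ == "__main__":
    for rr in sshfp_records(SAMPLE_KEY_LINE, "client.random.ipa"):
        print(rr)
```

Feed the output of `dig +short SSHFP client.random.ipa` into verify_sshfp to confirm the zone holds the record for the key the client actually has; a mismatch after a host rebuild is the usual reason the records look "missing".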

Re: [Freeipa-users] IPA domain level is 1, so replica prepare fails (new installation)

2017-03-22 Thread David Kupka
t You can also look into RHEL documentation: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html -- David Kupka signature.asc Description: PGP signature -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IPA domain level is 1, so replica prepare fails (new installation)

2017-03-21 Thread David Kupka
, as already described in the output you've posted, ipa-replica-prepare is no longer used when the domain level is above 0. Since domain level 1, a new replica is first joined to the FreeIPA domain as a client using ipa-client-install and then promoted to a replica using ipa-replica-install. You can find out more ab

Re: [Freeipa-users] Original master lost, cannot create additional CA clones

2017-03-21 Thread David Kupka
when IPA was first installed, if any > config files or certificates need to be brought back. I can provide further > log excerpts if needed. > > Thank you in advance, > Paul Brennan

Re: [Freeipa-users] ldap connector from IIQ to ipa

2017-03-20 Thread David Kupka
update user entries there and once the entry is complete you can call stageuser-activate to create the user entry using values from the stageuser entry. You can find a description of the feature and examples on the design page [1]. [1] http://www.freeipa.org/page/V4/User_Life-Cycle_Management -- David

Re: [Freeipa-users] Use SQLite format NSS database?

2017-03-20 Thread David Kupka
ht help but I never tried. Generally I would not recommend touching this on a production system. Why do you want to change the database format? (1) certutil -d sql:HTTPD_ALIAS_DIR --upgrade-merge --source-dir HTTPD_ALIAS_DIR --upgrade-id 1 -- David Kupka

Re: [Freeipa-users] Options for existing CA/DNS infrastructure

2017-03-20 Thread David Kupka
Certmonger [2] is configured during ipa-server-install to track and renew certificates. [1] https://www.freeipa.org/page/V4/External_DNS_integration_with_installer [2] https://pagure.io/certmonger -- David Kupka

Re: [Freeipa-users] Freeipa 4.4 creating users with expiration

2017-03-05 Thread David Kupka
ock the user account after a period of time or at a specified time. You need to call "ipa user-disable LOGIN" manually. You can file a ticket and describe your use-case here: https://pagure.io/freeipa/new_issue -- David Kupka

Re: [Freeipa-users] Looking for instructions on one way subtree sync IPA->IPA

2017-02-21 Thread David Kupka
nt as I proposed in [2]? Why is a separate deployment of FreeIPA for the project required? [1] https://technet.microsoft.com/en-us/library/cc730749(v=ws.11).aspx [2] https://www.redhat.com/archives/freeipa-users/2017-February/msg00136.html -- David Kupka

Re: [Freeipa-users] sysaccounts max length

2017-02-20 Thread David Kupka
Hello! From man 8 useradd: Usernames may only be up to 32 characters long. -- David Kupka

Re: [Freeipa-users] How to change kerberos key lifetime?

2017-02-16 Thread David Kupka
st for a day for him and he logs out at the end of the workday (after 8~10 hours). So there's no need to refresh it. But feel free to open a ticket for SSSD [1] and describe your use case. I don't know SSSD that well and maybe there's no reason against setting it by default. [1] ht

Re: [Freeipa-users] How to change kerberos key lifetime?

2017-02-16 Thread David Kupka
hen he is logging in, and can be configured to renew the ticket for the user until the ticket renewable lifetime expires. Given this you can keep the ticket lifetime reasonably short (~1 day), set the ticket renewable lifetime to a longer period (~2 weeks) and maintain a reasonable security level without negative impact on use

Re: [Freeipa-users] How to change kerberos key lifetime?

2017-02-15 Thread David Kupka
10day krbtgt/EXAMPLE.ORG Principal "krbtgt/example@example.org" modified. : exit To increase 3) you need to change 'max_life' in /var/kerberos/krb5kdc/kdc.conf and restart the krb5kdc service. But generally I don't think it's a good idea to have such long tickets. Wo
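The three messages above describe the same thing from different angles: the lifetime a user ends up with is capped independently by the client's request, the user principal, the krbtgt principal and max_life in kdc.conf, so raising one of them often changes nothing. The following is an added example (not code from the thread or from FreeIPA) that models that clamping so you can see which limit is actually biting before touching kdc.conf. It assumes simplified MIT krb5 semantics, a small subset of the kadmin duration syntax, and the hypothetical realm EXAMPLE.ORG used in the thread.

```python
import re
from dataclasses import dataclass

# Subset of the duration syntax kadmin and kdc.conf accept ("10day", "1h30m", "2w", "36000").
# Assumption: a minimal parser for the values discussed here; "5 months" would be read as
# 5 minutes, so only use w/d/h/m/s units with it.
_UNIT_SECONDS = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
_DURATION = re.compile(r"(?:\d+\s*[wdhms][a-z]*\s*)+")
_DURATION_TOKEN = re.compile(r"(\d+)\s*([wdhms])[a-z]*")


def parse_duration(text: str) -> int:
    """Convert a krb5-style duration string to seconds."""
    text = text.strip().lower()
    if text.isdigit():
        return int(text)
    if not _DURATION.fullmatch(text):
        raise ValueError(f"unsupported duration: {text!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in _DURATION_TOKEN.findall(text))


@dataclass(frozen=True)
class Principal:
    name: str
    max_life: int            # "Maximum ticket life" shown by kadmin getprinc
    max_renewable_life: int  # "Maximum renewable life"


@dataclass(frozen=True)
class RealmLimits:
    max_life: int            # [realms] max_life in kdc.conf
    max_renewable_life: int  # [realms] max_renewable_life in kdc.conf


def effective_lifetimes(requested_life, requested_renew, client, krbtgt, realm):
    """Model of how the KDC clamps an AS-REQ: the ticket lifetime is the minimum of what the
    client asked for, the client principal's limit, the krbtgt principal's limit and the realm
    limit; the renewable lifetime is clamped the same way and only counts if it exceeds the
    ticket lifetime. Assumption: simplified MIT krb5 semantics (no clock-skew handling)."""
    life = min(requested_life, client.max_life, krbtgt.max_life, realm.max_life)
    renew = min(requested_renew, client.max_renewable_life,
                krbtgt.max_renewable_life, realm.max_renewable_life)
    renewable = renew > life
    return {"ticket_life": life,
            "renewable_life": renew if renewable else 0,
            "renewable": renewable}


def who_limits_lifetime(requested_life, client, krbtgt, realm):
    """Name the setting that caps the ticket lifetime, checked in the order an admin would
    raise them: the request itself, then the user principal, then krbtgt, then kdc.conf."""
    candidates = [("request", requested_life),
                  (client.name, client.max_life),
                  (krbtgt.name, krbtgt.max_life),
                  ("kdc.conf max_life", realm.max_life)]
    return min(candidates, key=lambda c: c[1])[0]


if __name__ == "__main__":
    admin = Principal("admin@EXAMPLE.ORG", parse_duration("1d"), parse_duration("7d"))
    tgt = Principal("krbtgt/EXAMPLE.ORG@EXAMPLE.ORG", parse_duration("10day"), parse_duration("7d"))
    realm = RealmLimits(parse_duration("24h"), parse_duration("7d"))
    print(effective_lifetimes(parse_duration("10d"), parse_duration("14d"), admin, tgt, realm))
    print(who_limits_lifetime(parse_duration("10d"), admin, tgt, realm))
```

With the sample values the krbtgt principal already allows 10 days but the user principal and kdc.conf still cap the ticket at one day, which is the situation the thread describes; the short ticket plus a long renewable lifetime is the combination the second message recommends.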

Re: [Freeipa-users] Looking for instructions on one way subtree sync IPA->IPA

2017-02-10 Thread David Kupka
I would say that the Project IPA is not necessary in the described scenario. You can create accounts for all the users involved in the Project in the Enterprise IPA and assign them to a Project group. You can also enroll all Project hosts to the Enterprise IPA and add them to a Project hostgroup. Then you can use

Re: [Freeipa-users] client in many IPA domains

2017-02-06 Thread David Kupka
omains), c) will likely result in weird behavior, d) is definitely not supported nor encouraged. -- David Kupka

Re: [Freeipa-users] manually apply patches from upstream

2017-01-19 Thread David Kupka
ream git clone [1], add the desired patches and build your own package. [1] https://git.centos.org/commit/rpms!ipa.git -- David Kupka

Re: [Freeipa-users] Limit regular user access only to self service portal

2017-01-18 Thread David Kupka
Role Based Access Control->Permissions (e.g. System: Read User Addressbook Attributes) and change "Bind rule type" from all to "permission". But be aware that modifying the permissions may result in SSSD being unable to resolve users unless you add those permissions to hosts

Re: [Freeipa-users] FreeIPA 4.4 plugin migration path

2017-01-17 Thread David Kupka
On 17/01/17 12:16, Peter Fern wrote: On 17/01/17 21:48, David Kupka wrote: Ok, your plugin is not really a plugin but that should not be a problem. To make it work: 1) replace "from ipalib.plugins.user import user" with "from ipaserver.plugins.user import use

Re: [Freeipa-users] FreeIPA 4.4 plugin migration path

2017-01-17 Thread David Kupka
On 17/01/17 11:30, Peter Fern wrote: On 17/01/17 20:39, David Kupka wrote: in 4.4 we split the plugins into server and client plugins. Simple plugins (like a server plugin) need to exist only on the server and all that is needed is to move them from ipalib/plugins to ipaserver/plugins. But if

Re: [Freeipa-users] FreeIPA 4.4 plugin migration path

2017-01-17 Thread David Kupka
plugin defines interactive_prompt_callback (like the dns plugin) or forward (like the vault plugin) you will need to split the client and server part of the plugin. -- David Kupka

Re: [Freeipa-users] 32 bit netmask detection and error during install

2017-01-16 Thread David Kupka
s://fedorahosted.org/freeipa/ticket/5814 -- David Kupka

Re: [Freeipa-users] How to disable First time password change on IPA user

2016-12-13 Thread David Kupka
0*24*3600)))" +'%Y%m%d%H%M%S'Z) END_LDIF It works but I would not recommend using it in a production environment. -- David Kupka

Re: [Freeipa-users] Failed ipa-client-install with IPA Replica

2016-12-13 Thread David Kupka
on master and replica and 6.9 (ipa-client 3.0.0-51) on client and it worked for me as expected. I've done these steps: [master] # ipa-server-install -a Secret123 -p Secret123 --domain example.test --realm EXAMPLE.TEST --setup-dns --auto-forwarders -U [replica] # ipa-client-install -p admin -w

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-13 Thread David Kupka
On 13/12/16 07:52, Stephen Ingram wrote: On Sun, Dec 11, 2016 at 11:31 PM, David Kupka wrote: yes you can do it. DNS domain and Kerberos realm are two different things. It's common and AFAIK recommended to capitalize DNS domain to get the realm but it's not required. If you real

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-11 Thread David Kupka
ou want to have the realm different from the domain? -- David Kupka

Re: [Freeipa-users] nfsv4+kerberos: group ID not mapped on newly create users, however user id is correct

2016-12-08 Thread David Kupka
Hello, I'm almost sure that 'krbcanonicalname' has nothing to do with this. Adding krbcanonicalname attribute was done to allow principal aliases (multiple kerberos principals for one user/host/service), see [1] for details. Unfortunately, I don't know what's wrong

Re: [Freeipa-users] OTP Algorithm

2016-11-30 Thread David Kupka
the same issue have it easier. [1] http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_user_with_OTP_with_Google_Authenticator On Wed, Nov 30, 2016 at 1:11 PM David Kupka wrote: On 30/11/16 10:13, David Kupka wrote: On 29/11/16 12:57, Callum Guy wrote: Hi Alexander, I can con

Re: [Freeipa-users] OTP Algorithm

2016-11-30 Thread David Kupka
On 30/11/16 10:13, David Kupka wrote: On 29/11/16 12:57, Callum Guy wrote: Hi Alexander, I can confirm that I am using version 4.2.0. The bug link provided mentions that it caused GA to fail to scan the codes. In my situation it is FreeIPA (or related service) which appears to fail to

Re: [Freeipa-users] OTP Algorithm

2016-11-30 Thread David Kupka
ion or warranty as to the absence of viruses in this email or any attachments. -- / Alexander Bokovoy -- David Kupk

Re: [Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process

2016-11-29 Thread David Kupka
see exactly the same errors as you've reported and that are described in the ticket, now. Is dogtag running on your master? Is it responding (e.g. issuing certificates for users)? Is it accessible from the replica? 2016-11-29 13:41 GMT+01:00 Petr Vobornik : On 11/29/2016 12:43 PM, David Ku

Re: [Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process

2016-11-29 Thread David Kupka
the Server-Cert but I don't understand why there's "bad database" error in the errors log. I'll try to reproduce it. What version of FreeIPA are you using? On what system? 2016-11-29 12:09 GMT+01:00 David Kupka : On 29/11/16 11:51, David Dejaeghere wrote: Hi, I

Re: [Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process

2016-11-29 Thread David Kupka
v/slapd-$REALM/ # certutil -d /etc/dirsrv/slapd-$REALM/ -L # ausearch -m avc -i -- David Kupka

Re: [Freeipa-users] bind-dyndb-ldap and replication requirements

2016-11-09 Thread David Kupka
omain-configuration-of-dns/ The article is about CentOS 6 and more than 3 years old but still might be helpful because it's mainly about Bind 9 configuration. -- David Kupka

Re: [Freeipa-users] rpm dependencies

2016-10-27 Thread David Kupka
installed it). samba-common contains files for the samba client and server so removing it may remove applications that can behave as a samba client. -- David Kupka

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread David Kupka
's expiration or the account's expiration. My /var/log/secure has messages like "pam_sss(sshd:auth): received for user uname: 13 (User account has expired)". Is there a setting for default expiration of user accounts? I don't remember setting it anywhere. On Mon, Oct 24, 2

Re: [Freeipa-users] Certmonger (or similar) for FreeBSD?

2016-10-24 Thread David Kupka
On 24/10/16 19:26, Gilbert Wilson wrote: On Oct 24, 2016, at 5:51 AM, David Kupka wrote: On 22/10/16 00:15, Gilbert Wilson wrote: We have a lot of FreeBSD systems that I would like to streamline certificate issuance and renewal. Ideally, we could leverage our FreeIPA system's CA

Re: [Freeipa-users] Certmonger (or similar) for FreeBSD?

2016-10-24 Thread David Kupka
install and run certmonger using FreeBSD's Linux Binary Compatibility [1]? Though I don't know what the limitations or possible issues are, it could be a way. [1] http://www.freebsd.cz/doc/handbook/linuxemu.html -- David Kupka

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-24 Thread David Kupka
A has no way to say the password is expired. When the user tries to obtain a Kerberos ticket he will be forced to change the password and the NTLM hash will also be regenerated. -- David Kupka

Re: [Freeipa-users] help

2016-10-16 Thread David Kupka
n upstream? Create a pull request on GitHub (https://github.com/freeipa/freeipa). Do you want to contribute the translations? Submit them via zanata (https://fedora.zanata.org/project/view/freeipa). HTH, -- David Kupka

Re: [Freeipa-users] How to make a FreeIPA node replica become Master?

2016-09-15 Thread David Kupka
nly on one master and by default is enabled on the first master that is installed with a CA. Here you can find more information and a how-to: https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master HTH, -- David Kupka

Re: [Freeipa-users] (no subject)

2016-08-24 Thread David Kupka
cally. -- David Kupka

Re: [Freeipa-users] Moving from ca to ca-less without pki

2016-08-01 Thread David Kupka
opposite (installing CS on a CA-less freeipa server). Feel free to file an RFE https://fedorahosted.org/freeipa/newticket -- David Kupka

Re: [Freeipa-users] How to unset a user's kerberos principal expiration date?

2016-06-30 Thread David Kupka
RFE (https://fedorahosted.org/freeipa/newticket)? -- David Kupka

Re: [Freeipa-users] SSH login to client

2016-06-09 Thread David Kupka
on client? -- David Kupka

Re: [Freeipa-users] mod_nss FreeIPA

2016-05-25 Thread David Kupka
erver-Cert u,u,u EXAMPLE.TEST IPA CA CT,C,C Signing-Cert u,u,u If this is not what you were asking please try to explain what you want to achieve with more details. -- David Kupka

Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-04-28 Thread David Kupka
CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=sample.NET subject: CN=RA Subsystem,O=sample.NET expires: 2017-10-13 14:09:49 UTC eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes Request ID '20130519130745': status: NEED_CSR_GEN_PIN ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true". stuck: yes key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664 ' certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=sample.NET subject: CN=test.sample.net,O=sample.NET expires: 2017-10-13 14:09:49 UTC eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes -- Thanks, Anthony Hello Anthony! After stopping NTP (or another time synchronizing service) and setting the time manually, the server really doesn't have a way to determine that its time differs from the real one. I think this might be an issue with the Kerberos ticket. You can show the content of root's ticket cache using klist. If there is anything, clean it with kdestroy and try to resubmit the request again. -- David Kupka

Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread David Kupka
On 27/04/16 13:15, barry...@gmail.com wrote: Do you mean use ldapmodify? I tried updating the dse.ldif but it will fall back after a while. On 27 April 2016 at 19:10, "David Kupka" wrote: On 27/04/16 12:48, barry...@gmail.com

Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread David Kupka
g nsslapd-requiresrestart I don't see nsslapd-security listed so it should be possible to change it at runtime. -- David Kupka

Re: [Freeipa-users] Best practice for requesting a certificate in Kickstart?

2016-04-25 Thread David Kupka
gi?id=1134497 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1271551 HTH, -- David Kupka

Re: [Freeipa-users] ipa -v ping lies about the cert database

2016-04-18 Thread David Kupka
. Timo, have you met this issue? -- David Kupka

Re: [Freeipa-users] Object class violation

2016-04-17 Thread David Kupka
orahosted.org/freeipa/newticket) and provide a reproducer? -- David Kupka

Re: [Freeipa-users] howto ldapsearch for disabled/enabled users?

2016-04-15 Thread David Kupka
lpful hint is highly welcome Harri Hello Harri, the attribute you're looking for is 'nsaccountlock'. This command should give you the uids of all disabled users: $ ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test "(nsaccountlock=TRUE)" uid
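An added example for the answer above (not code from the list or from FreeIPA): the ldapsearch prints LDIF, and LDIF folds long lines and base64-encodes some values, so a naive grep for "uid:" can miss entries. The reader below handles both, keys on nsaccountlock the way FreeIPA sets it, and returns the disabled uids. The LDIF text is constructed for the example; it is not output from a real directory.

```python
import base64

# Constructed LDIF resembling what "ldapsearch -LLL ... uid nsaccountlock" prints; not a real dump.
# It deliberately contains a folded dn (continuation line starting with a space), a base64 value
# ("uid:: ZGF2ZQ==" is "dave"), mixed-case attribute names and an explicit FALSE.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
nsaccountlock: TRUE

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
nsAccountLock: true

dn: uid=dave,cn=users,cn=accounts,
 dc=example,dc=test
uid:: ZGF2ZQ==
nsaccountlock: TRUE

dn: uid=erin,cn=users,cn=accounts,dc=example,dc=test
uid: erin
nsaccountlock: FALSE
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64 values and
    lower-cases attribute names. Returns a list of {attr: [values]} dicts, one per entry."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # RFC 2849 line folding
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded:
        if not line.strip():                 # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):            # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def is_disabled(entry):
    """ipa user-disable sets nsaccountlock: TRUE; a missing attribute or FALSE means enabled.
    Assumption: compare case-insensitively, as the directory's boolean matching rule does."""
    return any(v.upper() == "TRUE" for v in entry.get("nsaccountlock", []))


def disabled_uids(ldif_text):
    return sorted(e["uid"][0] for e in parse_ldif(ldif_text) if "uid" in e and is_disabled(e))


if __name__ == "__main__":
    print(disabled_uids(SAMPLE_LDIF))
```

Pipe real output in with `ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test "(nsaccountlock=TRUE)" uid nsaccountlock` and read it from stdin; the server-side filter already does the selection, the local check is there so a later audit of the full user list gives the same answer.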

Re: [Freeipa-users] ipa -v ping lies about the cert database

2016-04-15 Thread David Kupka
5 14:00 secmod.db Please check the permissions on your system. If they're different and you (or the system admin) haven't changed them, please file a ticket (https://fedorahosted.org/freeipa/newticket). -- David Kupka

Re: [Freeipa-users] How To: Create Admin Account with all Permissions but the ability to Delete?

2016-04-14 Thread David Kupka
on from the "User Administrator" privilege ($ ipa privilege-remove-permission "User Administrators" --permissions "System: Remove Users"). HTH, -- David Kupka

Re: [Freeipa-users] freeipa restore backup on a new server

2016-04-12 Thread David Kupka
d its logs? I believe that all services in FreeIPA depend on host names and resolve IP addresses from DNS when needed. But if the DNS server is part of the FreeIPA server you're trying to restore, it is holding old records with old IP addresses. Maybe this is the cause but it's just a wild guess

Re: [Freeipa-users] Not able to get kerberos ticket from keytab

2016-02-26 Thread David Kupka
On 26/02/16 08:56, David Kupka wrote: On 26/02/16 02:22, Teik Hooi Beh wrote: Hi, I have managed to deploy 1 ipa master and 1 ipa client with success on centos 7.2 with freeipa v4.2. I also managed to create a user and set sshd-rules for the ttester user and also successfully get a krb ticket

Re: [Freeipa-users] Not able to get kerberos ticket from keytab

2016-02-26 Thread David Kupka
Thanks Hello! I don't know why it does not work with ktutil but I've found another way to get a keytab for a user: $ kinit ttester $ ipa-getkeytab -p ttes...@example.test -k ttester.keytab -e aes256-cts-hmac-sha1-96 $ kdestroy $ kinit ttes...@example.test -kt ttester.key

Re: [Freeipa-users] Recovering from data-only backup doesn't recover Kerberos keys properly

2016-02-24 Thread David Kupka
fully, someone who understands kerberos better will advise. -- David Kupka

Re: [Freeipa-users] Split backup actions in stop - backup - start commands

2016-02-18 Thread David Kupka
don't see the need for stopping the server manually. ipa-backup calls "ipactl start" [0]. If you remove the else branch it will not start the server. [0] https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/ipa_backup.py#n316 HTH, David 2016-02-17 8:00 GMT+01:0

Re: [Freeipa-users] Logging configuration for ipa server

2016-02-17 Thread David Kupka
vent in the kdc log on server: Feb 17 10:10:35 vm-248.example.test krb5kdc[11350](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.248: CLIENT_NOT_FOUND: nonexist...@example.test for krbtgt/example.t...@example.test, Client not found in Kerberos database -- David Kupka -- Manage your subsc
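The kdc log line quoted above is the record you want to alert on: a CLIENT_NOT_FOUND from one source for several different names is username enumeration, and the etype list shows what the client was willing to accept. The following is an added example (not from the thread or from FreeIPA) that parses lines in that format and counts failures per source. The log lines are constructed to match the quoted format; the principals in the thread are obfuscated by the archive, so the sample uses full, made-up principals in EXAMPLE.TEST, and the choice of which etypes count as weak is an assumption noted in the code.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the krb5kdc log format quoted in the thread; not a real capture.
SAMPLE_KDC_LOG = """\
Feb 17 10:10:31 vm-248.example.test krb5kdc[11350](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1455700231, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Feb 17 10:10:35 vm-248.example.test krb5kdc[11350](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.248: CLIENT_NOT_FOUND: nonexistent@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Client not found in Kerberos database
Feb 17 10:10:36 vm-248.example.test krb5kdc[11350](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.248: CLIENT_NOT_FOUND: backup@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Client not found in Kerberos database
Feb 17 10:10:36 vm-248.example.test krb5kdc[11350](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.248: CLIENT_NOT_FOUND: svc-deploy@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Client not found in Kerberos database
Feb 17 10:10:37 vm-248.example.test krb5kdc[11350](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.248: PREAUTH_FAILED: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
Feb 17 10:10:40 vm-248.example.test krb5kdc[11350](info): closing down fd 12
"""

KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<n>\d+) etypes \{(?P<etypes>[^}]*)\}\) (?P<ip>\S+?): "
    r"(?P<status>[A-Z_]+): (?P<detail>.*)$"
)
# "client for server" is the last such pair in the detail; for ISSUE it follows the authtime/etypes.
PRINCIPALS = re.compile(r"(?P<client>\S+) for (?P<server>\S+?)(?:,|$)")

# Assumption: RC4 (23) and single/triple DES (1, 3, 16) are treated as weak; AES (17, 18) is expected.
WEAK_ETYPES = {1, 3, 16, 23}


def parse_kdc_line(line):
    """Parse one krb5kdc request line into a dict, or return None for other log lines."""
    m = KDC_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]
    rec["weak_etypes_offered"] = sorted(WEAK_ETYPES & set(rec["etypes"]))
    p = PRINCIPALS.search(rec["detail"])
    rec["client"] = p.group("client") if p else None
    rec["server"] = p.group("server") if p else None
    return rec


def failures_by_source(lines, statuses=("CLIENT_NOT_FOUND",)):
    """Count AS_REQ outcomes with the given statuses per source address."""
    counts = Counter()
    for line in lines:
        rec = parse_kdc_line(line)
        if rec and rec["req"] == "AS_REQ" and rec["status"] in statuses:
            counts[rec["ip"]] += 1
    return counts


def suspected_enumeration(lines, threshold=3):
    """Source addresses that tried at least `threshold` distinct unknown principals."""
    names = defaultdict(set)
    for line in lines:
        rec = parse_kdc_line(line)
        if rec and rec["status"] == "CLIENT_NOT_FOUND":
            names[rec["ip"]].add(rec["client"])
    return sorted(ip for ip, n in names.items() if len(n) >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_KDC_LOG.splitlines()
    print(failures_by_source(lines))
    print(suspected_enumeration(lines))
```

Run it over /var/log/krb5kdc.log; pair CLIENT_NOT_FOUND with PREAUTH_FAILED per source to separate a typo in a hostname from a password spray that follows an enumeration, and use weak_etypes_offered to find clients still advertising RC4.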

Re: [Freeipa-users] Split backup actions in stop - backup - start commands

2016-02-16 Thread David Kupka
unning server unless you stopped it before. It can result in inconsistent data in the backup archive. [0] https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/ipa_backup.py#n293 [1] https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/ipa_backup.py#n316 -- David Kupka

Re: [Freeipa-users] How to reference to IPA Server in Multi-Master Setup ?

2016-01-25 Thread David Kupka
n IP address is needed it can be resolved from the name included in the SRV response. HTH, -- David Kupka

Re: [Freeipa-users] GID, groups and ipa group-show

2016-01-14 Thread David Kupka
group with this GID.) David On Mon, Aug 24, 2015 at 5:01 AM, David Kupka wrote: On 21/08/15 15:21, bahan w wrote: Hello ! I contact you because I notice something strange with the IPA environment. I created a group :

Re: [Freeipa-users] Why are some user's information not stored in the LDAP database?

2015-10-16 Thread David Kupka
mepManagedEntry: cn=tuser1,cn=groups,cn=accounts,dc=example,dc=test memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 -- David Kupka

Re: [Freeipa-users] Possible bug in ipa-replica-install/pkispawn - or maybe lib mismatch

2015-10-05 Thread David Kupka
chael! Thanks for notifying us. Martin just updated the copr repository (https://copr.fedoraproject.org/coprs/mkosek/freeipa/) with newer version of PKI packages and I tested replication between Fedora 21 and CentOS 7.1 (both FreeIPA 4.1.4) and it works for me as expected. Could you please try it

Re: [Freeipa-users] Automatic IPA CA cert generation

2015-09-23 Thread David Kupka
y to certmonger to send the CSR to a preconfigured CA instead of just storing it in a file. This would of course require configuring certmonger with information about the CA before FreeIPA server installation but it's just one command (getcert-add-ca). Could you please file a tic

Re: [Freeipa-users] V6 and v4

2015-09-13 Thread David Kupka
that came to my mind would be having records in DNS and not having a corresponding IPv6 address on that host but that is a general misconfiguration. -- David Kupka

Re: [Freeipa-users] attempting to restore IPA

2015-09-10 Thread David Kupka
Hello Steven! I would like to help you but unfortunately I have no chance to guess what went wrong. To help us help you please report any issue in a way described on FreeIPA Troubleshooting page (http://www.freeipa.org/page/Troubleshooting). Most importantly we need the following: 1. Versi

Re: [Freeipa-users] GID, groups and ipa group-show

2015-08-24 Thread David Kupka
this information. On the other hand it would be useful to show these "implicit" members in group-show output. Could you please file a ticket (https://fedorahosted.org/freeipa/newticket)? -- David Kupka

Re: [Freeipa-users] Different shell for different systems

2015-08-18 Thread David Kupka
Peter Hello, I think that it should be possible with ID Views (http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust#ID_Views) but I'm not familiar with it. -- David Kupka

Re: [Freeipa-users] time restricted access

2015-08-13 Thread David Kupka
icies". This is currently WIP, you can find more on the freeipa-devel list. -- David Kupka

Re: [Freeipa-users] IdM Password Expiration

2015-08-05 Thread David Kupka
information about what is failing? The only thing that comes to my mind is that you're using the $ADMIN_PASS variable where the Directory Manager password is required, but I know it's just the name of the variable. -- David Kupka

Re: [Freeipa-users] Another Migration from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)

2015-07-29 Thread David Kupka
ul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null [28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression: group="Enterprise TKS Administrators" to be false [28/Jul/2015:17:25:50][TP-Processor2]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_FAIL][SubjectI

Re: [Freeipa-users] Primary certificates

2015-07-14 Thread David Kupka
date" on all ipa servers and clients to distribute the new certificate. -- David Kupka

Re: [Freeipa-users] freeipa sudden stop

2015-06-29 Thread David Kupka
ing of pki-tomcatd fails and therefore "ipactl start" fails. Could you run "# ipactl start -d" and post its output? Also starting individual services is not a good idea as you can forget to start some (you actually did :-) -- David Kupka

Re: [Freeipa-users] replication again :-(

2015-05-19 Thread David Kupka
ting login. -- David Kupka

Re: [Freeipa-users] FreeIPA cluster shutdown sequence

2015-05-04 Thread David Kupka
/archives/freeipa-users/2015-April/msg00016.html) there is no special procedure. You just turn the servers off before the power outage and then turn them back on. -- David Kupka

Re: [Freeipa-users] Access to IPA Web-UI with different domain names

2015-04-27 Thread David Kupka
you need to decide whether your FreeIPA domain is internal or external. If it's internal it is inaccessible from outside and you need to first connect to the internal network (e.g. use VPN) and then connect to FreeIPA server. If it's external then everything works as expected. -- D

Re: [Freeipa-users] Found new problem after 3.3 - 4.1 update

2015-04-20 Thread David Kupka
to solve a similar issue: https://www.redhat.com/archives/freeipa-users/2013-January/msg00153.html -- David Kupka

Re: [Freeipa-users] Power down all FreeIPA servers

2015-04-01 Thread David Kupka
them off and on normally (with the system or using ipactl stop/start) and after they start again the replication process should continue. -- David Kupka

Re: [Freeipa-users] Minimum rights to enrol a client

2015-03-20 Thread David Kupka
l a host to the IPA domain. -- David Kupka

Re: [Freeipa-users] Adding external CA

2015-03-12 Thread David Kupka
th/to/external_ca_certificate -- David Kupka

Re: [Freeipa-users] chrony support

2015-02-13 Thread David Kupka
Hello Bryan, I'm currently working on this. This feature should be available in freeipa-4.2. -- David Kupka On 02/13/2015 01:25 PM, Bryan Pearson wrote: One of our IPA servers, is in a virtualized environment and is continuously losing time, resulting in invalid credentials and bre

Re: [Freeipa-users] IPA-Server v3.0 Replication Broken

2015-01-29 Thread David Kupka
www.flbog.edu Hi, this looks similar to: https://www.redhat.com/archives/freeipa-users/2015-January/msg00331.html and https://fedorahosted.org/freeipa/ticket/4807 Did you try to raise the nsslapd-sasl-max-buffer-size? -- David Kupka