<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 03/23/2014 06:59 PM, Nordgren, Bryce L -FS wrote:
<blockquote
cite="mid:82E7C9A01FD0764CACDD35D10F5DFB6E6A3C39@001FSN2MPN1-045.001f.mgd2.msft.net"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I’m
not, in general, in favor of solutions which promiscuously
sling Kerberos passwords around the net.
</span><span
style="font-size:11.0pt;color:#1F497D">:)</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">
pGina + Kerberos authenticating directly off of IPA would be
the way to go, I think.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color: rgb(31,
73, 125);">Presumably Dimitri’s statement about the user
being “foreign” and having limited access to windows
services would apply equally well to a user with a SID from
a foreign domain in a large Kerberos federation. This, and
the uncertainty concerning what type of directory service
the foreign KDC is paired with, is probably responsible for
keeping Kerberos-based federations small.
</span></p>
</div>
</blockquote>
<br>
If you have a SID you can tell Windows what to do with it and how to
resolve it to a name. If you do not have one you can't do anything if
you are accessing elements of the Windows infra.<br>
<br>
<blockquote
cite="mid:82E7C9A01FD0764CACDD35D10F5DFB6E6A3C39@001FSN2MPN1-045.001f.mgd2.msft.net"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color: rgb(31,
73, 125);">That being said, the collaboration use case (not
to mention “home networks”) is what makes “foreign” logins
interesting. There’s hardly anything in common between two
collaboration projects, so it’s hard to define far-reaching
policies (i.e., you’re not missing out on much). Most all
authorization decisions are delegated out to some project
member responsible for the server/asset. Constructing
authorization sets having members defined by text based
principals makes a certain amount of sense. Hence the LDAP
“member” attribute in RFC4519.</span></p>
</div>
</blockquote>
<br>
Collaboration can be done in different ways. It all depends on the use
case. It can be OpenID, SAML, Kerberos, etc. There are different
technologies and they suit different use cases better.<br>
<br>
<blockquote
cite="mid:82E7C9A01FD0764CACDD35D10F5DFB6E6A3C39@001FSN2MPN1-045.001f.mgd2.msft.net"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color: rgb(31,
73, 125);">What would really be cool is the “inverse” of
gluu or openam. Kerberos preauthentication data which allows
the KDC to authenticate off of an OpenID Connect, SAML, or
LDAP authentication source, caching the provided password
and provisioning a Kerberos principal. Future AS exchanges
would start out as “normal” Kerberos. Sort of like migration
mode does now. If the KDC could then signal IPA that a new
principal was provisioned, IPA could allocate and harmonize
an SID and a UID for the principal in the domain.
</span></p>
</div>
</blockquote>
<br>
It is already to some extent possible. It is called "constrained
delegation". The problem is that the gateway that would do such
protocol conversion would be able to impersonate any user in the
Kerberos realm. This is not the best but since it is being asked we
are looking into it.<br>
There is a project called Ipsilon
<a class="moz-txt-link-freetext" href="https://git.fedorahosted.org/git/ipsilon">https://git.fedorahosted.org/git/ipsilon</a> that is building the way of
federating different applications via SAML but in future it might be
extended to the workflows you are talking about here though I am not
sure I met these use cases in practice. Can you please share under
what circumstances such "inversion" would actually be needed?<br>
<br>
<blockquote
cite="mid:82E7C9A01FD0764CACDD35D10F5DFB6E6A3C39@001FSN2MPN1-045.001f.mgd2.msft.net"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Poof.
Console logins for Windows (pGina) and Linux (sssd) using
IPA backed by your google account. That just eliminated 98%
of the external accounts you would have had to create and
manage.<o:p></o:p></span></p>
</div>
</blockquote>
<br>
Your Google account does not use Kerberos, which means that your
password goes over the wire. The whole point of Kerberos is that the
password does not go over the wire.<br>
That being said modern Kerberos server and client support OTP
preauthentication method. This method can be used (abused) to proxy
to any RADIUS server including the one provided by Google. So if you
use Google 2FA then it becomes more interesting. You can actually
try it now with the latest upstream bits. It is not 100% complete
but good enough to give it a try.<br>
We are also working with MIT to make sure that one can use IPA with
Kerberos password + HOTP/TOTP token. Then instead of sending the
authentication to the external entity (RADIUS server) the token code
would be processed by IPA, but to make it more secure and not send
the password over the wire together with OTP, KDC and client need to
support authentication sets. It is a feature that we will be looking
to have in a 1.14 Kerberos release.<br>
<br>
<blockquote
cite="mid:82E7C9A01FD0764CACDD35D10F5DFB6E6A3C39@001FSN2MPN1-045.001f.mgd2.msft.net"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Food
for thought.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Bryce<o:p></o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in
0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>
[<a class="moz-txt-link-freetext" href="mailto:freeipa-users-bounces@redhat.com">mailto:freeipa-users-bounces@redhat.com</a>]
<b>On Behalf Of </b>Dmitri Pal<br>
<b>Sent:</b> Saturday, March 22, 2014 5:55 PM<br>
<b>To:</b> Will Sheldon<br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] About Windows
client<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">On 03/22/2014 05:47 PM, Will Sheldon
wrote: <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Helvetica","sans-serif""><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Helvetica","sans-serif"">I’d
be curious to see how well a solution that combines
pGina using RADIUS against some middleware like the
Gluu server (<a moz-do-not-send="true"
href="http://www.gluu.org">www.gluu.org</a>) backed
by IPA would work.<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><br>
This is not an interesting scenario. This would
probably work right now but the machine would still not know
who the user is because it will not know user SID so he
would be foreign and no Windows policies would apply to him.
I suspect such user would have no or very limited read only
access to Windows resources because all Windows ACLs are
based on knowing the user SIDs and SIDs of the groups the
user is a member of.<br>
The value of native IdM integration would be to get user SID
and SIDs of the groups from IdM and then get the right
kerberos ticket(s) for Windows resources using cross realm
kerberos trusts and put these tickets into the right place
so that windows system can use them automatically when user
navigates to the corresponding resource. Something like
this.<br>
<br>
<br>
<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Helvetica","sans-serif""><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Helvetica","sans-serif"">It
strikes me that getting domain federation between IPA
and Gluu would tick a lot of boxes as it seems to
offer a host of authentication and accounting
interfaces including oAuth, SAML, OpenID and of course
RADIUS.<o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal"><br>
Kind regards,<br>
<br>
Will Sheldon<br>
+1.778-689-1244 <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<p><span style="color:#A0A0A8">On Saturday, March 22, 2014 at
2:17 PM, Dmitri Pal wrote:<o:p></o:p></span></p>
<blockquote style="border:none;border-left:solid windowtext
1.0pt;padding:0in 0in 0in
8.0pt;margin-left:0in;margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal">On 03/22/2014 01:18 PM, Arthur
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">Dmitri Pal wrote:<o:p></o:p></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">On 03/20/2014 11:15 PM,
Arthur Faizullin wrote:<o:p></o:p></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">HI!<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">I've got some
thoughts on 4-th point: there is a <a
moz-do-not-send="true"
href="http://pgina.org">
http://pgina.org</a>/ <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">pgina<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">project, maybe they
are able to do such a thing.<o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Yes pgina is one of the
options.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Someone would have to
take it and integrate with MIT Kerberos for
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Windows if it is not
already doing so.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">But I suspect that it
would be more a project in itself that would
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">leverage code from MIT
and may be pgina to integrate different
parts.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">The biggest part figuring
out the domain affiliation. I mean the use
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">cases like this:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">a) The system is
domainless but user authenticates with user
name and
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">password against IPA<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">b) The system is
domainless but user authenticates with user
name and
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">OTP against IPA<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">c) The system is in an AD
domain trusted by IdM domain but user
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">authenticates with user
name and password against IPA because he is
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">in IdM domain.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">d) The system is in an AD
domain trusted by IdM domain but user
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">authenticates with user
name and password against IPA because he is
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">in IdM domain.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">More to research. We can
help with guidance if someone wants to run
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">with it.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Dmitri<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">20.02.2014 04:23,
Dmitri Pal wrote:<o:p></o:p></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">Hello,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I want to
summarize our position regarding
joining Windows systems<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">into IPA.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">1) If you already
have AD we recommend using this
system with AD and<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">using trusts
between AD and IPA.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">2) If you do not
have AD then use Samba 4 instead of
it. It would be<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">great when Samba
4 grows capability to establish
trusts. Right now it<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">can't but there
is an effort going on. If you are
interested - please<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">contribute.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">3) If neither of
the two options work for you you can
configure<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Windows system to
work directly with IPA as described
on the wiki. It<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">is an option of
last resort because IPA does not
provide the services<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">windows client
expects. If this is good enough for
you, fine by us.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">4) Build a native
Windows client (cred provider) for
IPA using latest<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Kerberos. IMO
this would be really useful if
someone does that because<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">we will not build
this ourselves. With the native OTP
support in IPA<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">it becomes a real
business opportunity to provide a
native 2FA inside<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">enterprise across
multiple platforms. But please do it
open source way<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">otherwise we
would not recommend you ;-)<o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal">_______________________________________________<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Freeipa-users mailing
list<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><a
moz-do-not-send="true"
href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><a
moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
</blockquote>
<div>
<p class="MsoNormal">My friend agreed to try. He
is C# programmer. But the problem that has
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">low knowledge about kerberos,
GSSAPI, and I could not tell him what is
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">wrong with current pgina's
ldap plugin.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">He does not want to subscribe
to freeipa mail-lists, so may be I shall
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">give him your (Dmitri)
e-mail?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">He speaks russian :)<o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">List is really the way to develop
open source software collaboratively.
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">This is what we are doing here.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">We can agree that the
communication about the topic will be prefixed in
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">such a way that he can create a
filter so that he would get only mails
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">that match the filter.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Would that work?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I am not sure that I would be
able to provide all the support. We are a
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">community here and we have
different roles and angles. Working with just
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">one person would not fly, sorry.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">-- <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Thank you,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Dmitri Pal<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Sr. Engineering Manager for IdM
portfolio<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Red Hat Inc.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">-------------------------------<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Looking to carve out IT costs?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><a moz-do-not-send="true"
href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a><o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
</body>
</html>