<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    On 11/01/2012 08:26 AM, Bret Wortman wrote:
    <blockquote
cite="mid:CACWq_Zmdq-1wV7VTA9O0HWL-kqrnEjca63LzaH_HiaQJRw=gfQ@mail.gmail.com"
      type="cite">To close the loop:
      <div><br>
      </div>
      <div>I did the following to clear the credential problem. I
        suspect that I hadn't properly run kinit before doing these
        steps the first time:</div>
      <div><br>
      </div>
      <div>
        <div><font face="courier new, monospace">-sh-4.2$ kinit</font></div>
        <div><font face="courier new, monospace">Password for bretw@WEDGEOFLI.ME: </font></div>
        <div><font face="courier new, monospace">-sh-4.2$ sudo su -</font></div>
        <div><font face="courier new, monospace">sudo:
            ldap_sasl_bind_s(): Invalid credentials</font></div>
        <div><font face="courier new, monospace">[sudo] password for
            bretw: </font></div>
        <div><font face="courier new, monospace">bretw is not in the
            sudoers file.  This incident will be reported.</font></div>
      </div>
    </blockquote>
    <br>
    This seems to suggest that it tries to use the sudoers file instead of
    LDAP.<br>
    <br>
    <blockquote
cite="mid:CACWq_Zmdq-1wV7VTA9O0HWL-kqrnEjca63LzaH_HiaQJRw=gfQ@mail.gmail.com"
      type="cite">
      <div>
        <div><font face="courier new, monospace">-sh-4.2$ ldapsearch -x
            ou=SUDOers,dc=wedgeofli,dc=me</font></div>
        <div><font face="courier new, monospace"># extended LDIF</font></div>
        <div><font face="courier new, monospace">#</font></div>
        <div><font face="courier new, monospace"># LDAPv3</font></div>
        <div><font face="courier new, monospace"># base
            &lt;dc=wedgeofli,dc=me&gt; (default) with scope subtree</font></div>
        <div><font face="courier new, monospace"># filter:
            ou=SUDOers,dc=wedgeofli,dc=me</font></div>
        <div><font face="courier new, monospace"># requesting: ALL</font></div>
        <div><font face="courier new, monospace">#</font></div>
        <div>
          <font face="courier new, monospace"><br>
          </font></div>
        <div><font face="courier new, monospace"># search result</font></div>
        <div><font face="courier new, monospace">search: 2</font></div>
        <div><font face="courier new, monospace">result: 0 Success</font></div>
        <div><font face="courier new, monospace"><br>
          </font></div>
        <div><font face="courier new, monospace"># numResponses: 1</font></div>
      </div>
    </blockquote>
    <br>
    If you used kinit, you can then use -Y GSSAPI to use the Kerberos
    credential for the authentication.<br>
    <br>
    <blockquote
cite="mid:CACWq_Zmdq-1wV7VTA9O0HWL-kqrnEjca63LzaH_HiaQJRw=gfQ@mail.gmail.com"
      type="cite">
      <div>
        <div><font face="courier new, monospace">-sh-4.2$ ldapsearch
            ou=SUDOers,dc=wedgeofli,dc=me</font></div>
        <div><font face="courier new, monospace">SASL/EXTERNAL
            authentication started</font></div>
        <div><font face="courier new, monospace">ldap_sasl_interactive_bind_s:
            Unknown authentication method (-6)</font></div>
        <div><font face="courier new, monospace"><span
              class="Apple-tab-span" style="white-space:pre"> </span>additional
            info: SASL(-4): no mechanism available: </font></div>
        <div><font face="courier new, monospace">-sh-4.2$ ldapsearch -x
            ou=SUDOers,dc=wedgeofli,dc=me</font></div>
        <div><font face="courier new, monospace"># extended LDIF</font></div>
        <div><font face="courier new, monospace">#</font></div>
        <div><font face="courier new, monospace"># LDAPv3</font></div>
        <div><font face="courier new, monospace"># base
            &lt;dc=wedgeofli,dc=me&gt; (default) with scope subtree</font></div>
        <div><font face="courier new, monospace"># filter:
            ou=SUDOers,dc=wedgeofli,dc=me</font></div>
        <div><font face="courier new, monospace"># requesting: ALL</font></div>
        <div><font face="courier new, monospace">#</font></div>
        <div><font face="courier new, monospace"><br>
          </font></div>
        <div><font face="courier new, monospace"># search result</font></div>
        <div><font face="courier new, monospace">search: 2</font></div>
        <div><font face="courier new, monospace">result: 0 Success</font></div>
        <div><font face="courier new, monospace"><br>
          </font></div>
        <div><font face="courier new, monospace"># numResponses: 1</font></div>
        <div><span style="font-family:'courier new',monospace">-sh-4.2$
            ldapsearch -D
            uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me -w
            password ou=SUDOers,dc=wedgeofli,dc=me</span></div>
        <div><font face="courier new, monospace">ldap_bind: Invalid
            credentials (49)</font></div>
      </div>
      <div><br>
      </div>
      <div>
        <div><font face="courier new, monospace">-sh-4.2$ ldappasswd -Y
            GSSAPI -S -h fs1.wedgeofli.me
            uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me</font></div>
        <div>
          <font face="courier new, monospace">New password: </font></div>
        <div><font face="courier new, monospace">Re-enter new password: </font></div>
        <div><font face="courier new, monospace">SASL/GSSAPI
            authentication started</font></div>
        <div><font face="courier new, monospace">SASL username: bretw@WEDGEOFLI.ME</font></div>
        <div><font face="courier new, monospace">SASL SSF: 56</font></div>
        <div><font face="courier new, monospace">SASL data security
            layer installed.</font></div>
        <div><font face="courier new, monospace">-sh-4.2$ ldapsearch -D
            uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me -w
            password ou=SUDOers,dc=wedgeofli,dc=me</font></div>
        <div><font face="courier new, monospace"># extended LDIF</font></div>
        <div><font face="courier new, monospace">#</font></div>
        <div><font face="courier new, monospace"># LDAPv3</font></div>
        <div><font face="courier new, monospace"># base
            &lt;dc=wedgeofli,dc=me&gt; (default) with scope subtree</font></div>
        <div><font face="courier new, monospace"># filter:
            ou=SUDOers,dc=wedgeofli,dc=me</font></div>
        <div><font face="courier new, monospace"># requesting: ALL</font></div>
        <div><font face="courier new, monospace">#</font></div>
        <div>
          <font face="courier new, monospace"><br>
          </font></div>
        <div><font face="courier new, monospace"># search result</font></div>
        <div><font face="courier new, monospace">search: 2</font></div>
        <div><font face="courier new, monospace">result: 0 Success</font></div>
        <div><font face="courier new, monospace"><br>
          </font></div>
        <div><font face="courier new, monospace"># numResponses: 1</font></div>
        <div><font face="courier new, monospace">-sh-4.2$ sudo su -</font></div>
        <div><font face="courier new, monospace">[sudo] password for
            bretw: </font></div>
        <div><font face="courier new, monospace">[root@fs1 ~]#</font></div>
        <div><br>
          <div class="gmail_quote">On Thu, Nov 1, 2012 at 7:58 AM, Bret
            Wortman <span dir="ltr"><<a moz-do-not-send="true"
                href="mailto:bret.wortman@damascusgrp.com"
                target="_blank">bret.wortman@damascusgrp.com</a>></span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">That's
              got me closer now, as I'm at least getting an error
              message on stdout:
              <div><br>
              </div>
              <div>
                <div><font face="courier new, monospace">[root@fs1 etc]#
                    more nslcd.conf </font></div>
                <div><font face="courier new, monospace">binddn
                    uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me</font></div>
                <div class="im">
                  <div><font face="courier new, monospace">bindpw
                      password</font></div>
                  <div><font face="courier new, monospace"><br>
                    </font></div>
                  <div><font face="courier new, monospace">ssl start_tls</font></div>
                  <div><font face="courier new, monospace">tls_cacertfile
                      /etc/ipa/ca.crt</font></div>
                  <div><font face="courier new, monospace">tls_checkpeer
                      yes</font></div>
                  <div><font face="courier new, monospace"><br>
                    </font></div>
                  <div><font face="courier new, monospace">bind_timelimit
                      5</font></div>
                  <div><font face="courier new, monospace">timelimit 15</font></div>
                  <div><font face="courier new, monospace"><br>
                    </font></div>
                  <div><font face="courier new, monospace">uri ldap://fs1.wedgeofli.me</font></div>
                </div>
                <div><font face="courier new, monospace">sudoers_base
                    ou=SUDOers,dc=wedgeofli,dc=me</font></div>
                <div><font face="courier new, monospace">[root@fs1 etc]#
                    sudo su -</font></div>
                <div><font face="courier new, monospace">sudo:
                    ldap_sasl_bind_s(): Invalid credentials</font></div>
                <div><font face="courier new, monospace">[root@fs1 ~]#</font></div>
                <div><br>
                </div>
                <div>So I'm off to figure out where my credentials are
                  wrong. Thanks again, Rob, Stephen &amp; Pavel.</div>
                <span class="HOEnZb"><font color="#888888">
                    <div><br>
                    </div>
                    <div><br>
                    </div>
                    <div>Bret</div>
                  </font></span>
                <div>
                  <div class="h5"><br>
                    <div class="gmail_quote">On Wed, Oct 31, 2012 at
                      2:39 PM, Rob Crittenden <span dir="ltr"><<a
                          moz-do-not-send="true"
                          href="mailto:rcritten@redhat.com"
                          target="_blank">rcritten@redhat.com</a>></span>
                      wrote:<br>
                      <blockquote class="gmail_quote" style="margin:0 0
                        0 .8ex;border-left:1px #ccc
                        solid;padding-left:1ex">
                        <div>Bret Wortman wrote:<br>
                          <blockquote class="gmail_quote"
                            style="margin:0 0 0 .8ex;border-left:1px
                            #ccc solid;padding-left:1ex">
                            [root@fs1 etc]# more /etc/ldap.conf<br>
                            sudoers_debug: 1<br>
                            [root@fs1 etc]# ls -l /etc/ldap.conf<br>
                            -rw-r--r--. 1 root root 17 Oct 19 14:54
                            /etc/ldap.conf<br>
                            <br>
                            Where should I see the extra output? I've
                            had this set since last Friday<br>
                            and I'm not seeing any difference.<br>
                          </blockquote>
                          <br>
                        </div>
                        Move the contents of /etc/nslcd.conf to this
                        file and add ldap to sudoers in
                        /etc/nsswitch.conf.<br>
                        <br>
                        rob<br>
                        <br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">
                          <br>
                          <div>
                            On Wed, Oct 31, 2012 at 2:20 PM, Rob
                            Crittenden &lt;<a moz-do-not-send="true"
                              href="mailto:rcritten@redhat.com"
                              target="_blank">rcritten@redhat.com</a>&gt;
                          </div>
                          <div>
                            wrote:<br>
                            <br>
                                Bret Wortman wrote:<br>
                            <br>
                                    F17.<br>
                            <br>
                            <br>
                                I think you want /etc/ldap.conf then.
                            The easiest way to be sure the<br>
                                right file is being used is to add
                            sudoers_debug 1 to the file. This<br>
                                will present a lot of extra output so
                            you'll know the file is being<br>
                                read.<br>
                            <br>
                                rob<br>
                            <br>
                            <br>
                            &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;On Wed, Oct 31, 2012 at 2:04 PM, Rob
                            Crittenden &lt;<a moz-do-not-send="true"
                              href="mailto:rcritten@redhat.com"
                              target="_blank">rcritten@redhat.com</a>&gt;
                          </div>
                          <div>
                            <div>
                              wrote:<br>
                              <br>
                                           Bret Wortman wrote:<br>
                              <br>
                                               I had enabled debugging
                              of sudo but am not clear on<br>
                                      where that<br>
                                               debugging<br>
                                               is going. It's not
                              stdout, and I'm not seeing anything in<br>
                                               /var/log/messages.<br>
                              <br>
                                               I'll try switching to SSS
                              and see what that gets me.<br>
                              <br>
                              <br>
                                           What distro is this? If it is
                              RHEL 6.3 then put the<br>
                                      configuration<br>
                                           into /etc/sudo-ldap.conf
                              instead of /etc/nslcd. The docs are<br>
                                           incorrect (we are working on
                              getting them fixed).<br>
                              <br>
                                           rob<br>
                              <br>
                              <br>
                              <br>
                              &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;On Wed, Oct 31, 2012 at
                              1:33 PM, Stephen Gallagher &lt;<a
                                moz-do-not-send="true"
                                href="mailto:sgallagh@redhat.com"
                                target="_blank">sgallagh@redhat.com</a>&gt;
                              wrote:<br>
                              <br>
                                                    On Wed 31 Oct 2012
                              11:53:15 AM EDT, Bret Wortman<br>
                                      wrote:<br>
                              <br>
                                                        I'm pretty
                              certain there's a painfully simple<br>
                                      solution<br>
                                               to this that<br>
                                                        I'm not seeing,
                              but my current configuration isn't<br>
                                               picking up the<br>
                                                        freeipa sudoer
                              rule that I've set.<br>
                              <br>
                                                       
                              /etc/nsswitch.conf specifies:<br>
                                                          sudoers:  
                               files ldap<br>
                              <br>
                                                        /etc/nslcd.conf
                              contains:<br>
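                              <br>
                              &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;binddn
                              uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me<br>
                            </div>
                          </div>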
                          <div>
                            <div><br>
                              <br>
                              <br>
                                                        bindpw password<br>
                              <br>
                                                        ssl start_tls<br>
                                                        tls_cacertfile
                              /etc/ipa/ca.crt<br>
                                                        tls_checkpeer
                              yes<br>
                              <br>
                                                        bind_timelimit 5<br>
                                                        timelimit 15<br>
                              <br>
                                                        uri <a class="moz-txt-link-freetext" href="ldap://">ldap://</a><a
                                moz-do-not-send="true"
                                href="http://fs1.wedgeofli.me"
                                target="_blank">fs1.wedgeofli.me</a><br>
                                      <<a moz-do-not-send="true"
                                href="http://fs1.wedgeofli.me"
                                target="_blank">http://fs1.wedgeofli.me</a>>
                              <<a moz-do-not-send="true"
                                href="http://fs1.wedgeofli.me"
                                target="_blank">http://fs1.wedgeofli.me</a>><br>
                                               <<a
                                moz-do-not-send="true"
                                href="http://fs1.wedgeofli.me"
                                target="_blank">http://fs1.wedgeofli.me</a>><br>
                                                        <<a
                                moz-do-not-send="true"
                                href="http://fs1.wedgeofli.me"
                                target="_blank">http://fs1.wedgeofli.me</a>><br>
                              <br>
                                                        sudoers_base
                              ou=SUDOers,dc=wedgeofli,dc=me<br>
                              <br>
                              <br>
                                                        The
                              sssd_DOMAIN.log file contains this when I<br>
                                      try to sudo:<br>
                              <br>
                              <br>
                                                    <snip><br>
                              <br>
                                                    The SSSD logs aren't
                              showing anything wrong<br>
                                      because they have<br>
                                                    nothing to do with
                              the execution of the SUDO rules<br>
                                      in this<br>
                                                    situation. All the
                              SSSD is doing is verifying the<br>
                                               authentication<br>
                                                    (when sudo prompts
                              you for your password).<br>
                              <br>
                                                    The problem with the
                              rule is most likely happening<br>
                                      inside SUDO<br>
                                                    itself. When you
                              specify 'sudoers: files, ldap' in<br>
                                               nsswitch.conf,<br>
                                                    it's telling SUDO to
                              use its own internal LDAP<br>
                                      driver to<br>
                                               look up the<br>
                                                    rules. So you need
                              to check sudo logs to see<br>
                                      what's happening<br>
                                                    (probably you will
                              need to enable debug logging in<br>
                                               /etc/sudo.conf).<br>
                              <br>
                                                    Recent versions of
                              SUDO (1.8.6 and later) have<br>
                                      support for<br>
                                               setting<br>
                                                    'sudoers: files,
                              sss' in nsswitch.conf which DOES<br>
                                      use SSSD<br>
                                               (1.9.0<br>
                                                    and later) for
                              lookups (and caching) of sudo rules.<br>
                              <br>
                              <br>
                              <br>
                              <br>
                                               --<br>
                                               Bret Wortman<br>
                                               The Damascus Group<br>
                                               Fairfax, VA<br>
                                      <a moz-do-not-send="true"
                                href="http://bretwortman.com/"
                                target="_blank">http://bretwortman.com/</a><br>
                                      <a moz-do-not-send="true"
                                href="http://twitter.com/BretWortman"
                                target="_blank">http://twitter.com/BretWortman</a><br>
                            </div>
                          </div>
                          _______________________________________________
                          <div><br>
                            Freeipa-users mailing list<br>
                            <a moz-do-not-send="true"
                              href="mailto:Freeipa-users@redhat.com"
                              target="_blank">Freeipa-users@redhat.com</a><br>
                            <a moz-do-not-send="true"
                              href="https://www.redhat.com/mailman/listinfo/freeipa-users"
                              target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
                          </div>
                        </blockquote>
                        <br>
                      </blockquote>
                    </div>
                  </div>
                </div>
              </div>
            </blockquote>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


</pre>
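    <br>
    Added example, not part of the original thread and not FreeIPA or sudo code: a shell check of the client-side settings this thread turns on (LDAP listed for sudoers in nsswitch.conf, the sudo LDAP settings present in the file sudo reads, the bind password not world-readable, StartTLS with peer checking, debug switched off again), plus an ldapsearch command that passes the SUDOers container with -b instead of as a trailing argument. The function names are hypothetical, the default paths are the ones named in the thread, and the permission check assumes the file is read only by sudo.<br>

```shell
#!/bin/sh
# Added example, not from the thread: static check of a sudo-ldap client setup.
# Function names are hypothetical; default paths are the files named in the thread.

# conf_get FILE KEY: print the first value set for KEY, skipping comment lines.
conf_get() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        $1 == k { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# check_sudo_ldap [NSSWITCH] [LDAPCONF]
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
check_sudo_ldap() {
    nss=${1:-/etc/nsswitch.conf}
    conf=${2:-/etc/ldap.conf}
    rc=0

    # sudo consults LDAP only when nsswitch.conf lists it for the sudoers database.
    if ! grep -Eq '^[[:space:]]*sudoers:.*[[:space:]]ldap([[:space:]]|$)' "$nss"; then
        echo "nsswitch: ldap is not listed on the sudoers: line"; rc=1
    fi
    if [ ! -r "$conf" ]; then
        echo "config: file is missing or unreadable"; return 1
    fi

    # Where to connect and where the rules live, as in the thread's configuration.
    for key in uri sudoers_base; do
        [ -n "$(conf_get "$conf" "$key")" ] || { echo "config: $key is not set"; rc=1; }
    done

    # A bind password in a world-readable file is exposed to every local account.
    if [ -n "$(conf_get "$conf" bindpw)" ] && [ -n "$(find "$conf" -prune -perm -004)" ]; then
        echo "perms: file holds bindpw and is world-readable"; rc=1
    fi

    # Over ldap:// a simple bind sends bindpw in clear unless StartTLS is requested;
    # without peer verification the TLS session does not authenticate the server.
    case $(conf_get "$conf" uri) in
        ldaps://*) ;;
        *) [ "$(conf_get "$conf" ssl)" = start_tls ] || { echo "tls: ssl start_tls is not set"; rc=1; } ;;
    esac
    [ "$(conf_get "$conf" tls_checkpeer)" = yes ] || { echo "tls: tls_checkpeer is not yes"; rc=1; }

    # sudoers_debug is a troubleshooting aid; flag it when left enabled.
    if grep -Eq '^[[:space:]]*sudoers_debug[[:space:]:]+[1-9]' "$conf"; then
        echo "debug: sudoers_debug is still enabled"; rc=1
    fi
    return $rc
}

# sudoers_search_cmd [LDAPCONF]: print (do not run) an ldapsearch that queries the
# rule container as the bind DN. The container is given with -b; a bare trailing
# argument is taken as the search filter and the default base is searched instead,
# which is what the "# base ... (default)" and "# filter:" lines in the thread show.
sudoers_search_cmd() {
    conf=${1:-/etc/ldap.conf}
    printf "ldapsearch -ZZ -H %s -D %s -W -b %s '(objectClass=sudoRole)' cn\n" \
        "$(conf_get "$conf" uri)" \
        "$(conf_get "$conf" binddn)" \
        "$(conf_get "$conf" sudoers_base)"
}

# Dry run on constructed sample files (the thread's settings, placeholder password):
#   sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf 'sudoers: files ldap\n' > "$d/nsswitch.conf"
    printf '%s\n' \
        'binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me' \
        'bindpw password' \
        'ssl start_tls' \
        'tls_cacertfile /etc/ipa/ca.crt' \
        'tls_checkpeer yes' \
        'uri ldap://fs1.wedgeofli.me' \
        'sudoers_base ou=SUDOers,dc=wedgeofli,dc=me' > "$d/ldap.conf"
    chmod 644 "$d/ldap.conf"
    check_sudo_ldap "$d/nsswitch.conf" "$d/ldap.conf"
    sudoers_search_cmd "$d/ldap.conf"
    rm -rf "$d"
fi
```

    Run the check as root against the live files, since a correctly restricted configuration is unreadable to other accounts.<br>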
  </body>
</html>