Folks,
I am migrating CentOS7 to RockyLinux 8.3. I have my master running on CentOS7 and trying to add replica of RockyLinux 8.3
I am stuck here and not sure what it's actually trying to say and how to fix it?
[1/4]: Generating ipa-custodia config file
[2/4]: Generating ipa-custodia keys
[3/4]: starting ipa-custodia
[4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
[1/2]: configure certmonger for renewals
[2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE: Server at https://ldap-vx-010103-2.site5.example.com/ipa/json failed request, will retry: 4035 (Request failed with status 400: Non-2xx response from CA REST API: 400. Profile KDCs_PKINIT_Certs Not Found).)
Failed to configure PKINIT
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
Could not get dnaHostname entries in 60 seconds
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
Configuring SID generation
[1/7]: creating samba domain object
[2/7]: adding admin(group) SIDs
[3/7]: adding RID bases
Found more than one local domain ID range with no RID base set.
[error] RuntimeError: Too many ID ranges
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Too many ID ranges
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
# ipa idrange-find --all --raw
----------------
3 ranges matched
----------------
dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
cn: EXAMPLE.COM_id_range
ipabaseid: 1000
ipaidrangesize: 200000
iparangetype: ipa-local
objectclass: top
objectclass: ipaIDrange
objectclass: ipaDomainIDRange
dn: cn=EXAMPLE.COM_subid_range,cn=ranges,cn=etc,dc=example,dc=com
cn: EXAMPLE.COM_subid_range
ipabaseid: 2147483648
ipaidrangesize: 2147352576
ipabaserid: 2147283648
ipanttrusteddomainsid: S-1-5-21-738065-838566-3614142254
iparangetype: ipa-ad-trust
objectclass: top
objectclass: ipaIDrange
objectclass: ipaTrustedADDomainRange
dn: cn=EXAMPLE_OLD_USERS,cn=ranges,cn=etc,dc=example,dc=com
cn: EXAMPLE_OLD_USERS
ipabaseid: 500
ipaidrangesize: 500
iparangetype: ipa-local
objectclass: ipadomainidrange
objectclass: ipaIDrange
----------------------------
Number of entries returned 3
----------------------------
Satish Patel via FreeIPA-users wrote:
Folks,
I am migrating CentOS7 to RockyLinux 8.3. I have my master running on CentOS7 and trying to add replica of RockyLinux 8.3
I am stuck here and not sure what it's actually trying to say and how to fix it?
[1/4]: Generating ipa-custodia config file
[2/4]: Generating ipa-custodia keys
[3/4]: starting ipa-custodia
[4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
[1/2]: configure certmonger for renewals
[2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE: Server at https://ldap-vx-010103-2.site5.example.com/ipa/json failed request, will retry: 4035 (Request failed with status 400: Non-2xx response from CA REST API: 400. Profile KDCs_PKINIT_Certs Not Found).)
Failed to configure PKINIT
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
Could not get dnaHostname entries in 60 seconds
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
Configuring SID generation
[1/7]: creating samba domain object
[2/7]: adding admin(group) SIDs
[3/7]: adding RID bases
Found more than one local domain ID range with no RID base set.
[error] RuntimeError: Too many ID ranges
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Too many ID ranges
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
# ipa idrange-find --all --raw
3 ranges matched
dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
cn: EXAMPLE.COM_id_range
ipabaseid: 1000
ipaidrangesize: 200000
iparangetype: ipa-local
objectclass: top
objectclass: ipaIDrange
objectclass: ipaDomainIDRange
dn: cn=EXAMPLE.COM_subid_range,cn=ranges,cn=etc,dc=example,dc=com
cn: EXAMPLE.COM_subid_range
ipabaseid: 2147483648
ipaidrangesize: 2147352576
ipabaserid: 2147283648
ipanttrusteddomainsid: S-1-5-21-738065-838566-3614142254
iparangetype: ipa-ad-trust
objectclass: top
objectclass: ipaIDrange
objectclass: ipaTrustedADDomainRange
dn: cn=EXAMPLE_OLD_USERS,cn=ranges,cn=etc,dc=example,dc=com
cn: EXAMPLE_OLD_USERS
ipabaseid: 500
ipaidrangesize: 500
iparangetype: ipa-local
objectclass: ipadomainidrange
objectclass: ipaIDrange
Number of entries returned 3
Only one range without a RID base is allowed. See https://pagure.io/freeipa/issue/9076
rob
Hi Rob,
You are saying I have "3 ranges matched" but technically we only need "1 range". Sorry I am little new to freeIPA terms and not sure about what to do to fix this issue?
On Fri, May 10, 2024 at 8:42 AM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel via FreeIPA-users wrote:
Folks,
I am migrating CentOS7 to RockyLinux 8.3. I have my master running on CentOS7 and trying to add replica of RockyLinux 8.3
I am stuck here and not sure what it's actually trying to say and how to fix it?
[1/4]: Generating ipa-custodia config file
[2/4]: Generating ipa-custodia keys
[3/4]: starting ipa-custodia
[4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
[1/2]: configure certmonger for renewals
[2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE: Server at https://ldap-vx-010103-2.site5.example.com/ipa/json failed request, will retry: 4035 (Request failed with status 400: Non-2xx response from CA REST API: 400. Profile KDCs_PKINIT_Certs Not Found).)
Failed to configure PKINIT
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
Could not get dnaHostname entries in 60 seconds
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
Configuring SID generation
[1/7]: creating samba domain object
[2/7]: adding admin(group) SIDs
[3/7]: adding RID bases
Found more than one local domain ID range with no RID base set.
[error] RuntimeError: Too many ID ranges
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Too many ID ranges
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
# ipa idrange-find --all --raw
3 ranges matched
dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
cn: EXAMPLE.COM_id_range
ipabaseid: 1000
ipaidrangesize: 200000
iparangetype: ipa-local
objectclass: top
objectclass: ipaIDrange
objectclass: ipaDomainIDRange
dn: cn=EXAMPLE.COM_subid_range,cn=ranges,cn=etc,dc=example,dc=com
cn: EXAMPLE.COM_subid_range
ipabaseid: 2147483648
ipaidrangesize: 2147352576
ipabaserid: 2147283648
ipanttrusteddomainsid: S-1-5-21-738065-838566-3614142254
iparangetype: ipa-ad-trust
objectclass: top
objectclass: ipaIDrange
objectclass: ipaTrustedADDomainRange
dn: cn=EXAMPLE_OLD_USERS,cn=ranges,cn=etc,dc=example,dc=com
cn: EXAMPLE_OLD_USERS
ipabaseid: 500
ipaidrangesize: 500
iparangetype: ipa-local
objectclass: ipadomainidrange
objectclass: ipaIDrange
Number of entries returned 3
Only one range without a RID base is allowed. See https://pagure.io/freeipa/issue/9076
rob
Satish Patel wrote:
Hi Rob,
You are saying I have "3 ranges matched" but technically we only need "1 range". Sorry I am little new to freeIPA terms and not sure about what to do to fix this issue?
You have two ranges without a RID base. You need to set one for at least EXAMPLE.COM_id_range and likely for the other as well once you upgrade to RHEL 9.
rob
On Fri, May 10, 2024 at 8:42 AM Rob Crittenden <rcritten@redhat.com mailto:rcritten@redhat.com> wrote:
Satish Patel via FreeIPA-users wrote: > Folks, > > I am migrating CentOS7 to RockyLinux 8.3. I have my master running on > CentOS7 and trying to add replica of RockyLinux 8.3 > > I am stuck here and not sure what it's actually trying to say and how to > fix it? > > [1/4]: Generating ipa-custodia config file > > [2/4]: Generating ipa-custodia keys > > [3/4]: starting ipa-custodia > > [4/4]: configuring ipa-custodia to start on boot > > Done configuring ipa-custodia. > > Configuring certificate server (pki-tomcatd) > > [1/2]: configure certmonger for renewals > > [2/2]: Importing RA key > > Done configuring certificate server (pki-tomcatd). > > Configuring Kerberos KDC (krb5kdc) > > [1/1]: installing X509 Certificate for PKINIT > > PKINIT certificate request failed: Certificate issuance failed > (CA_UNREACHABLE: Server at > https://ldap-vx-010103-2.site5.example.com/ipa/json failed request, will > retry: 4035 (Request failed with status 400: Non-2xx response from CA > REST API: 400. Profile KDCs_PKINIT_Certs Not Found).) > > Failed to configure PKINIT > > Full PKINIT configuration did not succeed > > The setup will only install bits essential to the server functionality > > You can enable PKINIT after the setup completed using 'ipa-pkinit-manage' > > Done configuring Kerberos KDC (krb5kdc). > > Applying LDAP updates > > Upgrading IPA:. Estimated time: 1 minute 30 seconds > > [1/10]: stopping directory server > > [2/10]: saving configuration > > [3/10]: disabling listeners > > [4/10]: enabling DS global lock > > [5/10]: disabling Schema Compat > > [6/10]: starting directory server > > [7/10]: upgrading server > > Could not get dnaHostname entries in 60 seconds > > [8/10]: stopping directory server > > [9/10]: restoring configuration > > [10/10]: starting directory server > > Done. > > Finalize replication settings > > Restarting the KDC > > Configuring SID generation > > [1/7]: creating samba domain object > > [2/7]: adding admin(group) SIDs > > [3/7]: adding RID bases > > Found more than one local domain ID range with no RID base set. > > [error] RuntimeError: Too many ID ranges > > > Your system may be partly configured. > > Run /usr/sbin/ipa-server-install --uninstall to clean up. > > > Too many ID ranges > > > The ipa-replica-install command failed. See > /var/log/ipareplica-install.log for more information > > > > > > # ipa idrange-find --all --raw > > ---------------- > > 3 ranges matched > > ---------------- > > dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com > > cn: EXAMPLE.COM_id_range > > ipabaseid: 1000 > > ipaidrangesize: 200000 > > iparangetype: ipa-local > > objectclass: top > > objectclass: ipaIDrange > > objectclass: ipaDomainIDRange > > > dn: cn=EXAMPLE.COM_subid_range,cn=ranges,cn=etc,dc=example,dc=com > > cn: EXAMPLE.COM_subid_range > > ipabaseid: 2147483648 > > ipaidrangesize: 2147352576 > > ipabaserid: 2147283648 > > ipanttrusteddomainsid: S-1-5-21-738065-838566-3614142254 > > iparangetype: ipa-ad-trust > > objectclass: top > > objectclass: ipaIDrange > > objectclass: ipaTrustedADDomainRange > > > dn: cn=EXAMPLE_OLD_USERS,cn=ranges,cn=etc,dc=example,dc=com > > cn: EXAMPLE_OLD_USERS > > ipabaseid: 500 > > ipaidrangesize: 500 > > iparangetype: ipa-local > > objectclass: ipadomainidrange > > objectclass: ipaIDrange > > ---------------------------- > > Number of entries returned 3 > > ---------------------------- Only one range without a RID base is allowed. See https://pagure.io/freeipa/issue/9076 rob
Hi Rob,
Thank you for helping me out with this. Little confused here so let me ask you. you are saying I don't have "ipabaserid:" attribute set on two ranges and that is what I need to set, correct? Curious why this is happening now and not before? I am running this ldap last 5 years and had no issues. Do you think this is a new version of freeIPA issue?
Do you have any command to set that for others to range? and what number should I use?
On Fri, May 10, 2024 at 11:40 AM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
Hi Rob,
You are saying I have "3 ranges matched" but technically we only need "1 range". Sorry I am little new to freeIPA terms and not sure about what to do to fix this issue?
You have two ranges without a RID base. You need to set one for at least EXAMPLE.COM_id_range and likely for the other as well once you upgrade to RHEL 9.
rob
On Fri, May 10, 2024 at 8:42 AM Rob Crittenden <rcritten@redhat.com mailto:rcritten@redhat.com> wrote:
Satish Patel via FreeIPA-users wrote: > Folks, > > I am migrating CentOS7 to RockyLinux 8.3. I have my master running
on
> CentOS7 and trying to add replica of RockyLinux 8.3 > > I am stuck here and not sure what it's actually trying to say and how to > fix it? > > [1/4]: Generating ipa-custodia config file > > [2/4]: Generating ipa-custodia keys > > [3/4]: starting ipa-custodia > > [4/4]: configuring ipa-custodia to start on boot > > Done configuring ipa-custodia. > > Configuring certificate server (pki-tomcatd) > > [1/2]: configure certmonger for renewals > > [2/2]: Importing RA key > > Done configuring certificate server (pki-tomcatd). > > Configuring Kerberos KDC (krb5kdc) > > [1/1]: installing X509 Certificate for PKINIT > > PKINIT certificate request failed: Certificate issuance failed > (CA_UNREACHABLE: Server at > https://ldap-vx-010103-2.site5.example.com/ipa/json failed request, will > retry: 4035 (Request failed with status 400: Non-2xx response from
CA
> REST API: 400. Profile KDCs_PKINIT_Certs Not Found).) > > Failed to configure PKINIT > > Full PKINIT configuration did not succeed > > The setup will only install bits essential to the server
functionality
> > You can enable PKINIT after the setup completed using 'ipa-pkinit-manage' > > Done configuring Kerberos KDC (krb5kdc). > > Applying LDAP updates > > Upgrading IPA:. Estimated time: 1 minute 30 seconds > > [1/10]: stopping directory server > > [2/10]: saving configuration > > [3/10]: disabling listeners > > [4/10]: enabling DS global lock > > [5/10]: disabling Schema Compat > > [6/10]: starting directory server > > [7/10]: upgrading server > > Could not get dnaHostname entries in 60 seconds > > [8/10]: stopping directory server > > [9/10]: restoring configuration > > [10/10]: starting directory server > > Done. > > Finalize replication settings > > Restarting the KDC > > Configuring SID generation > > [1/7]: creating samba domain object > > [2/7]: adding admin(group) SIDs > > [3/7]: adding RID bases > > Found more than one local domain ID range with no RID base set. > > [error] RuntimeError: Too many ID ranges > > > Your system may be partly configured. > > Run /usr/sbin/ipa-server-install --uninstall to clean up. > > > Too many ID ranges > > > The ipa-replica-install command failed. See > /var/log/ipareplica-install.log for more information > > > > > > # ipa idrange-find --all --raw > > ---------------- > > 3 ranges matched > > ---------------- > > dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com > > cn: EXAMPLE.COM_id_range > > ipabaseid: 1000 > > ipaidrangesize: 200000 > > iparangetype: ipa-local > > objectclass: top > > objectclass: ipaIDrange > > objectclass: ipaDomainIDRange > > > dn: cn=EXAMPLE.COM_subid_range,cn=ranges,cn=etc,dc=example,dc=com > > cn: EXAMPLE.COM_subid_range > > ipabaseid: 2147483648 > > ipaidrangesize: 2147352576 > > ipabaserid: 2147283648 > > ipanttrusteddomainsid: S-1-5-21-738065-838566-3614142254 > > iparangetype: ipa-ad-trust > > objectclass: top > > objectclass: ipaIDrange > > objectclass: ipaTrustedADDomainRange > > > dn: cn=EXAMPLE_OLD_USERS,cn=ranges,cn=etc,dc=example,dc=com > > cn: EXAMPLE_OLD_USERS > > ipabaseid: 500 > > ipaidrangesize: 500 > > iparangetype: ipa-local > > objectclass: ipadomainidrange > > objectclass: ipaIDrange > > ---------------------------- > > Number of entries returned 3 > > ---------------------------- Only one range without a RID base is allowed. See https://pagure.io/freeipa/issue/9076 rob
Satish Patel wrote:
Hi Rob,
Thank you for helping me out with this. Little confused here so let me ask you. you are saying I don't have "ipabaserid:" attribute set on two ranges and that is what I need to set, correct?
Yes.
Curious why this is happening now and not before? I am running this ldap last 5 years and had no issues. Do you think this is a new version of freeIPA issue?
Yes. All users require a SID now in order to mitigate a security issue.
Do you have any command to set that for others to range? and what number should I use?
It's all in the referenced e-mail threads. There are more, in fact, in the freeipa-users archives if you want.
rob
On Fri, May 10, 2024 at 11:40 AM Rob Crittenden <rcritten@redhat.com mailto:rcritten@redhat.com> wrote:
Satish Patel wrote: > Hi Rob, > > You are saying I have "3 ranges matched" but technically we only need "1 > range". Sorry I am little new to freeIPA terms and not sure about what > to do to fix this issue? You have two ranges without a RID base. You need to set one for at least EXAMPLE.COM_id_range and likely for the other as well once you upgrade to RHEL 9. rob > > On Fri, May 10, 2024 at 8:42 AM Rob Crittenden <rcritten@redhat.com <mailto:rcritten@redhat.com> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>> wrote: > > Satish Patel via FreeIPA-users wrote: > > Folks, > > > > I am migrating CentOS7 to RockyLinux 8.3. I have my master running on > > CentOS7 and trying to add replica of RockyLinux 8.3 > > > > I am stuck here and not sure what it's actually trying to say and > how to > > fix it? > > > > [1/4]: Generating ipa-custodia config file > > > > [2/4]: Generating ipa-custodia keys > > > > [3/4]: starting ipa-custodia > > > > [4/4]: configuring ipa-custodia to start on boot > > > > Done configuring ipa-custodia. > > > > Configuring certificate server (pki-tomcatd) > > > > [1/2]: configure certmonger for renewals > > > > [2/2]: Importing RA key > > > > Done configuring certificate server (pki-tomcatd). > > > > Configuring Kerberos KDC (krb5kdc) > > > > [1/1]: installing X509 Certificate for PKINIT > > > > PKINIT certificate request failed: Certificate issuance failed > > (CA_UNREACHABLE: Server at > > https://ldap-vx-010103-2.site5.example.com/ipa/json failed > request, will > > retry: 4035 (Request failed with status 400: Non-2xx response from CA > > REST API: 400. Profile KDCs_PKINIT_Certs Not Found).) > > > > Failed to configure PKINIT > > > > Full PKINIT configuration did not succeed > > > > The setup will only install bits essential to the server functionality > > > > You can enable PKINIT after the setup completed using > 'ipa-pkinit-manage' > > > > Done configuring Kerberos KDC (krb5kdc). > > > > Applying LDAP updates > > > > Upgrading IPA:. Estimated time: 1 minute 30 seconds > > > > [1/10]: stopping directory server > > > > [2/10]: saving configuration > > > > [3/10]: disabling listeners > > > > [4/10]: enabling DS global lock > > > > [5/10]: disabling Schema Compat > > > > [6/10]: starting directory server > > > > [7/10]: upgrading server > > > > Could not get dnaHostname entries in 60 seconds > > > > [8/10]: stopping directory server > > > > [9/10]: restoring configuration > > > > [10/10]: starting directory server > > > > Done. > > > > Finalize replication settings > > > > Restarting the KDC > > > > Configuring SID generation > > > > [1/7]: creating samba domain object > > > > [2/7]: adding admin(group) SIDs > > > > [3/7]: adding RID bases > > > > Found more than one local domain ID range with no RID base set. > > > > [error] RuntimeError: Too many ID ranges > > > > > > Your system may be partly configured. > > > > Run /usr/sbin/ipa-server-install --uninstall to clean up. > > > > > > Too many ID ranges > > > > > > The ipa-replica-install command failed. See > > /var/log/ipareplica-install.log for more information > > > > > > > > > > > > # ipa idrange-find --all --raw > > > > ---------------- > > > > 3 ranges matched > > > > ---------------- > > > > dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com > > > > cn: EXAMPLE.COM_id_range > > > > ipabaseid: 1000 > > > > ipaidrangesize: 200000 > > > > iparangetype: ipa-local > > > > objectclass: top > > > > objectclass: ipaIDrange > > > > objectclass: ipaDomainIDRange > > > > > > dn: cn=EXAMPLE.COM_subid_range,cn=ranges,cn=etc,dc=example,dc=com > > > > cn: EXAMPLE.COM_subid_range > > > > ipabaseid: 2147483648 > > > > ipaidrangesize: 2147352576 > > > > ipabaserid: 2147283648 > > > > ipanttrusteddomainsid: S-1-5-21-738065-838566-3614142254 > > > > iparangetype: ipa-ad-trust > > > > objectclass: top > > > > objectclass: ipaIDrange > > > > objectclass: ipaTrustedADDomainRange > > > > > > dn: cn=EXAMPLE_OLD_USERS,cn=ranges,cn=etc,dc=example,dc=com > > > > cn: EXAMPLE_OLD_USERS > > > > ipabaseid: 500 > > > > ipaidrangesize: 500 > > > > iparangetype: ipa-local > > > > objectclass: ipadomainidrange > > > > objectclass: ipaIDrange > > > > ---------------------------- > > > > Number of entries returned 3 > > > > ---------------------------- > > Only one range without a RID base is allowed. See > https://pagure.io/freeipa/issue/9076 > > rob > >
freeipa-users@lists.fedorahosted.org