Hey Alexander,
I have tried installing a new IPA server with my expected ranges on my new
site and its working fine.Thanks for the document.
I have observed a couple of errors. POSIX ID's 4248,4141,4121,4258..etc.
all are my infra group id's.
[30/Nov/2023:05:17:36.931522914 -0500] - ERR - sidgen_task_thread - [file
ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[30/Nov/2023:05:17:36.933841900 -0500] - ERR - sidgen_task_thread - [file
ipa_sidgen_task.c, line 199]: Sidgen task finished [0].
[30/Nov/2023:05:17:41.443256202 -0500] - ERR - schema-compat-plugin -
warning: no entries set up under ou=sudoers,dc=alpha-grep,dc=com
[30/Nov/2023:05:17:41.449472986 -0500] - ERR - schema-compat-plugin -
warning: no entries set up under cn=ng, cn=compat,dc=alpha-grep,dc=com
[30/Nov/2023:05:17:41.456705946 -0500] - ERR - schema-compat-plugin -
warning: no entries set up under cn=computers,
cn=compat,dc=alpha-grep,dc=com
[30/Nov/2023:05:17:41.457666134 -0500] - ERR - schema-compat-plugin -
Finished plugin initialization.
[30/Nov/2023:05:27:02.337803787 -0500] - ERR - find_sid_for_ldap_entry -
[file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4141] into
an unused SID.
[30/Nov/2023:05:27:02.338927487 -0500] - ERR - ipa_sidgen_add_post_op -
[file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
[30/Nov/2023:06:03:06.173948392 -0500] - ERR - find_sid_for_ldap_entry -
[file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4121] into
an unused SID.
[30/Nov/2023:06:03:06.174922473 -0500] - ERR - ipa_sidgen_add_post_op -
[file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
[30/Nov/2023:06:22:36.616707461 -0500] - ERR - rid_to_sid_with_check -
[file ipa_sidgen_common.c, line 384]: SID
[S-1-5-21-3258431096-680571367-3483437258-16054] is already used.
[30/Nov/2023:06:24:53.185373410 -0500] - ERR - find_sid_for_ldap_entry -
[file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4258] into
an unused SID.
[30/Nov/2023:06:24:53.186107898 -0500] - ERR - ipa_sidgen_add_post_op -
[file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
[30/Nov/2023:07:07:48.738323141 -0500] - ERR - find_sid_for_ldap_entry -
[file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4249] into
an unused SID.
[30/Nov/2023:07:07:48.739492958 -0500] - ERR - ipa_sidgen_add_post_op -
[file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
[30/Nov/2023:08:10:33.205867886 -0500] - ERR - find_sid_for_ldap_entry -
[file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4249] into
an unused SID.
[30/Nov/2023:08:10:33.206759596 -0500] - ERR - ipa_sidgen_add_post_op -
[file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
[30/Nov/2023:08:33:53.787156179 -0500] - ERR - find_sid_for_ldap_entry -
[file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4249] into
an unused SID.
[30/Nov/2023:08:33:53.788186638 -0500] - ERR - ipa_sidgen_add_post_op -
[file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
[root@ipa- ~]#
[root@ipa-~]# ipa user-show test --all --raw
dn: uid=test,cn=users,cn=accounts,dc=$REAL
uid: test
givenname: test
sn: test
cn: test
initials: TE
homedirectory: /home/test
gecos: Test
loginshell: /bin/bash
krbcanonicalname: test(a)$REALM.COM
krbprincipalname: kpradeep(a)$REALM.COM
uidnumber: 5708
gidnumber: 4141
sshpubkeyfp:
nsaccountlock: FALSE
has_password: TRUE
has_keytab: TRUE
displayName: Test
ipaNTSecurityIdentifier: S-1-5-21-3258431096-680571367-3483437258-1708
ipaSshPubKey: <key>
ipaUniqueID: <id>
krbExtraData: <data>
krbLastAdminUnlock: 20231130174441Z
krbLastPwdChange: 20231130174540Z
krbLoginFailedCount: 0
krbPasswordExpiration: 20240228174540Z
krbTicketFlags: 128
memberof: cn=admin,cn=groups,cn=accounts,dc=$real
memberof: cn=ipausers,cn=groups,cn=accounts,dc=$real
memberofindirect:
ipaUniqueID=8c81c2c6-8f6b-11ee-b685-a68c8b95f346,cn=sudorules,cn=sudo,dc=$real
mepManagedEntry: cn=test,cn=groups,cn=accounts,dc=$real
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
[root@ipa- ~]# ipa idrange-find --all --raw
----------------
2 ranges matched
----------------
dn: cn=$REALM_id_range,cn=ranges,cn=etc,dc=$real
cn: $REALM_id_range
ipabaseid: 5000
ipaidrangesize: 1995001
ipabaserid: 1000
ipasecondarybaserid: 100000000
iparangetype: ipa-local
objectclass: top
objectclass: ipaIDrange
objectclass: ipaDomainIDRange
dn: cn=$REALM_subid_range,cn=ranges,cn=etc,dc=$realm
cn: $REALM_subid_range
ipabaseid: 2147483648
ipaidrangesize: 2147352576
ipabaserid: 2145488647
ipanttrusteddomainsid: S-1-5-21-738065-838566-1448868364
iparangetype: ipa-ad-trust
objectclass: top
objectclass: ipaIDrange
objectclass: ipaTrustedADDomainRange
----------------------------
Number of entries returned 2
----------------------------
[root@ipa ~]#
On Tue, Nov 28, 2023 at 4:58 PM Pradeep KNS <kns.pradeep(a)alpha-grep.com>
wrote:
Thanks a lot and I will Go through it.
On Tue, Nov 28, 2023 at 4:56 PM Alexander Bokovoy <abokovoy(a)redhat.com>
wrote:
> On Аўт, 28 ліс 2023, Pradeep KNS wrote:
> >ok but in my case i don't use AD,Windows authentication or replica etc,
> >just the centralised authentication system all are redhat os installed
> >servers.
> >In this case also i need to create a base RID?
>
> Yes. You keep ignoring my references to previous discussions.
>
> You will not get it working without proper SIDs because we require PAC
> presence to protect against Kerberos impersonation. This is not a
> theoretical probability anymore since November 2022 Microsoft security
> updates. The same attacks apply to all Kerberos environments and current
> way of protecting against them is to utilize MS-PAC buffers with
> appropriate signatures and checksums. PAC buffers require use of SIDs to
> address objects and that is what we enforce now.
>
> If you still want to know details, I'd suggest to watch at least the two
> talks we gave at SambaXP past few years:
>
> - "Kerberos" by Andrew Bartlett
>
>
https://sambaxp.org/fileadmin/user_upload/sambaxp2022-Slides/Bartlett-Ker...
>
> - Samba AD / MIT Kerberos: path out of experimental by me and Andreas
>
>
https://sambaxp.org/fileadmin/user_upload/sambaxp2023-Slides/Bokovoy_Schn...
>
https://youtu.be/0_cdYuIYw0o
>
> While these talk about Samba AD, the changes went to both Samba and
> FreeIPA, as well as MIT Kerberos (and Microsoft's Active Directory too).
>
> So, look at the KCS I gave, understand how to add RID bases to your new
> ID range and fix your problem through that.
>
> >
> >On Tue, Nov 28, 2023 at 4:30 PM Alexander Bokovoy <abokovoy(a)redhat.com>
> >wrote:
> >
> >> On Аўт, 28 ліс 2023, Pradeep KNS wrote:
> >> >Alexander,
> >> >
> >> >Thanks for that document.Bit of that i did it but it dint worked looks
> >> like
> >> >i might followed some wrong steps.
> >> >
> >> >My default id range mentioned below
> >> >ipa idrange-find --all --raw
> >> >----------------
> >> >2 ranges matched
> >> >----------------
> >> > dn: cn=REALM_id_range,cn=ranges,cn=etc,dc=$SUFFIX
> >> > cn: REALM_id_range
> >> > ipabaseid: 771000000
> >> > ipaidrangesize: 200000
> >> > ipabaserid: 1000
> >> > ipasecondarybaserid: 100000000
> >> > iparangetype: ipa-local
> >> > objectclass: top
> >> > objectclass: ipaIDrange
> >> > objectclass: ipaDomainIDRange
> >> >
> >> > dn: cn=REALM_subid_range,cn=ranges,cn=etc,dc=SUFFIX
> >> > cn: REALM_subid_range
> >> > ipabaseid: 2147483648
> >> > ipaidrangesize: 2147352576
> >> > ipabaserid: 2147283648
> >> > ipanttrusteddomainsid: S-1-5-21-738065-838566-1448868364
> >> > iparangetype: ipa-ad-trust
> >> > objectclass: top
> >> > objectclass: ipaIDrange
> >> > objectclass: ipaTrustedADDomainRange
> >> >
> >> >##################################
> >> >Manually created ID range
> >> >
> >> >[root@ipa-mum1 ~]# ipa idrange-find --all --raw
> >> >----------------
> >> >3 ranges matched
> >> >----------------
> >> > dn: cn=REALM_id_new_range,cn=ranges,cn=etc,dc=SUFFIX
> >> > cn: REALM_id_new_range
> >> > ipabaseid: 1000
> >> > ipaidrangesize: 200000
> >> > iparangetype: ipa-local
> >> > objectclass: ipaIDrange
> >> > objectclass: ipadomainidrange
> >>
> >> You created a new ID range but this range has no RID bases. Therefore,
> >> the range cannot be used for SID assignment.
> >>
> >> The KCS article has a section about RID bases and how to choose them,
> >> please follow that.
> >>
> >> >
> >> >Then i created the user name called test user post it dint created
> >> expected
> >> >user attribute
> >> >
> >> >root@ipa~]#ipa user-add testuser --first=Test --last=User -uid=5189
> >> >--gidnumber=4141 --password
> >> >root@ipa ~]# ipa user-show testuser --all
> >> > dn: uid=testuser,cn=users,cn=accounts,dc=real
> >> > User login: testuser
> >> > First name: Test
> >> > Last name: User
> >> > Full name: Test User
> >> > Display name: Testuser
> >> > Initials: TU
> >> > Home directory: /home/testuser
> >> > GECOS: Test User
> >> > Login shell: /bin/bash
> >> > Principal name: testuser(a)REALM.COM
> >> > Principal alias: testuser(a)REALM.COM
> >> > User password expiration: 20231124144147Z
> >> > UID: 5189
> >> > GID: 4141
> >> > Account disabled: False
> >> > Preserved user: False
> >> > Password: True
> >> > Member of groups: ipausers
> >> > Kerberos keys available: True
> >> > ipauniqueid: 88e7da44-8ad7-11ee-b06e-a68c8b95f346
> >> > krbextradata: AAIrtmBlcm9vdC9hZG1pbkBBTFBIQS1HUkVQLkNPTQA=
> >> > krblastadminunlock: 20231124144147Z
> >> > krblastpwdchange: 20231124144147Z
> >> > krbloginfailedcount: 0
> >> > mepmanagedentry: cn=testuser,cn=groups,cn=accounts,dc=example,dc=com
> >> > objectclass: top, person, organizationalperson, inetorgperson,
> inetuser,
> >> >posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject,
> ipasshuser,
> >> >ipaSshGroupOfPubKeys, mepOriginEntry
> >> >
> >> >The above method followed but after creating another id range
> manually, I
> >> >don't know where I missed post creation of ranges, for somehow it
> didn't
> >> >work. That's why I followed that generic method creating users and
> >> >modifying it manually.
> >> >PLease suggest me.
> >> >
> >> >On Tue, Nov 28, 2023 at 2:56 PM Pradeep KNS <
> kns.pradeep(a)alpha-grep.com>
> >> >wrote:
> >> >
> >> >> Thanks will go through it.
> >> >>
> >> >> On Tue, Nov 28, 2023 at 2:54 PM Alexander Bokovoy <
> abokovoy(a)redhat.com>
> >> >> wrote:
> >> >>
> >> >>> On Аўт, 28 ліс 2023, Pradeep KNS wrote:
> >> >>> >Could you please help me with those threads here to
regenerate
> sid’s.
> >> >>>
> >> >>>
https://access.redhat.com/articles/7027037
> >> >>>
> >> >>> >
> >> >>> >
> >> >>> >On Tue, 28 Nov 2023 at 2:27 PM, Alexander Bokovoy <
> >> abokovoy(a)redhat.com>
> >> >>> >wrote:
> >> >>> >
> >> >>> >> On Аўт, 28 ліс 2023, Pradeep KNS wrote:
> >> >>> >> >Yeah,
> >> >>> >> >But my default id range starts with 770000 but all
my existing
> >> >>> >> >infrastructure uid's are within 4 digits like
4147,8921,9756
> like
> >> >>> this.
> >> >>> >> >Here I am facing an issue.
> >> >>> >> >
> >> >>> >> >That's why I am creating users with default id
range and then
> >> later I
> >> >>> am
> >> >>> >> >modifying it via uid's as per my
infrastructure then
> ipantuserattrs
> >> >>> >> created
> >> >>> >> >and I am able to authenticate with password.
> >> >>> >>
> >> >>> >> This is wrong.
> >> >>> >>
> >> >>> >> >
> >> >>> >> >Can you suggest to me that with this setup i can
easily handle
> >> >>> 350Users
> >> >>> >> for
> >> >>> >> >around 400 servers across different different
locations with
> cache
> >> of
> >> >>> >> >storing on ipa clients.
> >> >>> >>
> >> >>> >> As I already said in other threads, create additional
ID range
> that
> >> >>> >> covers your 4-digit IDs, then re-run SID generation to
make sure
> >> those
> >> >>> >> users get proper SIDs.
> >> >>> >>
> >> >>> >> This is covered in the KCS.
> >> >>> >>
> >> >>> >> >
> >> >>> >> >On Tue, Nov 28, 2023 at 2:00 PM Alexander Bokovoy
<
> >> >>> abokovoy(a)redhat.com>
> >> >>> >> >wrote:
> >> >>> >> >
> >> >>> >> >> Please don't drop mailing list.
> >> >>> >> >>
> >> >>> >> >> On Аўт, 28 ліс 2023, Pradeep KNS wrote:
> >> >>> >> >> >Hey Alexander,
> >> >>> >> >> >
> >> >>> >> >> >Thanks For the Reply.
> >> >>> >> >> >
> >> >>> >> >> >But in my case i have fixed it by
recreating the user on
> Ipa web
> >> >>> UI and
> >> >>> >> >> >observing ipantuserattrs created password
logins are working
> >> fine.
> >> >>> >> >> >
> >> >>> >> >> >But do I face any issues if I try to
modify the base id
> range
> >> >>> >> manually? as
> >> >>> >> >> >per redhat docs which is not recommended
to modify.
> >> >>> >> >>
> >> >>> >> >> If you have re-created your user and that new
one works, it
> means
> >> >>> >> >> underlying infrastructure works properly.
Older user entries
> need
> >> >>> to be
> >> >>> >> >> fixed. Preferrably through a new ID range, if
those entries
> use
> >> IDs
> >> >>> >> >> which are outside of the main ID range.
> >> >>> >> >>
> >> >>> >> >> >
> >> >>> >> >> >Also on ipa 4.11 they support dedicated
ssh key based
> >> >>> >> >> >authentication.Ofcourse now also its
working.
> >> >>> >> >> >
> >> >>> >> >> >My setup is that I have internal dns
which is handled by a
> >> puppet
> >> >>> and
> >> >>> >> >> >slowly will move it to a dedicated
internal dns server so
> that's
> >> >>> why i
> >> >>> >> >> >opted for ipa installation without dns.
> >> >>> >> >> >
> >> >>> >> >> >On Tue, Nov 28, 2023 at 1:06 PM Alexander
Bokovoy <
> >> >>> abokovoy(a)redhat.com
> >> >>> >> >
> >> >>> >> >> >wrote:
> >> >>> >> >> >
> >> >>> >> >> >> On Пан, 27 ліс 2023, Pradeep KNS via
FreeIPA-users wrote:
> >> >>> >> >> >> >Hi Rob,
> >> >>> >> >> >> >Thank you for your email.
I've identified the issue.
> >> >>> >> >> >> >When attempting to create a user
using the 'ipa user-add'
> >> >>> command
> >> >>> >> and
> >> >>> >> >> >> >defining the UID and GID
according to my specifications,
> the
> >> UID
> >> >>> >> falls
> >> >>> >> >> >> >within the 4-digit range, for
instance, 4141. The
> >> >>> >> >> >> >IPA IDs range during
installation was set to 770000.
> Users
> >> >>> created
> >> >>> >> >> within
> >> >>> >> >> >> >this range are accepted with
their passwords. However,
> users
> >> >>> created
> >> >>> >> >> with
> >> >>> >> >> >> >UIDs like 4141 or 4142 encounter
issues.
> >> >>> >> >> >> >
> >> >>> >> >> >> >Looks like attributes, were not
creating
> >> >>> >> >> >> >
> >> >>> >> >> >> >objectclass: top, person,
organizationalperson,
> >> inetorgperson,
> >> >>> >> >> inetuser,
> >> >>> >> >> >> >posixaccount, krbprincipalaux,
krbticketpolicyaux,
> ipaobject,
> >> >>> >> >> ipasshuser,
> >> >>> >> >> >> >ipaSshGroupOfPubKeys,
mepOriginEntry, ipantuserattrs
> >> >>> >> >> >> >
> >> >>> >> >> >> >If i mention uid and gid using
ipa user-add command
> >> >>> >> >> >> >ipantuserattrs is not getting
create.
> >> >>> >> >> >> >
> >> >>> >> >> >> >I tried to modify default range
but it dint happened.
> >> >>> >> >> >>
> >> >>> >> >> >> See my answers in a parallel thread
'kinit fails on
> freeipa
> >> >>> master:
> >> >>> >> File
> >> >>> >> >> >> or directory not found'.
> >> >>> >> >> >>
> >> >>> >> >> >> >
> >> >>> >> >> >> >
> >> >>> >> >> >> >
> >> >>> >> >> >> >On Mon, 27 Nov 2023 at 9:41 PM,
Rob Crittenden <
> >> >>> rcritten(a)redhat.com
> >> >>> >> >
> >> >>> >> >> >> wrote:
> >> >>> >> >> >> >
> >> >>> >> >> >> >> Pradeep KNS wrote:
> >> >>> >> >> >> >> > Hi,
> >> >>> >> >> >> >> > I have installed an
ipa with internal dns.After
> >> installing
> >> >>> >> updated
> >> >>> >> >> >> >> > entries on dns as
well.
> >> >>> >> >> >> >> >
> >> >>> >> >> >> >> > My main criteria is to
communicate with ipa clients
> with
> >> ssh
> >> >>> >> >> keybased
> >> >>> >> >> >> >> > authentication which
is working fine.
> >> >>> >> >> >> >> >
> >> >>> >> >> >> >> > Today i tot of i want
to test with password based
> >> >>> authentication
> >> >>> >> >> which
> >> >>> >> >> >> >> > is not happening.I
dont know where i am missing
> >> >>> >> >> >> >> >
> >> >>> >> >> >> >> >
> >> >>> >> >> >> >> > [root(a)example.com
<mailto:root@example.com>]# ipa
> >> --version
> >> >>> >> >> >> >> > VERSION: 4.10.1,
API_VERSION: 2.251
> >> >>> >> >> >> >> > [root(a)example.com
<mailto:root@example.com>]#
> >> >>> >> >> >> >> >
> >> >>> >> >> >> >> > **********************
PREVIOUS MESSAGE WAS
> TRIGGERED BY
> >> THE
> >> >>> >> >> FOLLOWING
> >> >>> >> >> >> >> > BACKTRACE:
> >> >>> >> >> >> >> > * (2023-11-23
19:33:16): [krb5_child[11588]]
> >> >>> [tgt_req_child]
> >> >>> >> >> >> >> > (0x1000): [RID#15]
Password was expired
> >> >>> >> >> >> >>
> >> >>> >> >> >> >> The user's password is
expired.
> >> >>> >> >> >> >>
> >> >>> >> >> >> >> IPA intends that only the
end-user knows their
> password. So
> >> >>> if it
> >> >>> >> is
> >> >>> >> >> set
> >> >>> >> >> >> >> or reset by an
administrator the user will need to
> change
> >> it.
> >> >>> >> >> >> >>
> >> >>> >> >> >> >> Is the user not prompted to
reset it?
> >> >>> >> >> >> >>
> >> >>> >> >> >> >> rob
> >> >>> >> >> >> >>
> >> >>> >> >> >> >> > * (2023-11-23
19:33:16): [krb5_child[11588]]
> >> >>> >> >> [sss_krb5_responder]
> >> >>> >> >> >> >> > (0x4000): [RID#15] Got
question [password].
> >> >>> >> >> >> >> > * (2023-11-23
19:33:16): [krb5_child[11588]]
> >> >>> >> [map_krb5_error]
> >> >>> >> >> >> >> > (0x0020): [RID#15]
2138: [-1765328324][Generic error
> (see
> >> >>> >> e-text)]
> >> >>> >> >> >> >> > **********************
BACKTRACE DUMP ENDS HERE
> >> >>> >> >> >> >> >
*********************************
> >> >>> >> >> >> >> >
> >> >>> >> >> >> >> > ssh log
> >> >>> >> >> >> >> >
> >> >>> >> >> >> >> > Nov 23 19:33:16
test-example.com <
> >>
http://test-example.com>
> >> >>> >> >> >> sshd[11586]:
> >> >>> >> >> >> >> > pam_sss(sshd:auth):
authentication failure; logname=
> >> uid=0
> >> >>> >> euid=0
> >> >>> >> >> >> >> > tty=ssh ruser=
rhost=10.10.1.1 user=harsh
> >> >>> >> >> >> >> > Nov 23 19:33:16
test-example.com <
> >>
http://test-example.com>
> >> >>> >> >> >> sshd[11586]:
> >> >>> >> >> >> >> > pam_sss(sshd:auth):
received for user harsh: 4
> (System
> >> >>> error)
> >> >>> >> >> >> >> > Nov 23
19:33:18test-example.com <
> >>
http://18test-example.com>
> >> >>> >> >> >> sshd[11584]:
> >> >>> >> >> >> >> > error: PAM:
Authentication failure for harsh from
> >> 10.10.1.1
> >> >>> >> >> >> >> > Nov 23 19:33:20
test-example.com <
> >>
http://test-example.com>
> >> >>> >> >> >> sshd[11584]:
> >> >>> >> >> >> >> > Connection closed by
authenticating user harsh
> 10.10.1.1
> >> >>> port
> >> >>> >> 47724
> >> >>> >> >> >> >> > [preauth]
> >> >>> >> >> >> >>
> >> >>> >> >> >> >>
> >> >>> >> >> >> >>
> >> >>> >> >> >>
> >> >>> >> >> >>
> >> >>> >> >> >>
> >> >>> >> >> >>
> >> >>> >> >> >> --
> >> >>> >> >> >> / Alexander Bokovoy
> >> >>> >> >> >> Sr. Principal Software Engineer
> >> >>> >> >> >> Security / Identity Management
Engineering
> >> >>> >> >> >> Red Hat Limited, Finland
> >> >>> >> >> >>
> >> >>> >> >> >>
> >> >>> >> >>
> >> >>> >> >>
> >> >>> >> >>
> >> >>> >> >>
> >> >>> >> >> --
> >> >>> >> >> / Alexander Bokovoy
> >> >>> >> >> Sr. Principal Software Engineer
> >> >>> >> >> Security / Identity Management Engineering
> >> >>> >> >> Red Hat Limited, Finland
> >> >>> >> >>
> >> >>> >> >>
> >> >>> >>
> >> >>> >>
> >> >>> >>
> >> >>> >>
> >> >>> >> --
> >> >>> >> / Alexander Bokovoy
> >> >>> >> Sr. Principal Software Engineer
> >> >>> >> Security / Identity Management Engineering
> >> >>> >> Red Hat Limited, Finland
> >> >>> >>
> >> >>> >>
> >> >>>
> >> >>>
> >> >>>
> >> >>>
> >> >>> --
> >> >>> / Alexander Bokovoy
> >> >>> Sr. Principal Software Engineer
> >> >>> Security / Identity Management Engineering
> >> >>> Red Hat Limited, Finland
> >> >>>
> >> >>>
> >>
> >>
> >>
> >>
> >> --
> >> / Alexander Bokovoy
> >> Sr. Principal Software Engineer
> >> Security / Identity Management Engineering
> >> Red Hat Limited, Finland
> >>
> >>
>
>
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
>