#1881 Unable to configure IPA client against IPA server with anonymous bind disabled
Closed: Fixed None Opened 10 years ago by dpal.

https://bugzilla.redhat.com/show_bug.cgi?id=741050

Description of problem:

Our LDAP(s) server needs to be available over the public internet, so we have disabled anonymous bind on our FreeIPA system.  I am attempting to configure an IPA client against that server and it fails with an error.

Version-Release number of selected component (if applicable):

Server (RHEL 6.1):
  ipa-pki-common-theme-9.0.3-6.el6.noarch
  ipa-server-2.0.0-23.el6_1.2.x86_64
  ipa-client-2.0.0-23.el6_1.2.x86_64
  ipa-admintools-2.0.0-23.el6_1.2.x86_64
  ipa-pki-ca-theme-9.0.3-6.el6.noarch
  ipa-server-selinux-2.0.0-23.el6_1.2.x86_64
  ipa-python-2.0.0-23.el6_1.2.x86_64

Client (CentOS 5):
  ipa-client-2.0-14.el5_7.1

How reproducible:

Every time.

Steps to Reproduce:
1. Configure IPA server
2. Disable anonymous bind (by enabling the "nsslapd-allow-anonymous-access" option)
3. run "ipa-client-install" on the client system

Actual results:

root        : DEBUG    /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'realm_name': None, 'dns_updates': False, 'debug': True, 'on_master': False, 'ntp_server': None, 'mkhomedir': False, 'unattended': None, 'principal': None}
root        : DEBUG    missing options might be asked for interactively later

root        : DEBUG    Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
root        : DEBUG    [ipadnssearchldap(internal.opennms.com)]
root        : DEBUG    [ipadnssearchldap(opennms.com)]
root        : DEBUG    [ipadnssearchkrb]
root        : DEBUG    [ipacheckldap]
root        : DEBUG    args=/usr/bin/wget -O /tmp/tmp1NzEv5/ca.crt http://connect.opennms.com/ipa/config/ca.crt
root        : DEBUG    stdout=
root        : DEBUG    stderr=--2011-09-24 13:41:17--  http://connect.opennms.com/ipa/config/ca.crt
Resolving connect.opennms.com... 66.135.60.215
Connecting to connect.opennms.com|66.135.60.215|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://connect.opennms.com/ipa/config/ca.crt [following]
--2011-09-24 13:41:17--  https://connect.opennms.com/ipa/config/ca.crt
Connecting to connect.opennms.com|66.135.60.215|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 771 [application/x-x509-ca-cert]
Saving to: `/tmp/tmp1NzEv5/ca.crt'

     0K                                                       100% 1.15M=0.001s

2011-09-24 13:41:18 (1.15 MB/s) - `/tmp/tmp1NzEv5/ca.crt' saved [771/771]


root        : DEBUG    Init ldap with: ldap://connect.opennms.com:389
root        : ERROR    LDAP Error: Inappropriate authentication: Anonymous access is not allowed
root        : DEBUG    will use domain: opennms.com

root        : DEBUG    will use server: connect.opennms.com

Failed to verify that connect.opennms.com is an IPA Server.
This may mean that the remote server is not up or is not reachable
due to network or firewall settings.


Expected results: client gets configured to talk to the IPA server


Additional info:

Metadata Update from @dpal:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 2.1.2 (bug fixing)

5 years ago
