https://bugzilla.redhat.com/show_bug.cgi?id=744101
ipa-client-install produces this error when trying to join a client to a FreeIPA server with anonymous-access set to rootdse:
ERROR LDAP Error: Inappropriate authentication: Anonymous access is not allowed.
2011-10-06 15:08:14,300 DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'realm_name': None, 'dns_updates': False, 'debug': False, 'on_master': False, 'ntp_server': None, 'mkhomedir': False, 'unattended': None, 'principal': None}
2011-10-06 15:08:14,304 DEBUG missing options might be asked for interactively later
2011-10-06 15:08:14,304 DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-10-06 15:08:14,305 DEBUG [ipadnssearchldap(example.com)]
2011-10-06 15:08:14,307 DEBUG [ipadnssearchldap(example.com)]
2011-10-06 15:08:14,309 DEBUG [ipadnssearchldap(com)]
2011-10-06 15:08:14,310 DEBUG [ipadnssearchldap(example.com)]
2011-10-06 15:08:14,312 DEBUG [ipadnssearchldap(com)]
2011-10-06 15:08:14,314 DEBUG [ipadnssearchldap(example.com)]
2011-10-06 15:08:14,316 DEBUG [ipadnssearchldap(example.com)]
2011-10-06 15:08:14,317 DEBUG [ipadnssearchldap(com)]
2011-10-06 15:08:14,318 DEBUG Domain not found
2011-10-06 15:08:17,717 DEBUG will use domain: example.com
2011-10-06 15:08:17,717 DEBUG [ipadnssearchldap]
2011-10-06 15:08:17,719 DEBUG IPA Server not found
2011-10-06 15:08:21,420 DEBUG will use server: authdev2.example.com
2011-10-06 15:08:21,420 DEBUG [ipacheckldap]
2011-10-06 15:08:21,805 DEBUG args=/usr/bin/wget -O /tmp/tmpzlOnxR/ca.crt http://authdev2.example.com/ipa/config/ca.crt
2011-10-06 15:08:21,806 DEBUG stdout=
2011-10-06 15:08:21,806 DEBUG stderr=--2011-10-06 15:08:21-- http://authdev2.example.com/ipa/config/ca.crt
Resolving authdev2.example.com... 10.230.6.96
Connecting to authdev2.example.com|10.230.6.96|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1333 (1.3K) [application/x-x509-ca-cert]
Saving to: `/tmp/tmpzlOnxR/ca.crt'
0K . 100% 5.27M=0s
2011-10-06 15:08:21 (5.27 MB/s) - `/tmp/tmpzlOnxR/ca.crt' saved [1333/1333]
2011-10-06 15:08:21,806 DEBUG Init ldap with: ldap://authdev2.example.com:389
2011-10-06 15:08:21,827 DEBUG Search rootdse
2011-10-06 15:08:21,829 DEBUG Search for (info=*) in dc=example,dc=com(base)
2011-10-06 15:08:21,830 ERROR LDAP Error: Inappropriate authentication: Anonymous access is not allowed.
server access log:
[06/Oct/2011:15:40:07 -0700] conn=8 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[06/Oct/2011:15:40:07 -0700] conn=8 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[06/Oct/2011:15:40:07 -0700] conn=8 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[06/Oct/2011:15:40:07 -0700] conn=8 op=3 SRCH dn="dc=example,dc=com" authzid="(null)", anonymous search not allowed
This is running into our new code that checks all namingcontexts to see which one is an IPA one. If we can't read the namingcontext we'll have no way to determine which one is the IPA one.
I think the best we can do here is, if we can't read any, to see if there is a naming context for the value of the domain that was passed in.
attachment freeipa-rcrit-890-client.patch
master: f2fb655
ipa-2-1: 32dbf7f
Metadata Update from @jraquino:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.1.3 (bug fixing)
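The fallback described in the comments above, as an added example that is not part of this ticket or of FreeIPA's own code: a constructed stand-in search function mimics a directory server that permits anonymous reads of the rootDSE only, and find_ipa_context probes each naming context for the IPA marker entry, falling back to the naming context that matches the client's domain when every probe is refused. The InappropriateAuth class and the "IPA V2.0" marker value are assumptions standing in for the python-ldap exception and the real base entry.

```python
# Constructed sample rootDSE, modelled on the ticket's log: three naming contexts,
# of which only dc=example,dc=com belongs to IPA. The fake server below refuses
# anonymous searches against any real naming context ("Inappropriate authentication").
ROOTDSE = {"namingContexts": ["dc=example,dc=com", "cn=schema", "cn=config"]}

class InappropriateAuth(Exception):
    """Assumed stand-in for python-ldap's INAPPROPRIATE_AUTH exception."""

def make_search(anonymous_rootdse_only, ipa_contexts):
    """Return a fake search(base, filterstr) that mimics the server's access policy."""
    def search(base, filterstr):
        if base == "":                       # rootDSE is always readable anonymously
            return [("", ROOTDSE)]
        if anonymous_rootdse_only:           # policy from the ticket: rootDSE only
            raise InappropriateAuth("Anonymous access is not allowed.")
        if base in ipa_contexts and filterstr == "(info=*)":
            return [(base, {"info": ["IPA V2.0"]})]  # assumed IPA marker entry
        return []
    return search

def domain_to_basedn(domain):
    """example.com -> dc=example,dc=com (case-normalised)."""
    return ",".join("dc=%s" % part for part in domain.lower().split("."))

def find_ipa_context(search, domain):
    """Pick the IPA naming context; fall back to the domain DN when all reads are denied."""
    contexts = search("", "(objectClass=*)")[0][1]["namingContexts"]
    unreadable = 0
    for ctx in contexts:
        try:
            if search(ctx, "(info=*)"):      # the probe seen in the client log
                return ctx
        except InappropriateAuth:
            unreadable += 1
    if unreadable == len(contexts):
        # Could not read any context: trust the one matching the domain passed in.
        wanted = domain_to_basedn(domain)
        for ctx in contexts:
            if ctx.lower() == wanted:
                return ctx
    return None
```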