#1935 ipa-client-install fails with dse.ldif set to: nsslapd-allow-anonymous-access: rootdse
Closed: Fixed. Opened 12 years ago by jraquino.

https://bugzilla.redhat.com/show_bug.cgi?id=744101

ipa-client-install produces this error when trying to join a client to a FreeIPA server with anonymous-access set to rootdse:

ERROR    LDAP Error: Inappropriate authentication: Anonymous access is not allowed.

2011-10-06 15:08:14,300 DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'realm_name': None, 'dns_updates': False, 'debug': False, 'on_master': False, 'ntp_server': None, 'mkhomedir': False, 'unattended': None, 'principal': None}
2011-10-06 15:08:14,304 DEBUG missing options might be asked for interactively later

2011-10-06 15:08:14,304 DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-10-06 15:08:14,305 DEBUG [ipadnssearchldap(example.com)]
2011-10-06 15:08:14,307 DEBUG [ipadnssearchldap(example.com)]
2011-10-06 15:08:14,309 DEBUG [ipadnssearchldap(com)]
2011-10-06 15:08:14,310 DEBUG [ipadnssearchldap(example.com)]
2011-10-06 15:08:14,312 DEBUG [ipadnssearchldap(com)]
2011-10-06 15:08:14,314 DEBUG [ipadnssearchldap(example.com)]
2011-10-06 15:08:14,316 DEBUG [ipadnssearchldap(example.com)]
2011-10-06 15:08:14,317 DEBUG [ipadnssearchldap(com)]
2011-10-06 15:08:14,318 DEBUG Domain not found
2011-10-06 15:08:17,717 DEBUG will use domain: example.com

2011-10-06 15:08:17,717 DEBUG [ipadnssearchldap]
2011-10-06 15:08:17,719 DEBUG IPA Server not found
2011-10-06 15:08:21,420 DEBUG will use server: authdev2.example.com

2011-10-06 15:08:21,420 DEBUG [ipacheckldap]
2011-10-06 15:08:21,805 DEBUG args=/usr/bin/wget -O /tmp/tmpzlOnxR/ca.crt http://authdev2.example.com/ipa/config/ca.crt
2011-10-06 15:08:21,806 DEBUG stdout=
2011-10-06 15:08:21,806 DEBUG stderr=--2011-10-06 15:08:21-- http://authdev2.example.com/ipa/config/ca.crt
Resolving authdev2.example.com... 10.230.6.96
Connecting to authdev2.example.com|10.230.6.96|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1333 (1.3K) [application/x-x509-ca-cert]
Saving to: `/tmp/tmpzlOnxR/ca.crt'

 0K .                                                     100% 5.27M=0s

2011-10-06 15:08:21 (5.27 MB/s) - `/tmp/tmpzlOnxR/ca.crt' saved [1333/1333]

2011-10-06 15:08:21,806 DEBUG Init ldap with: ldap://authdev2.example.com:389
2011-10-06 15:08:21,827 DEBUG Search rootdse
2011-10-06 15:08:21,829 DEBUG Search for (info=*) in dc=example,dc=com(base)
2011-10-06 15:08:21,830 ERROR LDAP Error: Inappropriate authentication: Anonymous access is not allowed.

server access log:
[06/Oct/2011:15:40:07 -0700] conn=8 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[06/Oct/2011:15:40:07 -0700] conn=8 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[06/Oct/2011:15:40:07 -0700] conn=8 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[06/Oct/2011:15:40:07 -0700] conn=8 op=3 SRCH dn="dc=example,dc=com" authzid="(null)", anonymous search not allowed

This is running into our new code that checks all namingcontexts to see which one is an IPA one. If we can't read the namingcontext we'll have no way to determine which one is the IPA one.

I think the best we can do here is, if we can't read any, to see if there is a naming context for the value of the domain that was passed in.
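The discovery step the comment above describes, with the proposed fallback, as an added illustration written for this page (not FreeIPA's own code): namingContexts are read from the rootDSE, each suffix is probed with the `(info=*)` base search seen in the debug log, and when the server refuses the anonymous search the client falls back to the context whose DN matches the domain. The `search_base` callable and `make_fake_server` are constructed stand-ins for the LDAP search, and the entries and contexts are constructed sample data.

```python
class AnonymousAccessDenied(Exception):
    """Server answered 'Inappropriate authentication' (anonymous search denied)."""

def domain_to_suffix(domain):
    """Map 'example.com' to the conventional suffix 'dc=example,dc=com'."""
    return ",".join("dc=%s" % label for label in domain.strip().lower().split("."))

def normalize_dn(dn):
    """Case- and whitespace-insensitive comparison form for a DN."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def find_ipa_context(naming_contexts, search_base, domain):
    """Return (dn, method) for the IPA naming context, or (None, reason).

    naming_contexts: DNs read from the rootDSE (still readable with
        nsslapd-allow-anonymous-access: rootdse).
    search_base: callable(dn) -> attribute dict of that base entry; raises
        AnonymousAccessDenied when the server refuses the anonymous search.
    domain: the domain ipa-client-install was given or discovered.
    """
    denied = 0
    for dn in naming_contexts:
        try:
            entry = search_base(dn)
        except AnonymousAccessDenied:
            denied += 1
            continue
        if entry.get("info"):  # the (info=*) probe visible in the debug log
            return dn, "info"
    if denied == 0:
        return None, "no naming context carries an info attribute"
    # Fallback proposed in the ticket: pick the context matching the domain.
    wanted = normalize_dn(domain_to_suffix(domain))
    for dn in naming_contexts:
        if normalize_dn(dn) == wanted:
            return dn, "domain-fallback"
    return None, "anonymous search denied and no context matches %s" % domain

def make_fake_server(entries, allow_anonymous):
    """Constructed stand-in for the LDAP base search (not python-ldap)."""
    def search_base(dn):
        if not allow_anonymous:
            raise AnonymousAccessDenied("Anonymous access is not allowed.")
        return entries.get(dn, {})
    return search_base

# Constructed directory: an IPA suffix plus an unrelated second suffix.
ENTRIES = {"dc=example,dc=com": {"info": ["IPA V2.0"]}, "o=other": {}}
CONTEXTS = ["o=other", "dc=example,dc=com"]
```

With anonymous access limited to the rootDSE the probe is denied for every suffix, so only the domain fallback yields a result; a client whose domain does not match any naming context still fails, which is the remaining limitation of this approach.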

Metadata Update from @jraquino:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.1.3 (bug fixing)

7 years ago
