I'm using F-17 with testing version of 389-ds-base-1.2.11.4
ipa-server-install for server part completes successfully, but ipa-client-install run by ipa-server-install fails
my workaround is to use certutil to install /etc/ipa/ca.crt in /etc/openldap/certs, then run the ipa-client-install command printed by ipa-server-install - then it works fine
Do you have any more information on the install failure? It works fine for me but I'm using an older version of 389-ds-base.
The install log would be very helpful.
I can't speak entirely to Rich's issue, but I was having the same problem using 389-ds-base-1.2.11.x builds. When I rebuilt 389-ds-base-1.2.10.8 for Fedora 17, I did not see this issue -- related to being unable to automatically get the ca.crt.
It may be related to ticket #2772 too - maybe when that is fixed, it will fix this issue too.
ok - just tried it with the latest 389-ds-base-1.2.11 candidate and latest freeipa ipa-2-2 branch built from source - failed again
I ran ipa-server-install like this:
ipa-server-install -ddd -r TESTDOMAIN.COM -n testdomain.com -p password -a password --hostname=f17x8664.testdomain.com -N --no-host-dns --selfsign
http://rmeggins.fedorapeople.org/ipaserver-install.log
http://rmeggins.fedorapeople.org/ipaclient-install.log
it looks like the client part cannot install the CA cert into whatever repo it is using
What more information do you need?
Is this supposed to work?
ipa-client/ipaclient/ipadiscovery.py:248

    lh = ldap.initialize("ldap://"+format_netloc(thost, 389))
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, True)
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, "%s/ca.crt" % temp_ca_dir)
    lh.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    lh.set_option(ldap.OPT_X_TLS_DEMAND, True)
    lh.start_tls_s()
Why is it setting some of the options in the ldap module and some in the ldap handle?
Why isn't it doing a TLS_NEWCTX?
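As an added example (not FreeIPA's code), the per-handle form of that setup with python-ldap: every TLS option is applied to the connection handle, and OPT_X_TLS_NEWCTX is set last so libldap builds a fresh TLS context from those options before StartTLS. The uri and ca_file arguments are assumed names; the option table is kept as strings so it can be checked without a server or python-ldap present.

```python
# Added example, not the project's code: per-handle TLS setup for python-ldap.

def tls_option_plan(ca_file):
    """Return the (option name, value) pairs to apply to a handle, in order.

    OPT_X_TLS_NEWCTX must come last: it rebuilds the libldap TLS context from
    the options set before it, so anything set after it is ignored.
    """
    return [
        ("OPT_PROTOCOL_VERSION", 3),
        ("OPT_X_TLS_CACERTFILE", ca_file),
        ("OPT_X_TLS_REQUIRE_CERT", "OPT_X_TLS_DEMAND"),  # fail on bad or absent cert
        ("OPT_X_TLS_NEWCTX", 0),                          # 0 = new context, set last
    ]

def check_plan(plan):
    """True only if OPT_X_TLS_NEWCTX is present and is the final option."""
    names = [name for name, _ in plan]
    return bool(names) and names[-1] == "OPT_X_TLS_NEWCTX"

def _resolve(ldap_module, value):
    """Turn a symbolic constant name (e.g. OPT_X_TLS_DEMAND) into its value."""
    if isinstance(value, str) and hasattr(ldap_module, value):
        return getattr(ldap_module, value)
    return value

def open_starttls(uri, ca_file):
    """Open uri, apply the plan to the handle only, then upgrade with StartTLS."""
    import ldap  # python-ldap; imported here so the plan helpers work without it
    plan = tls_option_plan(ca_file)
    if not check_plan(plan):
        raise ValueError("OPT_X_TLS_NEWCTX must be the last TLS option")
    lh = ldap.initialize(uri)
    for name, value in plan:
        lh.set_option(getattr(ldap, name), _resolve(ldap, value))
    # Raises ldap.CONNECT_ERROR if the server certificate does not chain to ca_file.
    lh.start_tls_s()
    return lh
```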
Bug 819536 - MozNSS CA cert dir does not work together with PEM CA cert file
This ticket will be fixed when 819536 is pushed
Should we set the min n-v-r of openldap to this release?
Replying to [comment:9 rcritten]:
Yes. openldap-2.4.31-2 is still in testing - will add some karma today
Metadata Update from @rmeggins: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 3.0 Beta 1