#2771 ipa-client-install part of ipa-server-install fails on F-17
Closed: Invalid. Opened 11 years ago by rmeggins.

I'm using F-17 with testing version of 389-ds-base-1.2.11.4

ipa-server-install for server part completes successfully, but ipa-client-install run by ipa-server-install fails

My workaround is to use certutil to install /etc/ipa/ca.crt in /etc/openldap/certs, then run the ipa-client-install command printed by ipa-server-install; then it works fine.


Do you have any more information on the install failure? It works fine for me but I'm using an older version of 389-ds-base.

The install log would be very helpful.

I can't speak entirely to Rich's issue, but I was having the same problem using 389-ds-base-1.2.11.x builds. When I rebuilt 389-ds-base-1.2.10.8 for Fedora 17, I did not see this issue -- related to being unable to automatically get the ca.crt.

It may be related to ticket #2772 too - maybe when that is fixed, it will fix this issue too.

OK, just tried it with the latest 389-ds-base-1.2.11 candidate and the latest freeipa ipa-2-2 branch built from source; it failed again.

I ran ipa-server-install like this:

ipa-server-install -ddd -r TESTDOMAIN.COM -n testdomain.com -p password -a password --hostname=f17x8664.testdomain.com -N --no-host-dns --selfsign

http://rmeggins.fedorapeople.org/ipaserver-install.log

http://rmeggins.fedorapeople.org/ipaclient-install.log

It looks like the client part cannot install the CA cert into whatever repo it is using.

What more information do you need?

Is this supposed to work?

ipa-client/ipaclient/ipadiscovery.py:248

            lh = ldap.initialize("ldap://"+format_netloc(thost, 389))
            ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, True)
            ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, "%s/ca.crt" % temp_ca_dir)
            lh.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
            lh.set_option(ldap.OPT_X_TLS_DEMAND, True)
            lh.start_tls_s()

Why is it setting some of the options in the ldap module and some in the ldap handle?

Why isn't it doing a TLS_NEWCTX?
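The same StartTLS setup rewritten so that every TLS option is scoped to the handle and applied with OPT_X_TLS_NEWCTX, as an added example that is not FreeIPA's code. It assumes python-ldap on an OpenSSL-built libldap (where OPT_X_TLS_CACERTFILE is honoured; on a MozNSS build the CA cert dir applies instead, see the bug referenced below); format_netloc is a hypothetical stand-in for FreeIPA's helper, and the PEM sample is constructed.

```python
def format_netloc(host, port):
    """Build host:port, bracketing IPv6 literals (hypothetical stand-in for
    FreeIPA's format_netloc)."""
    if ":" in host and not host.startswith("["):
        host = "[%s]" % host
    return "%s:%d" % (host, port)


def count_pem_certs(pem_text):
    """Count certificates in a PEM blob; 0 means the CA file the client
    retrieved is empty or not PEM, which is worth checking before StartTLS."""
    return sum(1 for line in pem_text.splitlines()
               if line.strip() == "-----BEGIN CERTIFICATE-----")


def tls_handle(host, ca_file, port=389):
    """Return an LDAP handle whose TLS settings live on that handle only."""
    import ldap  # imported here so the pure helpers above run without python-ldap
    lh = ldap.initialize("ldap://" + format_netloc(host, port))
    lh.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    # Per-handle TLS options: all on lh, none on the ldap module, so another
    # connection in the same process cannot change them underneath us.
    lh.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_file)
    lh.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    # NEWCTX must come last: libldap builds a fresh TLS context from the
    # options set above; without it they are not applied to this handle.
    lh.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
    return lh


# Constructed sample: the shape of a ca.crt as fetched by the client,
# not a real certificate.
SAMPLE_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIBconstructedsamplebase64notarealcert
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    assert count_pem_certs(SAMPLE_CA_PEM) == 1
    lh = tls_handle("f17x8664.testdomain.com", "/etc/ipa/ca.crt")
    lh.start_tls_s()  # verifies the server cert against /etc/ipa/ca.crt
```

Running the guarded block needs a reachable IPA server; the helpers are usable on their own.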

Bug 819536 - MozNSS CA cert dir does not work together with PEM CA cert file

This ticket will be fixed when 819536 is pushed

Should we set the min n-v-r of openldap to this release?

Replying to [comment:9 rcritten]:

> Should we set the min n-v-r of openldap to this release?

Yes. openldap-2.4.31-2 is still in testing - will add some karma today

Metadata Update from @rmeggins:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.0 Beta 1

7 years ago