Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1122621
Changing min SSF (setting cn=config's nsslapd-minssf to "1") in FreeIPA master DS breaks subsequent client enrollments: Check if naming context 'dc=example,dc=com' is for IPA Unhandled LDAPError: UNWILLING_TO_PERFORM: {'info': 'Minimum SSF not met.', 'desc': 'Server is unwilling to perform'}
My initial investigation:
# ipa-client-install --debug
DNS record found: "EXAMPLE.COM"
Search DNS for SRV record of _kerberos._udp.example.com
DNS record found: 0 100 88 vm-086.example.com.
[LDAP server check]
Verifying that vm-086.example.com (realm EXAMPLE.COM) is an IPA server
Init LDAP connection to: vm-086.example.com
Search LDAP server for IPA base DN
Check if naming context 'dc=example,dc=com' is for IPA
Unhandled LDAPError: UNWILLING_TO_PERFORM: {'info': 'Minimum SSF not met.', 'desc': 'Server is unwilling to perform'}
Error checking LDAP: Server is unwilling to perform: Minimum SSF not met.
Skip vm-086.example.com: cannot verify if this is an IPA server
Discovery result: UNKNOWN_ERROR; server=None, domain=example.com, kdc=vm-086.example.com, basedn=None
Validated servers:
will use discovered domain: example.com
IPA Server not found
DNS discovery failed to find the IPA Server
...

I see we already try to catch the case when MINSSF is set higher than what ipa-client-install can offer, but it was only applied to the anonymous BIND and not the actual LDAP search. This should be pretty easy to fix.
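The failure mode above, as an added example that is not FreeIPA's own code: a discovery check that performs the anonymous bind and the base-DN search inside one error handler, so that a "Minimum SSF not met" refusal on the search is classified and reported instead of escaping as an unhandled LDAPError. If python-ldap is installed its exception classes are used; otherwise same-shaped stand-ins (an assumption) are defined so the block runs offline. The "IPA V2.0" marker in the `info` attribute, the status names, and `FakeConnection` (which, like the server in the log, accepts the bind and refuses the search when the connection's SSF is below nsslapd-minssf) are constructed for this example.

```python
# Added example, not FreeIPA's code. Models the discovery step from the ticket:
# anonymous bind followed by a base search of the naming context.
try:
    import ldap  # python-ldap, the library ipa-client-install uses
    LDAPError = ldap.LDAPError
    UNWILLING_TO_PERFORM = ldap.UNWILLING_TO_PERFORM
    SCOPE_BASE = ldap.SCOPE_BASE
except ImportError:  # assumption: stand-ins shaped like python-ldap's classes
    class LDAPError(Exception):
        """Stand-in for ldap.LDAPError: args[0] is a dict with 'desc'/'info'."""
    class UNWILLING_TO_PERFORM(LDAPError):
        """Stand-in for ldap.UNWILLING_TO_PERFORM (LDAP result code 53)."""
    SCOPE_BASE = 0

# Discovery outcomes (names chosen here, not ipa-client-install's constants).
SUCCESS = "SUCCESS"
NOT_IPA_SERVER = "NOT_IPA_SERVER"
MINSSF_NOT_MET = "MINSSF_NOT_MET"
UNKNOWN_ERROR = "UNKNOWN_ERROR"

# Assumption: value of the 'info' attribute an IPA base DN carries.
IPA_INFO_MARKER = b"ipa v2.0"


def ldap_error_info(exc):
    """Return (desc, info) from a python-ldap style exception; missing keys give ''."""
    data = exc.args[0] if exc.args and isinstance(exc.args[0], dict) else {}
    return str(data.get("desc", "")), str(data.get("info", ""))


def is_minssf_error(exc):
    """True for the refusal in the ticket: result 53 whose info says the SSF is too low."""
    if not isinstance(exc, UNWILLING_TO_PERFORM):
        return False
    return "minimum ssf" in ldap_error_info(exc)[1].lower()


def check_ipa_basedn(conn, basedn):
    """Verify that `basedn` is an IPA naming context; returns (status, detail).

    Both the anonymous bind and the search sit inside one try block: with
    nsslapd-minssf set, 389-ds can accept the bind and refuse the search,
    so guarding only the bind leaves the search error unhandled.
    """
    try:
        conn.simple_bind_s("", "")
        entries = conn.search_s(basedn, SCOPE_BASE, "(objectClass=*)", ["info"])
    except UNWILLING_TO_PERFORM as e:
        desc, info = ldap_error_info(e)
        if is_minssf_error(e):
            return MINSSF_NOT_MET, info
        return UNKNOWN_ERROR, "%s: %s" % (desc, info)
    except LDAPError as e:
        desc, info = ldap_error_info(e)
        return UNKNOWN_ERROR, "%s: %s" % (desc, info)

    if not entries:
        return NOT_IPA_SERVER, "naming context %s not found" % basedn
    attrs = entries[0][1]
    for value in attrs.get("info", []):
        if value.lower() == IPA_INFO_MARKER:
            return SUCCESS, basedn
    return NOT_IPA_SERVER, "info attribute with IPA server ID not found"


class FakeConnection:
    """Constructed stand-in for a connection to a 389-ds with nsslapd-minssf set.

    `ssf` is the security strength factor of this connection (0 = plain socket).
    As in the ticket's log, the anonymous bind succeeds and the search is
    refused with 'Minimum SSF not met.' when ssf < minssf.
    """
    def __init__(self, minssf=0, ssf=0, is_ipa=True):
        self.minssf, self.ssf, self.is_ipa = minssf, ssf, is_ipa

    def simple_bind_s(self, who, cred):
        return None

    def search_s(self, base, scope, filterstr, attrlist):
        if self.ssf < self.minssf:
            raise UNWILLING_TO_PERFORM({"info": "Minimum SSF not met.",
                                        "desc": "Server is unwilling to perform"})
        info = [b"IPA V2.0"] if self.is_ipa else [b"some other directory"]
        return [(base, {"info": info})]


if __name__ == "__main__":
    for conn in (FakeConnection(minssf=1, ssf=0),
                 FakeConnection(minssf=1, ssf=56),
                 FakeConnection(is_ipa=False)):
        print(check_ipa_basedn(conn, "dc=example,dc=com"))
```

The first connection reproduces the ticket (minssf=1 on a plain connection) and now yields a MINSSF_NOT_MET result the caller can log and skip, the second stands in for a connection whose SSF satisfies the server, and the third shows that a reachable but non-IPA directory is still reported distinctly rather than folded into the SSF case.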
Patch from initial investigation 0001-Do-not-crash-client-basedn-discovery-when-SSF-not-me.patch
Reporter confirmed that the patch fixed the problem for them.
attachment freeipa-mkosek-480-do-not-crash-client-basedn-discovery-when-ssf-not-me.patch
Patch freeipa-mkosek-480-do-not-crash-client-basedn-discovery-when-ssf-not-me.patch sent for review
Starting review
master:
ipa-4-1:
ipa-4-0:
Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 4.0.2