#7418 [RFE] Improve ipa-client-install behaviour when non-standard ldap.conf is used
Closed: fixed 9 months ago Opened a year ago by rcritten.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1542127

Description of problem:
ipa-client-install fails with a less than helpful error message ("500 Internal
Server Error") when a non-standard ldap.conf file is in place.

If you run ipa-client install with the config file below:

SASL_NOCANON    on
URI ldaps://server4006.bc ldaps://server4005.bc
BASE dc=atelcocompany,dc=be
HOST server4006.bc server4005.bc
PORT 636
TLS_REQCERT allow

then the install fails with the error mentioned above.

If you switch back to the original ldap.conf:

TLS_CACERTDIR   /etc/openldap/certs
SASL_NOCANON    on

then the installation succeeds.

The real issue here is the following:
1) The error/diagnostics were of no use at identifying the root issue.
2) Solution 103543 (https://access.redhat.com/solutions/103543) implies that
ldap.conf would have been saved off to /var/lib/ipa/sysrestore/ to avoid this
problem.

The article raised the expectation from the customer that the installer would
archive their config, put a suitable config for the install in place, and then
copy back their config.

The customer would like to see two improvements:

1) Improved error messages/diagnostics in ipa-client-install to help pinpoint
the reasons for failure.
2) Installer to ensure appropriate config is in place for successful install:
   -a- copy /etc/ldap.conf to /var/lib/ipa/sysrestore/
   -b- replace  /etc/ldap.conf with the working default.
   -c- perform ipa-client-install functions.
   -d- copy back customer /var/lib/ipa/sysrestore/ldap.conf to /etc/ldap.conf
       after completion of ipa-client-install functions.

There is also an upstream ticket which seems related to this idea:
https://pagure.io/freeipa/issue/7366

The installer makes assumptions which are simply not valid for many customer
configurations.

Version-Release number of selected component (if applicable):
ipa-client-4.5.0-22.el7_4.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Run ipa-client-install with non-standard config file included above.

Actual results:
Install fails with "500 Internal Server Error"

Expected results:
Install should succeed.

Additional info:
sosreport from failed install will be attached to include the various log files

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1542127

a year ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7 (was: FreeIPA 4.7 backlog)

a year ago

The goal is to try to improve error reporting and/or detect a custom ldap.conf and report on it.

Client and server could use os.environ['LDAPNOINIT'] = '1' to disable loading of ldap.conf and other ldap config files. The env var must be set before any function of the ldap module is called:

without LDAPNOINIT

$ python3
>>> import ldap
>>> ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/openldap/ldap.conf
ldap_init: using /etc/openldap/ldap.conf
ldap_init: HOME env is /home/heimes
ldap_init: trying /home/heimes/ldaprc
ldap_init: trying /home/heimes/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL

with LDAPNOINIT

$ python3
>>> import os
>>> os.environ['LDAPNOINIT'] = '1'
>>> import ldap
>>> ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)
ldap_url_parse_ext(ldap://localhost/)

Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1607

a year ago

Metadata Update from @rcritten:
- Issue assigned to cheimes
- Issue priority set to: normal

9 months ago

master:

  • 9a9c8ce Use sane default settings for ldap connections
  • 829998b Apply sane LDAP settings to C code
  • 172df67 Refuse PORT, HOST in /etc/openldap/ldap.conf

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

9 months ago

master:

ipa-4-7:

Login to comment on this ticket.

Metadata