Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1542127
Description of problem: ipa-client-install fails with a less than helpful error message ("500 Internal Server Error") when a non-standard ldap.conf file is in place. If you run ipa-client-install with the config file below:

```
SASL_NOCANON on
URI ldaps://server4006.bc ldaps://server4005.bc
BASE dc=atelcocompany,dc=be
HOST server4006.bc server4005.bc
PORT 636
TLS_REQCERT allow
```

then the install fails with the error mentioned above. If you switch back to the original ldap.conf:

```
TLS_CACERDIR /etc/openldap/certs
SASL_NOCANON on
```

then the installation succeeds.

The real issue here is the following:

1) The error/diagnostics were of no use in identifying the root issue.
2) Solution 103543 (https://access.redhat.com/solutions/103543) implies that ldap.conf would have been saved off to /var/lib/ipa/sysrestore/ to avoid this problem. The article raised the expectation from the customer that the installer would archive their config, put a suitable config for the install in place, and then copy back their config.

The customer would like to see two improvements:

1) Improved error messages/diagnostics in ipa-client-install to help pinpoint the reasons for failure.
2) Installer to ensure appropriate config is in place for a successful install:
   - a. copy /etc/ldap.conf to /var/lib/ipa/sysrestore/
   - b. replace /etc/ldap.conf with the working default.
   - c. perform ipa-client-install functions.
   - d. copy back the customer's /var/lib/ipa/sysrestore/ldap.conf to /etc/ldap.conf after completion of the ipa-client-install functions.

There is also an upstream ticket which seems related to this idea: https://pagure.io/freeipa/issue/7366

The installer makes assumptions which are simply not valid for many customer configurations.

Version-Release number of selected component (if applicable): ipa-client-4.5.0-22.el7_4.x86_64

How reproducible: Always.

Steps to Reproduce:
1. Run ipa-client-install with the non-standard config file included above.

Actual results: Install fails with "500 Internal Server Error"

Expected results: Install should succeed.

Additional info: sosreport from the failed install will be attached to include the various log files.
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1542127
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7 (was: FreeIPA 4.7 backlog)
The goal is to try to improve error reporting and/or detect a custom ldap.conf and report on it.
Client and server could use os.environ['LDAPNOINIT'] = '1' to disable loading of ldap.conf and other ldap config files. The env var must be set before any function of the ldap module is called:
```
os.environ['LDAPNOINIT'] = '1'
```

ldap.conf:

```
$ python3
>>> import ldap
>>> ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/openldap/ldap.conf
ldap_init: using /etc/openldap/ldap.conf
ldap_init: HOME env is /home/heimes
ldap_init: trying /home/heimes/ldaprc
ldap_init: trying /home/heimes/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
```

LDAPNOINIT=1:

```
$ python3
>>> import os
>>> os.environ['LDAPNOINIT'] = '1'
>>> import ldap
>>> ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)
ldap_url_parse_ext(ldap://localhost/)
```
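As an added example (not code from this ticket, from FreeIPA, or from the commenters), the following Python script puts the two ideas raised in this thread side by side: a check that parses an ldap.conf and reports the directives that override the client's LDAP defaults (the "detect a custom ldap.conf and report on it" suggestion), and a guard that sets LDAPNOINIT=1 only while python-ldap has not yet been imported, mirroring the transcript above. The two sample ldap.conf contents are copied from the bug report; the set of "suspect" directives, the function names and the wording of the diagnostic are assumptions made for this example, not anything the installer actually does.

```python
import os
import sys

# Constructed sample, copied from the bug report above: the ldap.conf that made
# ipa-client-install fail with "500 Internal Server Error".
CUSTOM_LDAP_CONF = """\
SASL_NOCANON on
URI ldaps://server4006.bc ldaps://server4005.bc
BASE dc=atelcocompany,dc=be
HOST server4006.bc server4005.bc
PORT 636
TLS_REQCERT allow
"""

# Constructed sample: the stock ldap.conf the reporter switched back to.
DEFAULT_LDAP_CONF = """\
TLS_CACERTDIR /etc/openldap/certs
SASL_NOCANON on
"""

# Directives that redirect the client's LDAP connection or weaken TLS checking.
# Assumption for this example: the set is taken from the reporter's file; it is
# not a list that FreeIPA itself uses.
SUSPECT_DIRECTIVES = frozenset({"URI", "HOST", "PORT", "BASE", "TLS_REQCERT"})


def parse_ldap_conf(text):
    """Parse ldap.conf text into {DIRECTIVE: [values]}.

    Per ldap.conf(5): blank lines and lines starting with '#' are ignored, the
    directive name is case-insensitive and is followed by whitespace-separated
    values. A directive repeated on several lines has its values concatenated.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *values = line.split()
        conf.setdefault(name.upper(), []).extend(values)
    return conf


def custom_directives(text):
    """Return only the suspect directives present in an ldap.conf, keyed by name."""
    conf = parse_ldap_conf(text)
    return {name: conf[name] for name in sorted(conf) if name in SUSPECT_DIRECTIVES}


def describe_custom_ldap_conf(text, path="/etc/openldap/ldap.conf"):
    """Build the kind of diagnostic the reporter asked for, or None if nothing suspect is set."""
    found = custom_directives(text)
    if not found:
        return None
    lines = ["%s overrides the client's LDAP defaults:" % path]
    lines += ["  %s %s" % (name, " ".join(values)) for name, values in found.items()]
    lines.append("Set LDAPNOINIT=1 (or move the file aside) before running the installer.")
    return "\n".join(lines)


def disable_ldap_conf(environ=None, modules=None):
    """Set LDAPNOINIT=1 so libldap skips ldap.conf and the ldaprc files.

    libldap reads the variable when it initializes itself on the first LDAP
    call (the set_option call in the transcript above), so the guard refuses
    once python-ldap is already imported: at that point we cannot tell whether
    the config has already been read. `environ` and `modules` are injectable so
    the function can be exercised without touching the real process state.
    """
    environ = os.environ if environ is None else environ
    modules = sys.modules if modules is None else modules
    if "ldap" in modules:
        raise RuntimeError("python-ldap is already imported; set LDAPNOINIT before importing it")
    environ["LDAPNOINIT"] = "1"
    return environ["LDAPNOINIT"]


if __name__ == "__main__":
    for sample in (DEFAULT_LDAP_CONF, CUSTOM_LDAP_CONF):
        print(describe_custom_ldap_conf(sample) or "ldap.conf has no suspect directives")
```

Run stand-alone, the script prints nothing suspicious for the stock file and lists URI, HOST, PORT, BASE and TLS_REQCERT for the reporter's file. In an installer, the check would run against the real /etc/openldap/ldap.conf before any LDAP call, and `disable_ldap_conf()` would be called at the very top of the entry point, before `import ldap`.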
Metadata Update from @cheimes: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1607
Metadata Update from @rcritten: - Issue assigned to cheimes - Issue priority set to: normal
master:
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
ipa-4-7: