#7418 [RFE] Improve ipa-client-install behaviour when non-standard ldap.conf is used
Closed: fixed 2 years ago Opened 2 years ago by rcritten.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1542127

Description of problem:
ipa-client-install fails with a less than helpful error message ("500 Internal
Server Error") when a non-standard ldap.conf file is in place.

If you run ipa-client install with the config file below:

URI ldaps://server4006.bc ldaps://server4005.bc
BASE dc=atelcocompany,dc=be
HOST server4006.bc server4005.bc
PORT 636

then the install fails with the error mentioned above.

If you switch back to the original ldap.conf:

TLS_CACERTDIR   /etc/openldap/certs

then the installation succeeds.

The real issue here is the following:
1) The error/diagnostics were of no use at identifying the root issue.
2) Solution 103543 (https://access.redhat.com/solutions/103543) implies that
ldap.conf would have been saved off to /var/lib/ipa/sysrestore/ to avoid this

The article raised the expectation from the customer that the installer would
archive their config, put a suitable config for the install in place, and then
copy back their config.

The customer would like to see two improvements:

1) Improved error messages/diagnostics in ipa-client-install to help pinpoint
the reasons for failure.
2) Installer to ensure appropriate config is in place for successful install:
   -a- copy /etc/ldap.conf to /var/lib/ipa/sysrestore/
   -b- replace  /etc/ldap.conf with the working default.
   -c- perform ipa-client-install functions.
   -d- copy back customer /var/lib/ipa/sysrestore/ldap.conf to /etc/ldap.conf
       after completion of ipa-client-install functions.

There is also an upstream ticket which seems related to this idea:

The installer makes assumptions which are simply not valid for many customer

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Run ipa-client-install with non-standard config file included above.

Actual results:
Install fails with "500 Internal Server Error"

Expected results:
Install should succeed.

Additional info:
sosreport from failed install will be attached to include the various log files

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1542127

2 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7 (was: FreeIPA 4.7 backlog)

2 years ago

The goal is to try to improve error reporting and/or detect a custom ldap.conf and report on it.

Client and server could use os.environ['LDAPNOINIT'] = '1' to disable loading of ldap.conf and other ldap config files. The env var must be set before any function of the ldap module is called:


$ python3
>>> import ldap
>>> ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)
ldap_init: trying /etc/openldap/ldap.conf
ldap_init: using /etc/openldap/ldap.conf
ldap_init: HOME env is /home/heimes
ldap_init: trying /home/heimes/ldaprc
ldap_init: trying /home/heimes/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL


$ python3
>>> import os
>>> os.environ['LDAPNOINIT'] = '1'
>>> import ldap
>>> ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)

Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1607

2 years ago

Metadata Update from @rcritten:
- Issue assigned to cheimes
- Issue priority set to: normal

2 years ago


  • 9a9c8ce Use sane default settings for ldap connections
  • 829998b Apply sane LDAP settings to C code
  • 172df67 Refuse PORT, HOST in /etc/openldap/ldap.conf

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago



Login to comment on this ticket.