Bug 1301757

Summary: "Error checking LDAP: Server is unwilling to perform: Minimum SSF not met" when minsff is not set to 0
Product: Red Hat Enterprise Linux 7 Reporter: aheverle
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED NOTABUG QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.2CC: aheverle, mkosek, pspacek, pvoborni, rcritten
Target Milestone: rc   
Target Release: 7.2   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-02-15 20:18:28 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description aheverle 2016-01-25 22:39:53 UTC 
Description of problem:

When running "ipa-client-install" and minssf is set to 1, get the following error.

"Error checking LDAP: Server is unwilling to perform: Minimum SSF not met."


Version-Release number of selected component (if applicable):
RHEL 7.2
ipa-client-4.2.0-15.el7_2.3.x86_64

How reproducible:
Every time running ip-client-install

Steps to Reproduce:
1. Set minssf to 1
2. Run cmd "ipa-client-install --server=example.com"
3.

Actual results:

Error checking LDAP: Server is unwilling to perform: Minimum SSF not met.
Error checking LDAP: Server is unwilling to perform: Minimum SSF not met.
Error checking LDAP: Server is unwilling to perform: Minimum SSF not met.

Expected results:

Should not see the error if minssf is set to anything other than 0.

Additional info:

Seems like a known issue in previous versions.  
https://fedorahosted.org/freeipa/ticket/4459
Comment 2 Petr Vobornik 2016-01-25 23:36:58 UTC 
Related 7,1 bug: https://bugzilla.redhat.com/show_bug.cgi?id=1122621

Alan, could you attach ipaclient-install.log with minssf 1 set on server? I don't see the log in SOS report(s).

There were 3 occurances of:
 Error checking LDAP: Server is unwilling to perform: Minimum SSF not met.

But the installation ended with:
  Client configuration complete.

So it would be interesting to know what didn't work. And if the client is actually installed properly.
Comment 4 aheverle 2016-01-26 17:58:05 UTC 
Attached is the ipa install log.

Please let me know if you need any additional information.
Comment 6 aheverle 2016-01-26 19:25:29 UTC 
FYI - Customer has closed the case, since the error did not prevent the installation from completing.
Comment 7 Rob Crittenden 2016-01-26 19:31:06 UTC 
This is working as expected. The discovery tries to verify that the servers it found are IPA masters but it doesn't yet have the IPA CA to connect with so SSF failures are not fatal.
Comment 9 Petr Vobornik 2016-02-15 20:18:28 UTC 
Closing, reasons in comments 2, 6, 7.