Bug 741050

Summary: Unable to configure IPA client against IPA server with anonymous bind disabled

| Field | Value |
|---|---|
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Benjamin Reed <redhat> |
| Component | ipa |
| Assignee | Rob Crittenden <rcritten> |
| Status | CLOSED ERRATA |
| QA Contact | IDM QE LIST <seceng-idm-qe-list> |
| Severity | high |
| Priority | unspecified |
| Version | 6.1 |
| CC | dpal, grajaiya, jgalipea, mkosek, ssorce |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Fixed In Version | ipa-2.1.2-1.el6 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2011-12-06 18:32:45 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |

Doc Text:

Cause: ipa-client-install always checks whether a server is a valid IPA server. However, if the IPA server restricts anonymous binds (via the nsslapd-allow-anonymous-access option), the check fails and ipa-client-install ends with an error.
Consequence: ipa-client-install cannot join an IPA server with restricted anonymous access.
Fix: When ipa-client-install detects that the chosen server does not allow anonymous binds, it skips server verification, reports a warning and lets the user join the IPA server.
Result: ipa-client-install is able to join an IPA server with restricted anonymous access.
Description
Benjamin Reed
2011-09-24 17:45:21 UTC
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. If you would like it considered as an exception in the current release, please ask your support representative.

Changing to the right component. ipa-client as a stand-alone component is for old clients only. Sorry for the confusion.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/1881

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/8f2e3333952edcce8d27a4d8fc23386908819030
ipa-2-1: https://fedorahosted.org/freeipa/changeset/8fb70fd24938f9106821f323ae8557a9bc814846

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: ipa-client-install always checks whether a server is a valid IPA server. However, if the IPA server restricts anonymous binds (via the nsslapd-allow-anonymous-access option), the check fails and ipa-client-install ends with an error.
Consequence: ipa-client-install cannot join an IPA server with restricted anonymous access.
Fix: When ipa-client-install detects that the chosen server does not allow anonymous binds, it skips server verification, reports a warning and lets the user join the IPA server.
Result: ipa-client-install is able to join an IPA server with restricted anonymous access.

SERVER:

```
[root@decepticons slapd-PKI-IPA]# ldapsearch -x -h localhost -p 389 -D 'cn=directory manager' -w Secret123 -b 'cn=config' "objectClass=nsslapdConfig" nsslapd-allow-anonymous-access
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: objectClass=nsslapdConfig
# requesting: nsslapd-allow-anonymous-access
#

# config
dn: cn=config
nsslapd-allow-anonymous-access: off

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```

CLIENT:

```
[root@sideswipe ~]# ipa-client-install
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): lab.eng.pnq.redhat.com
DNS discovery failed to find the IPA Server
Provide your IPA server name (ex: ipa.example.com): decepticons.lab.eng.pnq.redhat.com
Warning: Anonymous access to the LDAP server is disabled.                          <<<<<<<<<<<<<
Proceeding without strict verification.                                            <<<<<<<<<<<<<
Note: This is not an error if anonymous access has been explicitly restricted.     <<<<<<<<<<<<<
The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operation and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Hostname: sideswipe.lab.eng.pnq.redhat.com
Realm: LAB.ENG.PNQ.REDHAT.COM
DNS Domain: lab.eng.pnq.redhat.com
IPA Server: decepticons.lab.eng.pnq.redhat.com
BaseDN: dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@LAB.ENG.PNQ.REDHAT.COM:
Enrolled in IPA realm LAB.ENG.PNQ.REDHAT.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm LAB.ENG.PNQ.REDHAT.COM
SSSD enabled
NTP enabled
Client configuration complete.
[root@sideswipe ~]#
[root@sideswipe ~]# kinit shanks
Password for shanks@LAB.ENG.PNQ.REDHAT.COM:
Password expired. You must change it now.
Enter new password:
Enter it again:
[root@sideswipe ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: shanks@LAB.ENG.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
11/07/11 17:01:32  11/08/11 17:01:32  krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM
[root@sideswipe ~]#
```

Verified. Version: ipa-server-2.1.3-8.el6.x86_64 & ipa-client-2.1.3-8.el6.i686.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html
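An added example, not code from the bug report or from FreeIPA's ipa-client-install: a dependency-free Python probe that performs the anonymous LDAPv3 simple bind the client's server check relies on and separates "anonymous access is off" (result code 48, inappropriateAuthentication, which 389-ds returns when nsslapd-allow-anonymous-access is off) from a successful bind and from other failures, so an administrator can see which case an enrollment failure falls into. The bind request and response are hand-encoded in BER; all function names and the constructed sample reply are assumptions.

```python
import socket

# LDAP result codes (RFC 4511) the ipa-client-install server check must tell apart.
LDAP_SUCCESS = 0
LDAP_INAPPROPRIATE_AUTH = 48  # 389-ds reply to an anonymous bind when anonymous access is off

def _ber(tag, payload):  # encode one BER TLV; short-form length suffices for a bind
    return bytes([tag, len(payload)]) + payload

def _tlv(buf, i):  # decode the TLV at buf[i] -> (tag, value, index after it)
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:  # long-form length: low bits give the number of length bytes
        n = ln & 0x7F
        ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + ln], i + ln

def anonymous_bind_request(msgid=1):
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }."""
    bind = _ber(0x60, _ber(0x02, b"\x03") + _ber(0x04, b"") + bytes([0x80, 0x00]))
    return _ber(0x30, _ber(0x02, bytes([msgid])) + bind)

def parse_bind_response(data):
    """Return (resultCode, diagnosticMessage) from a BindResponse LDAPMessage."""
    tag, body, _ = _tlv(data, 0)
    assert tag == 0x30, "not an LDAPMessage SEQUENCE"
    _, _msgid, i = _tlv(body, 0)
    tag, resp, _ = _tlv(body, i)
    assert tag == 0x61, "not a BindResponse"
    _, code, i = _tlv(resp, 0)      # ENUMERATED resultCode
    _, _matched, i = _tlv(resp, i)  # matchedDN
    _, diag, _ = _tlv(resp, i)      # diagnosticMessage
    return code[0], diag.decode("utf-8", "replace")

def classify(code):  # the three outcomes the client has to handle differently
    if code == LDAP_SUCCESS:
        return "anonymous-ok"        # verification search can proceed
    if code == LDAP_INAPPROPRIATE_AUTH:
        return "anonymous-disabled"  # skip strict verification and warn the user
    return "bind-failed"             # genuine error: stop the enrollment

def probe_anonymous_bind(host, port=389, timeout=5.0):
    """Live probe over a plain LDAP socket; not exercised by the offline sample."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(anonymous_bind_request())
        code, msg = parse_bind_response(sock.recv(4096))
    return classify(code), code, msg

def bind_response(code, msg):  # constructed sample server reply for offline use
    resp = _ber(0x0A, bytes([code])) + _ber(0x04, b"") + _ber(0x04, msg.encode())
    return _ber(0x30, _ber(0x02, b"\x01") + _ber(0x61, resp))
```

Run `probe_anonymous_bind("ipa.example.com")` against a real server to get the live classification; `bind_response(48, "Anonymous access is not allowed.")` fed to `parse_bind_response` shows the decoded reply without any network access.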