Bug 818723
| Summary: | ipa-server-install after uninstall failing with the latest update for openldap-clients | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jenny Severance <jgalipea> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED NOTABUG | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 6.2 | CC: | jvcelak, mkosek, sgallagh |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 818844 | Environment: | |
| Last Closed: | 2012-05-07 14:35:51 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 818844, 819536 | | |
We set TLS_CACERTDIR to /etc/openldap/certs in ldap.conf with the default openldap installation. This change was introduced as a fix for bug #742023. This might be the cause.

Together with Jan Vcelak I investigated this issue in ipa-client-install. The issue only occurs when the new openldap nss db is set in the TLS_CACERTDIR configuration option. When it's commented out in /etc/openldap/ldap.conf or ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, "") is added to the LDAP connection initialization in ipa-client-install, the installation works OK. The second change can be used as a workaround until the issue in openldap is fixed.
Description of problem:

Install latest RHEL 6.3 distro with openldap-clients-2.4.23-25.el6. Install ipa-server, uninstall ipa-server and re-install ipa-server. Server install will fail on installing and configuring the ipa client.

openldap-clients now uses NSS cert db

    # ls /etc/openldap/certs/
    cert8.db  key3.db  password  secmod.db

If you move these files, and try again .. client install is successful.

<snip>
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm.com --server dhcp-186-52.testrelm.com --realm TESTRELM.COM --hostname dhcp-186-52.testrelm.com' returned non-zero exit status 1
</snip>

Client install log ::

{{{
2012-05-03T19:34:59Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2012-05-03T19:34:59Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2012-05-03T19:34:59Z DEBUG [ipadnssearchkrb]
2012-05-03T19:34:59Z DEBUG [ipacheckldap]
2012-05-03T19:34:59Z DEBUG args=/usr/bin/wget -O /tmp/tmpBXaaZ0/ca.crt -T 15 -t 2 http://dhcp-186-52.testrelm.com/ipa/config/ca.crt
2012-05-03T19:34:59Z DEBUG stdout=
2012-05-03T19:34:59Z DEBUG stderr=--2012-05-03 15:34:59--  http://dhcp-186-52.testrelm.com/ipa/config/ca.crt
Resolving dhcp-186-52.testrelm.com... 10.16.186.52
Connecting to dhcp-186-52.testrelm.com|10.16.186.52|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1325 (1.3K) [application/x-x509-ca-cert]
Saving to: “/tmp/tmpBXaaZ0/ca.crt”

     0K .                                                     100%  158M=0s

2012-05-03 15:34:59 (158 MB/s) - “/tmp/tmpBXaaZ0/ca.crt” saved [1325/1325]

2012-05-03T19:34:59Z DEBUG Init ldap with: ldap://dhcp-186-52.testrelm.com:389
2012-05-03T19:34:59Z ERROR LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
2012-05-03T19:34:59Z DEBUG will use domain: testrelm.com
2012-05-03T19:34:59Z DEBUG will use server: dhcp-186-52.testrelm.com
}}}

Version-Release number of selected component (if applicable):
ipa-client-2.2.0-12.el6.i686
ipa-server-2.2.0-12.el6.i686
openldap-clients-2.4.23-25.el6.i686

How reproducible:

Steps to Reproduce:
1. install latest 6.3 distro
2. install ipa-server
3. uninstall ipa-server
4. install ipa-server

Actual results:
re-install of ipa-server fails on install and config of the ipa-client

Expected results:
successful installation

Additional info:
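The root cause described in the comments above is that the client's trust source changed underneath ipa-client-install: once ldap.conf sets TLS_CACERTDIR to the NSS database in /etc/openldap/certs, the server certificate is validated against that database rather than against the CA file IPA itself fetched. The following preflight check is an added example, not code from the bug report or from FreeIPA: it parses ldap.conf the way OpenLDAP reads it (one directive per line, `#` comments, later directives overriding earlier ones) and reports which CA source a connection will consult. The sample ldap.conf and the throwaway directory are constructed for the demonstration; treating a directory that contains `cert8.db` as an NSS database (the files listed in the report) is this example's own heuristic.

```python
"""Preflight check: where will an OpenLDAP client look for trusted CAs?

Added example (not from the bug report or FreeIPA).  The ldap.conf text and
the temporary TLS_CACERTDIR built below are constructed for the demo.
"""
import os
import tempfile

# Files that make up an NSS certificate database, as listed in the report's
# `ls /etc/openldap/certs/` output.  cert8.db is used as the marker.
NSS_DB_FILES = ("cert8.db", "key3.db", "secmod.db")

# Constructed sample: the default RHEL 6 ldap.conf pins TLS_CACERTDIR to the
# NSS database; the hostname is a placeholder.
SAMPLE_LDAP_CONF = """\
# constructed sample ldap.conf
TLS_CACERTDIR /etc/openldap/certs
URI ldap://ldap.example.test
"""


def parse_ldap_conf(text):
    """Parse ldap.conf directives into a dict keyed by upper-cased name.

    Blank lines and '#' comments are skipped (so a commented-out
    TLS_CACERTDIR is simply absent).  A directive given twice keeps the
    last value, matching OpenLDAP's behaviour.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf[name] = value
    return conf


def cacert_source(conf):
    """Classify the CA source a client using this configuration will consult.

    'nss-db'       TLS_CACERTDIR names a directory holding cert8.db, so the
                   server cert is validated against that NSS database
    'hash-dir'     TLS_CACERTDIR is a plain OpenSSL hashed-CA directory
    'cacert-file'  no TLS_CACERTDIR, but TLS_CACERT names a PEM file
    'none'         neither is set; library defaults apply

    An empty TLS_CACERTDIR value behaves like an absent one, which is why
    setting OPT_X_TLS_CACERTDIR to "" works as the workaround in the report.
    """
    cacertdir = conf.get("TLS_CACERTDIR", "")
    if cacertdir:
        if os.path.isfile(os.path.join(cacertdir, "cert8.db")):
            return "nss-db"
        return "hash-dir"
    if conf.get("TLS_CACERT"):
        return "cacert-file"
    return "none"


def advice(source):
    """Human-readable consequence of each CA source for an IPA client."""
    if source == "nss-db":
        return ("server cert will be checked against the NSS db in TLS_CACERTDIR; "
                "the IPA CA must be present and trusted there, otherwise the "
                "connect fails with TLS error -8172 (issuer not trusted)")
    if source == "hash-dir":
        return "server cert will be checked against hashed CA files in TLS_CACERTDIR"
    if source == "cacert-file":
        return "server cert will be checked against the PEM file in TLS_CACERT"
    return "no CA source configured in ldap.conf; library defaults apply"


def check_with_nss_db(populated):
    """Run the classifier against a throwaway TLS_CACERTDIR.

    With populated=True the directory gets the three NSS db files (empty
    placeholders are enough for the check); with False it stays empty.
    """
    with tempfile.TemporaryDirectory() as d:
        if populated:
            for name in NSS_DB_FILES:
                open(os.path.join(d, name), "wb").close()
        conf = parse_ldap_conf(SAMPLE_LDAP_CONF.replace("/etc/openldap/certs", d))
        return cacert_source(conf)


if __name__ == "__main__":
    for populated in (True, False):
        src = check_with_nss_db(populated)
        print(f"nss db present={populated}: {src} -> {advice(src)}")
```

Run against the real file (`parse_ldap_conf(open('/etc/openldap/ldap.conf').read())`) before a reinstall, a result of `nss-db` is the situation the report describes: the previous uninstall can leave that database without the new server's CA, and no amount of fetching ca.crt over HTTP changes what the LDAP library trusts.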