Bug 818723

Summary: ipa-server-install after uninstall failing with the latest update for openldap-clients
Product: Red Hat Enterprise Linux 6
Reporter: Jenny Severance <jgalipea>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED NOTABUG
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: high
Priority: high
Version: 6.2
CC: jvcelak, mkosek, sgallagh
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-05-07 14:35:51 UTC
Type: Bug
Bug Blocks: 818844, 819536

Description Jenny Severance 2012-05-03 19:37:05 UTC
Description of problem:

Install latest RHEL 6.3 distro with openldap-clients-2.4.23-25.el6.

Install ipa-server, uninstall ipa-server and re-install ipa-server.

Server install will fail on installing and configuring the ipa client.

openldap-clients now uses NSS cert db

# ls /etc/openldap/certs/
cert8.db  key3.db  password  secmod.db


If you move these files and try again, client install is successful.

<snip>

Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm.com --server dhcp-186-52.testrelm.com --realm TESTRELM.COM --hostname dhcp-186-52.testrelm.com' returned non-zero exit status 1

</snip>

Client install log ::

{{{

2012-05-03T19:34:59Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2012-05-03T19:34:59Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2012-05-03T19:34:59Z DEBUG [ipadnssearchkrb]
2012-05-03T19:34:59Z DEBUG [ipacheckldap]
2012-05-03T19:34:59Z DEBUG args=/usr/bin/wget -O /tmp/tmpBXaaZ0/ca.crt -T 15 -t 2 http://dhcp-186-52.testrelm.com/ipa/config/ca.crt
2012-05-03T19:34:59Z DEBUG stdout=
2012-05-03T19:34:59Z DEBUG stderr=--2012-05-03 15:34:59--  http://dhcp-186-52.testrelm.com/ipa/config/ca.crt
Resolving dhcp-186-52.testrelm.com... 10.16.186.52
Connecting to dhcp-186-52.testrelm.com|10.16.186.52|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1325 (1.3K) [application/x-x509-ca-cert]
Saving to: “/tmp/tmpBXaaZ0/ca.crt”

     0K .                                                     100%  158M=0s

2012-05-03 15:34:59 (158 MB/s) - “/tmp/tmpBXaaZ0/ca.crt” saved [1325/1325]


2012-05-03T19:34:59Z DEBUG Init ldap with: ldap://dhcp-186-52.testrelm.com:389
2012-05-03T19:34:59Z ERROR LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
2012-05-03T19:34:59Z DEBUG will use domain: testrelm.com

2012-05-03T19:34:59Z DEBUG will use server: dhcp-186-52.testrelm.com

}}}


Version-Release number of selected component (if applicable):
ipa-client-2.2.0-12.el6.i686
ipa-server-2.2.0-12.el6.i686
openldap-clients-2.4.23-25.el6.i686

How reproducible:


Steps to Reproduce:
1. install latest 6.3 distro 
2. install ipa-server
3. uninstall ipa-server
4. install ipa-server
  
Actual results:
re-install of ipa-server fails on install and config of the ipa-client

Expected results:
successful installation

Additional info:

Comment 1 Jan Vcelak 2012-05-03 21:21:07 UTC
We set TLS_CACERTDIR to /etc/openldap/certs in ldap.conf with default openldap installation. This change was introduced as a fix for bug #742023. This might be the cause.

Comment 2 Martin Kosek 2012-05-04 07:35:41 UTC
Together with Jan Vcelak I investigated this issue in ipa-client-install. The issue only occurs when the new openldap nss db is set in the TLS_CACERTDIR configuration option. When it's commented out in /etc/openldap/ldap.conf or

ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, "")

is added to the LDAP connection initialization in ipa-client-install, the installation works OK. The second change can be used as a workaround until the issue in openldap is fixed.
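
A diagnostic for the condition described in comments 1 and 2, added here as an example; it is not part of the bug thread or of the ipa or openldap code. It reports whether the active TLS_CACERTDIR in ldap.conf text points at a directory holding the NSS database files listed in the description, and whether an install log carries the -8172 error. The function names and the last-line-wins rule for repeated options are assumptions of this example.

```python
import os
import re
import sys
import tempfile

# Legacy NSS database files, as listed under /etc/openldap/certs in the report.
NSS_DB_FILES = {"cert8.db", "key3.db", "secmod.db"}

def effective_cacertdir(conf_text):
    """Return the active TLS_CACERTDIR value in ldap.conf text, or None.
    Assumption: when the option is repeated, the last uncommented line wins."""
    value = None
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].upper() == "TLS_CACERTDIR":  # option names are case-insensitive
            value = parts[1].strip() if len(parts) > 1 else ""
    return value

def is_nss_db(path):
    """True if the directory contains all three NSS database files."""
    try:
        return NSS_DB_FILES.issubset(os.listdir(path))
    except OSError:
        return False

def log_has_untrusted_issuer(log_text):
    """True if an install log contains the TLS error -8172 line from the report."""
    return re.search(r"ERROR LDAP Error: .*TLS error -8172:", log_text) is not None

def diagnose(conf_text):
    """Classify ldap.conf: 'unset', 'nss-db' (the reported setup) or 'other'."""
    cacertdir = effective_cacertdir(conf_text)
    if not cacertdir:
        return "unset"
    return "nss-db" if is_nss_db(cacertdir) else "other"

def demo():
    """Constructed sample: a temp dir stands in for /etc/openldap/certs."""
    with tempfile.TemporaryDirectory() as certs:
        for name in ("cert8.db", "key3.db", "password", "secmod.db"):
            open(os.path.join(certs, name), "w").close()
        return (diagnose("TLS_CACERTDIR %s\n" % certs),
                diagnose("#TLS_CACERTDIR %s\n" % certs))

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. /etc/openldap/ldap.conf
        with open(sys.argv[1]) as f:
            print(diagnose(f.read()))
    else:
        print(demo())
```

Run with the path to ldap.conf as the only argument to classify a real host; with no argument it runs the constructed sample.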