Description of problem:
In /etc/openldap/ldap.conf, I have something like this:

    TLS_CACERTDIR /etc/openldap/cacerts
    URI ldaps://my.server # modified by IPA
    BASE dc=opera # modified by IPA
    TLS_CACERT /etc/ipa/ca.crt

The lines starting with BASE and URI are added by ipa-client-install. These lines actually start with a '#' after the ipa client installation (to keep the previous configuration). So you need to remove these '#' at the beginning of these lines (uncomment, leaving '# modified by IPA' at the end of these lines) and to comment out the lines of the previous configuration.

Then I run

    ldapsearch -x -h my.server | less

and I get almost nothing:

    -----------------------------------
    # extended LDIF
    #
    # LDAPv3
    # base <dc=opera #> (default) with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # search result
    search: 2
    result: 32 No such object

    # numResponses: 1
    -----------------------------------

If I remove '# modified by IPA' from the lines starting with URI and BASE, then ldapsearch works normally. It is actually the '#' at the end of the BASE line that makes ldapsearch not work.

Version-Release number of selected component (if applicable):
openldap-2.4.40-12.fc22.x86_64

How reproducible:
always

Steps to Reproduce:
1. To check this, add a '#' at the end of the line starting with BASE
2. run ldapsearch
3. and see the output
Let me see if I understand. Before running ipa-client-install, the file looked like this?

    TLS_CACERTDIR /etc/openldap/cacerts
    TLS_CACERT /etc/ipa/ca.crt

Then after running ipa-client-install, the file looked like this?

    TLS_CACERTDIR /etc/openldap/cacerts
    #URI ldaps://my.server # modified by IPA
    #BASE dc=opera # modified by IPA
    TLS_CACERT /etc/ipa/ca.crt

At any rate, it looks as though the problem is with ipa-client-install - since

    BASE dc=opera # modified by IPA

is not valid openldap configuration file syntax. ipa-client-install should put the comment on a line by itself before or after the value that was modified. From man ldap.conf:

    Lines beginning with a hash mark (`#') are comments, and ignored.

    # Wrong - comment on same line as option:
    DEREF never # Never follow aliases

moving to ipa
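To make the comment rule from ldap.conf(5) concrete, here is an added example (not code from the bug report, FreeIPA or OpenLDAP) that models that rule over a constructed ldap.conf like the reporter's, flags active lines carrying a trailing '#' comment, and rewrites them with the comment on its own line as suggested above. The parser is a minimal model of the stated rule, not libldap's own code; the file contents and the function names are assumptions made here.

```python
# Added example: lint an ldap.conf for trailing '#' comments on active lines.
# ldap.conf(5) treats only lines *beginning* with '#' as comments, so a trailing
# '# modified by IPA' on an uncommented line becomes part of the option value.

# Constructed sample modelled on the reporter's file after uncommenting the
# IPA-written lines and commenting out the old ones.
SAMPLE_LDAP_CONF = """\
TLS_CACERTDIR /etc/openldap/cacerts
#URI ldaps://my.old.server
#BASE dc=opera
URI ldaps://my.server # modified by IPA
BASE dc=opera # modified by IPA
TLS_CACERT /etc/ipa/ca.crt
"""

def _active_lines(text):
    """Yield (lineno, line) for lines that are neither blank nor comments."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield lineno, line

def parse_ldap_conf(text):
    """Minimal model of the ldap.conf(5) rule (not libldap's own parser):
    option = first token, value = rest of the line, no inline-comment stripping."""
    entries = []
    for _, line in _active_lines(text):
        parts = line.split(None, 1)
        entries.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return entries

def find_inline_comments(text):
    """Return (lineno, OPTION, value) for active lines whose value contains a
    '#', i.e. an inline comment that the parser keeps as data."""
    return [(n, opt, val) for (n, _), (opt, val)
            in zip(_active_lines(text), parse_ldap_conf(text)) if "#" in val]

def fix_inline_comments(text):
    """Move a trailing '# ...' onto its own comment line above the option."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "#" in line:
            value, _, comment = line.partition("#")
            out.append("# " + comment.strip())
            out.append(value.rstrip())
        else:
            out.append(raw)
    return "\n".join(out) + "\n"
```

Running find_inline_comments on a real /etc/openldap/ldap.conf after ipa-client-install gives a quick check for this misconfiguration before ldapsearch reports "No such object".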
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5202
Yes, it looked like this actually:

    TLS_CACERTDIR /etc/openldap/cacerts
    URI ldaps://my.old.server
    BASE dc=opera
    #URI ldaps://my.server # modified by IPA
    #BASE dc=opera # modified by IPA
    TLS_CACERT /etc/ipa/ca.crt

So I uncommented the new lines (leaving the '# modified by IPA') and removed the old ones.

And of course, ldap could not work.

It is indeed an ipa-client-install problem.
(In reply to Fujisan from comment #3)
> yes, it looked like this actually:
>
> TLS_CACERTDIR /etc/openldap/cacerts
>
> URI ldaps://my.old.server
> BASE dc=opera
> #URI ldaps://my.server # modified by IPA
> #BASE dc=opera # modified by IPA
> TLS_CACERT /etc/ipa/ca.crt
>
> So I uncommented the new lines (leaving the '# modified by IPA') and removed
> the old ones.
>
> And of course, ldap could not work.
>
> It is indeed an ipa-client-install problem.

Before you edited ldap.conf by hand, did you read the manpage for ldap.conf to make sure you were editing the file in a way that was supported by ldap? It could be that ipa-client-install is changing ldap.conf with the assumption that the user will not need to change it afterwards, and, if the user does need to change it, the user will have read the manpage for ldap.conf and will make sure that any edits will be valid.

If the line modified by IPA is uncommented, then the line is no longer merely "modified by IPA" and the "# modified by IPA" should be removed as well.
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.