This is the bug to track a tech note for 6.3. "Run the updates as root for now".

+++ This bug was initially created as a clone of Bug #813373 +++

This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/2621

It always does a SASL EXTERNAL bind which requires root:

{{{
$ ipa-ldap-updater
Directory Manager password:
ipa : INFO PRE_UPDATE
Traceback (most recent call last):
  File "/usr/sbin/ipa-ldap-updater", line 160, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-ldap-updater", line 140, in main
    modified = ld.update(files)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 792, in update
    updates = api.Backend.updateclient.update(PRE_UPDATE, self.dm_password, self.ldapi, self.live_run)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", line 135, in update
    (restart, apply_now, res) = self.run(update.name, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", line 165, in run
    return self.Updater[method](**kw) #pylint: disable=E1101
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1398, in __call__
    return self.execute(**options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/fix_replica_memberof.py", line 44, in execute
    conn.do_external_bind(pwd.getpwuid(os.geteuid()).pw_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 387, in do_external_bind
    self.__bind_with_wait(self.sasl_interactive_bind_s, timeout, '', auth_tokens)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 347, in __bind_with_wait
    bind_func(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 227, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.INAPPROPRIATE_AUTH: {'info': 'SASL EXTERNAL bind requires an SSL connection', 'desc': 'Inappropriate authentication'}
}}}

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Updating the Identity Management LDAP configuration via the ipa-ldap-updater fails with a traceback error when executed by a non-root user due to the SASL EXTERNAL bind requiring root privileges. To work around this issue, run the aforementioned command as the root user.

*** This bug has been marked as a duplicate of bug 813373 ***