ipa-client-install writes out a custom ldap.conf. We're been using the SASL_NOCANON option in ldap.conf to unbreak broken upstream defaults. See: https://bugzilla.redhat.com/show_bug.cgi?id=949864 Ideally we can eventually get a sane default upstream. But either ipa-client-install should keep settings in ldap.conf, or include 'SASL_NOCANON on'
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3582
Also see related upstream ticket: https://fedorahosted.org/freeipa/ticket/3447 This one complains about removing TLS_CACERTDIR. We should fix it too.
Fixed upstream. master: 5d6a9d3befb5434dd7b2d1bbafd76050f22743a2 We will only add those items not already set, and include an IPA-specific version commented out.
freeipa-3.2.0-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/freeipa-3.2.0-1.fc19
Looks good: [root@f19-3 repo]# ipa-client-install --uninstall -U Unenrolling client from IPA server Removing Kerberos service principals from /etc/krb5.keytab Disabling client Kerberos and LDAP configurations Restoring client configuration files nslcd daemon is not installed, skip configuration Client uninstall complete. [root@f19-3 repo]# grep SASL_NOCANON /etc/openldap/ldap.conf SASL_NOCANON on [root@f19-3 repo]# grep TLS_CACERTDIR /etc/openldap/ldap.conf TLS_CACERTDIR /etc/openldap/certs
Package freeipa-3.2.0-1.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing freeipa-3.2.0-1.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-7911/freeipa-3.2.0-1.fc19 then log in and leave karma (feedback).
freeipa-3.2.0-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.