[Freeipa-devel] [PATCH] Set CACERTDIR during install to work around openldap bug

Jakub Hrozek jhrozek at redhat.com
Thu Nov 11 13:37:35 UTC 2010


On Thu, Nov 11, 2010 at 08:10:33AM -0500, Simo Sorce wrote:
> On Wed, 10 Nov 2010 19:11:46 +0100
> Jakub Hrozek <jhrozek at redhat.com> wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > On 11/10/2010 06:47 PM, Jakub Hrozek wrote:
> > > Please see attachment. The right fix would be to fix this in
> > > openldap, but I think we should have a workaround, at least for the
> > > time being. Much of the credit goes to Jan who helped me debug the
> > > issue.
> > 
> > Sorry, the first patch had a small bug. New one attached.
> 
> Jakub, I am surprised, I have the current code working on F14 w/o
> issues, why do you need to set also the CACERTDIR ?
> 
> Simo.

What does your /etc/openldap/ldap.conf look like? On both of my test machines
(one of them F13, the other one F14) it contains:

---
URI ldap://127.0.0.1/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
---

I don't recall setting it manually, though... I suspect some package
scriptlet or authconfig... dunno yet.

With the above setting, installation on F14 fails for me during the very
last step:

---
Unable to set admin password Command '/usr/bin/ldappasswd -h
vm-061.idm.lab.bos.redhat.com -ZZ -x -D cn=Directory Manager -y
/var/lib/ipa/tmpWn1lsN -T /var/lib/ipa/tmp_7938z
uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'
returned non-zero exit status 1
---

When I ran ldappasswd with "-d -1", I could see TLS errors and
ldappasswd opened only /etc/openldap/cacerts.

Seeing the ldappasswd invocation working on F13 and not F14, I suspect that
CACERTDIR erroneously takes precedence over CACERT (maybe something to
do with the switch to NSS?). Putting CACERTDIR into the environment
fixed the issue for me.


    Jakub
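A sketch of the workaround in the installer's own language, added here as an example and not the attached patch: it reads the client ldap.conf, and when TLS_CACERTDIR is set there, exports LDAPTLS_CACERTDIR next to LDAPTLS_CACERT for the ldappasswd call so the client finds the IPA CA whichever setting it honours. The ca_cert and ca_dir paths, the set_password helper and the LDAPTLS_* variable names (taken from ldap.conf(5)) are assumptions.

```python
import os
import subprocess

# OpenLDAP client configuration discussed in the mail.
LDAP_CONF = "/etc/openldap/ldap.conf"


def parse_tls_settings(conf_text):
    """Collect TLS_CACERT and TLS_CACERTDIR from ldap.conf text.

    Keys are case-insensitive and '#' starts a comment, as in ldap.conf(5);
    a later occurrence of a key overrides an earlier one.
    """
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key = parts[0].upper()
        if key in ("TLS_CACERT", "TLS_CACERTDIR"):
            settings[key] = parts[1].strip()
    return settings


def ldap_client_env(conf_text, ca_cert, ca_dir, base_env=None):
    """Build the environment for an ldap* client invocation.

    LDAPTLS_CACERT always points at the IPA CA file. If ldap.conf names a
    TLS_CACERTDIR, LDAPTLS_CACERTDIR is set too, because the client then
    looks only in that directory and never opens the CA file (the F14
    failure described above). Variable names are assumed from ldap.conf(5).
    """
    env = dict(os.environ if base_env is None else base_env)
    env["LDAPTLS_CACERT"] = ca_cert
    if "TLS_CACERTDIR" in parse_tls_settings(conf_text):
        env["LDAPTLS_CACERTDIR"] = ca_dir
    return env


def set_password(host, ca_cert, ca_dir, bind_dn, pw_file, new_pw_file, dn,
                 conf_path=LDAP_CONF):
    """Run ldappasswd over StartTLS with the workaround environment applied.

    Returns the exit status; non-zero is a failure, as in the installer.
    """
    with open(conf_path) as f:
        env = ldap_client_env(f.read(), ca_cert, ca_dir)
    cmd = ["/usr/bin/ldappasswd", "-h", host, "-ZZ", "-x", "-D", bind_dn,
           "-y", pw_file, "-T", new_pw_file, dn]
    return subprocess.call(cmd, env=env)
```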