[Freeipa-devel] [PATCH] Set CACERTDIR during install to work around openldap bug

Adam Young ayoung at redhat.com
Thu Nov 11 13:54:09 UTC 2010


On 11/11/2010 08:43 AM, Simo Sorce wrote:
> On Thu, 11 Nov 2010 14:37:35 +0100
> Jakub Hrozek<jhrozek at redhat.com>  wrote:
>
>> On Thu, Nov 11, 2010 at 08:10:33AM -0500, Simo Sorce wrote:
>>> On Wed, 10 Nov 2010 19:11:46 +0100
>>> Jakub Hrozek<jhrozek at redhat.com>  wrote:
>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> On 11/10/2010 06:47 PM, Jakub Hrozek wrote:
>>>>> Please see attachment. The right fix would be to fix this in
>>>>> openldap, but I think we should have a workaround, at least for
>>>>> the time being. Much of the credit goes to Jan who helped me
>>>>> debug the issue.
>>>> Sorry, the first patch had a small bug. New one attached.
>>> Jakub, I am surprised, I have the current code working on F14 w/o
>>> issues, why do you need to set also the CACERTDIR ?
>>>
>>> Simo.
>> What does your /etc/openldap/ldap.conf look like? On both of my test
>> machines (one of them F13, the other one F14) it contains:
>>
>> ---
>> URI ldap://127.0.0.1/
>> BASE dc=example,dc=com
>> TLS_CACERTDIR /etc/openldap/cacerts
>> ---
>>
>> I don't recall setting it manually, though... I suspect some package
>> scriptlet or authconfig... dunno yet.
> I have both a F13 and a F14 machine and neither have TLS_CACERTDIR set.
>
>> With the above setting, installation on F14 fails for me during the
>> very last step:
>>
>> ---
>> Unable to set admin password Command '/usr/bin/ldappasswd -h
>> vm-061.idm.lab.bos.redhat.com -ZZ -x -D cn=Directory Manager -y
>> /var/lib/ipa/tmpWn1lsN -T /var/lib/ipa/tmp_7938z
>> uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'
>> returned non-zero exit status 1
>> ---
>>
>> When I ran ldappasswd with "-d -1", I could see TLS errors and
>> ldappasswd opened only /etc/openldap/cacerts.
>>
>> Seeing the ldappasswd invocation working on F13 and not F14, I
>> suspect that CACERTDIR erroneously takes precedence over CACERT
>> (maybe something to do with the switch to NSS?). Putting CACERTDIR
>> into the environment fixed the issue for me...
> Ok, thanks for the summary, this explains why I don't see it.
>
> Ah, and ACK.
>
> Simo.
>
pushed to master
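The workaround the thread settles on, as an added Python example (this is not the attached patch, which is not on the page): check whether the system ldap.conf sets TLS_CACERTDIR, then invoke ldappasswd with LDAPTLS_CACERTDIR in its environment so the CA certificate directory is chosen by the installer rather than by ldap.conf. The directory passed as `cacertdir` and the injectable `run` callable are assumptions for illustration.

```python
import os
import subprocess

# Constructed sample mirroring the ldap.conf quoted in the thread.
SAMPLE_LDAP_CONF = """\
URI ldap://127.0.0.1/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
"""

def parse_ldap_conf(text):
    """{OPTION: value} from an ldap.conf body; keys upper-cased, '#' comments
    and blank lines skipped, a repeated option keeps its last value (this
    parser's policy, not a claim about libldap's own precedence rules)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].upper()] = parts[1].strip()
    return opts

def needs_cacertdir_workaround(conf_text):
    """True when ldap.conf sets TLS_CACERTDIR, the setting under which the
    thread saw ldappasswd on F14 open only that directory and fail StartTLS."""
    return "TLS_CACERTDIR" in parse_ldap_conf(conf_text)

def ldap_tool_env(cacertdir, base_env=None):
    """Environment copy with LDAPTLS_CACERTDIR set; OpenLDAP's client library
    honours LDAP<OPTION> variables over the matching ldap.conf line."""
    env = dict(os.environ if base_env is None else base_env)
    env["LDAPTLS_CACERTDIR"] = cacertdir
    return env

def ldappasswd_command(host, dm_pw_file, new_pw_file, user_dn):
    # Same invocation as the installer's quoted call; -ZZ makes StartTLS
    # mandatory, so a CA certificate lookup failure yields exit status 1.
    return ["/usr/bin/ldappasswd", "-h", host, "-ZZ", "-x",
            "-D", "cn=Directory Manager", "-y", dm_pw_file,
            "-T", new_pw_file, user_dn]

def set_admin_password(host, dm_pw_file, new_pw_file, user_dn, cacertdir,
                       run=subprocess.run):
    """Run ldappasswd under the workaround environment and return its exit
    status; `run` is injectable so the flow can be tested without a server."""
    proc = run(ldappasswd_command(host, dm_pw_file, new_pw_file, user_dn),
               env=ldap_tool_env(cacertdir), capture_output=True, text=True)
    return proc.returncode
```

Running ldappasswd with `-d -1`, as done in the thread, shows which certificate store the client actually opens and is the quickest way to confirm the override took effect.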
