[Freeipa-devel] FreeIPA quit working - or, IPA & oVirt

Derek Moore derek.p.moore at gmail.com
Wed May 8 21:24:44 UTC 2013

Hey, that did it! You're the man!

I didn't have to downgrade openldap, just changed /etc/openldap/ldap.conf
to "SASL_NOCANON off". This allowed the install script to complete, and the
install script overwrite ldap.conf anyway removing SASL_NOCANON altogether,
so things still work.

I rolled my own krb5/ldap/nss integration back in the early 2000s, so I
feel you on all the the upstream lib dependencies. (I used phpLDAPadmin to
administer my Directory, and I integrated sendmailMTA object which are very
nice [after fixing one or two braindead things about their schema {an
inetOrgPerson could not be a sendmailMTA receiver, i wanted merged objects,
no separate objects}].)

After following your advice, I can no longer use kpasswd to set user
passwords, but I can reset passwords in the web frontend, so that's fine
for now.

FreeIPA seems very nice so far, I hope to be able to make meaningful
contributions as I become more familiar with this complex integration



On Wed, May 8, 2013 at 2:15 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Derek Moore wrote:
>> Setting /etc/hostname manually and several restarts and reboots later, I
>> finally got the install to work (mostly) properly again last night.
>> But I still cannot get the XML-RPC server to function properly, the end
>> of the install script fails on /usr/sbin/ipa-client-install:
>>    ipalib.errors.NetworkError: cannot connect to
>> 'https://ds1.hackunix.org/ipa/**xml <https://ds1.hackunix.org/ipa/xml>':
>> Internal Server Error
>> I can't get passed the "No credentials cache found" error in Apache. The
>> credentials cache it's looking for is httpd's keytab?
> We're fighting some issues with changes in support libraries.
> If you have openldap-2.4.35-3, the default value of SASL_NOCANON changed
> to on (at our request ironically) which breaks ldapi requests, which we
> also use. For 3.1.x and 3.2pre1 or beta1 I believe the only solution is to
> downgrade openldap. We are working with upstream and have provided a patch
> to the Fedora maintainer to mitigate this but it is yet unresolved.
> If you have krb5 1.11.2-4 then you need to add KRB5CCNAME=/tmp/krb5cc_48
> to the end of /etc/sysconfig/httpd. The ccache format was changed to DIR
> and mod_auth_kerb doesn't support this yet. This fix should work with any
> version of IPA.
> rob
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130508/18c0f58e/attachment.htm>

More information about the Freeipa-devel mailing list