[Freeipa-users] anonymous bind + ipa-install-client failure

Benjamin Reed ranger at opennms.org
Fri Dec 23 03:54:42 UTC 2011


On 12/22/11 9:46 PM, Benjamin Reed wrote:
> I'm attempting to configure a CentOS6 box to talk to a RHEL6.2 IPA
> server. The IPA server has anonymous bind disabled since it's on the
> public Internet. When I run ipa-client-install, I get the following error:

So the full log makes more sense with debug on:

---(snip!)---
[root at nen etc]# ipa-client-install --domain=OPENNMS.COM --debug
root        : DEBUG    /usr/sbin/ipa-client-install was invoked with
options: {'conf_ntp': True, 'domain': 'OPENNMS.COM', 'uninstall': False,
'force': False, 'sssd': True, 'krb5_offline_passwords': True,
'hostname': None, 'preserve_sssd': False, 'server': None,
'prompt_password': False, 'mkhomedir': False, 'dns_updates': False,
'permit': False, 'debug': True, 'on_master': False, 'ntp_server': None,
'realm_name': None, 'unattended': None, 'principal': None}
root        : DEBUG    missing options might be asked for interactively
later

root        : DEBUG    Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
root        : DEBUG    Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
root        : DEBUG    [ipadnssearchldap]
root        : DEBUG    [ipadnssearchkrb]
root        : DEBUG    [ipacheckldap]
root        : DEBUG    args=/usr/bin/wget -O /tmp/tmpjxJzV_/ca.crt -T 15
-t 2 http://connect.opennms.com/ipa/config/ca.crt
root        : DEBUG    stdout=
root        : DEBUG    stderr=--2011-12-22 22:47:39-- 
http://connect.opennms.com/ipa/config/ca.crt
Resolving connect.opennms.com... 66.135.60.215
Connecting to connect.opennms.com|66.135.60.215|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://connect.opennms.com/ipa/config/ca.crt [following]
--2011-12-22 22:47:39--  https://connect.opennms.com/ipa/config/ca.crt
Connecting to connect.opennms.com|66.135.60.215|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1313 (1.3K) [application/x-x509-ca-cert]
Saving to: "/tmp/tmpjxJzV_/ca.crt"

     0K .                                                     100% 3.11M=0s

2011-12-22 22:47:40 (3.11 MB/s) - "/tmp/tmpjxJzV_/ca.crt" saved [1313/1313]


root        : DEBUG    Init ldap with: ldap://connect.opennms.com:389
root        : ERROR    LDAP Error: Connect error: TLS error
-8172:Unknown code ___f 20
root        : DEBUG    will use domain: OPENNMS.COM

root        : DEBUG    will use server: connect.opennms.com

Failed to verify that connect.opennms.com is an IPA Server.
This may mean that the remote server is not up or is not reachable
due to network or firewall settings.
Installation failed. Rolling back changes.
IPA client is not configured on this system.
---(snip!)---

This implies I guess the LDAP server isn't accepting this cert?

Is there a log that might explain what's going on on the server side?

-- 
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/
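Added example, not part of the original mail and not FreeIPA's own code. In the log above the client downloads ca.crt over HTTP(S) and then fails the StartTLS handshake on port 389 with NSS error -8172, which is SEC_ERROR_UNTRUSTED_ISSUER (SEC_ERROR_BASE -8192 plus 20, the "20" at the end of the message): the client does not trust the issuer of the LDAP server's certificate. The script below reproduces that trust check offline with the openssl CLI and a locally constructed PKI, so the "right CA" and "wrong CA" outcomes can be seen side by side; the hostname ipa.example.test and all file names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original mail or of the FreeIPA code base.
# It reproduces, with the openssl CLI and locally constructed certificates,
# the trust check that the StartTLS step in the log implies: the CA
# certificate the client fetched must be the issuer of the LDAP server's
# certificate. The hostname ipa.example.test and all file names are
# assumptions. Runs offline; needs only openssl, mktemp and sed.

WORK="${WORK:-$(mktemp -d)}"

# Construct a throwaway PKI: an IPA-style CA, a server certificate signed by
# it, and a second, unrelated CA that models a ca.crt which does NOT match
# the server's real issuer.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example IPA CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Some Other CA" \
        -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.crt" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=ipa.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 2 \
        -out "$WORK/server.crt" >/dev/null 2>&1 || return 1
}

# check_chain CA_FILE SERVER_CERT
# Exit 0 only if SERVER_CERT verifies against CA_FILE, which is the
# condition the client's TLS handshake against port 389 needs to succeed.
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# explain_failure CA_FILE SERVER_CERT
# Print openssl's one-line reason for a failed verification, for example
# "unable to get local issuer certificate" (X509 verify error 20), or
# nothing when the chain is fine.
explain_failure() {
    openssl verify -CAfile "$1" "$2" 2>&1 \
        | sed -n 's/^error [0-9][0-9]* at [0-9][0-9]* depth lookup: *//p' \
        | head -n 1
}

# demo: build the PKI and show both outcomes.
demo() {
    make_pki || { echo "could not build test PKI" >&2; return 1; }
    if check_chain "$WORK/ca.crt" "$WORK/server.crt"; then
        echo "right CA:  server.crt chains to ca.crt"
    fi
    if ! check_chain "$WORK/other-ca.crt" "$WORK/server.crt"; then
        echo "wrong CA:  $(explain_failure "$WORK/other-ca.crt" "$WORK/server.crt")"
    fi
}
```

Call `demo` after sourcing the file to see both results. Against a real IPA server the same check is `openssl s_client -connect ipa.example.test:389 -starttls ldap -CAfile ca.crt` (the `-starttls ldap` option needs OpenSSL 1.1.0 or later); the `Verify return code` line at the end tells you whether the downloaded ca.crt actually anchors the chain the LDAP server presents, which is the question the client-side log cannot answer on its own.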

