[Freeipa-devel] [PATCH] Set CACERTDIR during install to work around openldap bug

Dmitri Pal dpal at redhat.com
Thu Nov 11 22:21:54 UTC 2010


Jakub Hrozek wrote:
> On Thu, Nov 11, 2010 at 08:10:33AM -0500, Simo Sorce wrote:
>   
>> On Wed, 10 Nov 2010 19:11:46 +0100
>> Jakub Hrozek <jhrozek at redhat.com> wrote:
>>
>>     
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 11/10/2010 06:47 PM, Jakub Hrozek wrote:
>>>       
>>>> Please see attachment. The right fix would be to fix this in
>>>> openldap, but I think we should have a workaround, at least for the
>>>> time being. Much of the credit goes to Jan who helped me debug the
>>>> issue.
>>>>         
>>> Sorry, the first patch had a small bug. New one attached.
>>>       
>> Jakub, I am surprised, I have the current code working on F14 w/o
>> issues, why do you need to set also the CACERTDIR ?
>>
>> Simo.
>>     
>
> How does your /etc/openldap/ldap.conf look like? On both of my test machines
> (one of them F13, the other one F14) it contains:
>
> ---
> URI ldap://127.0.0.1/
> BASE dc=example,dc=com
> TLS_CACERTDIR /etc/openldap/cacerts
> ---
>
> I don't recall setting it manually, though. I suspect some package
> scriptlet or authconfig, dunno yet.
>
> With the above setting, installation on F14 fails for me during the very
> last step:
>
> ---
> Unable to set admin password Command '/usr/bin/ldappasswd -h
> vm-061.idm.lab.bos.redhat.com -ZZ -x -D cn=Directory Manager -y
> /var/lib/ipa/tmpWn1lsN -T /var/lib/ipa/tmp_7938z
> uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'
> returned non-zero exit status 1
> ---
>
> When I ran ldappasswd with "-d -1", I could see TLS errors and
> ldappasswd opened only /etc/openldap/cacerts.
>
> Seeing the ldappasswd invocation working on F13 and not F14, I suspect that
> CACERTDIR erroneously takes precedence over CACERT (maybe something to
> do with the switch to NSS?). Putting CACERTDIR into the environment
> fixed the issue for me.
>
>
>     Jakub
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>
>   
Can it be that Jakub has it because of the Fedora test date for the
openLDAP?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
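The workaround Jakub describes, as an added example that is not part of the patch or of FreeIPA's installer code: ldap.conf(5) lets any client option be overridden from the environment by prefixing its name with LDAP, so LDAPTLS_CACERT overrides TLS_CACERT and LDAPTLS_CACERTDIR overrides TLS_CACERTDIR. The helpers below parse the quoted ldap.conf, build an environment that sets both variables before the ldappasswd call the installer makes, and reproduce that call's argument list. The ldap.conf text is a constructed sample copied from the thread; the paths /etc/ipa/ca.crt and /etc/openldap/cacerts, and the password file names, are assumptions for illustration. Whatever directory LDAPTLS_CACERTDIR points at must actually hold the IPA CA in the form the linked TLS library expects, otherwise the client will still fail the -ZZ StartTLS verification.

```python
"""Environment-based workaround for an ldap.conf TLS_CACERTDIR that shadows TLS_CACERT.

Added example, not FreeIPA's own code. Relies only on the documented ldap.conf(5)
rule that option FOO can be overridden by the environment variable LDAPFOO.
"""
import os
import subprocess

# Constructed sample: the /etc/openldap/ldap.conf quoted in the thread.
SAMPLE_LDAP_CONF = """\
URI ldap://127.0.0.1/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
"""


def parse_ldap_conf(text):
    """Return {OPTION: value} for the option lines of an ldap.conf(5) file.

    Comment and blank lines are skipped; the first whitespace separates the
    option name from its (possibly multi-word) value.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        options[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return options


def tls_env_for_ldap_tools(ca_cert_file, ca_cert_dir, base_env=None):
    """Environment for ldappasswd/ldapsearch that pins both CA settings.

    Setting only LDAPTLS_CACERT is not enough when the system ldap.conf also
    carries TLS_CACERTDIR, which the thread reports being consulted instead of
    the PEM file. Overriding TLS_CACERTDIR via LDAPTLS_CACERTDIR as well makes
    the client look in a directory we control regardless of which one wins.
    """
    env = dict(os.environ if base_env is None else base_env)
    env["LDAPTLS_CACERT"] = ca_cert_file      # assumed PEM copy of the IPA CA
    env["LDAPTLS_CACERTDIR"] = ca_cert_dir    # assumed directory holding the CA
    return env


def ldappasswd_argv(host, bind_dn, bind_pw_file, new_pw_file, target_dn):
    """argv of the ldappasswd call from the installer error in the thread.

    -ZZ requires StartTLS to succeed (so CA verification matters), -x is a
    simple bind, -D the bind DN, -y reads the bind password from a file and
    -T reads the new password for target_dn from a file.
    """
    return ["/usr/bin/ldappasswd", "-h", host, "-ZZ", "-x",
            "-D", bind_dn, "-y", bind_pw_file, "-T", new_pw_file, target_dn]


def conf_shadows_cacert(options):
    """True when ldap.conf sets TLS_CACERTDIR, the situation that broke F14 installs."""
    return "TLS_CACERTDIR" in options


def set_admin_password(host, bind_pw_file, new_pw_file, target_dn,
                       ca_cert_file="/etc/ipa/ca.crt",
                       ca_cert_dir="/etc/openldap/cacerts", debug=False):
    """Run ldappasswd with the pinned TLS environment; needs a live server.

    With debug=True the client's TLS trace (-d -1) is printed, which is how the
    thread found that only /etc/openldap/cacerts was being opened.
    """
    argv = ldappasswd_argv(host, "cn=Directory Manager", bind_pw_file,
                           new_pw_file, target_dn)
    if debug:
        argv[1:1] = ["-d", "-1"]
    rc = subprocess.call(argv, env=tls_env_for_ldap_tools(ca_cert_file, ca_cert_dir))
    if rc != 0:
        raise RuntimeError("Unable to set admin password: %s returned %d"
                           % (" ".join(argv), rc))
    return rc


if __name__ == "__main__":
    opts = parse_ldap_conf(SAMPLE_LDAP_CONF)
    print("TLS_CACERTDIR present in ldap.conf:", conf_shadows_cacert(opts))
    env = tls_env_for_ldap_tools("/etc/ipa/ca.crt", "/etc/openldap/cacerts", base_env={})
    print("environment overrides:", {k: v for k, v in env.items() if k.startswith("LDAP")})
```

A quick check for the failure itself is to run the same ldappasswd command with `-d -1` added and watch which CA locations the TLS layer reports opening; if only the TLS_CACERTDIR path appears while TLS_CACERT points elsewhere, exporting LDAPTLS_CACERTDIR before the call is the interim fix the patch applies.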
