On Thu, Nov 11, 2010 at 08:10:33AM -0500, Simo Sorce wrote:
> On Wed, 10 Nov 2010 19:11:46 +0100
> Jakub Hrozek <jhro...@redhat.com> wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > On 11/10/2010 06:47 PM, Jakub Hrozek wrote:
> > > Please see attachment. The right fix would be to fix this in
> > > openldap, but I think we should have a workaround, at least for the
> > > time being. Much of the credit goes to Jan who helped me debug the
> > > issue.
> > 
> > Sorry, the first patch had a small bug. New one attached.
> 
> Jakub, I am surprised, I have the current code working on F14 w/o
> issues, why do you need to set also the CACERTDIR ?
> 
> Simo.

What does your /etc/openldap/ldap.conf look like? On both of my test machines
(one of them F13, the other one F14) it contains:

---
URI ldap://127.0.0.1/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
---

I don't recall setting it manually, though... I suspect some package
scriptlet or authconfig... dunno yet.

With the above setting, installation on F14 fails for me during the very
last step:

---
Unable to set admin password Command '/usr/bin/ldappasswd -h
vm-061.idm.lab.bos.redhat.com -ZZ -x -D cn=Directory Manager -y
/var/lib/ipa/tmpWn1lsN -T /var/lib/ipa/tmp_7938z
uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'
returned non-zero exit status 1
---

When I ran ldappasswd with "-d -1", I could see TLS errors and
ldappasswd opened only /etc/openldap/cacerts.

Seeing the ldappasswd invocation working on F13 and not F14, I suspect that
CACERTDIR erroneously takes precedence over CACERT (maybe something to
do with the switch to NSS?). Putting CACERTDIR into the environment
fixed the issue for me.


    Jakub

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
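Added example, not part of the thread and not FreeIPA's or OpenLDAP's own code: a small POSIX shell helper that reads the TLS_CACERT / TLS_CACERTDIR client settings out of an ldap.conf and turns them into the `LDAP<option>` environment overrides that ldap.conf(5) documents, so the caller of ldappasswd can make its intended CA setting explicit instead of relying on whatever the file and the library's precedence rules decide. It also flags the configuration discussed above, where both options end up set. The sample ldap.conf is constructed from the lines quoted in the message; the /etc/ipa/ca.crt path in the comments is an assumption for the demo.

```sh
#!/bin/sh
# Added example (not from the thread, not FreeIPA or OpenLDAP code).
# Extract OpenLDAP client TLS settings from an ldap.conf and derive the
# LDAPTLS_CACERT / LDAPTLS_CACERTDIR environment overrides that ldap.conf(5)
# documents (option name prefixed with "LDAP"), so an explicit CA choice
# reaches ldappasswd regardless of what the file says.

# ldap_conf_get FILE OPTION
#   Prints the value of OPTION from FILE (keyword match is case-insensitive,
#   first match wins, comments and blank lines are skipped); prints nothing
#   if the option is unset.
ldap_conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        toupper($1) == toupper(key) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "")
            print
            exit
        }
    ' "$1"
}

# ldap_tls_env FILE
#   Prints NAME=VALUE lines for LDAPTLS_CACERT and LDAPTLS_CACERTDIR taken
#   from FILE, suitable for `env $(ldap_tls_env FILE) ldappasswd -ZZ ...`.
#   Warns on stderr when both are set: that is the situation in the thread,
#   where CACERTDIR was observed to win over CACERT on F14.
ldap_tls_env() {
    cacert=$(ldap_conf_get "$1" TLS_CACERT)
    cacertdir=$(ldap_conf_get "$1" TLS_CACERTDIR)
    if [ -n "$cacert" ] && [ -n "$cacertdir" ]; then
        echo "warning: $1 sets both TLS_CACERT and TLS_CACERTDIR" >&2
    fi
    [ -n "$cacert" ] && echo "LDAPTLS_CACERT=$cacert"
    [ -n "$cacertdir" ] && echo "LDAPTLS_CACERTDIR=$cacertdir"
    return 0
}

# Constructed sample: the ldap.conf contents quoted in the message.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
URI ldap://127.0.0.1/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
EOF

ldap_tls_env "$demo_conf"

# To force the CA file an installer generated (path assumed for the demo)
# and to see the TLS negotiation, the invocation would look like:
#   env LDAPTLS_CACERT=/etc/ipa/ca.crt LDAPTLS_CACERTDIR= \
#       ldappasswd -ZZ -d -1 -x -D "cn=Directory Manager" -y PWFILE ...
rm -f "$demo_conf"
```

Reading the file first and then setting the environment explicitly makes the workaround auditable: the warning tells you when the system ldap.conf is carrying a TLS_CACERTDIR you did not put there (a package scriptlet or authconfig, as suspected above), rather than letting that line silently decide which trust store the client opens.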
