Fix client enrollment when using --no-sssd and nss-pam-ldapd. At version 0.8.4 the default was changed to map uniqueMember to member so a mapping is no longer required, or possible. This causes the daemon to not load.

Remove the option and add a Conflicts on older versions.

This is more a problem in F-18. I propose we backport this patch to the ipa-3-1 branch.

rob
From 1eaa4f98051fd80482ff3ae698e3d0605671c057 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Tue, 30 Apr 2013 14:35:19 -0400
Subject: [PATCH] Drop uniqueMember mapping with nss-pam-ldapd.

nss-pam-ldapd in 0.8.4 changed the default to map uniqueMember to
member so it is no longer needed in the config file, and in fact
causes an error to be raised.

Add a Conflicts on older versions.

https://fedorahosted.org/freeipa/ticket/3589
---
 freeipa.spec.in                           | 9 +++++++++
 ipa-client/ipa-install/ipa-client-install | 1 -
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index d4ee84cb8d54fcaf7dae6b648b39ac22e3b8a9dc..2d0bf8d95716bb4727cc576809f37108ea26697b 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -161,6 +161,10 @@ Conflicts: bind-dyndb-ldap < 1.1.0-0.12.rc1
 %endif
 Conflicts: bind < 9.8.2-0.4.rc2
 
+# Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to
+# member.
+Conflicts: nss-pam-ldapd-0.8.4
+
 # mod_proxy provides a single API to communicate over SSL. If mod_ssl
 # is even loaded into Apache then it grabs this interface.
 Conflicts: mod_ssl
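Review bot: The added tag `Conflicts: nss-pam-ldapd-0.8.4` has no comparison operator, so RPM treats it as a conflict with a package literally named nss-pam-ldapd-0.8.4 rather than with older versions of nss-pam-ldapd. The comment above it and the changelog entry both state the intent as versions below 0.8.4, so the tag should read `Conflicts: nss-pam-ldapd < 0.8.4`. The comment would also be clearer if it said why the conflict is needed now (the client installer no longer writes the mapping), since as worded it only describes what the old versions required.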
@@ -835,6 +839,11 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Tue Apr 30 2013 Rob Crittenden <rcrit...@redhat.com> - 3.1.99-10
+- Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to
+  member is now done automatically and having it in the config file raises
+  an error.
+
 * Tue Apr 30 2013 Rob Crittenden <rcrit...@redhat.com> - 3.1.99-9
 - Require pki-ca 10.0.2 for 501 response code on find for d9 -> d10 upgrades
 
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 1385484cfd762e4f13fd4851d2bae8507630f44d..1a8b6439bcf3491ed56d9530dada51c5ba99cc46 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -778,7 +778,6 @@ def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server,
             {'name':'empty', 'type':'empty'},
             {'name':'base passwd', 'type':'option', 'value':str(DN(('cn', 'users'), ('cn', 'accounts'), cli_basedn))},
             {'name':'base group', 'type':'option', 'value':str(DN(('cn', 'groups'), ('cn', 'accounts'), cli_basedn))},
-            {'name':'map group', 'type':'option', 'value':'uniqueMember member'},
             {'name':'timelimit', 'type':'option', 'value':'15'},
             {'name':'empty', 'type':'empty'}]
     if not dnsok or options.force or options.on_master:
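Review bot: The removal of the `map group` entry in configure_nslcd_conf is unconditional, so the only thing keeping this generated config away from an nss-pam-ldapd older than 0.8.4 is the Conflicts tag in freeipa.spec.in. The spec comment in this same patch says those older versions require the uniqueMember to member mapping, and nothing in the visible lines checks the installed version before writing nslcd.conf. If ipa-client-install can run where that RPM conflict is not enforced, consider writing the mapping only when the installed version is below 0.8.4, or at least leave a comment here pointing at the packaging constraint so the dependency is not lost.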
-- 
1.8.1

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel