Hey, that did it! You're the man! I didn't have to downgrade openldap, just changed /etc/openldap/ldap.conf to "SASL_NOCANON off". This allowed the install script to complete, and the install script overwrote ldap.conf anyway, removing SASL_NOCANON altogether, so things still work.
I rolled my own krb5/ldap/nss integration back in the early 2000s, so I feel you on all the upstream lib dependencies. (I used phpLDAPadmin to administer my Directory, and I integrated sendmailMTA objects, which are very nice [after fixing one or two braindead things about their schema {an inetOrgPerson could not be a sendmailMTA receiver; I wanted merged objects, not separate objects}].) After following your advice, I can no longer use kpasswd to set user passwords, but I can reset passwords in the web frontend, so that's fine for now. FreeIPA seems very nice so far; I hope to be able to make meaningful contributions as I become more familiar with this complex integration product.

Thanks!
Derek

On Wed, May 8, 2013 at 2:15 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Derek Moore wrote:
>
>> Setting /etc/hostname manually and several restarts and reboots later, I
>> finally got the install to work (mostly) properly again last night.
>>
>> But I still cannot get the XML-RPC server to function properly; the end
>> of the install script fails on /usr/sbin/ipa-client-install:
>>
>> ipalib.errors.NetworkError: cannot connect to
>> 'https://ds1.hackunix.org/ipa/xml':
>> Internal Server Error
>>
>> I can't get past the "No credentials cache found" error in Apache. The
>> credentials cache it's looking for is httpd's keytab?
>>
> We're fighting some issues with changes in support libraries.
>
> If you have openldap-2.4.35-3, the default value of SASL_NOCANON changed
> to on (at our request, ironically), which breaks ldapi requests, which we
> also use. For 3.1.x and 3.2pre1 or beta1 I believe the only solution is to
> downgrade openldap. We are working with upstream and have provided a patch
> to the Fedora maintainer to mitigate this, but it is yet unresolved.
>
> If you have krb5 1.11.2-4 then you need to add KRB5CCNAME=/tmp/krb5cc_48
> to the end of /etc/sysconfig/httpd. The ccache format was changed to DIR
> and mod_auth_kerb doesn't support this yet. This fix should work with any
> version of IPA.
>
> rob
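As an added example that is not part of this thread, a small POSIX shell check for the two workarounds Rob describes: the SASL_NOCANON setting in an ldap.conf-style file and the KRB5CCNAME line in /etc/sysconfig/httpd. The file paths are passed in as parameters and the sample files it builds are constructed, so it can be run without touching the real configs.

```shell
#!/bin/sh
# Added example (not code from the thread or from FreeIPA): report whether the
# openldap and krb5 workarounds discussed above are present in given config files.

# Print "on", "off" or "unset" for SASL_NOCANON in an ldap.conf-style file.
# Comment lines are ignored; the last uncommented setting is reported.
# ldap.conf(5) accepts on/true/yes and off/false/no, so both spellings map.
sasl_nocanon_state() {
    val=$(grep -i '^[[:space:]]*SASL_NOCANON[[:space:]]' "$1" \
          | tail -n1 | awk '{print tolower($2)}')
    case "$val" in
        on|true|yes)  echo on ;;
        off|false|no) echo off ;;
        "")           echo unset ;;
        *)            echo "unknown:$val" ;;
    esac
}

# Print the KRB5CCNAME value set in a sysconfig-style file (with or without
# a leading "export"), or "unset" if no such line exists.
httpd_krb5ccname() {
    val=$(grep '^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}KRB5CCNAME=' "$1" \
          | tail -n1 | sed 's/^.*KRB5CCNAME=//')
    if [ -n "$val" ]; then echo "$val"; else echo unset; fi
}

# Return 0 only when both workarounds are in place (SASL_NOCANON off and a
# KRB5CCNAME pointing at a file), 1 otherwise; prints the findings.
workarounds_applied() {
    s=$(sasl_nocanon_state "$1"); c=$(httpd_krb5ccname "$2")
    echo "SASL_NOCANON=$s KRB5CCNAME=$c"
    [ "$s" = off ] && [ "$c" != unset ]
}

# Demo on constructed files (the real paths would be /etc/openldap/ldap.conf
# and /etc/sysconfig/httpd).
demo() {
    d=$(mktemp -d)
    printf 'URI ldaps://ds1.hackunix.org\nSASL_NOCANON off\n' > "$d/ldap.conf"
    printf 'OPTIONS=\nKRB5CCNAME=/tmp/krb5cc_48\n' > "$d/httpd"
    workarounds_applied "$d/ldap.conf" "$d/httpd"; rc=$?
    rm -rf "$d"
    return $rc
}
```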
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel