huit / puppet-ipa

Puppet module that can manage an IPA master, replicas and clients.

unless statement when running ipa::clientinstall #5

Closed aellert closed 11 years ago

aellert commented 11 years ago

It seems that the unless statement in clientinstall.pp (exec client-install-${host}) doesn't work because ldapsearch uses the IPA directory admin account. In my environment it fails: ldap_bind: Invalid credentials (49). If I run the command manually with the IPA admin credentials, it works. Am I missing something in my setup or is it a bug?

Debug output of puppet agent -t --debug :

Debug: Executing '/bin/bash -c "LDAPTLS_REQCERT=never /usr/bin/ldapsearch -LLL -x -H ldaps://ipaserver.mydomain.org -D uid=admin,cn=users,cn=accounts,dc=mydomain,dc=org -b dc=mydomain,dc=org -w directory_admin_password fqdn=ipaclient.mydomain.org | /bin/grep ^krbPrincipalName"'
Debug: /Stage[main]/Ipa::Client/Ipa::Clientinstall[ipaserver.mydomain.org]/Exec[client-install-ipaclient.mydomain.org]/unless: ldap_bind: Invalid credentials (49)

Manually it works with the admin password:

/bin/bash -c "LDAPTLS_REQCERT=never /usr/bin/ldapsearch -LLL -x -H ldaps://ipaserver.mydomain.org -D uid=admin,cn=users,cn=accounts,dc=mydomain,dc=org -b dc=mydomain,dc=org -w IPA_admin_password fqdn=ipaclient.mydomain.org | /bin/grep ^krbPrincipalName"

-> krbPrincipalName: host/ipaclient.mydomain.org@MYDOMAIN.ORG

Thanks for your help

robruma commented 11 years ago

This does appear like a bug... The ldapsearch command does indeed need the admin user credentials. Thank you once again for finding an oversight!

Rob
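The check that the two comments above discuss, written as an added example (not the module's own code, and not from either commenter): the enrollment test binds as the IPA admin rather than the directory manager, and it keeps a failed bind (exit 49) separate from "host not found", because a Puppet `unless` treats every non-zero exit the same and would re-run ipa-client-install on every agent run when the credentials are wrong. The bind DN, server, base DN and FQDN are taken from the issue; `LDAPSEARCH` is an assumed override so the function can be exercised against a stub without a server.

```shell
#!/bin/sh
# Enrollment check for an ipa-client-install exec (added example, not from puppet-ipa).
# LDAPSEARCH is an assumption of this example: it lets the caller point at a stub.
LDAPSEARCH="${LDAPSEARCH:-/usr/bin/ldapsearch}"

# ipa_host_enrolled SERVER BASEDN BINDDN PASSWORD FQDN
# Exit codes: 0 host principal present (skip the install)
#             1 search succeeded but no principal (run the install)
#             2 bind failed (wrong credentials, do not mistake for "not enrolled")
#             3 any other ldapsearch error (server down, TLS failure, ...)
# Unlike the module's command this does not set LDAPTLS_REQCERT=never; the IPA CA
# should be in the trust store so the server certificate is actually verified.
ipa_host_enrolled() {
    server=$1; basedn=$2; binddn=$3; password=$4; fqdn=$5
    if out=$("$LDAPSEARCH" -LLL -x -H "ldaps://$server" -D "$binddn" -w "$password" \
                -b "$basedn" "fqdn=$fqdn" krbPrincipalName 2>/dev/null); then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0)  printf '%s\n' "$out" | grep -q '^krbPrincipalName:' && return 0
            return 1 ;;
        49) return 2 ;;   # ldap_bind: Invalid credentials (49), as seen in the issue
        *)  return 3 ;;
    esac
}

# Helper for an `onlyif`: succeeds only on a definite "not enrolled" answer, so a
# credential or connectivity problem never triggers a fresh client install.
ipa_client_needs_install() {
    rc=0
    ipa_host_enrolled "$@" || rc=$?
    [ "$rc" -eq 1 ]
}
```

Passing `-w` on the command line puts the password into the process list and into `puppet agent --debug` output, as the debug line in the issue shows; OpenLDAP's `-y passwordfile` reads it from a root-only file instead.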

robruma commented 11 years ago

One caveat... You will now need to run 'puppet node deactivate ipaserver.mydomain.org' on the Puppet master since the exported resource has now changed. Then, just run puppet manually on ipaserver.mydomain.org to reactivate.

Thanks Rob

aellert commented 11 years ago

Thanks a lot for your quick fix. Everything works fine now !

Alexandre

2013/6/22 robruma notifications@github.com

One caveat... You will now need to run 'puppet node deactivate ipaserver.mydomain.org' on the Puppet master since the exported resource has now changed. Then, just run puppet manually on ipaserver.mydomain.org to reactivate.

Thanks Rob
