ipa-server-install: On non-x86, errors enabling compatibility plugin for dirsrv

Bug #1600634 reported by Moritz Lapp
This bug affects 2 people
Affects                Status         Importance   Assigned to   Milestone
389-ds-base (Ubuntu)   Invalid        Undecided    Unassigned
freeipa (Ubuntu)       Fix Released   Undecided    Unassigned

Bug Description

When executing ipa-server-install on a non-x86 architecture (here: ARMv7), the following error messages appear after having filled out the initial questionnaire:
...
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/46]: creating directory server user
...
  [42/46]: enabling compatibility plugin
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure Server is unwilling to perform: Invalid plugin path
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Parent DN of cn=users,cn=Schema Compatibility,cn=plugins,cn=config may not exist, cannot create the entry
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Parent DN of cn=groups,cn=Schema Compatibility,cn=plugins,cn=config may not exist, cannot create the entry
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Parent DN of cn=ng,cn=Schema Compatibility,cn=plugins,cn=config may not exist, cannot create the entry
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Parent DN of cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config may not exist, cannot create the entry
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Parent DN of cn=computers,cn=Schema Compatibility,cn=plugins,cn=config may not exist, cannot create the entry
  [43/46]: activating sidgen plugin
...

The logfile written showed that the plugin path submitted is something like
/usr/lib/i386-linux-gnu/...
but should probably be
/usr/lib/arm-linux-gnueabihf/...
according to the file list of the freeipa-server package. This library path is introduced in ipaserver/install/ldapupdate.py, where it seems that only i386 and x86_64 are expected.

As far as I could see, the upstream version only differentiates between /lib and /lib64, but the Ubuntu source package contains a patch "hack-libarch.diff" that introduces more fine-grained architecture names.

The following patch served me well, but takes into account only this very architecture.

--- ipaserver/install/ldapupdate.py.orig 2016-07-10 20:43:30.630070890 +0200
+++ ipaserver/install/ldapupdate.py 2016-07-10 20:56:54.772268927 +0200
@@ -330,11 +330,16 @@
     def _identify_arch(self):
         """On multi-arch systems some libraries may be in /lib64, /usr/lib64,
            etc. Determine if a suffix is needed based on the current
            architecture.
         """
+
+ arch = platform.machine()
+ if arch == "armv7l":
+ return "/arm-linux-gnueabihf"
+
         bits = platform.architecture()[0]

         if bits == "64bit":
             return "/x86_64-linux-gnu"
         else:
             return "/i386-linux-gnu"
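
Review bot: The new platform.machine() test at the top of _identify_arch covers only "armv7l", so every other non-x86 machine still falls through to the bits check and is handed /x86_64-linux-gnu or /i386-linux-gnu, which is the same invalid plugin path this report describes. Instead of one branch per machine string, derive the multiarch directory once (for example from dpkg-architecture -qDEB_HOST_MULTIARCH at package build time) and raise an explicit error when it cannot be determined, rather than defaulting to an x86 path. The "armv7l" branch also assumes a hard-float userland; a comment saying so would help. As posted, the five added lines carry no indentation after the "+", so the method-body indentation has to be restored before the result is valid Python.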

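As an added example (not code from the report, from FreeIPA or from the Ubuntu package): a Python check that compares the multiarch component of a plugin path with the triplet for the target machine and refuses to guess for machines it does not know. The machine-to-triplet table, the function names and the PLUGIN_DIR/example-plugin.so tail are assumptions made for illustration.

```python
import platform
import posixpath
import sysconfig

# Debian/Ubuntu multiarch triplets keyed by platform.machine() (assumed table;
# armv7l is taken to be the hard-float port, as in the patch above).
TRIPLETS = {
    "x86_64": "x86_64-linux-gnu",
    "i686": "i386-linux-gnu",
    "i386": "i386-linux-gnu",
    "armv7l": "arm-linux-gnueabihf",
    "aarch64": "aarch64-linux-gnu",
    "ppc64le": "powerpc64le-linux-gnu",
    "s390x": "s390x-linux-gnu",
}


def triplet_for(machine):
    """Map a machine name to its triplet; refuse to guess for unknown ones."""
    try:
        return TRIPLETS[machine]
    except KeyError:
        raise ValueError("no multiarch triplet known for %r" % machine)


def host_triplet():
    """Prefer the triplet the interpreter was built for, then the table."""
    return sysconfig.get_config_var("MULTIARCH") or triplet_for(platform.machine())


def check_plugin_path(path, triplet):
    """Return (ok, corrected_path) for a /usr/lib/<triplet>/... plugin path."""
    parts = posixpath.normpath(path).split("/")
    # parts == ['', 'usr', 'lib', '<triplet>', ...]
    if parts[:3] != ["", "usr", "lib"] or len(parts) < 5:
        raise ValueError("not a multiarch library path: %r" % path)
    corrected = "/".join(parts[:3] + [triplet] + parts[4:])
    return parts[3] == triplet, corrected


if __name__ == "__main__":
    # Constructed sample: the x86 prefix from the report with a placeholder tail.
    sample = "/usr/lib/i386-linux-gnu/PLUGIN_DIR/example-plugin.so"
    print(check_plugin_path(sample, triplet_for("armv7l")))
    print(check_plugin_path(sample, host_triplet()))
```
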
Timo Aaltonen (tjaalton) wrote :

right, it was expected that sooner or later someone used 389 on !x86 :/

the libarch patch should cover all the others too

Changed in 389-ds-base (Ubuntu):
status: New → Triaged
Philippe Clérié (pclerie) wrote :

#$%*@

Just hit that bug. I've done all my testing on x86 VMs without any problems. Now that I want to do it for real, I wanted to use a RPi as server and bingo!

So what would the above look like for the RPi?

Thanks

Philippe Clérié (pclerie) wrote :

OK! That patch worked on the RPi as is. So I got past that problem.

To be hit by this:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/28]: creating certificate server user
  [2/28]: configuring certificate server instance
  [3/28]: stopping certificate server instance to update CS.cfg
  [4/28]: backing up CS.cfg
  [5/28]: disabling nonces
  [6/28]: set up CRL publishing
  [7/28]: enable PKIX certificate path discovery and validation
  [8/28]: starting certificate server instance
  [9/28]: creating RA agent certificate database
  [10/28]: importing CA chain to RA certificate database
  [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
ipa.ipapython.install.cli.install_tool(Server): ERROR Unable to retrieve CA chain: [Errno 111] Connection refused
ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Still trying to figure out what that is. :-(

Philippe Clérié (pclerie) wrote :

More errors.

I quit trying to install IPA on the RPi, and I went back to a KVM based VM, with a downloaded Xenial cloud image. So now I get past importing CA chain but then this:

  [10/28]: importing CA chain to RA certificate database
  [11/28]: fixing RA database permissions
  [12/28]: setting up signing cert profile
  [13/28]: setting audit signing renewal to 2 years
  [14/28]: restarting certificate server
  [15/28]: requesting RA certificate from CA
  [16/28]: issuing RA agent certificate
  [error] CalledProcessError: Command '/usr/bin/sslget -v -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-pdYh6Y -r /ca/agent/ca/profileReview?requestId=7 mizar.aaaaaaaa.bbb:8443' returned non-zero exit status 6
ipa.ipapython.install.cli.install_tool(Server): ERROR Command '/usr/bin/sslget -v -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-pdYh6Y -r /ca/agent/ca/profileReview?requestId=7 mizar.aaaaaaaa.bbb:8443' returned non-zero exit status 6

A month ago I was going through this twice a day without any problems.

Timo Aaltonen (tjaalton) wrote :

file a new bug

Philippe Clérié (pclerie) wrote :

Actually, that was an IPv6 misconfiguration error. Fixed that.

On the other hand I filed #1627371 for a couple of timing problems.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in freeipa (Ubuntu):
status: New → Confirmed
Timo Aaltonen (tjaalton)
Changed in 389-ds-base (Ubuntu):
status: Triaged → Invalid
Timo Aaltonen (tjaalton) wrote :

freeipa (4.7.0~pre1+git20180411-2ubuntu1) bionic; urgency=medium

  * tests/server-install: Fix the fake domain, single label domains are not
    supported anymore.
  * tests: If the server install fails, just dump the log and exit
    successfully.

 -- Timo Aaltonen <email address hidden> Wed, 18 Apr 2018 17:50:11 +0300

freeipa (4.7.0~pre1+git20180411-2) experimental; urgency=medium

  * fix-bind-ldap-so-path.diff: Dropped, the plugin uses non-MA path
    now, fix depends to match.
  * control: Add python-augeas to python-ipaclient depends. (LP: #1764615)
  * ldap-multiarch.diff: Replace hack-libarch.diff with a new patch to
    support more than x86. (LP: #1600634)

 -- Timo Aaltonen <email address hidden> Tue, 17 Apr 2018 23:47:32 +0300

Changed in freeipa (Ubuntu):
status: Confirmed → Fix Released