The installer is a bit sloppy and makes some bad assumptions. The problem turns out to be that the directory server setup seems to be running as dirsrv, not root. Ipa-server-install (more specifically dsinstance.py) writes out the file /var/lib/dirsrv/boot.ldif. But it does so as root, using root’s umask. It doesn’t do a check to make sure dirsrv can read this file before spawning an external process to create the directory server. Part of security best practices recommended by the CIS group as well as others is to set root’s umask to 0077. With this setting in place, dirsrv is unable to read /var/lib/dirsrv/boot.ldif, which causes setup-ds.pl to fail when executed from ipa-server-install.
How to test:
- login as root
- set root umask to `0077`
- install IPA server
- quick-check that you can kinit, control LDAP database etc.
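To illustrate the root cause described above and the readability check the installer lacks, here is an added example that is not taken from FreeIPA's dsinstance.py: under umask 0077 it writes the LDIF the naive way and with an explicit mode and group, then asks whether a stand-in service identity could read each file. The function names, the sample LDIF content and the stand-in uid/gid are constructed assumptions.

```python
import os
import stat
import tempfile

# Constructed stand-in for the LDIF that dsinstance.py writes, not the real boot.ldif.
SAMPLE_LDIF = "dn: dc=example,dc=test\nobjectClass: domain\ndc: example\n"

def write_readable_file(path, content, mode=0o640, uid=-1, gid=-1):
    """Write content with an explicit mode and owner, independent of the umask.
    os.open() still applies the umask to 'mode' (0o640 under umask 0077 gives
    0o600), so os.chmod() afterwards restores the intended bits. uid/gid of -1
    leave ownership unchanged (os.chown semantics)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)      # undo whatever the umask stripped
    os.chown(path, uid, gid)  # e.g. the gid of the dirsrv service group
    return path

def readable_by(path, uid, gid):
    """Rough read check for a uid/gid from the owner/group/other bits only
    (ignores supplementary groups and ACLs)."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def demo(workdir=None):
    """Under umask 0077, write boot.ldif the naive way and the fixed way, then
    ask whether a stand-in service account (other uid, our gid) could read each."""
    workdir = workdir or tempfile.mkdtemp()
    old_umask = os.umask(0o077)  # CIS-style hardened root umask from the report
    try:
        naive = os.path.join(workdir, "boot-naive.ldif")
        with open(naive, "w") as fh:  # plain open(): ends up 0600
            fh.write(SAMPLE_LDIF)
        fixed = write_readable_file(os.path.join(workdir, "boot.ldif"),
                                    SAMPLE_LDIF, 0o640, gid=os.getgid())
    finally:
        os.umask(old_umask)
    svc_uid, svc_gid = os.getuid() + 1, os.getgid()  # hypothetical dirsrv identity
    return {
        "naive_mode": stat.S_IMODE(os.stat(naive).st_mode),
        "fixed_mode": stat.S_IMODE(os.stat(fixed).st_mode),
        "naive_readable": readable_by(naive, svc_uid, svc_gid),
        "fixed_readable": readable_by(fixed, svc_uid, svc_gid),
    }
```

In the installer the equivalent check before spawning setup-ds.pl would use the real dirsrv uid/gid (e.g. from `pwd.getpwnam`) rather than the stand-in values above.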
master: b227208
ipa-2-0: 9ce56a6
Metadata Update from @dpal:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 2.1 - 2011/06