Since we're using this sysaccount in permissions, which are represented as groups, we need to allow adtrust agents group to become nestedgroup. Currently it's only groupofnames.
From the dirsrv's log during the LDAP updates phase of IPA installation:
[10/Jul/2014:15:37:23 +0200] - Entry "cn=adtrust agents,cn=sysaccounts,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" -- attribute "memberOf" not allowed
[10/Jul/2014:15:37:23 +0200] memberof-plugin - memberof_postop_add: failed to add dn(cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com), error (-1)
Underlying issue in DS is making this noticeable since it causes installation to hang. The memberof plugin does not report the failure correctly, and the client is stuck waiting for the result.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/13]: setting mod_nss port to 443
  [2/13]: setting mod_nss password file
  [3/13]: enabling mod_nss renegotiate
  [4/13]: adding URL rewriting rules
  [5/13]: configuring httpd
  [6/13]: setting up ssl
  [7/13]: setting up browser autoconfig
  [8/13]: publish CA cert
  [9/13]: creating a keytab for httpd
  [10/13]: clean up any existing httpd ccache
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates ...
master:
ipa-4-1:
ipa-4-0:
Metadata Update from @tbabej: - Issue assigned to tbabej - Issue set to the milestone: FreeIPA 4.0.1
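Added example (not part of the ticket or of FreeIPA's code): a small Python scan of a dirsrv errors log that pairs a schema rejection of memberOf with the memberof-plugin failure that follows it, so a hung "Applying LDAP updates" step can be traced to the entry whose object classes do not permit memberOf. The sample log is constructed from the two lines quoted in the ticket with a placeholder suffix; the function and field names are hypothetical.

```python
import re

# Constructed sample modelled on the two log lines quoted in the ticket
# (placeholder suffix dc=example,dc=test; third line is unrelated filler).
SAMPLE_LOG = """\
[10/Jul/2014:15:37:23 +0200] - Entry "cn=adtrust agents,cn=sysaccounts,cn=etc,dc=example,dc=test" -- attribute "memberOf" not allowed
[10/Jul/2014:15:37:23 +0200] memberof-plugin - memberof_postop_add: failed to add dn(cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=example,dc=test), error (-1)
[10/Jul/2014:15:37:24 +0200] - constructed unrelated log line
"""

# Schema check rejecting an attribute on an entry.
SCHEMA_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - Entry "(?P<dn>[^"]+)" -- attribute "(?P<attr>[^"]+)" not allowed')
# memberOf plugin reporting that its post-operation update failed.
PLUGIN_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] memberof-plugin - (?P<func>\w+): '
    r'failed to add dn\((?P<dn>.*)\), error \((?P<rc>-?\d+)\)')


def find_memberof_schema_failures(lines):
    """Pair each memberof-plugin failure with the preceding memberOf schema rejection."""
    findings, pending = [], None
    for line in lines:
        m = SCHEMA_RE.match(line)
        if m:
            # Only a rejected memberOf attribute is relevant to the plugin failure.
            pending = m.groupdict() if m["attr"].lower() == "memberof" else None
            continue
        m = PLUGIN_RE.match(line)
        if m:
            findings.append({
                "timestamp": m["ts"],
                "plugin_dn": m["dn"],        # DN named in the plugin error
                "error": int(m["rc"]),
                # Entry whose schema does not allow memberOf, if one was logged
                "rejected_entry": pending["dn"] if pending else None,
            })
            pending = None
    return findings


if __name__ == "__main__":
    for f in find_memberof_schema_failures(SAMPLE_LOG.splitlines()):
        print(f"{f['timestamp']}: memberOf not allowed on {f['rejected_entry']!r} "
              f"while processing {f['plugin_dn']!r} (error {f['error']})")
```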