Receiving "Error checking LDAP: Server is unwilling to perform: Minimum SSF not met." while running ipa-client-install
Environment
- Red Hat Enterprise Linux
- IPA
Issue
When running ipa-client-install and/or ipa-replica-install, the following error is reported: Error checking LDAP: Server is unwilling to perform: Minimum SSF not met.
[root@example.com ~]# ipa-client-install --server=server1.example.com --server=server2.example.com --server=server1.example.com --domain=example.com --hostname=`hostname -s`.example.com --password=temp --fixed-primary --no-ntp --unattended
Error checking LDAP: Server is unwilling to perform: Minimum SSF not met.
Error checking LDAP: Server is unwilling to perform: Minimum SSF not met.
Error checking LDAP: Server is unwilling to perform: Minimum SSF not met.
Client hostname: server.example.com
Realm: EXAMPLE.COM
DNS Domain: EXAMPLE.COM
IPA Server: server1.example.com, server2.example.com, server3.example.com
BaseDN: dc=example,dc=com
....
Client configuration complete.
Resolution
This is working as expected. During discovery the client tries to verify that the servers it found are IPA masters, but it does not yet have the IPA CA certificate needed to set up a TLS connection, so the LDAP server rejects the unprotected connection for not meeting its minimum SSF. These SSF failures are not fatal; the client configuration still completes.
If you want to avoid the messages, you can do the following on the IPA server.
- Stop IPA server.
# service ipa stop
- Take backup of file.
# cp /etc/dirsrv/slapd-instancename/dse.ldif /etc/dirsrv/slapd-instancename/dse.ldif.bak
- Change nsslapd-minssf to 0. This attribute is the minimum security strength factor that Directory Server requires for a connection; 0 removes that minimum, so unencrypted LDAP connections are accepted.
In /etc/dirsrv/slapd-instancename/dse.ldif, change
nsslapd-minssf: 1
to
nsslapd-minssf: 0
- Start IPA server.
# service ipa start
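The edit above, scripted as an added example (not part of the Red Hat solution): it backs up dse.ldif, rewrites only the nsslapd-minssf line and verifies the result. The function names and the file argument are this example's own; the directory server must be stopped before the file is edited, as in the steps above.

```shell
#!/bin/sh
# Added example: adjust nsslapd-minssf in a 389-ds dse.ldif.
# Run only while the instance is stopped (service ipa stop).

# Print the current nsslapd-minssf value. The anchored pattern with the
# trailing colon does not match nsslapd-minssf-exclude-rootdse.
minssf_get() {
    sed -n 's/^nsslapd-minssf: *//p' "$1"
}

# Back up dse.ldif and set nsslapd-minssf to the requested integer.
# Usage: minssf_set /etc/dirsrv/slapd-INSTANCE/dse.ldif 0
minssf_set() {
    file=$1
    value=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    case $value in
        ''|*[!0-9]*) echo "minssf must be a non-negative integer" >&2; return 1 ;;
    esac
    # timestamped copy, like the dse.ldif.bak in the manual steps
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    new=$(mktemp) || return 1
    sed "s/^nsslapd-minssf: .*/nsslapd-minssf: $value/" "$file" > "$new" || return 1
    # write through the existing inode so owner and mode of dse.ldif are kept
    cat "$new" > "$file" && rm -f "$new" || return 1
    # confirm exactly the intended value is now in place
    [ "$(minssf_get "$file")" = "$value" ]
}
```

Check the value afterwards with the article's grep; once the client is enrolled and trusts the IPA CA, the original nsslapd-minssf value can be restored from the backup the same way.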
Root Cause
During discovery the client tries to verify that the servers it found are IPA masters, but it does not yet have the IPA CA certificate needed to connect over TLS, so the server reports that the minimum SSF is not met.
Diagnostic Steps
[root@example.com ~]# grep nsslapd-minssf /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
nsslapd-minssf: 1
nsslapd-minssf-exclude-rootdse: on
[root@example.com ~]# ipa-client-install --server=server1.example.com --server=server2.example.com --server=server1.example.com --domain=example.com --hostname=`hostname -s`.example.com --password=temp --fixed-primary --no-ntp --unattended
Error checking LDAP: Server is unwilling to perform: Minimum SSF not met.
Error checking LDAP: Server is unwilling to perform: Minimum SSF not met.
Error checking LDAP: Server is unwilling to perform: Minimum SSF not met.
Client hostname: server.example.com
Realm: EXAMPLE.COM
DNS Domain: EXAMPLE.COM
IPA Server: server1.example.com, server2.example.com, server3.example.com
BaseDN: dc=example,dc=com
....
Client configuration complete.
[root@example.com ~]# grep nsslapd-minssf /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
nsslapd-minssf: 0
nsslapd-minssf-exclude-rootdse: on
[root@example.com ~]# ipa-client-install --server=server1.example.com --server=server2.example.com --server=server1.example.com --domain=example.com --hostname=`hostname -s`.example.com --password=temp --fixed-primary --no-ntp --unattended
Client hostname: server.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server1.example.com, server2.example.com, server3.example.com
BaseDN: dc=example,dc=com
...
Client configuration complete.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.