#5202 ipa-client-install modifies /etc/openldap/ldap.conf in a way which is unhandy for openldap-clients
Closed: fixed a year ago. Opened 4 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1245626

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:

When TLS_CACERT is specified in /etc/openldap/ldap.conf when
"ipa-client-install" is run, it creates line
  #TLS_CACERT /etc/ipa/ca.crt # modified by IPA
which sysadmins are likely to modify into
  TLS_CACERT /etc/ipa/ca.crt # modified by IPA
which will be ignored by openldap-client tools (correctly, as per manpage)

Version-Release number of selected component (if applicable):
ipa-client-4.* is affected, all of rhel7.0 and 7.1
ipa-client-3.* seems not affected, I checked on RHEL6.7GA

How reproducible:
always

Steps to Reproduce:
1. setup rhel7.0 or rhel7.1
2. yum -y install ipa-server bind bind-dyndb-ldap
3. echo 'TLS_CACERT /etc/openldap/mycert.pem' >>/etc/openldap/ldap.conf
4. # do a plain ipa setup
   ipa-server-install --realm=FLUXCOIL.NET --domain=fluxcoil.net \
  --ds-password=redhat12 --master-password=redhat12 \
  --admin-password=redhat12 --hostname=$(hostname -f) --no-ntp \
  --idstart=10000 --setup-dns --zonemgr=me@example.org --ssh-trust-dns \
  --ip-address=$(ip addr s dev eth0|grep 'inet '|sed -e 's,.*inet ,,' \
     -e 's,/.*,,') --no-forwarders -U
5. grep ca.crt /etc/openldap/ldap.conf

Actual results:
#TLS_CACERT /etc/ipa/ca.crt # modified by IPA

Expected results:
#TLS_CACERT /etc/ipa/ca.crt

Additional info:
- From 'man 5 ldap.conf' it seems like openldap-client is only covering '#' characters at the start of lines. I think rather our ipa-client-install should be modified to fix this.
- From /usr/sbin/ipa-client-install we are calling /usr/lib/python2.7/site-packages/ipaclient/ipachangeconf.py to add the "# modified by IPA"

mhonek's proposal: move the comment to the line above
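To illustrate the parsing rule the ticket relies on and the proposed fix, here is an added example that is not ipachangeconf's or FreeIPA's code: a minimal ldap.conf reader that follows ldap.conf(5) (a line is a comment only when '#' is its first character; everything after the option keyword, a trailing '#' included, is the value), plus a rewrite that moves the "# modified by IPA" marker onto its own line above the option. The sample configuration and the helper names are constructed for this example.

```python
# Constructed sample: the line the ticket describes, after an admin removes
# the leading '#' from "#TLS_CACERT /etc/ipa/ca.crt # modified by IPA".
LDAP_CONF_TRAILING = """\
# See ldap.conf(5) for details
TLS_CACERT /etc/ipa/ca.crt # modified by IPA
URI ldaps://ipa.example.test
"""

IPA_MARK = "# modified by IPA"


def parse_ldap_conf(text):
    """Parse ldap.conf as ldap.conf(5) documents it (assumption based on the
    manpage): only a line whose first character is '#' is a comment; otherwise
    the first word is the option and the rest of the line is its value."""
    options = {}
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        parts = raw.strip().split(None, 1)
        if len(parts) == 2:
            options[parts[0].upper()] = parts[1]
    return options


def cacert_is_plausible(text):
    """True only if TLS_CACERT parsed to a single absolute path with no '#'.
    With a trailing comment the value is a path that cannot exist, so TLS
    validation silently loses its CA file."""
    value = parse_ldap_conf(text).get("TLS_CACERT", "")
    return value.startswith("/") and "#" not in value and " " not in value


def move_marker_above(text, marker=IPA_MARK):
    """Rewrite every line carrying the marker as a trailing comment so the
    marker sits on its own line above the setting (mhonek's proposal).
    Works for active and commented-out lines alike, so an admin who later
    removes the leading '#' gets a clean option line."""
    out = []
    for raw in text.splitlines():
        setting = raw[: raw.rfind(marker)].rstrip() if marker in raw else ""
        if raw.rstrip().endswith(marker) and setting:
            out.append(marker)
            out.append(setting)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"
```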

Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

2 years ago

Metadata Update from @abiagion:
- Issue assigned to abiagion (was: someone)

a year ago

Metadata Update from @abiagion:
- Issue close_status updated to: None

a year ago

master:

  • 53c5496 ipa-client-install: Update how comments are added by ipachangeconf

Fix landed in master, but I had some trouble with backport. Please manually backport this patch into 4.6, too.

ipa-4-6:

  • 009d6bf ipa-client-install: Update how comments are added by ipachangeconf

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago
