Bug 1203024

Summary: authconfig will not create /etc/openldap/cacerts
Product: [Fedora] Fedora
Reporter: Orion Poplawski <orion>
Component: authconfig
Assignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 22
CC: jlieskov, lnie, spoore, tmraz
Hardware: All
OS: Linux
Fixed In Version: authconfig-6.2.10-6.fc22
Doc Type: Bug Fix
Last Closed: 2015-04-21 19:31:31 UTC
Type: Bug
Attachments: authconfig --test output (flags: none)

Description Orion Poplawski 2015-03-17 22:56:34 UTC
Description of problem:

Whatever used to create /etc/openldap/cacerts before (I have no idea), apparently no longer does.  As a result:

# /usr/sbin/authconfig --update --nostart --ldaploadcacert=http://www.cora.nwra.com/cgi-bin/getca.pl
authconfig: Error downloading CA certificate
'/etc/openldap/cacerts' must be a directory.

I'm not sure why authconfig doesn't just create it if it needs it.

Version-Release number of selected component (if applicable):
authconfig-6.2.10-3.fc22.x86_64

Comment 1 Fedora Update System 2015-03-30 12:06:19 UTC
authconfig-6.2.10-4.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/authconfig-6.2.10-4.fc22

Comment 2 lnie 2015-03-31 07:58:58 UTC
Tested with authconfig-6.2.10-4.fc22, and got the following output:
'' must be a directory.
'' must be a directory.

Comment 3 Tomas Mraz 2015-03-31 09:12:51 UTC
Please try authconfig-6.2.10-5.fc22.

Comment 4 Orion Poplawski 2015-03-31 22:20:49 UTC
Still the same:

# /usr/sbin/authconfig --update --nostart --ldaploadcacert=http://www.cora.nwra.com/cgi-bin/getca.pl
authconfig: Error downloading CA certificate
'/etc/openldap/cacerts' must be a directory.
# rpm -q authconfig
authconfig-6.2.10-5.fc22.x86_64

Comment 5 Tomas Mraz 2015-04-01 08:27:59 UTC
Is there an /etc/openldap directory?
Which of the configuration files:
/etc/ldap.conf, /etc/nss_ldap.conf, /etc/pam_ldap.conf, /etc/nslcd.conf, /etc/openldap/ldap.conf do you have on your system and what is the tls_cacertdir option value in the files?

Can you attach authconfig --test output?

Comment 6 Orion Poplawski 2015-04-01 14:45:05 UTC
Created attachment 1009688
authconfig --test output

# ls -l /etc/openldap
total 4
drwxr-xr-x. 2 root root   6 Feb 20 06:13 certs
-rw-r--r--. 1 root root 445 Mar 31 16:19 ldap.conf

ls: cannot access /etc/ldap.conf: No such file or directory
ls: cannot access /etc/nss_ldap.conf: No such file or directory
ls: cannot access /etc/nslcd.conf: No such file or directory
-rw-r--r--. 1 root root  445 Mar 31 16:19 /etc/openldap/ldap.conf
-rw-r--r--. 1 root root 8897 Mar 31 16:19 /etc/pam_ldap.conf

/etc/pam_ldap.conf:#tls_cacertdir /etc/ssl/certs
/etc/pam_ldap.conf:tls_cacertdir /etc/openldap/cacerts

Comment 7 Fedora Update System 2015-04-02 01:41:53 UTC
Package authconfig-6.2.10-5.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing authconfig-6.2.10-5.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-5273/authconfig-6.2.10-5.fc22
then log in and leave karma (feedback).

Comment 8 Tomas Mraz 2015-04-02 10:25:51 UTC
So I've finally found the regression cause - there was a mistake in the Python 3 compatibility patch.

Comment 9 Fedora Update System 2015-04-02 18:59:36 UTC
Package authconfig-6.2.10-6.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing authconfig-6.2.10-6.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-5273/authconfig-6.2.10-6.fc22
then log in and leave karma (feedback).

Comment 10 Scott Poore 2015-04-06 17:56:17 UTC
Looks good from what I can tell. Note 192.168.122.30 is an IPA master.

Before upgrade:

[root@fedora1 ~]# /usr/sbin/authconfig --update --nostart --ldaploadcacert=http://192.168.122.30/ipa/config/ca.crt
authconfig: Error downloading CA certificate

After upgrading authconfig:

[root@fedora1 ~]# dnf update authconfig
...truncated for brevity...
Upgraded:

  authconfig.x86_64 6.2.10-6.fc22                                                                      

Complete!
[root@fedora1 ~]# /usr/sbin/authconfig --update --nostart --ldaploadcacert=http://192.168.122.30/ipa/config/ca.crt
[root@fedora1 ~]#

Comment 11 Orion Poplawski 2015-04-07 18:22:04 UTC
Looking better for me on an installed system:

# ls /etc/openldap/
certs  ldap.conf
# /usr/sbin/authconfig --update --nostart --ldaploadcacert=http://www.cora.nwra.com/cgi-bin/getca.pl
# ls /etc/openldap/cacerts/
157753a5.0  authconfig_downloaded.pem

My concern now is that this directory wasn't created despite running this command in my kickstart %post section.

Comment 12 Tomas Mraz 2015-04-07 19:18:53 UTC
The default for the directory is now /etc/openldap/certs. You probably install /etc/pam_ldap.conf only after authconfig is run in kickstart with the /etc/openldap/cacerts directory set.

I think your setup is quite different from a normal Fedora install.

Comment 13 Orion Poplawski 2015-04-07 19:50:08 UTC
Ah, I see that now, thanks.

Comment 14 Fedora Update System 2015-04-21 19:31:31 UTC
authconfig-6.2.10-6.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
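
Added example (not part of the original bug thread and not authconfig code): a shell check that automates the diagnosis from Comments 5, 6 and 12 by reporting each LDAP client file's active tls_cacertdir, whether that directory exists, and whether the files disagree. The optional ROOT prefix argument and the rule that the last active line wins are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of authconfig. The file list is the one from Comment 5.
LDAP_CONFS="/etc/ldap.conf /etc/nss_ldap.conf /etc/pam_ldap.conf /etc/nslcd.conf /etc/openldap/ldap.conf"

# Print the last active (uncommented) tls_cacertdir value in file $1.
# Matching is case-insensitive because OpenLDAP's ldap.conf spells it TLS_CACERTDIR.
# Assumption: when the option appears more than once, the last active line wins.
active_cacertdir() {
    awk 'tolower($1) == "tls_cacertdir" { v = $2 } END { if (v != "") print v }' "$1"
}

# check_cacertdirs [ROOT]
# ROOT is an assumed optional prefix so the check can run against a copy of /etc
# (for example a kickstart chroot). Returns 0 only if every configured directory
# exists and all files that set the option agree on it.
check_cacertdirs() {
    root="${1:-}"
    rc=0
    seen=""
    for f in $LDAP_CONFS; do
        [ -f "$root$f" ] || continue
        dir=$(active_cacertdir "$root$f")
        [ -n "$dir" ] || continue
        if [ -d "$root$dir" ]; then
            state=ok
        else
            state=MISSING
            rc=1
        fi
        echo "$f: tls_cacertdir $dir [$state]"
        # Remember each distinct directory once.
        case " $seen " in
            *" $dir "*) ;;
            *) seen="$seen $dir" ;;
        esac
    done
    # More than one distinct value means the LDAP clients do not share a CA directory.
    set -- $seen
    if [ "$#" -gt 1 ]; then
        echo "MISMATCH:$seen"
        rc=1
    fi
    return "$rc"
}
```

Source the file and run `check_cacertdirs` before and after the authconfig call; in a kickstart %post section this shows whether the file that sets /etc/openldap/cacerts was already in place when authconfig ran.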