Bug 1353969

Summary: ipa-client-install should overwrite or prompt for changes in /etc/openldap/ldap.conf
Product: Red Hat Enterprise Linux 8 Reporter: Luc de Louw <ldelouw>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED WONTFIX QA Contact: Kaleem <ksiddiqu>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.0CC: abokovoy, hakon.gislason, pasik, pcech, pvoborni, rcritten, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1354528 (view as bug list) Environment:
Last Closed: 2020-08-18 12:36:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1354528    

Description Luc de Louw 2016-07-08 14:45:05 UTC 
Description of problem:
When installing an IPA server or client, any existing ldap.conf is not overwritten but the IPA ldap servers are appended and commented out.

This can cause confusion when running ldap operations such as ldapadd/ldapmodify and the like.


Version-Release number of selected component (if applicable):
4.2

How reproducible:
Always

Steps to Reproduce:
1. configure /etc/openldap/ldap.conf pointing to an ldap server. I.e.

BASE   dc=example,dc=com
URI    ldap://ldap.example.com


2. Run ipa-client-install
3. Finding the ldap config as follow:
BASE   dc=example,dc=com
URI    ldap://ldap.example.com

#URI ldaps://ipa1.example.com # modified by IPA
#BASE dc=ipa,dc=example,dc=com # modified by IPA



Actual results:
LDAP operations on the IPA server will fail.

Expected results:
LDAP config should comment out the original BASE and URI and put in place the new IPA ldap config.

Additional info:
On clients, it can be a valid configuration pointing /etc/openldap/ldap.conf to a different LDAP server used by an application on the server. A nice solution would be adding a switch to ipa-client-install i.e --overwrite-config or similar. This switch should be used as default when ipa-server-install triggers the client config part.
Comment 2 Petr Vobornik 2016-07-12 16:04:28 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6065
Comment 3 Petr Vobornik 2016-07-12 16:04:58 UTC 
Was clone upstream to Future release milestone. This behavior is undefined in IPA and therefore it will need a design page.

A suggestion from Jan Pazdiora:
"""
Could we check that the content of the file is the rpm-default/vanilla,  not touched yet, and overwrite if the file was not touched yet but not  overwrite if it was somehow modified by the admin?
"""
Comment 7 Petr Čech 2020-08-18 12:36:21 UTC 
Thank you taking your time and submitting this request for Red Hat Enterprise Linux. It was unfortunately not given priority Red Hat Enterprise Linux.
Given that this request is not planned for a close release, it is highly unlikely it will be fixed in this major version of Red Hat Enterprise Linux. We are therefore closing the request as WONTFIX.
To request that Red Hat reconsiders the decision, please reopen the Bugzilla with the help of Red Hat Customer Service and provide additional business and/or technical details about it's importance to you.
Comment 8 hakon.gislason 2022-10-05 18:43:22 UTC 
Any chance of opening this again? This is causing us issues with ldap authentication of web services. IPA / IDM overrides ldap.conf with it's own CA store file (TLS_CACERT /etc/ipa/ca.crt). We have multiple CA's in house and this causes certificate verification to fail on LDAP servers other than IPA (example MS AD).
If not, then providing a workaround would be good.
Comment 9 Rob Crittenden 2022-10-05 19:11:06 UTC 
Given that there is system-wide certificate trust now setting this is probably better:

TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt

Are you installing your custom trust system-wide? If so this would solve both problems.
Comment 10 Alexander Bokovoy 2022-10-06 06:10:24 UTC 
We also have bug 2094673 which asks to drop setting a TLS store in ldap.conf. I think we can continue in that bug instead of reopening this one.

Hakon, I submitted https://github.com/freeipa/freeipa/pull/6496 to remove TLS_CACERT. Please help testing this configuration in the upstream PR.
Comment 11 hakon.gislason 2022-10-06 09:42:16 UTC 
We have a few different CA's in house that we install/manage on all hosts with Ansible. It would make sense if the IPA client would just add the IPA CA to the system-wide store. Then we could drop this issue. Overwriting the whole config and specifying just one CA for everything that uses openldap (in our case: LibreNMS with LDAP auth) didn't make any sense to me. Alexander is right, bug 2094673 would solve this better.
Comment 12 hakon.gislason 2022-10-06 09:42:59 UTC 
Edit:
>Are you installing your custom trust system-wide?
Yes.