Bug 1527215

Summary: RFE: ipa client should setup openldap for GSSAPI
Product: Red Hat Enterprise Linux 7
Reporter: Brian J. Atkisson <batkisso>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.4
CC: afarley, amarecek, batkisso, cheimes, frenaud, ndehadra, pasik, pvoborni, rcritten, tscherf
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.6.5-2.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-08-06 13:09:05 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Brian J. Atkisson 2017-12-18 20:41:07 UTC
Description of problem:

The IPA client installer currently edits /etc/openldap/ldap.conf, setting up the client to consume LDAP data from IPA.  It currently sets:

URI
BASE
TLS_CACERT

It really should also add:

SASL_MECH GSSAPI
TLS_REQCERT demand


The IPA client installer assumes the client will only be speaking LDAP to IPA, so might as well secure that connection as much as possible by default.
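As an added illustration of the change being requested (this is example code written for this page, not FreeIPA's installer code or the upstream fix), the function below rewrites an existing /etc/openldap/ldap.conf so that URI, BASE, TLS_CACERT, SASL_MECH and TLS_REQCERT are each set exactly once. It handles the ldap.conf(5) syntax points that make a naive "append a line" approach unsafe: keywords are case-insensitive, key and value may be separated by any whitespace, and a pre-existing directive must be replaced rather than duplicated. The sample file, the host names and the base DN are constructed placeholders; TLS_REQCERT is written explicitly even though "demand" is the documented default, since an explicit value survives a local override elsewhere in the file.

```python
import re

# Settings the IPA client installer already writes (URI, BASE, TLS_CACERT)
# plus SASL_MECH / TLS_REQCERT as requested in this RFE. All values are
# constructed placeholders, not taken from a real deployment.
DESIRED = {
    "URI": "ldaps://ipa.example.test",
    "BASE": "dc=example,dc=test",
    "TLS_CACERT": "/etc/ipa/ca.crt",
    "SASL_MECH": "GSSAPI",
    "TLS_REQCERT": "demand",
}

# ldap.conf(5) directives are "KEYWORD value", whitespace separated;
# keywords are case-insensitive and '#' starts a comment.
_LINE_RE = re.compile(r"^\s*([A-Za-z_]+)\s+(.*?)\s*$")

# Constructed sample of what an older client might leave behind: mixed-case
# keywords, tab and multi-space separators, and an unrelated directive.
SAMPLE = (
    "# constructed sample ldap.conf\n"
    "uri\tldap://old.example.test\n"
    "  Base   dc=old,dc=test\n"
    "TLS_CACERT /etc/ipa/ca.crt\n"
    "TIMELIMIT 15\n"
)


def update_ldap_conf(text, settings=DESIRED):
    """Return ldap.conf text with every key in `settings` set exactly once.

    Existing directives for those keys are rewritten in place (keeping their
    position, normalising the keyword to upper case, collapsing whitespace);
    duplicate directives are dropped; keys not yet present are appended.
    Comments and unrelated directives are left untouched.
    """
    wanted = {k.upper(): v for k, v in settings.items()}
    seen = set()
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)
            continue
        m = _LINE_RE.match(line)
        key = m.group(1).upper() if m else None
        if key in wanted:
            if key in seen:
                # second copy of a managed directive: drop it so the
                # file carries one unambiguous value per key
                continue
            out.append("%s %s" % (key, wanted[key]))
            seen.add(key)
        else:
            out.append(line)
    for key, value in wanted.items():
        if key not in seen:
            out.append("%s %s" % (key, value))
    return "\n".join(out) + "\n"


def parse_ldap_conf(text):
    """Map of upper-cased keyword -> value for each directive (last one wins)."""
    result = {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m:
            result[m.group(1).upper()] = m.group(2)
    return result


if __name__ == "__main__":
    # Stand-alone run: show the rewritten sample file.
    print(update_ldap_conf(SAMPLE))
```

Running the block on the constructed sample replaces the `uri` and `Base` lines in place, keeps `TIMELIMIT`, and appends `SASL_MECH GSSAPI` and `TLS_REQCERT demand`; running it a second time on its own output changes nothing, which is the property an installer needs so that re-running it does not accumulate duplicate directives.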

Comment 3 Florence Blanc-Renaud 2017-12-20 14:42:05 UTC
Hi,

1- SASL-MECH option:
according to ldap.conf(5) man page, SASL_MECH option is a *user-only* option, which means that it cannot be set in ldap.conf:

-----
Some options are user-only.  Such options are ignored if present in the ldap.conf (or file specified by LDAPCONF).
[...]
       SASL_MECH <mechanism>
              Specifies the SASL  mechanism  to  use.   This  is  a  user-only
              option.
-----


2- TLS_REQCERT option:
according to ldap.conf man page, the default setting is "demand":

-----
       TLS_REQCERT <level>
              Specifies what checks to perform on server certificates in a TLS
              session, if any. The <level> can be specified as one of the fol‐
              lowing keywords:
[...]
              demand | hard
                     These keywords are equivalent. The server certificate  is
                     requested.  If  no certificate is provided, or a bad cer‐
                     tificate is provided, the session is  immediately  termi‐
                     nated. This is the default setting.

-----

With the above information, do you agree that we can close this RFE?

Comment 4 Brian J. Atkisson 2017-12-20 14:52:40 UTC
1 - SASL-MECH absolutely gets applied, as defined in /etc/openldap/ldap.conf, when a user runs a ldap{search,modify,delete,whatever} from the CLI. This is the use-case that I want to target by this change.

2 - If TLS_REQCERT demand is the current default, that is fine, ignore #2 :)

I would say #1 still makes sense to do. We routinely have to instruct users to set it.

Comment 5 Florence Blanc-Renaud 2017-12-20 15:58:38 UTC
You are right, despite what the man page says, SASL_MECH can be set in /etc/openldap/ldap.conf and works.

We'll discuss this RFE with the team.

Comment 6 Rob Crittenden 2018-01-15 18:31:44 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7366

Comment 8 Christian Heimes 2018-04-25 10:12:57 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/07be3306c16c0c8eb729b980c5bd7fdba8343433

Comment 10 Christian Heimes 2019-03-28 20:49:22 UTC
Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/d4f1406fbd9349c9f64247bd3aeb1a3e0134e018

Comment 12 Nikhil Dehadrai 2019-06-12 09:41:00 UTC
ipa-client-4.6.5-9.el7.x86_64

Verified the bug on the basis of below observations:

================================================= test session starts =================================================
platform linux2 -- Python 2.7.14, pytest-3.2.3, py-1.4.34, pluggy-0.4.0 -- /usr/bin/python2
cachedir: .cache
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile:
plugins: xdist-1.14, sourceorder-0.5, multihost-1.1, beakerlib-0.7.1
collected 3 items                                                                                                      

test_ipaclient/test_ldapconf.py::test_openldap_conf_empty PASSED
test_ipaclient/test_ldapconf.py::test_openldap_conf_spaces PASSED
test_ipaclient/test_ldapconf.py::test_openldap_conf_mixed xfail

--------------------- generated xml file: /usr/lib/python2.7/site-packages/ipatests/nosetests.xml ---------------------
=============================================== short test summary info ===============================================
XFAIL test_ipaclient/test_ldapconf.py::test_openldap_conf_mixed
  freeipa ticket 7838
========================================= 2 passed, 1 xfailed in 0.09 seconds =========================================


1 TC xfail due to: https://pagure.io/freeipa/issue/7838


Thus on the basis of above observations, marking status of bug to 'VERIFIED'

Comment 15 errata-xmlrpc 2019-08-06 13:09:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241