Bug 2094673
| Summary: | ipa-client-install should just use system wide CA store and do not specify TLS_CACERT in ldap.conf | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Ding-Yi Chen <dchen> |
| Component: | ipa | Assignee: | Florence Blanc-Renaud <frenaud> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | medium | Docs Contact: | Alexandra Nikandrova <anikandr> |
| Priority: | unspecified | ||
| Version: | 9.2 | CC: | abokovoy, elpereir, frenaud, ftrivino, gfialova, hakon.gislason, myusuf, pasik, rcritten, tscherf |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel:
mirror+
|
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-4.10.1-1.el9 | Doc Type: | Bug Fix |
| Doc Text: |
.The IdM client installer no longer specifies the TLS CA configuration in the `ldap.conf` file
Previously, the IdM client installer specified the TLS CA configuration in the `ldap.conf` file. With this update, OpenLDAP uses the default truststore and the IdM client installer does not set up the TLS CA configuration in the `ldap.conf` file.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-05-09 07:32:52 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
OpenLDAP made it explicit to use default CA store as provided by OpenSSL in 2016: branches 2.5 and later: commit 4962dd6083ae0fe722eb23a618ad39e47611429b Author: Howard Guo <hguo> Date: Thu Nov 10 15:39:03 2016 +0100 branch 2.4: commit e3affc71e05b33bfac43833c7b95fd7b7c3188f8 Author: Howard Guo <hguo> Date: Thu Nov 10 15:39:03 2016 +0100 This means starting with OpenLDAP 2.4.45 we can drop the explicit CA configuration in ldap.conf. There are several use cases where an explicit IPA CA should be specified in the configuration. These mostly concern situations where a higher security level must be maintained. For these configurations an administrator would need to add an explicit CA configuration to ldap.conf if we wouldn't add it during the ipa-client-install setup. This is worth a release note. Upstream PR: https://github.com/freeipa/freeipa/pull/6496 Fixed upstream master: https://pagure.io/freeipa/c/22022ae2ff8d1767bd50eec098eddb02573ea1ae Fixed upstream ipa-4-10: https://pagure.io/freeipa/c/93b0e6a96a1aea45adc0d4c8bb26b226ce683573 Fixed upstream ipa-4-9: https://pagure.io/freeipa/c/d9a56b51bbb350219d0f5cb0ea6b3cc00230d437 version:
ipa-server-4.10.1-1.el9.x86_64
ipa-server-common-4.10.1-1.el9.noarch
ipa-server-dns-4.10.1-1.el9.noarch
============================= test session starts ==============================
platform linux -- Python 3.9.14, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.9.14', 'Platform': 'Linux-5.14.0-210.el9.x86_64-x86_64-with-glibc2.34', 'Packages': {'pytest': '6.2.2', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.7.0', 'multihost': '3.0', 'html': '3.1.1', 'sourceorder': '0.6.0'}}
rootdir: /usr/lib/python3.9/site-packages/ipatests
plugins: metadata-1.7.0, multihost-3.0, html-3.1.1, sourceorder-0.6.0
collecting ... collected 3 items
test_ipaclient/test_ldapconf.py::test_openldap_conf_empty PASSED [ 33%]
test_ipaclient/test_ldapconf.py::test_openldap_conf_spaces PASSED [ 66%]
test_ipaclient/test_ldapconf.py::test_openldap_conf_mixed XFAIL (fre...) [100%]
---------------- generated xml file: /home/cloud-user/junit.xml ----------------
----------- generated html file: file:///home/cloud-user/report.html -----------
=========================== short test summary info ============================
XFAIL test_ipaclient/test_ldapconf.py::test_openldap_conf_mixed
freeipa ticket 7838
========================= 2 passed, 1 xfailed in 0.16s =========================
Automation passed, hence marking the bug as verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (ipa bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:2205 |
Description of problem: Currently, ipa-client-install will modify /etc/openldap/ldap.conf and put: ~~~ TLS_CACERT /etc/ipa/ca.crt ~~~ However, it breaks LDAPS or STARTTLS for LDAP services that are signed by other CA. Fortunately, ipa-client-install already install CA cert in system wide store after ipa-4.0.3-1.el7 So we can rely on openldap's default, i.e. just use system wide CA store by not specifing TLS_CACERT and TLS_CACERTDIR. Quote man 5 ldap.conf TLS OPTIONS If OpenLDAP is built with Transport Layer Security support, there are more options you can specify. These options are used when an ldaps:// URI is selected (by default or otherwise) or when the application negotiates TLS by issuing the LDAP StartTLS operation. When using OpenSSL, if neither TLS_CACERT nor TLS_CACERTDIR is set, the system-wide default set of CA certificates is used. Version-Release number of selected component (if applicable): ipa-server-4.9.8-8.el9.x86_64 How reproducible: Always Steps to Reproduce: 1. ipa-client-install 2. grep TLS_CACERT /etc/openldap/ldap.conf | grep -v '\s*#' Actual results: Showing: TLS_CACERT /etc/ipa/ca.crt Expected results: Showing nothing, which means using the system wide CA cert store. Additional info: Should you have LDAPS access on ldap.example.com that is not signed by IPA CA, you can also try: ldapsearch -H ldaps://ldap.example.com -x -b "" The actual results is: ldap_start_tls: Connect error (-11) additional info: error:0A000086:SSL routines::certificate verify failed (self-signed certificate in certificate chain) Expect result: No error