Bug 570057
| Summary: | Bug in /etc/rc.d/init.d/slapd causes warning '/etc/pki/tls/certs/myverylongnodename.mysuperdooperl is not readable by "ldap"' | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Paul Moore <pmoore> | ||||
| Component: | openldap | Assignee: | Jan Zeleny <jzeleny> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | 12 | CC: | jzeleny, pmoore | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | openldap-2.4.19-4.fc12 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2010-04-09 01:30:13 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
openldap-2.4.21-5.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/openldap-2.4.21-5.fc13 openldap-2.4.19-4.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/openldap-2.4.19-4.fc12 openldap-2.4.21-5.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update openldap'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/openldap-2.4.21-5.fc13 openldap-2.4.19-4.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update openldap'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/openldap-2.4.19-4.fc12 openldap-2.4.19-4.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report. openldap-2.4.21-8.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/openldap-2.4.21-8.fc13 openldap-2.4.21-8.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report. |
Created attachment 397477 [details] Modified /etc/rc.d/init.d/slapd to handle arbitrary length certificate filenames. Description of problem: /etc/rc.d/init.d/slapd init script generates a warning on TLSCA certificate filenames when they have long filenames. Version-Release number of selected component (if applicable): openldap-servers-2.4.19-1.fc12.x86_64 in Fedora 12 How reproducible: Always if the filenames are long enough. Steps to Reproduce: 1. Create a certificate for slapd where the full path of the file exceeds 80 characters. - E.G. /etc/pki/tls/certs/myverylongnodename.mysuperdooperlongdomainname.com.au.pem 2. Configure /etc/openldap/slapd.conf with the certs and do a bunch of stuff to ensure that the filename eventually makes its way into /etc/openldap/slapd.d/cn\=config.ldif 3. service slapd start Actual results: /etc/pki/tls/certs/myverylongnodename.mysuperdooperlong is [WARNING]ble by "ldap" /etc/pki/tls/certs/myverylongnodename.mysuperdooperl is not[WARNING] by "ldap" Checking configuration files for slapd: [WARNING] bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2). Expect poor performance for suffix "dc=blueprintconsulting,dc=com". config file testing succeeded Starting slapd: [ OK ] Expected results: Checking configuration files for slapd: [WARNING] bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2). Expect poor performance for suffix "dc=blueprintconsulting,dc=com". config file testing succeeded Starting slapd: [ OK ] Additional info: Offending code in "/etc/rc.d/init.d/slapd": tlsconfigs=`LANG=C egrep '^olc(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]*:[[:space:]]' $configdir/cn\=config.ldif | awk '{print $2}'` The above *ONLY* works reliably for certificate paths containing less 52 characters. This is because when the 26 character string "olcTLSCertificateKeyFile: " (or others) are prepended to the certificate files name, the result is 78 characters or longer which will be wrapped onto multiple lines when it appears in "/etc/openldap/slapd.d/cn\=config.ldif". To modify "/etc/rc.d/init.d/slapd" to handle arbitrary length certificate filenames, the original code must be replaced with something more reliable such as: # tlsconfigs=`LANG=C egrep '^olc(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]*:[[:space:]]' $configdir/cn\=config.ldif | awk '{print $2}'` # The code on the above line fails if the TLS filename is too long and is thus # wrapped across more than one 78 character line of the ldif file. The replacement # code below fixes this problem. - Paul Moore, Astute Systems, 03-Mar-2010. tlsconfigs=`LANG=C awk '/^olcTLS/ { while (/^olcTLS/) { if (/^olc(TLSCertificateKeyFile|TLSCertificateFile|TLSCACertificateFile)[ \t]*:[ \t]*/) { do { printf gensub(/^ /,"",1); getline } while (/^ /) printf "\n" ; } else break; } }' /etc/openldap/slapd.d/cn\=config.ldif | awk '{print $2}'`