Bug 578219

Summary: Configuring ldaps:// + cacert does not run cacert_rehash on downloaded certificate
Product: [Fedora] Fedora
Reporter: James Laska <jlaska>
Component: authconfig
Assignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 13
CC: jturner, rhe, sgallagh, tmraz
Hardware: All   
OS: Linux   
Fixed In Version: authconfig-6.1.3-1.fc13
Doc Type: Bug Fix
Last Closed: 2010-04-22 22:58:00 UTC
Attachments: Screenshot.png

Description James Laska 2010-03-30 15:16:19 UTC
Created attachment 403514
Screenshot.png

Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
Follow instructions at https://fedoraproject.org/wiki/QA:Testcase_SSSD_LDAP_Identity_and_LDAP_Authentication

Specifically, in firstboot
1. Under ''User account database'', select LDAP
2. For ''base DN'', enter 'dc=fedoraproject,dc=org'
3. For ''LDAP Server'', enter 'ldaps://publitest9.fedoraproject.org'
4. Click "Download certificate" and use http://jlaska.fedorapeople.org/sssd/cacert.asc
5. Leave TLS *UNCHECKED*
6. Under ''Authentication Method'', select LDAP
7. Select Apply and complete firstboot setup
  
Actual results:

/etc/openldap/cacerts does not contain the cert symlink as expected. I have to manually run 'cacert_rehash /etc/openldap/cacerts' in order to set up the symlink so that I can properly identify and authenticate LDAP users.

Expected results:

/etc/openldap/cacerts should contain a symlink to authconfig_downloaded.pem

Additional info:

 * See attached screenshot
 * sgallagh notes that cacert_rehash should be run regardless of whether using TLS or not. In further testing, if you enable TLS, it is properly set up. However, when TLS is disabled, cacert_rehash is not run.
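
A check for the condition reported above, as an added example that is not part of the original report or of authconfig: it lists the `*.pem` files in a CA directory that have no `<subject-hash>.N` symlink, which is the link `cacert_rehash` creates. It assumes the `openssl` command-line tool is installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of authconfig). Function names are hypothetical.

# Print the OpenSSL subject hash of a PEM certificate (empty on parse failure).
subject_hash() {
    openssl x509 -noout -hash -in "$1" 2>/dev/null
}

# Print every regular *.pem file in DIR that no <hash>.N symlink resolves to.
# Returns 0 when every certificate is linked, 1 when at least one is not.
missing_hash_links() {
    dir=$1
    rc=0
    for cert in "$dir"/*.pem; do
        # Skip an unmatched glob and any symlinks that happen to end in .pem.
        [ -f "$cert" ] && [ ! -L "$cert" ] || continue
        h=$(subject_hash "$cert") || h=
        if [ -z "$h" ]; then
            echo "warning: cannot parse $cert" >&2
            continue
        fi
        found=no
        # Hash collisions get .0, .1, ...; any of them may be the right link.
        for link in "$dir/$h".[0-9]*; do
            if [ -L "$link" ] && [ "$link" -ef "$cert" ]; then
                found=yes
                break
            fi
        done
        if [ "$found" = no ]; then
            echo "$cert"
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone use: sh check.sh /etc/openldap/cacerts
[ "$#" -eq 0 ] || missing_hash_links "$1"
```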

Comment 1 He Rui 2010-04-01 07:01:15 UTC
I tested this case after a f13 fresh install using http branched repo. I didn't reproduce this issue. It works for me.

Comment 2 He Rui 2010-04-01 07:29:37 UTC
(In reply to comment #1)
> I tested this case after a f13 fresh install using http branched repo. I didn't
> reproduce this issue. It works for me.

Ah, I was wrong. It passed because I enabled TLS before this case as James provided in Additional info.

Comment 3 Fedora Update System 2010-04-07 20:30:59 UTC
authconfig-6.1.3-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/authconfig-6.1.3-1.fc13

Comment 4 Fedora Update System 2010-04-09 04:04:32 UTC
authconfig-6.1.3-1.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update authconfig'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/authconfig-6.1.3-1.fc13

Comment 5 Fedora Update System 2010-04-22 22:57:34 UTC
authconfig-6.1.3-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.