Bug 640393

Summary: [RFE] Should check the cacertdir and the cacert during startup.
Product: Red Hat Enterprise Linux 7 Reporter: Gowrishankar Rajaiyan <grajaiya>
Component: sssdAssignee: SSSD Maintainers <sssd-maint>
Status: CLOSED DEFERRED QA Contact: Ben Levenson <benl>
Severity: low Docs Contact:
Priority: low    
Version: 7.0CC: dpal, jgalipea, jhrozek, mkosek, sdenham
Target Milestone: pre-dev-freezeKeywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-04-24 11:20:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 644119    
Bug Blocks: 703208, 756082    

Description Gowrishankar Rajaiyan 2010-10-05 18:04:39 UTC
Description of problem:
SSSD doesn't check cacertdir or the cacert during startup.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Configure sssd.conf with incorrect ldap_tls_cacertdir and ldap_tls_cacert.
<snip>
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://sssdldap.domain.com
ldap_search_base = dc=example,dc=com
cache_credentials = true
enumerate = true
ldap_tls_cacertdir = /etc/openldap/cacert
ldap_tls_cacert = /etc/openldap/cacert/cacert.asc
debug_level = 9
</snip>
2. Restart sssd.
3. Observe sssd_DOMAIN.log or /var/log/messages.
  
Actual results:
sssd_DOMAIN.log
<snip>
(Tue Oct  5 23:14:57 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (3): ldap_search_ext failed: Can't contact LDAP server
(Tue Oct  5 23:14:57 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (3): Connection error: (null)
(Tue Oct  5 23:14:57 2010) [sssd[be[LDAP]]] [sdap_install_ldap_callbacks] (8): Trace: sh[0xffe3d70], connected[1], ops[(nil)], fde[0xffd0270], ldap[0xffe3f40]
(Tue Oct  5 23:14:57 2010) [sssd[be[LDAP]]] [fo_set_port_status] (4): Marking port 636 of server 'sssdldap.domain.com' as 'not working'
</snip>

/var/log/message
<snip>
Oct  5 23:17:32 rhel5-6-Server sssd: Starting up
Oct  5 23:17:32 rhel5-6-Server sssd[be[LDAP]]: Starting up
Oct  5 23:17:32 rhel5-6-Server sssd[nss]: Starting up
Oct  5 23:17:32 rhel5-6-Server sssd[pam]: Starting up
Oct  5 23:17:43 rhel5-6-Server sssd[be[LDAP]]: LDAP connection error: (null)
</snip>

Expected results:
Should check the cacertdir and the cacert during provider startup and fail with a debug message earlier and also report this into syslog.

Additional info:

Comment 2 Dmitri Pal 2010-10-13 16:04:30 UTC
https://fedorahosted.org/sssd/ticket/649

Comment 4 Jenny Severance 2011-05-05 12:50:46 UTC
Please check to see if the defined directory exists, if not ... error.  Then check if the cacert file is defined and if it not ... error.

Comment 10 Martin Kosek 2015-04-24 11:20:53 UTC
Thank you taking your time and submitting this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux.

Given that we are unable to fulfill this request in following Red Hat Enterprise Linux releases, I am closing the Bugzilla as DEFERRED. To request that Red Hat re-considers the decision, please re-open the Bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you.

Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.