Description of problem:
Whatever used to create /etc/openldap/cacerts before (I have no idea), apparently no longer does. As a result:
# /usr/sbin/authconfig --update --nostart --ldaploadcacert=http://www.cora.nwra.com/cgi-bin/getca.pl
authconfig: Error downloading CA certificate
'/etc/openldap/cacerts' must be a directory.
I'm not sure why authconfig doesn't just create it if it needs it.
Version-Release number of selected component (if applicable):
authconfig-6.2.10-3.fc22.x86_64
authconfig-6.2.10-4.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/authconfig-6.2.10-4.fc22
Tested with authconfig-6.2.10-4.fc22, and got the following output:
'' must be a directory.
'' must be a directory.
Please try authconfig-6.2.10-5.fc22.
Still the same:
# /usr/sbin/authconfig --update --nostart --ldaploadcacert=http://www.cora.nwra.com/cgi-bin/getca.pl
authconfig: Error downloading CA certificate
'/etc/openldap/cacerts' must be a directory.
# rpm -q authconfig
authconfig-6.2.10-5.fc22.x86_64
Is there /etc/openldap directory? Which of the configuration files: /etc/ldap.conf, /etc/nss_ldap.conf, /etc/pam_ldap.conf, /etc/nslcd.conf, /etc/openldap/ldap.conf do you have on your system and what is the tls_cacertdir option value in the files? Can you attach authconfig --test output?
Created attachment 1009688
authconfig --test output
# ls -l /etc/openldap
total 4
drwxr-xr-x. 2 root root 6 Feb 20 06:13 certs
-rw-r--r--. 1 root root 445 Mar 31 16:19 ldap.conf
ls: cannot access /etc/ldap.conf: No such file or directory
ls: cannot access /etc/nss_ldap.conf: No such file or directory
ls: cannot access /etc/nslcd.conf: No such file or directory
-rw-r--r--. 1 root root 445 Mar 31 16:19 /etc/openldap/ldap.conf
-rw-r--r--. 1 root root 8897 Mar 31 16:19 /etc/pam_ldap.conf
/etc/pam_ldap.conf:#tls_cacertdir /etc/ssl/certs
/etc/pam_ldap.conf:tls_cacertdir /etc/openldap/cacerts
Package authconfig-6.2.10-5.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing authconfig-6.2.10-5.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-5273/authconfig-6.2.10-5.fc22
then log in and leave karma (feedback).
So I've finally found the regression cause - there was a mistake in the Python 3 compatibility patch.
Package authconfig-6.2.10-6.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing authconfig-6.2.10-6.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-5273/authconfig-6.2.10-6.fc22
then log in and leave karma (feedback).
Looks good from what I can tell. Note 192.168.122.30 is an IPA master.
Before upgrade:
[root@fedora1 ~]# /usr/sbin/authconfig --update --nostart --ldaploadcacert=http://192.168.122.30/ipa/config/ca.crt
authconfig: Error downloading CA certificate
After upgrading authconfig:
[root@fedora1 ~]# dnf update authconfig
...truncated for brevity...
Upgraded:
authconfig.x86_64 6.2.10-6.fc22
Complete!
[root@fedora1 ~]# /usr/sbin/authconfig --update --nostart --ldaploadcacert=http://192.168.122.30/ipa/config/ca.crt
[root@fedora1 ~]#
Looking better for me on an installed system:
# ls /etc/openldap/
certs ldap.conf
# /usr/sbin/authconfig --update --nostart --ldaploadcacert=http://www.cora.nwra.com/cgi-bin/getca.pl
# ls /etc/openldap/cacerts/
157753a5.0 authconfig_downloaded.pem
My concern now is that this directory wasn't created despite running this command in my kickstart %post section.
The default for the directory is now /etc/openldap/certs. You probably install the /etc/pam_ldap.conf only after the authconfig is run in kickstart with the /etc/openldap/cacerts directory set. I think your setup is quite different from a normal Fedora install.
Ah, I see that now, thanks.
authconfig-6.2.10-6.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.