Bug 1203024 - authconfig will not create /etc/openldap/cacerts
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: authconfig
Version: 22
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-03-17 22:56 UTC by Orion Poplawski
Modified: 2015-04-21 19:31 UTC

Fixed In Version: authconfig-6.2.10-6.fc22
Doc Type: Bug Fix
Last Closed: 2015-04-21 19:31:31 UTC


Attachments
authconfig --test output (1.97 KB, text/plain)
2015-04-01 14:45 UTC, Orion Poplawski

Description Orion Poplawski 2015-03-17 22:56:34 UTC
Description of problem:

Whatever used to create /etc/openldap/cacerts before (I have no idea), apparently no longer does.  As a result:

# /usr/sbin/authconfig --update --nostart --ldaploadcacert=http://www.cora.nwra.com/cgi-bin/getca.pl
authconfig: Error downloading CA certificate
'/etc/openldap/cacerts' must be a directory.

I'm not sure why authconfig doesn't just create it if it needs it.

Version-Release number of selected component (if applicable):
authconfig-6.2.10-3.fc22.x86_64

Comment 1 Fedora Update System 2015-03-30 12:06:19 UTC
authconfig-6.2.10-4.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/authconfig-6.2.10-4.fc22

Comment 2 lnie 2015-03-31 07:58:58 UTC
Tested with authconfig-6.2.10-4.fc22, and got the following output:
'' must be a directory.
'' must be a directory.

Comment 3 Tomas Mraz 2015-03-31 09:12:51 UTC
Please try authconfig-6.2.10-5.fc22.

Comment 4 Orion Poplawski 2015-03-31 22:20:49 UTC
Still the same:

# /usr/sbin/authconfig --update --nostart --ldaploadcacert=http://www.cora.nwra.com/cgi-bin/getca.pl
authconfig: Error downloading CA certificate
'/etc/openldap/cacerts' must be a directory.
# rpm -q authconfig
authconfig-6.2.10-5.fc22.x86_64

Comment 5 Tomas Mraz 2015-04-01 08:27:59 UTC
Is there /etc/openldap directory?
Which of the configuration files:
/etc/ldap.conf, /etc/nss_ldap.conf, /etc/pam_ldap.conf, /etc/nslcd.conf, /etc/openldap/ldap.conf do you have on your system and what is the tls_cacertdir option value in the files?

Can you attach authconfig --test output?

Comment 6 Orion Poplawski 2015-04-01 14:45:05 UTC
Created attachment 1009688
authconfig --test output

# ls -l /etc/openldap
total 4
drwxr-xr-x. 2 root root   6 Feb 20 06:13 certs
-rw-r--r--. 1 root root 445 Mar 31 16:19 ldap.conf

ls: cannot access /etc/ldap.conf: No such file or directory
ls: cannot access /etc/nss_ldap.conf: No such file or directory
ls: cannot access /etc/nslcd.conf: No such file or directory
-rw-r--r--. 1 root root  445 Mar 31 16:19 /etc/openldap/ldap.conf
-rw-r--r--. 1 root root 8897 Mar 31 16:19 /etc/pam_ldap.conf

/etc/pam_ldap.conf:#tls_cacertdir /etc/ssl/certs
/etc/pam_ldap.conf:tls_cacertdir /etc/openldap/cacerts

Comment 7 Fedora Update System 2015-04-02 01:41:53 UTC
Package authconfig-6.2.10-5.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing authconfig-6.2.10-5.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-5273/authconfig-6.2.10-5.fc22
then log in and leave karma (feedback).

Comment 8 Tomas Mraz 2015-04-02 10:25:51 UTC
So I've finally found the regression cause - there was a mistake in the Python 3 compatibility patch.

Comment 9 Fedora Update System 2015-04-02 18:59:36 UTC
Package authconfig-6.2.10-6.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing authconfig-6.2.10-6.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-5273/authconfig-6.2.10-6.fc22
then log in and leave karma (feedback).

Comment 10 Scott Poore 2015-04-06 17:56:17 UTC
Looks good from what I can tell. Note 192.168.122.30 is an IPA master.

Before upgrade:

[root@fedora1 ~]# /usr/sbin/authconfig --update --nostart --ldaploadcacert=http://192.168.122.30/ipa/config/ca.crt
authconfig: Error downloading CA certificate

After upgrading authconfig:

[root@fedora1 ~]# dnf update authconfig
...truncated for brevity...
Upgraded:

  authconfig.x86_64 6.2.10-6.fc22                                                                      

Complete!
[root@fedora1 ~]# /usr/sbin/authconfig --update --nostart --ldaploadcacert=http://192.168.122.30/ipa/config/ca.crt
[root@fedora1 ~]#

Comment 11 Orion Poplawski 2015-04-07 18:22:04 UTC
Looking better for me on an installed system:

# ls /etc/openldap/
certs  ldap.conf
# /usr/sbin/authconfig --update --nostart --ldaploadcacert=http://www.cora.nwra.com/cgi-bin/getca.pl
# ls /etc/openldap/cacerts/
157753a5.0  authconfig_downloaded.pem

My concern now is that this directory wasn't created despite running this command in my kickstart %post section.

Comment 12 Tomas Mraz 2015-04-07 19:18:53 UTC
The default for the directory is now /etc/openldap/certs. You probably install the /etc/pam_ldap.conf only after the authconfig is run in kickstart with the /etc/openldap/cacerts directory set.

I think your setup is quite different from a normal Fedora install.

Comment 13 Orion Poplawski 2015-04-07 19:50:08 UTC
Ah, I see that now, thanks.
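
Added example, not part of the bug thread or of authconfig: a shell check that repeats the diagnosis from Comments 5, 6 and 12 by listing every uncommented tls_cacertdir in the five LDAP client configuration files and reporting whether that directory exists, falling back to the /etc/openldap/certs default named in Comment 12. The function name `check_cacertdirs` and its optional root-prefix argument are hypothetical, and matching the key case-insensitively (to cover `TLS_CACERTDIR` in /etc/openldap/ldap.conf) is an assumption.

```shell
#!/bin/sh
# Files listed in Comment 5; default directory as stated in Comment 12.
LDAP_CONFS="/etc/ldap.conf /etc/nss_ldap.conf /etc/pam_ldap.conf /etc/nslcd.conf /etc/openldap/ldap.conf"
DEFAULT_CACERTDIR="/etc/openldap/certs"

# check_cacertdirs [ROOT]
# ROOT is a hypothetical prefix (e.g. a mounted install image or a test tree);
# leave it empty to inspect the running system.
# Prints "<config file> <directory> ok|missing" for each uncommented
# tls_cacertdir setting and returns 1 if any referenced directory is absent.
check_cacertdirs() {
    root="${1:-}"
    rc=0
    found=0
    for conf in $LDAP_CONFS; do
        # Skip configuration files that are not installed.
        [ -f "$root$conf" ] || continue
        # A commented line such as "#tls_cacertdir ..." has "#tls_cacertdir"
        # as its first field, so it never matches here.
        for dir in $(awk 'tolower($1) == "tls_cacertdir" { print $2 }' "$root$conf"); do
            found=1
            if [ -d "$root$dir" ]; then
                echo "$conf $dir ok"
            else
                echo "$conf $dir missing"
                rc=1
            fi
        done
    done
    # No file sets the option: check the default location instead.
    if [ "$found" -eq 0 ]; then
        if [ -d "$root$DEFAULT_CACERTDIR" ]; then
            echo "(default) $DEFAULT_CACERTDIR ok"
        else
            echo "(default) $DEFAULT_CACERTDIR missing"
            rc=1
        fi
    fi
    return $rc
}
```

Run `check_cacertdirs` with no argument on an installed system, or pass the install root from a kickstart %post environment that is not chrooted.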

Comment 14 Fedora Update System 2015-04-21 19:31:31 UTC
authconfig-6.2.10-6.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.