Bug 1264437 - ldapsearch not working with # in line starting with BASE
Summary: ldapsearch not working with # in line starting with BASE
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 22
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: IPA Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-09-18 13:11 UTC by Fujisan
Modified: 2016-07-19 17:56 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-19 17:56:40 UTC
Type: Bug
Embargoed:



Description Fujisan 2015-09-18 13:11:35 UTC
Description of problem:
In /etc/openldap/ldap.conf, I have something like this:

TLS_CACERTDIR /etc/openldap/cacerts
URI ldaps://my.server # modified by IPA
BASE dc=opera # modified by IPA
TLS_CACERT /etc/ipa/ca.crt

The lines starting with BASE and URI are added by ipa-client-install. These lines actually start with a '#' after the ipa client installation (to keep the previous configuration).

So you need to remove these '#' at the beginning of these lines (uncomment leaving '# modified by IPA' at the end of these lines) and to comment the lines of the previous configuration.

Then I run

ldapsearch -x -h my.server | less

and i get almost nothing:

-----------------------------------
# extended LDIF
#
# LDAPv3
# base <dc=opera #> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
-----------------------------------

If I remove '# modified by IPA' from the lines starting with URI and BASE, then ldapsearch works normally.

It is actually the '#' at the end of the BASE line that makes ldapsearch not work.

Version-Release number of selected component (if applicable):
openldap-2.4.40-12.fc22.x86_64

How reproducible:
always

Steps to Reproduce:
1. To check this, add a '#' at the end of the line starting with BASE
2. run ldapsearch
3. and see the output

Comment 1 Rich Megginson 2015-09-18 14:50:58 UTC
Let me see if I understand.

Before running ipa-client-install, the file looked like this?

TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/ipa/ca.crt

Then after running ipa-client-install, the file looked like this?

TLS_CACERTDIR /etc/openldap/cacerts
#URI ldaps://my.server # modified by IPA
#BASE dc=opera # modified by IPA
TLS_CACERT /etc/ipa/ca.crt

At any rate, it looks as though the problem is with ipa-client-install - since

BASE dc=opera # modified by IPA

is not valid openldap configuration file syntax.  ipa-client-install should put the comment on a line by itself before or after the value that was modified.

From man ldap.conf:

       Lines beginning with a hash mark (`#') are comments, and ignored.

            # Wrong - comment on same line as option:
            DEREF   never           # Never follow aliases

moving to ipa
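
As an added illustration (not code from this report, FreeIPA or OpenLDAP), a small Python checker that applies the ldap.conf rule quoted above to a constructed copy of the reporter's file: it reads each line the way the man page describes (leading '#' is a comment, otherwise everything after the option name is the value), flags values that carry a trailing '# ...' comment, and rewrites them with the comment on its own line as suggested. It is a simplified model of the documented rule, not OpenLDAP's actual parser.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample modelled on the file in the report (not the reporter's real file).
SAMPLE_LDAP_CONF = """\
TLS_CACERTDIR /etc/openldap/cacerts
URI ldaps://my.server # modified by IPA
BASE dc=opera # modified by IPA
TLS_CACERT /etc/ipa/ca.crt
"""

# A '#' preceded by whitespace, through end of line: the unsupported inline comment.
INLINE_COMMENT = re.compile(r"\s+#.*$")


def split_option(raw: str) -> Optional[Tuple[str, str]]:
    """Man-page rule: blank lines and lines beginning with '#' are ignored; on any
    other line the first token is the option and the REST of the line is its value.
    Nothing after the option name is treated as a comment."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 1)
    return parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def lint_ldap_conf(text: str) -> List[Tuple[int, str, str]]:
    """(line number, option, value) for every option whose value carries a
    trailing '# ...' comment. A '#' glued to the value (e.g. a hex-encoded DN
    component) is not flagged; only a whitespace-separated one is."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        parsed = split_option(raw)
        if parsed and INLINE_COMMENT.search(parsed[1]):
            findings.append((lineno, parsed[0], parsed[1]))
    return findings


def move_comments_to_own_line(text: str) -> str:
    """Rewrite the file the way Comment 1 suggests: each inline comment becomes a
    comment line of its own, placed just before the option it annotated."""
    out: List[str] = []
    for raw in text.splitlines():
        match = INLINE_COMMENT.search(raw) if split_option(raw) else None
        if match:
            out.append(match.group(0).strip())
            out.append(raw[: match.start()].rstrip())
        else:
            out.append(raw)
    return "\n".join(out) + "\n"
```

Running lint_ldap_conf over the sample reports both the URI and BASE lines; after move_comments_to_own_line the rewritten text lints clean.
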

Comment 2 Petr Vobornik 2015-09-18 15:21:14 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5202

Comment 3 Fujisan 2015-09-19 20:36:21 UTC
Yes, it looked like this actually:

TLS_CACERTDIR /etc/openldap/cacerts

URI ldaps://my.old.server
BASE dc=opera
#URI ldaps://my.server # modified by IPA
#BASE dc=opera # modified by IPA
TLS_CACERT /etc/ipa/ca.crt

So I uncommented the new lines (leaving the '# modified by IPA') and removed the old ones.

And of course, ldap could not work.

It is indeed an ipa-client-install problem.

Comment 4 Rich Megginson 2015-09-21 17:09:08 UTC
(In reply to Fujisan from comment #3)
> yes, it looked like this actually:
> 
> TLS_CACERTDIR /etc/openldap/cacerts
> 
> URI ldaps://my.old.server
> BASE dc=opera
> #URI ldaps://my.server # modified by IPA
> #BASE dc=opera # modified by IPA
> TLS_CACERT /etc/ipa/ca.crt
> 
> So I uncommented the new lines (leaving the '# modified by IPA') and removed
> the old ones.
> 
> And of course, ldap could not work.
> 
> It is indeed an ipa-client-install problem.

Before you edited ldap.conf by hand, did you read the manpage for ldap.conf to make sure you were editing the file in a way that was supported by ldap?  It could be that ipa-client-install is changing ldap.conf with the assumption that the user will not need to change it afterwards, and, if the user does need to change it, the user will have read the manpage for ldap.conf and will make sure that any edits will be valid.  If the line modified by IPA is uncommented, then the line is no longer merely "modified by IPA" and the "# modified by IPA" should be removed as well.

Comment 5 Fedora End Of Life 2016-07-19 17:56:40 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

