RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1353969 - ipa-client-install should overwrite or prompt for changes in /etc/openldap/ldap.conf
Summary: ipa-client-install should overwrite or prompt for changes in /etc/openldap/ld...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
Depends On:
Blocks: 1354528
TreeView+ depends on / blocked
 
Reported: 2016-07-08 14:45 UTC by Luc de Louw
Modified: 2022-10-06 09:42 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1354528 (view as bug list)
Environment:
Last Closed: 2020-08-18 12:36:21 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-8894 0 None None None 2022-10-05 18:50:48 UTC
Red Hat Issue Tracker RHELPLAN-48291 0 None None None 2022-10-05 18:50:47 UTC

Description Luc de Louw 2016-07-08 14:45:05 UTC 
Description of problem:
When installing an IPA server or client, any existing ldap.conf is not overwritten but the IPA ldap servers are appended and commented out.

This can cause confusion when running ldap operations such as ldapadd/ldapmodify and the like.


Version-Release number of selected component (if applicable):
4.2

How reproducible:
Always

Steps to Reproduce:
1. configure /etc/openldap/ldap.conf pointing to an ldap server. I.e.

BASE   dc=example,dc=com
URI    ldap://ldap.example.com


2. Run ipa-client-install
3. Finding the ldap config as follow:
BASE   dc=example,dc=com
URI    ldap://ldap.example.com

#URI ldaps://ipa1.example.com # modified by IPA
#BASE dc=ipa,dc=example,dc=com # modified by IPA



Actual results:
LDAP operations on the IPA server will fail.

Expected results:
LDAP config should comment out the original BASE and URI and put in place the new IPA ldap config.

Additional info:
On clients, it can be a valid configuration pointing /etc/openldap/ldap.conf to a different LDAP server used by an application on the server. A nice solution would be adding a switch to ipa-client-install i.e --overwrite-config or similar. This switch should be used as default when ipa-server-install triggers the client config part.
Comment 2 Petr Vobornik 2016-07-12 16:04:28 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6065
Comment 3 Petr Vobornik 2016-07-12 16:04:58 UTC 
Was clone upstream to Future release milestone. This behavior is undefined in IPA and therefore it will need a design page.

A suggestion from Jan Pazdiora:
"""
Could we check that the content of the file is the rpm-default/vanilla,  not touched yet, and overwrite if the file was not touched yet but not  overwrite if it was somehow modified by the admin?
"""
Comment 7 Petr Čech 2020-08-18 12:36:21 UTC 
Thank you taking your time and submitting this request for Red Hat Enterprise Linux. It was unfortunately not given priority Red Hat Enterprise Linux.
Given that this request is not planned for a close release, it is highly unlikely it will be fixed in this major version of Red Hat Enterprise Linux. We are therefore closing the request as WONTFIX.
To request that Red Hat reconsiders the decision, please reopen the Bugzilla with the help of Red Hat Customer Service and provide additional business and/or technical details about it's importance to you.
Comment 8 hakon.gislason 2022-10-05 18:43:22 UTC 
Any chance of opening this again? This is causing us issues with ldap authentication of web services. IPA / IDM overrides ldap.conf with it's own CA store file (TLS_CACERT /etc/ipa/ca.crt). We have multiple CA's in house and this causes certificate verification to fail on LDAP servers other than IPA (example MS AD).
If not, then providing a workaround would be good.
Comment 9 Rob Crittenden 2022-10-05 19:11:06 UTC 
Given that there is system-wide certificate trust now setting this is probably better:

TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt

Are you installing your custom trust system-wide? If so this would solve both problems.
Comment 10 Alexander Bokovoy 2022-10-06 06:10:24 UTC 
We also have bug 2094673 which asks to drop setting a TLS store in ldap.conf. I think we can continue in that bug instead of reopening this one.

Hakon, I submitted https://github.com/freeipa/freeipa/pull/6496 to remove TLS_CACERT. Please help testing this configuration in the upstream PR.
Comment 11 hakon.gislason 2022-10-06 09:42:16 UTC 
We have a few different CA's in house that we install/manage on all hosts with Ansible. It would make sense if the IPA client would just add the IPA CA to the system-wide store. Then we could drop this issue. Overwriting the whole config and specifying just one CA for everything that uses openldap (in our case: LibreNMS with LDAP auth) didn't make any sense to me. Alexander is right, bug 2094673 would solve this better.
Comment 12 hakon.gislason 2022-10-06 09:42:59 UTC 
Edit:
>Are you installing your custom trust system-wide?
Yes.
Note You need to log in before you can comment on or make changes to this bug.