Bug 146815 - Wrong tls entry ldap.conf
Wrong tls entry ldap.conf
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: openldap (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Jay Fenlason
:
: 146985 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-02-01 15:42 EST by dijuremo
Modified: 2014-08-31 19:27 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-09-18 15:05:36 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description dijuremo 2005-02-01 15:42:02 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041111 Firefox/1.0

Description of problem:
The sample ldap.conf file in /etc/ldap.conf has the entry:

#tls_cacertfile /etc/ssl/ca.cert

However, tls_cacertfile is not a valid option for ldap.conf

The correct entry should be:

tls_cacert /etc/ssl/ca.cert

This is also seen in other versions including RHEL 4 Beta 2.

Diego

Version-Release number of selected component (if applicable):
openldap-2.2.13-2

How reproducible:
Always

Steps to Reproduce:
1. Using the default tls_cacertfile /etc/ssl/ca.cert:

% grep -v ^# /etc/ldap.conf | uniq
base dc=ibb,dc=gatech,dc=edu
uri ldap://ldap.ibb.gatech.edu
ssl start_tls
tls_reqcert demand
tls_checkpeer yes
tls_cacertfile /etc/ssl/cacert.pem
tls_cacertdir /etc/ssl/certs

Now the query:

%ldapsearch -x -v -ZZ -h ldap.ibb.gatech.edu -b
dc=ibb,dc=gatech,dc=edu 'uid=dr126'
ldap_initialize( ldap://ldap.ibb.gatech.edu )
ldap_start_tls: Connect error (-11)

2. Modifying ldap.conf with tls_cacert /etc/ssl/cacert.pem

% grep -v ^# /etc/ldap.conf | uniq
base dc=ibb,dc=gatech,dc=edu
uri ldap://ldap.ibb.gatech.edu
ssl start_tls
tls_reqcert demand
tls_checkpeer yes
tls_cacert /etc/ssl/cacert.pem
tls_cacertdir /etc/ssl/certs

Now the query:

%ldapsearch -x -v -ZZ -h ldap.ibb.gatech.edu -b
dc=ibb,dc=gatech,dc=edu 'uid=dr126'
ldap_initialize( ldap://ldap.ibb.gatech.edu )
filter: uid=dr126
requesting: ALL
# extended LDIF
#
# LDAPv3
# base <dc=ibb,dc=gatech,dc=edu> with scope sub
# filter: uid=dr126
# requesting: ALL
#

# dr126, People, ibb.gatech.edu
dn: uid=dr126,ou=People,dc=ibb,dc=gatech,dc=edu
uid: dr126
cn: Diego Julian Remolina
givenName: Diego Julian
sn: Remolina
mail: dr126@ibb.gatech.edu
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 500
homeDirectory: /home/dr126
gecos: Diego Julian Remolina

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1


Additional info:
Comment 1 Walter Justen 2005-08-30 05:24:06 EDT
*** Bug 146985 has been marked as a duplicate of this bug. ***
Comment 2 Joachim Selke 2006-06-29 07:27:57 EDT
This bug still exists in FC5.
Comment 3 Matthew Miller 2006-07-10 18:12:40 EDT
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!
Comment 4 Joachim Selke 2006-07-12 14:24:12 EDT
As mentioned the bug is still there in FC5 updates (openldap-2.3.19-4).

The file /etc/ldap.conf is not consistent with the ldap.conf manpage at least,
which also mentions the option TLS_CACERT (and does not contain TLS_CACERTFILE).

I would like to change version to "fc5" but I am not allowed to. Can someone
else do that please? I do not want to file a new bug for an old problem.
Comment 5 Matthew Miller 2006-07-12 14:27:24 EDT
Thanks, I'll change it. I'm actually going to move it to devel, because it seems
more likely to get fixed there than to receive an actual pacakge errata.
Comment 6 Matthew Miller 2006-07-12 14:27:46 EDT
(clearing "needinfo" bit.)
Comment 7 Jay Fenlason 2006-07-19 17:56:23 EDT
Note that /etc/ldap.conf is part of the nss_ldap subsystem, 
while /etc/openldap/ldap.conf is part of OpenLDAP.  And they have somewhat 
different syntaxes, just to make life annoying.  /etc/ldap.conf is documented 
in the nss_ldap(5) man page, which says 
 
       tls_cacertdir <certificate_dir> 
              Specifies the directory containing X.509 certificates  for  peer 
              authentication. 
 
       tls_cacertfile <certificate_file> 
              Specifies the path to the X.509 certificate for peer authentica- 
              tion. 
/etc/ldap.conf is normally only used by nss_ldap, which is enabled by 
including "ldap" on one or more of the database lines in /etc/nsswitch.conf 
 
 
/etc/openldap/ldap.conf is documented in the ldap.conf(5) man page, which says 
       TLS_CACERT <filename> 
              Specifies  the  file  that  contains certificates for all of the 
              Certificate Authorities the client will recognize. 
 
       TLS_CACERTDIR <path> 
              Specifies the path of  a  directory  that  contains  Certificate 
              Authority   certificates   in  separate  individual  files.  The 
              TLS_CACERT is always used before TLS_CACERTDIR. 
 
ldapsearch is supposed to use /etc/openldap/ldap.conf, not /etc/ldap.conf.  We 
need to find out why your ldapsearch commands are using /etc/ldap.conf.  Do 
you have any of the LDAP* (LDAPCONF, LDAPRC, etc) environment variables set? 
Comment 8 Joachim Selke 2006-07-21 05:21:07 EDT
(In reply to comment #7)
> Note that /etc/ldap.conf is part of the nss_ldap subsystem, 
> while /etc/openldap/ldap.conf is part of OpenLDAP.  And they have somewhat 
> different syntaxes, just to make life annoying.

Interesting. Thank you for pointing this out.

Maybe there should be a hint (where to find the correct manpage) added to
/etc/ldap.conf. What do you think?
Comment 9 Jay Fenlason 2006-09-18 15:05:36 EDT
Current rawhide has reasonable comments explaining which manpages describe 
which ldap.conf files, so I'm closing this. 

Note You need to log in before you can comment on or make changes to this bug.