Description of problem:
When using authconfig with the --ldapserver option, authconfig will modify /etc/openldap/ldap.conf to include a [deprecated] HOST statement and will not enable TLS_REQCERT or PORT 636 or other measures which would forcibly invoke TLS. Most annoyingly, authconfig will ignore existing [correct] URI lines.

Version-Release number of selected component (if applicable):
authconfig-4.6.10-rhel4.1
openldap-2.2.13-4

How reproducible:
Always

Steps to Reproduce:
1. Set up an LDAP server
2. Run "authconfig --kickstart --enableldap --enableldapauth --ldapserver SERVERNAME --enableldaptls"

Actual results:
authconfig modifies /etc/openldap/ldap.conf to include a HOST statement matching SERVERNAME. HOST is now deprecated according to the ldap.conf man page.

Expected results:
authconfig should use the URI statement. Moreover, authconfig should check to make sure that SERVERNAME is not already in URI format (e.g. ldap://servername) and convert it to such if needed. At the very least authconfig should not modify a file that already contains a URI using ldap:// or ldaps:// pointing to the same SERVERNAME.

Additional info:
If your server is configured to only accept connections with SSF such that confidentiality is REQUIRED, authconfig will cause your new client to not connect to the server.
The workaround is to put both URI and HOST statements in the config. If the URI is first it will be used as default with the HOST only as failover, so it will be harmless if it doesn't point to the right server. But we should fix this for the next RHEL version.
Implemented in authconfig-5.2.5-1. Fixed authconfig will be included in RHEL 5 when it is released.
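As an added example (not authconfig's own code), the following POSIX shell audits an ldap.conf for the problems described in the report and the URI-before-HOST ordering from the workaround, and normalises a bare server name to a URI the way the reporter expects authconfig to. The file names, hostname and file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not authconfig's code. Sample files and hostnames are constructed.

# Print SERVERNAME as an ldaps:// URI unless it is already in URI form.
to_ldap_uri() {
    case "$1" in
        ldap://*|ldaps://*|ldapi://*) printf '%s\n' "$1" ;;
        *) printf 'ldaps://%s\n' "$1" ;;
    esac
}

# Succeed if FILE already carries a URI line pointing at the host in SERVERNAME.
has_uri_for() {
    uri=$(to_ldap_uri "$2"); host=${uri#*://}; host=${host%%[:/]*}
    host_re=$(printf '%s' "$host" | sed 's/\./\\./g')   # escape dots for the ERE
    grep -Eiq "^[[:space:]]*URI[[:space:]].*ldaps?://$host_re([:/[:space:]]|\$)" "$1"
}

# Print one finding per line for FILE; empty output means the file passes.
audit_ldap_conf() {
    f=$1
    host_ln=$(grep -Ein '^[[:space:]]*HOST[[:space:]]' "$f" | head -n1 | cut -d: -f1)
    uri_ln=$(grep -Ein '^[[:space:]]*URI[[:space:]]' "$f" | head -n1 | cut -d: -f1)
    # HOST is tolerated only as a failover listed after a URI (the workaround above).
    if [ -n "$host_ln" ] && { [ -z "$uri_ln" ] || [ "$host_ln" -lt "$uri_ln" ]; }; then
        echo "deprecated HOST directive used without a preceding URI"
    fi
    [ -z "$uri_ln" ] && echo "no URI directive"
    grep -Eiq '^[[:space:]]*URI[[:space:]].*ldap://' "$f" &&
        echo "cleartext ldap:// URI; TLS is not forced"
    grep -Eiq '^[[:space:]]*TLS_REQCERT[[:space:]]+demand' "$f" ||
        echo "TLS_REQCERT is not 'demand'; the server certificate is not verified"
    return 0
}

# Write two constructed files into DIR: what the bug produces, and a fixed one.
write_samples() {
    printf 'BASE dc=example,dc=com\nHOST ldap.example.com\n' > "$1/generated.conf"
    printf 'BASE dc=example,dc=com\nURI ldaps://ldap.example.com/\nTLS_REQCERT demand\nHOST ldap.example.com\n' > "$1/fixed.conf"
}

# Stand-alone demo: audit both constructed files.
d=$(mktemp -d); write_samples "$d"
for f in generated fixed; do echo "== $f.conf"; audit_ldap_conf "$d/$f.conf"; done
rm -rf "$d"
```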