Bug 191842 - authconfig uses deprecated HOST parameter in /etc/openldap/ldap.conf, ignores TLS
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: authconfig
Version: 4.0
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2006-05-16 01:08 UTC by Alan
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-05-18 15:35:05 UTC
Target Upstream Version:
Embargoed:



Description Alan 2006-05-16 01:08:41 UTC
Description of problem:
When using authconfig with the --ldapserver option, authconfig will modify
/etc/openldap/ldap.conf to include a [deprecated] HOST statement and will not
enable TLS_REQCERT or PORT 636 or other measures which would forcibly invoke
TLS.  Most annoyingly, authconfig will ignore existing [correct] URI lines.

Version-Release number of selected component (if applicable):
authconfig-4.6.10-rhel4.1
openldap-2.2.13-4

How reproducible:
Always

Steps to Reproduce:
1.  Set up an LDAP server
2.  run "authconfig --kickstart --enableldap --enableldapauth --ldapserver
SERVERNAME --enableldaptls"
  
Actual results:
authconfig modifies /etc/openldap/ldap.conf to include a HOST statement matching
SERVERNAME.  HOST is now deprecated according to the ldap.conf man page.

Expected results:
authconfig should use the URI statement.  Moreover, authconfig should check to
make sure that SERVERNAME is not already in URI format (e.g. ldap://servername)
and convert it to such if needed.
At the very least, authconfig should not modify a file that already contains a
URI using ldap:// or ldaps:// pointing to the same SERVERNAME.

Additional info: 
If your server is configured to only accept connections with SSF such that
confidentiality is REQUIRED, authconfig will cause your new client to not connect
to the server.
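The ldap.conf handling the report asks for under "Expected results", as an added example that is not authconfig's own code: the --ldapserver value is normalised to an ldap:// or ldaps:// URI, the file is left untouched when a URI line already points at that server, and otherwise a URI line is written in place of the deprecated HOST statement. The function names and the sample ldap.conf contents are constructed for this example.

```python
import re
from urllib.parse import urlparse

def normalize_server(server):
    """Return SERVERNAME as a URI; an existing ldap:// or ldaps:// URI is kept as-is."""
    if re.match(r'(?i)^ldaps?://', server):
        return server
    return 'ldap://' + server

def uri_host(uri):
    """Lower-cased hostname (no port) of an LDAP URI, '' if it cannot be parsed."""
    return (urlparse(uri).hostname or '').lower()

def update_ldap_conf(text, server):
    """Return (new ldap.conf text, changed).

    Leaves the file alone if any URI line already names the target host
    (ldap:// or ldaps://); otherwise drops deprecated HOST lines and writes
    one URI line, replacing the first existing URI line if there is one.
    """
    uri = normalize_server(server)
    target = uri_host(uri)
    lines = text.splitlines()
    for line in lines:
        m = re.match(r'^\s*URI\s+(.*)$', line, re.IGNORECASE)
        if m and target in [uri_host(u) for u in m.group(1).split()]:
            return text, False          # correct URI already present: do not touch
    out, replaced = [], False
    for line in lines:
        key = line.split(None, 1)[0].upper() if line.strip() else ''
        if key == 'HOST':
            continue                    # HOST is deprecated: replace it with URI
        if key == 'URI' and not replaced:
            out.append('URI ' + uri)    # first URI line points elsewhere: rewrite it
            replaced = True
            continue
        out.append(line)
    if not replaced:
        out.append('URI ' + uri)
    return '\n'.join(out) + '\n', True

# Constructed sample: a client config that already carries a correct ldaps:// URI.
SAMPLE_OK = "BASE dc=example,dc=com\nURI ldaps://ldap.example.com\n"
# Constructed sample: the deprecated form this bug report describes.
SAMPLE_HOST = "BASE dc=example,dc=com\nHOST ldap.example.com\n"
```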

Comment 1 Tomas Mraz 2006-05-18 12:15:23 UTC
The workaround is to put both URI and HOST statements in the config. If the URI
is first it will be used as default with the HOST only as failover, so it will
be harmless if it doesn't point to the right server.

But we should fix this for the next RHEL version.


Comment 2 Tomas Mraz 2006-05-18 15:35:05 UTC
Implemented in authconfig-5.2.5-1.

Fixed authconfig will be included in the RHEL 5 when it is released.


