Red Hat Bugzilla – Bug 191842
authconfig uses deprecated HOST parameter in /etc/openldap/ldap.conf, ignores TLS
Last modified: 2007-11-30 17:07:25 EST
Description of problem:
When using authconfig with the --ldapserver option, authconfig will modify
/etc/openldap/ldap.conf to include a [deprecated] HOST statement and will not
enable TLS_REQCERT, PORT 636 or other measures which would forcibly invoke
TLS. Most annoyingly, authconfig will ignore existing [correct] URI lines.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set up an LDAP server
2. run "authconfig --kickstart --enableldap --enableldapauth --ldapserver
authconfig modifies /etc/openldap/ldap.conf to include a HOST statement matching
SERVERNAME. HOST is now deprecated according to the ldap.conf man page;
authconfig should use the URI statement. Moreover, authconfig should check to
make sure that SERVERNAME is not already in URI format (e.g. ldap://servername)
and convert it to such if needed.
At the very least authconfig should not modify a file that already contains a
URI using ldap:// or ldaps:// pointing to the same SERVERNAME.
If your server is configured to only accept connections with SSF such that
confidentiality is REQUIRED, authconfig will cause your new client to not connect
to the server.
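As an added illustration of the check the reporter asks for (this is not authconfig's code and is not part of the bug report), the following Python audits an ldap.conf-style text for a deprecated HOST directive, for a missing URI to the intended server, and for a URI that does not force TLS, and rewrites the file the way the report says authconfig should: drop HOST, leave an existing matching ldap:// or ldaps:// URI alone, and otherwise add one. The sample configurations are constructed, and the choice of ldaps:// as the default scheme when a bare server name is given is my own assumption, made because the report wants TLS forced.

```python
"""Audit and repair the HOST/URI problem described in Bug 191842 (added example)."""
import re
from urllib.parse import urlparse


def parse_ldap_conf(text):
    """Return (KEY, value) pairs; ldap.conf is one directive per line, '#' comments."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        entries.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
    return entries


def to_uri(server):
    """Leave an ldap:// or ldaps:// value alone; otherwise build an ldaps:// URI.
    Defaulting to ldaps:// is an assumption of this example, not authconfig behaviour."""
    if re.match(r"^ldaps?://", server, re.I):
        return server
    return "ldaps://" + server


def uri_hosts(value):
    """Split a URI directive (may list several URIs) into (scheme, hostname) pairs."""
    hosts = []
    for uri in value.split():
        parsed = urlparse(uri)
        hosts.append((parsed.scheme.lower(), (parsed.hostname or "").lower()))
    return hosts


def audit_ldap_conf(text, servername):
    """Return a list of findings for the given server name (empty list means clean)."""
    findings = []
    entries = parse_ldap_conf(text)
    keys = {k for k, _ in entries}
    target = (urlparse(to_uri(servername)).hostname or "").lower()
    uris = [h for k, v in entries if k == "URI" for h in uri_hosts(v)]
    target_uris = [scheme for scheme, host in uris if host == target]
    if "HOST" in keys:
        findings.append("deprecated HOST directive present; use URI instead")
    if not target_uris:
        findings.append("no URI directive points at %s" % target)
    elif "ldaps" not in target_uris and "TLS_REQCERT" not in keys:
        findings.append("URI for %s is plain ldap:// and TLS_REQCERT is unset; "
                        "nothing forces TLS" % target)
    return findings


def fix_ldap_conf(text, servername):
    """Drop HOST lines; add a URI for the server only if none already matches it."""
    wanted = to_uri(servername)
    target = (urlparse(wanted).hostname or "").lower()
    out, has_uri = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            parts = stripped.split(None, 1)
            key = parts[0].upper()
            value = parts[1] if len(parts) > 1 else ""
            if key == "HOST":
                continue  # deprecated directive: remove it
            if key == "URI" and any(h == target for _, h in uri_hosts(value)):
                has_uri = True  # existing correct URI must be left untouched
        out.append(line)
    if not has_uri:
        out.append("URI " + wanted)
    return "\n".join(out) + "\n"


# Constructed sample configurations (not taken from any real host).
AUTHCONFIG_STYLE = "# written by the old authconfig\nBASE dc=example,dc=com\nHOST ldap.example.com\n"
PLAIN_URI = "BASE dc=example,dc=com\nURI ldap://ldap.example.com\n"
HARDENED = "BASE dc=example,dc=com\nURI ldaps://ldap.example.com\nTLS_REQCERT demand\n"

if __name__ == "__main__":
    for name, conf in (("authconfig-style", AUTHCONFIG_STYLE),
                       ("plain-uri", PLAIN_URI), ("hardened", HARDENED)):
        print(name, audit_ldap_conf(conf, "ldap.example.com") or "clean")
    print(fix_ldap_conf(AUTHCONFIG_STYLE, "ldap.example.com"))
```

Run it against a copy of /etc/openldap/ldap.conf and the server name you pass to --ldapserver; the audit lists why a client configured this way may fail against a server that requires confidentiality, and the fix function produces the URI-based file the report asks for.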
The workaround is to put both URI and HOST statements in the config. If the URI
is first it will be used as default with the HOST only as failover, so it will
be harmless if it doesn't point to the right server.
But we should fix this for the next RHEL version.
Implemented in authconfig-5.2.5-1.
Fixed authconfig will be included in the RHEL 5 when it is released.