Bug 191842 - authconfig uses deprecated HOST parameter in /etc/openldap/ldap.conf, ignores TLS
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: authconfig
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Tomas Mraz
QA Contact: Brian Brock
Keywords: FutureFeature
Reported: 2006-05-15 21:08 EDT by Alan
Modified: 2007-11-30 17:07 EST (History)
Doc Type: Enhancement
Last Closed: 2006-05-18 11:35:05 EDT
Description Alan 2006-05-15 21:08:41 EDT
Description of problem:
When using authconfig with the --ldapserver option, authconfig will modify
/etc/openldap/ldap.conf to include a [deprecated] HOST statement and will not
enable TLS_REQCERT or PORT 636 or other measures which would forcibly invoke
TLS. Most annoyingly, authconfig will ignore existing [correct] URI lines.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.  Set up an LDAP server
2.  run "authconfig --kickstart --enableldap --enableldapauth --ldapserver SERVERNAME --enableldaptls"
Actual results:
authconfig modifies /etc/openldap/ldap.conf to include a HOST statement matching
SERVERNAME. HOST is now deprecated according to the ldap.conf man page.

Expected results:
authconfig should use the URI statement. Moreover, authconfig should check to
make sure that SERVERNAME is not already in URI format (e.g. ldap://servername)
and convert it to such if needed.
At the very least authconfig should not modify a file that already contains a
URI using ldap:// or ldaps:// pointing to the same SERVERNAME.

Additional info: 
If your server is configured to only accept connections with an SSF such that
confidentiality is REQUIRED, authconfig will cause your new client to not connect
to the server.
Comment 1 Tomas Mraz 2006-05-18 08:15:23 EDT
The workaround is to put both URI and HOST statements in the config. If the URI
is first it will be used as default with the HOST only as failover, so it will
be harmless if it doesn't point to the right server.

But we should fix this for the next RHEL version.
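The two behaviours discussed above, the expected results in the report (normalise SERVERNAME to a URI, leave a file alone that already has a matching ldap:// or ldaps:// URI, otherwise replace the deprecated HOST line) and the URI-before-HOST workaround from comment 1, written out as an added example. This is not authconfig's own code and is not taken from the bug; the sample ldap.conf text is constructed for the example, and the choice of ldaps://host:636 plus TLS_REQCERT demand as the "forcibly invoke TLS" measure is this example's assumption about what the reporter means by PORT 636 and TLS_REQCERT.

```python
# Added example, not authconfig's code: the /etc/openldap/ldap.conf handling
# the bug report asks for, as pure functions over the file's text.
from urllib.parse import urlparse

# Constructed sample: a file that already carries a correct URI line, plus the
# HOST line authconfig wrote anyway.
SAMPLE_CONF = """\
# /etc/openldap/ldap.conf (constructed example)
BASE dc=example,dc=com
URI ldaps://ldap.example.com
HOST ldap.example.com
"""


def normalize_server(server, tls=False):
    """Return the --ldapserver value as an LDAP URI.

    A bare host name becomes ldap://host, or ldaps://host:636 when TLS is
    requested (the ldaps scheme forces TLS at connect time; plain ldap://
    does not).  A value already in ldap:// or ldaps:// form is kept as given.
    """
    if "://" in server:
        parsed = urlparse(server)
        if parsed.scheme not in ("ldap", "ldaps") or not parsed.hostname:
            raise ValueError("not an LDAP URI: %r" % server)
        return server
    return ("ldaps://%s:636" if tls else "ldap://%s") % server


def _host(uri):
    """Lower-cased host part of an LDAP URI ('' if it has none)."""
    return (urlparse(uri).hostname or "").lower()


def _keyword(line):
    """Directive keyword of a config line, or None for blank/comment lines."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    return s.split(None, 1)[0].upper()


def _value(line):
    parts = line.strip().split(None, 1)
    return parts[1] if len(parts) > 1 else ""


def has_uri_for(text, server):
    """True if a URI directive already names the same host (ldap:// or ldaps://)."""
    want = _host(normalize_server(server))
    for line in text.splitlines():
        # URI takes a whitespace-separated list of servers, so check each one.
        if _keyword(line) == "URI" and any(_host(u) == want for u in _value(line).split()):
            return True
    return False


def update_conf(text, server, tls=False):
    """The behaviour the report asks for.

    A file that already points at the server via URI is returned untouched.
    Otherwise every HOST and stale URI line is dropped and a URI line written;
    with TLS requested, TLS_REQCERT demand is set so a certificate the client
    cannot verify aborts the connection instead of silently proceeding.
    """
    if has_uri_for(text, server):
        return text
    drop = {"HOST", "URI"}
    if tls:
        drop.add("TLS_REQCERT")
    kept = [l for l in text.splitlines() if _keyword(l) not in drop]
    kept.append("URI %s" % normalize_server(server, tls))
    if tls:
        kept.append("TLS_REQCERT demand")
    return "\n".join(kept) + "\n"


def apply_workaround(text, server, tls=False):
    """Comment 1's workaround: keep the HOST line authconfig writes, but place a
    URI line for the real server ahead of the first HOST line."""
    uri = normalize_server(server, tls)
    out, inserted = [], False
    for line in text.splitlines():
        key = _keyword(line)
        if key == "URI" and any(_host(u) == _host(uri) for u in _value(line).split()):
            continue  # re-emitted below, ahead of HOST
        if key == "HOST" and not inserted:
            out.append("URI %s" % uri)
            inserted = True
        out.append(line)
    if not inserted:
        out.append("URI %s" % uri)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(update_conf(SAMPLE_CONF, "other.example.com", tls=True))
    print(apply_workaround("BASE dc=example,dc=com\nHOST ldap.example.com\n", "ldap.example.com"))
```

TLS_REQCERT demand only does useful work when TLS_CACERT or TLS_CACERTDIR in the same file points at a CA the client can verify against; without that the connection fails, which is the safe failure for a server that requires confidentiality. The example uses ldaps:// on 636 rather than STARTTLS on 389 because that is the setting the reporter names; either way the point is that a bare HOST line gives the client no reason to negotiate TLS at all.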
Comment 2 Tomas Mraz 2006-05-18 11:35:05 EDT
Implemented in authconfig-5.2.5-1.

Fixed authconfig will be included in the RHEL 5 when it is released.
