Description of problem:
During firstboot, if I choose to make my system an LDAP client for authentication, and if I tell it to use TLS to encrypt the LDAP connections, firstboot pops up a window telling me to copy the LDAP PEM file to the /etc/openldap/cacerts directory before clicking OK, but it doesn't give me any method to do so. If I hit CTRL-ALT-Fn to get a virtual terminal, there's no shell on any of the terminals since the box hasn't finished booting yet. firstboot should somehow provide the user a method to provide the PEM file, e.g., copying it via scp from a network location or from a USB memory stick. Fortunately when I hit OK it eventually proceeds anyway and I can add the PEM file later once the system is fully booted.

Version-Release number of selected component (if applicable):
firstboot-1.4.12-1

How reproducible:
Every time

Steps to Reproduce:
1. Install fc6test1
2. Configure the system as an LDAP client during firstboot and click the checkbox for TLS
3. Note the pop-up window for the PEM file

Actual results:
A message tells me to copy the PEM file but I have no way of doing so

Expected results:
A method should be provided for the user to copy the PEM file

Additional info:
Created attachment 131679: screenshot of pop-up window for PEM file
authconfig-gtk needs to provide a UI for doing this. Forcing the user to go do something else in a different program and then coming back to click a button is not a very friendly interface, and leads to problems like you're seeing above. At the least, provide the standard GTK file chooser that allows the user to pick the location of the file they want to use.
The problem is, they mostly won't have the file on disk where they are installing the system anyway.
Agreed: the file is going to be external to the box while it's in this state, so if it can use scp (or maybe even SSHFS/FUSE) to get to the file, that would be ideal.
Using scp directly is a little bit problematic as you'd have to accept the server's public key somehow. What about using http(s) to download the certificate?
You could run ssh-keyscan prior to running scp to get the server's public key into the known_hosts file. Or using https could work too. Any method to do this would be better than the current method which is none. :)
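The two retrieval routes discussed in the comments above (https download, or ssh-keyscan followed by scp), written out as a shell helper. This is an added example, not code from firstboot or authconfig-gtk: the function names, the CACERT_DIR and KNOWN_HOSTS variables, and the example URL are assumptions. It checks that what was fetched is actually a PEM certificate (and not a bundle containing a private key), prints a SHA-256 fingerprint to compare with the LDAP administrator out-of-band, and only adds a scanned SSH host key to known_hosts when its fingerprint matches one supplied in advance, since ssh-keyscan on its own is trust-on-first-use.

```shell
#!/bin/sh
# Hypothetical helper (added example, not part of firstboot/authconfig):
# fetch a CA certificate for an LDAP client, sanity-check it, and install it
# into the cacerts directory that the firstboot dialog asks for.

CACERT_DIR="${CACERT_DIR:-/etc/openldap/cacerts}"     # assumed default
KNOWN_HOSTS="${KNOWN_HOSTS:-$HOME/.ssh/known_hosts}"  # assumed default

# Returns 0 when the file looks like a PEM-encoded X.509 certificate.
# A file carrying a private key is rejected: the client only needs the CA cert.
is_pem_cert() {
    f="$1"
    [ -f "$f" ] || return 1
    grep -q '^-----BEGIN CERTIFICATE-----$' "$f" || return 1
    grep -q '^-----END CERTIFICATE-----$' "$f" || return 1
    if grep -q 'PRIVATE KEY' "$f"; then return 1; fi
    return 0
}

# https route: curl validates the web server's certificate, so no SSH host key
# has to be accepted during firstboot. Plain http is refused.
fetch_ca_cert_https() {
    url="$1"; out="$2"
    curl --fail --silent --show-error --proto '=https' --tlsv1.2 -o "$out" "$url"
}

# scp route: scan the host key, but add it to known_hosts only if its
# fingerprint equals one obtained from the LDAP admin beforehand.
pin_host_key() {
    host="$1"; expected_fp="$2"   # e.g. "SHA256:..." supplied out-of-band
    keys=$(mktemp)
    ssh-keyscan -t ed25519 "$host" > "$keys" 2>/dev/null
    if ssh-keygen -lf "$keys" | grep -qF "$expected_fp"; then
        mkdir -p "$(dirname "$KNOWN_HOSTS")"
        cat "$keys" >> "$KNOWN_HOSTS"
        rm -f "$keys"
        return 0
    fi
    rm -f "$keys"
    echo "host key for $host does not match expected fingerprint" >&2
    return 1
}

fetch_ca_cert_scp() {
    host="$1"; remote_path="$2"; out="$3"; expected_fp="$4"
    pin_host_key "$host" "$expected_fp" || return 1
    scp -o StrictHostKeyChecking=yes "$host:$remote_path" "$out"
}

# Fingerprint to read back to the LDAP admin before trusting the CA.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Copy the cert into the cacerts dir and create the subject-hash symlink that
# OpenLDAP's TLS_CACERTDIR lookup expects (what c_rehash would generate).
install_ca_cert() {
    src="$1"
    is_pem_cert "$src" || { echo "not a PEM certificate: $src" >&2; return 1; }
    mkdir -p "$CACERT_DIR"
    dest="$CACERT_DIR/$(basename "$src")"
    cp "$src" "$dest"
    chmod 0644 "$dest"
    h=$(openssl x509 -in "$dest" -noout -hash)
    ln -sf "$(basename "$dest")" "$CACERT_DIR/$h.0"
}

# Usage (hypothetical URL): sh ca-fetch.sh https://ldap.example.com/ca.pem
if [ "$#" -ge 1 ]; then
    tmp=$(mktemp)
    fetch_ca_cert_https "$1" "$tmp"
    cert_fingerprint "$tmp"
    install_ca_cert "$tmp"
    rm -f "$tmp"
fi
```

The https path needs a trusted CA for the download server already on the box, which is the usual case for a distribution's bundled trust store; the scp path instead needs the host-key fingerprint to be known before the connection, which is exactly the step that running ssh-keyscan alone would skip.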
There is now a 'Download CA Certificate' button in the LDAP settings dialog.