Bug 197103 - chicken-and-egg problem with LDAP PEM file
Summary: chicken-and-egg problem with LDAP PEM file
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: authconfig
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2006-06-28 15:28 UTC by Jeff Bastian
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: authconfig-5.3.1-1
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-07-18 14:45:40 UTC
Type: ---
Embargoed:


Attachments
screenshot of pop-up window for PEM file (50.09 KB, image/png)
2006-06-28 15:29 UTC, Jeff Bastian

Description Jeff Bastian 2006-06-28 15:28:20 UTC
Description of problem:
During firstboot, if I choose to make my system an LDAP client for
authentication, and if I tell it to use TLS to encrypt the LDAP connections,
firstboot pops up a window telling me to copy the LDAP PEM file to the
/etc/openldap/cacerts directory before clicking OK, but it doesn't give me any
method to do so.  If I hit CTRL-ALT-Fn to get a virtual terminal, there's no
shell on any of the terminals since the box hasn't finished booting yet.

firstboot should somehow provide the user a method to provide the PEM file,
e.g., copying it via scp from a network location or from a USB memory stick.

Fortunately when I hit OK it eventually proceeds anyway and I can add the PEM
file later once the system is fully booted.

Version-Release number of selected component (if applicable):
firstboot-1.4.12-1

How reproducible:
Every time

Steps to Reproduce:
1. Install fc6test1
2. Configure the system as an LDAP client during firstboot and click the
checkbox for TLS
3. Note the pop-up window for the PEM file
  
Actual results:
A message tells me to copy the PEM file but I have no way of doing so

Expected results:
A method should be provided for the user to copy the PEM file

Additional info:

Comment 1 Jeff Bastian 2006-06-28 15:29:26 UTC
Created attachment 131679 [details]
screenshot of pop-up window for PEM file

Comment 2 Chris Lumens 2006-06-28 16:59:48 UTC
authconfig-gtk needs to provide a UI for doing this.  Forcing the user to go do
something else in a different program and then coming back to click a button is
not a very friendly interface, and leads to problems like you're seeing above. 
At the least, provide the standard GTK file chooser that allows the user to pick
the location of the file they want to use.

Comment 3 Tomas Mraz 2006-06-28 17:04:38 UTC
The problem is, they mostly won't have the file on disk where they are
installing the system anyway.


Comment 4 Jeff Bastian 2006-06-28 18:25:21 UTC
Agreed: the file is going to be external to the box while it's in this state, so
if it can use scp (or maybe even SSHFS/FUSE) to get to the file, that would be
ideal.

Comment 5 Tomas Mraz 2006-06-29 06:58:52 UTC
Using scp directly is a little bit problematic as you'd have to accept the
server's public key somehow.

What about using http(s) to download the certificate?


Comment 6 Jeff Bastian 2006-06-29 22:28:35 UTC
You could run ssh-keyscan prior to running scp to get the server's public key
into the known_hosts file.

Or using https could work too.

Any method to do this would be better than the current method which is none.  :)
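
The host-key acceptance problem raised in Comment 5 and the ssh-keyscan workaround in Comment 6 come down to the same question: how the installer knows that the PEM file it just received is the real CA certificate. ssh-keyscan records whatever key the server presents, so it only moves the trust decision rather than making it, and an https download is only as trustworthy as the CA that signed the web server's certificate. In either case the practical check is to compare the fingerprint of the fetched certificate against one obtained out of band (from the LDAP administrator, for example) before dropping it into /etc/openldap/cacerts. The Python below is an added example of that check; it is not authconfig or firstboot code. SAMPLE_PEM is a constructed placeholder whose base64 body is not a real certificate, and the function names, the expected-fingerprint argument and the ldap-ca.pem file name are assumptions.

```python
import base64
import hashlib
import hmac
import re
from pathlib import Path

# Matches the first certificate block in a PEM file (the base64 body between the markers).
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed placeholder: PEM framing around an arbitrary base64 body so the
# example runs offline. It is NOT a real X.509 certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed placeholder body, not a real certificate").decode()
    + "\n-----END CERTIFICATE-----\n"
)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in pem_text."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM data")
    body = "".join(m.group(1).split())  # drop the line breaks inside the base64
    return base64.b64decode(body, validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER encoding, formatted like 'openssl x509 -noout -fingerprint -sha256'."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..', 'abcd..' or 'ab cd ..' and reduce it to uppercase hex digits."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def verify_fingerprint(pem_text: str, expected_fp: str) -> bool:
    """True if the certificate in pem_text has the out-of-band fingerprint expected_fp."""
    actual = normalize_fingerprint(sha256_fingerprint(pem_to_der(pem_text)))
    expected = normalize_fingerprint(expected_fp)
    # Constant-time comparison; a malformed or truncated expected value simply fails.
    return len(expected) == 64 and hmac.compare_digest(actual, expected)


def install_ca_cert(pem_text: str, expected_fp: str, cacerts_dir, name: str = "ldap-ca.pem") -> Path:
    """Write the certificate into cacerts_dir only after its fingerprint checks out."""
    if not verify_fingerprint(pem_text, expected_fp):
        raise ValueError(
            "refusing to install CA certificate: fingerprint %s does not match the expected value"
            % sha256_fingerprint(pem_to_der(pem_text))
        )
    cacerts_dir = Path(cacerts_dir)
    cacerts_dir.mkdir(mode=0o755, parents=True, exist_ok=True)
    dest = cacerts_dir / name
    dest.write_text(pem_text)
    dest.chmod(0o644)  # a trust anchor is public, not secret; readable by every client
    return dest


if __name__ == "__main__":
    import tempfile
    # In real use the expected fingerprint comes from the LDAP administrator,
    # never from the same channel the certificate was downloaded over.
    known_good = sha256_fingerprint(pem_to_der(SAMPLE_PEM))
    with tempfile.TemporaryDirectory() as tmp:
        print("installed", install_ca_cert(SAMPLE_PEM, known_good, tmp))
        try:
            install_ca_cert(SAMPLE_PEM, "AA" * 32, tmp)
        except ValueError as e:
            print("rejected:", e)
```

OpenLDAP looks certificates up in a TLS_CACERTDIR by subject hash, so after installing the file run c_rehash on the directory, or point TLS_CACERT in ldap.conf at the file itself. The fingerprint check is what makes the transport choice (scp, https, USB stick) irrelevant to trust: a tampered file fails the comparison whichever way it arrived.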

Comment 7 Tomas Mraz 2006-07-18 14:45:40 UTC
There is now a 'Download CA Certificate' button in the LDAP settings dialog.

