Bug 197103 - chicken-and-egg problem with LDAP PEM file
Product: Fedora
Classification: Fedora
Component: authconfig
All Linux
medium Severity medium
Assigned To: Tomas Mraz
Brian Brock
: FutureFeature
Reported: 2006-06-28 11:28 EDT by Jeff Bastian
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: authconfig-5.3.1-1
Doc Type: Enhancement
Last Closed: 2006-07-18 10:45:40 EDT

Attachments
screenshot of pop-up window for PEM file (50.09 KB, image/png)
2006-06-28 11:29 EDT, Jeff Bastian

Description Jeff Bastian 2006-06-28 11:28:20 EDT
Description of problem:
During firstboot, if I choose to make my system an LDAP client for
authentication, and if I tell it to use TLS to encrypt the LDAP connections,
firstboot pops up a window telling me to copy the LDAP PEM file to the
/etc/openldap/cacerts directory before clicking OK, but it doesn't give me any
method to do so.  If I hit CTRL-ALT-Fn to get a virtual terminal, there's no
shell on any of the terminals since the box hasn't finished booting yet.

firstboot should somehow provide the user a method to provide the PEM file,
e.g., copying it via scp from a network location or from a USB memory stick.

Fortunately when I hit OK it eventually proceeds anyway and I can add the PEM
file later once the system is fully booted.

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Install fc6test1
2. Configure the system as an LDAP client during firstboot and click the
checkbox for TLS
3. Note the pop-up window for the PEM file

Actual results:
A message tells me to copy the PEM file but I have no way of doing so

Expected results:
A method should be provided for the user to copy the PEM file

Additional info:
Comment 1 Jeff Bastian 2006-06-28 11:29:26 EDT
Created attachment 131679
screenshot of pop-up window for PEM file
Comment 2 Chris Lumens 2006-06-28 12:59:48 EDT
authconfig-gtk needs to provide a UI for doing this.  Forcing the user to go do
something else in a different program and then coming back to click a button is
not a very friendly interface, and leads to problems like you're seeing above. 
At the least, provide the standard GTK file chooser that allows the user to pick
the location of the file they want to use.
Comment 3 Tomas Mraz 2006-06-28 13:04:38 EDT
The problem is, they mostly won't have the file on disk where they are
installing the system anyway.
Comment 4 Jeff Bastian 2006-06-28 14:25:21 EDT
Agreed: the file is going to be external to the box while it's in this state, so
if it can use scp (or maybe even SSHFS/FUSE) to get to the file, that would be
Comment 5 Tomas Mraz 2006-06-29 02:58:52 EDT
Using scp directly is a little bit problematic as you'd have to accept the
server's public key somehow.

What about using http(s) to download the certificate?
Comment 6 Jeff Bastian 2006-06-29 18:28:35 EDT
You could run ssh-keyscan prior to running scp to get the server's public key
into the known_hosts file.

Or using https could work too.

Any method to do this would be better than the current method which is none.  :)
Comment 7 Tomas Mraz 2006-07-18 10:45:40 EDT
There is now a 'Download CA Certificate' button in the LDAP settings dialog.
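
The trust question raised in comments 5 and 6 (scp needs the server's host key accepted first, and a downloaded file is only as trustworthy as the channel it came over) can be handled by checking the fetched CA certificate against a fingerprint obtained out of band before it is placed in the cacerts directory. The following is an added example, not authconfig's code and not part of the bug thread; the function names, the `ldap-ca.pem` file name and the sample bytes are assumptions, and the sample is a constructed placeholder rather than a real certificate.

```python
import hashlib
import os
import ssl
import tempfile

# Constructed sample: placeholder bytes wrapped in PEM armor, NOT a real certificate.
SAMPLE_DER = b"constructed placeholder bytes standing in for a CA certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def der_sha256(pem_text):
    """Return the SHA-256 fingerprint (lowercase hex) of the DER bytes in a PEM cert."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())  # ValueError if armor is missing
    return hashlib.sha256(der).hexdigest()


def normalize_fingerprint(text):
    """Accept 'AB:CD:...' as printed by common tools, or plain hex."""
    return text.replace(":", "").replace(" ", "").strip().lower()


def install_ca_cert(pem_text, expected_fp, cacert_dir, name="ldap-ca.pem"):
    """Install pem_text into cacert_dir only if it matches the pinned fingerprint.

    expected_fp must come from a channel other than the download itself
    (read over the phone, printed on the install sheet, and so on).
    """
    actual = der_sha256(pem_text)
    if actual != normalize_fingerprint(expected_fp):
        raise ValueError("CA certificate fingerprint mismatch, got " + actual)
    os.makedirs(cacert_dir, exist_ok=True)
    # Write to a temp file in the same directory, then rename, so a partially
    # written certificate is never visible to the LDAP client.
    fd, tmp = tempfile.mkstemp(dir=cacert_dir)
    with os.fdopen(fd, "w") as handle:
        handle.write(pem_text)
    os.chmod(tmp, 0o644)  # CA certificates are public; readable by all
    final = os.path.join(cacert_dir, name)
    os.replace(tmp, final)
    return final


if __name__ == "__main__":
    pinned = hashlib.sha256(SAMPLE_DER).hexdigest()  # stands in for the out-of-band value
    with tempfile.TemporaryDirectory() as demo_dir:  # stand-in for /etc/openldap/cacerts
        print("installed:", install_ca_cert(SAMPLE_PEM, pinned, demo_dir))
        swapped = ssl.DER_cert_to_PEM_cert(b"constructed substitute certificate")
        try:
            install_ca_cert(swapped, pinned, demo_dir)
        except ValueError as err:
            print("rejected:", err)
```

The check only helps if the expected fingerprint travels separately from the certificate; a fingerprint fetched from the same server over the same connection proves nothing.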
