Red Hat Bugzilla – Bug 197103
chicken-and-egg problem with LDAP PEM file
Last modified: 2007-11-30 17:11:36 EST
Description of problem:
During firstboot, if I choose to make my system an LDAP client for
authentication, and if I tell it to use TLS to encrypt the LDAP connections,
firstboot pops up a window telling me to copy the LDAP PEM file to the
/etc/openldap/cacerts directory before clicking OK, but it doesn't give me any
method to do so. If I hit CTRL-ALT-Fn to get a virtual terminal, there's no
shell on any of the terminals since the box hasn't finished booting yet.
firstboot should somehow provide the user a method to provide the PEM file,
e.g., copying it via scp from a network location or from a USB memory stick.
Fortunately when I hit OK it eventually proceeds anyway and I can add the PEM
file later once the system is fully booted.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install fc6test1
2. Configure the system as an LDAP client during firstboot and click the
checkbox for TLS
3. Note the pop-up window for the PEM file
A message tells me to copy the PEM file but I have no way of doing so
A method should be provided for the user to copy the PEM file
Created attachment 131679
screenshot of pop-up window for PEM file
authconfig-gtk needs to provide a UI for doing this. Forcing the user to go do
something else in a different program and then coming back to click a button is
not a very friendly interface, and leads to problems like you're seeing above.
At the least, provide the standard GTK file chooser that allows the user to pick
the location of the file they want to use.
The problem is, they mostly won't have the file on disk where they are
installing the system anyway.
Agreed: the file is going to be external to the box while it's in this state, so
if it can use scp (or maybe even SSHFS/FUSE) to get to the file, that would be
Using scp directly is a little bit problematic as you'd have to accept the
server's public key somehow.
What about using http(s) to download the certificate?
You could run ssh-keyscan prior to running scp to get the server's public key
into the known_hosts file.
Or using https could work too.
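The ssh-keyscan-then-scp approach suggested above, as an added example that is not part of the bug report or of authconfig: it pins the scanned host key to a fingerprint obtained out of band (ssh-keyscan on its own trusts whatever key the server presents), checks that the downloaded file really is a CA certificate, and installs it into /etc/openldap/cacerts under the subject-hash name OpenLDAP's TLS_CACERTDIR lookup uses. The host, remote path, fingerprint and the ed25519 key type are placeholders/assumptions.

```shell
# Added example, not from the bug report. Host, path and fingerprint are placeholders.
set -u

CACERTS_DIR="${CACERTS_DIR:-/etc/openldap/cacerts}"

# Fetch the CA PEM over scp with the file server's host key pinned.
# ssh-keyscan returns whatever key the server presents, so the fingerprint is
# compared with one obtained out of band before the key is trusted for scp.
fetch_ca_pem() {
    host="$1"; remote_path="$2"; expected_fp="$3"; out="$4"
    kh="$(mktemp)"
    ssh-keyscan -t ed25519 "$host" > "$kh" 2>/dev/null   # key type assumed
    fp="$(ssh-keygen -lf "$kh" | awk '{print $2}')"
    if [ "$fp" != "$expected_fp" ]; then
        echo "host key mismatch for $host: got $fp" >&2
        rm -f "$kh"; return 1
    fi
    scp -o UserKnownHostsFile="$kh" -o StrictHostKeyChecking=yes \
        "$host:$remote_path" "$out"
    rc=$?; rm -f "$kh"; return $rc
}

# Validate the file before trusting it, then install it as <subject-hash>.0,
# the name OpenLDAP resolves inside TLS_CACERTDIR. Prints the installed path.
install_ca_pem() {
    pem="$1"; dir="$2"
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || {
        echo "$pem is not a PEM certificate" >&2; return 1; }
    # A leaf certificate here would silently break server verification later.
    openssl x509 -in "$pem" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || {
        echo "$pem is not a CA certificate" >&2; return 1; }
    mkdir -p "$dir"
    h="$(openssl x509 -in "$pem" -noout -hash)"
    install -m 0644 "$pem" "$dir/$h.0"
    echo "$dir/$h.0"
}

# Typical use once the box has a shell (values are placeholders):
#   fetch_ca_pem fileserver.example.com /srv/ldap-ca.pem SHA256:... /tmp/ca.pem \
#     && install_ca_pem /tmp/ca.pem "$CACERTS_DIR"
```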
Any method to do this would be better than the current method which is none. :)
There is now a 'Download CA Certificate' button in the LDAP settings dialog.