Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2094673

Summary: ipa-client-install should just use system wide CA store and do not specify TLS_CACERT in ldap.conf
Product: Red Hat Enterprise Linux 9 Reporter: Ding-Yi Chen <dchen>
Component: ipaAssignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: medium Docs Contact: Alexandra Nikandrova <anikandr>
Priority: unspecified    
Version: 9.2CC: abokovoy, elpereir, frenaud, ftrivino, gfialova, hakon.gislason, myusuf, pasik, rcritten, tscherf
Target Milestone: rcKeywords: Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.10.1-1.el9 Doc Type: Bug Fix
Doc Text:
.The IdM client installer no longer specifies the TLS CA configuration in the `ldap.conf` file Previously, the IdM client installer specified the TLS CA configuration in the `ldap.conf` file. With this update, OpenLDAP uses the default truststore and the IdM client installer does not set up the TLS CA configuration in the `ldap.conf` file.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-09 07:32:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ding-Yi Chen 2022-06-08 07:23:48 UTC 
Description of problem:
Currently, ipa-client-install will modify /etc/openldap/ldap.conf and put:

~~~
TLS_CACERT /etc/ipa/ca.crt
~~~

However, it breaks LDAPS or STARTTLS for LDAP services that are signed by other CA.

Fortunately, ipa-client-install already install CA cert in system wide store after ipa-4.0.3-1.el7
So we can rely on openldap's default, i.e. just use system wide CA store by not specifing 
TLS_CACERT and TLS_CACERTDIR.

Quote man 5 ldap.conf

TLS OPTIONS
       If  OpenLDAP is built with Transport Layer Security support, there are more options you can specify. 
      These options are used when an ldaps:// URI is selected (by default or otherwise) or 
      when the application negotiates TLS by issuing the LDAP StartTLS operation.

      When using OpenSSL, if neither  TLS_CACERT nor TLS_CACERTDIR is set, the system-wide default set of CA certificates is used.


Version-Release number of selected component (if applicable):
ipa-server-4.9.8-8.el9.x86_64

How reproducible:
Always

Steps to Reproduce:
1. ipa-client-install
2. grep TLS_CACERT /etc/openldap/ldap.conf | grep -v '\s*#'


Actual results:
  Showing:

  TLS_CACERT /etc/ipa/ca.crt

Expected results:
  Showing nothing, which means using the system wide CA cert store.


Additional info:
Should you have LDAPS access on ldap.example.com that is not signed by IPA CA, you can also try:

 ldapsearch -H ldaps://ldap.example.com -x -b ""

The actual results is: 

ldap_start_tls: Connect error (-11)
	additional info: error:0A000086:SSL routines::certificate verify failed (self-signed certificate in certificate chain)

Expect result:

 No error
Comment 1 Alexander Bokovoy 2022-08-29 11:59:48 UTC 
OpenLDAP made it explicit to use default CA store as provided by OpenSSL in 2016:

branches 2.5 and later:
commit 4962dd6083ae0fe722eb23a618ad39e47611429b
Author: Howard Guo <hguo>
Date:   Thu Nov 10 15:39:03 2016 +0100

branch 2.4:
commit e3affc71e05b33bfac43833c7b95fd7b7c3188f8
Author: Howard Guo <hguo>
Date:   Thu Nov 10 15:39:03 2016 +0100

This means starting with OpenLDAP 2.4.45 we can drop the explicit CA configuration in ldap.conf.

There are several use cases where an explicit IPA CA should be specified in the configuration. These mostly concern situations where a higher security level must be maintained. For these configurations an administrator would need to add an explicit CA configuration to ldap.conf if we wouldn't add it during the ipa-client-install setup. This is worth a release note.
Comment 2 Alexander Bokovoy 2022-10-06 06:11:36 UTC 
Upstream PR: https://github.com/freeipa/freeipa/pull/6496
Comment 3 Florence Blanc-Renaud 2022-10-10 07:54:00 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/22022ae2ff8d1767bd50eec098eddb02573ea1ae
Comment 4 Florence Blanc-Renaud 2022-10-11 07:07:10 UTC 
Fixed upstream
ipa-4-10:
https://pagure.io/freeipa/c/93b0e6a96a1aea45adc0d4c8bb26b226ce683573

Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/d9a56b51bbb350219d0f5cb0ea6b3cc00230d437
Comment 8 Mohammad Rizwan 2022-12-12 10:57:56 UTC 
version:
ipa-server-4.10.1-1.el9.x86_64
ipa-server-common-4.10.1-1.el9.noarch
ipa-server-dns-4.10.1-1.el9.noarch


============================= test session starts ==============================
platform linux -- Python 3.9.14, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.9.14', 'Platform': 'Linux-5.14.0-210.el9.x86_64-x86_64-with-glibc2.34', 'Packages': {'pytest': '6.2.2', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.7.0', 'multihost': '3.0', 'html': '3.1.1', 'sourceorder': '0.6.0'}}
rootdir: /usr/lib/python3.9/site-packages/ipatests
plugins: metadata-1.7.0, multihost-3.0, html-3.1.1, sourceorder-0.6.0
collecting ... collected 3 items

test_ipaclient/test_ldapconf.py::test_openldap_conf_empty PASSED         [ 33%]
test_ipaclient/test_ldapconf.py::test_openldap_conf_spaces PASSED        [ 66%]
test_ipaclient/test_ldapconf.py::test_openldap_conf_mixed XFAIL (fre...) [100%]

---------------- generated xml file: /home/cloud-user/junit.xml ----------------
----------- generated html file: file:///home/cloud-user/report.html -----------
=========================== short test summary info ============================
XFAIL test_ipaclient/test_ldapconf.py::test_openldap_conf_mixed
  freeipa ticket 7838
========================= 2 passed, 1 xfailed in 0.16s =========================

Automation passed, hence marking the bug as verified.
Comment 14 errata-xmlrpc 2023-05-09 07:32:52 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2205