Bug 444714 - sos modifies ldap.conf
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: sos
Version: 4.7
Hardware: All Linux
Priority: low, Severity: high
Target Milestone: rc
Assigned To: Bryn M. Reeves
Keywords: Reopened
Blocks: 475190
Reported: 2008-04-30 04:29 EDT by Andreas Pfaffeneder
Modified: 2012-06-14 16:30 EDT
Doc Type: Bug Fix
Last Closed: 2012-06-14 16:30:00 EDT

Attachments:
RHEL5 vs RHEL4 (6.53 KB, patch), 2009-12-21 14:21 EST, Albert Hopkins

Description Andreas Pfaffeneder 2008-04-30 04:29:56 EDT
Description of problem:

sos removes a bindpw from ldap.conf and replaces it with "***", which is an ugly
thing in a production environment, especially when too many false tries result
in a locked account.

Version-Release number of selected component (if applicable):
1.7.6.1

How reproducible:
easy

Steps to Reproduce:
1. configure ldap.conf with bindpw and binddn
2. execute sosreport
3. have locked ldap-account
  
Actual results:
locked account + sos-report-file

Expected results:
only sos-report-file

Additional info:
Comment 1 Adam Stokes 2008-04-30 06:26:52 EDT
Hi,

Are you saying this modifies /etc/ldap.conf on your production machine and not
just the file that's copied into sosreport?

If so that is a bug, however, if it's only the files within the sosreport that
are modified that is intended behavior. If we didn't sanitize passwords during
data collection it would be considered a security risk.

Thanks for the report
Comment 2 Andreas Pfaffeneder 2008-04-30 06:51:39 EDT
Hi,

a modified file in the sos-report would not lock the account in ldap, so: yes,
the file in /etc/ldap.conf is being modified.
Comment 3 Adam Stokes 2008-04-30 07:08:51 EDT
Alright then -- testing on RHEL4, 5, and F8 fails to physically modify
/etc/ldap.conf.

Please provide detailed instructions on how you are reproducing this.

Thanks
Comment 4 Andreas Pfaffeneder 2008-04-30 07:18:39 EDT
[user@host ~]$ ls -ltc /etc/ldap.conf
lrwxrwxrwx  1 root root 23 Aug 16  2006 /etc/ldap.conf -> /etc/openldap/ldap.conf
[user@host ~]$ ls -ltc /etc/openldap/ldap.conf
-rw-r--r--  1 root root 1459 Apr 30 09:35 /etc/openldap/ldap.conf
[user@host ~]$
[user@host ~]$ sudo su -
[host:/root]
root# sosreport

sosreport (version 1.7)

This utility will collect some detailed  information about the
hardware and  setup of your  Red Hat Enterprise Linux  system.
The information is collected and an archive is  packaged under
/tmp, which you can send to a support rappresentative.
Red Hat will use this information for diagnostic purposes ONLY
and it will be considered confidential information.

This process may take a while to complete.
No changes will be made to your system.

Press ENTER to continue, or CTRL-C to quit.

One or more plugins have detected a problem in your configuration.
Please review the following messages:

cluster:
    * required package is not installed for current kernel: dlm-kernel-smp
    * required package is not installed for current kernel: cman-kernel-smp
    * required package is present but not loaded: cman
    * required package is present but not loaded: dlm
    * service cman is not running
    * service cman is not started in default runlevel
    * service ccsd is not running
    * service ccsd is not started in default runlevel
    * service rgmanager is not running
    * service rgmanager is not started in default runlevel
    * service fenced is not running
    * service fenced is not started in default runlevel
    * cluster node is not quorate
    * one or more nodes have no fencing agent configured: the cluster
infrastructure might not work as intended

Are you sure you would like to continue (y/n) ? y

Please enter your first initial and last name [host]:
Please enter the case number that you are generating this report for:

 Progress [###################100%##################][00:38/00:38]

Creating compressed archive...

Your sosreport has been generated and saved in:
  /tmp/sosreport-host-785904-8e9ff2.tar.bz2

The md5sum is: 8eff1da67c3780b48ed1b10b948e9ff2

Please send this file to your support representative.

[host:/root]
root# ls -ltc /etc/openldap/ldap.conf
-rw-r--r--  1 root root 1449 Apr 30 13:14 /etc/openldap/ldap.conf
Comment 5 Andreas Pfaffeneder 2008-04-30 07:20:43 EDT
And yes: the bindpw was again set to "***"
Comment 6 Adam Stokes 2008-04-30 07:36:26 EDT
Ok, I see how you are getting this, however, my question is why are you symlinking?

They are 2 separate configs for 2 separate operations.

/etc/ldap.conf is primarily used for linux-pam and for name services while
/etc/openldap/ldap.conf is for the actual ldap client configuration.
Comment 7 Andreas Pfaffeneder 2008-04-30 07:45:54 EDT
I am symlinking because this is the standard-setup which was designed by the
people responsible for ldap-operations in the company I work for. 

Thanks for fixing sos in a way that it will not modify files in /etc/ any more.
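
A sketch of how a symlinked config can turn report-side redaction into a change to the live file, next to a collector that avoids it. This is an added example, not sos code and not part of the thread; the in-place flaw in `collect_unsafe` is an assumed mechanism, and the function names and sample `ldap.conf` contents are constructed for illustration.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path

# Constructed sample config; the bindpw value is not a real credential.
SAMPLE = "binddn cn=proxy,dc=example,dc=com\nbindpw s3cret-value\n"
BINDPW = re.compile(r"^([ \t]*bindpw[ \t]+)\S.*$", re.I | re.M)

def redact(text):
    """Mask the bindpw value, as expected for the copy inside the report."""
    return BINDPW.sub(r"\1***", text)

def collect_unsafe(src, report_dir):
    """Hypothetical flaw: copy a symlink as a symlink, then scrub in place."""
    dst = Path(report_dir) / Path(src).name
    shutil.copy2(src, dst, follow_symlinks=False)  # dst is a link to the live file
    dst.write_text(redact(dst.read_text()))        # read and write follow the link
    return dst

def collect_safe(src, report_dir):
    """Open the source read-only; write redacted text to a brand-new file."""
    dst = Path(report_dir) / Path(src).name
    text = redact(Path(src).read_text())
    # O_EXCL refuses to reuse an existing path, including a planted symlink.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    with os.fdopen(os.open(dst, flags, 0o600), "w") as f:
        f.write(text)
    return dst

def demo():
    """Rebuild the symlink layout from comment 4 in a temp dir; run both."""
    root = Path(tempfile.mkdtemp())
    live = root / "etc" / "openldap" / "ldap.conf"
    live.parent.mkdir(parents=True)
    live.write_text(SAMPLE)
    link = root / "etc" / "ldap.conf"
    link.symlink_to(live)  # absolute target, like /etc/ldap.conf in the report
    out = {}
    for fn in (collect_safe, collect_unsafe):
        dst = fn(link, tempfile.mkdtemp(dir=root))
        out[fn.__name__] = {"copy_is_link": dst.is_symlink(),
                            "copy": dst.read_text(), "live": live.read_text()}
    shutil.rmtree(root)
    return out

if __name__ == "__main__":
    print(demo())
```

After `collect_unsafe` runs, the live file carries `bindpw ***`, which matches the symptom reported in comments 4 and 5; after `collect_safe` only the report copy is masked.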
Comment 8 Adam Stokes 2008-09-30 12:08:13 EDT
Hello,

I am unable to justify fixing sosreport to check for misconfigurations in your ldap setup (or any setup for that matter). Those are 2 separate files which have 2 separate responsibilities. I am inclined to suggest that the ldap setup be configured properly first before stating that there is a bug in sosreport.

Thank you,
Adam
Comment 12 Albert Hopkins 2009-12-21 14:21:10 EST
Created attachment 379683
RHEL5 vs RHEL4
Comment 14 RHEL Product and Program Management 2010-10-22 14:49:48 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 15 Jeremy West 2012-06-14 16:30:00 EDT
This bug is being closed now that RHEL4 has entered a limited maintenance phase.  If you're a customer with ELS entitlements and need to have this fixed, please contact our support team by visiting access.redhat.com

Thanks
